Deployment Guide

ManualsBrandsDell ManualsAccess PlatformsW-Clearpass 100 Software

Amigopod 3.7

Deployment Guide

Summary of content (438 pages)

PAGE 1
Deployment Guide Amigopod 3.
PAGE 2
Copyright © 2012 Aruba Networks, Inc. Aruba Networks trademarks include, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.
PAGE 3
Contents Chapter 1 Amigopod Visitor Management Appliance.......................................... 17 About this Manual................................................................................................17 Documentation Conventions.........................................................................17 Documentation Overview..............................................................................18 Getting Support ........................................................................
PAGE 4
Configure Amigopod Subscription ID ...........................................................42 Install Subscription Updates .........................................................................43 Setup Complete ............................................................................................44 Chapter 4 RADIUS Services ................................................................................... 45 Accessing RADIUS Services ...........................................................
PAGE 5
EAP and 802.1X Authentication ..........................................................................77 Specifying Supported EAP Types.................................................................78 Creating a Server Certificate and Self-Signed Certificate Authority .............79 Requesting a Certificate from a Certificate Authority ..................................81 Importing a Server Certificate .......................................................................
PAGE 6
Creating Multiple Guest Account Receipts.................................................138 Managing Guest Accounts..........................................................................139 Managing Multiple Guest Accounts............................................................142 Importing Guest Accounts ..........................................................................144 Exporting Guest Account Information.........................................................
PAGE 7
MAC Authentication on Amigopod....................................................................204 MAC Address Formats................................................................................204 Managing Devices ......................................................................................205 MAC Creation Modes..................................................................................210 Accounting-Based MAC Authentication .....................................................
PAGE 8
Classification Groups ..................................................................................261 Statistics and Metrics..................................................................................263 Output Series ..............................................................................................266 Output Series Fields....................................................................................267 Output Filters .............................................................
PAGE 9
Notifications.......................................................................................................313 OS Updates .......................................................................................................314 Manual Operating System Updates............................................................314 Reviewing the Operating System Update Log............................................314 Determining Installed Operating System Packages....................................
PAGE 10
Failure Detection .........................................................................................349 Database Replication ..................................................................................349 Configuration Replication............................................................................350 Primary Node Failure...................................................................................351 Secondary Node Failure............................................................
PAGE 11
NwaParseXml..............................................................................................382 NwaPasswordByComplexity.......................................................................382 NwaSmsIsValidPhoneNumber ....................................................................382 NwaStrongPassword ..................................................................................382 NwaVLookup..............................................................................................
PAGE 12
List of Standard Radius Attributes ....................................................................423 Authentication Attributes.............................................................................423 RADIUS Server Internal Attributes ..............................................................425 LDAP Standard Attributes for User Class .........................................................425 Regular Expressions...............................................................................
PAGE 13
Figures Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 Figure 7 Figure 8 Figure 9 Figure 10 Figure 11 Figure 12 Figure 13 Figure 14 Figure 15 Figure 16 Figure 17 Figure 18 Figure 19 Figure 20 Figure 21 Figure 22 Figure 23 Figure 24 Figure 25 Figure 26 Figure 27 Figure 28 Figure 29 Figure 30 Figure 31 Figure 32 Figure 33 Figure 34 Figure 35 Figure 36 Figure 37 Figure 38 Figure 39 Figure 40 Figure 41 Figure 42 Figure 43 Visitor access using the Amigopod Visitor Management Appliance ..................
PAGE 14
| Amigopod 3.
PAGE 15
Tables Table 1 Table 2 Table 3 Table 4 Table 5 Table 6 Table 7 Table 8 Table 9 Table 10 Table 11 Table 12 Table 13 Table 14 Table 15 Table 16 Table 17 Table 18 Table 19 Table 20 Table 21 Table 22 Table 23 Table 24 Table 25 Table 26 Table 27 Table 28 Table 29 Table 30 Table 31 Table 32 Table 33 Table 34 Table 35 Table 36 Table 37 Table 38 Table 39 Table 40 Table 41 Table 42 Table 43 Table 44 Quick Links ........................................................................................................
PAGE 16
Table 45 Table 46 Table 47 Table 48 Table 49 Table 50 Table 51 Table 52 Table 53 Table 54 Table 55 Table 56 16 | Display Expressions for Data Formatting ..........................................................400 PHP Variables....................................................................................................401 General Configuration Settings .........................................................................410 Security Configuration Settings.......................................
PAGE 17
Chapter 1 Amigopod Visitor Management Appliance Collaboration between companies and mobility of staff has never been greater. Distributed workforces, traveling sales staff and a dependence on outsourced contractors and consultants requires efficient management, which can pose problems for network security and operational staff.
PAGE 18
Documentation Overview Click the context-sensitive Help link displayed at the top right of each page to go directly to the relevant section of the deployment guide. The following quick links may be useful in getting started. Table 1Quick Links For information about... Refer to...
PAGE 19
 Chapter 10, “High Availability Services” describes the optional high availability services that may be used to deploy a cluster of appliances in a fault-tolerant configuration.  Chapter 11, “Reference” contains technical reference information about many of the built-in features of the appliance. Getting Support Field Help The Amigopod Visitor Management Appliance has field help which is built into every form.
PAGE 20
If You Need More Assistance If you encounter a problem using the Amigopod Visitor Management Appliance, your first step should be to consult the appropriate section in this Deployment Guide. If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you with the answer or obtain a solution to your problem. Failing this, it may be possible to find a solution using the Web Resources command available under Support Services in the Amigopod user interface.
PAGE 21
Chapter 2 Management Overview This section explains the terms, concepts, processes, and equipment involved in managing visitor access to a network. The content here is intended for network architects, IT administrators and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.
PAGE 22
Reference Network Diagram The following figure shows the network connections and protocols used by the Amigopod Visitor Management Appliance. See Figure 2. Figure 2 Reference network diagram for visitor access The network administrator, operators and visitors may use different network interfaces to access the visitor management features.
PAGE 23
Figure 3 Interactions involved in guest access The Amigopod Visitor Management Appliance is part of your network’s core infrastructure and manages guest access to the network. NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask the Amigopod Visitor Management Appliance to authenticate the username and password provided by a guest logging in to the network.
PAGE 24
Figure 4 Sequence diagram for network access using AAA Guest NAS Amigopod AMG Associates [1] Redirects Unregistered role Browse to Landing page [2] Complete login form Submit form [3] Login Message page [4] Automated NAS login Access-Request [5] Access-Accept [6] Web login Authentication Authorization Guest role [7] Accounting-Request [8] Accounting-Response Accounting Internet browsing Session timeout [9] Accounting-Request [10] Accounting-Response States: Unauthorized Authenticating Accoun
PAGE 25
Key Features Refer to the table below for a list of key features and a cross-reference to the relevant section of this deployment guide. Table 2 List of Key features Feature Refer to… Visitor Access RADIUS server providing authentication, authorization, and accounting (AAA) features “RADIUS Services”  Support for 802.1X authentication “EAP and 802.
PAGE 26
Table 2 List of Key features (Continued) Logout at account expiration “Account Expiration Types” Define unlimited custom fields “Customization of Fields” Username up to 64 characters “GuestManager Standard Fields” Customization Features Create new fields and forms for visitor management “Customization of Forms and Views” Use built-in data validation to implement visitor survey forms “Form Validation Properties” Create print templates for visitor account receipts “Receipt Page Properties” Create
PAGE 27
Visitor Management Terminology The following tables describes the common terms used in this guide. See Table 3. Table 3 Common Terms Term Explanation Accounting Accounting is the process of recording summary information about network access by users and devices. Authentication Authentication is the verification of a user’s credentials, typically a username and password. Authorization Authorization controls the type of access that an authenticated user is permitted to have.
PAGE 28
Deployment Process As part of your preparations for deploying a visitor management solution, you should consider the following areas:  Management decisions about security policy  Decisions about the day-to-day operation of visitor management  Technical decisions related to network provisioning Security Policy Considerations To ensure that your network remains secure, decisions have to be made regarding guest access:  Do you wish to segregate guest access? Do you want a different VLAN, or differen
PAGE 29
Site Preparation Checklist The following is a checklist of the items that should be considered when setting up the Amigopod Visitor Management Appliance.
PAGE 30
| Management Overview Amigopod 3.
PAGE 31
Chapter 3 Setup Guide This section covers the initial deployment and configuration of the Amigopod Visitor Management Appliance. If you have a hardware appliance, See “Hardware Appliance Setup” in this chapter. If you are using the Amigopod Visitor Management Appliance in a virtual machine, See “Virtual Appliance Setup” in this chapter.
PAGE 32
Table 5 Default Port configurations (Continued) Hostname Amigopod.localdomain Virtual Appliance Setup VMware Workstation or VMware Player The virtual appliance is packaged as a zip file containing a directory with the files for the virtual machine. To install the virtual appliance, extract the contents of the zip file to a new directory and double-click the .vmx file to start the appliance.The configuration for the VMware Player virtual machine includes two virtual Ethernet adapters.
PAGE 33
Table 7 Virtual ethernet adapter configuration (Continued) IP Address – Netmask – Gateway – DNS – Adapter Name eth0 Hostname Amigopod.localdomain Accessing the Console User Interface The appliance’s console user interface can be used to perform basic administrative functions such as changing the network configuration or viewing the appliance’s MAC address details. It is also possible to recover a forgotten administrator password, or reset the appliance to its factory default settings.
PAGE 34
3. Reinitialize database – Destroys the entire configuration of the appliance and resets to the factory default state. All guest accounts, operator logins, RADIUS accounting records, application configuration, and customization will be lost. 4. Change shell password – Sets the new shell password used to access the console user interface. 5. Reset admin Web password to default – Recovers a forgotten Web administration password by restoring the default setting of Amigopod. 6.
PAGE 35
Login Screen To start the setup wizard, log in to the administrative user interface using the default username and password. Enter the username admin and the password amigopod when logging in for the first time. Amigopod License Agreement Review and accept the software license agreement. If you have any questions about the license agreement, contact Aruba support using the Web site http:// support.arubanetworks.com. Amigopod 3.
PAGE 36
Set Administrator Password Create a new password for the administrator account. This account has full access to all settings and areas in the graphical user interface. You can optionally change the username of the administrative account for enhanced security. When the administrator password is set for the first time, the root password for the system will also be set to this password. The root password is required to log in to the console user interface.
PAGE 37
The system hostname is a fully-qualified domain name. By default, this is set to amigopod.localdomain, but you may specify another valid domain name. A valid hostname is a domain name that contains two or more components separated by a period (.). Hostname parameters are:  Each component of the hostname must not exceed 63 characters  The total length of the hostname must not exceed 255 characters  Only letters, numbers, and the hyphen (-) and period (.
PAGE 38
Your Amigopod visitor management solution must be configured appropriately for your organization’s relevant network infrastructure. For details on how to configure your network interface, see Changing Network Interface Settings in the Administrator Tasks chapter. Configure HTTP Proxy If your network configuration requires the use of a HTTP proxy to access the Internet, enter the details for the proxy here and click Save Changes.
PAGE 39
Configure SMTP Mail Settings For details on SMTP configuration, See “SNMP Configuration” in the Administrator Tasks chapter. Click the Send Test Message button to send an email to a test email address in the selected format. This can be used to verify the SMTP configuration, as well as check the delivery of HTML formatted emails. Click the Save and Close button to save the updated SMTP configuration. Amigopod 3.
PAGE 40
Configure SNMP The SNMP Setup form is used to configure the system’s SNMP server and enable SNMP access. (For details on SNMP configuration, See “SNMP Configuration” in the Administrator Tasks chapter. Click the Save Changes button to apply the SNMP configuration. Configure Server Time and Time Zone Select the server’s time zone and set other options related to timekeeping for the server. 40 | Setup Guide Amigopod 3.
PAGE 41
To ensure that authentication, authorization and accounting (AAA) is performed correctly, it is vital that the server maintains the correct time of day at all times. It is strongly recommended that you configure one or more NTP servers to automatically synchronize the server’s time. NTP can interfere with timekeeping in virtual machines. The default virtual machine configuration will automatically synchronize its time with the host server, and so you should not configure NTP within the virtual machine.
PAGE 42
RADIUS Network Access Servers Network access servers are RADIUS clients, and must be predefined in order to access the RADIUS server. For security, each NAS device must also have a shared secret which is known only to the device and the RADIUS server. Use the Network Access Servers list view to define the NAS devices for this server and to make changes to existing NAS devices. Click the Create tab to define a new NAS entry for the RADIUS server.
PAGE 43
If you have purchased the Amigopod appliance, you will have one or more subscription IDs that enable particular modules of functionality that you have purchased. These subscription IDs will have been provided to you by your reseller at the time of purchase. A subscription ID consists of number and letter groups separated with hyphens. A typical subscription ID might look like this: xn2ncr-gyjyd4-mxlx2s-fv9gcy-rwy7n6 You can also attach a description to each subscription ID.
PAGE 44
Setup Complete After downloading and installing the available plugin updates, the setup process is complete. Context-sensitive help is available throughout the application. For more detailed information about the area of the application you are using, click the Help link displayed at the top right of the page. This will open a new browser window showing the relevant section of this deployment guide. Operator logins are the login accounts used for administration and management of the Amigopod.
PAGE 45
Chapter 4 RADIUS Services RADIUS is a network access-control protocol that verifies and authenticates users. The framework around which RADIUS is built is known as the AAA process, consisting of authentication, authorization, and accounting. RADIUS authenticates a guest user’s session by checking that the guest’s password matches the guest’s login details stored in the RADIUS database. Guest access is authorized by assigning a user role to the guest account.
PAGE 46
Log entries that are displayed include both successful and unsuccessful authentication attempts, the details about any authentication or authorization failures, and server configuration messages when the RADIUS server is started. Debug RADIUS Server The AAA Debug option on the RADIUS Server Configuration page enables additional debugging messages logged during the handling of RADIUS packets. The default setting is “No debugging.
PAGE 47
Each row in the table groups together authentication attempts based on the username (that is, the UserName attribute provided to the RADIUS server in the Access-Request).
PAGE 48
The NAS Type list may be used to select a default type for network access servers. Use this option if you have a deployment that uses only one type of NAS. The AAA Debug option on the RADIUS Server Configuration page enables additional debugging messages logged during the handling of RADIUS packets. The default setting is “No debugging.” This option might be of use when setting up or troubleshooting advanced authorization methods, and you can refer to the application log to view the AAA debug messages.
PAGE 49
Example: Removing a User-Name Suffix Some NAS equipment always appends a realm in the form ‘@domain.com’ to a RADIUS User-Name attribute in the Access-Request message sent to the RADIUS server. It is possible to configure the RADIUS server to strip off this additional text, using the attr_rewrite module. Use the following Server Configuration entries to perform this modification: module.attr_rewrite.consentry.attribute = User-Name module.attr_rewrite.consentry.searchin = packet module.attr_rewrite.
PAGE 50
User roles can be used to apply different security policies to different classes of guest user accounts. For example, guest users, employees and contractors might all have differing network security policies. The RADIUS attributes defined by a user role can then specify what each class of user is authorized to do. The User Roles list view defines the user roles for the RADIUS server and allows you to make changes to existing user roles. Each role is identified by a unique number.
PAGE 51
Role Attributes RADIUS attributes form the heart of the role-based access control system. Different user roles may have different attributes associated with them, which allows you to control the behavior of network access devices that authenticate users with the RADIUS server. Furthermore, you can associate a set of rules called a condition with each RADIUS attribute. This allows you to make adjustments to the precise definition of a role depending on what kind of access is being requested.
PAGE 52
When all the attributes have been added, click the Save Changes button to create this user role. You must click the Save Changes button before any of the changes you have made will take effect in the user role. A warning message will be displayed if you attempt to navigate away from the RADIUS Role Editor page while there are unsaved changes. Attribute Tags Certain attributes, principally those defined in RFC 2868, have a “tag” value associated with them. The tag value is a small number (1 to 31).
PAGE 53
2. Click the Add Attribute tab. 3. Select the Reply-Message attribute from the drop-down list and enter the string value Good morning, guest. 4. Select Enter condition expression… from the Condition drop-down list and enter the following code in the Expression text field: return date('a') == 'am'; 5. Click the Add Attribute button. 6. Repeat the above steps, but use the string value Good afternoon, guest and the following code in the Expression text field: return date('a') == 'pm'; 7.
PAGE 54
4. Select Enter condition expression… from the Condition drop-down list and enter the following code in the Expression text field: return GetUserTraffic(86400) > 10485760 && AccessReject(); 5. Click the Add Attribute button. 6. Click the Save Changes button to apply the new settings to the role. The GetUserTraffic() function ( “GetUserTraffic()” in the Reference chapter) returns the total traffic for the user’s sessions in the past 24 hours (86,400 seconds).
PAGE 55
The network has an Aruba wireless controller at 192.168.30.2 which should be configured to place all visitor traffic into VLAN ID 100. There is another Aruba wireless controller at 192.168.40.2 which should be configured to place visitor traffic into VLAN ID 200. 1. Create a new role named Sample role 2. Click the Add Attribute tab. 3. Select the Aruba vendor, and then select the Aruba-User-Vlan attribute from the drop-down list.
PAGE 56
The NAS name is used in the RADIUS server log to identify access requests from NAS servers. This name must be unique.
PAGE 57
 Trendnet  Xirrus RFC 3576 is used by the RADIUS server to request that a NAS disconnect or reauthorize a session that was previously authorized by the RADIUS server. If your NAS vendor is not listed, select the “Other NAS” option. If the NAS is known to support RFC 3576, select the “RFC 3576 Dynamic Authorization Extensions Compatible” option. See “RFC 3576 Dynamic Authorization” in the Guest Management chapter for more information about RFC 3576.
PAGE 58
To complete the form, you must either specify a file containing the server information, or type or paste in the NAS information to the NAS List Text area. Advanced import options may be specified by selecting the Show additional import options check box. The Amigopod Visitor Management Appliance uses the UTF-8 character set encoding internally to store NAS server properties. If your file is not encoded in UTF-8, the import may fail or produce unexpected results if non-ASCII characters are used.
PAGE 59
To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name (Field 1, Field 2, etc.) to use the values from that column when importing the NAS entries, or select one of the other available options to use a fixed value. Click the Next Step button to preview the final result. In step 3 of 3, a preview of the import operation is displayed. The properties of each NAS are determined, and any conflicts with existing NAS entries are displayed .
PAGE 60
Figure 7 Sequence diagram for guest captive portal and Web login In a typical configuration, you would enable the captive portal functionality of your NAS [1], and use the URL of your custom Web login page as the default portal landing page [2] for unauthorized guests. When the login form is submitted [3], the Login Message page is displayed to the visitor [4]. A subsequent automatic redirect to the NAS will perform the actual login [5], which invokes the AAA process.
PAGE 61
. Changing the vendor settings may overwrite any customizations you have made to the Header HTML and Footer HTML. If you have chosen a specific vendor, the form will display additional options: The Address option allows you to set the IP address for the NAS, as it will be visible to the guest network. The Secure Login option controls whether the NAS login should be performed using HTTP or HTTPS. The vendor’s address or hostname must be available to the guest.
PAGE 62
The Authentication field provides three options:  Credentials—a username and password. The guest is prompted for a username and password to log in to the network.  Access Code—Requires only username for authentication. The guest’s password is automatically provided for the login attempt.  Anonymous—This option supports two special usernames: _mac and underscore (_). When Anonymous is selected, two usernames may be used to enable specific behavior.
PAGE 63
 The visitor’s password will be submitted to the NAS unmodified if the Password Encryption option No encryption (plaintext password) is selected. Otherwise, See “Universal Access Method (UAM) Password Encryption” in this chapter for details about the supported password encryption methods.
PAGE 64
Use the Insert self-registration link… drop-down list to insert HTML code that creates a link to an existing guest self-registration page. This may be of use when you are creating a landing page suitable for both registered and unregistered visitors. You are able to optionally create a login message in this section. This could be used to welcome the guest and outline the terms of usage. The login message is only displayed for the time specified in the Login Delay.
PAGE 65
The ‘Allowed Access’ and ‘Denied Access’ fields are access control lists that determine if a client is permitted to access this Web login page. You can specify multiple IP addresses and networks, one per line, using the following syntax:  1.2.3.4 – IP address  1.2.3.4/24 – IP address with network prefix length  1.2.3.4/255.255.255.0 – IP address with explicit network mask The ‘Deny Behavior’ drop-down list may be used to specify the action to take when access is denied.
PAGE 66
http://192.168.88.88/weblogin.php/4?wlan=Amigopod This will in turn result in a hidden field included in the Web login form. The field will be named wlan and will be set to the value Amigopod. NAS Login Parameters Extra fields in the NAS login form may be defined using name=value pairs in the Web login form configuration. This allows you to specify values required by a particular NAS to log in, or to override values supplied by a NAS. You can also remove a NAS-supplied field from the form.
PAGE 67
{$extra_fields.wlan} To display all the remembered fields for the current visitor session, use the syntax: {dump var=$extra_fields export=html} Apple Captive Network Assistant Bypass with Amigopod This section describes the process for leveraging the Amigopod Captive Portal to bypass the Captive Network Assistant (Web sheet) that is displayed on iOS device such as iPhones, iPad and more recently Mac OS X machines running Lion (10.7).
PAGE 68
Also if the user chooses to cancel the Web sheet, the Wi-Fi connection to the Open network will be dropped automatically preventing any further interaction via the full browser or other applications. The following are examples of these Web sheet sessions from a Mac OS X Lion (10.7) laptop, iPad and an iPhone. Figure 8 Captive Network Assistant on MacOS X Figure 9 Captive Network Assistant on iPad \ 68 | RADIUS Services Amigopod 3.
PAGE 69
Figure 10 Captive Network Assistant on iPhone The Web sheet can be easily identified by the lack of a URL bar at the top of the screen and typical menu bar items. For many customers, this behavior of their Apple wireless devices will be acceptable and a great usability enhancement for their user community. There are however particular guest access or public access designs where the use of this Web sheet and the lack of ability to control the entire Web authentication user experience is not desirable.
PAGE 70
The following CLI and WebUI examples so a typical configuration of the Captive Portal profile and of note the login-page is set to point directly to the Amigopod hosted Web Login page.: http://10.169.130.50/ Aruba_Login.php Captive Portal Profile Configuration aaa authentication captive-portal "guestnet" default-role auth-guest direct-pause 3 no logout-popup-window login-page http://10.169.130.50/Aruba_Login.php welcome-page http://10.169.130.50/Aruba_welcome.
PAGE 71
Figure 12 Configuring the Web Login page For example, the Captive Portal profile login page configuration sample below will link to an Amigopod hosted Web Login page called Aruba_Login: http:///landing.php/Aruba_Login.php. Database Lists This is a list of databases on the NAS server. The Amigopod RADIUS server uses a database to store the user accounts for authentication and other settings for the server.
PAGE 72
Database Maintenance Tasks Database optimization and other maintenance tasks can be performed using this form. These tasks are normally carried out automatically and do not require administrative intervention. Some system updates may require a database schema upgrade. If this is required, it is indicated on the database list with the schema upgrade icon. To upgrade the database schema, select the “Upgrade an existing database schema” operation.
PAGE 73
The dictionary can be sorted by clicking on a column heading. Import Dictionary You are able to import RADIUS dictionary entries from a text file using the Import Dictionary command located under the More Options tab. These text files can be created by you or you can download them from a manufacturer who is not in the standard list. Export Dictionary You are able to export the dictionary by clicking on the More Options tab and choosing the Export Dictionary command.
PAGE 74
Creating a New Vendor A new vendor may be added to the dictionary by clicking the Dictionary list view. Create Vendor tab at the top of the You are required to enter the Vendor Name. This name cannot already exist in the dictionary. Spaces are not permitted in the Vendor Name. By convention, hyphens are used in vendor and attribute names instead of spaces. You are required to enter the Vendor Number. This is the IANA Private Enterprise Code assigned to this vendor.
PAGE 75
Add a Vendor-Specific Attribute (VSA) A Vendor Specific Attribute (VSA) is a RADIUS attribute defined for a specific vendor. You are able to add vendor-specific attributes to a vendor by clicking the vendor in the RADIUS dictionary list view and then clicking the Add VSA icon link. Each attribute has a name and a unique number specific to that vendor. Refer to your vendor’s documentation for the attribute name, number and type settings to use.
PAGE 76
Edit Vendor-Specific Attribute You can change the properties of an attribute by clicking on the attribute in the RADIUS dictionary list view and then clicking the Edit Attribute icon link. Once an attribute has been edited, click the Update Attribute button to save your changes. Delete Vendor-Specific Attribute Attributes can only be deleted from vendors that you have added to the dictionary.
PAGE 77
You are required to enter the name of the value to be added as well as its value. Values can only be added to attributes that are of integer type. Delete Attribute Value Values that have been added to a vendor-specific attribute can be deleted using the button. Attribute values with a lock symbol ( cannot be deleted. Delete Value ) next to their name are standard RADIUS dictionary entries and EAP and 802.
PAGE 78
To specify supported EAP types and the default type, and to configure OCSP options, see “Specifying Supported EAP Types”. To create a server certificate and self-signed certificate authority, see “Creating a Server Certificate and Self-Signed Certificate Authority”. To request a certificate from another certificate authority, see “Requesting a Certificate from a Certificate Authority ”. To import a certificate and its private key, see “Importing a Server Certificate”.
PAGE 79
1. In the Supported EAP Types row, mark the check box for each type the RADIUS server should support. The available types are EAP-MD5, EAP-MSCHAPv2, EAP-TLS, EAP-TTLS, and PEAP. If you select EAP-TLS, the EAP-TLS Configuration area is added at the bottom of the form. 2. In the Default EAP Type row, use the drop-down list to select the EAP type to use as the default when the server receives an EAP-Identity response. 3.
PAGE 80
RADIUS Server Certificate form is displayed. The unique set of identifying details you enter on this form creates the Distinguished Name (DN) for the new certificate. Creating a new server certificate and self-signed CA is a three-step process:  In step 1, a certificate signing request is created with the identifying details of the Distinguished Name for the RADIUS server’s digital certificate.
PAGE 81
The “Common Name” of the CA certificate will be used to identify it to clients installing it as a trusted CA root. Make sure to choose a sensible name. Signing RADIUS Server Certificate For a client to verify that the RADIUS server’s identity is valid, the server’s certificate must be issued by a certificate authority (CA) that is trusted by the client. This authority may be either a trusted third party CA, or a private certificate authority for which the root certificate has been distributed to clients.
PAGE 82
Complete the details for the certificate, and click the signing request. Download Request button to save the certificate This signing request should be submitted to your certificate authority (CA). The CA signs the request to create the server’s digital certificate. Once you have the certificate, you need to import it to set it up for use with EAP. See “Importing a Server Certificate”.
PAGE 83
Complete the form with the details for your certificate, and click Continue to proceed to Step 2. Installing a Server Certificate from a Certificate Authority The Install Server Certificate form is used to install a digital certificate you have obtained from a thirdparty certificate authority. This certificate should correspond to a certificate signing request that you previously created using the New Certificate Request form.
PAGE 84
3. Click the Save Changes button, and restart the RADIUS Server to apply the configuration. 4. You may verify that the EAP configuration is loaded by checking for a certain startup message on the RADIUS Server Control screen: Tue Nov 17 01:04:05 2009 : Info: rlm_eap_tls: Loading the certificate file as a chain 5. The certificate authority used to issue the server’s certificate must be exported. To do this, click the Export Server Certificate command link.
PAGE 85
2. Select the certificate in the list. Right-click it and choose Open: 3. Click the Install Certificate… button. The Certificate Import Wizard appears 4. Click Next. The Certificate Store form is displayed. Amigopod 3.
PAGE 86
5. Click the Browse button to select the Trusted Root Certification Authorities store : 6. Click OK, and then click Next. The last page of the Certificate Import Wizard will be displayed. 86 | RADIUS Services Amigopod 3.
PAGE 87
7. Once you have reached the end of the wizard, click Finish. A security warning dialog box will be displayed, indicating that the root certificate authorities store is about to be updated : 8. To make use of the imported root certificate, make sure that the CA is specified as a Trusted Root Certification Authority for the wireless network connection that is using PEAP. . Amigopod 3.
PAGE 88
Active Directory Domain Services To perform certain types of user authentication, such as using the MS-CHAPv2 protocol to verify a username and password, the RADIUS server must first be joined to an Active Directory domain. For information on Proxy RADIUS, LDAP, and local certifiacate authority external authentication servers, see External Authentication Servers.
PAGE 89
The process has built-in troubleshooting assistance, which can help with much of the necessary configuration: When the server’s DNS and network settings are correctly configured, all the necessary domain-related information is automatically detected. Use the Edit Settings link at the top of this page if any of the automatically detected settings need to be modified. Joining the server to the Active Directory domain then requires entering the username and password for a domain administrator account.
PAGE 90
Testing Active Directory User Authentication To verify that the domain has been joined successfully, click the Test Authentication command link on the RADIUS > Authentication > Active Directory page. Provide a username and password for a user in the domain to verify that authentication is working.
PAGE 91
Leaving an Active Directory Domain To remove the server from the domain, click the Leave Domain command link on the RADIUS > Authentication > Active Directory page . As with joining the domain, the credentials for a domain administrator are required to perform this operation. Provide these credentials in the Leave Active Directory Domain form and click the button. Leave Domain External Authentication Servers Many networks have more than one place where user credentials are stored.
PAGE 92
 Microsoft Active Directory — User accounts defined in a forest or domain and authenticated by the domain controller. Both user and machine accounts may be authenticated. Additionally, support is provided for authenticating users with a supplied username of either “DOMAIN\user” or “user”.  LDAP server (Lightweight Directory Access Protocol) — User accounts stored in a directory.  Proxy RADIUS server — User accounts authenticated by another RADIUS server.
PAGE 93
The top part of the form contains basic properties for the external authentication server.
PAGE 94
.  NetBIOS Domain – automatically detected when joining the domain.  LDAP Server and Port Number – the hostname or IP address of the domain controller, with the corresponding port number of the LDAP service.  Bind Identity and Bind Password – credentials used to bind to the directory.  Base DN – the LDAP distinguished name of the root of the search tree.
PAGE 95
The default settings for the “access_attr” and “access_attr_used_for_allow” settings mean that only users with the Remote Access Permission selected above will be authorized.
PAGE 96
The number of seconds to wait for the LDAP query to finish. timelimit = 3 The number of seconds the LDAP server has to process the query (server-side time limit). net_timeout = 1 The number of seconds to wait for a response from the LDAP server (network failures). use_mppe = yes If this option is set to ‘yes’, MS-CHAP authentication will return the RADIUS attribute MS-CHAP-MPPEKeys for MS-CHAPv1, and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.
PAGE 97
 LDAP Server and Port Number – the hostname or IP address of the LDAP server, with the corresponding port number of the LDAP service.  Security – select from one of these options:   Automatic – based on port number – LDAP connections to port 636 are encrypted using TLS, while all other port numbers use an unencrypted LDAP connection.
PAGE 98
 LDAP Filter – an optional LDAP filter expression that may be used to restrict the matching, over and above the standard filtering applied by usernames. For example, specifying the expression (objectClass=user) will ensure that only LDAP objects with the specified type will be matched.  Advanced Options – additional options controlling authentication against the directory.
PAGE 99
1. In the Name field, enter a name to uniquely identify this server. 2. (Optional) You can use the Description field to include additional information. 3. (Optional) To enable RADIUS authentication for this server, mark the check box in the Enabled row. 4. In the Rank row, enter a number to specify the ranking order for this server. Authentication servers are checked in order of increasing rank. 5. Under the Authorization heading, choose an authorization method from the Method drop-down list.
PAGE 100
 No authorization—Authenticate only may be used to remove all RADIUS attributes not related to authentication .   Use the common name of the client certificate to match a local user account may be specified for users authenticated via EAP-TLS on a client’s local certificate server.     The RADIUS server will return an Access-Accept or Access-Reject message indicating the result of the authentication attempt.
PAGE 101
 If the authentication is successful, the authorization code is evaluated. The user object returned from the external authentication server is available as the variable $user.  The PHP code should return one of the following values:  The ID of a user role (that is, an integer value) to assign that role to the external user.  NULL to indicate no role (that is, authentication only).
PAGE 102
 Use PHP code to assign a user role (Advanced) may be selected to return a role ID for users authenticated via EAP-TLS on a client’s local certificate server. The PHP authorization code is entered on the Edit Authentication Server form. The RADIUS Authentication diagnostic can be used to demonstrate the difference between the various authorization methods. To use the diagnostic, navigate to RADIUS Services > Server Control and click the Test RADIUS Authentication command link.
PAGE 103
Advanced Authorization — Example 1 This example covers the case where a domain contains several organizational units (OUs), and the users in each OU are to be mapped to a specific RADIUS role ID. To determine the appropriate role ID, navigate to RADIUS Services > User Roles and check the ID column for the appropriate role.
PAGE 104
returned. If no match is found, false is returned, which means that authorization fails and the user’s AccessRequest will be rejected. The in_array() comparison is done in a case-sensitive manner. Be sure to use the correct case as returned by the LDAP query for the group name. Also note that the complete distinguished name (DN) for the group must be specified, as this is the value checked for in the array of values returned for the ‘memberOf’ attribute.
PAGE 105
1. To specify the network layer to test against, mark the radio button in the Mode row for either the local RADIUS server or a remote RADIUS server. 2. To indicate the value for the User-Name field for outer authentication in the RADIUS access request, mark one of the radio buttons in the Identity row. You can use either the client’s local certificate’s common name or another value. 3. (Optional) You may enter a value in the MAC Address field for the Calling-Station-Id attribute. 4.
PAGE 106
3. In the Client Private Key row, browse to the file containing the client’s private key. This must be a base-64 encoded (PEM) or binary encoded (DER) private key file. 4. (Optional) In the Passphrase row, you may enter the passphrase for the client’s private key. 5. (Optional) To provide a file containing a CA certificate for verifying the server’s identity, you can use the Certificate Authority row to browse to the file. If you selected Copy and paste as text for the TLS identity: 1.
PAGE 107
The list displays the certificates that have been installed. By default, the list is empty. After selecting a certificate in the list, the following actions are available:  Show Details – display information about the certificate, including its unique “fingerprint” identifier and technical information about the certificate.  Export Certificate – download the certificate in one of several different formats (PKCS#7, base-64 encoded, binary X.509, or plain text).
PAGE 108
| RADIUS Services Amigopod 3.
PAGE 109
Chapter 5 Operator Logins An operator is a company’s staff member who is able to log in to the Amigopod Visitor Management Appliance. Different operators may have different roles that can be specified with an operator profile; these profiles could be to administer the Amigopod network, manage guests or run reports. Operators may be defined locally on the Amigopod Visitor Management Appliance, or externally in an LDAP directory server.
PAGE 110
See “About Operator Logins” in this chapter for details on configuring different forms and views for operator profiles. Operator Profiles An operator profile determines what actions an operator is permitted to take when using the Amigopod Visitor Management Appliance. Some of the settings in an operator profile may be overridden in a specific operator’s account settings. These customized settings will take precedence over the default values defined in the operator profile.
PAGE 111
The fields in the first area of the form identify the operator profile and capture any optional information: 1. You must enter a name for this profile in the Name field. 2. (Optional) You may enter additional information about the profile in the Description field. The fields in the second area of the form define permissions for the operator profile: 1. To disable a profile, unmark the Allow Operator Logins check box in the Enabled row.
PAGE 112
access. The default in all cases is No Access. This means that you must select the appropriate privileges in order for the profile to work. See “Operator Profile Privileges” in this chapter for details about the available access levels for each privilege. If you choose the Custom setting for an item, the form expands to include additional privileges specific to that item. Figure 13 Operator Profile Editor page—User roles and filters 4.
PAGE 113
Table 10 Operators supported in filters Operator Meaning Additional Information = is equal to != is not equal to You may search for multiple values when using the equality (=) or inequality !=) operators. To specify multiple values, list them separated by the pipe character ( | ).
PAGE 114
4. (Optional) In the Time Zone row, the Default setting indicates that the operator’s time zone will default to the system’s currently configured time zone. You can use the drop-down list to specify a particular time zone. Figure 14 Operator Profile Editor page—Custom forms and views 5. (Optional) In the Customization row, to specify that an operator profile should use a different form when creating a new visitor account, select the Override the application’s forms and views check box.
PAGE 115
Read Only Access means that the operator can see the options available but is unable to make any changes to them. Full Access means that all the options are available to be used by the operator. Custom access allows you to choose individual permissions within each group.
PAGE 116
Creating a New Operator Once you have a profile you can create an operator to use that profile. Any properties for the operator login that are set to (Default) are taken from the operator profile. The Operator Filter field lets you select from three other options besides Default:  No operator filter—All guest accounts display.  Only show accounts created by the operator—Only guest accounts created by the operator display. 116 | Operator Logins Amigopod 3.
PAGE 117
 Only show accounts by operators created within their profile—Only guest accounts created by all operators within a profile display. The User Account Filter and Session Filter fields are optional, and allow you to create and configure these filtering options:  The User Account Filter lets you create a filter for the user account list that cannot be overridden by the operator. This filter is designated by role and is persistent.
PAGE 118
When you click an operator login entry in the Operator Logins list, a menu appears that allows you to perform any of the following operations:  View/Hide Details—displays or hides configuration details for the selected operator login.
PAGE 119
Changing Operator Passwords To change the password for an operator, edit the operator login and type a new password in the “Operator Password” and “Confirm Password” password fields. You may also want to select “Force a password change on their next login” under Password Options to allow the operator to select a new password.
PAGE 120
Figure 15 Server Configuration page To specify a basic LDAP server connection (hostname and optional port number), use a Server URL of the form ldap://hostname/ or ldap://hostname:port/. See “Advanced LDAP URL Syntax” in this chapter for more details about the types of LDAP URL you may specify. Select the Enabled option if you want this server to authenticate operator logins. 120 | Operator Logins Amigopod 3.
PAGE 121
This form allows you to specify the type of LDAP server your system will use. Click the Server Type dropdown list and select one of the following options: Table 12 Server Type Parameters Server Type Required Configuration Parameters Microsoft Active Directory     POSIX Compliant:      Custom         RADIUS      Server URL: The URL of the LDAP server Bind DN: The password to use when binding to the LDAP server, or empty for an anonymous bind.
PAGE 122
Figure 16 LDAP Plugin Once you have completed the form, check your settings by clicking the Test Settings button. Use the Test Username and Test Password fields to supply a username and password for the authentication check. If the authentication is successful, the operator profile assigned to the username will be displayed. If the authentication fails, an error message will be displayed.
PAGE 123
Select any of the LDAP servers in the list to display options to perform the following actions on the selected server:  Edit—changes the properties of an LDAP server  Delete—removes the server from the LDAP server list  Duplicate—creates a copy of an LDAP server  Disable—temporarily disables a server while retaining its entry the server list  Enable—reenables a disabled LDAP server  Ping—sends a ping message (echo request) to the LDAP server to verify connectivity between the LDAP server an
PAGE 124
You can also verify operator authentication when you create a new LDAP server configuration using the Test Settings button on the LDAP Configuration form ( See “Creating an LDAP Server” in this chapter for a description). Looking Up Sponsor Names This option is only available if sponsor lookup has been enabled for the server on the Edit Authentication Server page. 1.
PAGE 125
Table 13 LDAP Error Messages (Continued) 773 User must reset password 775 User account is locked Other items to consider when troubleshooting LDAP connection problems:  Verify that you are using the correct LDAP version – use ldap:// for version 2 and ldap3:// to specify LDAP version 3.  Verify that you are using an SSL/TLS connection – use ldaps:// or ldap3s:// as the prefix of the Server URL.
PAGE 126
To create a new LDAP translation rule: 1. In the Name field, enter a self-explanatory name for the translation rule. In the example above the translation rule is to check that the user is an Administrator, hence the name MatchAdmin. 2. Select the Enabled check box to enable this rule once you have created it. If you do not select this check box, the rule you create will appear in the rules list, but will not be active until you enable it. 3. Click the Matching rule drop-down list and select a rule.
PAGE 127
Translation rules are processed in order, until a matching rule is found that does not have the Fallthrough field set. To edit the matching rule list, select an entry in the table to display a menu that lets you perform the following actions:  Edit – changes the configuration of matching rule.  Delete – removes matching rule from the list.  Duplicate – creates a duplicate copy of an existing rule  Disable – temporarily disables the rule without deleting it from the rule list.
PAGE 128
For example, to permit non-administrator users to access the system only between the hours of 8am and 6pm, you could define the following LDAP translation rule. The Custom rule is: {strip} {if stripos($user.memberof, "CN=Administrators")!==false} 1 {elseif date('H') >= 8 && date('H') < 18} 1 {else} 0 {/if} {/strip} Explanation: The rule will always match on the “memberof” attribute that contains the user’s list of groups.
PAGE 129
Operator Logins Configuration You are able to configure a message on the login screen that will be displayed to all operators. This must be written in HTML. You may also use template code to further customize the appearance and behavior of the login screen. Options related to operator passwords may also be specified, including the complexity requirements to enforce for operator passwords.
PAGE 130
Para entrar en el web demo de Amigopod,
necesitas un nombre y contraseña.

Si no tienes un login, puedes obtener uno
contactando con Aruba Networks.
{else}
The Amigopod demo site
requires a username and password.

If you don’t have a login,
contact Aruba Networks to obtain one.
PAGE 131
Advanced Operator Login Options The following options are available in the Logging drop-down list:  No logging  Log only failed operator login attempts  Log only Web logins  Log only XMLRPC access  Log all access Log messages for operator logins, whether successful or unsuccessful, are shown in the application log. Automatic Logout The Logout After option in the Advanced Options section lets you to configure an idle time, after which an operator’s session will be ended.
PAGE 132
| Operator Logins Amigopod 3.
PAGE 133
Chapter 6 Guest Management The ability to easily create and manage guest accounts is the primary function of the Amigopod Visitor Management Appliance. Guest Manager provides complete control over the user account creation process. Using the built-in customization editor you can customize fields, forms and views as well as the forms for guest selfregistration.
PAGE 134
Sponsored Guest Access The following figure shows the process of sponsored guest access. See Figure 17. Figure 17 Sponsored guest access with guest created by operator The operator creates the guest accounts and generates a receipt for the account. The guest logs on to the Network Access Server (NAS) using the credentials provided on her receipt. The NAS authenticates and authorizes the guest’s login using the Amigopod Visitor Management Appliance. Once authorized, the guest is able to access the network.
PAGE 135
See “Customizing Self Provisioned Access” in this chapter for details on creating and managing selfregistration pages.
PAGE 136
To complete the form, first enter the visitor’s details into the Sponsor’s Name, Visitor Name, Company Name and Email Address fields. The visitor’s email address will become their username to log into the network. You can specify the account activation and expiration times. The visitor account cannot be used before the activation time, or after the expiration time. The Account Role specifies what type of account the visitor should have. A random password is created for each visitor account.
PAGE 137
To print a receipt for the visitor, select an appropriate template from the Open print window using template… list. A new Web browser window will open and the browser’s Print dialog box will be displayed. Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt form to enter the mobile telephone number to which the receipt should be sent. Sending SMS receipts requires the SMS Services plugin.
PAGE 138
To complete the form, you must enter the number of visitor accounts you want to create. A random password will be created for each visitor account. This is not displayed on this form, but will be available on the guest account receipt. You can specify the account activation and expiration times. The visitor accounts cannot be used before the activation time, or after the expiration time. To create temporary “scratch card” accounts, you may specify a value for the Account Lifetime.
PAGE 139
 Lifetime – the account lifetime in minutes, or N/A if the account does not have a lifetime specified  Successful – “Yes” if the account was created successfully, or “No” if there was an error creating the account Managing Guest Accounts Use the Guest Manager Accounts list view to work with individual guest accounts. To open the Guest Manager Accounts list, go to Guests > List Guest Accounts. This view (guest_users) may be customized by adding new fields or modifying or removing the existing fields.
PAGE 140
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators: Table 15 Operators supported in filters Operator Meaning Additional Information = is equal to != is not equal to You may search for multiple values when using the equality (=) or inequality !=) operators.
PAGE 141
Click the Update Account button to reset the guest account’s password. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details.  Change expiration – Changes the expiration time for a guest account. . This form (change_expiration) may be customized by adding new fields, or modifying or removing the existing fields.
PAGE 142
This form may be customized by adding new fields, or modifying or removing the existing fields. Refer to the section of this chapter for details about this customization process. This is the guest_edit form. Click the Update Account button to update the properties of the guest account. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details.  Sessions – Displays the active sessions for a guest account.
PAGE 143
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators: Table 16 Operators supported in filters Operator Meaning Additional Information = is equal to != is not equal to You may search for multiple values when using the equality (=) or inequality !=) operators.
PAGE 144
Use the selection row at the top of the table to work with the current set of selected accounts. The number of currently selected accounts is shown. When a filter is in effect, the “All Matching” link can be used to add all pages of the filtered result to the selection. Use the Create tab to create new visitor accounts using the Create Guest Accounts form. See “Managing Multiple Guest Accounts” in this chapter for details about this form.
PAGE 145
. To complete the form, you must either specify a file containing account information, or type or paste in the account information to the Accounts Text area. Select the Show additional import options check box to display the following advanced import options:  Character Set: The Amigopod Visitor Management Appliance uses the UTF-8 character set encoding internally to store visitor account information.
PAGE 146
In this example, the following data was used: username,visitor_name,password,expire_time demo005,Demo five,secret005,2011-06-10 09:00 demo006,Demo six,secret006,2011-06-11 10:00 demo007,Demo seven,secret007,2011-06-12 11:00 demo008,Demo eight,secret008,2011-06-13 12:00 demo009,Demo nine,secret009,2011-06-13 12:00 demo010,Demo ten,secret010,2011-06-13 12:00 demo011,Demo eleven,secret011,2011-06-13 12:00 Because this data includes a header row that contains field names, the corresponding fields have been aut
PAGE 147
Click the Next Step button to preview the final result. Step 3 of 3 displays a preview of the import operation. The values of each guest account field are determined, and any conflicts with existing user accounts are displayed. The icon displayed for each user account indicates if it is a new entry ( be updated ( ). ) or if an existing user account will By default, this form shows ten entries per page.
PAGE 148
Exporting Guest Account Information Guest account information may be exported to a file in one of several different formats. Click the appropriate command link to save a list of all guest accounts in comma-separated values (CSV), tab-separated values (TSV), or XML format. This view (guest_export) may be customized by adding new fields, modifying or removing the existing fields. See “Customizing Self Provisioned Access” in this chapter for details about this customization process.
PAGE 149
 SMS and email receipts – Include a short text message with your guest’s username and password, or send HTML emails containing images.  Advanced customization – The Amigopod Visitor Management Appliance is flexible and can be used to provide location sensitive content and advertising. Default Settings for Account Creation The Guest Manager plugin configuration holds the default settings for account creation.
PAGE 150
   Username Length –This field is displayed if the Username Type is set to “Random digits”, “Random letters”, “Random letters and digits” or “Sequential numbering”. The default length of random account usernames (when creating groups of accounts). This may be overridden by using the random_username_length field.  Username Format – This field is displayed if the Username Type is set to “Format picture”. It sets the format of the username to be created.
PAGE 151
Figure 20 Customize Guest Manager page (part 2)—continued  Expire Action – Default action to take when the expiration time is reached. There are four options. A logout can only occur if the NAS is RFC-3576 compliant.  Account Retention – Deleted user accounts are available for reporting purposes. The default value is 1 year after the user account is deleted. If you do not want to retain any data, set the value to 0.
PAGE 152
Figure 21 Customize Guest Manager page (part 3)—continued  Lifetime Options – Default values for account lifetimes. These options are displayed as the values of the “Account Lifetime” field when creating a user account.  Terms of Use URL – URL of a terms and conditions page provided to sponsors. You may upload an HTML file describing the terms and conditions of use using the Content Manager ( See “Content Manager” in the Administrator Tasks chapter). If this file is called terms.
PAGE 153
 Password Display – Select the “View guest account passwords” to enable the display of visitor account passwords in the user list. To reveal passwords, the password field must be added to the “guest_users” or “guest_edit” view, and the operator profile in use must also have the View Passwords privilege.  Initial Sequence – This field contains the next available sequence number for each username prefix that has been used.
PAGE 154
 modify_password: This field controls password modification for the visitor account.
PAGE 155
Visitor Account Expiration Properties  do_expire, modify_expire_time, expire_after and expire_time: These fields are used to determine the time at which the visitor account will expire.  If modify_expire_time is “none”, then the account has no expiration time set.  If modify_expire_time is “now”, then the account is disabled and has no expiration time set.
PAGE 156
“Logout” indicates that a RADIUS Disconnect-Request will be used for all active sessions that have a username matching the account username. This option requires the NAS to support RFC 3576 dynamic authorization. See “RFC 3576 Dynamic Authorization” in this chapter for more information. Standard Fields See “Field, Form and View Reference” in the Reference chapter for a listing of the standard fields shipped with the Amigopod Visitor Management Appliance.
PAGE 157
Table 18 Visitor Management Forms and Views (Continued) guest_sessions View Active Sessions Yes guest_users View List Accounts Yes remove_account Form Remove Account No reset_password Form Reset Password No These forms are accessed directly:  create_multi form – multiple account creation  create_user form – sponsored account creation  guest_register form – guest self-registration form These forms are accessed through the action row of the guest_users view:  change_expiration form
PAGE 158
Creating a Custom Field To create a custom field click the Create tab at the top of the window or the at the bottom of the window. The Create Field form is displayed. Create a new field link The Field Name is not permitted to have spaces but you can use underscores. Enter a description in the Description field. You can enter multiple-line descriptions which result in separate lines displayed on the form. The Field Type can be one of String, Integer, Boolean or No data type.
PAGE 159
You can specify the default validation rules that should be applied to this field when it is added to a form. See “Form Validation Properties” in this chapter for further information about form validation properties. Select the Show advanced properties check box to reveal additional properties related to conversion, display and dynamic form behavior. See “View Field Editor” in this chapter for more information about advanced properties. Click the Save Changes button to complete the creation of a new field.
PAGE 160
The list displays the views that use the selected field. It also allows you to edit the view’s fields by clicking on the Edit Fields link. Clicking on the Use link displays the view. If the field is used on multiple views, you are able to select which view you would like to see. Customization of Forms and Views You are able to view a list of forms and views. From this list view, you can change the layout of forms or views, add new fields to a form or view, or alter the behavior of an existing field.
PAGE 161
The duplicated form or view has a name derived from the original, which cannot be changed. Use the Title and Description properties of the duplicated item to describe the intended purpose for the form or view. Click the it. Show Usage link for a duplicated form or view to see the operator profiles that are referencing Click the Delete link for a duplicated form or view to remove the copy. A duplicated item cannot be removed if it is referenced by an operator login account or an operator profile.
PAGE 162
form submit is successful and a summary of the values submitted is displayed. This allows you to verify any data conversion and formatting rules you have set up. Form Field Editor The form field editor is used to control both the data gathering aspects and user interface characteristics of a field. Each field can only appear once on a form. The Field Name selects which underlying field is being represented on the form.
PAGE 163
 CAPTCHA security code – A distorted image of several characters is shown. The image may be regenerated, or played as an audio sample for visually impaired users. When using the recommended validator for this field (NwaCaptchaIsValid), the security code must be matched or the form submit will fail with an error.  Check box – A check box is displayed for the field. The check box label can be specified using HTML.
PAGE 164
Because an array value may not be stored directly in a custom field, you should use the conversion and value formatting facilities to convert the array value to and from a string when using this user interface type. To store a comma-separated list of the selected values, enable the Advanced options, select “NwaImplodeComma” for Conversion, select “NwaExplodeComma” for Display Function and enter the field’s name for Display Param.
PAGE 165
How this works: Suppose the first two check boxes are selected (in this example, with keys “one” and “two”). The incoming value for the field will be an array containing 2 elements, which can be written as array("one", "two"). The NwaImplodeComma conversion is applied, which converts the array value into the string value “one,two”, which is then used as the value for the field.
PAGE 166
 File upload – Displays a file selection text field and dialog box (the exact appearance differs from browser to browser). File uploads cannot be stored in a custom field. This user interface type requires special form implementation support and is not recommended for use in custom fields.  Hidden field – If Hidden Field is selected in the User Interface drop-down list, the field is not displayed to the user, but is submitted with the form.
PAGE 167
 Password text field – The field is displayed as a text field, with input from the user obscured. The text typed in this field is submitted as the value for the field. Amigopod 3.
PAGE 168
 Radio buttons – The field is displayed as a group of radio buttons, allowing one to be selected. The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field. The “Vertical” and “Horizontal” layout styles control whether the radio buttons are organized in top-tobottom or left-to-right order. The default is “Vertical” if not specified.
PAGE 169
 Static text (Raw value) – The field’s value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links and font formatting. Use caution when using this type of user interface element, particularly if the field’s value is collected from visitors. Allowing HTML from untrusted sources is a potential security risk. To set the value of this field, use the Initial Value option in the form field editor.
PAGE 170
 Static group heading – The label and description of the field is used to display a group heading on the form. The field’s value is not used, and the field is not submitted with the form. When using this user interface element, it is recommended that you use the “nwaImportant” CSS class to visually distinguish the group heading’s title.  Submit button – The field is displayed as a clickable form submit button, with the label of the field the label of the button. The description is not used.
PAGE 171
 Text area – The field is displayed as a multiple-line text box. The text typed in this box is submitted as the value for the field. It is recommended that you specify the desired minimum dimensions of the text area, either with the Rows and Columns options, or by specifying a width in the CSS Style (for example, “width: 460px; height: 100px;” specifies a 460 x 100 pixel minimum area).  Text field – The field is displayed as a single-line text box.
PAGE 172
Form Validation Properties The form validation properties control the validation of data entered into a form. By specifying appropriate validation rules, you can detect when users attempt to enter incorrect data and require them to correct their mistake. The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the field’s value.
PAGE 173
All fields must be successfully validated before any form processing can take place. This ensures that the form processing always has user input that is known to be valid. To validate a specific field, choose a validator from the drop-down list. See “Form Field Validation Functions” in the Reference chapter for a description of the built-in validators. The Validator Param is the name of a field on the form, the value of which should be passed to the validator as its argument.
PAGE 174
Furthermore, note that blank values, or non-numeric values, will result in a different error message: The reason for this is that in this case, the validation has failed due to a type error – the field is specified to have an integer type, and a blank or non-numeric value cannot be converted to an integer. To set the error message to display in this case, use the Type Error option under the Advanced Properties.
PAGE 175
Advanced Form Field Properties The Advanced Properties control certain optional form processing behaviors. You can also specify JavaScript expressions to build dynamic forms similar to those found elsewhere in the Amigopod Visitor Management Appliance user interface. On the Customize Form Fields page, select the Show advanced properties check box to display the advanced properties in the form field editor.
PAGE 176
 If a preliminary value was provided for the field but the guest’s entered value does not need to match case or all characters, choose Guest must supply field from the drop-down list. For example, a bulk account creation might use random usernames, and each visitor’s entry in that field would not need to match exactly.  If a preliminary value was provided for the field and the guest’s entered value must match case or all characters, choose Guest must supply field (match case) from the drop-down list.
PAGE 177
The Conversion step should be used when the type of data displayed in the user interface is different from the type required when storing the field. For example, consider a form field displayed as a date/time picker, such as the expire_time field used to specify an account expiration time on the create_user form. The user interface is displayed as a text field, but the value that is required for the form processing is a UNIX time (integer value).
PAGE 178
A comparison of these two approaches is shown below to illustrate the difference: When using a Conversion or Value Format function, you will almost always have to set up a Display Function for the form field. This function is used to perform the conversion in the reverse direction – between the internal stored value and the value displayed in the form field.
PAGE 179
Most user interface elements support the value property to retrieve the current value. For check boxes, however, use the checked property to determine if the check box is currently selected. The most practical use for this capability is to hide a form field until a certain value of some other related field has been selected. For example, the default create_user form has an Account Expiry drop-down list.
PAGE 180
Use the Edit Base Field link to make changes to an existing field definition. Any changes made to the field using this editor will apply to all views that are using this field (except where the view field has already been modified to be different from the underlying field definition). The Insert Before and Insert After links can be used to add a new column to the view. Clicking one of these links will open a blank view field editor and automatically set the rank number of the new column.
PAGE 181
 Boolean – Enabled/Disabled – The value of the field is converted to Boolean and displayed as “Enabled” or “Disabled”.  Boolean – On/Off – The value of the field is converted to Boolean and displayed as “On” or “Off”.  Date – The value of the field is assumed to be a UNIX timestamp value and is displayed as a date and time.
PAGE 182
Figure 23 Sequence diagram for guest self-registration . The captive portal redirects unauthorized users [1] to the register page [2]. After submitting the registration form [3], the guest account is created and the receipt page is displayed [4] with the details of the guest account. If NAS login is enabled, submitting the form on this page will display a login message [5] and automatically redirect the guest to the NAS login [6].
PAGE 183
The Register Page is the name of a page that does not already exist. There are no spaces in this name. This page name will become part of the URL used to access the self provisioning page. For example, the default “guest_register” page is accessed using the URL guest_register.php. Click the Save Changes button to save the self registration page. A diagram of the self registration process is displayed. Click the Save and Continue button to proceed to the next step of the setup.
PAGE 184
Figure 24 Guest self-registration process . A guest self-registration page consists of many different settings, which are divided into groups across several pages. Click an icon or label in the diagram to jump directly to the editor for that item. Basic Properties for Self-Registration Click the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration.
PAGE 185
values, select the Guest Self-Registration (guest_register) option from the Parent field drop-down menu. Paying for Access If you select a standalone self -registration, (No parent- standalone) option you can also configure the Hotspot option. You can configure this setting so that registrants have to pay for access.
PAGE 186
 1.2.3.4/24 – IP address with network prefix length  1.2.3.4/255.255.255.0 – IP address with explicit network mask Use the Deny Behavior drop-down list to specify the action to take when access is denied. The Time Access field allows you to specify the days and times that self-registration is enabled. Times must be entered in 24-hour clock format.
PAGE 187
3. Click the Register Page link, or one of the Title, Header or Footer fields for the Register Page. Template code for the title, header, and footer may be specified. See “Smarty Template Syntax” in the Reference chapter for details on the template code that may be inserted. Select the Do not include guest registration form contents check box to override the normal behavior of the registration page, which is to display the registration form between the header and footer templates.
PAGE 188
 The auto_update_account field is set by default. This is to ensure that a visitor who registers again with the same email address has their existing account automatically updated. Receipt Page Properties Click the Receipt Page link or one of the Title, Header or Footer fields for the Receipt Page to edit the properties of the receipt page. This page is shown to guests after their visitor account has been created.
PAGE 189
Receipt Actions Click the Actions link to edit the actions that are available once a visitor account has been created. . Download and Print Actions Select the Download or Print check box to enable the template and display options to deliver a receipt to the user as a downloadable file, or display the receipt in a printable window in the visitor’s browser. Amigopod 3.
PAGE 190
Email Delivery of Receipts The Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery. When email delivery is enabled, the following options are available to control email delivery:  Disable sending guest receipts by email – Email receipts are never sent for a guest registration.
PAGE 191
These options under Enabled are available to control delivery of SMS receipts:  Disable sending guest receipts by SMS – SMS receipts are never sent for a guest registration.  Always auto-send guest receipts by SMS – An SMS receipt is always generated using the selected options, and will be sent to the visitor’s phone number.
PAGE 192
If automatic guest login is not enabled, the submit button on the receipt page will not be displayed, and automatic NAS login will not be performed. Many of the properties on this page are the same as for a RADIUS Web Login page. For details about specifying NAS login settings, extra fields, or URL redirection parameters, See “Creating a Web Login Page” in the RADIUS Services chapter. Login Page Properties Click the Title or Login Message fields for the login page to edit the properties of the login page.
PAGE 193
The login page consists of two separate parts: the login form page, and a login message page. The login form page contains a form prompting for the guest’s username and password. The title, header and footer of this page can be customized. If the Provide a custom login form option is selected, then the form must also be provided in either the Header HTML or Footer HTML sections.
PAGE 194
The self-service portal is accessed through a separate link that must be published to guests. The page name for the portal is derived from the registration page name by appending “_portal”. When the self-service portal is enabled, a Go To Portal link is displayed on the list of guest selfregistration pages, and may be used to determine the URL that guests should use to access the portal.
PAGE 195
session (that is, the guest’s HTTP client address is the same as the RADIUS Framed-IP-Address attribute for an active session). The Password Generation drop-down list controls what kind of password reset method is used in the portal. The default option is “Passwords will be randomly generated”, but the alternative option “Manually enter passwords” may be selected to enable guests to select their own password through the portal.
PAGE 196
Next, enable the “Required Field” option in the Self-Service Portal properties. Setting this to (Secret Question) will ask the guest the secret_question and will only permit the password to be reset if the guest supplies the correct secret_answer value.
PAGE 197
character used in the plain text template will be displayed below the preview. If you are including a guest account’s email address in the SMS, remember to allow for lengthy email addresses (up to 50 characters is a useful rule of thumb). Creating New Print Templates Print templates can be defined using the Create new print template link. This opens a window with four parts. The first part lists the variables that can be used in the template together with their meaning and an example of each.

PAGE 198

{if $u.guest_name} {/if} If this code is placed in the User Account HTML section it will cater for the create, edit and delete options.

Click the Create Template button to save your newly created print template and return to the list. Modifying Wizard-Generated Templates Once you have created a print template using the print template wizard, you can return to the wizard to modify it. Click the Edit print template code (Advanced) link to use the standard print template editor. See “Creating New Print Templates” in this chapter for a description.

PAGE 200

 Read-only access – the print template is visible in the list, and the settings for it may be viewed. The print template cannot be edited or deleted.  Update access – the print template is visible in the list, and may be edited. The print template cannot be deleted and the permissions for the print template cannot be modified.  Update and delete access – the print template is visible in the list, and may be edited or deleted. The permissions for the print template cannot be modified.

PAGE 201

Create the Print Template By default, the print templates include username, password, expiration, as well as other options. For the purpose of access codes, we only want the username presented. This access code login example bases the print template off an existing scratch card templates. 1. Navigate to Customization > Print Templates. 2. Select Two-column scratch cards and click Duplicate. 3. Select the Copy of Two-column scratch cards template, then click Edit. 4.

PAGE 202

Customize the Guest Accounts Form Next, modify the Guest Accounts form to add a flag that to allows access-code based authentication. 1. Navigate to Customization > Forms & Views. 2. In the Customize Forms & Views list, select create_multi and then click Edit Fields. 3. In the Edit Fields list, look for a field named username_auth. If the field exists, but is not bolded and enabled, select it and click Enable Field.

PAGE 203

2. Select the Username Authentication field added in the procedure above. (If you do not select this check box and if the username is entered on the login screen, the authentication will be denied.) The example shown below will create 10 accounts that will expire in two weeks, or fours hours after the visitors first log in, whichever comes first. . 3. Click Create Accounts to display the Finished Creating Guest Accounts page.

PAGE 204

4. Confirm that the accounts settings are as you expected with respect to letters and digits in the username and password, expiration, and role. 5. Click the Open print window using template drop-down list and select the new print template you created using this procedure. See “Create the Print Template” for a description of this procedure. A new window or tab will open with the cards.

PAGE 205

Figure 25 MAC Authentication Plugin—Configuration On the controller, the fields look as follows: Figure 26 MAC Authentication Profile Managing Devices To view the list of current MAC devices, go to Guests > List Devices. The Guest Manager Devices page opens. Amigopod 3.

PAGE 206

All devices created by one of methods described in the following section are listed. Options on the form let you change a device’s account expiration date; remove, activate, or edit the device; view active sessions or details for the device; or print details, receipts, confirmations, or other information. You can use the Filter field to narrow the search parameters.

PAGE 207

1. In the Account Expiration row, choose one of the options in the drop-down list to set an expiration date:  If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list.  If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker.

PAGE 208

Activating a Device To activate a disabled device’s account, click the device’s row in the Guest Manager Devices list, then click its Activate link. The row expands to include the Enable Guest Account form. 1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate the account. You may choose an interval, or you may choose to specify a time. 2. If you choose Activate at specified time, the Activation Time row is added to the form.

PAGE 209

2. If you need to change the activation time, choose one of the options in the Account Activation dropdown list. You may choose to activate the account immediately, at a preset interval of hours or days, or at a specified time.  If you choose Activate at a specified time, the Activation Time row is added to the form. Click the button to open the calendar picker.

PAGE 210

Viewing Current Sessions for a Device To view any sessions that are currently active for a device, click the Sessions link in the device’s row on the Guest Manager Devices form. The Active Sessions list opens. For more information, see “Active Sessions Management”. Viewing and Printing Device Details To print details, receipts, confirmations, or other information for a device, click the device’s row in the Guest Manager Devices list, then click its Print link.

PAGE 211

1. In the Sponsor’s Name row, enter the name of the person sponsoring the visitor account. 2. Enter the name for the device in the Device Name row. 3. Enter the address in the MAC Address row. If you need to modify the configuration for expected separator format or case, go to Administrator > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication Plugin. 4. Choose one of the options in the Account Activation drop-down list.

PAGE 212

5. To set the account’s expiration time, choose one of the options in the Account Expiration drop-down list. You may set the account to never expire, or to expire at a preset interval of hours or days, or at a specified time.  If you choose any time in the future, the Expire Action row is added to the form. Use this dropdown list to indicate the expiration action for the account—either delete, delete and log out, disable, or disable and log out.

PAGE 213

Figure 27 Modify fields Edit the receipt form fields:  Edit username to be a Hidden field  Edit password to be a Hidden field Adjust any headers or footers as needed. When the visitor registers, they should be able to still log in via the Log In button. The MAC will be passed as their username and password via standard captive portal means. The account will only be visible on the List Devices page.

PAGE 214

   UI: Hidden field  Field Required: optional  Validator: IsValidMacAddress Add or enable mac_auth_pair  UI: Hidden field  Initial Value: -1 Any other expiration options, role choice, surveys and so on can be entered as usual. You will see an entry under both List Accounts and List Devices. Each should have a View Pair action that cross links the two. Note if you delete the base account, all of its pairings will also be deleted.

PAGE 215

&& NwaDynamicLoad('NwaNormalizeMacAddress') // Required call && ($mac=NwaNormalizeMacAddress(GetAttr('Calling-Station-Id'))) // All MACs need to be normalized && ((!empty($user['id']) && NwaCreateUser(array(// We are caching the MAC for a local user account 'creator_accept_terms'=>1, 'mac_auth'=>1, // Flag as a MAC so it shows in List Devices 'mac'=>$mac, // The normalized MAC 'mac_auth_pair'=>$user['id'], // Formally pair the two accounts. Cross links and whatnot in the GUI.

PAGE 216

Figure 28 RADIUS Role Editor Note that modify_expire_time supports any valid syntax of strtotime. 216 | Guest Management Amigopod 3.

PAGE 217

Importing MAC Devices The standard Guests > Import Guests supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth. mac_auth,mac,notes 1,aa:aa:aa:aa:aa:aa,Device A 1,bb:bb:bb:bb:bb:bb,Device B 1,cc:cc:cc:cc:cc:cc,Device C Any of the other standard fields can be added similar to importing regular guests. Advanced MAC Features 2-Factor Authentication 2-factor authentication checks against both credentials and the MAC address on record.

PAGE 218

Navigate to Administrator > Plugin Manager > Manage Plugins: MAC Authentication: Configuration and enable MAC Detect. Edit the header of your redirect landing page (login or registration) and include the following:

{if $guest_receipt.u.visitor_name} Welcome back to the show, {$guest_receipt.u.

PAGE 219

To view and manage active sessions for the RADIUS server, go to Guests > Active Sessions. The Active Sessions list opens. You can use this list to modify, disconnect or reauthorize, or send SMS notifications for active visitor sessions; manage multiple sessions; or customize the list to include additional fields.  On the Manage Multiple Sessions form, the start time of each session is used to select the sessions to work with.

PAGE 220

Session States A session may be in one of three possible states:  Active—An active session is one for which the RADIUS server has received an accounting start message and has not received a stop message, which indicates that service is being provided by a NAS on behalf of an authorized client. While a session is in progress, the NAS sends interim accounting update messages to the RADIUS server. This maintains up-to-date traffic statistics and keeps the session active.

PAGE 221

Filtering the List of Active Sessions You can use the Filter tab to narrow the search parameters and quickly find all matching sessions: Enter a username or IP address in the Filter field. Additional fields can be included in the search if the “Include values when performing a quick search” option was selected for the field within the view. To control this option, use the Choose Columns command link on the More Options tab.

PAGE 222

Closing All Stale Sessions Immediately By default, the Close Stale Sessions option is selected when the Manage Multiple Sessions form opens. This option allows you to quickly close all stale sessions with one click. Stale sessions should be closed to keep accounting statistics accurate.  To close all stale sessions, leave the Close Stale Sessions radio button marked and click Make Changes. All stale sessions are closed and are removed from the Active Sessions list.

PAGE 223

5. Use the Session Stop drop-down list to specify how the stop time will be calculated for each session.  If you choose Use session start time, the session will be closed when you commit your changes on this form.  To specify a range of time after a session’s start time, choose one of the options for hours, day, or week. Sessions will be closed when that amount of time has elapsed after the start time. Since this setting is relative to start time, each session may be closed at a different time.

PAGE 224

3. Use the Start Time row to indicate the beginning of the time range for selecting sessions. To specify a time for the beginning of the range, click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.  If this field is left empty, the earliest available session start time is used.

PAGE 225

 If you choose Use session start time, the session will be closed when you commit your changes on this form.  To specify a range of time after a session’s start time, choose one of the options for hours, day, or week. Sessions will be closed when that amount of time has elapsed after the start time. Because this setting is relative to start time, each session may be closed at a different time.  To specify a range of time that is not included in the list, select the Specify another value option.

PAGE 226

2. Use the Start Time row to indicate the beginning of the time range for selecting sessions. To specify a time for the beginning of the range, click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.  If this field is left empty, the earliest available session start time is used.

PAGE 227

3. Enter the message in the Message text box. Messages may contain up to 160 characters. 4. Click Send. SMS Services With SMS Services, you can configure the Amigopod Visitor Management Appliance to send SMS messages to guests. You can use SMS to send a customized guest account receipt to your guest’s mobile phone. You are also able to use SMS Services to send an SMS from your Web browser. To use the SMS features of the Amigopod Visitor Management Appliance, you must have the SMS Services plugin installed.

PAGE 228

The SMS Gateways window displays the name and available credits for any currently defined SMS gateways. To create a new SMS gateway, click the Create new SMS gateway link to display the SMS Service Configuration form. If your country uses a national dialing prefix such as “0”, you may enter this on the form. When sending an SMS to a number that starts with the national dialing prefix, the prefix is removed and replaced with the country code instead.

PAGE 229

The New SMS Message form appears . Complete the form by typing in the SMS message and entering the mobile phone number that you are sending the SMS to. If multiple services are available, you may also choose the service to use when sending the message. The SMS is limited to a maximum length of 160 characters. The number of remaining characters is displayed on this form. Click the Send Message button to send the SMS. About SMS Credits Each SMS message sent consumes one credit.

PAGE 230

The Amigopod Visitor Management Appliance may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand. To manually send an SMS receipt, navigate to the Guests > List Accounts window, select the guest to which you want to send a receipt, then click the Send SMS receipt link displayed on the guest account receipt page.

PAGE 231

Figure 29 Configure SMS Services Plugin SMS Receipt – Select the print template to be used when an SMS receipt is created. The print template used for the receipt must be in plain text format.  Phone Number Field – Select which guest account field contains the guest’s mobile telephone number. This field is used to determine the SMS recipient address. Amigopod 3.

PAGE 232

 Auto-Send Field – Select a guest account field which, if set to a non-empty string or non-zero value, will trigger an automatic SMS when the guest account is created or updated. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.

PAGE 233

Figure 30 Customize SMS Receipt page SMS Receipt Fields The behavior of SMS receipt operations can be customized with certain guest account fields. You can override global settings by setting these fields.  sms_enabled – This field may be set to a non-zero value to enable sending an SMS receipt. If unset, the default value is true.  sms_handler_id – This field specifies the handler ID for the SMS service provider. If blank or unset, the default value from the SMS plugin configuration is used.

PAGE 234

values “_Disabled” and “_Enabled” may be used to never send an SMS or always send an SMS, respectively.  sms_warn_before_message – This field overrides the logout warning message. If blank or unset, the default value from the Customize SMS Receipt page is used. The logic used to send an SMS receipt is:  If SMS receipts are disabled, take no action.  Otherwise, check the auto-send field.  If it is “_Disabled” then no receipt is sent.  If it is “_Enabled” then continue processing.

PAGE 235

Email receipts may be sent manually by clicking the account receipt page. Send email receipt link displayed on the guest When using guest self-registration, the Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery.

PAGE 236

Email Receipt Options The Customize Email Receipt form may be used to set default options for visitor account email receipts. Figure 31 Customize Email Receipt page The Subject line may contain template code, including references to guest account fields. The default value, Visitor account receipt for {$email}, uses the value of the email field. See “Smarty Template Syntax” in the Reference chapter for more information on template syntax.

PAGE 237

 Do not send copies – The Copies To list is ignored and email is not copied.  Always send using ‘cc:’ – The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available).  Always send using ‘bcc:’ – The Copies To list is always sent a blind copy of any guest account receipt (even if no guest account email address is available).

PAGE 238

SMTP Receipt Fields The behavior of email receipt operations can be customized with certain guest account fields. You do this on a per user basis.  smtp_enabled – This field may be set to a non-zero value to enable sending an email receipt. If unset, the default value from the email receipt configuration is used.

PAGE 239

 smtp_warn_before_template_id – This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is “default”, the default template ID under the Logout Warnings section on the email receipt configuration is used.  smtp_warn_before_receipt_format – This field overrides the email format under Logout Warnings to use for the receipt.

PAGE 240

| Guest Management Amigopod 3.

PAGE 241

Chapter 7 Report Management The Reporting Manager provides you with a set of tools to summarize the visitor accounts that have been created and analyze the accounting data collected by the RADIUS server. Through the predefined reports and the custom reports you can create using the report editor, you can get a complete picture of the network usage of your guests.

PAGE 242

 Number of concurrent sessions by role – This report shows the number of concurrent sessions according to the user’s role across a time interval.  Number of sessions per NAS – This report shows the total number of sessions per NAS in the selected period.  Number of sessions per day – This report shows the total number of sessions per day.  Number of users per day – This report shows the number of distinct users per day.

PAGE 243

Run The Run option allows you to change the date range of the report before it is run. Choose a time period for the report from the Date Range drop-down list. If the report definition includes any additional parameters that have a user interface, these will also be displayed as part of the Report Options form. Click the Run Report button to generate the report using the selected parameters. A progress window will appear as the report is generated, and then the report will be displayed automatically.

PAGE 244

The Report Type editor allows you to change the defaults for the Date Range and the Formats for the report you have selected. If you want to change the default for another report you must also edit that report. Click the Save Changes button to have these changes become the new default. Delete a Report You can delete any predefined reports by selecting the report and clicking the Delete link. You are asked to confirm the deletion. Once you delete a report, it is permanently deleted.

PAGE 245

 No access – the report is not visible on the list, and cannot be used, edited, duplicated, or deleted.  Visible-only access – the report is visible in the list. It can be viewed in HTML but cannot be edited  Read-only access – the report is visible in the list and it may be viewed and duplicated. The report cannot be edited or deleted.  Update access – the report is visible in the list and may be duplicated and edited.

PAGE 246

Exporting Report Definitions Report definitions may be exported to a file and later imported. This provides an easy way to move reports from one appliance to another. Click the More Options tab at the top of the report list to access the Export Reports command link. (This link also appears on the Reporting start page.) Use the check boxes to select the reports to export.

PAGE 247

Importing report Definitions Report definitions may be imported from a file that has been generated with the Export Reports command. Click the More Options tab at the top of the report list to access the Import Reports command link. (This link also appears on the Reporting start page.) You may select a file to upload using your Web browser, or alternatively the report definition may be pasted into the text area provided.

PAGE 248

About Custom Reports The Report Editor is used to build a custom report. The process used to generate a report is shown in the figure below. In this diagram, the arrows represent the flow of data, while the icons represent the processing stages that the data goes through. Figure 33 Report generation process . Starting from the top left, and working clockwise:  The Report Type ( “Report Type”) specifies the basic properties for the report.

PAGE 249

Data Sources The available data sources are:  Local RADIUS Accounting – Accounting traffic consists of summary information about visitor sessions, reported by NAS devices to the Amigopod Visitor Management Appliance. In the RADIUS Accounting data source, each data record corresponds to a single visitor session.

PAGE 250

Figure 35 Reporting – Bin west of GMT The next diagram is similar but for time zones that are east of GMT Figure 36 Reporting – Bin east of GMT . This process may be automated by entering an expression as the value for the time zone offset. The correct expression to use for the Bin Offset is:

PAGE 251

Statistics from Classification Groups The classification groups that you define in a report will determine what type of statistics that can be derived for that report. This is shown in the following diagrams. The following figure shows how statistics are calculated per bin when bins are present but groups are not present. For example, if each bin represents a different date, and the source data is a traffic measurement, then the statistic here could be the total amount of traffic per day. See Figure 37.

PAGE 252

Figure 39 Components of the Report Editor Report Type The Report Type link opens a window where you type a distinct name or Title for the report. You can add additional information in the Description field. This could be used to explain the purpose of the report. 252 | Report Management Amigopod 3.

PAGE 253

While you are working on creating the report you could leave the Enabled field unchecked. When you want the report to be available for use, mark the Enabled check box. You should set a default Date Range for the report. The available options are listed under the drop down menu. You are able to change the Unit for this date range to seconds, minutes, hours, weeks, months or years. You must select one or more of the Output Formats. When the report is run, it will be generated in each of these formats.

PAGE 254

 Properties for individual fields within an output series (header)  Properties for presentation blocks (container CSS style)  Properties for table cells within a presentation block (CSS style)  Within text presentation blocks In these cases the report editor may simply indicate that a value is required. To use the value of a report parameter in a template, use the syntax {$parameter}.

PAGE 255

Parameter User Interface Editing The Edit Parameter form is used to specify the default value for a parameter as well as the type of user interface to use for this parameter. If No user interface is selected, then the parameter will have a fixed value and cannot be edited before the report is run.

PAGE 256

The initial value displayed on this form for a report parameter may be specified as the Value for the parameter. The Run Preview and Run Default icon links will be available for a report if all parameters have an acceptable default value. This is determined by the validation properties for each parameter. If no validation properties are specified, all parameter values are considered to be valid.

PAGE 257

Click the Save Changes button to return to the Report Editor. Select Fields If you have not selected fields in the Data Source form, you must select the required source fields here. Fields can be defined one at a time by clicking the Create Source Field tab. Source fields are the basic building blocks from which the rest of the report is constructed.

PAGE 258

Each source field has a name that is unique within the report. You can also attach a description to the field for use by the report designer. If you select a field from the Data Source Field drop down list, that field name is automatically placed in the Field Name area. It can be changed if you want. As derived fields do not exist in the Data Source, you will need to give each field a unique name. You are also required to give the field a value.

PAGE 259

If you select to calculate a value by summing over source fields, you are required to nominate the fields to be summed. Click the Create Source Field button to create the source or derived field in the report. Source Filters Source filters are applied to the data source fields to determine whether a data record will be included for processing in the report. The statistics, metrics and output data of the report can only be generated from source data that has passed through the source filters.

PAGE 260

To add additional filters, click the first source filter. An action row is displayed with Edit and After links. There is also a Set Default Report Range option for the first date/time filter. The filter. Edit link allows you to alter the options for the source filter as well as being able to disable the Click the The Insert Save Changes button to keep any changes you have made. Insert After link allows you to create additional filters.

PAGE 261

You must then select the filter from the Filter Type drop down list.

PAGE 262

To create a bin or a classification group, click the Groups list view. Create Classifier tab in the Edit Classification You are required to choose the classification method and the Source Field to use for the classification. The Editor.

PAGE 263

 Time measurement: bin by days – See “Binning Example – Time Measurements” in this chapter for the bin classification method description. The bin classification method uses the specified date/time field to calculate a day number. Times that fall within the same day are assigned the same bin number. The bin offset is used to account for time zones as explained in the .  Time measurement: bin by hours – This bin classification method uses the specified date/time field to calculate an hour number.

PAGE 264

Like the statistic fields, metrics share a close relationship with the report’s classification groups. When designing a report, consider the metrics that you would like to generate, and work backwards to determine the statistics you will need in order to calculate each metric and the classification groups will be needed to calculate each statistic. Each statistic and metric field has a name that is unique within the report. You can also attach a description to the field for use by the report designer.

PAGE 265

 Median value – the median (middle) value of the source field over the selected classification group is calculated  Minimum value – the minimum value of the source field over the selected classification group is calculated  Number of bins – the number of different bin classification groups is calculated  Number of distinct values – the number of distinct values that the source field takes over the selected classification group is calculated  Number of groups – the total number of classificatio

PAGE 266

 Number of distinct values – the number of distinct values that the statistic field takes over the selected report dimension is calculated  Subtract (value 1 – value 2) – the values are subtracted  Sum of values – the sum of all values of the statistic field over the selected report dimension is calculated  Use an expression to calculate value – a PHP expression is used to calculate a value for the metric over the selected report dimension from one or more statistic fields Value 1 and Value 2 li

PAGE 267

You are required to enter a unique name for this output series. You must also select the Dimension to be used. This could be the source data or one of the classification groups defined in the report. Click the Create Output Series button to add the output series definition to the report. The Edit Output Series form will then be displayed to allow the components of the output series to be defined.

PAGE 268

To edit an output series field, click the below. Edit link for the field. The Edit Series field opens, as shown The Header is displayed in tables and charts that use this output series. Use a short description of the values contained in this field. The Value Format specifies how to generate the value for the output series field. You can specify an expression to calculate the value; in the expression, use the variable $_ to obtain the value of the report field for this output series.

PAGE 269

 Match filters check if a value matches a particular condition, which could be a regular expression or other match value.  List filters check to see if a value is found in a list. Click the Create output filter link to create an output filter. Select the output series you want to filter in order to view the remaining filter options. You can select any of the source fields that would be available to the output series, or any of the fields in the output series.

PAGE 270

 Unconditionally exclude item if filter matches – If the filter matches the item in the output series, the item will never be included in the output. No further filters will be applied to the data once this filter has matched. Click the Create Output Filter button to add the new output filter to the report definition. Presentation Options The Presentation Options provide you with a number of choices regarding the final presentation of your report.

PAGE 271

 Scatter  Polar In general, the first field in the output series is used as the category values for the chart. The second and subsequent fields are used as the values to display on the chart. The Pie and Pie 3-D charts support only a single data point for each category value. A pie chart is used to compare the relative proportions of different values in a single data series. The Floating Column and Floating Bar charts require two data points for each category value.

PAGE 272

This standard header includes the report title, the time at which the report was run, and the date range included in the report.

PAGE 273

Creating the Report – Step 1 The following form will be displayed when the Create New Report link is clicked. This is the same form that you would obtain if you clicked the Report Type option in the Report Editor. See “Report Type” in this chapter for more details about this form. Click the Continue button to move to Step 2. Creating the Report – Step 2 In step 2, the Select Data Source form is displayed.

PAGE 274

Creating Sample Reports Report Based on Modifying an Existing Report This sample involves modifying the predefined Number of users per day report to report on the number of users per week. 1. Select the “Number of users per day” report. 2. Click the Edit link. This opens the Report Editor. 3. Click Report Type in the Report Editor, as you need to change the title of the report to “Number of users per week”.

PAGE 275

Report Created from Report Manager using Create New Report To create a report that lists today’s user sessions, follow this process. 1. To create a new report without it being based on an existing report, click Create New Report. 2. You must give the report a Title. For this report, Today’s Sessions would be an appropriate name. 3. Enable the report by marking the Enabled check box. 4. Ensure that the Date Range is Today and select an Output Format. These changes are shown in the screen below. 5.

PAGE 276

6. Select the required fields in Step 2. For this report the fields are shown in the screen below. These are the fields of interest for the report. 7. Click the Save Changes button to have the report created. The Report Editor screen is displayed. 8. If you click the Final Report option in the Report Editor you can see the report as it is after these two steps. 276 | Report Management Amigopod 3.

PAGE 277

9. You can continue to further enhance this report using the Report Editor. To change the formatting of the table you would use the Presentation Options; to remove a column you would use the Output Series option; to restrict the data in the table you would use a filter, for example, a source filter to limit by NAS IP address; a classification group would enable you to carry out statistical analysis, for example, grouping by NAS IP address.

PAGE 278

11. The Source Field will be changed to nas_ip_address, as this report is to calculate the average traffic by NAS rather than the average traffic by user. The field will also be renamed to total_nas to reflect the new value it will contain. These changes are shown in the screen below. 12. Click the Save Changes button. 13. Because the total_users field is no longer available in the report, the average_bytes field must be updated to refer to the total_nas field instead.

PAGE 279

20. Click the Back to report editor link to return to the Report Editor. 21. As there are no further changes required, click the Final Report icon to preview your new report. Report Troubleshooting Report Preview with Debugging If you are experiencing problems with your report, you can receive help with the Report Diagnostics. The diagnostics run the report and show you the internal data that is being used to generate the contents of the final report.

PAGE 280

0 => /* group 0 */ array ( 'a' => /* group value: 'a' */ array ( 0 => first data record 1 => second data record ... ), ), ), 234 => /* bin value: 234 */ array ( /* bin items organized by group */ ) ), 1 => /* bin 1 */ ... ) Troubleshooting Tips The following tips may be useful to you when developing new reports.  Draw a diagram – Make a sketch of any charts or tables you want to include in the report.

PAGE 281

Chapter 8 Administrator Tasks The Amigopod Administrator provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of the Amigopod Visitor Management Appliance. Accessing Administrator Use the Administrator command link on the Amigopod Visitor Management Appliance home page to access the system administration features. Alternatively, use the Administrator navigation menu to jump directly to any of the system administration features.

PAGE 282

Automatic Network Diagnostics When you view or edit the appliance’s network configuration on the Network Setup, HTTP Proxy, Network Diagnostics, or Network Interfaces page, an automatic network connectivity test determines the current status of the network, and the results of the diagnostic are displayed.

PAGE 283

The system hostname should match the common name of the installed SSL certificate. If these names do not match, then HTTPS access to the appliance may result in security warnings from your Web browser. A valid hostname is a domain name that contains two or more components separated by a period (.).

PAGE 284

 Delete – Remove a network interface. Manually created network interfaces may be deleted—for example, tunnel, VLAN, or secondary interfaces. The standard system network interfaces cannot be deleted.  Routes – Define static routes that specify the gateway IP addresses for other networks.  Bring Down – Disables the network interface.  Bring Up – Enables the network interface.

PAGE 285

 To specify an IP address for the network interface, select Manually configure IP address. The following form is displayed for IP address details. The MTU field allows you to specify the Maximum Transfer Unit size in bytes for the network interface. While standard Ethernet uses a MTU of 1500 bytes, you may find it necessary to reduce the MTU slightly in some network topologies. The Amigopod Visitor Management Appliance uses a default MTU of 1476 bytes unless otherwise specified in this form.

PAGE 286

Click the Save Changes button to update the network interface with the specified settings. The new settings will be tested and the results of the test displayed.  If DNS name resolution is not working, the system will be unable to perform many common tasks. To resolve this issue, check the DNS server settings for the network interface. If you are using DHCP, check that your DHCP server provides DNS server information, and enable this option for the network interface.

PAGE 287

Managing Static Routes In the Network Interfaces list view, click the network interface to edit, and then click Network Interface Routes list view will be displayed. Routes. The Click the Create tab to add a new static route. You must specify the network address of the destination network as an IP address and netmask, and the gateway for the destination network. The gateway IP address must be reachable directly from the network interface. Click the Create Route button to add the route.

PAGE 288

Figure 40 Network diagram showing IP addressing for a GRE tunnel To create a GRE tunnel, navigate to the Network Interfaces page and click the network interface link. The Network Interface Settings form is displayed. Create a tunnel The Interface Name is the system’s internal name for this tunnel interface. A default value is supplied, which may be used without modification. A Display Name may be specified to identify the connection in the list of network interfaces.

PAGE 289

Use the Create a VLAN interface link to create a new network interface with a specific VLAN tag. The Create a New VLAN form is displayed. In this form, select the physical interface through which the VLAN traffic will be routed, and enter a name for the VLAN and the corresponding VLAN ID. Use a descriptive name for the VLAN Name field, as this is only used by administrators to identify the network interface. The corresponding VLAN ID is used by the network infrastructure to identify a specific virtual LAN.

PAGE 290

VLAN interfaces are distinguished from other network interfaces with blue icons. The possible states for the system’s network interfaces are summarized in the table below Table 25 Network Interface States Interface State Physical VLAN Active (up) Active with default gateway Inactive (down) The actions available when selecting a VLAN interface are: Show Details – Displays detailed information and statistics about the network interface.

PAGE 291

Secondary network interfaces have the same name as the underlying physical interface, with a suffix such as “:1”, “:2” and so on for each subsequent IP address created. All secondary interfaces will be brought down if the corresponding physical interface is brought down. Login Access Control Both guests and operators may use HTTP or HTTPS to access the Amigopod user interface. The system does not distinguish between these types of users at the protocol level.

PAGE 292

The ‘Deny Behavior’ drop-down list may be used to specify the action to take when access is denied. The access control rules will be applied in order, from the most specific match to the least specific match. Access control entries are more specific when they match fewer IP addresses. The most specific entry is a single IP address (for example, 1.2.3.4), while the least specific entry is the match-all address of 0.0.0.0/0. As another example, the network address 192.168.2.

PAGE 293

Select a diagnostic from the drop-down list. Depending on the diagnostic you have selected, additional parameters will also be available:  DHCP Leases – Select a network interface to view the DHCP lease information for that interface.  DNS Lookup – Enter a hostname to perform a domain name lookup and display the results.  Firewall Rules – Displays the iptables firewall rules that are currently in effect.  Interface Addresses– Displays all active IP addresses and interface details.

PAGE 294

form. Additional RADIUS attributes may also be included by adding Attribute-Name = Value pairs in the Extra Arguments field; see the example below.  Routing Table – Displays the current IPv4 routing table. The list shows the static, network addresses and default routes configured for the system.  Traceroute – Enter a hostname or IP address to determine the route that packets traverse to that host. The test may take a considerable amount of time (30 seconds or more), depending on network conditions.

PAGE 295

Select the network interface and, if required, enter filtering parameters to restrict the type and number of packets to be captured. You can enter network addresses in the Source IP and Destination IP fields by using an IP address and a network address length; for example, 192.168.2.0/24. Click the Capture button to begin the packet capture operation. While packet capturing is in effect, the status of the packet capture is displayed as part of the Network Diagnostics form. Amigopod 3.

PAGE 296

Once the packet capture has completed, the status is updated, and a link to Download packet capture file is available. Click this link to download a packet capture file, which may be analyzed using the Wireshark utility or another tool capable of reading the “pcap” file format. To delete the saved file, select the Delete current packet capture file check box and click the button. To start another packet capture, modify the filtering parameters if required and click the button.

PAGE 297

The fields on each line are separated by any number of blanks or tab characters. Any text from a # character to the end of the line is a comment, and is ignored. Hostnames may contain only alphanumeric characters, minus signs (“-”), and periods (“.”). A hostname must begin with an alphabetic character and end with an alphanumeric character. After making changes in the Hosts field, click the file.

PAGE 298

The SNMP Setup form is used to configure the system’s SNMP server and enable SNMP access. To enable SNMP access, one of the available modes must be selected. Version 2c, version 3, or both versions may be enabled. The System Contact and System Location parameters are basic SNMP “system” MIB parameters that are frequently used to identify network equipment. See “Supported MIBs” in this chapter for a list of supported MIBs.

PAGE 299

SNMP version 2c has only one configuration option, which is the name of the community string. SNMP clients must provide this value in order to access the server. The default community string is public. SNMP version 3 adds authentication and encryption capabilities to the protocol. You must supply a set of credentials to be used for SNMP v3 access. You can also select whether encryption should be used. Traps are notification messages sent when certain conditions are reached.

PAGE 300

 SNMP-VIEW-BASED-ACM-MIB  TCP-MIB  UCD-DISKIO-MIB  UCD-DLMOD-MIB  UCD-SNMP-MIB  UDP-MIB SMTP Configuration The SMTP Configuration form is used to provide system default settings used when sending email messages. To manage and view the current SMTP configuration click the SMTP Configuration command link on the Administrator > Network Setup page. See “SMTP Services” in the Guest Management chapter for additional configuration options for SMTP services.

PAGE 301

The From Address must be specified. This is the sender of the email and will be visible to all email recipients. It is recommended that you provide a valid email address so that guests receiving email receipts are able to contact you.

PAGE 302

A completed sample certificate request is shown below. Click the Create Certificate Request button to generate the certificate signing request. The certificate signing request is displayed in a text field in the browser. This can be used to copy and paste the request directly to a certificate authority that supports this form of request submission. Alternatively, you may click the Download the current CSR link to download a .csr file to your browser.

PAGE 303

The process for installing an SSL certificate has been simplified. In the first step, select whether you will be copying and pasting the certificate as plain text, or uploading the certificate from a file. In the second step, you must provide between one and three items of information:  The Certificate field must contain the digital certificate. This can be a file containing a base-64 representation of the certificate, or it can be a block of text that contains the certificate.

PAGE 304

To resolve this error, first check that you have provided the correct intermediate certificate. If the problem persists, check with your certificate authority for the appropriate root certificate to use. As an optional third step, if you have a private key that corresponds to the SSL certificate, it may be specified separately. This is only required if you did not generate the certificate signing request on the server. Click the Upload Certificate button to install the new SSL certificate.

PAGE 305

Backup and Restore Click the Backup & Restore command link on the Adminstrator start page to make backups of the appliance’s current configuration as well as restore a previous backup. It is recommended that you make a complete configuration backup of the system after completing a deployment and after making configuration changes.

PAGE 306

Server Configuration), you can select to back up the entire area or only a particular part of that area. To access the components within an area, click the down arrow . There are five possible states for each area, described below: 1. Complete backup – The tick mark is highlighted: . The components of the area are not displayed, but the entire area and all of its components will be backed up. 2. Partial backup – The down arrow is highlighted: .

PAGE 307

You are able to select either a complete or custom backup to run on the schedule. The options available are the same as for the manual backup. You are required to enter a prefix for the backup filename. The backup name is used as the basis for the name of the backup file. The current time and date is used to identify different backups, in the format YYYYMMDD-hhmmss. For example, with the backup name ‘backup’, the backup filename will be backup.20080101-123456.dat.

PAGE 308

  proxy*: proxy related arguments  quote=CMD: send custom command to FTP server  require-ssl: require SSL connection for success SMB options  kerberos: use Kerberos authentication (Active Directory)  domain=NAME or workgroup=NAME: set the workgroup to NAME  debug: generate additional debugging messages which are logged to the application log Multiple options should be separated with semicolons.

PAGE 309

restore, be sure to select the appropriate items by clicking the tick icon for each configuration item to restore. 4. Mark the Restore settings from backup check box. Be aware that it is possible to overwrite any local configuration changes that have been made since the backup was created. 5. Click the Restore Configuration button for the restore to commence. A progress window is shown for the restore operation. 6. You are presented with a ‘System restore operation completed successfully’ message.

PAGE 310

using the Amigopod’s built-in Web server. To access the Content Manager, click the Content Manager command link on the Customization start page. You can add content items by using your Web browser to upload them. You can also copy a content item stored on another Web server by downloading it. To use a content item, you can insert a reference to it into any custom HTML editor within the application.

PAGE 311

After you have completed the form, click the Fetch Content button to have the file downloaded. The file is placed in the public directory on the Web server. You are then able to reference this file when creating custom HTML templates. Additional Content Actions The Properties link allows you to view and edit the properties of the item. Editable properties include the content item’s filename and description.

PAGE 312

A security assessment will be performed and a report will be displayed containing the recommendations from the security assessment. Reviewing Security Audit Results For each of the security recommendations presented, you can choose to accept the recommendation, ignore the recommendation, or disable the recommendation. A Details link may be provided, containing more information about this security message or guidance on a recommended fix.

PAGE 313

The Amigopod appliance has a command line interface(CLI) which may be accessed using the appliance console or SSH.

PAGE 314

2. In the Warning Levels drop-down list, specify the maximum number of alerts to receive. If you do not want to receive notifications, choose 0-Disable warnings. 3. If you enabled warnings, in the Level 1 field, enter the amount of remaining disk space at which the first notification should be sent. 4.

PAGE 315

Determining Installed Operating System Packages Use the Advanced view of the System Information page to display a list of the installed operating system packages, together with the corresponding version numbers. Plugin Manager Plugins are the software components that fit together to make your Web application. The Plugin Manager allows you to manage subscriptions, list available plugins, add new plugins, and check for updates to the installed plugins.

PAGE 316

Managing Subscriptions A subscription ID is a unique number used to identify your software license and any custom software modules that are part of your Amigopod solution. To view current subscription IDs, navigate to Administrator > Plugin Manager, then click Manage Subscriptions. The Amigopod Subscription page opens.

PAGE 317

Adding or Updating New Plugins You can add or update plugins either from the Internet or from a file provided to you by email.  If your new plugin was emailed to you as a file, navigate to Administrator > Plugin Manager > Add New Plugin. On the Add New Plugin page, choose the Add Plugin from File command, then browse to the file to upload it. The Add New Plugin page also provides the option to choose the internet download method.

PAGE 318

When you select multiple available updates on the Add New Plugins page and click the Finish button, the system updates them sequentially. If an update for one plugin cannot be completed—for example, due to low disk space—the update for that plugin is cancelled. The other updates are not affected, and the system continues to process the rest of the plugin updates in the queue.

PAGE 319

To undo any changes to the plugin’s configuration, click the plugin’s Restore default configuration link. The plugin’s configuration is restored to the factory default settings. In most cases, plugin configuration settings do not need to be modified directly. Use the customization options available elsewhere in the application to make configuration changes.

PAGE 320

1. To change the application’s title, enter the new name in the Application Title field (for example, your company name) to display that text as the title of your Web application. Click Save Configuration. 2. TheKernel plugin’s Debug Level, Update Base URL and Application URL options should not be modified unless you are instructed to do so by Aruba support. 3. To restore the plugin’s configuration to the original settings, click the Restore default configuration link below the form.

PAGE 321

2. The default navigation layout is “expanded.” To change the behavior of the navigation menu, click the Navigation Layout drop-down list and select a different expansion level for menu items. 3. The Page Heading field allows you to enter additional heading text to be displayed at the very top of the page. The default skin used by the Amigopod Visitor Management Appliance is the one that is enabled in the Plugin Manager.

PAGE 322

To ensure that authentication, authorization, and accounting (AAA) is performed correctly, it is vital that the server maintains the correct time of day at all times. It is strongly recommended that you configure one or more NTP servers to automatically synchronize the server’s time. NTP can interfere with timekeeping in virtual machines.

PAGE 323

System Control The System Control commands on the Administrator > System Control page allow you to:  Shut down the server immediately.  Reboot the system which stops all services while the reboot is taking place.  Restart the system services without stopping the server. This would usually be done after a plugin installation if required, or if performing other system changes such as installing a new SSL certificate or changing the server’s time zone.

PAGE 324

Log Rotation: Configuring Data Retention To configure the number of weeks to retain records for data, log files, disabled accounts, and mobile device certificates, click the Configure data retention link in Log Rotation row. The Data Retention Policy page opens. Log files are rotated and expired logs are cleared according to the database maintenance schedule you define. See Managing Data Retention. Log Collector: Storing Incoming Syslog Messages Your Amigopod server can also act as a syslog server.

PAGE 325

Facility: Redirecting Application Log Messages To redirect log messages from the application log to the syslog, select an option from the Facility field drop-down menu. The default option None – Do not send application log messages to syslog stores all application-generated messages in the separate application log. If you select a specific syslog facility, the minimum priority level for the corresponding syslog facility determines whether the syslog message is forwarded to the remote collector.

PAGE 326

For high-traffic sites that are maintaining many weeks of log files, enter a non-zero value for Disk Space to ensure that the log files cannot fill up the system’s disk. If the disk space check is enabled, the server’s free disk space is checked daily at midnight, and if it is below the specified threshold, old log files are deleted to free up space. The syslog protocol is used to send log messages from one system to a syslog server (also known as a ‘collector’). The syslog protocol uses UDP port 514.

PAGE 327

Figure 41 Data Retention Policy page Select Enable to enable the the data retention policy opton and enter how many weeks in the Log Rotation field to indicated how many weeks you want log files kept before they are deleted. You can specify how many weeks a guest account persists after the account is disabled in the Guest Accounts field. For mobile device certificates, select the minimum delay, in weeks, required before an expired certificate or rejected request can be deleted.

PAGE 328

Changing Database Configuration Parameters The Database Configuration form allows you to configure the system’s database and manage its maintenance schedule. Access this form by navigating to System Control > Database Config. The Options field is a text field that accepts multiple name = value pairs. You can also add comments by entering lines starting with a # character.

PAGE 329

Changing Web Application Configuration Certain performance and security options may be configured that affect the operation of the Web application GUI. Use the Web Application Configuration command link to adjust these configuration parameters. The Memory Limit may be increased to allow larger reports to be run on the system. The File Upload Size may be increased to allow larger content items to be uploaded, or larger backup files to be restored.

PAGE 330

Changing Web Server Configuration High-traffic deployments may need to adjust certain performance options related to the system’s Web server. Use the Web Server Configuration command link to adjust these configuration parameters. The Maximum Clients option specifies the maximum number of clients that may simultaneously be making HTTP requests. The default value should only need to be increased for high-traffic sites.

PAGE 331

This report can be downloaded for support purposes. Adding Disk Space Storage capacity can be increased on VMware-based deployments. To increase available storage, click the Add Space option on the System Information screen. TheAdding Disk Space screen appears. Follow instructions on this page. Amigopod 3.

PAGE 332

. 332 | Administrator Tasks Amigopod 3.

PAGE 333

System Log The system log viewer available on the Support > System Logs page displays messages that have been generated from multiple different sources:  Application Logs—messages generated by the Amigopod application.  HTTP Logs—messages generated by the Apache Web Server.  RADIUS Logs—messages generated by the RADIUS server during authentication, authorization or accounting.  System Logs—messages generated by the system and various internal processes within it.

PAGE 334

Use the Filter tab to control advanced filtering settings, such as which logs to search and the time period to display: Click the Apply Filter button to save your changes and update the view, or click the remove the filter and return to the default view. Reset button to Exporting the System Log Use the Export tab to save a copy of the system logs, in one of several formats. Select one of the following formats from the Format drop-down list:  Comma Separated Values (*.

PAGE 335

Searching the Application Log You are able to search for particular log records using the form displayed when you click the tab. Click the Search Reset Form button to clear the search and return to displaying all records in the log. Exporting the Application Log Use the Export tab to save the log in other formats, including HTML, text, CSV, TSV and XML. You can select options to print, email or download the data. Amigopod 3.

PAGE 336

| Administrator Tasks Amigopod 3.

PAGE 337

Chapter 9 Hotspot Manager The Hotspot Manager controls self provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts. The following diagram shows how the process of customer self provisioning works.

PAGE 338

Manage Hotspot Sign-up You can enable visitor access self provisioning by navigating to Customization > Hotspot Manager and selecting the Manage Hotspot Sign-up command. This allows you to change user interface options and set global preferences for the self-provisioning of visitor accounts. The Enable visitor access self-provisioning check box must be ticked for self-provisioning to be available. 338 | Hotspot Manager Amigopod 3.

PAGE 339

The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows a HTML message to be displayed to visitors if self-provisioning has been disabled. See “Smarty Template Syntax” in the Reference chapter for details about the template syntax you may use to format this message. Click the Save Changes button after you have entered all the required data.

PAGE 340

You can customize which plans are available for selection, and any of the details of a plan, such as its description, cost to purchase, allocated role and what sort of username will be provided to customers. Above is the list of default plans supplied with the Amigopod Visitor Management Appliance. Plans that you have enabled have their name in bold with the following icon: . Plans that have not been enabled do not have names in bold and their icon is a little different: .

PAGE 341

Creating New Plans Custom hotspot plans are added by clicking the displayed. Click the Create Hotspot plan button. The following form is Create Plan button to create this plan for use by your Hotspot visitors. See “Format Picture String Symbols” in the Reference chapter for a list of the special characters that may be used in the Generated Username and Generated Password format strings.

PAGE 342

 eWAY  Netregistry  Paypal  WorldPay Amigopod also includes a Demo transaction processor that you can use to create hotspot forms and test hotspot transactions. Creating a New Transaction Processor To define a new transaction processor, navigate to Customization > Hotspot Manager, click Manage Transaction Processors then select New Transaction Processor. In the Name field, enter a name for the transaction processor.

PAGE 343

You can customize the title shown on the invoice and how the invoice number is created. You can also customize the currency displayed on the invoice. The Invoice Title must be written in HTML. See “Basic HTML Syntax” in the Reference chapter for details about basic HTML syntax. You are able to use Smarty functions on this page. See “Smarty Template Syntax” in the Reference chapter for further information on these. You are able to insert content items such as logos or prepared text.

PAGE 344

Customize Page One Page one of the guest self-provisioning process requires that the guest selects a plan. You are able to customize how this page is displayed to the guest. You are able to give this page a title, some introductory text and a footer. The Introduction and the Footer are HTML text that may use template syntax, See “Smarty Template Syntax” in the Reference chapter.

PAGE 345

Amigopod 3.

PAGE 346

See “Smarty Template Syntax” in the Reference chapter for details about the template syntax you may use to format the content on this page. Customize Page Three You can make changes to the content of page 3, where the customer receives an invoice containing confirmation of their transaction and the details of their newly created wireless account. See “Smarty Template Syntax” in the Reference chapter for details about the template syntax you may use to format the content on this page.

PAGE 347

Chapter 10 High Availability Services The goal of a highly available system is to continue to provide network services even if a hardware failure occurs. High Availability Services provides the tools required to achieve this goal. These tools include service clustering, fault tolerance, database replication, configuration replication, automatic failover and automatic recovery.

PAGE 348

A cluster’s virtual IP address is a unique IP address that will always be assigned to the primary node of the cluster. In order to take advantage of the cluster’s fault tolerance, all clients that use the cluster must use the cluster’s virtual IP address, rather than each node’s IP address. Replication is the process of ensuring that the secondary node maintains an exact copy of the primary node’s database contents and configuration.

PAGE 349

 The cluster relies on DNS for name lookup. Each node must have a unique hostname, and each node must be able to resolve the other node’s IP address by performing a DNS lookup. The nodes in the cluster must be connected to the same local network. Use high quality network cables and reliable switching equipment to ensure the nodes have an uninterrupted network connection. There should be no routers, gateways, firewalls, or network address translation (NAT) between the two nodes.

PAGE 350

accounting information, are replicated from the primary node to the secondary node. The replication delay will depend on the volume of database updates and system load but is generally only a few seconds. Replicating the database contents ensures that in the event of a primary node failure, the secondary node is up to date and can continue to deliver the same network services to clients.

PAGE 351

 SMTP settings for email receipts ( See “Email Receipt Options” in the Guest Management chapter)  SNMP server settings ( See “SNMP Configuration” in the Administrator Tasks chapter)  The set of currently installed plugins ( See “Plugin Manager” in the Administrator Tasks chapter)  Web Login pages ( See “Web Logins” in the RADIUS Services chapter) Certain configuration items are not replicated.

PAGE 352

The cluster will continue operating without service interruption. Network services will be unaffected as the cluster’s virtual IP address is assigned to the primary node. While the secondary node is offline, the cluster will no longer be fault-tolerant. A subsequent failure of the primary node will leave the cluster inoperable. To recover the cluster, the secondary node must be brought back online.

PAGE 353

Table 27 Cluster Status Descriptions (Continued) The primary node is running, but the secondary node is down or stopped.  The secondary is no longer available. Check the Remote Status on the primary node to determine the cause of the problem.  To clear the error condition, bring the secondary node back online. The cluster will return to faulttolerant mode automatically.  If the secondary node needs to be replaced, the cluster must be rebuilt. See “Recovering From a Hardware Failure” in this chapter.

PAGE 354

Prepare Primary Node Use the Cluster Configuration form to enter the basic network and control parameters for the cluster. If you have not already set a unique hostname for this server, you can do so here. Each node in the cluster must have a unique hostname. You can selec a single virtual IP address by entering one IP address in the Virtual IP Address field, or specify more than one virtual IP by entering a comma-separated list of multiple IP addresses.

PAGE 355

If you have not already set a unique hostname for this server, you can do so here. Each node in the cluster must have a unique hostname. A valid hostname is a domain name that contains two or more components separated by a period (.). Hostname parameters are as follows:  Each component of the hostname must not exceed 63 characters  The total length of the hostname must not exceed 255 characters  Only letters, numbers, and the hyphen (-) and period (.

PAGE 356

You can select a single virtual IP address by entering one IP address in the Virtual IP Address field, or specify than one virtual IP by entering a comma-separated list of multiple IP addresses. Each node in the cluster must be able to resolve the other node by using a DNS lookup. This is verified during the cluster initialization. In practice, this means that you must configure your local DNS or DHCP server with appropriate entries for each node. You must enter a shared secret for this cluster.

PAGE 357

The Cluster Initialization form is displayed. Select the check box and click the Initialize Cluster button to proceed. During the cluster initialization process, the entire contents of the RADIUS database (including guest accounts, user roles, and accounting history) and all configuration settings of the primary node will be replicated to the secondary node. The existing database contents and configuration settings on the secondary node will be destroyed.

PAGE 358

The maintenance commands that are available on this page will depend on the current state of the cluster as well as which node you are logged into. Some maintenance commands are only available on the secondary node. Other commands may change the active state of the cluster. For this reason it is recommended that cluster maintenance should only be performed by logging into a specific node in the cluster using its IP address.

PAGE 359

6. Recovery is complete. The secondary node is now the new primary node for the cluster. The cluster is back in a fault-tolerant mode of operation. The Recover Cluster command will only work if the node that failed is brought back online with the same cluster configuration. This is normally the case in all temporary outages. See “Recovering From a Hardware Failure” in this chaper, in this case, for a description of how to recover the cluster.

PAGE 360

To check the current status of a node, log into that node and click the Show details link displayed with the cluster status on the High Availability page. The node’s current status is displayed under the Local Status heading. Use this procedure to make the current primary node the secondary node: 1. Log into the current secondary node of the cluster. 2. Click Cluster Maintenance, and then click the Swap Primary Server command link. 3. A progress meter is displayed while the primary node is switched.

PAGE 361

To avoid unexpected failover of the cluster, ensure that the network connection to the nodes of the cluster is always available. Use high quality network equipment, including cables, and secure physical access to the servers to prevent accidental dislodgement of cables. If network access to the cluster is intermittent, this may indicate a possible hardware failure on the current primary node.

PAGE 362

| High Availability Services Amigopod 3.

PAGE 363

Chapter 11 Reference Basic HTML Syntax The Amigopod Visitor Management Appliance allows different parts of the user interface to be customized using the Hypertext Markup Language (HTML). Most customization tasks only require basic HTML knowledge, which is covered in this section. HTML is a markup language that consists primarily of tags that are enclosed inside angle brackets, for example,

PAGE 364

Table 29 Standard HTML Tags (Continued) Styled text (block)

Uses CSS formatting

Uses predefined style

Hypertext Hyperlink Link text to click on Inline image

– XHTML equivalent Floating image

For more details about HTML syntax and detailed examples of its use, consult a HTML tutorial or reference guide.

PAGE 365

Table 30 Formatting Classes (Continued) nwaTop Table Header Table heading at top nwaLeft Table Header Left column of table nwaRight Table Header Right column of table nwaBottom Table Header Table heading at bottom nwaBody Table Cell Style to apply to table cell containing data nwaHighlight Table Cell Highlighted text (used for mouseover) nwaSelected Table Cell Selected text (table row after mouse click) nwaSelectedHighlight Table Cell Selected text with mouseover highlight nwaInfo A

PAGE 366

Comments To remove text entirely from the template, comment it out with the Smarty syntax {* commented text *}. Note that this is different from a HTML comment, in that the Smarty template comment will never be included in the page sent to the Web browser.

PAGE 367

{/section} Note that the content after a {sectionelse} tag is included only if the {section} block would otherwise be empty.

PAGE 368

Table 31 Smarty Modifiers (Continued) Modifier Description nwamoneyformat Formats a monetary amount for display purposes; an optional modifier argument may be used to specify the format string. This modifier is equivalent to the NwaMoneyFormat() function; see “NwaMoneyFormat” in this chapter for details.

PAGE 369

 The “text” parameter is the explanatory text describing the action that lies behind the command link. (This is optional.)  The “linkwidth” parameter, if specified, indicates the width of the command link in pixels. This should be at least 250; the recommended value is 400.  The “width” and “height” parameters, if specified, provide the dimensions of the icon to display. If not specified, this is automatically determined from the image.

PAGE 370

 The “width” and “height” parameters, if specified, provide the dimensions of the icon to display. If not specified, this is automatically determined from the image.  The “alt” parameter, if specified, provides the alternate text for the icon.  The “class” parameter, if specified, is the style name to apply to a containing DIV element wrapped around the content. If this is empty, and a default is not provided through the “type” parameter, no wrapper DIV is added.

PAGE 371

{nwa_radius_query _method=GetCallingStationTraffic callingstationid=$dhcp_lease.mac_address from_time=86400 in_out=out _assign=total_traffic} This example uses the GetCallingStationTraffic query function. , and passes the “callingstationid”, “from_time” and “in_out” parameters. The result is assigned to a template variable called total_traffic, and will not generate any output. See “GetCallingStationTraffic()” .

PAGE 372

 GetCurrentSession($criteria)  GetUserCurrentSession($username)  GetIpAddressCurrentSession($ip_addr = null)  GetCallingStationCurrentSession($callingstationid, $mac_format = null)  GetSessionTimeRemaining($username, $format = “relative”)  ChangeToRole($username, $role_name) The $criteria array consists of of one or more criteria on which to perform a databased search. This array is used for advanced cases where pre-defined helper functions do not provide required flexiblity.

PAGE 373

nwa_makeid {nwa_makeid …} Smarty registered template function. Creates a unique identifier and assigns it to a named page variable. Identifiers are unique for a given page instantiation. Usage example: {nwa_makeid var=some_id} The “var” parameter specifies the page variable that will be assigned. Alternative usage: {nwa_makeid var=some_id file=filename} The “file” parameter specifies a file which contains a unique ID. This allows issued IDs to be unique across different page loads.

PAGE 374

The “reset” parameter may be specified to clear any existing navigation settings. Usage example: {nwa_nav block=level1_active}

@a@

{/nwa_nav} {nwa_nav block=level1_inactive}

@a@

{/nwa_nav} ...

PAGE 375

 The ‘output’ parameter specifies the metadata field to return If ‘output’ is not specified, the default is ‘output=id’; that is, the plugin ID is returned. nwa_privilege {nwa_privilege} … {/nwa_privilege} Smarty registered block function. Includes output only if a certain kind of privilege has been granted. Usage examples: {nwa_privilege access=create_user} .. content .. {/nwa_privilege} The “access” parameter specifies the name of a privilege to check for any access.

PAGE 376

Usage examples: {nwa_userpref name=prefName} {nwa_userpref name=prefName default=10} {nwa_userpref has=prefName}  “name”: return the named user preference  “default”: supply a value to be returned if the preference is not set  “has”: return 1 if the named preference exists for the current user, 0 if the preference does not exist nwa_youtube {nwa_youtube video=ID width=cx height=cy …} … {/nwa_youtube} Smarty registered block function.

PAGE 377

Table 33 Date and Time Formats (Continued) hh:mm:ss %H:%M:%S 14:13:45 iso8601 %Y%m%d 20080407 iso8601t %Y%m%d%H%M%S 20080407141345 iso-8601 %Y-%m-%d 2008-04-07 iso-8601t %Y-%m-%d %H:%M:%S 2008-04-07 14:13:45 longdate %A, %d %B %Y, %I:%M %p Monday, 07 April 2008, 2:13 PM rfc822 %a, %d %b %Y %H:%M:%S %Z Mon, 07 Apr 2008 14:13:45 EST displaytime %I:%M %p 2:13 PM recent – 2 minutes ago The % items on the right hand side are the same as those supported by the php function strftime().

PAGE 378

Date/Time Format String Reference Table 34 Date and Time Format Strings 378 | Reference Format Result %a Abbreviated weekday name for the current locale %A Full weekday name for the current locale %b Abbreviated month name for the current locale %B Full month name for the current locale %c Preferred date and time representation for the current locale %C Century number (2-digit number, 00 to 99) %d Day of the month as a decimal number (01 to 31) %D Same as %m/%d/%y %e Day of the month as

PAGE 379

Programmer’s Reference NwaAlnumPassword NwaAlnumPassword($len) Generates an alpha-numeric password (mixed case) of length $len characters. NwaBoolFormat NwaBoolFormat($value, $options = null) Formats a boolean value as a string. If 3 function arguments are supplied, the 2nd and 3rd arguments are the values to return for false and true, respectively. Otherwise, the $options parameter specifies how to do the conversion:  If an integer 0 or 1, the string values “0” and “1” are returned.

PAGE 380

NwaDigitsPassword($len) NwaDigitsPassword($len) Generates digit-only passwords of at least $len characters in length. NwaDynamicLoad NwaDynamicLoad($func) Loads the PHP function $func for use in the current expression or code block. Returns true if the function exists (that is, the function is already present or was loaded successfully), or false if the function does not exist. Attempting to use an undefined function will result in a PHP Fatal Error.

PAGE 381

The $format argument may be null, to specify the default behavior (U.S. English format), or it may be a pattern string containing the following:  currency symbol (prefix)  thousands separator  decimal point  number of decimal places The format “€1.000,00” uses the Euro sign as the currency symbol, “.” as the thousands separator, “,” as the decimal point, and 2 decimal places. If not specified explicitly, the default format is “$1,000.00”.

PAGE 382

NwaParseXml NwaParseXml($xml_text) Parses a string as an XML document and returns the corresponding document structure as an associative array.

PAGE 383

NwaVLookup NwaVLookup($value, $table, $column_index, $range_lookup = true, $value_column = 0, $cmp_fn = null) Table lookup function, similar to the Excel function VLOOKUP(). This function searches for a value in the first column of a table and returns a value in the same row from another column in the table. This function supports the values described in the table below.

PAGE 384

Field, Form and View Reference GuestManager Standard Fields The table below describes standard fields available for the GuestManager form. Table 37 GuestManager Standard Fields 384 | Reference Field Description account_activation String. The current account activation time in long form. This field is available on the change_expiration and guest_enable forms.

PAGE 385

Table 37 GuestManager Standard Fields (Continued) Field Description do_expire Integer that specifies the action to take when the expire time of the account is reached. See “expire_time” .  0—Account will not expire  1—Disable  2—Disable and logout  3—Delete  4—Delete and logout “Disable” indicates that the enabled field will be set to 0, which will prevent further authorizations using this account.

PAGE 386

Table 37 GuestManager Standard Fields (Continued) 386 | Reference Field Description expire_time Integer. Time at which the account will expire. The expiration time should be specified as a UNIX timestamp. Setting an expire_time value also requires a non-zero value to be set for the do_expire field; otherwise, the account expiration time will not be used. Set this field to 0 to disable this account expiration timer. expire_usage Integer.

PAGE 387

Table 37 GuestManager Standard Fields (Continued) Field Description modify_expire_usage String. Value indicating how to modify the expire_usage field. This field is only of use when editing a visitor account.

PAGE 388

Table 37 GuestManager Standard Fields (Continued) 388 | Reference Field Description netmask String. Network address mask to use for stations using the account. This field may be up to 20 characters in length. The value of this field is not currently used by the system. However, a RADIUS user role may be configured to assign network masks using this field by adding the Framed-IP-Netmask attribute, and setting the value for the attribute to:

PAGE 389

Table 37 GuestManager Standard Fields (Continued) Field Description password_last_change Integer. The time that the guest’s password was last changed. The password change time is specified as a UNIX timestamp. This field is automatically updated with the current time when the guest changes their password using the self-service portal. random_password String. This field contains a randomly-generated password. This field is set when modifying an account (guest_edit form). random_password_length String.

PAGE 390

Table 37 GuestManager Standard Fields (Continued) 390 | Reference Field Description random_username_method String. Identifier specifying how usernames are to be created. It may be one of the following identifiers:  nwa_sequence to assign sequential usernames. In this case, the multi_prefix field is used as the prefix for the username, followed by a sequential number; the number of digits is specified by the random_username_length field.

PAGE 391

Table 37 GuestManager Standard Fields (Continued) Field Description simultaneous_use Integer. Maximum number of simultaneous sessions allowed for the account. sponsor_email Email address of the sponsor of the account. If the sponsor_email field can be inserted into an email receipt and used future emails, the “Reply-To” email address will always be the email address of the original sponsor, not the current operator. sponsor_name String. Name of the sponsor of the account.

PAGE 392

Table 38 Hotspot Standard Fields (Continued) Field Description personal_details No Type. Field attached to a form label. purchase_amount No Type. Total amount of the transaction. This field is only used during transaction processing. purchase_details No Type. Field attached to a form label. state String. The visitor’s state or locality name. submit_free No Type. Field attached to a form submit button. visitor_accept_terms Boolean.

PAGE 393

Table 40 SMPT Services Standard Fields Field Description auto_send_smtp Boolean. Flag indicating that an email receipt should be automatically sent upon creation of the guest account. Set this field to a non-zero value or a non-empty string to enable an automatic email receipt to be sent. This field can be used to create an opt-in facility for guests.

PAGE 394

Table 40 SMPT Services Standard Fields (Continued) (Continued) Field Description smtp_warn_before_receipt_format String. This field overrides the format in the Email Receipt field under Logout Warnings. It may be one of “plaintext” (No skin – plain text only), “html_embedded” (No skin – HTML only), “receipt” (No skin – Native receipt format), “default” (Use the default skin), or the plugin ID of a skin plugin to specify that skin.

PAGE 395

Any other alphanumeric characters in the picture string will be used in the resulting username or password. Some examples of the picture string are shown below: Table 42 Picture String Example Passwords Picture String Sample Password #### 3728 user#### user3728 v^^#__ vQU3nj @@@@@ Bh7Pm Form Field Validation Functions See “Form Validation Properties” in this chapter and “Examples of Form field Validation” in the Guest Management chapter for details about using validation functions for form fields.

PAGE 396

'corp-domain.com', 'other-domain.com', ), 'deny' => array( 'blocked-domain.com', 'other-blocked-domain.com', ), ) The keys ‘whitelist’ and ‘blacklist’ may also be used for ‘allow’ and ‘deny’, respectively.  An ‘allow’ or ‘deny’ value that is a string is converted to a single element array.  Wildcard matching may be used on domain names: the prefix ‘*.’ means match any domain that ends with the given suffix.

PAGE 397

 username – specifies the name of the field containing the username. If empty or unset, the password is not checked against this field for a match.  minimum_length – specifies the minimum length of the password in characters.  disallowed_chars – if set, specifies characters that are not allowed in the password.  complexity_mode – specifies the set of rules to use when checking the password.  complexity – if set, specifies rules for checking the composition of the password.

PAGE 398

 NwaConvertStringToOptions – Converts a multi-line string representation of the form key1 | value1 key2 | value2 to the array representation array ( 'key1' => 'value1', 'key2' => 'value2', )  NwaImplodeComma – Converts an array to a string by joining all of the array values with a comma.  NwaTrim – Removes leading and trailing whitespace from a string value.  NwaTrimAll – Removes all whitespace from a string (including embedded spaces, newlines, carriage returns, tabs, etc).

PAGE 399

Table 44 Form Field Display Functions (Continued) Function Description NwaDateFormat Format a date like the PHP function strftime(), using the argument as the date format string. Returns a result guaranteed to be in UTF-8 and correct for the current page language.

PAGE 400

View Display Expression Technical Reference A page that contains a view is displayed in an operator’s Web browser. The view con tains data that is loaded from the server dynamically. Because of this, both data formatting and display operations for the view are implemented with JavaScript in the Web browser. For each item displayed in the view, a JavaScript object is constructed. Each field of the item is defined as a property of this object.

PAGE 401

Table 45 Display Expressions for Data Formatting (Continued) (Continued) Value Description Nwa_NumberFormat(value[, if_undefined]) Nwa_NumberFormat(value, decimals) Nwa_NumberFormat(value, decimals, dec_point, thousands_sep[, if_undefined]) Converts a numerical value to a string. If the value has an undefined type (in other words, has not been set), and the if_undefined parameter was provided, returns if_undefined.

PAGE 402

If the expression evaluates to true, the AccessReject() will cause authorization to be refused. If the expression evaluates to false, the AccessReject() is not called, and authorization process will continue (however, the attribute will not be included in the Access-Accept, as the condition expression has evaluated to false). EnableDebug() EnableDebug($flag = 1) Enables debugging for the remainder of the processing of this request. The flag may also be set to false or 0 to disable debugging.

PAGE 403

MacEqual() MacEqual($addr1, $addr2) Compares two MAC addresses for equality, using their canonical forms. Example usage as a condition expression for an attribute: return MacEqual(GetAttr('Calling-Station-Id'), '00-01-02-44-55-66') MacAddrConvert() MacAddrConvert($mac, $mac_format) Converts a MAC address to a specified format. This function accepts anything that can be interpreted as a MAC address using some fairly liberal guidelines and returns the address formatted with the $mac_format string.

PAGE 404

If $to_time is specified, the interval considered is between $from_time and $to_time. Returns the total session time for all matching accounting records in the time interval specified. GetSessions() GetSessions($criteria, $from_time, $to_time = null) Calculate the number of sessions from accounting records in the database.

PAGE 405

 Limit by MAC address, 50 MB download in past 24 hours: return GetCallingStationTraffic(86400, 'out') > 50000000 && AccessReject() GetUserTraffic() GetUserTraffic($from_time, $to_time = null, $in_out = null) Calculate sum of traffic counters in a time interval. Sessions are summed if they have the same User-Name attribute as that specified in the RADIUS Access-Request. See “GetCallingStationTraffic()” for details on how to specify the time interval.

PAGE 406

GetCallingStationSessions() GetCallingStationSessions($from_time, $to_time = null, $mac_format = null) Calculate the number of sessions for accounting records matching a specific calling-station-id. The calling station id address is looked up automatically from the RADIUS Access-Request (Calling-Station-ID attribute). Because different NAS equipment can send differently-formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified.

PAGE 407

'acctuniqueid' => 'c199b5a94ebf5184', 'username' => 'demo@example.com', 'realm' => '', 'role_name' => 'Guest', 'nasipaddress' => '192.168.2.20', 'nasportid' => '', 'nasporttype' => '', 'calledstationid' => '', 'callingstationid' => '', 'acctstarttime' => '1249258943', 'connectinfo_start' => '', 'acctstoptime' => NULL, 'connectinfo_stop' => NULL, 'acctsessiontime' => 0, 'acctinputoctets' => 0, 'acctoutputoctets' => 0, 'acctterminatecause' => NULL, 'servicetype' => '', 'framedipaddress' => '192.168.2.

PAGE 408

GetUserStationCount() GetUserStationCount($from_time = null, $to_time = null, $exclude_mac = null) Count the total number of unique MAC addresses used in a time interval, for all sessions with the same User-Name attribute as that specified in the RADIUS Access-Request. If $exclude_mac is set, any sessions matching that MAC address are excluded from the count.

PAGE 409

Example: Use the following as a conditional expression for an attribute. If the user's traffic in the past 24 hours exceeds 50 MB, the user is changed to the "Over-Quota" role. return GetUserTraffic(86400) > 50e6 && ChangeToRole("Over-Quota"); RADIUS Server Options These are the advanced server options that may be configured using the RADIUS Server Options text field. Where applicable, the default value for each configuration option is shown.

PAGE 410

General Configuration Table 47 General Configuration Settings 410 | Reference Value Description max_request_time = 30 The maximum time (in seconds) to handle a request. Requests which take more time than this to process may be killed, and a REJECT message is returned. cleanup_delay = 5 The time to wait (in seconds) before cleaning up a reply which was sent to the NAS. The RADIUS request is normally cached internally for a short period of time, after the reply is sent to the NAS.

PAGE 411

Table 47 General Configuration Settings (Continued) Value Description log_auth_goodpass = no Log correct passwords with the authentication requests. Allowed values are no and yes. lower_user = no lower_pass = no Convert the username or password to lowercase “before” or “after” attempting to authenticate. If set to “before”, the server will first modify the request and then try to authenticate the user.

PAGE 412

Security Configuration Table 48 Security Configuration Settings Value Description security.max_attributes = 200 The maximum number of attributes permitted in a RADIUS packet. Packets which have more than this number of attributes in them will be dropped. If this number is set too low, then no RADIUS packets will be accepted. If this number is set too high, then an attacker may be able to send a small number of packets which will cause the server to use all available memory on the machine.

PAGE 413

Table 49 Proxy Configuration Settings (Continued) (Continued) Value Description proxy.dead_time = 120 If the home server does not respond to any of the multiple retries, then the RADIUS server will stop sending it proxy requests, and mark it ‘dead’. If there are multiple entries configured for this realm, then the server will failover to the next one listed. If no more are listed, then no requests will be proxied to that realm.

PAGE 414

Table 50 Thread Pool Settings (Continued) (Continued) Value Description thread.max_requests_per_server = 0 Set the maximum number of requests a server should handle before exiting. Zero is a special value meaning “infinity”, or “the servers never exit”. thread.max_queue_size = 65536 414 | Reference Set the maximum number of incoming requests which may be queued for processing. After the queue reaches this size, new requests are dropped. The default value is recommended for most deployments.

PAGE 415

Authentication Module Configuration Table 51 Authentication Module Configuration Settings Value Description module.pap = yes PAP module to authenticate users based on their stored password. pap.encryption_scheme = crypt The PAP module supports multiple encryption schemes:  clear: Clear text  crypt: Unix crypt  md5: MD5 encryption  sha1: SHA1 encryption module.chap = yes Authenticates requests containing a CHAP-Password attribute. module.pam = yes Pluggable Authentication Modules for Linux.

PAGE 416

Database Module Configuration Table 52 Database Modeule Configuration Settings Value Description sql.case_insensitive_usernames = 0 Set this option to 1 to match usernames in the local user database without regard to case. This will allows basic RADIUS authentication to work when the case of the username provided by the NAS is different from the case of the username in the local user database.

PAGE 417

Table 53 Optional EAP Module Options (Continued) Function Description eap.default_eap_type = md5 Invoke the default supported EAP type when EAP-Identity response is received. The incoming EAP messages DO NOT specify which EAP type they will be using, so it MUST be set here. Only one default EAP type may be used at a time. If the EAP-Type attribute is set by another module, then that EAP type takes precedence over the default type configured here. eap.

PAGE 418

Table 53 Optional EAP Module Options (Continued) 418 | Reference Function Description module.eap_tls = no Enables EAP-TLS module. The following functions onfigure digital certificates for EAP-TLS. If the private key and certificate are located in the same file, then private_key_file and certificate_file must contain the same filename.  eap.tls.private_key_password = not set  eap.tls.private_key_file = "${raddbdir}/certs/cert-srv.pem"  eap.tls.certificate_file = "${raddbdir}/certs/cert-srv.

PAGE 419

Table 53 Optional EAP Module Options (Continued) Function Description module.eap_peap= no PEAP authentication. The PEAP module needs the TLS module to be installed and configured, in order to use the TLS tunnel inside of the EAP packet. You will still need to configure the TLS module, even if you do not want to deploy EAP-TLS in your network. Users will not be able to request EAP-TLS, as it requires them to have a client certificate. EAP-PEAP does not require a client certificate.  eap.peap.

PAGE 420

Table 54 LDAP Module Settings (Continued) 420 | Reference Setting Description ldap.password_attribute = “nspmPassword” To support Novell eDirectory Universal Password, this option must be set to “nspmPassword”. Retrieves the user’s plain-text password from the directory and uses in the RADIUS server for user authentication. Universal Password requires a secure connection to the LDAP server. Required for Novell eDirectory support.

PAGE 421

Table 54 LDAP Module Settings (Continued) Setting Description ldap.tls_certfile = not set The PEM Encoded certificate file that should be presented to clients that connect. ldap.tls_keyfile = not set The PEM Encoded private key that should be used to encrypt the session. ldap.tls_randfile = not set A file containing random data to seed the OpenSSL PRNG. Not needed if your OpenSSL is already properly random. ldap.tls_require_cert = not set Certificate Verification requirements.

PAGE 422

Table 54 LDAP Module Settings (Continued) Setting Description ldap.groupmembership_filter = not set The filter to search for group membership of a particular user after we have found the DN for the group. Example filter: (|(&(objectClass=GroupOfNames)(member=%{LdapUserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember= %{Ldap-UserDn}))) ldap.groupmembership_attribute = not set The attribute in the user entry that states the group the user belongs to.

PAGE 423

Table 55 Rewrite Module Configuration Settings (Continued) Value Description module.attr_rewrite.name.replacewith = not set The replacement value which will be used for the attribute value, if the attribute matches the “searchfor” regular expression.

PAGE 424

| Reference  Framed-IP-Address: This attribute indicates the address to be configured for the user. In an Accounting-Request packet, it indicates the IP address of the user.  Framed-IP-Netmask: This attribute indicates the IP netmask to be configured for the user when the user is a router to a network.  Framed-Routing: This attribute indicates the routing method for the user, when the user is a router to a network. It is only used in Access-Accept packets.

PAGE 425

RADIUS Server Internal Attributes The Simultaneous-Use attribute is used by the RADIUS server during the processing of a request. It never returned to a NAS. Simultaneous-Use specifies the maximum number of simultaneous logins a given user is permitted to have. When the user is logged in this number of times any additional attempts to log in are rejected. LDAP Standard Attributes for User Class The following list provides some of the attributes for the LDAP User class.

PAGE 426

Table 56 Regular Expressions for Pattern Matching (Continued) (Continued) ^a Any string starting with “a” ^a$ Only the string “a” a$ Any string ending with “a” . Any single character \. A literal “.

PAGE 427

Chapter 12 Glossary Access-Accept Response from RADIUS server indicating successful authentication, and containing authorization information. Access-Reject Response from RADIUS server indicating a user is not authorized. Access-Request RADIUS packet sent to a RADIUS server requesting authorization. Accounting-Request RADIUS packet type sent to a RADIUS server containing accounting summary information.

PAGE 428

| Glossary operator profile The characteristics assigned to a class of operators, such as the permissions granted to those operators. operator/operator login User of Amigopod Visitor Management Appliance to create guest accounts or perform system administration. ping Test network connectivity using an ICMP echo request (“ping”). print template Formatted template used to generate guest account receipts. RFC Request For Comments; a commonly-used format for Internet standards documents.

PAGE 429

Index A Application log ........................................................ 334 Export ............................................................... 334 Files .................................................................. 334 Filtering ............................................................. 333 Search .............................................................. 335 AAA...................................................................... 23, 45 Attribute values .......................

PAGE 430

Check for updates................................................... 317 Classification groups............................................... 261 Closed session ........................................................ 220 Cluster ..................................................................... 347 Concurrent sessions................................................ 241 Configuration replication ......................................... 350 Configure Active Directory authentication.......................

PAGE 431

Download Content ............................................................. 310 Download content ................................................... 311 Downtime threshold ................................................ 351 duplicate fields ........................................................ 159 Dynamic authorization............................. 156, 218, 220 E EAP............................................................................ 77 EAP-TLS ...............................................

PAGE 432

secret_answer................................................... 195 secret_question ................................................ 195 Show forms....................................................... 159 Show views ....................................................... 159 simultaneous_use ..................................... 152, 154 sms_auto_send_field ................................ 234, 392 sms_enabled............................................. 233, 392 sms_handler_id ..........................

PAGE 433

Create multiple.................................................. 137 Delete................................................................ 141 Disable .............................................................. 141 Edit............................................................ 123, 142 Email receipt ..................................................... 137 Export ............................................................... 148 Filtering .....................................

PAGE 434

Time server ......................................................... 40 Update plugins.................................................... 43 Virtual machine ................................................... 32 Intermediate certificate............................................ 303 K Keep-alive ............................................................... 349 L LDAP Advanced options ............................................... 98 Create translation rule.......................................

PAGE 435

Create LDAP server .......................................... 119 LDAP ................................................................. 119 Navigation ......................................................... 109 Password complexity........................................ 130 Password options ............................................. 111 User roles.......................................................... 112 Operator profile Privileges...........................................................

PAGE 436

Local RADIUS accounting ................................ 249 Managing.......................................................... 242 Parameters ....................................................... 253 Print .......................................................... 242, 243 Reset to defaults............................................... 247 Run default ....................................................... 242 Run options ...................................................... 243 Run preview............

PAGE 437

session filter creating ..................................................... 112, 117 Sessions Active ................................................................ 220 Closed............................................................... 220 Stale .................................................................. 220 sessions filtering .............................................................. 221 Setup wizard.............................................................. 34 Shared Secret............

PAGE 438

Virtual IP address .................................................... 348 Virtual machine.......................................................... 32 NTP and timekeeping ......................................... 41 NTP configuration ............................................. 322 Visitor......................................................................... 27 Visitor Account .......................................................... 27 VLAN RADIUS Attributes .........................................

guest name	{$u.guest_name}