User Manual EWS-Series WLAN Gateway-Controller ECH-Series Wireless Hotspot Gateway Version 3.43.00 Copyright Notification Edgecore, INC. This document contains proprietary information which is the property of Edgecore, INC. and is strictly confidential. No part may be reproduced except as authorized by written permission of the contributing companies.
1 Edgecore WLAN Quick Deployment 1.1 Check your Network Environment Before installing the Edgecore WLAN controller, careful network planning is required in order to meet the networking needs with the most efficient utilization of network resources. IT staff of any organization should assess the available network resources at hand, and design a suitable network topology with resiliency, capacity, and survivability in mind.
hyperlink of Service Zone Name for further configuration about its own VLAN tag, LAN IP address, DHCP server settings, authentication options, etc. For more details, please refer to “chapter 3 How to configure Service Zone.” 1.3 How to add User Accounts Local User is a type of user whose account credentials are stored in the WLAN controller’s built-in database named “Local”. The capacity of the WLAN controller’s “Local” database varies by model.
2 How to configure System Setup 2.1 System General Setting This section relates to fundamental system configuration. The General page displays the following tabs: General Settings, System Time. General Settings: System Name: This is a mnemonic name the admin can give to the controller. Once configured, it will show on the web browser’s frame. Contact Information: This is the email, cell phone, or other means of contact, displayed on the clients’ web browser in the event of internet disconnection.
matching the entered IP. UAM Filter: The Universal Access Method (UAM) Filter drops non-browser HTTP requests from user agents before authentication to prevent system overloading from excessive traffic. Management IP Address List: This allows the network administrator to enter a selection of reserved IP addresses/ranges that are authorized to see the Web Management Interface, which is configured in “System > General > Management IP Address List, chapter 2.2”.
Management Service Zone List: Given the enabled Service Zone(s), configured in “System > Service Zone, chapter 2.4”, administrators can set an entry to Active so that devices within the matching IP address range can access the WMI of the system. Management IP Address List: For remote access, the IP address/segment can be customized for administrators to access the WMI of the system. Please confirm the entries are Active in the table by checking the checkboxes. For example, entering "192.168.3.
- Fiber Port and Ether Port: Bridge the Fiber port and the Ethernet port; physically only one uplink is connected, either via the SFP port or the Ether port. Bonding: Deploy both the SFP port and the copper Ethernet port for service. This option aggregates the two connections and results in higher aggregate throughput. WAN2 Configuration Physical Mode: a drop-down list that allows administrators to choose the speed and duplex of the WAN connection.
2.4 LAN Configuration The LAN of the WLAN controller is managed by Edgecore’s unique Service Zone feature, configured in “System > Service Zone, chapter 2.4”, and administrators can choose one of the Service Zone modes to serve on this page. The LAN screen displays the following tabs: LAN Ports, Management Port. Note: If the HA feature is Enabled, LAN1 is transformed into a dedicated HA port and will not be able to serve any Service Zone.
3 How to configure Service Zone Service Zones are virtual partitions of the physical LAN side of an Edgecore Controller. Similar to VLANs, they can be separately managed and defined, having their own user landing pages, network interface settings, DHCP servers, authentication options, policies and security settings, and so on. By associating a unique VLAN Tag (when it is tag-based) and an SSID with a Service Zone, administrators can flexibly separate the wired and wireless networks.
Router mode, as the name suggests, is a network operating without address translation in and out of the Controller. Router mode is selected when using public IPs or under circumstances where the downstream devices require a routable IP address to upstream routers. 3.2 DHCP Server Option Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network.
Authentication Options: Administrators can designate configured auth servers for use. Postfix will be used as auth server identifier when more than one auth server is enabled for service. Portal URL: The specification of a desired landing page may be configured here. When enabled, the administrator can choose to set the URL of an opened browser after users’ initial login.
For a Preview of the custom page, click “Apply” followed by the “Preview” button. Similarly, the four options are available for Message Pages.
4 How to enable User Authentication Databases 4.1 Internal Authentication An internal authentication database is a storage device where users’ credentials in the system may be queried for validity. Each type has its own application in different scenarios: Local User Database, On-Demand User Database, Guest User Database. Local User Database: This type of authentication method checks the local database that stores users, often the staff, and their credentials internally.
Note: 1. The txt files generated may be used interchangeably by all WLAN controller series, as the defined csv format is consistent for all models. 2. Duplicated accounts will result in upload failure and a warning message will be displayed. Account Roaming Out. 802.1X Authentication. On-Demand User Database: The On-Demand user database is designed for guest user account provisioning with time or traffic volume constraints. It is ideal for the deployment needs of hotels, hotspot venues, enterprise visitor reception, and more.
- The Reference field allows the administrator to input additional information. Volume: Users can access the internet as long as the account is valid with remaining quota (traffic volume). The account expires when the Valid Period is used up or the quota is depleted. This is ideal for small-quantity applications such as sending/receiving mail, transferring a file, etc. The countdown of the Valid Period is continuous regardless of logging in or out. - Activation is the time period within which the user must execute a first login.
Duration Time with Cut-off Time: This is the clock time at which the On-Demand account is cut off (made expired) by the system on that day. For example, if a shopping mall is set to close at 23:00, operators selling On-Demand tickets can use this plan to create tickets set to be cut off at 23:00. If an account of this kind is created after the Cut-off Time, the account will automatically expire. - Begin Time is the time at which the account will be activated for use. It is set to the account creation time.
POS Tickets and Terminal Server When Terminal Servers (such as the SDS200W) are deployed for account generation, remember to configure the IP and Port in the Terminal Server configuration. Payment Gateway The WLAN controller supports different types of payment gateway options depending on the account types possessed by the operator, including Authorize.net, PayPal, SecurePay, WorldPay, and PeleCard. PayPal, the most commonly used, is used as the illustrative example below.
The service disclaimer can be customized by configuring Web Page Customization. After configuring your external payment gateway, the login page will be shown with a hyperlink which guides the end user step by step to purchase an account with a valid credit card.
Account buyers enter a cellphone number after paying a fee for the account online. The account buyers can then re-send the SMS no more than the configured number of times. To preview your External Payment Portal, click “Configure” for Web Page Customization at the bottom of the page. Just like all customizable web pages in the system, this page also supports customization with templates, uploading HTML, or using an external page.
SMS Gateway With a set of Clickatell account Username/Password, the SMS Gateway can be configured to send SMS messages upon On-Demand account creation. The SMS service can be used for free access, paid access with payment gateway integration, or both. Define an API ID and activate the desired billing plans. Multiple Billing Plans may be activated if needed. To prevent the SMS Gateway from being flooded by SMS queries for account generation, an Account Registration Control option is available.
Demand account even though the 1st account hasn’t expired or been used yet. Block will restrict users to sending a 2nd On-Demand account only after their 1st account has expired. Parameter: API parameters and values for sending an SMS request. Response Format: JSON or HTML. Selected choice will depend on the type of response provided by the SMS service. The Response Format will be used by the WLAN controller to determine whether the SMS text message has been sent successfully.
API URL: https://www.smsglobal.com/http-api.php
Registration before Accounts Expired: Allow
Parameters (No. / Parameter / Parameter Value / Remark):
- action: sendsms (Action to be taken. [Default: sendsms])
- 1. user: G******* (Your SMSGlobal username)
- 2. password: eZ************ (Your SMSGlobal password)
- 3. from: Edgecore (MSISDN or Sender ID that the message will appear from)
- 4. to: Phone Number
- text: SMS Content
Email Verification For the email verification option, clients are able to access additional quota on On-Demand accounts by activating the link sent to their mailbox. What’s more, administrators can check the Logs and Reports to see the client status and related information for further marketing purposes.
with Guest Email Verification. Please refer to “section 17.5.1 SMTP Setting”. Taking Gmail as the SMTP server, the configurations are:
- SMTP server address: smtp.gmail.com
- SMTP port: 465
- Encryption: SSL
- Authentication: Login: Account Name: admin’s Gmail email address
- Authentication: Login: Password: admin’s Gmail email’s password
- Sender Email Address: admin’s Gmail email address
Sender Name: The Sender Name displayed in the client’s mailbox.
Account Creation – System Created: to use system-generated random Usernames and Passwords - Password: the generated passwords can be short (4 characters) or long (8 characters). Account Creation – Manually Created: to generate Usernames and Passwords by typing them manually - Username: the Prefix and Postfix are kept constant while the Serial Number for the accounts increments by one.
Guest User Database The Guest Authentication Option is not technically a user database, but rather a specially designed option to allow a user to access and surf the network without any user account or password. It allows the user to associate with a particular Service Zone, enter a specified string of text which may be a social security number, email, etc. defined by the administrator, and use the network without actual authentication.
Email Verification: to ensure that the entered email is a valid email address. The client has to activate this account within the activation time to extend his/her usage time by clicking a link in the mail sent by the mail server. Note that the activation is merely a timer and does not add to the account’s Quota. SMTP Server Settings: to assign the SMTP server for sending the mail to redeeming clients. This SMTP server is shared with Guest Email Verification. Please refer to “section 17.5.1 SMTP Setting.”
One Time Password For the One Time Password (OTP) authentication option, clients are able to access the internet by entering their own mobile numbers and then receiving an SMS message with a one-time password, which they must enter on the authentication page. Afterwards, clients can start surfing the Internet. Typically, the user login flow is as shown in the figure below.
4.2 How to integrate Edgecore EC-PP200 printer Manual setup Connect the EC-PP200 to the WLAN controller via a USB cable.
Configure and Activate Billing Plans For deployment flexibility on your hotspot, customization of POS tickets using templates is supported on the WLAN controller. Up to 5 ticket templates can be saved on the system. Image: an image (such as your company logo) can be uploaded in TMB format if needed. Width: there are 2 Width types, 2” for PRT100 and 3” for EC-PP200. Language: to select the desired language for the configured ticket template.
Administrators may start customizing their POS ticket in the window below by typing manually or by inserting parameters from the drop-down list as shown in the above example. Once this is done, you may start assigning Billing Plans and Ticket Templates for your Terminal Servers. The administrator can now select the desired Ticket Template for a specific ticket generator from the drop-down list.
Applications for QR Code Log-in On-Demand Account generation with a ticket generator is a very common deployment for hotspot providers. What makes it a hassle is manually entering the Username and Password of the account, especially on mobile devices, which require typing on small keyboards and are not easy on the eyes. Log-in credentials including your Username, Password, Usage quota, Price, etc. are all embedded in the QR code.
For the utilized Billing Plan, the corresponding ticket template needs to be customized to support QR Code. The width needs to be changed to 3” (default value = 2”). The parameter needs to be added by typing “$qr” on the template, or by selecting “$qr” from the drop-down menu and clicking Insert Parameters. Note: Only Edgecore EC-PP200 thermal printers support the printing of QR codes. If clients have installed a QR Code scanning App (such as QuickMark, QR Reader, Barcode Scanner), the login process is now simple.
4.3 External Authentication The WLAN controllers are equipped with a variety of external authentication options so as to support account roaming and adapt to existing networks. These are: POP3, LDAP, RADIUS, NT Domain, SIP, Social Media. POP3: POP3 is a common mail service protocol where e-mail is kept by a certain Internet server.
Server 2 by default is configured to use RADIUS authentication. The WLAN controllers support RADIUS authentication, RADIUS class mapping, and RADIUS transparent login with 802.1X. Below is the detailed configuration page of RADIUS settings. Attributes of the Primary RADIUS Server and Secondary RADIUS Server can be configured depending on service deployment.
Another important setting field is the Class-Group Mapping on the page. It is a translation setting which maps RADIUS Class attributes to different groups on the WLAN controller, enabling different RADIUS accounts to be incorporated into different Groups. NT Domain The NT Domain option supports Windows Domain databases to perform user credential authentication. By default Server 3 is selected to use NT Domain.
profile should have its QoS settings appropriately configured to support voice applications. Please also make sure that the corresponding Service Zone also has ‘Enable’ checked in the SIP Interface Configuration in order to function properly. Social Media Social Media Login allows Wi-Fi users to access internet without going through a tedious account registration process. The WLAN controller supports six kinds of social media accounts, LINE, Facebook, Google+, Weibo, VK and Open ID.
further analysis or marketing purposes. Account names, account emails, gender, birthdays, and location on the Social Media Account List can be downloaded for administrators’ data manipulation (if the social media platforms permit providing them). The list does not clear entries automatically, but an email notification is sent when 1000 entries remain (11000/12000; the maximum is 12000 entries).
4.4 How to apply Social Media Login The WLAN controllers also provide a convenient method for Social Media Login which enables clients to access the internet by logging in with their own Social Media Accounts, e.g. LINE, Facebook, Google+, Weibo, VK, and Open ID. Prepare the desired Social API credentials (the App ID and Secret) by visiting the social media developers’ site. All administrators have to do is copy and paste the corresponding ID and secret.
Implement into specific Service Zones and login pages Choose the desired Service Zone where you would like to apply the Guest authentication option - Go to “Main Menu > System > Service Zone > Configure.” Scroll down the page to Authentication Options. Check the box to enable the Social Media Login Option as shown in the figure below.
Clients are now able to access the login pages Consequently, after going through configurations from STEP 1 to STEP 3, end users will see that an additional “Sign-in with Social” button (or buttons) appears on the Service Zone’s login page. By clicking the Social Media Login button and accepting the terms and conditions for free access to public Wi-Fi, free users will be able to access the network with the constraints specified in the Social Media Login Option profile and the Group profile.
4.5 RADIUS Authentication Application 802.1X Authentication/ WPA2-Enterprise Authentication WLAN controller configuration Since the WLAN controller needs to communicate with an external RADIUS server, the authentication server and accounting server settings should follow the RADIUS server. For the clients associated with the managed APs, the RADIUS Client Device Settings should set the 802.1X service range to the managed APs with the corresponding RADIUS Secret Key.
start the RADIUS authentication request and follow the AAA settings from the WLAN controller and the RADIUS server.
Local/ On-Demand Account Roaming Out The built-in user account databases both Local and On-Demand of the WLAN controller may be used for other WLAN controllers as their external RADIUS authentication database. This application offers the ability to refer to a single central WLAN controller for account credential lookup during the authentication process, and is ideal for enterprises or businesses with multiple branch offices.
After enabling the Account Roaming Out feature for the Local or On-Demand database, administrators are able to click the RADIUS Client Device Settings button to specify the WLAN controller IP Address/Subnet Mask which is allowed to behave as a RADIUS client and authenticate against this WLAN controller’s built-in databases. Note: Please make sure that the user database postfixes are configured without conflicting with one another over the two Controllers.
It is recommended to select “Leave Unmodified” for Username Format.
- Leave Unmodified: the WLAN controller will directly transfer what the client types in the Username field
- Complete: both the username and postfix will be transferred to the RADIUS server for authentication
- Only ID: only the username will be transferred to the external RADIUS server for authentication
The Main Office Gateway acts as the Primary RADIUS Server. The related configuration follows the network environment of the main office gateway.
Note: If both the Local and On-Demand databases are configured as roaming out server, please set the Postfix in the remote controller as “.” (dot).
WLAN Controller as an Internal RADIUS Server Thanks to the built-in Local and On-Demand databases, the WLAN controller is able to act as both the RADIUS server and the gateway in the same box. The Edgecore AP can act as the authenticator for clients with 802.1X authentication. Please see the topology and configuration below.
DM and CoA The WLAN controller supports RADIUS authentication through UAM (Universal Access Method), which is to say that the auth-request is sent out by the WLAN controller. The DM&CoA feature allows an External Web Server to directly send auth-requests to the RADIUS Server. Subsequently, the External Web Server sends the authentication result to the WLAN controller in the form of CoA exchange. Likewise, the WLAN controller is able to accept Disconnect Messages from the External Web Server.
WLAN controller DM&CoA configuration over Main › Users › External Authentication › RADIUS › Roaming Out & 802.1X
DM & CoA Supported Attributes
Authentication with CoA-Request requires the following attributes:
1. Called-Station-Id (Controller WAN's MAC)
2. Calling-Station-Id (Client's MAC)
3. User-Name
4. Framed-IP-Address
Change of Authorization with CoA-Request for an authenticated user requires the following attributes:
1. Called-Station-Id (Controller WAN's MAC)
2.
ZVendor-MaxByteIn-4GB
ZVendor-MaxByteIn
ZVendor-MaxByteOut-4GB
ZVendor-MaxByteOut
ZVendor-Group
Chargeable-User-Identity
HTTP parameters sent from the WLAN controller to the External Web Server include:
1. loginurl (Login URL)
2. remainingurl (Remaining URL)
3. vlanid (VLAN ID)
4. iface (Service Zone)
5. gwip (Controller’s IP)
6. gwmac (Controller’s MAC)
7. client_ip (Client IP)
8. ipv6_addr (Client IPv6 Address)
9. umac (Client MAC)
10.
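As an added example (not code from the manual or from Edgecore), the following Python script shows how an External Web Server would encode a CoA-Request or Disconnect-Request carrying the four attributes listed above, and the authenticator checks (RFC 5176) each side should run before trusting the packet. The shared secret, MAC addresses, username and client IP are constructed placeholders.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# RADIUS Dynamic Authorization packet codes (RFC 5176).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types named in the DM & CoA attribute list (RFC 2865).
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
CALLED_STATION_ID = 30
CALLING_STATION_ID = 31

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def avp(attr_type, value):
    """Encode one attribute-value pair as Type(1) Length(1) Value(n)."""
    if isinstance(value, str):
        value = value.encode()
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_coa_request(secret, identifier, controller_wan_mac, client_mac,
                      username, client_ip, code=COA_REQUEST):
    """Build a CoA-Request (or Disconnect-Request, via code=) with the
    Called-Station-Id, Calling-Station-Id, User-Name and Framed-IP-Address
    attributes the controller requires for authentication via CoA."""
    attrs = (avp(CALLED_STATION_ID, controller_wan_mac)
             + avp(CALLING_STATION_ID, client_mac)
             + avp(USER_NAME, username)
             + avp(FRAMED_IP_ADDRESS, IPv4Address(client_ip).packed))
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(secret, packet):
    """Receiver-side check (what the controller must do before acting on a
    CoA/DM request): the Request Authenticator must match the shared secret
    configured for that RADIUS client device, otherwise drop the packet."""
    if len(packet) < HEADER_LEN or len(packet) != struct.unpack("!H", packet[2:4])[0]:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_response(secret, request, code):
    """Build a CoA-ACK/NAK or Disconnect-ACK/NAK answering a verified request."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    authenticator = hashlib.md5(header + request[4:HEADER_LEN] + secret).digest()
    return header + authenticator


def verify_response(secret, request, response):
    """Sender-side check that an ACK/NAK really answers the request we sent."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    if len(response) != struct.unpack("!H", response[2:4])[0]:
        return False
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN]
                           + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def parse_attributes(packet):
    """Decode the AVPs into {type: value}; malformed lengths raise instead of
    being silently skipped, which is the safer behaviour for a receiver."""
    out, pos = {}, HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 3 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + length]
        if attr_type == FRAMED_IP_ADDRESS:
            out[attr_type] = str(IPv4Address(value))
        else:
            out[attr_type] = value.decode("utf-8", "replace")
        pos += length
    return out


if __name__ == "__main__":
    # Constructed sample values; in a deployment the secret is the one set
    # under RADIUS Client Device Settings on the controller.
    SECRET = b"constructed-shared-secret"
    req = build_coa_request(SECRET, 7, "00-11-22-33-44-55",
                            "66-77-88-99-AA-BB", "alice", "192.168.3.10")
    print("request verifies:", verify_request(SECRET, req))
    ack = build_response(SECRET, req, COA_ACK)
    print("ack verifies:", verify_response(SECRET, req, ack))
    print(parse_attributes(req))
```

The example does not add a Message-Authenticator attribute; where the peer requires it (RFC 5176 recommends it), compute HMAC-MD5 over the packet with the shared secret and append it before hashing the Request Authenticator.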
Primary RADIUS Server: to configure the RADIUS authentication server from Main › Users › External Authentication › RADIUS
- Authentication Server: to enter the IP address of the RADIUS authentication server
- Authentication Port: to enter the port number of the RADIUS authentication server; the default is 1812
- Authentication Secret Key: to enter the shared secret that will be used to validate communication with the RADIUS authentication server.
to the Wi-Fi Alliance that allows users to roam between wireless internet service providers, in a fashion similar to that used to allow cell phone users to roam between carriers. A RADIUS server is used to authenticate the subscriber's credentials. WLAN controllers support the WISPr attributes required to establish roaming relationship with most roaming brokers in the market such as Boingo, iPass Connect etc.
5 How to configure User Policies User Policies, as the term suggests, are profiles of network-governing constraints which are enforced upon users, including firewall rules, login schedule, routing rules and session allowances. There is a Global policy, which will be applied if a user belongs to a Group not bound to any Policy. The number of Policy profiles is model dependent. 1.1 User Policy Select Policy: to choose which User Policy profile to configure.
- Password Change: set to “Allow” so that a user with the applied Privilege Profile can change their login password. Maximum Concurrent Sessions: when a user with this Privilege Profile reaches the session limit, this user will be implicitly suspended from any new connection for a fixed time period. Disable timeout for this group: set to “Enable” so that the clients to whom this policy is applied will not be logged out automatically.
1.2 Global Policy Firewall Profile: to specify the protocols & rules that will be enforced on users governed by the Global Policy. - Service Protocol: This link leads to a policy's Service List page where the administrator can define a list of services by protocol (TCP/UDP/ICMP/IP). The service names defined here form a choice list for configuring firewall rules. - User Firewall Rules: This link leads to the policy's Firewall Rules page. Rule No. 1 has the highest priority; rule No.
6 How to generate your scenarios 6.1 User Groups, User Policies, Service Zones and Schedule A User Group within different Service Zones can be applied with different policies, or the administrator can select one of the defined policies to apply to groups within a certain Service Zone. For example, students can be given different network access rights when accessing from the classroom region rather than from the teacher or staff office region.
Group Overview A User Group is a set of users that the admin considers to share similar characteristics to some extent, i.e. role based. For example, on a campus there are, in general, teachers, students, and visitors. Therefore an IT staff member may set up three Groups that distinguish these three categories of Internet service users by giving these Groups different permissions for Internet accessibility.
In the WLAN controllers, there are eight to twenty-four Group profiles, depending on the model capacity.
6.2 Blacklists and Privilege Lists Network operators may want to limit the accessibility of certain accounts or devices from authentication or association from time to time. This section describes the ways in which user or device restrictions may be achieved: Blacklists, IP Privilege List, IPv6 Privilege List, MAC Privilege List, MAC Access Control List. Blacklists: Blacklist profiles can be defined and each active authentication option may be configured with one of these blacklist profiles.
address. Devices specified in the list require NO authentication to access the network. Add: The IP Address in IPv6 format and User Group fields are required. The MAC Address field can optionally be used as an additional matching condition together with the IP Address. Note that the user policy still applies to privileged clients.
Traffic Direction for Idle Timeout: The user’s activity may be inspected on the uplink only or in both directions. Threshold for Idle Traffic Detection: Designate the threshold below which traffic flow is considered idle. Charge Traffic to/from Host in Walled Garden List: For usage or volume type accounts in the On-Demand user database, the administrator has the option to charge or not charge visits to websites that are listed in the walled garden or walled garden ad list.
7 How to configure Access Point in LAPM Management of access points is always of vital importance for a network administrator. Thus Edgecore delivers a simple, straightforward set of management tools to help you achieve it. Generally, we suggest a centralized network with a controller in charge of access points on both the WAN side and the LAN side.
List. The AP's name will be shown as a hyperlink. Click the hyperlink of each managed AP to further configure (General Setting, LAN Setting, Wireless LAN, Layer 2 Firewall) the AP. Click the hyperlink of the shown Status of each managed AP for detailed status information of the AP (System Status, Service Zone Status, Wireless Status, Access Control Status, and Associated Client Status). Add: This is elaborated in Section 7.
Background AP Discovery: this feature can be enabled to scan the wireless environment at a fixed interval set by the admin. Click Configure to set up the function; the configurations are similar to the method above. Discovery Results: the table displays all the APs currently found alive. After finding an AP, the admin can further set up the template to be applied and the operating channel, and furthermore put the AP under a specific service zone you have enabled.
The SSID and Wireless Security can be specified per Service Zone. Depending on deployment needs, access filtering may be imposed on individual Service Zone’s managed AP devices. The Wireless Settings section under the VAP Configuration list allows the specification of wireless settings including Access Control list. For each Service Zone, administrators can set up the wireless security profile, including Authentication and Encryption.
- Type Denied, Status Disabled: devices with these addresses are allowed to associate with the APs of this Service Zone.
- Type Denied, Status Enabled: the AP does not allow devices with these addresses to associate with the APs of this Service Zone.
7.4 AP Firmware Management Firmware upgrades matter because software enhancements are released periodically for enhanced standards / features.
Tree can be set up in your network. This list can be set to refresh automatically at fixed intervals (10s, 20s, 30s, 40s, 50s, 60s). Edit: Click "Edit" to change the WDS connection settings for the associated WDS Tree. WDS Update Add WDS Connection: to select New Parent AP and New Child AP from the respective drop-down list and click "Add". Note that a new WDS Tree will be added if the selected Parent AP is not in any of the current WDS Trees.
available APs have more chance to be associated. The system can divide the managed APs into groups; define the group threshold, and a time interval which will trigger the AP load balancing.
8 How to configure Access Point in WAPM Management of access points is always of vital importance for a network administrator. Thus Edgecore delivers a simple, straightforward set of management tools to help you achieve it. Generally, we suggest a centralized network with a controller in charge of access points on both the WAN side and the LAN side.
WDS Management, Rogue AP Detection, AP Load Balancing. 8.1 AP List All of the supported APs under management of the system will be shown on the list. The administrator can add supported APs from the Adding tabs, or APs can be added via the CAPWAP tunnel back from the AP. After APs are added, this list will show the current managed APs including AP type, AP name, IP Address, MAC Address, Status, number of Clients, Tunnel Status, AP Firmware Version, and geographic location. Add: This is elaborated in Section 8.
Map Goto Map: When you have configured multiple map profiles, this function allows switching between different maps. Goto AP: This function lets the administrator select an AP on the list, and the map will shift to show the selected AP in the center of the map. Save Modification: This function saves the changes made to the map and overwrites the map’s profile attributes. For instance, if you have altered or panned the original map, clicking this button will save the changes made.
Map Configuration Customize Image: The administrator can upload desired images for each AP model that will be used as AP markers on the MAP. Add a New Map: Click to add a new map profile. Delete this Map: Delete the current map profile. Edit this Map: Click to modify the current map’s attribute settings. Procedure to create a Map: 1. Get a Public IP Address from your ISP and configure this address on the WAN interface. 2. Apply for a Google Maps Registration key. 3. Click the Add a New Map button on the Map page.
Click the terms and conditions check box and fill in your WLAN controller’s WAN IP address. Google will generate an API key for your WLAN controller. Now return to the Map tab page in the WLAN controller’s WMI, scroll down to the bottom of the page, and click the Add a New Map button. An editing page will open for configuration; fill in a Map Name for this map and its geographical location as defined by Longitude and Latitude, and remember to also fill in the Key issued by Google.
The above screenshot is an example showing Taipei City with Map Name as Taipei Songshan Airport, Zoom Level of 14 and Normal Map Type. If you have several APs deployed and listed in List under Wide Area AP Management, their geographical location can be marked on a particular map. First, go to the List tab page and click the Edit button of the APs that you wish to mark on the map. In the AP configuration page, set the coordinates (Latitude and Longitude) of this AP and the radius of its signal coverage.
link that will show up in the dialogue box on the map for referencing additional information related to this AP, for instance the IP address of an IP surveillance camera connected to this AP or the URL of the venue website where this AP is deployed. The administrator can upload customized thumbnail images to be shown on the map. After configuring all the necessary settings and uploading your images, click the Apply button and return to the AP List page.
Administrators can click on the AP icon to see the dialogue box with the additional information or links that you have configured. Administrators can also click the more info link for information on AP Link, AP Statistic, AP Status, Client List, WDS List and Links related to this AP, which is collected from the remote AP via SNMP.
AP Grouping In Wide Area AP Management, all the managed APs must be designated to an AP Group by Maps. Each AP must be configured to belong to a map. All APs will be added to the Default Map, or you may create a new map for selection before adding a new AP. AP grouping allows different levels of administrators to manage APs by AP group. An AP Group can include multiple maps and AP templates; conversely, a map can be included in different AP groups.
fields shown in the popup window. Click Apply. Add the deployment location of the AP in the AP’s attribute profile (longitude and latitude): “Main Menu > Devices > Wide Area AP Management > List - AP Attribute (Edit)”. Go back to the List page, choose the AP, click the Add to Map button, and choose the desired map. After these settings, the admin should see an icon of the AP on the selected map.
Assigning permission to an AP group. 8.3 AP adding and configuration AP discovery Add an AP The Adding page allows the administrator to directly add a single Access Point to the management list regardless of its Status.
Discovery AP With the AP Discovery feature, the administrator can scan for APs regardless of their physical location as long as their IP addresses can be reached.
On WLAN controller side CAPWAP Status: enable the CAPWAP feature to establish CAPWAP tunnels between the system and managed APs. Apply Certificate to AP: make sure that the Controller’s CAPWAP settings use a security certificate issued by the same CA. Upload the necessary security certificate into the AP in order for the Controller to validate CAPWAP discovery and join requests. For information on certificate management on the controller, please refer to the subsequent chapter in this guide.
controller in order for the AP to get an IP address that is in the same subnet as the Edgecore WLAN controller it is trying to connect to. Broadcast Discovery: The AP sends broadcast requests to all the IP addresses in a subnet. Edgecore WLAN controllers, like most gateways, do not forward broadcasts across subnets. Make sure the controller is in the same subnet as the AP when you enable this function.
4. On AP: check that the AP WMI shows Data Channel as “Active” with the VAP tunnel status in “Green” light on the System Overview page 5.
CAPWAP with Split Tunnel With Split tunnel, only user authentication related traffic is directed back to the controller. For authenticated users, data traffic goes to the Internet directly through the local network. User data is transmitted over a shorter path and the network load on the controller is also reduced. The following procedures may be helpful: 1. On AP: type the IP address for Static Discovery, and wait until the CAPWAP column displays a “RUN” status. 2.
5. On AP: reconfirm that the specific VAP Configuration is under Split Tunnel 8.4 Template Select a country code depending on the firmware version on your Access Point. This dynamically changes the available channels on your access point.
RF Card Name: Select an RF Card for your AP. Band: Depending on the AP model template you are editing, there are different modes to select: 802.11a, 802.11b, 802.11g, 802.11a+802.11n, 802.11b+802.11g, 802.11g+802.11n and 802.11ac. Short Preamble: The short preamble, with a 56-bit synchronization field, can improve WLAN transmission efficiency. Select Enable to use Short Preamble or Disable to use Long Preamble with a 128-bit synchronization field. Channel Width (802.11g+n, 802.11a+n and 802.
Spacing, TXOP Limit: Transmission Opportunity Limit. VAP Configuration VAP: Enable or Disable this VAP. Profile Name: The profile name of a specific RF card and its VAP, for identity and management purposes. ESSID: The ESSID (Extended Service Set ID) serves as an identifier for clients to associate with the specific VAP. It can be coupled with different service levels, such as a variety of wireless security types. VLAN ID: The Edgecore Access Point supports tagged VLANs (virtual LANs).
prioritizes wireless data packets based on four access categories: voice, video, best effort, and background. Applications without WMM, and applications that do not require QoS, are assigned to the best-effort category, which receives a lower priority than voice and video. WMM thus decides which data streams are more important and assigns them a higher traffic priority. This option works with WMM-capable clients only; the application must support WMM.
Firmware The WLAN controller can store AP firmware in its built-in memory. Under the Firmware tab page the administrator can upload new AP firmware to the WLAN controller’s memory, allowing easy remote AP upgrade and restore operations from the AP List page. The AP firmware listed on this page can be downloaded or deleted from the WLAN controller’s memory if desired. 8.7 Rogue AP Detection Rogue AP detection is another essential way of protecting your network environment.
measure of grouping managed APs. The unit is meters; the administrator can configure an integer ranging from 0 to 999, where 0 signifies that the function is Disabled. APs that are within the configured distance of one another are regarded as the same group.
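As an added illustration of the distance-based grouping described above (example code written for this manual, not Edgecore's implementation): it takes the AP coordinates configured in the AP attribute profiles, computes great-circle distances, and groups APs that fall within the configured threshold, applying the relation transitively. The AP names and coordinates are constructed sample values, and treating the threshold transitively is an assumption about how the controller applies it.

```python
import math
from typing import Dict, List, Tuple

# Constructed sample inventory: AP name -> (latitude, longitude) in decimal
# degrees. Values are made up for this example, not from a real deployment.
MANAGED_APS: Dict[str, Tuple[float, float]] = {
    "AP-Lobby":  (25.0690, 121.5520),
    "AP-Cafe":   (25.0692, 121.5523),  # roughly 40 m from AP-Lobby
    "AP-Gate1":  (25.0700, 121.5540),  # roughly 230 m from AP-Lobby
    "AP-Gate2":  (25.0703, 121.5542),  # roughly 40 m from AP-Gate1
    "AP-Remote": (25.0800, 121.5700),  # about 2 km from everything else
}

EARTH_RADIUS_M = 6_371_000.0


def distance_m(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in metres between two (lat, lon) points (haversine)."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def group_aps(aps: Dict[str, Tuple[float, float]], threshold_m: int) -> List[List[str]]:
    """Partition APs using the manual's rule: APs within threshold_m metres of
    one another belong to the same group.

    The relation is applied transitively (union-find, an assumption of this
    example): A near B and B near C puts A, B and C in one group even if A and
    C are farther apart. threshold_m must be 0..999; 0 disables grouping, so
    every AP ends up in a group of its own.
    """
    if not 0 <= threshold_m <= 999:
        raise ValueError("threshold must be an integer between 0 and 999 metres")
    names = sorted(aps)
    parent = {n: n for n in names}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    if threshold_m > 0:
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if distance_m(aps[a], aps[b]) <= threshold_m:
                    union(a, b)

    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(groups.values())


if __name__ == "__main__":
    for threshold in (0, 100, 300):
        print(f"threshold {threshold:>3} m -> {group_aps(MANAGED_APS, threshold)}")
```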
9 How to configure Switch Management The Edgecore SW1024 is a powerful 24+2 port VLAN switch with a 500W power budget. The WLAN controller gives administrators one comprehensive interface for managing your Edgecore equipment, including the Edgecore SW1024. There are several features for centrally managed switches: Switch List PoE Schedule Template Backup Configuration 9.
9.3 Backup Configuration The list gives an overview of the backed up configurations. Administrators may download the configuration file for restoration, or check the checkboxes to delete the selected configuration files.
10 How to realize Wi-Fi Monitor WiFi Monitor allows the administrator to simulate the WiFi signal coverage of Access Points, be it a virtual area or a real managed AP’s signal coverage. It also monitors AP statuses and statistics of the managed APs. This is designed to help administrators with network survey, planning and performance enhancement during the initial installation stage, and also with monitoring managed APs in an existing deployment.
Wall: Select the file for walls (.xml format). Map Width: Actual width of the floor plan. Map Length: Actual length of the floor plan. Country Code: Select the country code (EU/US). This determines the max output power of access points. Height of Receiving Device (m): The assumed average height of receiving client devices. Managed AP Simulation is used for monitoring Access Points based on location.
The Signal Strength and Coverage of the managed APs depend on factors such as the AP model, transmit power, and AP Height.
10.2 Simulation AP WiFi Monitor is able to simulate Edgecore APs, placing them on the floor plan and checking the correlated configuration for optimization. The Signal Strength and Coverage of the simulated APs likewise depend on factors such as the AP model, transmit power, and AP Height. With the floor plan and partitions in place, simulation APs can now be added to the floor plan for simulation as shown below. Click “Simulate 2.
Configurations can then be saved conveniently to a template to be used for AP Management.
10.3 AP Monitoring on Floor Plan In an area with operating APs, administrators may view AP statuses on the created floor plan. The AP status shows Online, Offline or Disabled. Administrators may also obtain CPU Idle and Memory Usage when APs are managed by Wide Area AP Management. AP statistics such as AP density and AP average traffic are also supported when APs are managed using Wide Area AP Management.
11 How to enable VPN feature Multiple types of VPN are available on the system: Remote VPN and Site-to-Site VPN. For Remote VPN, the system allows a VPN tunnel between a remote client and the system to encrypt the data transmission via PPTP or IKEv2. For Site-to-Site VPN, an IPSec tunnel can be used to connect to other IPSec-capable devices over the Internet. 11.1 Remote VPN PPTP The WLAN controller supports Remote VPN for user login to the system from a remote location.
11.3 Site-to-site VPN The WLAN controller supports Site-to-Site VPN for more than 2 WLAN controllers to create VPN tunnels to each other over the WAN network. It is based on an open source site-to-site VPN protocol and is backward compatible with previous WLAN controllers’ site-to-site VPN feature. For example, if there are 2 WLAN controllers, you can create a VPN tunnel that lets a subnet of one WLAN controller access the subnet of the other WLAN controller.
12 High Availability The Edgecore HA design principle is to use redundancy to achieve higher availability with minimum impact during service transition. The Edgecore HA approach implements a dedicated message link between ACs (Access Controllers) to create an N + 1 redundancy system where N is ≤ 3.
There is an HA link monitoring mechanism run by the standby AC once HA links have been established. This link monitoring module checks the status of the Active ACs. When an Active AC is not responding, the module regards that AC as no longer providing service and takes over network service. Local APM managed APs experience little network interruption as they are L2 devices.
13 Port Location Mapping The Port Location Mapping feature allows each Service Zone to own multiple VLANs (as if each VLAN were a port) in order to identify where the clients are coming from. The administrator can use the Port Location Mapping feature to map a location (such as a hotel room) to a VLAN port of a VLAN switch or a DSLAM device. Each Room is mapped to a VLAN Tag, and each Room can be assigned to a different Service Zone to get a different policy.
User Limit Per Port: Maximum number of users in batch on the corresponding port. NAS Identifier From/Prefix/Postfix: An optional RADIUS attribute. Note: VLAN Ports may be created one by one or in a batch at once. Subsequent changes are possible via the Change Port Type configuration box. Note: The VLAN Tags configured in Port Location Mapping must not conflict with any of the VLAN Tags that have been assigned to the Service Zones.
Once the VAP tunneled back, whether complete tunnel or split tunnel, has been configured with PLM (Port Location Mapping), remote sites may also benefit from the PMS system or other centrally managed hotspot operations that require location attributes or information.
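Added example of the Port Location Mapping rules described above (not Edgecore's code): it batch-creates rooms mapped to consecutive VLAN tags, derives the NAS Identifier from a prefix and postfix, and refuses any tag already assigned to a Service Zone or to another port. The Service Zone tag values and the prefix/postfix form of the NAS Identifier are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094  # valid 802.1Q tag range


@dataclass
class VlanPort:
    """One Port Location Mapping entry: a location (room) bound to a VLAN tag."""
    vlan_tag: int
    location: str
    service_zone: str
    user_limit: int        # User Limit Per Port
    nas_identifier: str    # optional RADIUS attribute sent for this port


def build_nas_identifier(prefix: str, location: str, postfix: str) -> str:
    """NAS Identifier From/Prefix/Postfix: derive the value from the location.
    (Assumed form: prefix + location + postfix.)"""
    return f"{prefix}{location}{postfix}"


def find_tag_conflicts(tags: Iterable[int], service_zone_tags: Dict[str, int],
                       existing: Dict[int, VlanPort]) -> List[Tuple[int, str]]:
    """Return (tag, reason) for every tag that cannot be used for a PLM port."""
    sz_by_tag = {tag: sz for sz, tag in service_zone_tags.items()}
    conflicts: List[Tuple[int, str]] = []
    for tag in tags:
        if not VLAN_MIN <= tag <= VLAN_MAX:
            conflicts.append((tag, "outside the 802.1Q range 1-4094"))
        elif tag in sz_by_tag:
            conflicts.append((tag, f"already assigned to Service Zone {sz_by_tag[tag]}"))
        elif tag in existing:
            conflicts.append((tag, f"already mapped to {existing[tag].location}"))
    return conflicts


def create_ports_batch(first_tag: int, last_tag: int, location_prefix: str,
                       service_zone: str, user_limit: int,
                       nas_prefix: str, nas_postfix: str,
                       service_zone_tags: Dict[str, int],
                       existing: Dict[int, VlanPort]) -> Dict[int, VlanPort]:
    """Batch-create ports for tags first_tag..last_tag, one room per tag.
    The whole batch is refused if any tag conflicts, following the manual's
    note that PLM tags must not collide with Service Zone tags."""
    if service_zone not in service_zone_tags:
        raise ValueError(f"unknown Service Zone {service_zone!r}")
    tags = range(first_tag, last_tag + 1)
    conflicts = find_tag_conflicts(tags, service_zone_tags, existing)
    if conflicts:
        detail = "; ".join(f"{tag}: {why}" for tag, why in conflicts)
        raise ValueError("VLAN tag conflicts: " + detail)
    ports = dict(existing)
    for tag in tags:
        location = f"{location_prefix}{tag}"
        ports[tag] = VlanPort(tag, location, service_zone, user_limit,
                              build_nas_identifier(nas_prefix, location, nas_postfix))
    return ports


# Constructed sample: Service Zone name -> VLAN tag (made-up values).
SERVICE_ZONE_TAGS = {"Default": 1, "SZ1": 100, "SZ2": 200}

if __name__ == "__main__":
    table = create_ports_batch(101, 105, "Room-", "SZ1", 4, "hotel-", "-plm",
                               SERVICE_ZONE_TAGS, {})
    for port in table.values():
        print(port)
    print(find_tag_conflicts(range(198, 203), SERVICE_ZONE_TAGS, table))
```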
14 PMS Integration The administrator may select the interfacing protocol that is compatible with their site’s hospitality management system or PMS system. Net Retriever Micros Opera Net Retriever Net Retriever Setup: Enter the Secret, Interface Port, MI ID, AC ID, and Link Test Interval for the Middleware connection. Secret: The secret key shared between the Guest Service Device and the PMS Middleware, used in a challenge and response (MD5 Hash) to test the authenticity of the link.
All req_type values can use the field “format” with JSON. req_type=1 (equals: bpinfo) shows the billing plan information; if the field “all” is added, it shows all billing plans, including inactive ones. req_type=2 (equals: check) confirms the available billing plans and units and whether the user is allowed to buy a certain billing plan; if there is any error, it returns the error code and message for the admin. req_type=3 (equals: userinfo) shows the user’s information and status.
15 Utilities for WLAN Controller 15.1 Network Utilities There are dozens of built-in Network Utilities for troubleshooting or setup verification. IPv4 IPv6 Sniff IP Discovery IPv4 Ping: Allows the administrator to probe a device by IP address or host domain name to see whether it is alive. Trace Route: Allows the administrator to discover the actual path packets take from the gateway to a destination given by IP address or host domain name.
Sniff With this feature the administrator can listen for packets on selected interfaces. The administrator can further filter the types of packets to capture by entering tcpdump filter expressions in the Expression field. IP Discovery Network administrators sometimes need to access or modify AP information without entering the AP interface, for example when the AP’s IP address or the admin password has been forgotten, or to configure the AP’s IP address.
System Certificate This is the certificate that identifies the system. These certificates may be used for applications such as HTTPS login and CAPWAP. The Controller has a built-in Factory Default Certificate (gateway.example.com) that cannot be removed, but it allows additional certificates to be uploaded. To view details of a certificate, click the corresponding "View" button. Certificate: to upload the certificate file in .
15.3 Administrator Accounts General Settings Password Complexity: limits how the passwords used by the sub-admins must be formed. - Min Password Length: sets the minimum length of a password string. - Min Password Category: lets an admin define how complex the sub-admins’ passwords are required to be.
- Permission-Read/Write: the specific page can be configured, edited, monitored, viewed, or anything else the administrator wishes to do. Administrator Accounts The admin has the authority to change his/her own password or add more accounts to the admin list to take over (some of) the management responsibility. Administrator Accounts List: serves as a list for admins to track the dynamics of each management account, including the number of online admins and the state of each sub-admin.
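Added example (not the controller's own code) of how the Min Password Length and Min Password Category settings above could be enforced when a sub-admin password is set; the four character categories (lowercase, uppercase, digit, symbol) are an assumption, since the manual does not list them.

```python
import string
from typing import Dict, List, Set, Tuple

# Assumed character categories (the manual does not enumerate them): the four
# classes most complexity policies count.
CATEGORIES: Dict[str, Set[str]] = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def categories_used(password: str) -> List[str]:
    """Names of the categories that appear at least once in the password."""
    chars = set(password)
    return [name for name, members in CATEGORIES.items() if chars & members]


def check_password_policy(password: str, min_length: int,
                          min_categories: int) -> Tuple[bool, List[str]]:
    """Apply Min Password Length and Min Password Category to a candidate.

    Returns (accepted, problems); problems is empty when accepted.
    """
    if not 1 <= min_categories <= len(CATEGORIES):
        raise ValueError(f"min_categories must be 1..{len(CATEGORIES)}")
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} is below the minimum of {min_length}")
    used = categories_used(password)
    if len(used) < min_categories:
        problems.append(
            f"uses {len(used)} character categories ({', '.join(used) or 'none'}); "
            f"the policy requires at least {min_categories}")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample policy: at least 8 characters from at least 3 categories.
    for candidate in ("password", "Pa1!", "Passw0rd!"):
        ok, why = check_password_policy(candidate, 8, 3)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
```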
Restore System Restore System Settings: Click Browse to search for a .db database backup file created by the controller and click Restore to restore the settings in effect when the backup file was saved. There are some options to check to decide whether to keep the system’s current settings instead of overwriting them with the .db file. - Keep WAN1 setting. (default checked) - Keep Management IP Address List.
of restarting. 15.6 System Upgrades The administrator can obtain the latest firmware from Edgecore’s Partner Center or Edgecore’s Support Team and upgrade the system. Click Browse to search for the firmware file on your local drive and click Apply to upgrade the firmware. It might take a few minutes before the upgrade process completes, and the system needs to be restarted afterwards to activate the new firmware.
16 Advanced Settings for Network Environment 16.1 IPv4/ IPv6 Dual Stack Network The WLAN controller supports operating in an IPv6 networking environment. When the IPv6 configuration option is enabled, the administrator may assign an IPv4 address as well as an IPv6 address to either WAN1 or WAN2 of the network interface. There are three ways to configure an IPv6 address for the chosen WAN interface, namely Static, 6to4, and go6. Please select the option applicable to your environment.
16.2 NAT The NAT function supports 3 types of network address translation: DMZ (Demilitarized Zone), Public Accessible Server, and IP/Port Forwarding. DMZ (Demilitarized Zone) The system supports specific sets of Internal IP address (LAN) to External IP address (WAN) mapping in the Static Assignments. The External IP Address of the Automatic WAN IP Assignment is the IP address of the External Interface (WAN1), which changes dynamically if the WAN1 Interface is Dynamic.
Port & IP Forwarding This function allows the administrator to set specific sets of IP addresses for redirection purposes. When a user attempts to connect to a destination IP address listed here, the connection packet is translated and redirected to the corresponding destination. Enter the “IP Address” and “Port” of the Destination, and the “IP Address” and “Port” of Translated to Destination. Select “TCP” or “UDP” for the service’s type.
These settings become effective immediately after clicking Apply. 16.3 Monitor IP List Multiple IP addresses can be defined in the Monitor IP function. The system can monitor these IP-based network devices and periodically report their online status via email at a configurable interval. These monitored devices can be accessed via HTTP or HTTPS connection.
Add: to create a new walled garden entry. Domain Name/IP Address/URL: which pages should be added to the walled garden list. However, the entries selected as Walled Garden Ads must be URLs, not IP addresses with a prefix.
Enable Built-in: A built-in proxy server in the WLAN controller can be enabled, even with a Proxy Server placed outside the LAN environment or on the Internet. For example, the above diagram illustrates how an ISP’s proxy server is used. Select Enable Built-in and click Apply to save the settings. Enable Proxy Server Settings in Internet Options on the client stations. By enabling the built-in Proxy Server, all traffic is forwarded to the local Proxy Server on the controller.
Using an External Proxy Server External: to specify an External Proxy Server; fill in the appropriate IP address of the Proxy Server and the port it uses. Please refer to the following steps to complete the proxy configuration: Add the External Proxy IP address and External Port Number into the External Proxy Servers setting. Click Apply to save the settings. Enable Proxy Server Settings in Internet Options on the client stations.
or Level 2. Net ID: This is the ISO address, the Network Entity Title (NET). The NET is used much like an IP address to uniquely identify a router on the inter-network. Route Level: Level 1 systems route within an area; when the destination is outside an area, they route toward a Level 2 system. Level 2 intermediate systems route between areas and toward other routing domains. The level type of each network interface can be assigned.
special Timeout timer is started whenever a route is installed in the routing table. Whenever the router receives another RIP Response with information about that route, the route is considered “refreshed” and its Timeout timer is reset. When this timer expires, the route is marked as invalid. RIP Timer – Garbage Collect Timer: Specify the time in seconds before an invalid route is erased from the routing table. 16.
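Added example (not the controller's firmware) showing the interaction of the RIP Timeout and Garbage Collect timers described above: receiving a Response installs or refreshes a route, an expired Timeout timer marks it invalid, and an expired Garbage Collect timer erases it. The 180 s and 120 s defaults are the RFC 2453 values, assumed here because the manual leaves both configurable; the prefixes and next hops are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed defaults (RFC 2453 values); the controller lets the admin set both.
DEFAULT_TIMEOUT_S = 180
DEFAULT_GC_S = 120


@dataclass
class RipRoute:
    prefix: str
    next_hop: str
    metric: int
    expires_at: float                 # Timeout timer deadline
    valid: bool = True
    purge_at: Optional[float] = None  # Garbage Collect deadline once invalid


class RipRouteTable:
    """Minimal RIP route table that models only the two timers."""

    def __init__(self, timeout_s: float = DEFAULT_TIMEOUT_S,
                 gc_s: float = DEFAULT_GC_S) -> None:
        self.timeout_s = timeout_s
        self.gc_s = gc_s
        self.routes: Dict[str, RipRoute] = {}

    def receive_response(self, prefix: str, next_hop: str, metric: int,
                         now: float) -> RipRoute:
        """A RIP Response carrying this prefix installs or refreshes the route:
        the Timeout timer is (re)started and any pending garbage collection
        is cancelled, so the route is valid again."""
        route = self.routes.get(prefix)
        if route is None:
            route = RipRoute(prefix, next_hop, metric, now + self.timeout_s)
            self.routes[prefix] = route
        else:
            route.next_hop = next_hop
            route.metric = metric
            route.expires_at = now + self.timeout_s
            route.valid = True
            route.purge_at = None
        return route

    def tick(self, now: float) -> List[str]:
        """Advance the clock: routes whose Timeout timer expired become invalid
        (and their Garbage Collect timer starts from that expiry); invalid
        routes whose Garbage Collect timer has expired are erased.
        Returns the prefixes erased during this tick."""
        erased: List[str] = []
        for prefix, route in list(self.routes.items()):
            if route.valid and now >= route.expires_at:
                route.valid = False
                route.purge_at = route.expires_at + self.gc_s
            if (not route.valid and route.purge_at is not None
                    and now >= route.purge_at):
                del self.routes[prefix]
                erased.append(prefix)
        return erased

    def state(self, prefix: str) -> str:
        """'valid', 'invalid' (awaiting garbage collection) or 'absent'."""
        route = self.routes.get(prefix)
        if route is None:
            return "absent"
        return "valid" if route.valid else "invalid"


if __name__ == "__main__":
    table = RipRouteTable()
    table.receive_response("10.1.0.0/16", "192.0.2.1", 2, now=0)
    for t in (100, 200, 280, 399, 400):
        if t == 100:
            table.receive_response("10.1.0.0/16", "192.0.2.1", 2, now=t)
        table.tick(t)
        print(f"t={t:>3}s: {table.state('10.1.0.0/16')}")
```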
traffic would be tunneled back to the original Controller for forwarding to the Internet. The Cross Gateway roaming architecture adopts a star topology design in which one Master Node may have up to 15 Slave Node peers. The term Master Node simply means that this node takes its place in the center of the star topology. The role determination depends entirely on the administrator’s settings.
17 Status for Logs and Reports 17.1 Dashboard This page displays important system-related information that the administrator might need to be aware of at a glance, including General System settings, Network Interface and Online Users. The download button in the top-right corner is a tool that captures system settings, used for maintenance or troubleshooting purposes.
17.2 System Related Status System Summary The system summary displays a table of contents including firmware version, report servers configured, WAN optional settings, user log profile, system time and session control settings. For detailed status, please proceed to the corresponding configuration pages. A selection of reports is available when the “See Reports” button is clicked. These reports can be sorted by interface and interval.
Network Interface This section provides the details of each of the network interfaces for the administrator to inspect, including WAN1, WAN2, SZ Default, and SZ1 ~ SZ8. Select the network interface that you are interested in. If the selected interface is enabled, the corresponding network settings are displayed.
Process Monitor This gives an engineer a quick overview of the active status of each network utility process daemon on the gateway. Administrators can choose to Enable or Disable the Process Monitor. If enabled, a green status light indicates that the process daemon is working normally. Routing This status page lists all the User Policy Route rules and Global Policy Route rules.
DHCP Server The DHCP IP lease statistics can be viewed after clicking Show Statistics List on this page. Statistics of offered list: Valid lease counts for the last 10 minutes, hours and days are shown here. The headers 1 ~ 10 are unit multipliers; for instance, the number under column 2 indicates the lease count in the last 20 minutes/hours/days, the number under column 3 indicates the lease count in the last 30 minutes/hours/days, and so on.
DHCP Lease List: Valid IP addresses issued by the DHCP Server and related information about the client using each IP address are displayed here. 17.3 Client Related Status Online User Users displayed on this page are the ones authenticated by this Controller under its managed network, either on the LAN or at a remotely tunneled site.
There are 2 modes to select from. Select ‘Detail’ to display more information, such as Pkts In/Out and Bytes In/Out. Administrators can force out a specific online user by clicking Kick Out, and check the AP the user is accessing from by clicking the hyperlink of the AP name under Access From. A “Search” tool is available for searching the IP or MAC address of a specific online user.
On-Demand Roaming Out User This page shows the users that are authenticated by other Controllers using this Controller’s On-Demand database as their RADIUS database. Session List This page allows the administrator to inspect sessions currently established between a client and the system. Each result displays the IP and Port values of the Source and Destination. You may define filter conditions to display only the results you desire.
17.4 Logs and Reports System Related Logs and Reports This page displays the system’s local log and User events since system boot-up. Administrators can examine the log entries of various events. However, since all this information is stored in volatile memory, it will be lost during a restart/reboot operation. Therefore, if the log information needs to be documented, the administrator will need to back it up manually.
Note that different User Types contain different user information. Categories will be left blank if inapplicable to the User Type. Applicable User Event categories for Local Users: Date, Type, Name, IP, IPv6, MAC, Pkts In, Bytes In, Pkts Out, Bytes Out, VLAN ID, Group, Policy, MaxDnLoad, MaxUpload, ReqDnLoad, and ReqUpload.
SMTP Settings Allows the configuration of 5 recipient e-mail addresses and the necessary mail server settings to which various user-related logs will be sent. SMTP Server: Enter the IP address of the sender’s SMTP server. SMTP Port: By default the port number is 25. The administrator can specify other ports if the SMTP server runs SMTP over SSL. Encryption: Enable this option if your SMTP server runs SMTP over TLS or SSL.
address and port number of the external SYSLOG server here. System Log: This enables or disables the SYSLOG logging feature. When enabled, the selected logs from “Notification Settings” are sent to the SYSLOG server configured above; when disabled, no logs are sent to that server. FTP Settings Allows the configuration of an external FTP Server to which selected user logs as well as system logs will be sent.
Appendix A. Hardware Overview EWS100 1 Reset 2 3 Power button LED Displays 4 Port1 5 6 7 Port2 Port3-Port5 USB EWS5203 1 Reset 2 Console 3 4 USB1/USB2 WAN1/WAN2 5 6 LAN1 ~ LAN2 LED Indicators Press and hold for over 3 seconds and the status LED on the front panel will start to blink; release the button at this stage to restart the system.
EWS5204 1 LCD Display 2 Reset 3 Console 4 5 USB1/USB2 WAN1/WAN2 6 7 LAN1 ~ LAN2 LED Indicators EWS5207 1 LED Indicators 2 LCD Display 3 Reset 4 Console 5 6 USB WAN1/ WAN2 7 LAN1 ~ LAN4 Allows the network administrator to check important system settings such as network interfaces, SZ configurations, etc. The navigation buttons from left to right are “Esc”, “Up”, “Down”, and “Enter”.