
Access Controller

Manual for Diamond series v.4.5-x

Introduction

This document is a guide on how to install, set up and maintain an AmazingPorts Access Controller. The Access Controller is a firewall that will allow or deny access to resources on the other side of itself. It does this by acting as gateway in a LAN (Local Area Network); we often refer to this LAN as a public LAN. The Access Controller receives its settings and rules to a large extent from two internet servers, one called the LDS (Login Directory Service) and one called the AMS (Access Controller Management Service). As a rule of thumb the LDS provides rules and the AMS provides management, just like the names indicate.

Table of contents

Installing the Access Controller
Registering the AC - Mandatory and free of charge
  NEW REGISTRATION SERVICE
Default settings
  Default WAN settings (eth0)
  Default LAN settings (eth1-n)
Configuration scenarios
  Fully automatic configuration
  Fixed IP configuration
Verifying that your AC works properly
Advanced configurations
  Local web administration of the Access Controller
  Configuring manual IPs on the AC WAN interface (Networking)
    Configure the WAN interface manually: IP address, netmask and gateway
    Configure name servers - DNS
    Changing the IP of the Public LAN interface (Eth1-n)
The Administration portal
  The main menu
  Managing vouchers
    Make Vouchers
Managing administration accounts on the Access Controller
  Enabling password rotation
  Changing default passwords not using password rotation
    Default passwords
    Accessing passwords with password rotation
Troubleshooting
Accreditations
Appendix A
  Internet over Fibre
  Internet over Cable/DSL
  Dial-Up
Appendix B The difference to other hotspot solutions
Appendix C Service Oriented Provisioning
  Real time Service Oriented Provisioning
    A service oriented provisioning architecture
    What is the real life advantage?

Page 2 (25) Version: 1.5

customer-service@amazingports.com

Installing the Access Controller


This installation assumes that you have fundamental knowledge of networking and access to two computers: one to become your Access Controller and the other to perform the registration after installation.

1. Obtain the ISO of the Access Controller (AC). Download it from the web site, or you may have received it with this manual.
2. Obtain a standard computer with two NICs and a CD drive or equivalent.
   a. Preferably use simple old computers, as some modern motherboards will cause a kernel panic.
3. Set the BIOS to boot from CD, ignore keyboard error and auto power-on on power loss.
4. Burn the installation CD.
5. Install the AC (notice this will erase everything on the Access Controller).
6. Once the installation completes, the CD will eject and the AC will beep.
   a. REMOVE THE CD. Otherwise it may boot from the CD again.
7. Connect the other computer to the public network of the AC. The IP will be DHCP assigned and in the range of 172.23.12.xx; note that 12 may be 13 or 14 depending on the number of NICs that your AC has.
8. Open the local web admin interface on https://172.23.12.1:8443 (you may have to replace the C network 12 with 13 depending on how many NICs your AC has). The default credentials are username: admin, password: admin.
9. Configure all network settings correctly. (The AC assumes it will be served its WAN address etc. from a DHCP server.)
10. Reboot the Access Controller (whether you have made any changes or not).
11. Re-connect to the local web admin interface and click the registration link in the top right hand corner.
12. Follow the link (automatically or manually) to the NEW registration site.
13. Complete the registration process to obtain an admin account to make vouchers and customise your landing page.


Registering the AC - Mandatory and free of charge


Before you will be able to make vouchers/codes/coupons you must register your AC. Start the registration process by clicking the Register AC semaphore and link in the main Menu. The registration process is 100% Free of charge and will set up your free service.

NEW REGISTRATION SERVICE


Since January 2010 the registration service has changed and you have to follow the link through to the new registration service that will (unlike the old service) automatically let you register one or several admin accounts with different user rights. When you register an Access Controller, you automatically become the Administrator of this Access Controller and the associated network.


Default settings
Default WAN settings (eth0)
The AC will attempt to get a dynamic address for its WAN interface using the DHCP protocol. It will attempt to automatically use the information it receives through the DHCP request to apply correct IP and DNS settings. If the access controller for some reason does not receive IP information on the WAN connection, it will not be possible to connect through the access controller. In the section below called Manual WAN settings you can read more about configuring these settings manually.

Note that this manual covers only configuration considerations referring to the Access Controller (AC). We assume that any network equipment between the WAN interface and the Internet is configured appropriately, and that it will either provide IP and DNS settings through DHCP or that the AC must be configured manually (with Fixed IP).

Currently (2008) the publicly available AC version supports neither PPPoE nor PPPoA as a means of acquiring a network connection.

Default LAN settings (eth1-n)


The AC will automatically apply functional settings for each of your LAN NICs. It is possible to mount several network adapters; these will then be automatically named eth1, 2, 3, n etc. They will all automatically receive settings according to the following schema:

Network adapter    IP
Eth 1              172.23.12.1
Eth 2              172.23.13.1
Eth 3              172.23.14.1
Eth n              172.23.(n+11).1


Configuration scenarios
The access controller can be configured in two basic ways: fully automatic or with fixed IP. Note that whichever case you prefer, it is mandatory that the Private LAN (WAN) and the Public LAN (LAN/WLAN) ALWAYS use different IP subnets. In plain English this translates to: if the Private LAN (WAN) in the examples below uses IP addresses in the 192.168.xx.yy range, then the Public LAN must NOT use addresses in that same 192.168.xx.yy range but a different one, for example 172.23.12.xx.

Fully automatic configuration

In the fully automatic configuration scenario the Internet router will have a DHCP server that provides the Access Controller with IP settings.

Fixed IP configuration

In a scenario where the Access controller will use a fixed IP to connect to the internet it is important to remember that DNS settings need to be entered manually. Without proper DNS settings the AC will fail to operate.
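A fixed IP plan can be checked against the rules above before it is typed into the AC. The following is an added example, not AmazingPorts code: it derives the public LAN subnets from the eth n -> 172.23.(n+11).1 schema, then checks for overlap with the WAN subnet, a gateway outside the WAN subnet, and missing name servers. The /24 prefix for the public LANs, the function names and the sample plans are assumptions made for this example.

```python
import ipaddress


def public_lan_networks(lan_nic_count, prefix_len=24):
    """Public LAN subnets per the manual's schema: eth n -> 172.23.(n+11).1.

    The /24 prefix length is an assumption; the manual only lists addresses.
    """
    networks = {}
    for n in range(1, lan_nic_count + 1):
        third_octet = n + 11
        if third_octet > 255:
            raise ValueError(f"eth{n}: 172.23.{third_octet}.1 is not a valid address")
        iface = ipaddress.IPv4Interface(f"172.23.{third_octet}.1/{prefix_len}")
        networks[f"eth{n}"] = iface.network
    return networks


def check_fixed_ip_plan(wan_ip, wan_netmask, wan_gateway, name_servers, lan_nic_count):
    """Return a list of problems in a fixed IP plan (empty list = consistent)."""
    problems = []
    wan = ipaddress.IPv4Interface(f"{wan_ip}/{wan_netmask}")
    gateway = ipaddress.IPv4Address(wan_gateway)

    # The gateway is the IP gateway on the private LAN (WAN), so it has to
    # sit inside the WAN interface's own subnet.
    if gateway not in wan.network:
        problems.append(f"gateway {gateway} is outside WAN subnet {wan.network}")
    elif gateway == wan.ip:
        problems.append(f"gateway {gateway} is the AC's own WAN address")

    # Private LAN (WAN) and Public LAN must ALWAYS use different subnets.
    for nic, lan in public_lan_networks(lan_nic_count).items():
        if wan.network.overlaps(lan):
            problems.append(f"WAN subnet {wan.network} overlaps public LAN {lan} on {nic}")

    # With a fixed IP nothing arrives via DHCP, so DNS is entered manually.
    if not name_servers:
        problems.append("no name servers given; the AC will fail to operate without DNS")
    for ns in name_servers:
        try:
            ipaddress.ip_address(ns)
        except ValueError:
            problems.append(f"name server {ns!r} is not a valid IP address")
    return problems


# Constructed sample plans (not taken from the manual).
GOOD_PLAN = dict(wan_ip="192.168.1.10", wan_netmask="255.255.255.0",
                 wan_gateway="192.168.1.1", name_servers=["192.168.1.1"],
                 lan_nic_count=2)
BAD_PLAN = dict(wan_ip="172.23.13.50", wan_netmask="255.255.255.0",
                wan_gateway="172.23.13.1", name_servers=[],
                lan_nic_count=3)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        issues = check_fixed_ip_plan(**plan)
        print(label, "->", issues or "OK")
```

A wide WAN netmask is caught as well: a WAN subnet of 172.16.0.0/12 contains every 172.23.x.0/24 public LAN and is reported once per LAN NIC.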


Verifying that your AC works properly


To ensure that your AC is working properly, connect to the AC and surf to:

http://login.amazingports.com

This should always bring you to the landing page of your AC. If it doesn't, something is wrong and you need to verify that all settings are correct. See Troubleshooting for further assistance.


Advanced configurations
Local web administration of the Access Controller
Connect a computer to the Public LAN port of the Access Controller.

URL: https://172.23.12.1:8443
Default username: admin
Default password: admin

Normally, for improved security, an access controller is always set to password rotate. To receive the password for your AC, if the default password does not work, please contact AmazingPorts customer service.

After login you will reach this web page:

In the following we will guide you through the settings that can be made locally in the AC admin interface. Once you have set up your AC, use the Register AC link to register your access controller. Occasionally it might be necessary to restart your AC. This can be done by clicking Reboot device, which will reboot the hardware, or by clicking Restart AC services, which restarts the main AC services without rebooting the hardware.


Configuring manual IPs on the AC WAN interface (Networking)


To configure IP settings in the AC click the Configure Networking link in the web admin interface.

Configuring IPs contains three important sections. ALWAYS begin by configuring the WAN / Gateway Interface.

Configure the WAN interface manually: IP address, netmask and gateway

To configure an IP address manually, set Get from dhcp server to No. Then enter an appropriate IP address, Net mask and Gateway for the WAN interface. Remember that the gateway referred to in this menu is the IP gateway on the private LAN (WAN) (see Configuration scenarios). After setting the IP, confirm that you wish to enter the new settings, and let the AC implement the new settings. It can often be good to restart the AC after this has been done. You can restart it by using the re-boot link in the menu. Give the AC a good two minutes to stop and restart.


Configure name servers - DNS

The next step is to enter DNS settings for the AC. You find these settings in the main menu under Configure Networking -> Global Settings Name servers.

Enter correct name servers for your network and click the set button. Should you need to enter more than 2 name servers, just go into the same menu after you have configured the first two, and you will be able to add more name servers. At this stage, when you have set both the IP address and DNS (name server) settings, make sure you reboot the AC so that it can start with correct IP and DNS settings.

Changing the IP of the Public LAN interface (Eth1-n)

Start by clicking Configure Networking in the main menu and then choose the connection point you wish to configure.

Normally there is no reason to change these settings!


The Administration portal


The administration portal is your key to managing your Access Controller(s) and users, making vouchers and any other aspect of running your network.

https://ams.amazingports.com

The main menu


Depending on your credentials, your menu will adapt to only show menu choices you actually have access to.

There are 5 tabs that each address different needs:

- Network lets you see your AC's current report status and manage traffic control (QoS).
- Look & Feel lets you customise the landing portal and certain other aspects of the look and feel.
- Products & services lets you customise and manage the products that are available to your voucher maker(s), and manage the general rules that are valid for the entire network, an AC, a hotspot, or a single product.
- Support lets you ask questions to AmazingPorts if you are an Administrator, or lets your users ask you questions if you are an administrator.
- User Management lets you add/edit and manage all aspects of your users, including assigning them special rights and managing their role (if any):
  o Administrator: Can administer all aspects of this Network
  o Voucher Maker: Can make vouchers
  o Accountant: Can see/export transactions, vouchers etc.
  o Support Agent: Can answer support chats

Managing vouchers
You manage vouchers under the Products and services tab, which is divided into two main sections: Vouchers and products on one side and Default rules on the other side.


Make Vouchers

To create a voucher you select the product that the voucher should give the user. The product defines what service the user will get.

Valid to and valid from indicate the dates and times for which the vouchers created should be valid. A shorter validity will generate a shorter voucher secret, meaning that the user will have less to fill in.

Repetitions are the number of times this voucher can be used by a user. Example: A user gets a voucher with 3 repetitions for a product Internet Access 1 hour; this means that the user will actually get 3 hours of access. Vouchers are automatically repeated as long as a user is logged in or, if a user is anonymous, as long as his session is valid.

Quantity is the number of vouchers to create. If a number bigger than 1 is chosen, the output is in Excel format instead of a single voucher. The look and feel of single vouchers can be customised under the Look & Feel tab.

Language is a drop-down that will contain all the languages you have enabled in the Look & Feel section for your network.


Managing administration accounts on the Access Controller


The access controller can be administered in any of three ways. Normally all configurations and settings are performed via an XML file that the Access Controller receives from the AmazingPorts Access Controller management system. Nevertheless, occasionally it can be necessary to manage the access controller locally. To secure this access we recommend that all access controllers use password rotation; password rotation ensures that the access controller has complex and hard-to-guess passwords. If your access controller doesn't have password rotation activated, you should always change the default passwords for the root account and the web admin account.

Enabling password rotation


To activate password rotation, log in to the administration portal and click the spanner icon to edit your access controller. Then enable password rotation and click Save Changes. Once the Access Controller has enabled the password rotation (this will happen within an hour), the new passwords for Root access and local web admin access will be visible in the portal. Passwords normally rotate every 20 minutes.


Changing default passwords not using password rotation


Click the Manage admin accounts link in the main menu.

Usernames and passwords are case sensitive.

Default passwords

Context                                       User     Password
Shell access SSH                              root     _change_me_
Local web admin (https://172.23.12.1:8443)    admin    admin

Accessing passwords with password rotation

Log in to the administration portal at https://ams.amazingports.com and select to edit your access controller under the Network -> Status/Home tab.


Troubleshooting
To make it easier to find out about your problem we have created a list of problems and possible solutions.

Problem: You receive no IP

- Because you are using an incorrect cable
  Solution: If your computer is connected directly to the access controller, the network cable must be a cross-over cable or your network adapter must support MDIX. If this is gibberish to you, then connect to the Access Controller through a hub, switch or WiFi access point.

- Because you do not have a WiFi connection
  Solution: If you are connecting to the AC through a WiFi network, make sure that you are really connected. Specifically check:
    - If you are using any encryption, that your keys are CORRECT (you can do this by setting a fixed IP on your machine and verifying that you can connect to the web interface of the Access Point or the access controller).
    - That you have set your computer to actually connect to the WiFi network in question.

- Because your computer is NOT set to receive IP settings from a DHCP server
  Solution: You need to make sure that the IP settings of the network adapter you are using to connect to the access controller are set to use Automatic IP settings or DHCP.

- Because you connected to the wrong NIC (network adapter)
  Solution: Verify that you connected to the correct NIC on the Access Controller. There are at least two of them, and if the one you are connected to doesn't work, try the other one.

- Because the NIC on the computer or the AC is broken
  Solution: First ensure that the AC actually is connected to power. No, we're not kidding you; this is a common reason for not working. Normally when connecting to the AC, the link light of the network adapter should light up. Connect the AC to a switch and verify that the switch indicates that the link is up. If this is not the case, exchange the cable for another one to make sure that your problem is not a cable failure. If you determine that the NIC is physically broken (this is VERY unusual), then just replace it with another suitable network adapter.


Problem: You receive an IP but cannot browse anywhere and you are not redirected.

- Because DNS isn't working properly
  Solution: Verify that your DNS settings are correct and that you are able to resolve domain names. A way to do this is to open a command prompt in Windows and run nslookup. In nslookup, be aware if the primary DNS fails. If that is the case, then correct the DNS settings in the AC and make sure you have a functional DNS as primary DNS. After correcting the DNS settings, restart the AC and VERIFY that your settings were properly accepted by the Access Controller.

- DNS is working but any web page you are looking at times out instead of showing.
  Solution: Try connecting to http://172.23.xx.1, replacing xx with the specific subnet you are in. What you are doing here is actually connecting directly to the redirector of the Access Controller. You should then be redirected to the landing page of the Access Controller. If you are not, the most likely cause is that the Access Controller needs to reboot. Reboot by connecting to the local web admin interface and selecting the reboot option.

- You cannot browse anywhere AND you are unable to ping the Access Controller
  Solution: First make sure that you renew your IP. If you are still receiving an IP from the AC but can NOT ping the AC, that indicates a more complex routing problem between your client and the AC. If you are connected directly to the AC, check that your cables are OK. Reboot the AC. Reboot your computer.

Accreditations
AmazingPorts is part of the FireVentures Ltd Group, a Private limited company with registered offices in 30, BasePoint Business Centre, Metcalf Way, Crawley, RH11 7XX, West Sussex. All copyright and other rights vest with FireVentures Ltd.


Appendix A
Whereas this manual isn't supposed to cover generic network/internet configuration issues, we have added this section to cover a few common situations you as a user might encounter. We have described key aspects under each and hope that this will help you resolve any configuration issues you might encounter. As a general rule it is very good to ensure that outbound ports are open, and that inbound ports 22 and 8443 are mapped and forwarded to the Access Controller. Remember that this forwarding might require you to create several port forwards depending on your network configuration, and that these forwards are an advantage, not a requirement.

Internet over Fibre


Normally the fibre connection is translated into Ethernet (standard network) in the basement of your building. If the access controller is connecting to the Internet over such a connection and a login client/software is needed (PPPoE or PPPoA), you will need a router between the AC and the connection. Configure the router according to the ISP's instructions and then set the router to assign IPs (provide DHCP service) on the LAN (where the AC WAN interface connects).

Internet over Cable/DSL


Normally this kind of connection will require a modem of some kind. The exception is VDSL using full Ethernet frames and no modulation; in such a case only a splitter is needed. Enquire with your provider how their service is configured.

If a login client/software is needed (PPPoE or PPPoA) you will need a modem and/or router between the AC and the connection. Configure the modem/router according to the ISP's instructions and then set the modem/router to assign IPs (provide DHCP service) on the LAN (where the AC WAN interface connects). Today most modems will provide the above functionality and no separate router is needed.

A special case can occur with modems that perform transparent IP forwarding to the next device. These modems will usually manage login if necessary and then forward all packets to the next device (for example your AC). In such a case make sure your next device is set to use DHCP to receive IP and other settings. It is worth noting that often these devices tend to create a relation with the previously used next device and the one you just connected, often creating severe configuration problems. Contact your modem provider for instructions on how to configure the modem, and normally configure the AC to use DHCP; verify this with your modem provider. This way of connecting is more complicated to set up but gives the advantage of a completely transparent connection to the internet, enabling certain advanced features in the Access Controller.

Dial-Up
We do not recommend using dial-up internet connections unless the modem is set to dial automatically when needed. Please be aware that the Access Controller will communicate with internet servers on an almost perpetual basis thus potentially raising your connection time to 100%.

Appendix B The difference to other hotspot solutions


Rules vs Profiles
A fundamental difference between AmazingPorts and other "similar" software is how authorizations are transmitted from the AMS to the Access Controller. In a traditional access control system an authenticated user will be assigned a profile that contains information about what he can and cannot do. In AmazingPorts the authorization is transmitted in the form of a set of rules in XML format. Compare:

Traditional system: User X can use service Y
AmazingPorts: User X can fetch email from pop.company.com and surf the internet using port 80 and 443

Clearly, if we know that service Y is "Fetch email from pop.company.com and surf the internet using port 80 and 443", then the difference between the two approaches is irrelevant.

What if you want to provide multiple services in the same network?


The difference from other systems becomes clearer when you decide that one set of rules or a profile does not meet your requirements. Imagine that you have four different services, for example email, surfing, a VoIP service and a gaming service. Any one user should be able to get any of the services; this means that you will have to build and maintain 15 different profiles so that for each combination of services there is a profile that matches.

[Table: the services Email, Surfing, VoIP and Game (rows) against Profile 1 (all 4 services) to Profile 15 (columns), with an x marking each service that a profile includes.]

- In a traditional system you have to build and maintain 15 profiles
- With AmazingPorts you only have to build and maintain 4 rule sets

At this level the reduced amount of administration is clear. Actually, the relation between a traditional system and AmazingPorts in terms of administrative work can be expressed mathematically as $2^n-(n+1)$, where "n" represents the number of services you wish to be able to offer your users.

What about individualised services?


Imagine that you run a mobile operator, and wish to charge your clients a fixed monthly fee for using e-mail. Every client will obviously have his own e-mail provider. We also know that some e-mail services are more popular than others. For the sake of this presentation we will assume that on any given market there are the 10 big known e-mail operators (Yahoo, Google, Hotmail etc.) and at least another 100 smaller ones. On top of this, every corporate customer will have their own e-mail service. Let's just assume that there are 500 different e-mail providers in total. Using the formula above we can then calculate the increased administration if you don't use AmazingPorts:

$2^{500}-(500+1)$ = 3 273 390 607 896 140 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000

This example makes it clear that AmazingPorts is significantly more efficient from an administrative perspective than the profiles based approach used by competing technologies.
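The comparison in this appendix can be worked through in code. This is an added example, not AmazingPorts code: the rule-set structure, the host names and the ports other than 80 and 443 are hypothetical stand-ins, since the manual does not show the XML rule format. It builds a user's authorization as the union of the rule sets purchased, enumerates the profiles a profile-based system would need for the same four services, and evaluates 2^n-(n+1).

```python
from itertools import combinations

# Hypothetical rule sets, one per service. Each rule is (destination, port);
# "*" means any destination. The real rule format is XML and is not shown
# in the manual, so this structure is an assumption.
RULE_SETS = {
    "email": {("pop.company.com", 110)},
    "surfing": {("*", 80), ("*", 443)},
    "voip": {("sip.voip.example", 5060)},
    "game": {("play.game.example", 27015)},
}


def effective_rules(purchased):
    """Rules approach: authorization is the union of the purchased rule sets."""
    rules = set()
    for service in purchased:
        rules |= RULE_SETS[service]
    return rules


def is_allowed(purchased, destination, port):
    """Check one connection against the user's combined rules."""
    rules = effective_rules(purchased)
    return (destination, port) in rules or ("*", port) in rules


def profiles_needed(services):
    """Profiles approach: one pre-built profile per non-empty combination."""
    names = sorted(services)
    return [combo
            for size in range(1, len(names) + 1)
            for combo in combinations(names, size)]


def extra_admin_objects(n):
    """(2^n - 1) profiles minus n rule sets, i.e. 2^n - (n + 1)."""
    return 2 ** n - (n + 1)


if __name__ == "__main__":
    profiles = profiles_needed(RULE_SETS)
    print(len(profiles), "profiles versus", len(RULE_SETS), "rule sets")
    print("difference:", extra_admin_objects(len(RULE_SETS)))
    # A user who bought e-mail and surfing, with no matching profile built.
    bought = {"email", "surfing"}
    print(is_allowed(bought, "pop.company.com", 110))   # covered by email
    print(is_allowed(bought, "sip.voip.example", 5060))  # VoIP not purchased
    print(len(str(extra_admin_objects(500))), "digits for n = 500")
```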


Appendix C Service Oriented Provisioning


Real time Service Oriented Provisioning

Precise and timely application of rules for a specific user is as much a security requirement in corporate networks as a tool to create new and innovative products in a public network environment. No other system on the market enables as easy and swift - yet precise - control over who does what.

A service oriented provisioning architecture

When a user is detected in a network controlled by an Access Controller (AC), the AC instantly requests rules for this user. This pro-active way of working means that we can achieve seamless roaming and a really comfortable and user friendly network, despite the fact that every bit sent over the network is analyzed, traffic managed and approved. The LDS receives these requests for service and makes an individual evaluation each time. This is how users in our networks can purchase multiple and diverse products during the same session. It also makes it possible to combine a free service with a paying service. An example of this could be a hotel that offers free internet access to guests, but sells higher quality internet access to guests with specific quality requirements.


What is the real life advantage?

The capability of defining and working with true product management instead of an "on/off", one size fits all mentality creates the extra revenue that hotspots need to survive. Our statistics show that in most hotspots, around 20-30% of all products are "non" standard; without AmazingPorts technology you may be losing out on those sales. It is also a way to entice new users to try services or cross sell a quality service to an existing customer. In short, this structure makes it possible for you to define and sell almost any imaginative access product to any user in any location:

- Really fast internet
- Really slow internet
- Free services - but limited priority
- Selective services - like "only VoIP from VoipLtd", or "only e-mail from email.com"
- A yearly subscription
- A temporary broadband boost
- Priority to your favourite gaming server
- Only give access to people with green hair to the "dye-my-hair-now.com" web site.
- Cut a deal with local "Big Co" and sell them E-mail only access for their sales force.

Obviously you can price everything differently and according to your comprehension of what is "smart" pricing. Please notice the unique capability of selling any combination of these services to any user. Don't wait - upgrade your venue to AmazingPorts technology now!
