Hewlett Packard Enterprise 55010016-1 Wireless Access Point User Manual 43 32 0000 01 AG CN3200 en

Hewlett-Packard Co Wireless Access Point 43 32 0000 01 AG CN3200 en

UserManual.wiki >

Hewlett Packard Enterprise >

55010016-1 User Manual >

Installation Manual Part 2

1. Installation Manual Part 1
2. Installation Manual Part 2

Installation Manual Part 2

Chapter 15: Customizing the public access interface 194

DRAFT

Source code for the internal pages

This section presents commented source code for the default internal pages.

Important: Do not create your own pages by saving a page from within your web

browser. The server side code is removed when you do this and the resulting

pages will not work. Use the examples in this section or those on the CD in

\HTML\Colubris\Internal as the basis for your pages.

<!-- iPass

</Redirect>

</WISPAccessGatewayParam>

-->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"

"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">

<head>

<title>Login</title>

<!--

.labels {

font-family: verdana, sans-serif;

}

#title {

font-size: 14px;

color: #000000;

padding-left: 5px;

}

#tags {

font-size: 10px;

color: #000000;

}

#error {

font-size: 12px;

color: #CC0000;

font-weight: bold;

}

#input {

font-family: verdana, sans-serif;

font-size: 11px;

Chapter 15: Customizing the public access interface 195

DRAFT

width: 120px;

color: #003366;

}

#submit {

font-family: verdana, sans-serif;

font-size: 10px;

font-weight: bold;

color: #003366;

}

-->

</style>

//Make sure the required information was entered

function setfocus() {

if (document.forms[0]) {

document.forms[0].elements[0].focus();

}

//-->

</script>

</head>

<td>

</td>

</tr>

<tr>

<%GetAuthenticationErrorMessage();%>

<%GetRadiusReplyMessage();%>

<%GetMsChapV2Failed();%>

</span>

</td>

</tr>

</table>

<br>

<tr>

<tr>

<span class="labels" ID="tags">Username:</span>

</td>

<td>

</td>

</tr>

<tr>

<span class="labels" ID="tags">Password:</span>

Chapter 15: Customizing the public access interface 196

DRAFT

</td>

<td>

</td>

</td>

</tr>

<tr>

<td>

</td>

</tr>

</table>

</td>

</tr>

</table>

</td></tr>

</table>

</form>

</body>

</html>

Transport page

<!-- iPass

</AuthenticationReply>

</WISPAccessGatewayParam>

-->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<html>

<head>

<title>Transport</title>

<!--

function opensessionwin(whichone) {

// Define the size of your remote window in pixels with "width" and "height."

remote =

window.open("","sessionwin","width=240,height=400,toolbar=0,location=0,directories=0,status=0,me

nubar=0,scrollbars=1,resizable=1");

if (remote.blur) remote.focus();

// Put the full url of your remote document where you see "URL".

remote.location.href = "<%GetSessionUrl();%>";

Chapter 15: Customizing the public access interface 197

DRAFT

if (remote.opener == null) remote.opener = window;

remote.opener.name = "opener";

}

//-->

</script>

</head>

<h4>This should take 1 second...</h4>

If you are not redirected within a few seconds, please <a href="<%GetWelcomeUrl();%>">click here</

a>.

If you have JavaScript disabled and the session page doesn't appear, please <a

href="<%GetSessionUrl();%>">click here</a>.

</font>

</body>

</html>

Session page

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<html>

<head>

<% SetSessionRefreshInterval("20");%>

<title>Session</title>

</head>

<tr>

<td colspan="2" align="center"> <img src="/logo.gif" alt="" width="125" height="50"

border="0"></td>

</tr>

<tr>

<font face="verdana" size="3"><b>Session</b></font>

</td>

</tr>

<tr>

Please bookmark this page for logout

</font>

</td>

</tr>

<tr>

<td align="right"><font face="verdana" size="1">Status:</font></td>

</tr>

<tr>

<td align="right"><font face="verdana" size="1">Session Time (Cur/Left/Max):</font></td>

Chapter 15: Customizing the public access interface 198

DRAFT

<td><font face="verdana" size="1"><b><% GetSessionTime(); %> / <%

GetSessionRemainingTime(); %> / <% GetMaxSessionTime(); %></b></font></td>

</tr>

<tr>

<td><font face="verdana" size="1"><b><% GetSessionIdleTime(); %> / <%

GetSessionRemainingIdleTime(); %> / <% GetMaxSessionIdleTime(); %></b></font></

td>

</tr>

<tr>

<td align="right"><font face="verdana" size="1">Received Packets (Cur/Left/Max):</font></td>

<td><font face="verdana" size="1"><b><% GetSessionInputPackets(); %> / <%

GetSessionRemainingInputPackets(); %> / <% GetMaxSessionInputPackets(); %></

b></font></td>

</tr>

<tr>

<td align="right"><font face="verdana" size="1">Received Octets (Cur/Left/Max):</font></td>

<td><font face="verdana" size="1"><b><% GetSessionInputOctets(); %> / <%

GetSessionRemainingInputOctets(); %> / <% GetMaxSessionInputOctets(); %></b></

font></td>

</tr>

<tr>

<td align="right"><font face="verdana" size="1">Transmit Packets (Cur/Left/Max):</font></td>

<td><font face="verdana" size="1"><b><% GetSessionOutputPackets(); %> / <%

GetSessionRemainingOutputPackets(); %> / <% GetMaxSessionOutputPackets(); %></

b></font></td>

</tr>

<tr>

<td align="right"><font face="verdana" size="1">Transmit Octets (Cur/Left/Max):</font></td>

<td><font face="verdana" size="1"><b><% GetSessionOutputOctets(); %> / <%

GetSessionRemainingOutputOctets(); %> / <% GetMaxSessionOutputOctets(); %></

b></font></td>

</tr>

<tr>

</form>

</td>

</tr>

</table>

</body>

</html>

Fail page

<!-- iPass

</LogoffReply>

</WISPAccessGatewayParam>

-->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<html>

<head>

Chapter 15: Customizing the public access interface 199

DRAFT

<title>Window</title>

</head>

<tr>

</tr>

<tr>

</tr>

</table>

</body>

</html>

Chapter 15: Customizing the public access interface 200

DRAFT

Source code for the external pages

Sample external pages are provided on the CD in the folder

\HTML\Colubris\External. Three versions are included for each page: HTML,

ASP, and PHP.

Welcome page HTML

<!--

This file remains on your webserver and is fully customisable by you.

You also have access to the CGI variables which are defined in the URL

that calls this page.

For example, in this file the calling welcome-url is:

welcome-url=https://207.35.116.198:8888/colubris-php/

welcome.php?site=%s&user=%u&wantedurl=%o

-->

<html>

<head>

<title>Welcome</title>

</head>

<body>

Welcome

</body>

</html>

ASP

<!--

This file remains on your webserver and is fully customisable by you.

You also have access to the CGI variables which are defined in the URL

that calls this page.

For example, in this file the calling welcome-url is:

welcome-url=https://207.35.116.198:8888/colubris-php/

welcome.php?site=%s&user=%u&wantedurl=%o

-->

<%@ Language=VBScript %>

site = Request("site")

user = Request("user")

wantedurl = Request("wantedurl")

<html>

<head>

<title>Welcome</title>

</head>

<body>

Welcome <%=user%>, to <%=site%>

<br>

The URL you were trying to access was <a href="<%=wantedurl%>"><%=wantedurl%></a>.

</body>

</html>

Chapter 15: Customizing the public access interface 201

DRAFT

PHP

<!--

This file remains on your webserver and is fully customisable by you.

You also have access to the CGI variables which are defined in the URL

that calls this page.

For example, in this file the calling welcome-url is:

welcome-url=https://207.35.116.198:8888/colubris-php/

welcome.php?site=%s&user=%u&wantedurl=%o

-->

<? /*

PHP makes QUERY STRING variables immediatly available to any

PHP scripts you embed in your file.

*/ ?>

<html>

<head>

<title>Welcome</title>

</head>

<body>

Welcome <? echo $user; ?>, to <? echo $site; ?>

<br>

The URL you were trying to access was <a href="<? echo $wantedurl; ?>"><? echo $wantedurl; ?></

a>.

</body>

</html>

Goodbye page HTML

<!--

This file remains on your webserver and is fully customisable by you.

For example, in this file the calling goodbye-url is:

goodbye-url=https://207.35.116.198:8888/colubris-php/goodbye.php?site=%s&user=%u

-->

<html>

<head>

<title>Logout</title>

</head>

<body>

Thank you.

</body>

</html>

ASP

<!--

This file remains on your webserver and is fully customisable by you.

For example, in this file the calling goodbye-url is:

goodbye-url=https://207.35.116.198:8888/colubris-php/goodbye.php?site=%s&user=%u

-->

<%@ Language=VBScript %>

site = Request("site")

user = Request("user")

Chapter 15: Customizing the public access interface 202

DRAFT

wantedURL = Request("wantedURL")

<html>

<head>

<title>Logout</title>

</head>

<body>

Thank you <%=user%>

</body>

</html>

PHP

<!--

This file remains on your webserver and is fully customisable by you.

You also have access to the CGI variables which are defined in the URL

that calls this page.

For example, in this file the calling goodbye-url is:

goodbye-url=https://207.35.116.198:8888/colubris-php/goodbye.php?site=%s&user=%u

-->

<? /*

PHP makes QUERY STRING variables immediatly available to any

PHP scripts you embed in your file.

*/ ?>

<html>

<head>

<title>Logout</title>

</head>

<body>

Thank you <? echo $user; ?>.

</body>

</html>

<!--

This file remains on your webserver and is fully customisable by you.

You also have access to the CGI variables which are defined in the URL

that calls this page.

For example, in this file the calling login-err-url is:

-->

<html>

<head>

<title>Login Error</title>

</head>

<body>

There has been a login error.

Chapter 15: Customizing the public access interface 203

DRAFT

</body>

</html>

ASP

<!--

This file remains on your webserver and is fully customisable by you.

You also have access to the CGI variables which are defined in the URL

that calls this page.

For example, in this file the calling login-err-rl is:

-->

<%@ Language=VBScript %>

site = Request("site")

user = Request("user")

wantedurl = Request("wantedurl")

<html>

<head>

<title>Login Error</title>

</head>

<body>

Sorry <%=user%><br>

There has been a login error.

</body>

</html>

PHP

<!--

This file remains on your webserver and is fully customisable by you.

You also have access to the CGI variables which are defined in the URL

that calls this page.

For example, in this file the calling login-err-url is:

-->

<? /*

PHP makes QUERY STRING variables immediately available to any

PHP scripts you embed in your file.

*/ ?>

<html>

<head>

<title>Login Error</title>

</head>

<body>

Sorry <? echo $user; ?>.<br>

There has been a login error.

</body>

</html>

Chapter 15: Customizing the public access interface 204

DRAFT

Remote login page <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"

"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">

<head>

<title>Login</title>

<!--

.labels {

font-family: verdana, sans-serif;

}

#title {

font-size: 14px;

color: #000000;

padding-left: 5px;

}

#tags {

font-size: 10px;

color: #000000;

}

#error {

font-size: 12px;

color: #CC0000;

font-weight: bold;

}

#input {

font-family: verdana, sans-serif;

font-size: 11px;

width: 120px;

color: #003366;

}

#submit {

font-family: verdana, sans-serif;

font-size: 10px;

font-weight: bold;

color: #003366;

}

-->

</style>

//Make sure the required information was entered

function setfocus() {

if (document.forms[0]) {

document.forms[0].elements[0].focus();

}

//-->

</script>

</head>

<form action="https://cn3000.wireless.colubris.com:8090/goform/HtmlLoginRequest"

method="POST">

Chapter 15: Customizing the public access interface 205

DRAFT

<td>

</td>

</td>

</td>

</td>

</tr>

</table>

<br>

<tr>

<tr>

<span class="labels" ID="tags">Username:</span>

</td>

<td>

</td>

</tr>

<tr>

<span class="labels" ID="tags">Password:</span>

</td>

<td>

</td>

</td>

</tr>

</table>

</td>

</tr>

</table>

</td></tr>

</table>

</form>

</body>

</html>

Chapter 15: Customizing the public access interface 206

DRAFT

Chapter 16: Customizing CN3200 and customer settings 207

DRAFT

Chapter 16: Customizing CN3200 and customer settings

Chapter 16

Customizing CN3200 and customer settings

This chapter presents a summary of the configuration settings you can

define to customize the operation of your public access network and

customer accounts.

Chapter 16: Customizing CN3200 and customer settings 208

DRAFT

Overview

The CN3200 uses a third-party RADIUS server to store configuration settings for

customer accounts, accounting data, as well as certain operating settings for the

public access network. The configuration settings are stored in profiles, which

you must create before the public access interface can be used.

The minimum setup you must define is as follows:

• Define RADIUS client settings for the CN3200

Any device that uses the authentication services of a RADIUS server is called

a RADIUS client. Therefore, each CN3200 is considered to be a RADIUS client

and you must define client settings for each one that you intend to install.

See page 213 for details.

• Create a RADIUS profile for the CN3200

Before it can activate the public access interface, the CN3200 must log into a

RADIUS server and retrieve certain operating settings which you must define.

Therefore, you must create at least one RADIUS profile for use by the CN3200.

If you have multiple CN3200s, they can all be associated with a single RADIUS

profile.

See page 214 for details.

• Create a RADIUS profile for one or more customers

The customer profile is used to authenticate customers when they login. It

contains settings that define the characteristics of their account.

Chapter 16: Customizing CN3200 and customer settings 209

DRAFT

RADIUS attributes

Attributes are configuration parameters that you can attach to a RADIUS profile.

The CN3200 supports standard RADIUS attributes and a Colubris Networks

vendor-specific attribute.

Standard RADIUS

attributes

The CN3200 supports the following RADIUS attributes. (Attributes starting with

MS are Microsoft and are not standard.)

Interim accounting updates

To enable interim accounting updates for each customer you must define a value

for the RADIUS attribute Acct-Interim-Interval. This sets the frequency with which

the CN3200 will send accounting information to the RADIUS server.

Access Request

• Acct-Session-Id

• NAS-Port

• NAS-Port-Type

• User-Name

• Calling-Station-Id

• Called-Station-Id

• User-Password

• CHAP-Password

• CHAP-Challenge

• MSCHAP-Challenge

• MSCHAP-Response

• MSCHAPv2-Response

• EAP-Message

• State

• NAS-Identifier

• NAS-Ip-Address

• Framed-MTU

• Connect-Info

• Service-Type

• Message-Authenticator

Access Accept

• MS-MPPE-Recv-Key

• MS-MPPE-Send-Key

• Service-Type

• EAP-Message

• Class

• Idle-Timeout

• Session-Timeout

• Acct-Interim-Interval

• Tunnel-type

• Tunnel-meduim-type

• Tunnel-private-group

Access Reject

• MSCHAP-Error

• Reply-Message

• EAP-Message

Access Challenge

• EAP-Message

• State

Accounting Request

•User-Name

• NAS-Port

• NAS-Port-Type

• NAS-Identifier

• NAS-Ip-Address

• Acct-Status-Type

• Calling-Station-Id

• Called-Station-Id

• Acct-Event-Timestamp

• Acct-Delay-Time

• Acct-Session-Id

• Acct-Authentic

• Acct-Session-Time

• Acct-Input-Octets

• Acct-Input-Gigawords

• Acct-Input-Packets

• Acct-Output-Octets

• Acct-Output-Gigawords

• Acct-Output-Packets

• Acct-Terminate-Cause

• Class

• Framed-Ip-Address

Accounting Response

• No attribute

Chapter 16: Customizing CN3200 and customer settings 210

DRAFT

Colubris Networks

vendor-specific

attributes

In certain cases, the set of standard RADIUS attributes needs to be extended to

specify custom settings for specific types of equipment. These are called vendor-

specific attributes. Colubris Networks has defined two vendor-specific attributes

to support special features on the CN3200, such as the customization of the web

interface and the security certificate. This attribute are:

• Colubris-AVPair

• Colubris-Intercept

These attributes conform to RADIUS RFC 2865.

You may need to define these attributes on your RADIUS server if they are not

already present. In this case, you need to specify the following:

Colubris-AVPair

• SMI network management private enterprise code = 8744

• Vendor-specific attribute type number = 0

• Attribute type = string

Colubris-Intercept

• SMI network management private enterprise code = 8744

• Vendor-specific attribute type number = 1

• Attribute type = integer

Attribute value summary

The following values are permitted for the Colubris-AVPair attribute. These

values are described in greater detail later in this chapter and in Chapter 15.

Important: It is important to specify the attribute values exactly as shown below.

Adding extra spaces between options will result in errors.

CN3200 profile

access-list=

name,action,protocol,address,port,[account,[interval]]

use-access-list=usename

white-list=protocol,address,[port]

ssl-certificate=URL [%s] [%n]

configuration-file=URL [%s] [%n]

mac-address=address[,username[,password]]

default-user-idle-timeout=seconds

default-user-smtp-redirect=hostname:port

default-user-session-timeout=seconds

transport-page= URL_of_page

session-page= URL_of_page

fail-page= URL_of_page

logo= URL_of_gif_file

messages= URL_of_text_file

welcome-url= URL_of_page [placeholder]

goodbye-url= URL_of_page [placeholder]

ssl-noc-certificate= URL_of_the_Certificate

ssl-noc-ca-certificate= URL_of_the_certificate

Customer profile

smtp-redirect=hostname:port

use-access-list=usename

one-to-one-nat=value

max-input-packets=value

max-output-packets=value

max-input-octets=value

max-output-octets=value

welcome-url= URL_of_page [placeholder]

goodbye-url= URL_of_page [placeholder]

group=value

essid=value

Chapter 16: Customizing CN3200 and customer settings 211

DRAFT

RADIUS limitations The maximum number of attributes the CN3200 can receive in one request is

limited by the maximum packet size of the UDP protocol which is 64K. Some

networks may drop fragmented UDP packets which may leave you with less than

the maximum size.

Chapter 16: Customizing CN3200 and customer settings 212

DRAFT

Terminate-Acct-

Cause values

Terminate Acct Cause values are supported as follows:

ID Cause Notes

1 User Request Supported. Indicates that the customer logged

out.

2 Lost Carrier Supported. Indicates that the client station is no

longer alive.

4 Idle Timeout Supported. Customer exceeded the idle timeout

value defind for the session.

5 Session Timeout Supported. Customer exceeded maximum time

defined for the session.

6 Admin Reset Supported. Customer session was terminated by

the CN3200 administrator via SNMP or the

management tool.

7 Admin Reboot Not Supported. (not applicable)

8 Port Error Supported. If two customers are detected using

the same IP address, both are logged out with

this error. Another cause is if an error is

encountered in an access list definition. For

example, an invalid host was specified.

9 NAS Error Not Supported. (not applicable)

10 NAS Request Not Supported. (not applicable)

11 NAS Reboot Supported. Customer was logged out because

the CN3200 was restarted.

12 Port Unneeded Not Supported. (not applicable)

13 Port Preempted Not Supported. (not applicable)

14 Port Suspended Not Supported. (not applicable)

15 Service

Unavailable

Not Supported. (not applicable)

16 Callback Not Supported. (not applicable)

17 User Error Supported. An 801.1x client initiated a second

authentication request for a customer, and this

request was refused.

18 Host Request Not Supported. (not applicable)

0x8744

(34628

decimal)

Termination Colubris-specific termination cause. See page

229 for details.

Chapter 16: Customizing CN3200 and customer settings 213

DRAFT

Creating a RADIUS client entry for the CN3200

Any device that uses the authentication services of a RADIUS server is called a

RADIUS client (or RAS client on some systems). Therefore, each CN3200 is

considered to be a RADIUS client and you must define client settings for each

one that you intend to install.

Configuration

settings

You may need to supply the following information when setting up a RADIUS

client entry:

• Client IP address: This is the IP address assigned to the CN3200’s Internet

port. If the CN3200 is using a PPTP connection to communicate with the

RADIUS server, then this is the address assigned to the CN3200 by the PPTP

server.

• Shared secret: Secret the CN3200 will use to authenticate the packets it

receives from the RADIUS server.

Managing shared

secrets

If you are using a PPPoE, DHCP, or PPTP VPN connection when communicating

with the RADIUS server, make sure that the shared secret for each CN3200 is

the same. Also, ensure that all possible IP addresses have been configured on

the RADIUS server.

The username and password assigned to each CN3200 can be different,

enabling you to differentiate between devices.

Chapter 16: Customizing CN3200 and customer settings 214

DRAFT

Creating a profile for the CN3200 on the RADIUS server

Before it can activate the public access interface, the CN3200 must log into a

RADIUS server and retrieve certain operating settings that you must define.

Therefore, you must create at least one RADIUS profile for use by the CN3200. If

you have multiple CN3200s, they can all be associated with a single RADIUS

profile.

Supported standard

RADIUS attributes

This section presents all standard RADIUS attributes that are supported by a

CN3200 profile.

Note: In the following definitions, strings are defined as 1 to 253 characters in

length.

Access request

• Acct-Session-Id (32-bit unsigned integer): Random value generated per

authentication by the CN3200.

• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the

RADIUS profile being used.

• NAS-Ip-Address 32-bit unsigned integer): The IP address of the port the

CN3200 is using to communicate with the RADIUS server.

• NAS-Port (32-bit unsigned integer): Always 0.

• NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents

WIRELESS_802_11.

• Calling-Station-Id (string): The MAC address of the CN3200’s LAN port in IEEE

format. For example: 00-02-03-5E-32-1A.

• Called-Station-Id (string): The MAC address of the CN3200’s LAN port in IEEE

format. For example: 00-02-03-5E-32-1A.

• User-Name (string): The username assigned to the CN3200 on the Security >

Authentication page.

• User-Password (string): The password assigned to the CN3200 on the

Security > Authentication page. Encoded as defined in RFC 2865. Only

present when the authentication method for the RADIUS profile is set to PAP.

• CHAP-Password (string): The password assigned to the CN3200 on the

Security > Authentication page. Encoded as defined in RFC 2865. Only

present when the authentication method for the RADIUS profile is set to CHAP.

• CHAP-Challenge (string): Randomly generated by the product. As defined in

RFC 2865. Only present when the authentication method for the RADIUS

profile is set to CHAP. Length = 19 bytes.

• MSCHAP-Challenge (string): As defined in RFC 2433. Only present when the

authentication method for the RADIUS profile is set to MSCHAPv1 or

MSCHAPv2. Length = 8 bytes.

• MSCHAP-Response (string): As defined in RFC 2433. Only present when the

authentication method for the RADIUS profile is set to MSCHAPv1. Length =

49 bytes.

• MSCHAPv2-Response (string): As defined in RFC 2759. Only present when

the authentication method for the RADIUS profile is set to MSCHAPv2. Length

= 49 bytes.

• EAP-Message (string): As defined in RFC 2869. Only present when the

authentication method for the RADIUS profile is set to EAP-MD5.

Chapter 16: Customizing CN3200 and customer settings 215

DRAFT

• State (string): As defined in RFC 2865.

• Framed-MTU (32-bit unsigned integer): Hard-coded to 1496.

• Connect-Info (string): The string "HTTPS".

• Service-Type (32-bit unsigned integer): As defined in the config.cfg file. Token

name = service-type-device.

• Message-Authenticator (string): As defined in RFC 2869. Always present even

when not doing an EAP authentication. length = 16 bytes.

• Colubris-AVPair: See the description in the section that follows.

Access accept

• Acct-Interim-Interval (32-bit unsigned integer): When present, it enables the

transmission of RADIUS accounting requests of the Interim Update type.

Specify the number of seconds between each transmission.

• Session-Timeout (32-bit unsigned integer): Maximum time a session can be

active. The CN3200 re-authenticates itself when this timer expires. Omitting

this attribute or specifying 0 will disable the feature. (Note that the

authentication interval is also configurable on the Security > Authentication

page.

• Idle-Timeout (32-bit unsigned integer): Not supported.

• Class (string): As defined in RFC 2865.

• EAP-Message (string): Only supported when authentication is EAP-MD5. Note

that the content will not be read as the RADIUS Access Accept is overriding

whatever indication contained inside this packet.

• Colubris-AVPair: See the description in the section that follows.

Access reject

None.

Access challenge

None.

Accounting request

Accounting information is generated by default. To disable accounting support,

open the Security > Authentication -> Advanced Settings page.

• Acct-Session-Id (32-bit unsigned integer): Random value generated by the

CN3200.

• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the

profile being used.

• NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the

CN3200 is using to communicate with the RADIUS server.

• NAS-Port (32-bit unsigned integer): Always 0.

• NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents

WIRELESS_802_11.

• Calling-Station-Id (string): The MAC address of the CN3200’s LAN port in IEEE

format. For example: 00-02-03-5E-32-1A.

• Called-Station-Id (string): The MAC address of the CN3200’s LAN port in IEEE

format. For example: 00-02-03-5E-32-1A.

Chapter 16: Customizing CN3200 and customer settings 216

DRAFT

• User-Name (string): The RADIUS username assigned to the CN3200 on the

Security > Authentication page.

• Class (string). As defined in RFC 2865.

• Framed-IP-Address (32-bit unsigned integer): IP Address of the CN3200’s LAN

port.

• Acct-Status-Type (32-bit unsigned integer): Supported values are Accounting-

On (7) and Accounting-Off (8).

• Acct-Event-Timestamp (32-bit unsigned integer): As defined in RFC 2869.

• Acct-Delay-Time (32-bit unsigned integer): As defined in RFC 2869.

• Acct-Authentic (32-bit unsigned integer): Always set to 1 which means

RADIUS.

Accounting response

None.

Colubris-AVPair

attribute

For each CN3200 profile you can specify one or more instances of a Colubris-

AVPair attribute that will be returned upon successful authentication (RADIUS

Accept). Possible values for all instance are grouped into the following

categories:

The value of a Colubris-AVPair attribute is always a string. These strings are

always of the form: <item>=<value>

Access lists Access lists enable you to create public areas on your network that all customers

can browse, and protected areas that are restricted to specific customer

accounts or groups.

Feature Description

Custom HTML pages and

URLs, and supporting files

Enables you to customize the public access

interface. See Chapter 15 for details.

Access list Enables you to create one or more access

groups which define the set of network

resources that are available to authenticated

customers.

White list The white list defines the set of network

resources that are available to customers before

they are authenticated.

Custom security certificate Enables you to replace the Colubris Networks

certificate with your own.

Configuration file Enables you to store a configuration file at a

central location to automatically update all your

CN3200s.

MAC authentication Enables you to authenticate devices based on

their MAC addresses.

Default user idle timeout Default idle timeout for all customers.

Default user session timeout Default session timeout for all customers.

Default SMTP server Default SMTP server to use for email redirection.

Chapter 16: Customizing CN3200 and customer settings 217

DRAFT

Each access list is a set of rules that governs how the CN3200 controls access to

network resources. You can create multiple access lists, each with multiple rules

to manage the traffic on your public access network.

Default setting

By default no access lists are defined. This means that:

• Unauthenticated customers cannot reach any network resources other than

the CN3200 login page.

• Authenticated customer have access to any network resource connected to the

CN3200’s Internet port.

How access lists work

Each customer and each access point can be associated with its own access list.

Incoming traffic cascades through the currently active lists. Traffic that is

accepted or denied by a list is not available to the list that follows it. Traffic that

passes through all lists without being accepted or denied is dropped.

How traffic flows through the access lists.

Note: The white list is a less-powerful version of the access list that is maintained

for compatibility with previous releases. Its functionality is completely superseded

by the access list feature. The access list feature should be used in its place.

Customer session

Site Profile Access List

DENY NO MATCH ACCEPT

Customer Profile Access List

DENY NO MATCH ACCEPT

White List

NO MATCH ACCEPT

Authenticated and

an access list exists

Authenticated and no

user access list exists

Unauthenticated

Internet portDropped

Chapter 16: Customizing CN3200 and customer settings 218

DRAFT

Within each access list, traffic cascades through the list rules in a similar manner.

How traffic flows through the access list rules.

Rules are numbered according to the order in which they are added. Only data

that is not accepted or denied by a rule is available to the next rule in the list.

Accounting support

Each rule in an access list can be configured with an account name for billing

purposes. The CN3200 will send billing information based on the amount of

traffic matched by the rule.

This lets you create rules to track and bill traffic to particular destinations.

Tips on using the access list

With certificates

• If you replaced the default SSL certificate on the CN3200 with one signed by a

well-known CA, you should define the access list to permit access to the CA

certificate for all non-authenticated customers. This enables the customer’s

browser to verify that the certificate is valid without displaying any warning

messages.

• Customers may have configured their web browsers to check all SSL

certificates against the Certificate Revocation List (CRL) maintained by the CA

that issued the certificate. The location of the CRL may be configured in the

browser, or embedded in the certificate. The access list should be configured

to permit access to the CRL, otherwise the customer’s browser will time out

before displaying the login page.

Remote login page

If you are using the remote login page feature, make sure that access to the web

server hosting the page must is granted to all unauthenticated customers.

SMTP redirect

If an unauthenticated customer establishes a connection to their email server, the

SMTP redirect feature will not work once the customer logs in. The customer’s

email will still be sent to the original email server.

To avoid this, do not use an access list to open TCP port 25 for unauthenticated

customers.

DENY

NO MATCH

DENY NO MATCH ACCEPT

Rule 1

Rule 2

Rule 3

Incoming traffic

Chapter 16: Customizing CN3200 and customer settings 219

DRAFT

Defining and activating access lists

Access lists are defined by adding the following Colubris-AVPair value string to

the RADIUS profile for a CN3200.

access-list=value

Access lists are activated by adding the following Colubris-AVPair value string to

the RADIUS profile for a CN3200 or a customer.

use-access-list=value

You can define up to 32 access lists. Only one list can be active per profile.

The access list is applied before the white list.

Colubris-AVPair value string

access-list=

name,action,protocol,address,port,[account,[interval]]

use-access-list=usename

Where:

Parameter Description

name Specify a name (up to 32 characters long) to identify the access list

this rule applies to. If a list with this name does not exist, a new list

is created. If a list with this name exists, the rule is added to it.

usename Specify the name of an existing access list. This list is activated for

the current profile. Lists are checked in the order they are activated.

action Specify what action the rule takes when it matches incoming traffic.

Two options are available:

•ACCEPT - Allow traffic matching this rule.

•DENY - Reject traffic matching this rule.

protocol Specify the protocol to check: tcp, udp, icmp, all

address Specify one of the following:

• IP address or domain name (up to 107 characters in length)

• Subnet address. Include the network mask as follows:

address/subnet mask For example: 192.168.30.0/24

• Use the keyword all to match any address.

• Use the keyword none if the protocol does not take an address

range (ICMP for example).

port Specify a specific port to check or a port range as follows:

•none - Used with ICMP (since it has no ports).

•all - Check all ports.

•1-65535[:1-65535] - Specify a specific port or port range.

account Specify the name of the customer account the CN3200 will send

billing information to for this rule. Account names must be unique

and can be up to 32 characters in length.

interval Specify time between interim accounting updates. If you do not

enable this option, accounting information is only sent when a

customer connection is terminated. Range: 5-99999 seconds in 15

second increments.

Chapter 16: Customizing CN3200 and customer settings 220

DRAFT

Note: Spaces can be used instead of commas as separators.

Example

This topology shows wireless deployment for a fictitious university campus.

The RADIUS profile for the CN3200 contains:

access-list=everyone,ACCEPT,tcp,192.168.50.2,80

access-list=students,ACCEPT,tcp,192.168.50.1,80,students_reg,500

access-list=students,ACCEPT,all,192.168.40.0/24,all

access-list=students,DENY,all,192.168.20.0/24,all

access-list=students,DENY,all,192.168.30.0/24,all

access-list=students,ACCEPT,all,all.all,student_internet_use,5000

access-list=faculty,ACCEPT,tcp,192.168.50.1,80,faculty_reg,500

access-list=faculty,ACCEPT,all,192.168.30.0/24,all

access-list=faculty,DENY,all,192.168.20.0/24,all

access-list=faculty,DENY,all,192.168.40.0/24,all

access-list=faculty,ACCEPT,all,all.all,faculty_internet_use,5000

use-access-list=everyone

The RADIUS profile for the students contains:

use-access-list=students

The RADIUS profile for the faculty contains:

use-access-list=faculty

This definition creates three access lists: everyone, students, and faculty.

Everyone

This list applies to all users (students, teachers, guests), whether they are

authenticated or not. This is because the list is active on the CN3200, which is

accomplished with the entry:

use-access-list=everyone

It enables everyone to access the public web server.

Students

This list applies to authenticated students only. It is composed of the following

entries:

access-list=students,ACCEPT,tcp,192.168.50.1,80,students_reg,500

Enables web traffic to the registration web server. Accounting data is recorded in

the account students_reg.

access-list=students,ACCEPT,all,192.168.40.0/24,all

Enables traffic to reach the student segment.

access-list=students,DENY,all,192.168.20.0/24,all

access-list=students,DENY,all,192.168.30.0/24,all

These two entries deny access to the faculty subnet and the NOC.

access-list=students,ACCEPT,all,all.all,student_internet_use,5000

Enables all other traffic to reach the Internet (via routers on the backbone LAN

and the router in the NOC). If this last rule did not exist, this traffic would be

dropped.

Chapter 16: Customizing CN3200 and customer settings 221

DRAFT

Faculty

This list applies to authenticated faculty members only. It is composed of the

following entries:

access-list=faculty,ACCEPT,tcp,192.168.50.1,80,faculty_reg,500

Enables web traffic to the registration web server. Accounting data is recorded in

the account faculty_reg.

access-list=faculty,ACCEPT,all,192.168.30.0/24,all

Enables traffic to reach the faculty segment.

access-list=faculty,DENY,all,192.168.20.0/24,all

access-list=faculty,DENY,all,192.168.40.0/24,all

These two entries deny access to the student subnet and the NOC.

access-list=faculty,ACCEPT,all,all.all,faculty_internet_use,5000

Enables all other traffic to reach the Internet (via routers on the backbone LAN

and the router in the NOC). If this last rule did not exist, this traffic would be

dropped.

White list A white list enables you to specify the set of network resources that an

unauthenticated customer has access to. You can define a specific white list for

each CN3200. These definitions are automatically implemented by the CN3200

by adding the appropriate rules to the firewall.

Note: The white list has been superseded by the access list feature. However,

the white list remains supported for backwards compatibility.

Colubris-AVPair value string

white-list=protocol,address,[port]

Where:

Note: Spaces can be used instead of commas as separators.

The white list applies to the CN3200 itself, and all client stations connected to it.

This means that if you are using customized URLs for the public access interface,

the URLs for the Login Error and Goodbye pages must specify hosts that are

included in the white list.

You can specify up to 128 Colubris-AVPair values containing white list definitions.

Parameter Description

protocol Specify the protocol to allow traffic on: tcp, udp, icmp, all.

address Specify the IP address or domain name of a host, or the IP

address of a subnet. Use the keyword all to match any

address. When specifying an IP subnet you must include the

network mask in the following format:

address/subnet mask

port1 Specify the specific port to allow traffic on, or a range. Not valid if

the all option is used for protocol. Use the following syntax to

specify a range:

1-65535[:1-65535]

A range must be suppled for tcp or udp. A single port must be

specified for icmp.

Chapter 16: Customizing CN3200 and customer settings 222

DRAFT

Examples

white-list=all,192.168.1.10

white-list=tcp,adm.colubris.com,80:90

white-list=udp,192.168.1.0/255.255.255.0,8090:8090

white-list=tcp,192.168.1.0/24,443

Custom SSL

certificate

The CN3200 can retrieve a custom SLL security certificate to replace the

Colubris Networks certificate that is included by default. For more information on

certificates, see Chapter 14.

Colubris-AVPair value string

ssl-certificate=URL [%s] [%n]

Where:

By using the following placeholder, you can customize the URL for each CN3200.

This is useful when you need to update multiple units.

The certificate is encoded using PKCS#12 format, and will contain:

• the private key of the web server

• the certificate of the web server

The file is locked using a password.

Example

ssl-certificate=http://www.colubris.com/%s_certificate

Configuration file The CN3200 can retrieve and load a new configuration file automatically, based

on an URL you specify.

Colubris-AVPair value string

configuration-file=URL [%s] [%n]

Where:

By using the following placeholder, you can customize the URL for each CN3200.

This is useful when you need to update multiple units.

Example

configuration-file=http://www.colubris.com/%s_configfile

Parameter Description

URL Specify the URL that points to the new certificate.

Placeholder Description

%s The login name assigned to the CN3200.

%n The NAS ID assigned to the CN3200.

Parameter Description

URL Specify the URL that points to the new configuration file.

Placeholder Description

%s The login name assigned to the CN3200.

%n The NAS ID assigned to the CN3200.

Chapter 16: Customizing CN3200 and customer settings 223

DRAFT

MAC authentication The CN3200 can authenticate devices based on their MAC address. This is

useful for authenticating devices that do not have a web browser (cash registers,

for example). It can also be used to authenticate the CN300.

To make use of this feature you need to define a RADIUS user account for each

device as follows:

• username: Set this to the username you specified in the mac-address value

string. If no username is specified, set the account name to the MAC address

of the device. Use dashes to separate characters in the address. For example:

00-20-E0-6B-4B-44.

• password: Set this to the password you specified in the mac-address value

string. If no password is specified, set this to the same password that is used

for the user account you defined for the CN3200 on the Security >

Authentication page.

Important: The username and password are not encrypted for transmission so it

is important that the link with the RADIUS server is secure.

Colubris-AVPair value string

mac-address=address[,username[,password]]

Where:

Example

Consider the scenario where several CN300s are installed with a CN3200. If the

CN300s are going to perform firmware upgrades from a remote web or FTP

server, they will need to log in to the public access network. By using MAC-based

authentication, this can easily be accomplished. (This also requires that the

access list on the CN3200 permits access to the web or FTP server.)

Default user idle

timeout

Use this to set the default idle timeout for all customers whose RADIUS profile

does not contain a value for the RADIUS attribute idle-timeout.

Colubris-AVPair value string

default-user-idle-timeout=seconds

Where:

Parameter Description

address Specify the MAC address of the device to authenticate. Use

dashes to separate characters in the address. Do not use

colons (:). For example: 00-20-E0-6B-4B-44.

username Specify the username to associate with this MAC address.

Maximum 253 alphanumeric characters. The username field

cannot contain a comma.

password Specify the password to associate with this MAC address.

Maximum 253 alphanumeric characters. The password field

cannot contain a comma.

Parameter Description

seconds Specify the maximum amount of time a customer session

can be idle. Once this time expires, the session is

automatically terminated. A value of 0 means no timeout.

Chapter 16: Customizing CN3200 and customer settings 224

DRAFT

Default user

session timeout

Use this to set the default session timeout for all customers whose RADIUS

profile does not contain a value for the RADIUS attribute session-timeout.

Colubris-AVPair value string

default-user-session-timeout=seconds

Where:

Default SMTP

server

Use this to set the default SMTP server address for all customer sessions. This

address is used if a specific server is not set for a particular customer. See page

228 for details.

Colubris-AVPair value string

default-user-smtp-redirect=hostname:port

Where:

Parameter Description

seconds Specify the maximum amount of time a customer session

can be connected. Once this time expires, the session is

automatically terminated. A value of 0 means no timeout.

Parameter Description

hostname Specify the the IP address or domain name of the e-mail

server. Maximum length is 253 characters.

port Specify the the on the e-mail server to relay to. Range: 1 to

65535.

Chapter 16: Customizing CN3200 and customer settings 225

DRAFT

Creating customer profiles on the RADIUS server

You must create at least one RADIUS customer profile. Multiple customer

accounts can be associated with a single RADIUS profile.

Supported RADIUS

attributes

This section presents all RADIUS and Colubris attributes that are supported by

for a CN3200 profile.

Note: In the following definitions, strings are defined as 1 to 253 characters in

length.

Access request

• Acct-Session-Id (32-bit unsigned integer): Random value generated by the

CN3200.

• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the

profile being used.

• NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the

CN3200 is using to communicate with the RADIUS server.

• NAS-Port (32-bit unsigned integer): A virtual port number starting at 1.

Assigned by the CN3200.

• NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents

WIRELESS_802_11.

• Calling-Station-Id (string): The MAC address of the CN3200’s LAN port in IEEE

format. For example: 00-02-03-5E-32-1A.

• State (string): As defined in RFC 2865.

• Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496. The value is

always four bytes lower than the wireless MTU maximum which is 1500 bytes

in order to support IEEE802dot1x authentication.

• Connect-Info (string): The string "HTTPS".

• Service-Type (32-bit unsigned integer): As defined in the config.cfg file. Token

name = service-type-user.

• Message-Authenticator (string): As defined in RFC 2869. Always present even

when not doing an EAP authentication. length = 16 bytes.

• User-Name (string): The username assigned to the customer or a device when

using MAC authentication.

• User-Password (string): The password supplied by a customer or device when

logging in. Encoded as defined in RFC 2865. Only present when the

authentication method for the RADIUS profile is set to PAP.

• CHAP-Password (string): The password assigned to the CN3200 on the

Security > Authentication page. Encoded as defined in RFC 2865. Only

present when the authentication method for the RADIUS profile is set to CHAP.

• CHAP-Challenge (string): Randomly generated by the product. As defined in

RFC 2865. Only present when the authentication method for the RADIUS

profile is set to CHAP. Length = 19 bytes.

• MSCHAP-Challenge (string): As defined in RFC 2433. Only present when the

authentication method for the RADIUS profile is set to MSCHAPv1 or

MSCHAPv2. Length = 8 bytes.

• MSCHAP-Response (string): As defined in RFC 2433. Only present when the

authentication method for the RADIUS profile is set to MSCHAPv1. Length =

49 bytes.

Chapter 16: Customizing CN3200 and customer settings 226

DRAFT

• MSCHAPv2-Response (string): As defined in RFC 2759. Only present when

the authentication method for the RADIUS profile is set to MSCHAPv2. Length

= 49 bytes.

• EAP-Message (string): As defined in RFC 2869. Only present when the

authentication method for the RADIUS profile is set to EAP-MD5.

• Colubris-AVPair: See the description in the section that follows.

Access accept

• Acct-Interim-Interval (32-bit unsigned integer): When present, it enables the

transmission of RADIUS accounting requests of the Interim Update type.

Specify the number of seconds between each transmission.

• Session-Timeout (32-bit unsigned integer): Maximum time a session can be

active. The CN3200 re-authenticates itself when this timer expires. Omitting

this attribute or specifying 0 will disable the feature. (Note that the

authentication interval is also configurable on the Security > Authentication

page.

• Idle-Timeout (32-bit unsigned integer): Maximum idle time in seconds allowed

for the customer. Once reached, the customer session is terminated with

termination-cause IDLE-TIMEOUT. Omitting the attribute or specifying 0

disables the feature.

• Class (string): As defined in RFC 2865.

• EAP-Message (string): Only supported when authentication is EAP-MD5. Note

that the content will not be read as the RADIUS Access Accept is overriding

whatever indication contained inside this packet.

• MS-MPPE-Recv-Key: As defined by RFC 3078.

• MS-MPPE-Send-Key: As defined by RFC 3078.

• Tunnel-type: Only used when assigning a specific VLAN number to a

customer. In this case it must be set to "VLAN".

• Tunnel-medium-type = Only used when assigning a specific VLAN number to a

customer. In this case it must be set to "802".

• Tunnel-private-group = Only used when assigning a specific VLAN number to a

customer. In this case it must be set to the VLAN number.

Access reject

• MSCHAP-Error (string): A MSCHAP specific error as defined by RFC 2433.

• Reply-Message (string): This string (as defined in RFC 2865) is recorded and

passed as is to the GetReplyMessage() asp function. Only a single instance is

supported.

• EAP-Message (string): Only supported when authentication is EAP-MD5 or

with IEEE802dot1x. Note that the content will not be read as the RADIUS

Access Reject is overriding whatever indication contained inside this packet.

As defined in RFC 2869.

• Colubris-Intercept: See the description in the section that follows.

• Colubris-AVPair: See the description in the section that follows.

Access challenge

• EAP-Message (string): One or more occurrences of this attribute is supported

inside the same packet. All occurrence are concatenate and transmitted to the

IEEE802dot1x client as is. As defined in RFC 2869.

• State (string): As defined in RFC 2865.

Chapter 16: Customizing CN3200 and customer settings 227

DRAFT

Accounting request

Accounting information is generated by default. To disable accounting support,

open the Security > Authentication page.

• Acct-Session-Id (32-bit unsigned integer): Random value generated by the

CN3200.

• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the

profile being used.

• NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the

CN3200 is using to communicate with the RADIUS server.

• NAS-Port (32-bit unsigned integer): A virtual port number starting at 1.

Assigned by the CN3200.

• NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents

WIRELESS_802_11.

• Calling-Station-Id (string): The MAC address of the CN3200’s LAN port in IEEE

format. For example: 00-02-03-5E-32-1A.

• The MAC address of the wireless port the customer is associated with.Class

(string): As defined in RFC 2865.

• User-Name (string): The username assigned to the customer or to a device

when using MAC authentication.

• Framed-IP-Address (32-bit unsigned integer): IP Address of the customer’s

station.

• Acct-Status-Type (32-bit unsigned integer): Supported value are Start (1),

Interim Update (3), and Stop (2).

• Acct-Event-Timestamp (32-bit unsigned integer): As defined in RFC 2869.

• Acct-Delay-Time (32-bit unsigned integer): As defined in RFC 2865.

• Acct-Authentic (32-bit unsigned integer): Always set to 1 which means

RADIUS.

• Acct-Session-Time (32-bit unsigned integer): Number of seconds this session

since this session was authenticated. Only present when Acct-Status-Type is

Interim-Update or Stop.

• Acct-Input-Octets (32-bit unsigned integer): Low 32-bit value of the number of

octets/bytes received by the customer. Only present when Acct-Status-Type is

Interim-Update or Stop.

• Acct-Input-Gigawords (32-bit unsigned integer): High 32-bit value of the

number of octets/bytes received by the customer. Only present when Acct-

Status-Type is Interim-Update or Stop.

• Acct-Input-Octets (32-bit unsigned integer): Number of packets received by the

customer. Only present when Acct-Status-Type is Interim-Update or Stop.

• Acct-Output-Octets (32-bit unsigned integer): Low 32-bit value of the number of

octets/bytes sent by the customer. Only present when Acct-Status-Type is

Interim-Update or Stop.

• Acct-Output-Gigawords (32-bit unsigned integer): High 32-bit value of the

number of octets/bytes sent by the customer. Only present when Acct-Status-

Type is Interim-Update or Stop. As defined in 2869.

• Acct-Output-Octets (32-bit unsigned integer): Number of packets sent by the

customer. Only present when Acct-Status-Type is Interim-Update or Stop.

• Acct-Terminate-Cause (32-bit unsigned integer): Termination cause for the

session See RFC 2866 for possible values. Only present when Acct-Status-

Type is Stop.

Chapter 16: Customizing CN3200 and customer settings 228

DRAFT

Accounting response

None.

Colubris-AVPair

attribute

For each customer profile you can specify one or more instances of a Colubris-

AVPair attribute that will be sent when requesting authentication (RADIUS

Requrest) or returned upon successful authentication (RADIUS Accept).

Possible values for all instance are grouped into the following categories:

Colubris-Intercept

attribute

For each customer profile, you can specify the Colubris-Intercept attribute to

redirect traffic from this customer into a GRE tunnel.

Attribute value

• 0: Do not intercept customer traffic.

• 1: Intercept customer traffic and redirect into GRE tunnel.

Setting up an intercept

1. Open the Network > GRE page and define a tunnel to carry th e intercepted

traffic.

2. Open the Wireless > WLAN profiles page and click the appropiate WLAN

profile.

3. Enable the Intercepted user traffic option in the Traffic Tunneling (GRE)

box, and set it to the GRE tunnel you just defined.

SMTP redirection The CN3200 is able to provide SMTP email service on a per-customer basis.

This enables customers to send e-mail while on the road without the restrictions

imposed by most ISPs regarding the source address of outgoing mail. It works by

intercepting the call to a customer’s e-mail server and redirecting it to an SMTP

server that you configure.

Feature Description RADIUS packet

SMTP redirection Activates support for the CN3200 e-

mail redirection feature.

Access accept

URLs for custom

HTML pages

Enables you to customize the public

access interface for a particular

customer. See Chapter 15 for details.

Access accept

Access list Activates support for an access list Access accept

One-to-one NAT Activates support for one-to-one NAT

(See page 90 for details).

Access accept

Quotas Enables upload and download limits

to be set individually for each

customer.

Access accept

Group name Sends the group name of the wireless

access point the customer is

associated with.

Access request

SSID Sends the SSID of the wireless

access point the customer is

associated with.

Access request

Chapter 16: Customizing CN3200 and customer settings 229

DRAFT

Important: For mail redirection to work, the customer's email server name must

be publicly known. If the e-mail server name cannot be resolved, mail redirection

will fail.

Important: If an unauthenticated customer establishes a connection to their

email server, the SMTP redirect feature will not work once the customer logs in.

The customer’s email will still be sent to the original email server. To avoid this,

do not use an access list to open TCP port 25 for unauthenticated customers.

Colubris-AVPair value string

smtp-redirect=address

Where:

Example

smtp-redirect=smtp.colubris.com

Access list An access list is a set of rules that govern how the CN3200 controls customer

access to network resources. Access lists are defined in the profile for the

CN3200 (see page 216) and are activated in the customer profiles as needed.

Only one access list can be activated per profile. Access lists are applied before

any white lists.

Colubris-AVPair value string

use-access-list=usename

Where:

One-to-one NAT Add this attribute if the customer requires a unique IP address when NAT is

enabled on the CN3200. For more information see “One-to-one NAT” on

page 90.

Colubris-AVPair value string

one-to-one-nat=value

Where:

Quotas These attributes let you define upload and download limits for each customer.

Limits can be defined in terms of packets or octets (bytes).

Parameter Description

address Specify the IP address or domain name of the e-mail server

which will be used to send outgoing redirected mail.

Parameter Description

usename Specify the name of an existing access list. This list is

activated for the current profile. Lists are checked in the order

they are activated.

Parameter Description

value Set this to 1 to activate one-to-one NAT support.

Chapter 16: Customizing CN3200 and customer settings 230

DRAFT

Colubris-AVPair value string

max-input-packets=value

max-output-packets=value

max-input-octets=value

max-output-octets=value

Where:

When a customer session is terminated based on a quota, a new non-standard

termination cause is used. The value for this termination cause is 0x8744. You

can customize this by modifying the value of "quota-exceeded-cause" in the

"IPRULESMGR" section of the configuration file. See Chapter 16 for instructions

on how to do this.

The text value of for the termination cause is defined in the message.txt file under

the token "stat-quota-exceeded". The default value for this token is "Logged out.

(Quota Exceeded.)". This value can be displayed with the ASP function

GetAuthenticationErrorMessage(). See page 184 for details.

Displaying quota information

A series of ASP functions are available that enable you to display quota

information on the session page. For details, see “Session quotas” on page 188.

Group name This feature only applies when location-aware authenticaiton is being used

(Security > Authentication > Advanced).

Add this attribute to have the CN3200 send the group name of the access point

the customer is associated with in the Access request packet.

Colubris-AVPair value string

group=value

Where:

SSID Add this attribute to have the CN3200 send the SSID of the access point the

customer is associated with in the Access request packet.

Colubris-AVPair value string

ssid=value

Where:

Parameter Description

value For packets: 32-bit unsigned integer value.

For octets: 64-bit unsigned integer value.

Parameter Description

value Name of the access point the customer is associated with.

Parameter Description

value SSID of the access point the customer is associated with.

Chapter 16: Customizing CN3200 and customer settings 231

DRAFT

VLAN support Set the following standard RADIUS attributes to assign VLAN numbers on a per-

customer basis.

Note: The CN3200 does not directly support VLANs. VLAN support is available

when usingg CN300s as satellites stations only.

RADIUS attributes

tunnel-type=VLAN

tunnel-medium-type=802

tunnel-type=value

Where:

Parameter Description

value VLAN number to assign.

Chapter 16: Customizing CN3200 and customer settings 232

DRAFT

Creating administrator profiles on the RADIUS server

If you want to support multiple administrator names and passwords, you must

use a RADIUS server to manage them. The CN3200 only supports a single

admin name and password internally.

Important: Improper configuration of the administrator profile could expose the

CN3200 to access by any customer with a valid account. The only thing that

distinguishes an administrative account from that of a standard customer account

is the setting of the service type. Make sure that a customer is not granted

access if service type is not Administrative,

This is the reason why it may be prudent to use RADIUS Server 2 to handle

administrator logins. This practice reduces the risk of a bad configuration on the

RADIUS server side creating a security hole.

Supported RADIUS

attributes

Admin Access Request

• User-Name (string): The username assigned to the customer or a device when

using MAC authentication.

• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the

profile being used.

• Service-Type (32-bit unsigned integer): As defined in RFC 2865. Set to a value

of 6, which indicates SERVICE_TYPE_ADMINISTRATIVE.

• Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496. The value is

always four bytes lower than the wireless MTU maximum which is 1500 bytes

in order to support IEEE802dot1x authentication.

• MSCHAP-Challenge (string): As defined in RFC 2433. Only present when the

authentication scheme on the Security > RADIUS page is set to MSCHAPv1

or MSCHAPv2. Length = 8 bytes.

• MSCHAP-Response (string): As defined in RFC 2433. Only present when the

authentication scheme on the Security > RADIUS page is set to MSCHAPv1.

Length = 49 bytes.

Admin Access Accept

• None supported.

Admin Access Reject

• None supported

Admin Access Challenge

• None supported

Admin Accounting Request

• Not supported

Admin Accounting Response

• Not supported

Chapter 17: Sample setup - Backend software 233

DRAFT

Chapter 17: Sample setup - Backend software

Chapter 17

Sample setup - Backend software

This chapter provides step-by-step instructions for installing and

configuring the necessary backend software to support a public access

hotspot. You can use this setup as a platform to experiment with the

CN3200 feature set.

IMPORTANT: Before reading this chapter you should familiarize

yourself with the concepts discussed in Chapter 15 and Chapter 16.

Chapter 17: Sample setup - Backend software 234

DRAFT

Overview

This sample will be constructed using the following components:

• a fully-functional evaluation version of Funk Steel Belted Radius Server

• an SSL-capable version of the Apache open source web server

• a win32 version of PHP

• a win32 version of MySQL open source database software

• various HTML pages, scripts, RADIUS profiles designed to illustrate how to

exploit the information provided by a CN3200 in a backend system, including

creation of SSL certificates,

• a set of PHP scripts for easy administration of the database

CAUTION The installation described in this chapter should not be used in a live setup

without making the appropriate changes to guarantee the security of the web

server and other components. If you do not know how to do this yourself, you

should contact a security expert for assistance. It is beyond the scope of this

document to address these security issues.

Important: Apache 1.2.x should never be used in a production environment on a

Windows server.

IN NO EVENT SHALL COLUBRIS NETWORKS INC. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR

CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF COLUBRIS

NETWORKS INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. COLUBRIS NETWORKS INC. SPECIFICALLY

DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND

FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS FOR NON-

PRODUCTION USE ONLY, AND COLUBRIS NETWORKS INC. HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT,

UPDATES, ENHANCEMENTS, OR MODIFICATIONS.

Prerequisites Software

• Windows 2000 Professional, Server, or Advanced Server (with Service Pack

3), and all recommended updates

• Steel Belted Radius v 4.0 from Funk Software (evaluation version)

•PHP

•MySQL

• phpMyAdmin

• The Colubris Backend archive.

See “Retrieve software” on page 237 for information on obtaining this software.

Hardware

• a network hub

• a second network hub or a cross-over cable

• a computer capable of running Windows 2000 Professional, Server, or

Advanced Server, connected to the hub

• optionally, you can add a second computer capable of running a web server

• a CN3200

• a second computer with a JavaScript-enabled web browse

Skills

• Familiarity with the installation and operation of TCP/IP-based networks.

• Basic knowledge of Windows 2000, including how to use a Windows

command-line session.

Chapter 17: Sample setup - Backend software 235

DRAFT

Equipment setup

This section illustrates the hardware setup that was used to create the sample

backend configuration described in this chapter. If you duplicate this setup, you

will not have to change any of the IP addresses supplied in the example.

Topology The goal of this setup is to simulate a working environment with the least amount

of equipment. To this end, the ‘public network’ is considered to be any device

connected to the LAN port on the CN3200. The ‘protected network resources’

are connected to the Internet port on the CN3200. In this example, both Server 1

and Server 2 are on the protected network. Server 1 is used to host a remote

server.

See “Wiring details” on page 358 for information on how to build an x-over cable.

To test the setup when installation and configuration is complete, you will use the

client station to browse the web server installed on Server 2. The CN3200 will

intercept the request and redirect the web browser to the public access login

page. After you log in, the CN3200 will display the welcome page. This page will

contain the URL of the originally requested web server (Server 2). You can then

click the URL to reach Server 2.

Chapter 17: Sample setup - Backend software 236

DRAFT

About the

components

Server 1

Server 1 hosts the remote login page and RADIUS server. The following software

is installed on it:

• Funk Steel Belted Radius Server

• Apache web server with SSL support (OpenSA package)

• PHP server-side scripting language

• MySQL database

• Colubris Backend archive which contains configuration files for RADIUS and

MySQL as well as new pages for public access interface

Server 2

Server 2 is can be used to test the setup once it is complete. You should install a

web server on this computer. This example uses IIS running on Windows 2000

professional.

If you are only using one server, then Server 1 already has a web server running

on it.

Client station

The client station is required to test the setup once it is complete. It requires a

web browser. The DHCP server on the CN3200 will assign an IP address to this

computer.

Chapter 17: Sample setup - Backend software 237

DRAFT

Step 1: Retrieve software

Server 1 Create temporary directory on Server 1. For this example, use the directory

c:\opensource.

Download the following software into this directory.

• Funk Steel Belted Radius Server v4.04 (funk.com)

Evaluation version (not open source)

• OpenSA v1.0.4

http://www.opensa.org/files/1.0.4/opensa_1.0.4bin.exe

Contains Apache web server and SSL support

• PHP v4.3.2

http://www.php.net/downloads.php

Filename is php-4.3.2-Win32.zip

• phpMyAdmin v.2.5.2-pl1

http://sourceforge.net/projects/phpmyadmin/

Filename is phpMyAdmin-2.5.2-pl1-php.zip

If this version is not available, then you may be able to find it here:

http://museum.php.net/win32

• MySQL v3.23.49 or higher (www.mysql.com)

• MySQL Connector/ODBC v3.51.06

http://www.mysql.com

• Colubris Backend archive (backend.zip). This file is available on the CD or on

the Colubris web site in the Support section.

Server 2 No software other than Windows 2000 Professional, Server, or Advanced Server

(with Service Pack 3) is required.

Chapter 17: Sample setup - Backend software 238

DRAFT

Step 2: Install configure software on Server 1

Windows 2000 1. Install Windows 2000 Professional, Server, or Advanced Server and then

install Service Pack 3. Make sure you also install all the latest updates.

2. Disable the IAS and IIS services on Windows 2000 Server, or Advanced

Server. This is required so that they do not conflict with Steel-Belted Radius

and Apache.

3. Connect Server 1 to the hub and assign a static IP address to it. For this

example, use the address 192.168.2.99.

4. Shut down and restart Server 1.

Colubris backend

archive

1. Extract the contents of backend.zip into a working directory. For this

example, use the directory c:\colubris.

2. If the address of Server 1is not 192.168.2.99, then:

•Edit c:\colubris\radius\example.rif, and replace all instances of the

address 192.168.2.99 with the IP address (or domain name) of Server 1.

•Edit c:\colubris\web\demo-php\login.php, and replace all instances of

the address 192.168.2.99 with the IP address (or domain name) of Server

•Edit c:\colubris\web\demo-php\noc\noc.asp, and replace all instances of

the address 192.168.2.99 with the IP address (or domain name) of Server

•Edit c:\colubris\web\demo-php\upload\login.html, and replace all

instances of the address 192.168.2.99 with the IP address (or domain

name) of Server 1.

Note: In a production setup you should use the domain name to identify Server 1

to avoid getting security warnings from web browsers due to X.509 certificate

inconsistencies.

Steel-Belted Radius 1. Retrieve Funk Steel Belted Radius Server v4.04 Evaluation version, from

funk.com.

2. Run the executable installation file and accept all default installation settings.

When prompted, select the 30 day trial.

Important

If you encounter the following error message when trying to start the Steel-Belted

Radius NT Service:

Services: Error 1068: The dependency service or group failed to

start.

Refer to Tech Note RD230 on the Funk web site for a solution.

http://notesnt.funk.com/TechNotenewweb.nsf/0/

6aa7095c3c6b0e4f85256aca0003b458?OpenDocument

Chapter 17: Sample setup - Backend software 239

DRAFT

Apache 1. Run c:\opensource\opensa_1.0.4bin.exe and accept all default installation

settings.

2. After installation is complete, open a Windows command-line session.

3. Run c:\opensa\apache\apache.exe. This starts the web server.

4. Launch your web browser and point it to: http://localhost

The following page should open:

5. Close the command-line session. This stops the Apache server.

6. Launch a new command-line session.

7. Run c:\opensa\apache\apache.exe –D SSL. This starts Apache in secure

mode.

Chapter 17: Sample setup - Backend software 240

DRAFT

8. Point your web browser to: https://localhost

The following message box should open:

This message is displayed because:

• the default SSL certificate that comes with the OpenSA version of Apache

does not match the DNS name present in the certificate

and

• the default SSL certificate has not been signed by a certificate authority

known to your web browser.

Later in this example, instructions are provided for eliminating this message.

9. Click Yes. The OpenSA test page will open again. This time in an HTTPS

session.

10. Close the command-line session Apache is running in.

Sample pages Sample pages are provided to enable you to modify the public access interface

as described in Chapter 15: Customizing the public access interface. Install these

sample pages as follows:

1. Copy the directory c:\colubris\web\demo-php to the directory

c:\opensa\apache\htdocs

Chapter 17: Sample setup - Backend software 241

DRAFT

PHP 4.2.3 1. Extract php-4.x.x-Win32.zip into c:\

2. Rename c:\php-4.x.x to c:\php.

3. Copy the following files as indicated. If you are prompted to replace the files,

do so.

MySQL 1. Extract mysql-4.0.14b-win.zip into a temporary directory, and then run

setup.exe. Accept all default installation options.

2. Double click MyODBC-3.51.06.exe. Accept all default installation options.

At the end of the installation procedure, MySQL will be installed in c:\mysql.

Configure the OBDC

data source

The OBDC database acts as the repository for all the parameters for each user

account. The Steel-Belted Radius server retrieves account information from the

database and uses the database to maintain accounting and usage information

for each user.

1. Open a command-line session.

2. Run odbcad32.exe.

The following window opens:

File Source Target

php.ini c:\colubris\php\ %SystemRoot%

This is typically \WINNT. You can

check the actual location using

the following command in a

command-line session: echo

%systemroot%.

phpinfo.php c:\colubris\php\ c:\OpenSA\Apache\htdocs

php4ts.dll c:\Php c:\OpenSA\Apache\

httpd.conf c:\colubris\Apache c:\OpenSa\Apache\conf\

Chapter 17: Sample setup - Backend software 242

DRAFT

3. Click the System DSN tab.

4. Click Add.

5. Select MySQL ODBC 3.51 Driver, then click Finish.

Chapter 17: Sample setup - Backend software 243

DRAFT

6. Fill in the appropriate fields in the Driver configuration window as follows:

• Data Source Name: Name of the datasource. For this example, it must be

set to Radius.

• Host / Server Name (or IP): Location of the datasource. For this example, it

must be set to localhost.

• Database name: Name of the database. For this example, it must be set to

radius.

7. Click OK.

8. Click OK.

phpMyAdmin 1. Extract phpMyAdmin-2.5.2-pl1-php.zip into the

directory: c :\OpenSA\Apache\htdocs.

2. Rename:\OpenSA\Apache\htdocs\phpMyAdmin-2.5.2-pl1 to

phpMyAdmin.

Setting the path To adjust the path, do the following:

1. Right-click My Computer on the desktop.

2. Click Properties.

3. Click Advanced.

4. Click Environment Variables.

5. In the System variables window, click the Path entry, and then click Edit.

6. Make sure that the Variable value field terminates as follows:

;c:\Php;c:\Php\dlls;C:\OpenSA\Apache;C:\OpenSA\OpenSSL\bin;c:\M

ySQL\bin

Important: The order of the entries in this field must be as illustrated above, and no duplicate

entries must exist.

7. Click OK, OK, OK.

Chapter 17: Sample setup - Backend software 244

DRAFT

Start mysql 1. Run c:\mysql\bin\winmysqladmin.exe

2. When prompted to enter a username and password click Cancel.

3. Shut down and restart Server 1.

Test PHP 1. Open a command-line session.

2. Run c:\opensa\apache\apache.exe -D SSL.

3. Point your web browser to http://localhost/phpinfo.php. The following page

opens:

4. Close the command-line session Apache is running in.

Create the sample

RADIUS database

A batch file is provided that will automatically create the database entries needed

for this example. This saves you the trouble of making these entries manually.

1. Start a windows command-line session.

2. Change to the directory: c:\colubris\mysql\

3. Run the batch file: createdb.cmd

For example:

mysqladmin: DROP DATABASE radius failed;

error: 'Can't drop database 'radius'. Database doesn't exist'

Database "radius" created

Displaying users present in database

u_username u_user_type

hotspot 1

user 2

admin 4

www.noc-cn3000.com 1

Note: It is normal to see the following error when the createdb.cmd is run the first

time: DROP DATABASE radius failed

Chapter 17: Sample setup - Backend software 245

DRAFT

Step 3: Configure Steel-Belted Radius on Server 1

Modify the default

configuration files

The backend.zip file contains modified configuration settings for the Steel-Belted

Radius server to make it work in this example.

1. Open a command-line session.

2. Execute the command: net stop “Steel-Belted Radius”

This stops the Steel-Belted Radius server. (It was automatically started after

installation.)

3. Copy the following files from c:\colubris\radius\ to c:\radius\service\.

• Sqlacct.acc

• Sqlacct2.acc

• Sqlauth.aut

If you are prompted to replace the files, do so.

4. If you are using an older version of Steel-Belted Radius, you should also copy

the files in c:\colubris\radius\older_version\ to c:\radius\service\.

Start and connect to

the server

1. Open a command-line session.

2. Execute the command: net start “Steel-Belted Radius”

3. On the Start menu, click Steel-Belted Radius, then click Steel-Belted

Radius Administrator. The following window opens.

Chapter 17: Sample setup - Backend software 246

DRAFT

4. Click Connect. This connects you to the Steel-Belted Radius server.

If you see any error messages in the Status window, you must resolve them

before continuing. For example:

One common error is to forget to terminate the IAS and IIS services and then

reboot. These services will continue to interfere with the Steel-Belted Radius

server until you reboot.

Define a RAS client

for the CN3200

Any device that uses the services of a RADIUS server to perform authentication

tasks is called a RADIUS client, and must have its own RAS Client settings.

To complete this section you need to know the IP address assigned to the

Internet port on the CN3200. For this example, use the address 192.168.2.1.

1. Select RAS Clients.

2. Click Add.

Chapter 17: Sample setup - Backend software 247

DRAFT

3. Choose a name for the CN3200. For this example, use the name COLUBRIS.

This is a nickname that is used by Steel-Belted Radius to identify the client

and is not configured on the CN3200.

4. Click OK.

5. Specify the address of the CN3200’s Internet port. For this example, specify

192.168.2.1.

6. Set Make/model to Colubris Wireless LAN Routers.

7. Click Edit authentication shared secret.

8. Specify a carefully chosen shared secret. In a production environment you

should use a combination of at least eight uppercase/lowercase letters as

well as digits. For simplicity, this example uses the shared secret: secret.

9. Click Set.

10. Click Save.

Chapter 17: Sample setup - Backend software 248

DRAFT

Create RADIUS

profiles

RADIUS profiles must be created for each user group that will be authenticated

on the public access interface. Rather than enter this information manually, you

can import it from the .rif (Radius Interchange Format) files that are included in

the archive.

This will create four profiles:

DEMO-DEVICES

This is the profile used by the CN3200.

• login name: hotspot

• password: hotspot

DEMO-USERS

Profile used by customers of the public access network.

• login name: user

• password: user

DEMO-ADMIN

Profile used by administrators who want to login to the management tool on the

CN3200.

• login name: admin

• password: admin

DEMO-NOC-DEVICES

This is the profile used by the CN3200 when configured for NOC authentication.

• login name: www.noc-cn3000.com

• password: www.noc-cn3000.com

1. On the File menu, click Import.

2. Select the file example.rif in c:\colubris\radius\.

3. Click the Profiles tab, click Select All, then click OK.

This returns you to the main screen. Leave this window open and proceed to

the next section.

Chapter 17: Sample setup - Backend software 249

DRAFT

Update the Steel-

Belted Radius

configuration

1. Return to the Steel-Belted Radius Configurator window.

2. Click Servers.

3. Click Disconnect.

4. Open a command-line session and execute the command:

net stop “Steel-Belted Radius”

net start “Steel-Belted Radius”

5. Return to the Steel-Belted Radius Configurator window.

6. Click Connect.

7. Click Configuration

8. In the Authentication methods box, select SQL and click Activate (if it is

not already active). Deactivate all other authentication methods.

9. Click Save.

Chapter 17: Sample setup - Backend software 250

DRAFT

Step 4: Install web server certificates on Server 1

Certificates enable client station to validate the identity of a web server. Refer to

Chapter 14: SSL certificates for complete discussion of certificates and examples

on how to create them. You can use the sample provided with this demo in

c:\colubris\certificates or create your own. Once you have created your

certificates install them as explained in this section.

Install the public

key certificate

The web server public key certificate will be contained in a password-protected

file. To avoid entering the password every time you start the server, you should

decrypt the certificate before installing it.

1. Open a command-line session.

2. Go to the directory c:\colubris\certificates.

3. Run the command: decryptkey certificate > server.key

Replace certificate with the name of the certificate file. If you are using the

sample provided, the PEM pass phrase is: www.company.com. For example:

C:\colubris\certificates>decryptkey www.company.com >

server.key

read RSA key

Enter PEM pass phrase:

writing RSA key

The unencrypted certificate is written to server.key.

4. Copy server.key to c:\OpenSA\Apache\conf\ssl.key\. Overwrite an existing

file if prompted.

Install the private

key certificate

The web server public key certificate will be contained in a .pem file.

1. Open a command-line session.

2. Copy the certificate file (.pem) to the file server.crt. For example:

c:\colubris\certificates>copy www.company.com.pem server.crt

3. Copy server.crt to c:\OpenSA\Apache\conf\ssl.crt\. Overwrite an existing

file if prompted.

Verify the

certificates

1. Launch a command-line session.

2. Edit the file c:\WINNT\system32\drivers\etc\hosts file and add the following

line:

192.168.2.99 www.company.com

If you generated your own certificate replace www.company.com with the

name you specified in your certificate.

Chapter 17: Sample setup - Backend software 251

DRAFT

3. Go to the directory: c:\OpenSA\Apache

4. Stop the web server with the command: apache -k stop.

5. Restart the web server in SSL mode with the command: apache.exe –D

SSL

6. Close all active web browsers.

7. Open a new browser window and point it to: https://www.company.com

Depending on how you obtained the key, you may see the following message

box:

Chapter 17: Sample setup - Backend software 252

DRAFT

8. Click View Certificate. You should see the details of the certificate you just

installed. For example:

Chapter 17: Sample setup - Backend software 253

DRAFT

Step 5: Install and configure the CN3200

Follow the directions in Chapter 4: Installation then continue with the instructions

in this section.

Start Apache Make sure that the Apache web server is running. If not, then:

1. Launch a new command-line session.

2. Run c:\opensa\apache\apache.exe –D SSL. This starts Apache in secure

mode.

Assign a static

address

Perform the following steps using the CN3200 Management tool.

1. On the Network menu, click Ports.

2. Click Internet port in the table.

3. Select Static and then click Configure.

4. Make the following settings:

• IP address: Assign an address. For this example, use the address:

192.168.2.1

• Address mask: Assign an appropriate mask. For this example, use the

mask: 255.255.255.0.

• Default gateway: Leave blank. In a real setup this would be set to the

address of the router providing access to the Internet.

Chapter 17: Sample setup - Backend software 254

DRAFT

Configure RADIUS

settings

The CN3200 must be configured to communicate with the Steel-Belted Radius

server. For a detailed explanation of configuration issues, see Chapter 16:

“Customizing CN3200 and customer settings” on page 207.

1. On the Security menu, click RADIUS. The RADIUS settings page opens.

2. Configure the following parameters:

• Primary server address: Specify the address of Server 1. For this example,

use the address: 192.168.2.99

• Primary server secret: Specify the secret you defined on when configuring

Steel-Belted Radius. For this example, use the secret: secret

3. Click Save.

Chapter 17: Sample setup - Backend software 255

DRAFT

4. Click Authentication. The Authentications settings page opens.

5. In the Customers box, set Authenticate via to RADIUS profile 1.

6. Configure the CN3200 box as follows:

•Authenticate via: Set to RADIUS profile 1.

•Login name: Set to hotspot.

•Password: Set to hotspot.

7. Enable Authenticate customers with 802.1x.

8. Click Save. The CN3200 will attempt to connect to the Steel-Belted Radius

server. If successful, the status light will change from red to green.

You can use the Statistics page on the Steel-Belted Radius Administrator to

view progress of the connection.

When you click the Save button in the management tool, the number of

Accepts should be incremented. That means that all settings are properly

configured on the CN3200 and Steel-Belted Radius.

If the number of Rejects is incremented instead, there may be a problem with

a badly set username and/or password. Check the log file in

c:\radius\service. It is named yyyymmdd.log, where yyyy is the year, mm

is the month and dd the day. For example, 20030822.log for August 22, 2003.

If the number of Silent Discards is incremented, it probably means that

either the IP address of the CN3200 and/or the shared secret has not been

properly configured on the RAS client tab.

You can increase the amount of information in the log file by changing the

following values in the c:\radius\service\radius.ini file, and restarting Steel-

Belted Radius:

[Configuration]

LogLevel = 0

TraceLevel = 0

Change both values from 0 to 2.

Chapter 17: Sample setup - Backend software 256

DRAFT

Certificates You can replace the certificate that is installed on the CN3200 with your own to

eliminate the warning message clients see when they try to login to the public

access interface. Refer to Chapter 14: SSL certificates for complete discussion of

certificates and examples on how to create and install them.

Important: Do not install the same certificate as the one installed on your web

server. You need to use a valid signed certificate to remove the warning

Chapter 17: Sample setup - Backend software 257

DRAFT

Step 6: Install and configure software on Server 2

Server 2 will be used to test if the customer is successfully redirected to the

originally requested page.

1. Install Windows 2000 Professional, Server, or Advanced Server, and then

install Service Pack 3.

2. Make sure that IIS is running.

3. Connect Server 2 to the hub and assign a static IP address to it. For this

example, use the address 192.168.2.100.

Chapter 17: Sample setup - Backend software 258

DRAFT

Step 7: Test the installation

To test the installation you will use the client station to log onto the public access

interface. For this to work, the CN3200 must be configured as the clients default

gateway. If you set up your equipment to match the setup of this example, this is

automatic. If not, adjust the configuration of the client accordingly.

1. Start the client station’s web browser and enter the IP address (or domain

name) of Server 2.

2. The CN3200 should intercept the URL and redirect the browser to the login

page. You should see the modified login page shown below. (Depending on

the type of certificate you installed on the CN3200 you may see a security

warning first.)

If you see the default login page (Register does not appear), it means that the

CN3200 could not retrieve the URLs for the modified pages. Click Tools in

the management tool and examine the messages in the log file to fix the

error.

The register button shows how to register an unauthenticated customer using

a remote, secure web page.

3. To login, specify user as both the username and password.

4. Once you have been authenticated, the welcome page should open.

Chapter 17: Sample setup - Backend software 259

DRAFT

5. Click the link. You will be redirected to the web server on Server 2.

Chapter 17: Sample setup - Backend software 260

DRAFT

Step 8: Test the remote login page feature

The sample files you installed on Server 1 also include definitions to allow testing

of the remote login page feature. This feature enables the CN3200 to redirect

customers to a remote URL to login instead of using the internal login page. For

more information see “Using a remote login page” on page 173.

Enable the remote

1. On the Start menu, click Steel-Belted Radius, then click Steel-Belted

Radius Administrator. The following window opens.

2. Click Connect. This connects you to the Steel-Belted Radius server.

3. Click Profiles.

Chapter 17: Sample setup - Backend software 261

DRAFT

4. Select DEMO-DEVICES.

5. Click the Return list attributes tab and remove the rem- in front of rem-

6. This overrides the setting for the login-page = entry in the RADIUS profile.

However, it is good practice to remove the login-page entry.

7. Click OK.

8. Click Save.

9. Open the CN3200’s management tool and go to the Security >

Authentication page.

10. Click Force Authenticate.

11. Wait about 1 minute before continuing to let the CN3200 download the

change

Test the remote

1. Start the client station’s web browser and enter the IP address (or domain

name) of Server 2.

2. The CN3200 should intercept the URL and redirect the browser to the remote

installed on the CN3200 you may see a security warning first.)

Chapter 17: Sample setup - Backend software 262

DRAFT

The register button shows how to register an unauthenticated customer using

a remote, secure web page.

3. To login, specify user as both the username and password. The Welcome

page should open.

4. Click the link. You should be redirected to the web server on Server 2.

Chapter 17: Sample setup - Backend software 263

DRAFT

Step 9: Test the NOC authentication feature

The sample files you installed on Server 1 also include definitions that enable you

to test the NOC authentication feature. This feature allows you to validate

customer logins using a remote server instead of using the CN3200. See page

176 for a description of this feature and its benefits.

Enable NOC

authentication

1. Open the CN3200’s management tool.

2. On the Security menu, click Authentication, then click the Advanced

Settings button.

3. Enable NOC Authentication.

4. Select the Internet Port as the Active Interface.

5. Click Save.

Chapter 17: Sample setup - Backend software 264

DRAFT

6. On the Security menu, click Authentication.

7. Specify www.noc-cn3000.com for Login name and Password.

8. Click Save.

9. Wait about 1 minute for the CN3200 to download the changes.

Test NOC

authentication

1. Start the client station's web browser and enter the IP address (or domain

name) of Server 2.

2. The CN3000 should intercept the URL and redirect the browser to the remote

NOC login page on 192.168.2.99.

(Depending on the type of certificate you installed on Server 2 you may see a

security warning first.)

Chapter 17: Sample setup - Backend software 265

DRAFT

3. To login, specify user as both the username and password. The Welcome

page should open.

4. Click the link. You should be redirected to the web server on Server 2.

Chapter 17: Sample setup - Backend software 266

DRAFT

Tools

Batch files Several batch files are included in c:\colubris\scripts to make management of

the web server, MySQL database, and Steel-Belted Radius easier when using a

command-line session. To use this files place them into a directory that appears

in your path.

Apache

apache-start.cmd

apache-ssl-start.cmd

apache-stop.cmd

apache-restart.cmd

If you installed OpenSA in a different location than c:\, edit the scripts and

change the value of the APACHEDIR variable to your installation directory.

Mysql

mysql-start.cmd

mysql-stop.cmd

mysql-restart.cmd

Steel-Belted Radius

radius-start.cmd

radius-stop.cmd

radius-restart.cmd

Starting services

mysql-restart.cmd

apache-restart.cmd

radius-restart.cmd

phpMyadmin phpMyadmin provides an easy-to-use interface to the MySQL database. You can

use this interface to add or edit user accounts. The following is a quick overview.

1. Point your web browser to: https://localhost/phpMyAdmin

The following screen opens:

Chapter 17: Sample setup - Backend software 267

DRAFT

2. Select radius in the column on the left side of the page.

3. Click users on the left and then click the Browse tab.

• By clicking Edit, you can modify the information for an existing user.

• You can add a new user by clicking:

•Insert new row, and fill in all the parameters,

•Edit an existing user, modify its parameters, then choose Insert as new

row and click the Go button. Note that in this case, you should clear the

field u_user_id, since this is a primary key for the user table. Duplicates

are not allowed for this field.

Chapter 17: Sample setup - Backend software 268

DRAFT

Troubleshooting

The CN3200’s authentication system is not up.

1. The IP address for the RADIUS server may be incorrect: check that a

RADIUS server has been configured in the CN3200’s Security > RADIUS

configuration panel, and that the RADIUS server is reachable from the

CN3200.

One way to do this is to ping its IP address using Tools > Ping. If the ping

fails, verify the connection between the CN3200 and the RADIUS server.

2. Check that the RADIUS server is receiving authentication requests from the

CN3200. Launch the Steel-Belted Radius administrator, connect to the

server, and go to Statistics.

• If the total number of Transactions is 0, the CN3200 is not properly

connected to the server, either directly or through other networking devices.

• If the number of Silent Discards is non-zero, it means the CN3200 and the

server have a different shared secret. They should always be the same.

• If the number of Rejects is non-zero, it means the CN3200 is using an

invalid login name/password pair.

• If the number of Accepts is non-zero, it means the positive answer from the

server is not being received by the CN3200. There may be routing

problems between the CN3200 and the RADIUS server.

There is a timeout while the customer is being redirected to

the login page.

In the case, the URL displayed in the address field of the customer’s web browser

is of the form: https://dnsname:8090/index.asp, it means the CN3200 has been

able to perform a DNS reverse-lookup, but the customer’s computer is not able to

resolve the resulting name.

Chapter 17: Sample setup - Backend software 269

DRAFT

There is probably something wrong with the configuration of the DNS for the

entry related to the CN3200.

After logout, the goodbye page cannot be displayed

Check that the IP address and port number for the web server hosting the

goodbye page is defined in the access list for the RADIUS profile for the CN3200.

Chapter 17: Sample setup - Backend software 270

DRAFT

Chapter 18: Sample setup - Steel-Belted Radius 271

DRAFT

Chapter 18: Sample setup - Steel-Belted Radius

Chapter 18

Sample setup - Steel-Belted Radius

This chapter provides a walkthrough of a sample RADIUS configuration

using Steel-Belted Radius.

The CN3200 is compliant with RFC 2865 and RFC 2866 and will work

with a variety of RADIUS servers. This example is for illustrative purposes

only and does not imply that you need to use Steel-Belted Radius over

any other brand.

IMPORTANT: Before reading this chapter you should familiarize

yourself with the concepts discussed in in Chapter 15 and Chapter 16.

Chapter 18: Sample setup - Steel-Belted Radius 272

DRAFT

Overview

This sample will be constructed using a fully-functional evaluation version of

Steel Belted Radius Server from Funk Software that will be installed on a

computer running Windows NT 4.0 or Windows 2000.

The difference between this sample and the backend example in Chapter 18, is

as follows:

• This example illustrates how to manually configure profiles on the Steel-Belted

Radius server. In the backend sample they are automatically created using

predefined scripts.

• The backend sample uses an OBDC database to store profile properties. In

this example, all properties are stored in Steel-Belted Radius. Dynamic

tracking of usage and accounting information is only possible when using an

OBDC database, therefore this example is best suited to installations that

require user authentication only.

Prerequisites Software

• Windows 2000 Professional, Server, or Advanced Server (with Service Pack

3), and all recommended updates

• Steel Belted Radius Server version 4 from Funk Software

• Internet Explorer 6.0 service pack 1, and all recommended updates

Hardware

• a network hub

• a second network hub or a cross-over cable

• two computers capable of running Windows 2000 Professional, Server or

Advanced Server

• a CN3200

• a third computer with a JavaScript-enabled web browser, with or standard

Ethernet adapter

Skills

• Familiarity with the installation and operation of TCP/IP-based networks.

• Basic knowledge of Windows 2000, including how to use a Windows

command-line session.

Chapter 18: Sample setup - Steel-Belted Radius 273

DRAFT

Equipment setup

This section illustrates the hardware setup that was used to create the sample

configuration described in this chapter. If you duplicate this setup, you will not

have to change any of the IP addresses supplied in the example.

Topology The goal of this setup is to simulate a working environment with the least amount

of equipment. To this end, the ‘public network’ is considered to be any device

connected to the LAN port on the CN3200. The ‘protected network resources’

are connected to the Internet port on the CN3200. In this example, both Server 1

and Server 2 are on the protected network. Server 1 hosts the RADIUS server.

Server 2 is used to simulate an external web server.

See “Wiring details” on page 358 for information on how to build a x-over cable.

To test the setup when installation and configuration is complete, you will use the

client station to browse the web server installed on Server 2. The CN3200 will

intercept the request and display public access login page. Your login information

will be validated using the the Funk Steel Belted Radius Server installed on

Server 1. After you are authenticated, the CN3200 will display the welcome page.

This page will contain the URL of the originally requested web server (Server 2).

You can then click the URL to reach Server 2.

About the

components

Server 1

Server 1 hosts the Funk Steel Belted Radius Server.

Server 2

Server 2 is required to test the setup once it is complete. You should install a web

server on this computer. This example uses IIS running on Windows 2000

professional.

Client station

The client station is required to test the setup once it is complete. It requires a

web browser. The DHCP server on the CN3200 will assign an IP address to this

computer.

Chapter 18: Sample setup - Steel-Belted Radius 274

DRAFT

Step 1: Install software on Server 1

Windows 2000 1. Install Windows 2000 Professional, Server, or Advanced Server and then

install Service Pack 3. Make sure you also install all recommended updates.

2. Disable the IAS and IIS services on Windows 2000 Server, or Advanced

Server. This is required to avoid conflicts with Steel-Belted Radius and

Apache.

3. Connect Server 1 to the hub and assign a static IP address to it. For this

example, use the address 192.168.2.99.

4. Shut down and restart Server 1.

Steel-Belted Radius 1. Retrieve Funk Steel Belted Radius Server v4 Evaluation version, from

funk.com.

2. Run the executable installation file and accept all default installation settings.

When prompted, select the 30 day trial.

Important

If you encounter the following error message when trying to start the Steel-Belted

Radius NT Service:

Services: Error 1068: The dependency service or group failed to

start.

Refer to Tech Note RD230 on the Funk web site for a solution.

Internet Explorer Install Internet Explorer 6 SP1 on the server. The support files included with this

application are required for proper operation.

Chapter 18: Sample setup - Steel-Belted Radius 275

DRAFT

Step 1: Add support for Colubris Networks attributes

Note: If you do not want to modify the files yourself, modified versions are

available in the Colubris Backend archive which can be found on the CD or on

the Colubris Networks web site.

Do the following on server 1:

1. Create an file named colubris.dct in the folder: c:\radius\service

2. Edit the file so that it contains the following entries.

@radius.dct

ATTRIBUTE Colubris-AVPAIR 26 [vid=8744 type1=0 len1=+2 data=string] RO

For more information on the format of this file, see

c:\radius\service\readme.dct.

3. Edit c:\radius\service\dictiona.dcm. Add the following line to the end of this

file, just after the last line beginning with an '@'.

@colubris.dct

4. Edit c:\radius\service\vendor.ini. Add the following lines to the end of the

file.

vendor-product = Colubris CN3200

dictionary = Colubris

ignore-ports = no

port-number-usage = per-port-type

help-id = 0

5. Restart Steel-Belted Radius. For example, start a command line session and

then issue the commands:

net stop "Steel-Belted RADIUS"

net start "Steel-Belted RADIUS"

Chapter 18: Sample setup - Steel-Belted Radius 276

DRAFT

Step 2: Connect to the Steel-Belted Radius server

Do the following on server 1:

1. On the Start menu, click Steel-Belted Radius, then click Steel-Belted

Radius Administrator. The following window opens.

2. Click Connect. This connects you to the Steel-Belted Radius server.

Chapter 18: Sample setup - Steel-Belted Radius 277

DRAFT

If you see any error messages in the Status window, you must resolve them

before continuing. For example:

A common cause for these errors is to forget to terminate the IAS and IIS

services and then reboot. These services will continue to interfere with the

Steel-Belted Radius server until you stop and terminate them, then reboot.

Chapter 18: Sample setup - Steel-Belted Radius 278

DRAFT

Step 3: Create a RADIUS client profile for the CN3200

Any device that uses the services of a RADIUS server to perform authentication

tasks is called a RADIUS client, and must have its own RAS Client profile.

Therefore, you must create a profile for the CN3200.

To complete this section you need to know the IP address assigned to the

Internet port on the CN3200. For this example, use the address 192.168.2.1.

Note: The configuration settings you make here will match the settings you make

on the CN3200 later.

1. Select RAS Clients.

2. Click Add.

3. Choose a name for the CN3200. For this example, use the name COLUBRIS.

This is a nickname that is used by Steel-Belted Radius to identify the client

and is not configured on the CN3200.

4. Click OK.

5. Specify the address of the CN3200’s Internet port. For this example, specify

192.168.2.1.

Chapter 18: Sample setup - Steel-Belted Radius 279

DRAFT

6. Set Make/model to Colubris CN3200.

7. Click Edit authentication shared secret.

8. Specify a carefully chosen shared secret. In a production environment you

should use a combination of at least eight uppercase/lowercase letters as

well as digits. For simplicity, this example uses the shared secret: secret.

9. Click Set.

10. Click Save.

Chapter 18: Sample setup - Steel-Belted Radius 280

DRAFT

Step 4: Define RADIUS profiles

RADIUS profiles are used to manage and control all authentication tasks. Each

profile contains two sets of attributes:

• Check list attributes: These attributes must be contained in the user’s

authentication request for the authentication to be successful.

• Return list attributes: These attributes are returned once authentication is

successful.

For this example you will create a RADIUS profile for:

• the CN3200

• Public access customers subscribing to SMTP redirection

• Public access customers not subscribing to SMTP redirection

• CN3200 administrators

Defining a CN3200

profile

1. Click Profiles.

2. Click Add.

3. Specify a name for the profile. For this example, use the name HOTSPOTS.

Click OK.

4. Click the Check list attributes tab.

5. Click the Ins button. The Add New Attribute dialog box opens.

6. Select Service-Type and set it to the value Administrative. Click Add.

7. Click Close.

Chapter 18: Sample setup - Steel-Belted Radius 281

DRAFT

8. Click the Returned list attributes tab.

You can now specify the attributes that will be returned to the CN3200 after it

is successfully authenticated. This enables you to define a number of

important operating characteristics, including:

• The location of custom HTML pages that must be downloaded by the

CN3200.

• One or more access lists for specifying the set of network resources

customers have access to.

For this example, you should create the following three entries:

(Refer to “Creating a profile for the CN3200 on the RADIUS server” on

page 214 for a complete list of all supported attributes.)

To add each entry:

•Click Ins. Select Colubris-AVPair and enter the appropriate string. For

example:

• Once all entries are complete, the Return list attributes tab should look

like this:

Acolubris-AVPair access-list=all,ACCEPT,tcp,192.168.2.99,80

This access list permits all users on the public network to access the web

server at 192.168.2.99. The typical role of such a server would be to

display information about the public access network: how to get an

account, how to login, etc.

BColubris-AVPair access-list=cust,ACCEPT,tcp,192.168.2.100,80

This access list permits only authenticated customers to access the web

server at 192.168.2.100.

CColubris-AVPair use-access-list=all

This activates the access list all for the HOTSPOTS profile. The cust

access list will be activated in the CUSTOMERS-NO-SMTP and

CUSTOMERS-SMTP-REDIRECT profiles.

Chapter 18: Sample setup - Steel-Belted Radius 282

DRAFT

•Click Save.

Defining a

Customer profile

The CN3200 supports an SMTP redirection feature which enables customers to

send outgoing mail without being directly connected to their SMTP server.

To use this feature, the customer profiles need to be split into two types: those

with SMTP redirection and those without it. To this end, this example will create

two profiles: CUSTOMERS-SMTP-REDIRECT and CUSTOMERS-NO-SMTP.

Note: This example assumes the SMTP server is located on Server 2, although

no such software is actually installed.

To define the customer profiles, do the following:

1. Click Profiles.

2. Click Add. The Add New Profile dialog box opens.

3. Specify CUSTOMERS-NO-SMTP as the name and click OK.

4. Click Add.

5. Specify CUSTOMERS-SMTP-REDIRECT as the name and click OK.

6. Click the Check list attributes tab.

7. Click the Ins button. The Add New Attribute dialog box opens.

8. Select Service-Type and set it to the value Framed. Click Add.

9. Click Done.

Chapter 18: Sample setup - Steel-Belted Radius 283

DRAFT

10. Click the Returned list attributes tab.

You can now specify the attributes that will be returned after a customer is

successfully authenticated. This enables you to define a number of important

operating characteristics, including:

• The access list that is in use.

• Support for SMTP mail redirection.

• Settings for session timeouts and accounting updates.

For this example, you should create the following four entries:

(Refer to “Creating a profile for the CN3200 on the RADIUS server” on

page 214 for a complete list of all supported attributes.)

To create the entries:

•Click Ins. The Add New Attribute dialog box opens.

AIdle-Timeout 30

This causes the CN3200 to log the customer out if the session is idle for

more than 30 seconds

BSession-Timeout 360

This causes the CN3200 to log the customer out if the session is active

for more than 360 seconds.

CColubris-AVPair smtp-redirect=192.168.2.100

This provides access to the fictional SMTP server on 192.168.2.100.

Used for the CUSTOMERS-SMTP-REDIRECT profile only.

DColubris-AVPair use-access-list=cust

This access list was defined in the HOTSPOTS profile. It is activated here

to provide access to the web server on 192.168.2.100.

Chapter 18: Sample setup - Steel-Belted Radius 284

DRAFT

• Select Colubris-AVPAIR and enter the appropriate string.

•Click Add.

• Repeat until all entries are done, the click Close.

• Once all entries are complete, the Return list attributes tab should look

like this:

11. In the Profile Name box, select CUSTOMERS-NO-SMTP. Define the same

set of attributes, except for:

Colubris-AVPair smtp-redirect=192.168.2.100

Defining an

CN3200

administrator

profile

By defining an administrator profile you can enable multiple administrators to log

in to the management tool on the CN3200. Each administrator can have their

own login name and password. Refer to “Creating administrator profiles on the

RADIUS server” on page 232 for more information.

Note: Only one administrator can log in at a time.

Note: Setting up administrator profiles is optional and is not required for proper

operation of this sample.

To define the customer profiles, do the following:

1. Click Profiles.

2. Click Add. The Add New Profile dialog box opens.

3. Specify ADMIN as the name and click OK.

4. Click the Check list attributes tab.

5. Click the Ins button. The Add New Attribute dialog box opens.

Chapter 18: Sample setup - Steel-Belted Radius 285

DRAFT

6. Select Service-Type and set it to the value Administrative. Click Add.

7. Click Close.

Return list attributes are not supported for administrators.

8. Click Save.

Chapter 18: Sample setup - Steel-Belted Radius 286

DRAFT

Step 5: Define user accounts

RADIUS user accounts need to be created for each individual user. The account

specifies the login name and password the user will use to login. All other

properties are obtained from one of the profiles that were just defined.

For this example you will create the following RADIUS user accounts:

Defining user

accounts

Repeat the following procedure to create each user account.

1. Click Users.

2. Click Add.

3. Specify the Username and click OK.

4. Click Set password. Define the password and click Set.

Username Password Associate with profile

customer1 customer1 CUSTOMERS-NO-SMTP

customer2 customer2 CUSTOMERS-SMTP-REDIRECT

hotspot hotspot Hotspots

admin admin ADMIN

Chapter 18: Sample setup - Steel-Belted Radius 287

DRAFT

5. In the Profile name box, select the profile which will be used as the basis for

the account. The settings for the profile will appear. For example:

6. Click Save.

Chapter 18: Sample setup - Steel-Belted Radius 288

DRAFT

Step 6: Install and configure the CN3200

Assign a static

address

1. On the Network menu, click Ports.

2. Click Internet port in the table.

3. Select Static and then click Configure.

4. Make the following settings:

• IP address: Assign an address. For this example, use the address:

192.168.2.1

• Address mask: Assign an appropriate mask. For this example, use the

mask: 255.255.255.0.

• Default gateway: Leave blank. In a real setup this would be set to the

address of the router providing access to the Internet.

Configure RADIUS

settings

The CN3200 must be configured to communicate with the Steel-Belted Radius

server. For a detailed explanation of configuration issues, see Chapter 16:

“Customizing CN3200 and customer settings” on page 207.

1. On the Security menu, click RADIUS. The RADIUS settings page opens.

2. Configure the following parameters:

• Primary server address: Specify the address of Server 1. For this example,

use the address: 192.168.2.99

• Primary server secret: Specify the secret you defined on when configuring

Steel-Belted Radius. For this example, use the secret: secret

Chapter 18: Sample setup - Steel-Belted Radius 289

DRAFT

3. Click Save.

4. Click Authentication. The Authentications settings page opens.

5. In the Customers box, set Authenticate via to RADIUS profile 1.

6. Configure the CN3200 box as follows:

•Authenticate via: Set to RADIUS profile 1.

•Login name: Set to hotspot.

•Password: Set to hotspot.

7. Enable Authenticate customers with 802.1x.

8. Click Save. The CN3200 will attempt to connect to the Steel-Belted Radius

server. If successful, the status light will change from red to green.

Note: You can use the Statistics page on the Steel-Belted Radius Administrator to

view progress of the connection.

When you click the Save button in the management tool on the CN3200, the

number of Accepts should be incremented. That means that all settings are

properly configured on the CN3200 and Steel-Belted Radius.

If the number of Rejects is incremented instead, there may be a problem with

a badly set username and/or password. Check the log file in

c:\radius\service. It is named 2001mmdd.log, where mm is the month and

dd the day. For example, 20011022.log for October 22, 2001.

If the number of Silent Discards is incremented, it probably means that

either the IP address of the CN3200 and/or the shared secret has not been

properly configured on the RAS client tab.

You can increase the amount of information in the log file by changing the

following values in the c:\radius\service\radius.ini file, and restarting Steel-

Belted Radius:

[Configuration]

LogLevel = 0

TraceLevel = 0

Change both values from 0 to 2.

Chapter 18: Sample setup - Steel-Belted Radius 290

DRAFT

Chapter 18: Sample setup - Steel-Belted Radius 291

DRAFT

Step 7: Install Server 2

This example assumes Windows 2000 and IIS are installed on Server 2. You can

any another operating system and web server.

1. Install Windows 2000 Professional, Server, or Advanced Server and then

install Service Pack 3.

2. Make sure that IIS is running.

3. Connect Server 2 to the LAN and assign a static IP address to it. For this

example, use the address 192.168.2.100.

Chapter 18: Sample setup - Steel-Belted Radius 292

DRAFT

Step 8: Test the installation

To test the installation, use the client station to log onto the public access

interface. For this to work, the CN3200 must be configured as the client’s default

gateway. If you set up your equipment to match the setup of this example, this is

automatic. If not, adjust the configuration of the client accordingly.

1. Start the client station’s web browser and enter the IP address (or domain

name) of Server 2 in the address bar.

2. The CN3200 should intercept the HTTP request and display the login page.

Depending on the type of certificate that is installed on the CN3200 you may

see a security warning first.

3. To login, specify customer1 as both the username and password. The

CN3200 session page should open.

Chapter 18: Sample setup - Steel-Belted Radius 293

DRAFT

4. You should automatically be redirected to the web server on Server 2.

Testing

administrator

logins

If you configured administrator accounts on the RADIUS server, you can test

them now as follows:

1. Open the CN3200 management tool with your web browser.

2. On the main menu, click Management. The Management tool configuration

page opens.

3. For Authenticate via select RADIUS profile 1.

4. Click Save.

5. Logout.

6. Login with username and password admin.

Chapter 18: Sample setup - Steel-Belted Radius 294

DRAFT

Chapter 19: Sample setup - Microsoft RADIUS 295

DRAFT

Chapter 19: Sample setup - Microsoft RADIUS

Chapter 19

Sample setup - Microsoft RADIUS

This chapter provides a walkthrough of a sample RADIUS configuration

using Microsoft's RADIUS server (called Internet Authentication

Service), that comes with Windows 2000 server and Windows 2000

Advanced server.

The CN3200 is compliant with RFC 2865 and RFC 2866 and will work

with a variety of RADIUS servers. This example is for illustrative purposes

only and does not imply that you need to use Microsoft’s RADIUS server

over any other brand.

IMPORTANT: Before reading this chapter you should familiarize

yourself with the concepts discussed in Chapter 15 and Chapter 16.

Chapter 19: Sample setup - Microsoft RADIUS 296

DRAFT

Overview

The sample setup in this chapter illustrates how to use IAS (Internet

Authentication Service) to authenticate customer logins on the CN3200.

Prerequisites Software

• Windows 2000 Server or Advanced Server (with Service Pack 3), and all

recommended updates

• Internet Explorer 6.0 service pack 1

Hardware

• a network hub

• a second network hub or a cross-over cable

• two computers capable of running Windows 2000 Professional, Server or

Advanced Server

• a CN3200

• a third computer with a JavaScript-enabled web browser, with or standard

Ethernet adapter

Skills

• Familiarity with the installation and operation of TCP/IP-based networks

• Basic knowledge of Windows 2000, including how to use a Windows

command-line session.

Chapter 19: Sample setup - Microsoft RADIUS 297

DRAFT

Equipment setup

This section illustrates the hardware setup that was used to create the sample

configuration described in this chapter. If you duplicate this setup, you will not

have to change any of the IP addresses supplied in the example.

Topology The goal of this setup is to simulate a working environment with the least amount

of equipment. To this end, the ‘public network’ is considered to be any device

connected to the LAN port on the CN3200. The ‘protected network resources’

are connected to the Internet port on the CN3200. In this example, both Server 1

and Server 2 are on the protected network. Server 1 hosts the IAS server. Server

2 is used to simulate an external web server.

See “Wiring details” on page 358 for information on how to build a x-over cable.

About the

components

Server 1

Server 1 is the computer that you install Windows 2000 server and IAS on.

Server 2

Server 2 is required to test the setup once it is complete. You should install a web

server on this computer. The client station will attempt to access this web server

via the CN3200.

Client station

The client station is required to test the setup once it is complete. The DHCP

server on the CN3200 will assign an address to this computer.

Chapter 19: Sample setup - Microsoft RADIUS 298

DRAFT

Step 1: Install software on Server 1

Windows 2000 1. Install Windows 2000 Server or Advanced Server and then install Service

Pack 3 and all recommended updates.

2. Make sure that IAS is also installed.

3. Connect Server 1 to the hub and assign a static IP address to it. For this

example, use the address 192.168.2.99.

4. Shut down and restart Server 1.

Internet Explorer Install Internet Explorer 6 SP1 on the server. The support files included with this

application are required for proper operation.

Chapter 19: Sample setup - Microsoft RADIUS 299

DRAFT

Step 2: Define user accounts

On server 1, accounts need to be created in Windows for three types of users as

follows:

• each CN3200 must have its own account

• each administrator must have their own account

• each customer must have their own account

To create the accounts

1. Click Start > Programs > Administrative Tools > Computer Management.

2. Double click Local Users and Groups.

3. Click Users.

4. Create the following user accounts by clicking New User on the Action

menu:

Username Password

customer1 customer1

customer2 customer2

hotspot hotspot

admin admin1

Chapter 19: Sample setup - Microsoft RADIUS 300

DRAFT

Step 3: Define groups and add users to them

Groups let you define a set of common attributes for one or more users. You will

need to create at least four groups:

• CN3200 devices

• CN3200 administrators

• Customers with SMTP redirection

• Customers without SMTP redirection

To create the groups

1. Click Groups.

2. Create the following groups by clicking New Group on the Action menu.

After you create each group you will be prompted to add users.

3. Click Users.

Group to create Add these users

Public Access Hotspots hotpspot

Customers with SMTP redirect customer1

Customers without SMTP redirect customer2

Hotspot Administrators admin

Chapter 19: Sample setup - Microsoft RADIUS 301

DRAFT

4. All users are automatically added to the Users group. Select customer1 and

customer2 and click Remove. You need to remove these users so they do

not have access to Server 1.

5. Click OK.

Chapter 19: Sample setup - Microsoft RADIUS 302

DRAFT

Step 4: Start the RADIUS server

Start the RADIUS server configuration by selecting Start Menu/Programs/

Administrative Tools/Internet Authenticating Service. The following window will

open.

1. Click Start > Programs > Administrative Tools > IAS.

Chapter 19: Sample setup - Microsoft RADIUS 303

DRAFT

Step 5: Create a RADIUS client account

A RADIUS client is any device that uses the services of a RADIUS server.

Therefore, each CN3200 is considered to be a RADIUS client and must have its

own client account.

1. Click Clients.

2. On the Action menu, click New client. The Add Client dialog box opens.

3. Specify a Friendly name for the CN3200. For this example, use colubris.

This value is used by the RADIUS server only. It is not configured on the

CN3200.

4. Choose RADIUS as the Protocol.

Chapter 19: Sample setup - Microsoft RADIUS 304

DRAFT

5. Click Next. The Add RADIUS Client dialog box opens.

6. In Client address specify the IP address of the CN3200’s Internet port. For

this example, specify 192.168.2.1.

7. Leave Client-Vendor set to RADIUS Standard.

8. Leave Client must always send the signature attribute in the request

checked. The CN3200 always sends the signature attribute.

9. Define a unique Shared secret for the CN3200. For this example, use the

secret secret.

10. Click Finish.

Chapter 19: Sample setup - Microsoft RADIUS 305

DRAFT

Step 6: Create an access policy for the CN3200

A remote access policy is a set of actions that apply to a group of RADIUS users.

This section shows how to define an access policy for the Public Access

Hotspots group.

1. Click Remote Access Policies.

2. On the Action menu, click New remote access policy. The Add Remote

Access Policy dialog box opens.

3. Specify a Policy friendly name. For this example, specify Public Hotspot

Policy.

Chapter 19: Sample setup - Microsoft RADIUS 306

DRAFT

4. Click Next. The Add Remote Access Policy dialog box opens.

5. Click Add. The Select Attribute dialog box opens.

6. Select Service type and click Add.

7. Select Administrative, click Add, and then click OK.

Chapter 19: Sample setup - Microsoft RADIUS 307

DRAFT

8. Yo u r e t u r n Add Remote Access Policy dialog box.

9. Click Add. The Select Attribute dialog box opens.

10. Select Windows-Groups and click Add.

11. The Groups dialog box opens. Click Add.

Chapter 19: Sample setup - Microsoft RADIUS 308

DRAFT

12. The Select Groups dialog box opens. Select Public Access Hotspots and

then click Add and then OK.

13. Return to the Add Remote Access Policy dialog box and click Next.

14. Select Grant remote access permission and click Next.

Chapter 19: Sample setup - Microsoft RADIUS 309

DRAFT

15. Click Edit Profile.

16. The Edit-Dial-in Profile window opens.

17. Click the Authentication tab and enable the options as shown.

Chapter 19: Sample setup - Microsoft RADIUS 310

DRAFT

18. Click the Advanced tab.

This tab is where you specify the values that are returned to the CN3200

when it logs into the RADIUS server.

19. Select Framed-Protocol and click Remove.

20. Select Service-Type and click Edit. The Enumerable Attribute Information

dialog box opens.

Chapter 19: Sample setup - Microsoft RADIUS 311

DRAFT

21. Select Administrative for Attribute value and click OK.

You can now specify the attributes that will be returned to the CN3200 after it

is successfully authenticated. This enables you to define a number of

important operating characteristics, including:

• The location of custom HTML pages that must be downloaded by the

CN3200.

• One or more access lists for specifying the set of network resources

customers have access to.

For this example, you should create the following entry:

Colubris-AVPair access-list=cust,ACCEPT,tcp,192.168.2.100,80

This access list permits only authenticated customers to access the web

server at 192.168.2.100.

(Refer to “Creating a profile for the CN3200 on the RADIUS server” on

page 214 for a complete list of all supported attributes.)

Chapter 19: Sample setup - Microsoft RADIUS 312

DRAFT

To add this entry:

•Click Add. The Add Attributes dialog box opens.

• Select Vendor-Specific and click Add. The Multivalued Attribute

Information dialog box opens.

Chapter 19: Sample setup - Microsoft RADIUS 313

DRAFT

•Click Add to add a new attribute.

• Specify the Colubris Networks vendor code 8744 in Enter Vendor Code.

• Select Yes. It conforms.

•Click Configure Attribute. The Configure VSA (RFC compliant) dialog box

opens.

•For Vendor-assigned attribute number, specify 0.

•For Attribute format, select String.

•For Attribute value, specify the following attribute:

• access-list=all,ACCEPT,tcp,192.168.2.100,80

For example:

22. When done, click OK on all dialog boxes to return to the Add Remote

Access Policy dialog box.

23. Click Finish.

Chapter 19: Sample setup - Microsoft RADIUS 314

DRAFT

Step 7: Create an access policy for customers

This section explains how to create a remote access policy for both Public

Access Customers (SMTP Redirect) and Public Access Customers (no SMTP

Redirect). Creation of both policies is identical expect for a few steps at the end of

the procedure. So repeat this procedure to create both policies.

1. Click Remote Access Policies.

2. On the Action menu, click New remote access policy. The Add Remote

Access Policy dialog box opens.

3. Specify a Policy friendly name for the policy. The first time you execute this

procedure specify Public Access Customers (SMTP Redirect) and the

second time specify Public Access Customers (no SMTP Redirect).

Chapter 19: Sample setup - Microsoft RADIUS 315

DRAFT

4. Click Next. The Add Remote Access Policy dialog box opens.

5. Click Add. The Select Attribute dialog box opens.

6. Select Service-Type and click Add.

7. Select Framed, click Add, then click OK.

Chapter 19: Sample setup - Microsoft RADIUS 316

DRAFT

8. Return to the Add Remote Access Policy dialog box.

9. Click Add. The Select Attribute dialog box opens.

10. Select Windows-Groups and click Add.

11. The Groups dialog box opens. Click Add.

Chapter 19: Sample setup - Microsoft RADIUS 317

DRAFT

12. The Select Groups dialog box opens. Select Customers with SMTP

redirect, click Add, and then OK.

13. Return to the Add Remote Access Policy dialog box and click Next.

14. Select Grant remote access permission and click Next.

Chapter 19: Sample setup - Microsoft RADIUS 318

DRAFT

15. Click Edit Profile.

16. The Edit-Dial-in Profile window opens.

17. Define the maximum idle time for customer sessions by selecting

Disconnect if idle for and setting an appropriate time.

18. Define the maximum duration for customer sessions by selecting Restrict

maximum session to and setting an appropriate time.

Chapter 19: Sample setup - Microsoft RADIUS 319

DRAFT

19. Click the Authentication tab and enable the options as shown.

20. Click the Advanced tab.

This tab is where you specify the values that are returned to the CN3200

when a customer is authenticated by the RADIUS server.

21. Remove all entries.

Chapter 19: Sample setup - Microsoft RADIUS 320

DRAFT

22. If you want to enable support for interim accounting updates, click Add. The

Add Attributes dialog box opens.

23. Select Acct-Interim-Interval and click Add. The Attribute Information dialog

box opens.

24. In the Attribute value field, specify the reporting interval (in seconds) that the

CN3200 will use to send accounting information to the RADIUS server.

25. Click OK.

You can now specify the attributes that will be returned after a customer is

successfully authenticated. This enables you to define a number of important

operating characteristics, including:

• The access list that is in use.

• Support for SMTP mail redirection.

Refer to “Creating customer profiles on the RADIUS server” on page 225 for

a complete list of supported attributes.

Chapter 19: Sample setup - Microsoft RADIUS 321

DRAFT

For this example, you should create the following entries:

smtp-redirect=192.168.2.100

This provides access to the fictional SMTP server on 192.168.2.100. Add this

when defining the Public Access Customers (SMTP Redirect) access

policy.

use-access-list=cust

This access list was defined in the Public Hotspot Policy. It is activated here

to provide access to the web server on 192.168.2.100.

To add each entry:

•Click Add. The Add Attributes dialog box opens.

• Select Vendor-Specific and click Add. The Multivalued Attribute

Information dialog box opens.

Chapter 19: Sample setup - Microsoft RADIUS 322

DRAFT

•Click Add to add a new attribute.

• Specify the Colubris Networks vendor code 8744 in Enter Vendor Code.

• Select Yes. It conforms.

•Click Configure Attribute. The Configure VSA (RFC compliant) dialog box

opens.

•For Vendor-assigned attribute number, specify 0.

•For Attribute format, select String.

•For Attribute value, specify each of the following attributes in turn:

• smtp-redirect=192.168.2.100

• use-access-list=cust

Chapter 19: Sample setup - Microsoft RADIUS 323

DRAFT

26. When done, click OK on all dialog boxes to return to the Add Remote

Access Policy dialog box.

27. Click Finish.

Chapter 19: Sample setup - Microsoft RADIUS 324

DRAFT

Step 8: Create an access policy for CN3200 admins

This section explains how to create a remote access policy to centrally validate

administrator logins via the RADIUS server instead of locally on each CN3200.

Note: Setting up administrator profiles is optional and is not required for proper

operation of this sample.

1. Click Remote Access Policies.

2. On the Action menu, click New remote access policy. The Add Remote

Access Policy dialog box opens.

3. Specify a Policy friendly name for the policy. For example you could use

“Remote Administrators”.

4. Click Next. The Add Remote Access Policy dialog box opens.

Chapter 19: Sample setup - Microsoft RADIUS 325

DRAFT

5. Click Add. The Select Attribute dialog box opens.

6. Select Service-Type and click Add.

7. Select Administrative, click Add, then click OK.

8. Return to the Add Remote Access Policy dialog box.

9. Click Add. The Select Attribute dialog box opens.

Chapter 19: Sample setup - Microsoft RADIUS 326

DRAFT

10. Select Windows-Groups and click Add.

11. The Groups dialog box opens. Click Add.

12. The Select Groups dialog box opens. Select Hotspot Administrators, click

Add and then OK.

Chapter 19: Sample setup - Microsoft RADIUS 327

DRAFT

13. Return to the Add Remote Access Policy dialog box and click Next.

14. Select Grant remote access permission and click Next.

15. Click Edit Profile.

Chapter 19: Sample setup - Microsoft RADIUS 328

DRAFT

16. The Edit-Dial-in Profile window opens.

17. Click the Authentication tab and enable the options as shown.

Chapter 19: Sample setup - Microsoft RADIUS 329

DRAFT

18. Click the Advanced tab.

19. Remove all entries.

20. Click OK.

21. Click Finish.

Chapter 19: Sample setup - Microsoft RADIUS 330

DRAFT

Step 9: Install and configure the CN3200

Assign a static

address

1. On the Network menu, click Ports.

2. Click Internet port in the table.

3. Select Static and then click Configure.

4. Make the following settings:

• IP address: Assign an address. For this example, use the address:

192.168.2.1

• Address mask: Assign an appropriate mask. For this example, use the

mask: 255.255.255.0.

• Default gateway: Leave blank. In a real setup this would be set to the

address of the router providing access to the Internet.

• In a real setup you would also need to define DNS settings.

Configure RADIUS

settings

The CN3200 must be configured to communicate with the RADIUS server. For a

detailed explanation of configuration issues, see Chapter 16: “Customizing

CN3200 and customer settings” on page 207.

1. On the Security menu, click RADIUS. The RADIUS settings page opens.

2. Configure the following parameters:

• Primary server address: Specify the address of Server 1. For this example,

use the address: 192.168.2.99

Chapter 19: Sample setup - Microsoft RADIUS 331

DRAFT

• Primary server secret: Specify the secret you defined on when configuring

Steel-Belted Radius. For this example, use the secret: secret

3. Click Save.

4. Click Authentication. The Authentications settings page opens.

5. In the Customers box, set Authenticate via to RADIUS profile 1.

6. Configure the CN3200 box as follows:

•Authenticate via: Set to RADIUS profile 1.

•Login name: Set to hotspot.

•Password: Set to hotspot.

7. Enable Authenticate customers with 802.1x.

8. Click Save. The CN3200 will attempt to connect to the Microsoft Radius

server. If successful, the status light will change from red to green.

Chapter 19: Sample setup - Microsoft RADIUS 332

DRAFT

Step 10: Install Server 2

This example assumes Windows 2000 and IIS are installed on Server 2. You can

any another operating system and web server.

1. Install Windows 2000 Professional, Server, or Advanced Server and then

install Service Pack 3.

2. Make sure that IIS is running.

3. Connect Server 2 to the hub and assign a static IP address to it. For this

example, use the address 192.168.2.100.

Chapter 19: Sample setup - Microsoft RADIUS 333

DRAFT

Step 11: Test the installation

To test the installation, use the client station to log onto the public access

interface. For this to work, the CN3200 must be configured as the client’s default

gateway. If you set up your equipment to match the setup of this example, this is

automatic. If not, adjust the configuration of the client accordingly.

1. Start the client station’s web browser and enter the IP address of Server 2

(192.168.2.100).

2. The CN3200 should intercept the HTTTP request and display the login page.

Depending on the type of certificate that is installed on the CN3200 you may

see a security warning first.

3. To login, specify customer1 as both the username and password. The

CN3200 session page should open.

4. You should automatically be redirected to the web server on Server 2.

Chapter 19: Sample setup - Microsoft RADIUS 334

DRAFT

Testing

administrator

logins

If you configured administrator accounts on the RADIUS server, you can test

them now as follows:

To test the accounts that were setup to validate administrator logins using the

RADIUS server, do the following:

1. Open the CN3200 management tool with your web browser.

2. On the main menu, click Management. The Management tool configuration

page opens.

3. For Authenticate via select RADIUS profile 1.

4. Click Save and then Logout.

5. Login with username and password admin1.

Chapter 20: Experimenting with NOC authentication 335

DRAFT

Chapter 20: Experimenting with NOC authentication

Chapter 20

Experimenting with NOC authentication

This chapter provides a sample setup that illustrates how the NOC

authentication feature works and lets you experiment with it. This sample

is not a complete working implementation, but rather a test setup that

you can use to become familiar with the feature.

The sample setup in this chapter functions from the command-line using

VPScript. The ASP version of the script can be used as a starting point

for porting or integrating the NOC authentication code into the remote

access page on a production system.

IMPORTANT: Before reading this chapter you should familiarize

yourself with the concepts discussed in Chapter 15 and Chapter 16.

Pay special attention to all topics related to the remote login page and

NOC authentication.

Chapter 20: Experimenting with NOC authentication 336

DRAFT

Overview

This chapter lets you use the sample setup presented in Chapter 17 to evaluate

the NOC authentication feature. For a description of this feature see page 176.

Evaluation of the NOC authentication feature is accomplished using a VBScript

program that lets you send authentication requests to the CN3200 using an SSL

session. This program demonstrates the functionality that would be required in a

remote login page.

A command line interface is used to run the program. No remote login page is

provided.

About the

certificates

To use NOC authentication you need the following three certificates that are

already generated and included with the backend files.

•www.noc-cn3000.com.pfx: Installed on the CN3200 and used to secure the

session it establishes with the VBScript application on the web server. It is

signed by noc-ca.crt.

•noc-ca.crt: Installed on the web server.

•noc-client.pfx: Installed on the web server and used by the VBScript program

to secure the session it establishes with the CN3200. It is signed by noc-

ca.crt.

Requirements • Windows 2000 Server, Advanced Server (with Service Pack 3) or Windows XP,

and all recommended updates

• Internet Explorer 6.0 service pack 1

Hardware

• a network hub

• a second network hub or a cross-over cable

• two computers capable of running Windows 2000 Professional, Server or

Advanced Server with Service Pack 3, or Windows XP with Service Pack 1

• a CN3200

• a third computer with a JavaScript-enabled web browser, with or standard

Ethernet adapter

Skills

• Familiarity with the installation and operation of TCP/IP-based networks.

• Basic knowledge of Windows 2000, including how to use a Windows

command-line session.

Skills

• Familiarity with the installation and operation of TCP/IP-based networks.

• Basic knowledge of Windows 2000, including how to use a Windows

command-line session.

Chapter 20: Experimenting with NOC authentication 337

DRAFT

Equipment setup

This section illustrates the hardware setup that was used to create the sample

configuration described in this chapter. If you duplicate this setup, you will not

have to change any of the IP addresses supplied in the example.

Topology This example uses the same equipment setup presented in Chapter 17. You

should follow the instructions in Chapter 17 to install this sample and get it

working.

For your reference th topology is:

Chapter 20: Experimenting with NOC authentication 338

DRAFT

Step 1: Configure the CN3000

In this step you will install an SSL certificate on the CN3200 and enable NOC

authentication. The certificate has already been created and can be found in the

backend folder.

Install an SSL certificate on the CN3200

1. Login to the management tool and go to Security > Certificates.

2. In the [SSL] Web Server Certificates box, click Browse.

3. Select the following folder on the CN3200 CD-ROM:

\backend\winhttpauth\www.noc-cn3000.com.pfx

4. In the Password field, specify www.noc-cn3000.com.

5. Click Install.

6. The CN3200 will install the certificate. The CN3200 will now be reachable as

www.noc-cn3000.com. (This is an alias to the IP address of the CN3200’s

Internet port.)

Enable NOC authentication

1. Click Security, then click Authentication.

2. Click the Advanced Settings button.

3. Enable the NOC authentication feature.

4. Add the IP address of the Server 1 (192.168.2.99) to the Allowed

Addresses box.

5. Click Save.

Chapter 20: Experimenting with NOC authentication 339

DRAFT

Step 2: Configure the RADIUS profile for the CN3200

Define the profile In the RADIUS profile for the CN3200, define the following:

ssl-noc-certificate= https://192.168.2.99/demo-php/upload/noc-

client.crt

ssl-noc-ca-certificate= https://192.168.2.99/demo-php/upload/noc-

ca.crt

These files are included as part of the backend example.

Force

authentication

For the CN3200 to authenticate to the RADIUS server so it can retrieve the new

settings youjust added to the profile.

1. Open the management tool.

2. Go to Security > Authentication.

3. Click the Force Authentication button. The CN3200 will authenticate itself

and retrieve the newly configured settings.

Chapter 20: Experimenting with NOC authentication 340

DRAFT

Step 3: Configure Server 1

Important: Do not use the certificates supplied with this example as part of a

production system. You should replace these certificates with your own, or

remove them from the list of Trusted Root Certificate Authorities to prevent your

computer from trusting web sites using certificates signed by the private key

present in noc-ca.pfx. As this key is provided as an part of an example, it should

not be considered as a secret key.

Install certificates The certificate noc-ca.crt must be imported into the Trusted Root Certification

Authorities certificate store on Server 1. This is done using Microsoft

Management Console:

1. Login to Windows as administrator.

2. Click Start, then click Run.

3. Specify mmc and press enter.

Chapter 20: Experimenting with NOC authentication 341

DRAFT

4. On the Console menu, click Add/Remove Snap-in.

5. Click Add.

6. Click Certificates, then click Add.

7. Then select Computer account.

8. Click Next.

Chapter 20: Experimenting with NOC authentication 342

DRAFT

9. Choose Local Computer and click Finish.

10. Click Close and OK to return to the mmc console window.

11. Open Certificates under Trusted Root Certification Authorities.

Chapter 20: Experimenting with NOC authentication 343

DRAFT

12. On the Action menu, click All Tasks > Import.

13. Click Next.

14. Click Browse, the open the following file on the CN3200’s CD-ROM:

\backend\winhttpauth\noc-ca.pfx

15. Click Next.

16. Specify the following password to unlock the file: noc-ca.

Import noc-client.pfx into the Personal certificate store using the same

procedure. The password to unlock noc-client.pfx file is noc-client.

When done, click Exit on the console and save the settings of mmc.

Verifying that

winhttpcertcfg.exe

is installed

Users do not automatically gain access to the private key imported from noc-

client.pfx. To grant access, winhttpcertcfg.exe must be executed on a per user

basis.

To check if winhttpcertcfg.exe is installed on the server, do the following:

1. Open a command line session.

2. Execute winhttpcrtcfg.exe.

3. If you get an error, it means winhttp management tools are not installed, or

are not in your path. If you cannot find them on your computer, you can

download the Windows 2003 Server Resource Kit Tools at:

http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-

4ae7-96ee-b18c4790cffd&displaylang=en

Note: This resource kit will only install on Windows XP SP1 or Windows 2003 Server.

Use the procedure that follows to install on Windows 2000 SP3.

4. One the Winhttp SDK has been installed, launch a console-mode session,

and go into the following folder:

C:\Program Files\WinHTTP 5.0 SDK\tools

Chapter 20: Experimenting with NOC authentication 344

DRAFT

Installing on Windows 2000 SP3

To complete this task you must have the Microsoft Windows Installer

(msiexec.exe) installed on your system. If it is not present, you can download

it here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4b6140f9-2d36-

4977-8 fa1-6f8a0f5dca8f&DisplayLang=en#filelist

1. Open a win32 console session.

2. Go into the directory that rktools.exe was downloaded into.

3. Run the command:

rktools /C

You will be prompted for a temporary directory name.

Once the extraction process is complete, the following files will be available in

the temporary directory:

rktools.msi

rktools_p.cab

rktools_s.cab

4. Go to the temporary directory.

5. Run the command:

msiexec /a rktools.msi

You will be prompted for a destination directory name.

Once the command will be completed, all the files from the ressource kit will

be present in the Program Files\Windows Resource Kits\Tools directory that

is created in the destination directory, including winhttpcertcfg.exe and

winhttptracecfg.exe.

Granting access to

the private key for

noc-client

Using winhttpcertcfg.exe, you need to grant access to the private key imported

from noc-client.pfx to the application that will send customer login information to

the CN3200. In this example, access needs to be granted to two accounts

• The VBscript application will be run under the administrator account, so access

needs to be granted to the administrator.

• (This step only applies if you are using IIS.) The account used to run IIS also

needs access to the certificate. This account is IWAM_COMPUTER, where

COMPUTER is replaced by the windows network name assigned to Server 1.

• Create access by running the command:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s "Test-Only client

certificate for demo" -a Administrator

Microsoft (R) WinHTTP Certificate Configuration Tool

Matching certificate:

E=support@colubris.com

CN=Test-Only Client certificate for demo

OU=Research & Development

O=Colubris Networks Inc.

L=Laval

S=Quebec

C=CA

Granting private key access for account:

COMPUTER\Administrator

To see the list of accounts that have been granted access to the privare key:

winhttpcertcfg -l -c LOCAL_MACHINE\My -s "Test-Only client

certificate for demo"

Chapter 20: Experimenting with NOC authentication 345

DRAFT

Microsoft (R) WinHTTP Certificate Configuration Tool

Matching certificate:

E=support@colubris.com

CN=Test-Only Client certificate for demo

OU=Research & Development

O=Colubris Networks Inc.

L=Laval

S=Quebec

C=CA

Additional accounts and groups with access to the private key

include:

\Everyone

NT AUTHORITY\SYSTEM

BUILTIN\Administrators

COMPUTER\Administrator

Access for the three other accounts is automatically added by winhttpcertcfg.

Use the same procedure to add access for IWAM_COMPUTER.

Configuring the hosts

file on Server 1

Now that a new SSL certificate is installed on the CN3200, the domain name

assigned to its Internet port is www.noc-cn3000.com. In order for requests from

the VBScript application to successfully reach the CN3200, this name must be

added to the WINNT\system32\drivers\etc\hosts file. This ensures that the

CN3200’s domain name will be resolved to the actual IP address of the Internet

port on the CN3000. The host file is located in:

\winnt\system32\drivers\etc\hosts.

Another option

An alternative to updating the hosts file or to adding the name of the CN3000 into

your DNS server would be to uncomment the following line in the script:

HttpsSession.Option(WinHttpRequestOption_SslErrorIgnoreFlags)=4096

This will prevent the script from exiting on error when attempting to connect to a

CN3000 using its IP address instead of its DNS name."

Chapter 20: Experimenting with NOC authentication 346

DRAFT

Experimenting with noc-authenticate.vbs

Now you are ready to use noc-autenticate.vbs to test the NOC authentication

feature.

Retrieve noc-

authenticate.vbs

Retrieve noc-authenticate.vbs from \backend\vb and put it into a working folder.

You will also need cscript, which is a Microsoft tool that enables you to run

VBScript from the command line. If cscript is not installed on your system, go to

the Microsoft site and download it. It is part of Windows 2000 SP3.

Running the

program

The program runs from a command line session with the syntax:

cscript noc-authenticate.vbs "CN3200_domain_name" "username"

"password" “user_IP” “client certificate”

The program posts the information you specify to the following URL:

https://www.noc-cn3000.com:8090/goform/HtmlNocLoginRequest

The CN3200 will answer the post with the results of the RADIUS authentication.

The program will print these results so you can view them. For a complete

description of all possible return values, see “Authentication results” on

page 348.

Examples Example 1 - successful authentication

In this example, authentication is requested for a valid customer account that was

defined during creation of the backend sample with Login name = user and

Password = user.

cscript noc-authenticate.vbs "www.noc-cn3000.com" "user" "user" "192.168.1.10"

"LOCAL_MACHINE\Test-Only client certificate for demo"

Microsoft (R) Windows Script Host Version 5.6

reserved.

result: 10

status: 100

url: https://206.162.167.226:8888/cebit-php/

welcome.php?site=eperie-cn3000&u

Parameter Description

CN3200_domain_name Specify the domain name or IP address of the CN3200.

For this example, use the domain name www.noc-

cn3000.com.

usename Specify the name of an existing user account.

password Specify the password for the user account.

user_IP Specify the the IP address of the client station you want

to grant access to.

client_certificate Specify the name of client certificate. For this example,

the name of the client certificate is Test-Only client

certificate for demo. This is the distinguished name that

was specified when the certificate noc-client.pfx was

created.

Chapter 20: Experimenting with NOC authentication 347

DRAFT

ser=user02&wantedurl=&nasipaddress=&nasid=L003-00069

session-url: http://192.168.1.1:8080/session.asp

A result of 10 with a status of 100 means that authentication was successful. For

a description of this and other return codes, refer to “Authentication results” on

page 348.

Since authentication was successful, the CN3200 returns the welcome page

URL that the customer should be redirected to.

The session page URL is also returned, so that the customer’s web browser can

be asked to open the session window.

Example 2 - successful authentication, already logged-in:

This example re-executes the previous command, resulting in an error because

the customer is already logged in.

cscript noc-authenticate.vbs "www.noc-cn3000.com" "user" "user" "192.168.1.10"

"LOCAL_MACHINE\Test-Only client certificate for demo"

Microsoft (R) Windows Script Host Version 5.6

reserved.

result: 10

status: 400

A result of 10 with a status of 400 means that the customer is already logged in.

Chapter 20: Experimenting with NOC authentication 348

DRAFT

Authentication results

The file noc.h contains the definitions used by the CN3200 when building the

authentication results that are sent in reply to a customer authentication request.

noc.h contents

/******************************************************************************

* noc.h - Definition of messages and constants used for NOC authentication

* This code is provided "as is", without any warranty of any kind, either

* expressed or implied, including but not limited to, any implied warranty

* of merchantability or fitness for any purpose.

* In no event will Colubris Networks Inc. or any party who distributed

* the code be liable for damages or for any claim(s) by any other party,

* including but not limited to, any lost profits, lost data or data rendered

* inaccurate, losses sustained by third parties, or any other special,

* incidental or consequential damages arising out of the use or inability to

* use the program, even if the possibility of such damages has been advised

* against.

* The entire risk as to the quality, the performance, and the fitness of the

* program for any particular purpose lies with the party using the code.

* This file should be usable on both win32 and Unix platforms.

******************************************************************************/

#ifndef _NOC_H_

#define _NOC_H_

// Codes that will be returned by the authentication function

#define ERR_NOC_AUTHENTICATION_BASE 0x1000

#define ERR_NOC_AUTHENTICATION_SUCCESS (ERR_NOC_AUTHENTICATION_BASE + 1)

#define ERR_NOC_AUTHENTICATION_FAILURE (ERR_NOC_AUTHENTICATION_BASE + 2)

#define ERR_NOC_AUTHENTICATION_DISABLED (ERR_NOC_AUTHENTICATION_BASE + 3)

#define ERR_NOC_AUTHENTICATION_LOGGED_IN (ERR_NOC_AUTHENTICATION_BASE + 4)

// Messages that will be sent to the client in reply to an authentication

// request.

#ifdef _WIN32

// Using UNICODE constants

#define NOC_HTML_BEGIN L"<html>"

#define NOC_HTML_END L"</html>"

#define NOC_INFO_STATUS L"status"

#define NOC_INFO_WELCOME_URL L"welcome-url"

#define NOC_INFO_LOGIN_ERR_URL L"login-err-url"

#define NOC_INFO_ERR_MESSAGE L"external-err-msg"

#define NOC_INFO_INT_ERR_MESSAGE L"local-err-msg"

#define NOC_INFO_SESSION_URL L"session-url"

// Possible values for NOC_INFO_STATUS

#define NOC_STATUS_SUCCESS L"success"

#define NOC_STATUS_FAILURE L"failure"

#define NOC_STATUS_DISABLED L"disabled"

#define NOC_STATUS_LOGGED_IN L"already-logged-in"

Chapter 20: Experimenting with NOC authentication 349

DRAFT

Returned values The following examples show the information returned for various authentication

conditions.

NOC authentication mode is not enabled:

<HTML>

NOC_INFO_STATUS=NOC_STATUS_DISABLED

</HTML>

The CN3200 did not receive the login application’s SSL certificate

The login application did not send its certificate. Therefore, the request was

rejected.

<HTML>

NOC_INFO_STATUS=NOC_STATUS_FAILURE

NOC_INFO_INT_ERR_MESSAGE=NOC_CANNOT_GET_PEER_CERT

</HTML>

Certificate mismatch

The login application sent an SSL certificate that does not match the one defined

by ssl-noc-certificate in the RADIUS profile for the CN3200.

<HTML>

NOC_INFO_STATUS=NOC_STATUS_FAILURE

NOC_INFO_INT_ERR_MESSAGE=NOC_CANNOT_GET_PEER_CERT

</HTML>

// Possible values for NOC_INFO_INT_ERR_MESSAGE

#define NOC_CANNOT_GET_PEER_CERT L"cannot-get-peer-cert"

#define NOC_MISSING_USERNAME_OR_PASSWORD L"missing-username-or-password"

#define NOC_CERT_EXPIRED L"cert-expired"

#define NOC_CERT_NOT_YET_VALID L"cert-not-yet-valid"

#define NOC_CERT_NOT_IDENTICAL L"cert-not-identical"

#define NOC_CERT_NOT_SIGNED_BY_AUTHORIZED_CA L"cert-not-signed-by-authorized-ca"

#else

#define NOC_HTML_BEGIN "<html>"

#define NOC_HTML_END "</html>"

#define NOC_INFO_STATUS "status"

#define NOC_INFO_WELCOME_URL "welcome-url"

#define NOC_INFO_LOGIN_ERR_URL "login-err-url"

#define NOC_INFO_ERR_MESSAGE "external-err-msg"

#define NOC_INFO_INT_ERR_MESSAGE "local-err-msg"

#define NOC_INFO_SESSION_URL "session-url"

// Possible values for NOC_INFO_STATUS

#define NOC_STATUS_SUCCESS "success"

#define NOC_STATUS_FAILURE "failure"

#define NOC_STATUS_DISABLED "disabled"

#define NOC_STATUS_LOGGED_IN "already-logged-in"

// Possible values for NOC_INFO_INT_ERR_MESSAGE

#define NOC_CANNOT_GET_PEER_CERT "cannot-get-peer-cert"

#define NOC_MISSING_USERNAME_OR_PASSWORD "missing-username-or-password"

#define NOC_CERT_EXPIRED "cert-expired"

#define NOC_CERT_NOT_YET_VALID "cert-not-yet-valid"

#define NOC_CERT_NOT_IDENTICAL "cert-not-identical"

#define NOC_CERT_NOT_SIGNED_BY_AUTHORIZED_CA "cert-not-signed-by-authorized-ca"

#endif

Chapter 20: Experimenting with NOC authentication 350

DRAFT

Certificate not valid yet

The login application sent an SSL certificate that matches the one defined by ssl-

noc-certificate in the RADIUS profile for the CN3200. However, the certificate

that was sent is not yet valid.

<HTML>

NOC_INFO_STATUS=NOC_STATUS_FAILURE

NOC_INFO_INT_ERR_MESSAGE=NOC_CERT_NOT_YET_VALID

</HTML>

Certificate not valid anymore

The login application sent an SSL certificate that matches the one defined by ssl-

noc-certificate in the RADIUS profile for the CN3200. However, the certificate

that was sent is not valid anymore.

<HTML>

NOC_INFO_STATUS=NOC_STATUS_FAILURE

NOC_INFO_INT_ERR_MESSAGE=NOC_CERT_EXPIRED

</HTML>

Certificate not signed by proper CA

The login application sent a valid SSL certificate that matches the one defined by

ssl-noc-certificate in the RADIUS profile for the CN3200. However, it the

certificate is not signed by the CA defined by noc-ca-certificate in the RADIUS

profile for the CN3200

<HTML>

NOC_INFO_STATUS=NOC_STATUS_FAILURE

NOC_INFO_INT_ERR_MESSAGE=NOC_CERT_NOT_SIGNED_BY_AUTHORIZED_CA

</HTML>

Missing username and/or password

The customer’s username or password was not supplied.

<HTML>

NOC_INFO_STATUS=NOC_STATUS_FAILURE

NOC_INFO_INT_ERR_MESSAGE=NOC_MISSING_USERNAME_OR_PASSWORD

</HTML>

The specified IP address is already logged in

<HTML>

NOC_INFO_STATUS=NOC_STATUS_LOGGED_IN

</HTML>

Authentication was successful

<HTML>

NOC_INFO_STATUS=NOC_STATUS_SUCCESS

NOC_INFO_WELCOME_URL=<welcome url>

NOC_INFO_SESSION_URL=<session url>

</HTML>

Authentication failed

<HTML>

NOC_INFO_STATUS=NOC_STATUS_FAILURE

NOC_INFO_ERR_MESSAGE=<error message>

NOC_INFO_LOGIN_ERR_URL =<login error url>

</HTML>

Logout succeeded

<HTML>

NOC_INFO_STATUS=NOC_STATUS_SUCCESS

</HTML>

Logout failed

<HTML>

NOC_INFO_STATUS=NOC_STATUS_FAILURE

NOC_INFO_INT_ERR_MESSAGE=<error message>

</HTML>

Chapter 20: Experimenting with NOC authentication 351

DRAFT

Examples The following examples show the actual HTML code returned file for various

authentication conditions.

Customer was successfully authenticated by the RADIUS server

<HTML>

status=success

welcome-url=https://206.162.167.226:8888/cebit-php/

welcome.php?site=www.noc-

CN3200.com&user=user00&wantedurl=&nasipaddress=&nasid=L003-00069

session-url=http://192.168.1.1:8080/session.asp

</HTML>

Customer’s IP address is already in use by an active session

<HTML>

status=already-logged-in

</HTML>

Customer authentication was refused by the RADIUS server.

This could be due to an unknown username, or invalid username or password.

<HTML>

status=failure

external-err-msg=Your login was refused.

error.php?site=eperie-cn3000&user=user12&nasipaddress=

</HTML>

Customer could not be authenticated

The CN3200 could not contact a RADIUS server.

<HTML>

status=failure

external-err-msg=You cannot be logged in at this time. Please try

again later.

error.php?site=eperie

-cn3000&user=user12&nasipaddress=

</HTML>

Chapter 20: Experimenting with NOC authentication 352

DRAFT

Chapter 21: The configuration file 353

DRAFT

Chapter 21: The configuration file

Chapter 21

The configuration file

This chapter provides an overview of the configuration file and explains

how to edit it.

Chapter 21: The configuration file 354

DRAFT

Manually editing the config file

The configuration file contains the settings for all customizable parameters on the

CN3200. Almost all of these parameters can be set using the web-based

management tool. However, certain infrequently-used parameters can only be

set by manually editing the configuration file.

Retrieving/

restoring the

configuration file

To edit the configuration file, you must first retrieve it from the CN3200. Once

edited, it then needs to be restored. There are several ways to do this:

• The easiest way to accomplish both tasks is via the management tool. Use the

Config file management page on the Maintenance menu to download/upload

the configuration file.

• HTTPS: The configuration file can be downloaded and uploaded via HTTPS.

Using a tool like cURL makes this easy. See “Configuration management” on

page 53 for details.

• Many configuration file parameters are also accessible via SNMP. For details

see the comments inside the Colubris-Maintenance-MIB which is available on

the the Colubris Networks web site.

Important: The local username and password for the administrator is not saved

when you use the Backup Configuration option. If you upload a configuration file,

the old username and password are therefore not updated.

Important: If you upload a configuration file with an invalid structure, it is

possible to put the CN3200 into an unstable state. To return to normal operation,

do a factory reset.

Chapter 21: The configuration file 355

DRAFT

Configuration file structure

The configuration file is an ASCII file and can be edited in a standard text editor.

Key components in the file are:

•Block: A block contains sections, sub-sections, and parameters. Blocks start

with:

%begin block_name

and end with

%end block_name

•Section: A section contains sub-sections and parameters. Sections start with:

[SECTION_NAME]

and end with another block or section name. Section names are not case

sensitive.

•Sub-section: A sub-section contains parameters. Sub-sections start with:

<SUB-SECTION_NAME>

and end with another block, section, or sub-section name. Sub-section names

are not case sensitive.

•Parameter: A parameter takes the form: parameter = value

Each parameter and value pair must appear on its own line. Parameter names

are not case sensitive. Parameter values are case-sensitive.

•Comments: Comments begin with the pound sign (#) and continue until the

end of the line.

• Dash (-) and underscore (_) characters can be used in section names, sub-

section names, and parameter names, and are strictly equivalent.

• Blank lines are ignored and may be added in to make the file easier to read.

• Strings containing spaces must be contained in double-quotes.

Chapter 21: The configuration file 356

DRAFT

Chapter 22: Building a cross-over cable 357

DRAFT

Chapter 22: Building a cross-over cable

Chapter 22

Building a cross-over cable

This chapter explains how to build a cross-over cable.

Chapter 22: Building a cross-over cable 358

DRAFT

Wiring details

Use the information in the following diagrams to build a cross-over cable.

Construction details for a standard category 5 cable.

Wiring diagram for a standard cable.

Wiring diagram for a cross-over cable.

Note: Some cable manufacturers may use different color codes for their wiring.

Pin numbers

Chapter 23: Troubleshooting 359

DRAFT

Chapter 23: Troubleshooting

Chapter 23

Troubleshooting

This chapter provides troubleshooting tips for a variety of common

problems.

Chapter 23: Troubleshooting 360

DRAFT

CN3200 issues

1 CN3200 cannot connect to the Internet (ISP)

Symptoms

• The current Internet address field on the home page is blank.

• CN3200 cannot contact RADIUS server.

Causes on the CN3200

• Wrong client (PPPoE, DHCP) selected to obtain IP address.

• Wrong username or password specified for PPPoE.

• Cable or xDSL modem was not restarted after connecting it to the CN3200.

• Cable or xDSL modem is not working.

• ISP is not working.

• Ethernet cable plugged into the wrong port on CN3200 or modem.

• Wrong Ethernet cable was used to connect CN3200 to modem.

• DNS settings are not correct or the DNS server is not reachable.

2 CN3200 fails to connect to the RADIUS server

Before you troubleshoot this problem, make sure that condition #1 does not exist.

Symptoms

• Red light on the Security > Authentication page does not change to green.

• Home page shows message “Authentication system is down”.

• Custom public access interface pages do not appear.

• MAC authenticated devices cannot reach Internet.

• Locally authenticated users cannot login.

Causes on the RADIUS server

Check the RADIUS server log file for the specific cause. Common causes are:

• No user profile is defined for the CN3200 or the profile is misconfigured.

Causes on the CN3200

Check the CN3200 log file for the specific cause. Common causes are:

• Wrong shared secret set on the Security > RADIUS page.

• Wrong username and password set on the Security > Authentication page.

• Old RADIUS servers may use a different UDP port or authentication scheme.

Check the settings on the Security > RADIUS page.

• There may be routing issues preventing the CN3200 from reaching the

RADIUS server.

• If you are using a VPN, make sure that it is properly configured on both sides.

• Custom firewall rules were added that block RADIUS packets (by default: 1812

and 1813 for accounting).

3 Lost administrator password

Reset the CN3200 to factory defaults. This sets username and password to

admin.

Chapter 23: Troubleshooting 361

DRAFT

Client station issues

4 Wireless client station cannot establish a wireless link with

the CN3200

Symptoms

• The CN3200 is not visible in the wireless client’s status display.

• The client station is unable to access to access the login page or public

resources on the wireless network.

Causes on the CN3200

• The wireless card on the back of the CN3200 is loose or missing.

• A brown out occurred. Restart theCN3200.

Causes on the client station

• Wireless adapter is not properly installed (wrong drivers, conflicts with other

cards in the system).

• Wireless adapter software is not active.

• Incorrect network name (ESSID). Make sure it matches the setting on the

CN3200.

• Incorrect WEP keys. Make sure that the keys match those set on the CN3200.

• Customer is out of operating range of the access point.

• Client station is using shared network authentication and WEP keys do not

match those configured on the CN3200.

Other causes

• Signal quality to one or more stations is poor or being subject to interference

(interference caused by 2.4 GHz cordless phone, or microwave oven for

example). This can cause excessive retransmissions of data and collisions.

5 Wireless client station cannot get an IP address

Before you troubleshoot this problem, make sure that condition #4 does not exist.

Symptoms

The client station is unable to access the login page or public resources on the

wireless network.

Causes on the CN3200

• DHCP services are not properly configured or reachable.

• WEP configuration does not match on CN3200 and client station.

Causes on the client station

• 802.1x support (if being used), is improperly configured.

Chapter 23: Troubleshooting 362

DRAFT

6 Authenticated customers cannot use the public access network

Symptoms

• Customer’s web browser times out when trying to open an external web page.

Although the session page will appear in most cases.

Causes on the CN3200

• Custom firewall rules are in place to block outgoing traffic.

• The target network resource is blocked by an access list definition.

Causes on the client station

DNS server is down.

7 Authenticated customer using 802.1x cannot use the public

access network

Before you troubleshoot this problem, make sure that condition #4 does not exist.

Symptoms

The client station was authenticated via 802.1x, and may even display an IP

address. However, it is unable to use the features of the public access network.

Causes on the CN3200/client station

• WEP configuration does not match settings on the CN3200.

8 Login page does not appear to unauthenticated wireless

customers

Before you troubleshoot this problem, make sure that conditions #2 and #5 do not

exist.

Symptoms

• Customer’s web browser times out when trying to open an external web page.

Causes on the CN3200

• DNS settings are not correct.

• If a remote login page is being used, then access to this page has not been

defined (using the appropriate access list) for authenticated customers.

Causes on the client station

• Customer’s browser is not installed or configured properly (set to use dial-up

connection instead of LAN).

• Client station has two network adapters and they are not properly configured.

9 Login page does not appear to unauthenticated wired

customers

Before you troubleshoot this problem, make sure that condition #2 does not exist.

Symptoms

• Customer’s web browser times out when trying to open an external web page.

Causes on the CN3200

• If a remote login page is being used, then access to this page has not been

defined (using the appropriate access list) for authenticated customers.

Chapter 23: Troubleshooting 363

DRAFT

• The CN3200 is not assigned an address on the same subnet as the wired LAN.

• The connection to the wired LAN was made on the wrong port (Internet port

was used instead of the LAN port), or with the wrong type of cable.

Causes on the client station

• Customer’s browser is not installed or configured properly (set to use dial-up

connection instead of LAN).

• Client station has two network adapters and they are not properly configured.

10 Login information must be specified manually when using

802.1x

Symptoms

Customers using 802.1x are not automatically logged in. Instead, they must

supply login information manually.

Causes on the CN3200

Support for 802.1x is not enabled on the Security > Authentication page.

11 Customer login is refused

Before you troubleshoot this problem, make sure that condition #2 does not exist.

Symptoms

Customers get the login error page after submitting their login information.

Causes on the CN3200

The settings for the RADIUS profile being used for customer authentication

(Security > RADIUS page) are improperly configured.

Causes on the client station

• Wrong username and/or password was supplied.

• 802.1x client settings configured improperly.

On the RADIUS server

• Customer is not properly configured.

• RADIUS server is not reachable.

12 Customer is automatically logged out.

Symptoms

Customers session is terminated by the CN3200.

Causes on the RADIUS server

• Customer exceeded an upload, or download quota, or session time.

• Customer was out of range of an access point for too long. (Controlled by the

Client station query setting on the Security > Authentication > Advanced

Settings page.)

• Customer session was idle for too long.

• Customer is using the same IP address as another customer. Both customers

are automatically logged out.

• CN3200 was restarted.

Chapter 23: Troubleshooting 364

DRAFT

13 Low wireless throughput

Symptoms

Client computers are experiencing delays when transmitting. One or more of

following statistics on the wireless status page are excessively high: Tx multiple

retry frames, Tx single retry frames, Tx deferred transmissions

Causes

• Too many client stations are using the network, or one or more clients is

monopolizing the bandwidth with excessively large transfers.

• Signal quality to one or more stations is poor or being subject to interference

(which can be caused by 2.4 GHz cordless phone or a microwave oven). This

can cause excessive retransmissions of data and collisions. Both create

overhead that will slow down overall throughput.

• One or more access points are sharing the same operating frequency. This can

cause excessive retransmissions to occur, especially if the units are physically

located close together and are on the same channel.

14 Specific Internet application does not work

Both the firewall and NAT can interfere with the operation of certain applications.

See “Firewall” on page 83 and “Network address translation” on page 89 for

more information.

Chapter 23: Troubleshooting 365

DRAFT

Management issues

15 Web browser cannot connect to management tool

Before you troubleshoot this problem, make sure that condition #1 does not exist.

Symptoms

Management tool home page does not open.

Causes on the CN3200

• Local access

• Web port was changed from default setting (Management > Management tool

page).

• Management tool is set to block access on the LAN port.

• Remote access

• Firewall is blocking HTTPS access.

• Management tool is set to block access on the Internet port or VPN.

• Another client station is currently logged in.

• A web server is running on the internal network using a static mapping for

HTTPS port 443.

Causes on a local client station

• Wrong IP address was specified. Default is 192.168.1.1 on the wireless/LAN

port, but this may have been changed.

• HTTP was specified instead of HTTPS.

• Wrong web port was specified. This will only occur if the web port was changed

from its default setting on the Management Tool configuration page.

Causes on a remote client station (via Internet)

• Wrong IP address was specified. Do not use 192.168.1.1., instead use the

address visible on the Internet port, (visible on the home page). This address

may change if you restart the CN3200 or your modem.

• Wrong web port was specified. This will only occur if the web port was changed

from its default setting on the Management Tool configuration page.

• HTTP was specified instead of HTTPS.

16 Firmware or configuration upload failed

Symptoms

Log file indicates that the upload failed via web or RADIUS profile.

Causes on the CN3200

• Firmware or configuration file is invalid.

• Wrong address was specified when using automatically firmware upload or

RADIUS server to upload the configuration file.

Other causes

• Remote server hosting the firmware is unreachable or down.

Chapter 23: Troubleshooting 366

DRAFT

Chapter 24: Regulatory, wireless interoperability, and health information 367

DRAFT

Chapter 24: Regulatory, wireless interoperability, and health information

Chapter 24

Regulatory, wireless interoperability,

and health information

Chapter 24: Regulatory, wireless interoperability, and health information 368

DRAFT

Regulatory information

The CN3200 complies with the following radio frequency and safety standards.

Canada - Industry Canada (IC)

This device complies with RSS 210 of Industry Canada.

Cet appareil numérique de la classe B est conforme à la norme NMB-003 et

CNR 210 d’Industrie Canada.

Europe - EU Declaration of Conformity

This device is for indoor use only.

Important: Users must select the proper country of operation in the

management tool to ensure wireless operational settings conform to local

regulations.

Important: If more than one unit is deployed users must ensure that the

operating frequencies are spread amoung different channels (according to

channel availability).

USA - Federal Communications Commission (FCC)

The CN3200 complies with Part 15 of FCC Rules. Operation of the CN3200 in a

system is subject to the following two conditions:

• This device may not cause harmful interference.

• This device must accept any interference that may cause undesired operation.

Caution: Exposure to Radio Frequency Radiation

The radiated output power of the CN3200 is far below the FCC radio frequency

exposure limits. Nevertheless, the CN3200 should be used in such a manner as

to minimize the potential for human contact during normal operation. When using

this device in combination with Colubris Networks antenna products, a certain

separation distance between the antenna and nearby persons has to be kept to

ensure FR exposure compliance.

Refer to the Regulatory Statements as identified in the documentation that

comes with those products for additional information.

When an external antenna is connected to the CN3200 it shall be placed in such

a manner as to minimize the potential for human contact during normal

operation. To avoid the possibility of exceeding the FCC radio frequency

exposure limits, human proximity to the antenna shall not be less than 20 cm (8

inches) during normal operation.

When no external antenna is connected, the RF output power of the CN3200 is

far below the FCC radio frequency exposure limits. Nevertheless, it is advised to

use the CN3200 in such a manner that human contact during normal operation is

minimized.

Interference Statement

The CN3200 has been tested and found to comply with the limits for a Class B

digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to

provide reasonable protection against harmful interference in a residential

installation.

The CN3200 generates, uses, and can radiate radio frequency energy. If not

installed and used in accordance with the instructions, it may cause harmful

Chapter 24: Regulatory, wireless interoperability, and health information 369

DRAFT

interference to radio communications. However, there is no guarantee that

interference will not occur in a particular installation.

If the CN3200 causes harmful interference to radio or television reception, which

can be determined by turning the CN3200 on and off, the user is encouraged to

try and correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the distance between the CN3200 and the receiver.

• Connect the CN3200 to an outlet on a circuit different from that which the

receiver is connected.

• Consult your dealer or an experienced radio/TV technician for help.

Colubris Networks Inc. is not responsible for any radio or television interference

caused by unauthorized modification of the CN3200, or the substitution or

attachment of connecting cables and equipment other than that specified by

Colubris Networks Inc.

The correction of interference caused by such unauthorized modification,

substitution or attachment is the responsibility of the user.

Chapter 24: Regulatory, wireless interoperability, and health information 370

DRAFT

Health Information

The CN3200, like other radio devices, emits radio frequency electromagnetic

energy. The level of energy emitted by the CN3200 is much less than the

electromagnetic energy emitted by other wireless devices, such as mobile

phones.

Because the CN3200 operates within the guidelines found in radio frequency

safety standards and recommendations, Colubris Networks believes that the

CN3200 is safe for use by consumers. These standards and recommendations

reflect the consensus of the scientific community and result from deliberations of

panels and committees of scientists who continually review and interpret the

extensive research literature.

In some situations or environments, the use of the CN3200 may be restricted by

the proprietor of the building or responsible representatives of the organization.

These situations may, for example, include:

• Using the CN3200 on board airplanes or,

• In any other environment where the risk of interference to other devices or

services is perceived or identified as harmful.

If you are uncertain of the policy that applies to the use of wireless devices in a

specific organization or environment (e.g. airports), you are encouraged to ask

for authorization to use the CN3200 prior to turning it on.

Chapter 24: Regulatory, wireless interoperability, and health information 371

DRAFT

Important

Ports LAN port

Do not connect this port directly to a metropolitan area network (MAN) or wide area network

(WAN).

Internet port

Do not connect this port directly to a metropolitan area network (MAN) or wide area network

(WAN).

Serial port

For future use. Do not connect this port to telecommunications equipment or a phone line.

Installation Important: Installation must be performed by a professional installer familiar with

local regulations governing wireless devices.

CAUTION: Changes or modifications not expressly approved by Colubris

Networks for compliance could void the user's authority to operate the

equipment.

The installation and operating configurations of this transmitter, including the

antenna gain and cable loss, must satisfy MPE Categorical Exclusion Limits of

2.1091. The antenna(s) used for this transmitter must be installed to provide a

separation distance of at least 20 cm from all persons and must not be co-located

or operating in conjunction with any other antenna or transmitter. Installers and

end users must be provided with operating instructions and antenna installation

conditions for satisfying RF exposure compliance requirements.

Chapter 24: Regulatory, wireless interoperability, and health information 372

DRAFT

Hewlett Packard Enterprise 55010016-1 Wireless Access Point User Manual 43 32 0000 01 AG CN3200 en

Hewlett-Packard Co Wireless Access Point 43 32 0000 01 AG CN3200 en

Contents

Installation Manual Part 2

Navigation menu

Namespaces

Views

Navigation