User’s Manual

V1.00.00

HSG326
Wireless Hotspot Gateway
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Copyright
The contents of this publication may not be reproduced in any part or as a whole, stored,
transcribed in an information retrieval system, translated into any language, or transmitted in any
form or by any means, mechanical, magnetic, electronic, optical, photocopying, manual, or
otherwise, without the prior written permission of 4IPNET, INC.

Disclaimer
4IPNET, INC. does not assume any liability arising out the application or use of any products, or
software described herein. Neither does it convey any license under its parent rights nor the parent
rights of others. 4IPNET further reserves the right to make changes in any products described herein
without notice. The publication is subject to change without notice.

Trademarks
4IPNET (4ipnet) is a registered trademark of 4IPNET, INC. Other trademarks mentioned in this
publication are used for identification purposes only and may be properties of their respective
owners.

ii
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Table of Contents

Chapter 1. Introduction ........................................................................ 6

1.1 4ipnet Solution Overview ........................................................................ 6
1.2 Key Terms & Concepts ............................................................................ 8
1.3 Recommended Configuration Sequence ................................................... 11
1.3.1 Common Settings ............................................................... 11
1.3.2 Advanced Settings and Application ....................................... 11
Chapter 2. WMI .................................................................................. 13
2.1. Web Management Interface ............................................................. 13
Chapter 3. Basic Network Settings ..................................................... 15
3.1. Network Planning ........................................................................... 15
3.1. Uplink (WAN) Configuration ............................................................. 16
3.2.1 WAN Settings .................................................................... 16
3.2.2. WAN Traffic Control ............................................................ 17
3.2.3. Uplink Detection & Failover .................................................. 18
3.3. Downlink (LAN side) VLAN option ..................................................... 19
3.3.1. Port-Based Service Zone ..................................................... 19
3.3.2. Tag-Based Service Zone ...................................................... 20
Chapter 4. User Authentication Database ........................................... 21
4.1. Authentication Database Configuration .............................................. 21
4.2. Built-in Authentication Databases ..................................................... 23
4.2.1. Local User Database ............................................................. 23
4.2.2. On-Demand User Database ................................................... 26
4.2.3. The Guest Authentication Option .......................................... 31
4.3. External Authentication Options ........................................................ 36
4.3.1. RADIUS ............................................................................. 36
4.3.2. Social Media ...................................................................... 39
Chapter 5. Group Attributes & Policy Rules......................................... 41
5.1 Overview of the Concept ................................................................. 41
5.2 Practical Setups of Group and Policies ............................................... 44
Chapter 6. Basic Service Zone Configuration ...................................... 50
6.1 The Concept of Service Zone ........................................................... 50
6.2 Service Zone Setup ........................................................................ 50
6.2.1. Tag-based or Port-based Service Zones ................................. 50
6.2.2. NAT Mode or Router Mode ................................................... 53
6.2.3. Service Zone Network Interface ........................................... 53
6.2.4. DHCP Server options ........................................................... 54
6.2.5. Wireless Settings ............................................................... 55
6.2.6. Authentication Options ........................................................ 55
6.2.7. Portal Customization ........................................................... 58
Chapter 7. Advance Settings for Network Environment ...................... 61
7.1 Network Utilities ............................................................................. 61
7.2 Black List ...................................................................................... 63
7.3 Certification ................................................................................... 65
7.3.1 System Certificate ............................................................... 65
7.3.2 Internal Root CA ................................................................... 67
7.3.3 Internally Issued Certificate ................................................. 68
7.3.4 Trusted Certificate Authorities .............................................. 69
7.4 Management Access ....................................................................... 69

iii
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 8. Utilities for Controller Management ................................... 70

8.1 Administrator Account Management.................................................. 70
8.2 Configuration Backup & Restore ....................................................... 73
8.3 Firmware Upgrade .......................................................................... 74
8.4 Restart.......................................................................................... 76
Chapter 9. Reports and Logs for Monitoring ....................................... 77
9.1 System Related Status .................................................................... 77
9.1.1 System Summary ............................................................... 77
9.1.2 Network Interface .............................................................. 79
9.1.3 Routing ............................................................................. 80
9.1.4 DHCP Server ..................................................................... 80
9.2 Client Related Status ...................................................................... 82
9.2.1 Online User ....................................................................... 82
9.2.2 Associated Non Login Users ................................................. 83
9.2.3 Roaming Out Users............................................................. 83
9.2.4 Session List ....................................................................... 84
9.3 Logs and Reports ........................................................................... 85
9.3.1 System Related .................................................................. 85
9.3.2 User Events ....................................................................... 86
9.4 Reports & Notification ..................................................................... 87
Chapter 10. Hotspot Application ........................................................... 89
10.1 On-Demand Billing Plans ................................................................. 89
10.2 On-Demand Billing Plan Types.......................................................... 90
10.2.1 Usage-time with Expiration Time .......................................... 90
10.2.2 Usage-time with No Expiration Time ..................................... 92
10.2.3 Hotel Cut-off-time .............................................................. 94
10.2.4 Volume ............................................................................. 95
10.2.5 Duration-time with Elapsed Time .......................................... 97
10.2.6 Duration-time with Cut-off Time ........................................... 99
10.2.7 Duration-time with Begin-and-End Time ............................... 100
10.3 Terminal Server Setup ................................................................... 102
10.4 Customizing POS Tickets ................................................................ 112
10.5 Creating Accounts ......................................................................... 117
10.6 User Self Service ........................................................................... 119
Chapter 11. Account Roaming............................................................. 124
11.1 Roaming Related ........................................................................... 124
11.2 WISPr for ISP Roaming .................................................................. 124
11.3 Local / On-Demand Account Roaming Out ........................................ 126
Appendix A. Installation ...................................................................... 129
Appendix B. External Pages ................................................................ 130
Appendix C. Useful Management & Evaluation Tools ............................ 143
Appendix D. On-Demand Account Types ............................................... 145
Appendix E. UI Reference Index ........................................................... 152
A. System.................................................................................... 153
1) General ................................................................................... 153
2) WAN ..................................................................................... 155
3) WAN Traffic .............................................................................. 156
4) LAN Ports ................................................................................ 156
5) Service Zones .......................................................................... 157
B. Users ...................................................................................... 164

iv
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

1) Groups .................................................................................... 164

2) Internal Authentication .............................................................. 165
3) External Authentication ............................................................. 168
4) On-Demand Accounts................................................................ 169
5) Schedule ................................................................................. 170
6) Policies .................................................................................... 171
7) Blacklists ................................................................................. 172
8) Privilege Lists ........................................................................... 172
9) Additional Control ..................................................................... 173
C. Network .................................................................................. 177
1) NAT ...................................................................................... 177
2) Monitor IP................................................................................ 179
3) Walled Garden and Walled Garden Ad.......................................... 180
4) Proxy Server ............................................................................ 181
5) Local DNS Record ..................................................................... 184
6) DDNS ...................................................................................... 185
7) Client Mobility .......................................................................... 185
F. Utilities .................................................................................... 186
1) Administrator Account ............................................................... 186
2) Backup & Restore ..................................................................... 190
3) Certificates .............................................................................. 192
4) Network Utilities ....................................................................... 195
5) Restart .................................................................................... 197
6) System Upgrade ....................................................................... 197
G. Status ..................................................................................... 198
1) System Summary ..................................................................... 198
2) Interface ................................................................................. 202
3) Monitor Users ........................................................................... 204
4) Process Monitor ........................................................................ 204
5) Logs & Reports ......................................................................... 205
6) Reporting ................................................................................ 207
7) Session List ............................................................................. 212
8) DHCP Lease ............................................................................. 213
9) Routing Table ........................................................................... 214

v
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 1. Introduction

1.1 4ipnet Solution Overview

4ipnet HSG & WHG are designed for network management over almost all current
network architectures, Layer 2 (Data Link Layer) and Layer 3 (Network Layer).

4ipnet HSG are suitable in Layer 2 network architecture, if you want to develop a
Layer 3 network, we strongly recommend you choose 4ipnet WHG Controller series.

Layer 2 networks are relative simple network deployment topology that span
physically under the LAN ports of 4ipnet HSG & WHG, we two deployment scenarios
are illustrated below.

【Layer 2 Network in Port Based Mode】

6
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

【Layer 2 Network in Tag Based Mode】

Layer 3 networks not only span physically under the LAN ports of 4ipnet WHG, it is
also capable of reaching over different IP networks to manage remote sites with
routable IP address via tunnels.

【Layer 3 Network with tunnels】

7
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

1.2 Key Terms & Concepts

Gateway is an edge device or network node where a small network attaches to a
bigger network. 4ipnet HSG Wireless Hotspot Gateways are in essence gateways in
a network environment. Conventionally, the bigger network is referred as the WAN
side or upstream network (physically connected via the WAN port), while the small
network is referred as the LAN side.

Local User is a type of user whose account credential is stored in the 4ipnet HSG
Wireless Hotspot Gateway’s built-in database named “Local”. The 4ipnet HSG
Wireless Hotspot Gateway’s “Local” database capacity varies with different model. A
local user account does not have an expiration date once they are created. If
administrator wishes to delete local accounts, this must be done manually from the
Web Management Interface. In addition, 4ipnet HSG Wireless Hotspot Gateway’s
Local database can be configured as an external RADIUS database for another
4ipnet HSG Wireless Hotspot Gateway for account roaming.

On-Demand User is a type of user whose account credential is stored in the

4ipnet HSG Wireless Hotspot Gateway’s built-in database named “On-Demand”. The
4ipnet HSG Wireless Hotspot Gateway’s “On-Demand” database capacity varies with
different model. On-Demand User is designed for short term usage purpose; it has
time or volume constraints and an expiration period. An On-Demand account record
will be recycled for creating new On-Demand account if it has expired for over 15
days or has been deleted by the Administrator/Manager manually. In addition,
4ipnet HSG Wireless Hotspot Gateway’s On-Demand database can be configured as
an external RADIUS database for another 4ipnet HSG Wireless Hotspot Gateway for
account roaming.

External Authentication Database is a user account database that is not built-in

the 4ipnet HSG Wireless Hotspot Gateway. Besides Local database and On-Demand
database, 4ipnet HSG Wireless Hotspot Gateway supports RADIUS for additional
types of External Authentication databases. External Authentication Database is

8
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

useful for both implementing account roaming and centralized account

management.

Service Zone is a logic partition of 4ipnet HSG Wireless Hotspot Gateway’s LAN.
The concept of Service Zone is that it is a virtual gateway with customizable login
portal page with its own gateway properties (such as LAN IP address, DHCP server
settings, authentication options, etc.). With up to nine independent Service Zone
profiles, 4ipnet HSG Wireless Hotspot Gateway is capable of servicing multiple
hotspot franchises with a single device.

LAN Port Mapping is the correspondence relationship of logical network partitions,

i.e. Service Zones to physical LAN ports on the 4ipnet HSG Wireless Hotspot
Gateway There are two modes of mapping available namely “Port-Based”, and “Tag-
Based”. Port-Based mode statically maps a Service Zone to clients down stream of a
physical LAN port. This mode will only service the maximum number of service
zones based on the amount of physical LAN ports. Tag-Based mode dynamically
maps a client to a service zone based on the VLAN ID tagged on the traffic packet.

Group is a user role profile which defines the accessibility of a user to different
Service Zones and in turn defines the QoS properties as well as network policy
when access is granted. Each and every connected user will belong to a Group,
determined by the type of user account used for authentication. If the administrator
does not assign a new account to any specific Group or for users not required to
authenticate, they will belong to a catch-all group named “None” by default.

Policy is the second tier of user control once a user’s Group profile has been
determined. Policy defines the firewall rules, privileges, login schedule, routing rules
and session limit which will be enforced to users of a particular Group. A user may
only belong to one Group but can be governed by different policies while accessing
different Service Zones.
For users belonging to the “None” group or users not explicitly assigned a network

9
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Policy, they will be governed by a default catch-all policy named ‘Global-Policy’. The
Global-Policy is a base policy which will be applied to all users if not applied with
another policy.

The following Figure is an example that depicts the relationship between Service
Zone, Group and Policy. In this example, Students and faculties logging into Service
Zone 1 will be governed by Policy-A. Guests only have access to Service Zone 3,
and will be bounded by Policy-C. Faculties have the access to both Service Zone 1
and Service Zone 2 under two different policies.

Service Zone 1 Service Zone 2 Service Zone 3

Policy-A Policy-B Policy-C

Group Group Group

Student Faculty Guest

【Relationship of Service Zone, Group and Policy】

10
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

1.3 Recommended Configuration Sequence

 Set up system’s Time Zone, NTP server, DNS server and WAN address
 Configure LAN address range for at least one Service Zone, and enable its
authentication.
 Create user accounts to test the login page via wire line in the enabled Service
Zone.
 Try to generate an On-Demand user and test the account.
 Configure Wireless Settings of Service Zone.
 Configure necessary Service Zones based on applications.
 Set up Group and Policy (including Firewall rules and Session Limit).
 Customize the portal login page and add walled garden Advertisement links if
needed.
 Set up Payment gateway to allow end user credit card self payment for On-
Demand accounts if needed.
 Load SSL certificate for the Web Server before operation.
 Monitor generated status pages and reports.
 Perform other advanced setting for other specific application.

1.3.1 Common Settings

For the most commonly deployed scenarios in a standard network, please refer to
Chapters 3 to 6.
Chapters 3 to 6 contain configuration topics that encompass the most commonly
used features in a typical network environment. It is recommended for users to
start from Chapter 3 and proceed through Chapter 6 for any deployment.

1.3.2 Advanced Settings and Application

Chapters 7 to 11 discuss about security, system maintenance, and monitoring.

These contents are useful once you have successfully configured the necessary
functionalities and are for operation usage once your network is up and running.

11
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Customers with needs to fulfill specific applications, integration with 3 rd party

devices, customization etc., please refer to Chapters 11 and beyond for advanced
feature setup.

12
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 2. WMI

2.1. Web Management Interface

The Web Management Interface (WMI) of the HSG Wireless Hotspot Gateway can
be accessed through a web browser (Firefox, Chrome, and Safari recommended) of
any PC connected to the LAN interface with the default IP address of
192.168.1.254.

The default administrator account and password is:

 Username: “admin”
 Password: “admin”

Upon the first login, the system prompts for the administrator to change password
to enforce system security. The password needs to be at least 6 characters long and
include at least one alphabet and one number.

You may refer to part F. of Appendix E for details on admin accounts configuration.

13
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

The WMI Welcome page is as shown below after a successful administrator login.

NOTE
1. To logout, simply click the Logout icon on the upper right corner of the
interface to return to the login screen.

14
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 3. Basic Network Settings

3.1. Network Planning

Before installing the 4ipnet HSG Wireless Hotspot Gateway, careful network
planning is required in order to meet the networking needs with the most efficient
utilization of network resources. Administrator of any organization should assess
the available network resources at hand, and design a suitable network topology
with resiliency, capacity, and survivability in mind.

Typically, organization networks today are a combination of manageable wired and

wireless LANs, sometimes even remote LANs. The main category of network
topologies supported by 4ipnet HSG Wireless Hotspot Gateway is Layer 2 Topology.

Layer 2 Topology
This network topology aims to build a managed Local Area Network (LAN) which
consists of both wired and wireless capabilities to provide network services to a
limited physical area such as office building, hotel, school premises, and etc.

【Graphical Illustration of Layer 2 Topology】

15
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Layer 2 Network Design Guidelines

 Always connect hierarchically. If there are multiple switches in a building, use an
aggregation switch.
 Locate the aggregation switch close to the network core (e.g. mainframe
housing)
 Locate edge switches close to users (e.g. one per floor)

3.1. Uplink (WAN) Configuration

3.2.1 WAN Settings

Configuration Path: Main Menu >> System >> WAN

The WAN port supports three connection configurations Static, Dynamic and
PPPoE. These connection types are adequate enough to support most ISP. The
Physical Mode drop-down list allows administrators to choose the speed and
duplex of the WAN connection. When Auto-Negotiation is On, the System chooses
the highest performance transmission mode (speed/duplex/flow control) that both
the system and the device connected to the interface support.

Depending on ISP’s interfacing device the WAN port is connecting, you need to

16
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

select the connection type applicable to you. For example, if your ISP is Cable
modem issuing Dynamic address, then you would select Dynamic connection.

Static: Manually specifying the IP address of the WAN Port. The fields with red
asterisks are required to be filled in.
Dynamic: It is only applicable for a network environment where the DHCP server is
available on the upstream network. Click the Renew button to get an IP address
automatically.

PPPoE: If your ISP provides PPPoE Dialup connection, then the ISP will issue you
an account with a password. You would need to enter the account credential in the
WAN configuration page for dialing up to the ISP.

NOTE
1. When in doubt, please consult your ISP provider regarding details of your
subscribed uplink service.

3.2.2. WAN Traffic Control

The Uplink and Downlink bandwidth configured here is the bandwidth for WAN
interface. However, please note that the actual bandwidth is still bounded by the
network speed of your ISP operator. For instance, when the network speed of your
ISP is limited to 1Gbps, the total throughput under such constraint will not be
greater than 1Gbps even if you configure 2Gbps on the Controller.

17
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

3.2.3. Uplink Detection & Failover

Uplink Detection
When the WAN interface has been configured with a valid uplink connection,
administrator may specify up to three outbound sites as detection target for
verifying whether the uplink service is alive or down. The controller will periodically
check the uplink status.
A field of warning message text may be customized by the administrator which will
be displayed on the user’s web browser when all three detection targets fail to
respond.

18
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

3.3. Downlink (LAN side) VLAN option

The Downlink of HSG Wireless Hotspot Gateway is basically your managed network
deployed for service. There are two types of deployment mode for networks
attached to the LAN ports of the HSG Wireless Hotspot Gateway: Port-Based mode
and Tag-Based mode.

NOTE
1. If HA feature is in Enabled status, LAN1 will be transformed into a dedicated
HA port and will not be able to service any Service Zone.

Configuration Path: Main Menu >> System >> LAN Ports

3.3.1. Port-Based Service Zone

Port-Based mode operates with the principle that each physical LAN port can be
mapped to an enabled Service Zone or disabled from providing service. Operating
under port based mode therefore means the maximum amount of Service Zones
available to actually provide service is determined by the number of LAN ports on
the Controller.

19
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

3.3.2. Tag-Based Service Zone

Tag-Based operation mode operates under the principle that different Service Zones
are identified by VLAN ID. This means that Tag-Based operation allows each
physical LAN port to accept traffic for any enabled Service Zones Traffic handling
will be processed internally according to the VLAN ID traffic packets carry.

20
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 4. User Authentication Database

4.1. Authentication Database Configuration

Authentication database is a storage device where users’ credentials may be
inquired for validity. When a user is associated to an authentication enabled in
Service Zone, the 4ipnet HSG Wireless Hotspot Gateway checks the database to see
if the submitted user ID and password combination exists, in order for the user to
get network access. 4ipnet HSG Wireless Hotspot Gateways support built-in and
external authentication databases.
All the authentication options are listed below:

Built-in Authentication options

Local with user credentials stored in the built-in Local database.
On-Demand with user credentials stored in the built-in On-Demand database.
Guest is an access option that allows users to access networks with any specified
identity token on the login page.

External Authentication Options

These options use external servers to implement the authentication process. 4ipnet
HSG Wireless Hotspot Gateways support the most common external authentication
options: RADIUS.

21
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

【Graphical illustration of authentication databases in relation to HSG Wireless

Hotspot Gateway】

The configurations of authentication options for Internal and External authentication

are done separately. The 2 external authentication servers (RADIUS) are
customizable and can be enabled concurrently.

NOTE
1. Authentication Options may be selectively enabled or disabled to authenticate
users in each Service Zone profile.

22
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

4.2. Built-in Authentication Databases

Configuration Path: Main Menu >> Users >> Internal Authentication

4.2.1. Local User Database

This type of authentication method checks the local database that stores user, often
the staff and credentials internally. The Local user database is designed to store
static accounts which will not be deleted unless manually performed by
administrator.

Configuration Path: Main Menu >> Users >> Internal Authentication >> Local >>
Local User List

Account generation
Click Add User to create one or multiple accounts.

23
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

NOTE
1. The fields with red asterisk are mandatory fields while the others are
optional.
2. MAC Address field once configured will bind this particular account
under the condition that it may only be granted access using the device
specified.
3. The Group field specifies the group profile of the account being created.
4. Remark is for any additional note administrator would like to stress. It
will be shown on the user list.
5. Expiration are optional time constraints which may be enforced to this
account if the Account Span option is checked. This is a useful attribute
if used in complement with Multiple Login, ideal to provide network
access to a group of people for a specified amount of time, for instance
during a seminar event.

Account Import and Export

The Local user database can import and export user credentials by using the Upload
and Download functions respectively. The download file will be a text file in csv
format displayed in a new browser window, administrator can perform “save as” to
backup the user accounts in PC storage for future use. Upload operation is
performed by browsing for a backed up txt file and import the accounts back into
the Local user database.

24
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

NOTE
1. The txt files generated may be inter-used by all HSG Wireless Hotspot
Gateway series as the defined csv format are consistent for all models.
2. Duplicated accounts will result in upload failure and a warning message
will be displayed.

Modifications to Account Credentials

For existing user accounts, further modification is possible simply by clicking the
username hyperlink on the page to reconfigure account attributes.

Deleting Accounts
Accounts in the Local user database may be deleted individually or entirely by
selecting the “Select All” checkbox. There will be a popup window asking if you are
sure to carry out the action.

25
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

4.2.2. On-Demand User Database

The On-Demand user database is designed for guest user account provisioning with
time or traffic volume constraints. Ideal for deployment needs of Hotels, Hotspot
venues, Enterprise visitor reception, and more. The On-Demand Authentication
option offers plenty of options for customization. POS tickets can be customized to
businesses’ needs, and multiple payment options are also available on the HSG
Wireless Hotspot Gateways.

Configuration Path: Main Menu >> Users >> Internal Authentication >> On-
Demand

26
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

On-Demand Account Settings

1. General Settings for the On-Demand Account database can be configured on
this page. General Settings include the customization of POS/Web tickets,
Payment Gateway options, and etc. When Terminal Servers (such as the
SDS200W) are deployed for account generation, remember to configure the IP
and Port in Terminal Server configuration. The HSG Wireless Hotspot Gateway
can work in hand with Clickatell SMS server for On-Demand accounts
credentials to be sent to users via SMS message.

27
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

With a set of Clickatell account Username/Password, the SMS Gateway can be

configured to send SMS messages upon On-Demand account creation. The SMS
service can be used for free access, paid access with payment gateway integration,

28
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

or both. Define an API ID and activate the desired billing plans. Multiple Billing
Plans may be activated if needed. To prevent the SMS Gateway from being flooded
by SMS queries for account generation, an Account Registration Control option is
available. In addition, the administrator has an option of allowing or disallowing
users to register for new accounts prior to account expiration. To block valid
accounts from requesting new accounts, set option to “Enabled”.

With the SMS Gateway enabled, the Billing Plan selection page will appear as such:

Note that the Billing Plan selection page may be customized if needed.

2. Define account usage terms in Billing Plans. Up to 10 billing plan profiles are
available for the administrator to customize the terms of use by selecting an
appropriate account type. The User Group profile for each Billing Plan is also
assigned here.

29
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

NOTE
1. For more detailed information on the four major account types, please
refer to Appendix D.
2. For more detailed information on Ticket Customization, please refer to
the 4ipnet Application Note on Ticket Customization.

On-Demand Accounts

Configuration Path: Main Menu >> Users >> On-Demand Accounts

After enabling the selected Billing Plans, On-Demand Accounts generation can be
done on On-Demand Account Creation. On-Demand accounts can be created
individually or in batches.

The On-Demand Accounts List houses all the existing On-Demand accounts.
Each account’s status, quota, etc. will be displayed for reference. On-Demand
account import, export, deletion and Admin Redeem are also performed on this
page.

The status of On-Demand accounts are defined as valid, out of quota and expired.

30
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Valid = On-Demand account in active or quota remaining

Total = Valid + Out-of-Quota + Expired

Besides, such valid and total number of On-Demand accounts are informed in the
end of this list.

4.2.3. The Guest Authentication Option

The Guest Authentication Option is not technically a user database, but rather a
specially designed option to allow a user to access and surf the network without any
user account or password.

This feature allows the user to associate with a particular Service Zone, enter a
specified string of text which may be a social security number, email, etc. defined by
the administrator, and use the network without actual authentication.

The terms of use as well as usage constraints may be configured in the Guest
authentication option profile.

Configuration Path: Main Menu >> Users >> Internal Authentication >> Guest

31
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Step1: Setting up the Guest authentication profile.

Selecting Visible helps administrators enable Guest Login Input which allows
clients to access internet by entering emails. The E-mail Denial List checks the
email domains for login permission, if prevention of junk mailboxes is desired. Guest
Questionnaire provides administrators with options to customize extra questions on
the login page for guest login, where the access information from guest users would
be collected and viewed in the Guest Information list. Guest Access Time when
set to “Limited” will enforce a usage time constraint based on MAC addresses. If the
Quota is set to 30 minutes, each device may only be allowed 30 minutes of usage,
and a new session will only be possible once the Reactivation time has elapsed.
Administrators also get to decide how many times a device can request for a free
account in a day by configuring Access Limit. Guest users are then mapped to a
selected User Group for policies application.

32
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Email verification ensures that the entered email is a valid email address. When
this option is enabled, an activation time is allocated to the client. The client then has
to activate this account within the activation time to extend his/her usage time by
clicking a link in the mail sent by the mail server. Note that the activation is merely
a timer and does not add to the account’s Quota. The Sender Name, Email Subject,
Email Content are all customizable as soon as the SMTP server is ready. SMTP server
configuration is done by clicking the “Assign SMTP Server” button.

33
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Step2: Setting up the Social Media Login profile.

4ipnet WHG-series Controllers also provide a convenient method for guest

authentication; Social Media Login enables client to access internet by logging in
with their own Social Media Accounts, ex. Facebook, Google+, and Open ID. The
detail configuration can be done with the hyperlink to Social Media Login with these
application registration IDs or secrets (see 4.3.6 Social Media). Some information of
the accounts are available for collection in the Guest Information list for
administrators’ further analysis or marketing purposes. Account names, account
emails, gender, birthdays, and location on the Social Media Account List are
downloadable for administrators’ data manipulation. Guest Questionnaire answer
sheets are displayed over following custom columns as well.

Administrators are able to download the collected guest information by clicking

“Download” button, besides, a ”Delete All” button is available for deleting all the
stored data. Administrator can delete all entries after export to keep the list up-to-
date.

NOTE
 When Social Media Login or Guest Questionnaire is enabled,
the controller collects information from the clients. Please
enable Disclaimer or customized login page to include claims
and reminders.

34
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Step3: Implement into specific Service Zones and login pages

Choose the desired Service Zone where you would like to apply the Guest
authentication option - Go to Main Menu > System > Service Zone > Configure. Scroll
down the page to Authentication Options. Check to enable the option for Guest
Authentication Option as shown in the figure below.

Consequently, after going through configurations from STEP 1 to STEP 3, end users
will see that the an additional section for guest access will show on the Service
Zone’s login page.

By typing an email address and click login or by clicking Social Media Login button,
approving the terms and condition of free accessing public Wi-Fi, the guest users will
be able to access the network with constraints specified in Guest Authentication
Option profile and the Group profile. MAC address will be checked to avoid malicious
use of free access.

35
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

4.3. External Authentication Options

Most organizations have already established a centralized user account servers.

Consequently, 4ipnet HSG Wireless Hotspot Gateways are equipped with a variety of
external authentication options so as to support account roaming and adapt to
existing network. A simple illustration of using external authentication is shown below.

NOTE
1. Please note that having configured the authentication options whether
using built-in or external databases, they will need to be enabled in each
enabled Service Zones individually.

4.3.1. RADIUS

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that

provides centralized Authentication, Authorization, and Accounting (AAA)
management for computers to connect and use a network service. It is also the
most commonly used external authentication mechanism in use today.

Configuration Path: Main Menu >> Users >> External Authentication

36
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Server 2 by default is configured to use RADIUS authentication. 4ipnet HSG

Wireless Hotspot Gateways support RADIUS authentication, RADIUS class mapping,
and RADIUS transparent login with 802.1X.

Below is the detailed configuration page of RADIUS settings. Attributes of the

Primary RADIUS Server and Secondary RADIUS Server can be configured
depending on service deployment.

37
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

38
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Another important setting field is the Class-Group Mapping on the page. It is a

translation setting which maps RADIUS classes to different groups on the 4ipnet HSG
Wireless Hotspot Gateway, enabling different RADIUS accounts to be incorporated
into different Groups.

4.3.2. Social Media

Social Media Login allows Wi-Fi users to access internet without going through a
tedious account registration process. 4ipnet HSG Wireless Hotspot Gateway
supports four kinds of social media accounts, Line, Facebook, Google+ and Open
ID. All administrators have to do is to apply the corresponding ID and secret.

39
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

When a user clicks the button to sign in with social media accounts, he/ she will be
redirected to the social media sites for login and granting permissions. This
configuration page is where how Controller to connect with social media sites.
 Line: visit the website at Facebook developers site
(https://developers.line.me/channels/) and apply “Line Login” APP to get
the app ID and app secret.
 Facebook: visit the website at Facebook developers site
(https://developers.facebook.com/) and apply for “Facebook Login” APP
to get the app ID and app secret.
 Google+: visit the website at Google Developers Console
(https://console.developers.google.com/) and apply for “Google+ API” to get
the client ID and secret.
 Open ID: the login path must be traversed and added into OpenID Walled
Garden and the redirection target depends on OpenID provider.

40
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 5. Group Attributes & Policy Rules

All 4ipnet HSG Wireless Hotspot Gateway models utilize ‘Group’ and ‘Policy’ to
define user accessibility and network privileges in order to set constraints on users’
behavior. Since grouping, policy setting, and service zones are intertwined with one
another, this section will proceed to clarify the concepts of grouping, policy, and
their relationship with the Service Zone, followed by practical setup processes on
these three attributes.

5.1 Overview of the Concept

 Group

A Group is a set of users that admin considers they share some extent of similar
characteristics, i.e. role based. For example, in a university, there are students, the
faculty staff, and guests, in general. Therefore an IT staff may set up three Groups
that distinguish these three categories of Internet service users apart by giving
these Group different permissions of Internet accessibility. In the 4ipnet WHG
models, there are eight to twenty-four Group profiles, depending on the model
capacity.

41
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

On-Demand users, Local users, may be assigned to different Groups per account.
As for those who are authenticated by external servers, 4ipnet HSG Wireless
Hotspot Gateways also offer Group assignment per account for RADIUS via Class-
Group Mapping.

In each Group profile, there are several attributes that can be defined by
administrator:
1. Quality of Service (QoS):
Traffic class choice of Voice, Video, Best effort, and background.
Total uplink and downlink rates shared by all groups members
Individual maximum downlink and uplink rates
2. Privilege Profile:
On-Demand account privilege to enable authenticated users of a certain Group
to generate On-Demand accounts in Controller’s default / template login success
page.
Password change privilege to allow users to change their own passwords
subsequent to a successful login in Controller’s default / template login success
page.
Maximum Concurrent Sessions determines the number of concurrent log-ins
allowed per user.
3. Service Zone accessibility:
The permission to access or deny access to particular Service Zones as well as
the Policy bundled may be configured.

 Policy

Policy, as the term suggests, are profiles of network governing constraints which
are enforced upon users, including firewall rules, login schedule, routing rules and
session allowances. There is a Global policy, which will be applied if a user belongs
to a Group not bound to any Policy. The number of Policy profiles will be model
dependent.

42
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Group and Policy profiles are separated for more flexibility. This allows users of the
same Groups to be bound with different Policies according to Group-Service Zone
permission mapping settings the administrator defines. For instance, a user from
group 1 may be imposed by policy 1 in service zone 1, but policy 3 when he goes to
service zone 3.

 Relationship Between Group, Policy, and Service Zones

The first figure displays the relationship between group and policy and the
attributes that can be defined in each category. Admin can define the relationships
between policy, group, and service zone from two points of view- the view of
mapping groups to service zones and the other way around. Please see visual
explanation below:

43
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

5.2 Practical Setups of Group and Policies

This section demonstrates with screenshots on how to practically set up the groups
and policies on the WMI of the 4ipnet HSG Wireless Hotspot Gateway.

 Group Overview
Configuration Path: Main Menu >> Users >> Groups >> Overview

The Group Overview table gives a summary of which Authentication Servers are
used for each corresponding Group. User Groups assigned to a Billing Plan for the
On-Demand Authentication Database are also shown here.

 Group Settings
Configuration Path: Main Menu >> Users >> Groups >> Configuration

The Group Configuration – Group x table is for Policy settings to be defined for
the Group. Multiple Device Login (except for On-Demand) can be enabled here.
The Zone Permission Configuration & Policy Assignment – Group x table
enables admin to determine the relationships between Group, Policy, and Service
Zones.

44
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Check the Status checkboxes to allow users of this Group to access the
corresponding Service Zones. To configure from a Service Zone’s perspective please
go to Access Permission and Authorization in Service Zone Settings.

45
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Policy Settings
Configuration Path: Main Menu >> Users >> Policies >> Policy Configuration

1. Select Policy allows administrator to choose which Policy Profile to configure.

2. Firewall Profile is for defining service protocols, user firewall rules, and Layer 2
Firewall settings.

46
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

3. Privilege Profile configures the On-Demand Account creation, Password change

privileges and Maximum concurrent sessions.
4. QoS Profile allows administrator to edit traffic configuration.
5. Specific Route Profile is where the administrator may statically assign routing
nodes to forward traffic to a certain destination.

Select one of the policies in the drop-down list and start configuring each attribute
by clicking Configure. After the setting, remember to always click Apply to save
the changes made. Note again that the Global Policy is the policy that applies to all
users in all service zones that is not explicitly governed by a policy profile.

 Schedule

Configuration Path: Main Menu >> Users >> Schedule

The Schedule is the assignment of allowed user login periods from clock time on an
hourly basis. The unchecked time slots imply that user under this policy will be
unable to login under that specific time interval.

Defined Schedules are then applied in Group Configuration.

47
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Grouping Users

A Group is determined by authentication servers, class (RADIUS) or accounts

individually (Local, On-Demand).

Generally a Group is assigned to all users of an authentication option

Users > Authentication > Auth Option > Group

However, there are the following flexibilities:

 Local accounts may be assigned a Group per account individually upon
creation or from the following path for existing accounts Users >
Authentication > Local > Configure > Local User List > username (There is
an Applied Group row for admin to determine the attribute)

 On-Demand accounts may be assigned a Group per account individually

upon creation.

 RADIUS users can have users assigned to different Groups based on RADIUS
class. The mapping can be configured at Users > Authentication > RADIUS >
Configure > Class-Group Mapping > Configure

 Policy Priority

Policy can be configured at Group-Service Zone permission mapping or Service

Zone Default policy when authentication is disabled.

48
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

The Policy enforcement priority is as follows:

 Authentication is enabled: Group-Service Zone Mapping > Global Policy

 Authentication is disabled: Service Zone default Policy > Global Policy

49
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 6. Basic Service Zone Configuration

6.1 The Concept of Service Zone

Service Zones are virtual partitions of the physical LAN side of a 4ipnet Controller.
Similar to VLANs, they can be separately managed and defined, having their own
user landing pages, network interface settings, DHCP servers, authentication
options, policies and security settings, and so on. By associating a unique VLAN Tag
(when it is tag-based) and an SSID with its Service Zone, administrator can flexibly
separate the wired and wireless networks easily.

6.2 Service Zone Setup

6.2.1. Tag-based or Port-based Service Zones

4ipnet HSG Wireless Hotspot Gateways offer two modes of physical LAN port to
service zone mappings, namely port-based mode and tag-based mode. Intuitively
as the name suggests, Port-based mode means that each LAN port services one or
none Service Zones, so the maximum number of service zones is equivalent to the
number of LAN ports on a 4ipnet HSG Wireless Hotspot Gateway.

On the contrary, Tag-based service zones are not limited by the number of ports,
for they are specified by the VLAN tag ID pre-defined by the admin, regardless of

50
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

which LAN port. A simple concept is displayed in the picture below.

As the figure depicts, a staff of a firm is associated with a certain SSID broadcast
by an access point. This SSID belongs to, let’s say, VAP with VLAN ID 15. Therefore
the AP’s traffic when forwarded back to the Controller will be mapped to Service
Zone 1 with configurations set for staff access.

Configuration Mapping
Configuration Path: Main Menu >> System >> LAN Ports

Admin can change the type of service zones. There are some grayed-out service
zones because they have been disabled. Therefore, admin should first go to
‘System > Service Zones > Configure’ to enable the needed service zones.

51
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

If the setting is change to Tag-based, the correspondence of service zones and

ports will be grayed out. Each Service Zone will need to be assigned a unique VLAN
ID, ranging from 1 to 4096.

Note that the Default Service Zone is designed to be tag-less to manage Local
Access Points and process untagged traffic.

52
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

6.2.2. NAT Mode or Router Mode

Configuration Path: Main Menu >> System >> Service Zones >> Configure

NAT is the acronym for Network Address Translation which translates private IP
addresses for devices on the LAN side of a controller to routable IP before
forwarding into uplink network. Private IP addresses are invisible to devices or
routers on the WAN side of the controller, only the controller deploying the NAT
knows their corresponding translation. This mode not only protects users on the
LAN from being ‘seen’ by external devices but also solves the problem of limited
public IP’s.

Router mode as the name suggests, is a network operating without address

translation in and out of the Controller. Router mode is selected when using public
IP or under circumstances where the downstream devices requires a routable IP
address to upstream routers.

6.2.3. Service Zone Network Interface

Configuration Path: Main Menu >> System >> Service Zones >> Configure

IP address will act as the Controller IP to a user connected to this Service Zone.
Subnet mask defines the size of your Service Zone network and defines the range
of IP’s allowed to access this Service Zone. To allow users using addresses that are
out of range, enter the IP’s in the Network Alias List and check Enable. Always
remember to click Apply upon completion.

There are 3 isolation options when the system is set to Tag-based mode: Inter-
VLAN Isolation, Clients Isolation, and None.

 Inter-VLAN Isolation: 2 clients within the same VLAN will not see each other
when coming in from different ports. Note that Isolation is done when traffic

53
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

passes through the gateway. When a switch or AP is being deployed, Station

Isolation has to be enabled on the AP/switch.
 Clients Isolation: All clients on the same Layer 2 network are isolated from one
another in this Service Zone.
 None: No isolation will be applied to clients in this Service Zone.

Note that when “None” is selected, a switch port connecting to the LAN port of the
WHG may be shut down if the switch has loop protection enabled and there are
more than 2 VLANs belong to one Service Zone.

6.2.4. DHCP Server options

Configuration Path: Main Menu >> System >> Service Zones >> Configure

Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a

server to automatically assign an IP address to a computer from a defined range of
numbers (i.e., a scope) configured for a given network. 4ipnet HSG Wireless
Hotspot Gateways supports independent DHCP settings for each Service Zone
profile. Options include Disable DHCP option, Enable built-in DHCP server or DHCP
Relay.

1. DHCP Server Configuration – The default setting for DHCP Server is “Enable”.
Select other options from the drop-down list.
2. Define the IP range for issuing when using Enable DHCP Server (built-in). There
are a total of six DHCP pools for configuration.
3. DHCP Lease Time at each pool cannot be smaller than the twice value of Idle

54
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Timeout.
4. Reserving IP addresses – A configuration list for reserving certain IP’s within the
DHCP Server IP range for specific devices, for example an internal file server.
5. DHCP lease protection – This is an optional checking mechanism on the
Controller when Enabled, will check to see if the lease expired IP is currently
online. If yes, the Controller will halt the issuing of this IP address until the user
session terminates.
6. Click “Apply” to activate changes.

6.2.5. Wireless Settings

Configuration Path: Main Menu >> System >> Service Zones >> Configure

Beside LAN setting, wireless can be enabled, specify a desired SSID, select the
operation frequency, 2.4G, 5G or both.

For more details on wireless configuration, please refer to part A in Appendix E of

the User Manual.

6.2.6. Authentication Options

Configuration Path: Main Menu >> System >> Service Zones >> Configure

Once the administrator has properly configured the authentication servers under
the Main Menu, each Service Zone can select the authentication option preferred to
downstream clients for login. Note that Authentication is always enabled by default.

55
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

1. Databases
Administrator can designate configured auth servers for use. Postfix will be used as
auth server identifier when more than one auth server is enabled for service.

2. Portal URL
The specification of a desired landing page may be configured here. When enabled,
the administrator can choose to set the URL of an opened browser after users’

initial login.

3. MAC address authentication

RADIUS MAC authentication feature once enabled, if the connected device has its
MAC address entered in the configured RADIUS Server, the Controller will
automatically authenticate and grant access immediately if authentication succeeds.
Users will experience transparent login.

56
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

4. PPP dial-up authentication

Point-to-Point Protocol (PPP) is a data link protocol commonly used in establishing a
direct connection between two networking nodes. When this feature is enabled for
service, end users may configure a dial-up connection setting with a valid username
and password (support only Local and RADIUS users). Once the dial-up connection
has been established, the user would have been authenticated successfully without
further UAM login.

57
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

The IP Address Range Assignment field configures the starting IP range which
PPP can assign IP addresses to dial-up virtual interfaces. The assigned interface IP
address is used to route between the networks on both side of the tunnel.

6.2.7. Portal Customization

Configuration Path: Main Menu >> System >> Service Zones >> Configure

Each Service Zone can be configured to have unique Login Pages or Message Pages.
There are 3 types of Login Pages: The General Login Page, PLM Open Type Login
Page (for Port Location Mapping free access), and PMS Billing Plan Selection Page. A
Service Disclaimer page can be enabled if required. These pages are fully
customizable to give administrators complete flexibility. Message Pages can also be
customized and message pages include: Login Success Pages, Login Success Page
for On-Demand Users, Login Fail Page, Device Logout Page, Logout Success Page,
Logout Failed Page, and Online Device List.

58
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

There are three customization options to choose from apart from the 4ipnet Default
Page: Customize with Template, Upload Your Own, and Use External Page.

4ipnet Default: The gateway has a standard 4ipnet Default Login Page with the
4ipnet logo and Administrators can choose to enable a Service Disclaimer if needed.

Customize with Template: For this option, a template is prepared for the
administrator's easy customization. The general layout has been set for the
administrator but the contents can be customized to his preference. A color theme
and a logo can be uploaded, and contents field such as Service Disclaimer, text colors
can entered within the template presentation layout.

Upload Your Own: The Administrator has the option to upload a html file as the
Login Page. The "Download HTML Sample File" gives administrators a sample HTML
code to edit from. Once this sample HTML code is downloaded, open the file with any
browser, right click and select "View Page Source". You may edit the HTML code with
any text editor as long as the file is saved in .html format.

59
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Use External Page: The Login Page can be a defined external URL. This option
requires extensive knowledge of URL parameter utilization that works together with
the Message Pages and should be organized carefully. For more details on External
Login Page customization, please refer to Appendix B of the User Manual.
For a Preview of the custom page, click “Apply” followed by the “Preview” button.
Similarly, the four options are available for Message Pages.

60
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 7. Advance Settings for Network

Environment

7.1 Network Utilities

Configure Network Utility; go to: Main Menu >> Utilities >> Network Utilities

The system provides network utilities to help administrators manage the network
easily.

61
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Item Description

IPv4  Ping: It allows administrator to detect a device using

IP address or Host domain name to see if it is
responding.

 Trace Route: It allows administrator to recover the

real path of packets from the gateway to a destination
using IP address or Host domain name.

 ARPing: Allows administrator to send ARP request for a

specific IP address or domain name.

 VLAN ID: Allows administrator to find out the VLAN ID

of an IP or MAC address.

 ARP Table: It allows administrator to view the IP-to-

Physical address translation tables used by address
resolution protocol (ARP).

Sniff With this feature the administrator can listen for packets
from selected Interfaces. The administrator can further filter
the types of packets to capture by using tcpdump
commands under the Expression field.

Status When the administrator is executing any Network Utilities

features, the status of the operation is displayed here.

Result The operation result is displayed here.

62
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

7.2 Black List

Network operators may want to limit the accessibility of certain accounts or devices
from authentication or association from time to time. This section describes the
ways in which user or device restrictions may be achieved.

Configuration Path: Main Menu >> Users >> Black List

The black list is a tool for user access control. Each black list can hold specific user
accounts that will be denied of network access. The administrator can use the pull-
down menu to select the desired black list profile to edit.

63
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

After entering the usernames in the Username blanks fields and the related
information in the Remark blank fields (not required), click Apply to add the users.

To remove a user from the black list, select the user and click Delete to remove that
user from the black list.

After the Black List is setup completed, select the Black List in the desired
Authentication Server for it to become effective.

64
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

7.3 Certification
Configuration path: Main Menu >> Utilities >> Certificate

4ipnet HSG Wireless Hotspot Gateways can issue certificates in its private network.
Administrator can sign certificates issues by the system’s root CA. Also, they could
be used for authentication of Built-in RADIUS Server users roaming out.

‘Certificate Management’ gives a summary of certificates available and which are

currently in use.

To enter settings, click “Edit” icon on the top-left corner of each category.

7.3.1 System Certificate

This is the certificate that identifies the system. These certificates may be used for
applications such as HTTPS login and etc. The Controller has a built-in Factory
Default Certificate (gateway.example.com) that cannot be removed, but allows

65
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

certificates to be uploaded. To view details of the certificate, click the corresponding

"View" button.

Click "Get CERT" and "Get Key" to download the certificate and public key onto your
local disk.

To Upload a Certificate/Private Key/Intermediate CA, click “Browse”, select the

appropriate files, and click Upload Files.

66
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

7.3.2 Internal Root CA

The administrator can upload an Internal Root CA, or generate a root CA for private
use. The created root CA certificate can be downloaded and used to sign certificates
generated by the system. Note that the system only allows one Internal Root CA to
be created.

To upload an Internal Root CA, click browse to select the Certificate and matching
Private Key from your local disk, and click "Upload Files".
Once an Internal Root CA is uploaded/generated, details will be shown in the
following format.

67
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

To view details of the certificate, click the "View" button.

7.3.3 Internally Issued Certificate

Internally Issued Certificates can be generated on this page. Note that an Internal
Root CA needs to be created first before Internally Issued Certificates can be
signed. Certificate Information is an overview that displays all current Internally
Issued Certificates. To view details of the certificate, click the corresponding "View"
button.

68
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

7.3.4 Trusted Certificate Authorities

Apart from self signed certificate and system's root CA, administrators can also
upload other certificates signed by other CA entities or Trusted CAs into the system.
These trusted root CA certificates are intended for the Controller to recognize and
trust certificates of External Payment Gateway and/or CAPWAP capable APs. To
upload a Trusted CA, click browse to select the Certificate and click "Upload Files".
To view details of the certificate, click the corresponding "View" button.

7.4 Management Access

Configuration path: Main Menu >> System >> General >> Management IP Address

On the 4ipnet HSG Wireless Hotspot Gateways, the administrator can grant access
to the web management interface by specifying a list specific IP addresses or
ranges of IP addresses, both from WAN or from LAN. For example, entering
"192.168.3.1" and "192.168.1.0/24" means that only the device at 192.168.3.1
and devices in the range of 192.168.1.0 to 192.168.1.255 are able to reach the
web management interface.

The Console interface may be accessed remotely when the Remote Console is
enabled. For security purposes, console access is disabled by default to prevent
malicious users from accessing the system.

69
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 8. Utilities for Controller

Management

8.1 Administrator Account Management

Configuration path: Main Menu >> Utilities >> Administrator Account

The HSG Wireless Hotspot Gateway’s root management account is the “admin”
account with full access, modification and application privilege and authority. There
are however, 2nd tier accounts with less authority which may be created for
management personnel to access their designated assigned areas of authority, a
necessary feature for large scale deployment requiring multiple management
personnel.

This configuration path will lead to the page for assigning authority property, and
generation of other management accounts customizable to suit the needs of your
network.

There is only one management account under default status. Group Permission
Settings will allow you to customize the accessible WMI pages for a particular
management group and in turn, create management accounts for that group.

70
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Step 1: Configure Password Safety Settings

Password Safety can be enabled to protect the Web Management Interface from
unauthorized personnel. Note that these settings are disabled by default.

71
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Step 2: Configure Group Access property

The Controller supports customizable administration account types, namely Super

Group, Manager, On-Demand Manager or Operator. Admin is classified under Super
Group, with all access and configuration authorities. Only Super Group members
can generate other administrative accounts (Manager, On-Demand Manager and
Operator). Permission Settings for all administrative accounts can be customized.
With the exception of the Super Group members, other administrative accounts can
be configured to have read-write or read-only access.

72
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Step 3: An Administrator Accounts List is available to display Administrator

Accounts information and their statuses. Create an account by clicking “Add”, then
inputting the desired account name, password and the assigned authority group.
Subsequent to clicking Apply, the newly generated account will be displayed in the
table below.

NOTE
1. The Password Safety Settings contain constraints or rules which must be
followed upon management account creation or password change.
2. Admin List will display all existing management accounts and login status if this
account is currently accessing the WMI.
3. Admin account is the root account and may not be deleted or have its authority
modified.

8.2 Configuration Backup & Restore

Configuration path: Main Menu >> Utilities >> Backup & Restore

This function is used to backup/restore the HSG Wireless Hotspot Gateway settings.
Backup can be done periodically via FTP. Furthermore, HSG Wireless Hotspot
Gateway can be restored to the factory default settings here.

73
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

NOTE
1. The General Backup feature will lead to a pop up window prompting to
save a db file.
2. Restoring previous db configurations may be performed with options such
as keep WAN settings to prevent the loss of WMI connection if this action
is performed remotely.
3. Resetting to factory default will erase all configurations and restore the
controller to factory configuration. This action also has additional options
to keep critical settings.

8.3 Firmware Upgrade

Configuration path: Main Menu >> Utilities >> System Upgrade

The administrator can obtain the latest firmware from 4ipnet’s website or 4ipnet’s
Support Team and upgrade the system.

74
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

When the resource of the system is not enough for upgrade process, system will
request restart and change system to Maintenance mode to ensure the system
upgrade success.

After system restart in Maintenance mode, click Browse to search for the firmware
file on your local drive and click Apply to firmware upgrade. It might take a few
minutes before the upgrade process completes and the system needs to be
restarted afterwards to activate the new firmware. FTP firmware upgrade is also an
option, enter the FTP server IP address, FTP server port, and the FTP account name
and password, and lastly specify the complete firmware filename stored on the FTP
server that will be used to upgrade the system.

Before performing an upgrade, the system checks for version compatibility ensure
system sanity. You may contact the 4ipnet Support Team regarding version
compatibility.

NOTE
The system MUST be restarted before resetting to factory defaults after
firmware upgrade.

75
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

8.4 Restart

Configuration path: Main Menu >> Utilities >> Restart

This function allows the administrator to safely restart HSG Wireless Hotspot
Gateway, and the process might take several minutes to complete. Select Restart
the system in Regular mode, click Apply to restart HSG Wireless Hotspot
Gateway. If the power needs to be turned off, it is highly recommended to restart
HSG Wireless Hotspot Gateway first and then turn off the power after completing
the restart process. The administrator may enter Reason for Restart for
maintenance purposes.

NOTE
1. The connection of all online users of the system will be disconnected when
system is in the process of restarting.

76
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 9. Reports and Logs for Monitoring

9.1 System Related Status

9.1.1 System Summary

Configuration path: Main Menu >> Status >> System Summary

The system status page displays a table of contents including system firmware
version, report servers configured, WAN optional settings, User log profile, system
time and session control settings. This overview is designed for main configuration
items. For detailed status, please proceed to corresponding configuration pages.

77
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

78
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

A selection of Reports is available when the “See Reports” button is clicked. These
reports can be sorted based on interface and intervals.

9.1.2 Network Interface

Configuration path: Main Menu >> Status >> Interface

This section provides the details of each of the network interfaces for the
administrator to inspect, including WAN1,Default, SZ1 ~ SZ4.

Select the network interface that you are interested to see. If the selected interface
is enabled, the corresponding network settings will be displayed. Scrolling down the
page, the traffic statistics for different scales, including traffic summary, traffic of
the day, traffic of the month, and traffic of the top 10 days is presented in a
graphical manner.

79
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

NOTE
1. If statistics are required to be saved for long term keeping, See Report &
Notification section for instructions to send and save network traffic on
external servers.

9.1.3 Routing

Configuration path: Main Menu >> Status >> Routing Tables

This status page displays all the Policy Route rules, and Global Policy Route rules
will be listed here. It provides a fast reference window for the administrator to see
the routing rules enforcements for users belonging to different Policies. It also
shows the System Route rules specified for each network interface.

IPv6 are available for Global policy, and the rules configured there will also be
shown in the IPv6 routing table page along with System interface settings for IPv6
traffic.

9.1.4 DHCP Server

Configuration path: Main Menu >> Status >> DHCP Leases

The DHCP IP lease statistics can be viewed after clicking on Show Statistics List on
this page.

80
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Statistics of offered list

Valid lease counts of the Last 10 Minutes, Hours and Days are shown here. The
header 1 ~ 10 are unit multipliers; for instance the number under column 2
indicates the lease count in the last 20 minutes/hours/days, the number under
column 3 indicated the lease count in the last 30 minutes/hours/days and so on.

 Statistics of expired list

IP leased to clients that have expired in the Last 10 Minutes, Hours and Days are
shown here. The header 1 ~ 10 are unit multipliers; for instance the number under
column 2 indicates the expired count in the last 20 minutes/hours/days, the
number under column 3 indicated the expired count in the last 30
minutes/hours/days and so on.

 DHCP Lease List

Valid IP addresses issued from the DHCP Server and related information of the
client using this IP address is displayed here.

81
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

9.2 Client Related Status

9.2.1 Online User

Configuration path: Main Menu >> Status >> Monitor Users >> Online Users

Users displayed on this page are the ones that are authenticated by this Controller
under its managed network either LAN or remotely tunneled site.

There are 2 modes to select from. Select ‘Detail’ to display more information, such
as Pkts In/Out, Bytes In/Out and etc. Administrators can force out a specific online
user by clicking Kick Out and check the user access wireless status. A “Search”
tool is available for searching IP or MAC address of specific online user. Click
Refresh to update the current users list or you can select the time interval for
automatic refresh from the drop-down box in the lower right corner of this page.

82
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

9.2.2 Associated Non Login Users

Configuration path: Main Menu >> Status >> Monitor Users >> Non-Login Devices

This page shows users that have acquired an IP address from the system’s DHCP
server but have not yet been authenticated, either under the LAN or remotely
tunneled site. This feature is designed for administrators to keep track of systems’
resources from being exhausted. The list shows the client’s MAC Address, IP
Address and associated VLAN ID, Service Zone as well as wireless status if the
client uses wireless connection.

9.2.3 Roaming Out Users

Configuration path: Main Menu >> Status >> Monitor Users >> Roaming Out Users

This page shows the users that are authenticated by other Controllers using this
Controller’s database as RADIUS database.

83
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

9.2.4 Session List

Configuration path: Main Menu >> Status >> Sessions

This page allows the administrator to inspect sessions currently established

between a client and the system. Each result displays the IP and Port values of the
Source and Destination. You may define the filter conditions and display only the
results you desire.

84
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

9.3 Logs and Reports

9.3.1 System Related

Configuration path: Main Menu >> Status >> Logs and Reports

This page displays the system’s local log and User events since system boot up.
Administrators can examine the log entries of various events. However, since all
these information are stored on volatile memory, they will be lost during a
restart/reboot operation. Therefore if the log information needs to be documented,
the administrator will need to make back up manually.

 Configuration Change Log: This page shows the account, and IP of the
person that has made changes to Controllers WMI configurations.
 Local Monthly Usage: This page shows the aggregated statistics for Local
users, showing the transmitted traffic for the month
 Local Web Log: This page shows which of the web pages have been accessed
on the Controllers built-in web server.
 On-Demand User Billing Report Log: This page displays a summary of On-
Demand account transactions.
 RADIUS Server Log: This page displays the RADIUS messages that pass
through the controller.
 System Log: This page displays system related logs for event tracing.
 UAMD Log: Displays the UAM related information output from the UAM
daemon.
 User Events: Please refer to the next session.
 Wireless Log: Displays the wireless related information.

85
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

9.3.2 User Events

Configuration path: Main Menu >> Status >> Logs and Reports >> User Events

This page is packed with all user logs and events. User logs and events can be
stored up to 40 days. Displays all user related information customizable to
administrator's preference. The administrator gets to choose the number of rows
(20, 40, 60, 80, 100) to display per page. Select the Begin and End date from the
calendar to filter unwanted User Events. After the Begin and End dates are
selected, click "Display" to display all User Events within the selected dates.

The "Download" button downloads the displayed User Events into a comma
separated .txt file. Save as a new file with .csv extension to sort the downloaded
data into cells. The "Clear" button deletes current User Events displayed on the
User Interface.

Note that different User Types contain different user information. Categories will be
left blank if inapplicable to the User Type.

86
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

9.4 Reports & Notification

Configuration path: Main Menu >> Status >> Reporting

HSG Wireless Hotspot Gateway can automatically send various kinds of user and/or
system related reports to configured E-mail addresses, SYSLOG Servers, or FTP
Server.

87
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 SMTP Settings: Allows the configuration of 5 recipient E-mail addresses and

necessary mail server settings where various user related logs will be sent to.
 SYSLOG Settings: Allows the configuration of two external SYSLOG servers
where selected users logs as well as system logs will be sent to.
 FTP Settings: Allows the configuration of an external FTP Server where selected
users logs as well as system logs will be sent to.
 Notification Settings: Provides an overview of all the available users and system
logs for selection. Selected logs can be sent to the chosen location (E-mail,
SYSLOG, FTP) on customizable time intervals.

88
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 10. Hotspot Application

10.1 On-Demand Billing Plans

Configuration path: Main Menu >> Users >> Internal Authentication >> On-
Demand >> Billing Plans

Billing plan profiles define the terms and conditions of guest internet access. Click
the Billing Plan Number link to enter the configuration page of a selected Billing
Plan profile. Once you have finished configuring a billing plan profile, go back to the
screen of Billing Plans, check the Active checkbox and click Apply to activate.

 Plan: The number of the selected Billing Plan profile.

 Plan Type: The account type chosen for this plan. Different account types
have different properties. A suitable account type should be selected that will
best meet guest usage requirements.
 Quota: The usage terms on how much or how long an On-Demand users are
allowed to access the network.
 Price: The unit price of the respective billing plan.
 Active: Check the checkbox to activate the billing plan. Deactivated billing
plans cannot be used to generate On-Demand guest accounts.
 Group: Group assignment of On-Demand users associated with the
respective billing plan.
 Function: Click the “Reset” button to clear settings on the selected Billing
plan Profile.

89
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

10.2 On-Demand Billing Plan Types

10.2.1 Usage-time with Expiration Time

Users can access internet as long as account is valid with remaining quota (usable
time). Users need to activate the purchased account within a given time period by
logging in. This is ideal for short term usage such as in coffee shops, airport
terminals etc. Quota is deducted only while in use, however the count down to
Expiration Time is continuous regardless of logging in or out. Account expires when
Valid Period has been used up or quota depleted.
 Quota is the total period of time (xx days yy hrs zz mins), during which On-
Demand users are allowed to access the network. The total maximum quota is
“364Days 23hrs 59mins 59secs” even after redeeming.
 Account Activation is the time period for which the user must execute a first
login. Failure to do so in the time period set in Account Activation will result in
account expiration.
 Valid Period is the valid time period for using. After this time period, even with
remaining quota the account will still expire.
 Price is the unit price of this plan.
 Group will be the applied Group to users created from this plan.
 Reference field allows administrator to input additional information.

90
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

91
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

10.2.2 Usage-time with No Expiration Time

Users can access internet as long as account has remaining quota (usable time).
Users need to activate the purchased account within a given time period by logging
in. This is ideal for short term usage such as in coffee shops, airport terminals etc.
Quota is deducted only while in use and account expires only when quota is
depleted.
 Quota is the total period of time (xx days yy hrs zz mins), during which On-
Demand users are allowed to access the network. The total maximum quota is
“364Days 23hrs 59mins 59secs” even after redeem.
 Account Activation is the time period for which the user must execute a first
login. Failure to do so in the time period set in Account Activation will result in
account expiration.
 Price is the unit price of this plan.
 Group will be the applied Group to users created from this plan.
 Reference field allows administrator to input additional information.

92
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

93
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

10.2.3 Hotel Cut-off-time

Hotel Cut-off-time is the clock time (normally check-out time) at which the On-
demand account is cut off (made expired) by the system on the following day or
many days later. On the account creation UI of this plan, operator can enter a Unit
value which is the number of days to Cut-off-time according to customer stay time.
For example: Unit = 2 days, Cut-off Time = 13:00 then account will expire on
13:00 two days later. Grace Period is an additional, short period of time after the
account is cut off that allows user to continue to use the On-Demand account to
access the Internet without paying additional fee. Number of Devices is to define
the number of allowed simultaneous logged in devices per account. Unit Price is a
daily price of this billing plan. This is mainly used in hotel venues to provide
internet service according to guests’ stay time. Group will be the applied Group to
users created from this plan. Reference field allows administrator to input
additional information.

94
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

10.2.4 Volume

Users can access internet as long as account is valid with remaining quota (traffic
volume). Account expires when Valid Period is used up or quota is depleted. This is
ideal for small quantity applications such as sending/receiving mail, transferring a

95
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

file etc. Count down of Valid Period is continuous regardless of logging in or out.
 Account Activation is the time period for which the user must execute a first
login. Failure to do so in the time period set in Account Activation will result in
account expiration.
 Expiration is the valid time period for using. After this time period, the account
expires even with quota remaining.
 Quota is the total Mbytes (1~1000000), during which On-Demand users are
allowed to access the network.
 Number of devices is to define the number of allowed simultaneous logged in
devices per account. (0: unlimited)
 Unit Price is the unit price of this plan.
 Group will be the applied Group to users created from this plan.
 Reference field allows administrator to input additional information.

96
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

10.2.5 Duration-time with Elapsed Time

Account is activated upon account creation. Count down begins immediately after
account is created and is continuous regardless of logging in or out. Account expires
once the Elapsed Time is reached. This is ideal for providing internet service
immediately after account creation throughout a specific period of time.
 Begin Time is the time that the account will be activated for use. It is set to
account creation time.

97
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Elapsed Time is the time interval for which the account is valid for internet
access (xx hrs yy mins).
 Number of Devices is to define the number of allowed simultaneous logged in
devices per account.
 Price is the unit price of this plan.
 Group will be the applied Group to users created from this plan.
 Reference field allows administrator to input additional information.

98
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

10.2.6 Duration-time with Cut-off Time

Cut-off Time is the clock time at which the On-Demand account is cut off (made
expired) by the system on that day. For example if a shopping mall is set to close at
23:00; operators selling On-Demand tickets can use this plan to create ticket set to
be Cut-off on 23:00. If an account of this kind is created after the Cut-off Time, the
account will automatically expire.
 Begin Time is the time that the account will be activated for use. It is set to
account creation time.
 Cut-off Time is the clock time when the account will expire.
 Number of Devices is to define the number of allowed simultaneous logged in
devices per account.
 Price is the unit price of this plan.
 Group will be the applied Group to users created from this plan.
 Reference field allows administrator to input additional information.

99
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

10.2.7 Duration-time with Begin-and-End Time

The Begin Time and End Time of the account are defined explicitly. Count down
begins immediately after account activation and expires when the End Time has

100
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

been reached. This is ideal for providing internet service throughout a specific
period of time. For example during exhibition events or large conventions such as
Computex where each registered participant will get an internet account valid from
8:00 AM Jun 1 to 5:00 PM Jun 5 created in batch like coupons.
 Begin Time is the time that the account will be activated for use, defined
explicitly by the operator.
 End Time is the time that the account will expire defined explicitly by the
operator.
 Number of Devices is to define the number of allowed simultaneous logged in
devices per account.
 Price is the unit price of this plan.
 Group will be the applied Group to users created from this plan.
 Reference field allows administrator to input additional information.

101
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

10.3 Terminal Server Setup

Configuration path: Main Menu >> Users >> Authentication >> On-Demand User
>> General Settings >> Terminal Server

Terminal Configuration is a list of serial-to-Ethernet devices that communicate with

the system only; and does not need to go through authentication.

Overview of Network Ticket Generator

SDS200W is an innovative product 4ipnet offers to facilitate the communication

between 4ipnet hotspot gateway and serial POS printer. It is mainly used to have
the connected printer fast-print necessary account information extracted from a
4ipnet hotspot gateway for a user who would like to access the Internet or
managed networks, making provisioning of wired or wireless connection easier and
more user-friendly. What is noteworthy is that, SDS200W supports wireless
connectivity to the uplink gateway. That is, operators now can deploy a network
with lesser physical wires.

102
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Keypad Panel Overview

Useful Shortcut Keys

Combination Function
‘Number’ + To create and print out an On-Demand account of an
Enter enabled billing plan of the uplink Hotspot gateway
mainly for the user who purchased an account.
‘Number 1’ + Print a ticket of billing ‘Number 1’ with ‘Number 2’
‘asterisk (*)’ + units. For example, ‘8’ + asterisk(*) + ‘3’ + ENTER
‘Number 2’ + is equal to create an On-Demand account of billing plan
ENTER 8 with 3 units and have the POS printer print out the
corresponding ticket. That is, the quota that billing plan
8 grants is multiplied by 3.
FUNC + ‘1’ + To print out the information of SDS200W, including (1)
ENTER its IP address (2) the firmware version and the build
number (3) the current listening port (4) uplink
connection status (5) the IP address of the uplink

103
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

4ipnet gateway (HSG/WHG).

FUNC + ENTER To clear what is pressed. This is used when the operator
pressed a wrong button or combination. The system will
also clear it automatically after five seconds.
FUNC + ‘0’ + To activate Safe Mode – disabling the FUNC + ‘1’ +
ENTER ENTER shortcut key in order to protect SDS200W’s
information leakage.
‘4-digit’ + To unlock Safe Mode. This 4-digit password can be
ENTER changed on the WMI at “System >> Safe Mode
(Password).” The default value is ‘0000.’
‘asterisk (*)’ + To lock the keypad, excluding the TAS and the Reset
ENTER button. In Lock Mode, the Status indicator will enter
into special flashing. Press asterisk (*) + ENTER
again to disable the function, and the LED indicator
Status will go back to short illuminated intervals or
long illuminated intervals.

LED Indicators
Power When the power adapter is connected, Power will
become constantly on; when disconnected, the light
turns into constantly off. Always check if Power is on
before using SDS200W.
Status 1. Short illuminated intervals means SDS200W
successfully booted up. It flashes slowly.
2. Long illuminated intervals means SDS200W and
uplink device connected
3. Special flashing means the keypad locked. The
indicator fast-blinks twice periodically.

104
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Note: <TAS Mode only>

4. Fast flashing means SDS200W trying to connect to
uplink device.
5. Constantly off for ten seconds means SDS200W fails
to connect to uplink device after step 4. Afterwards,
Status will go back to step 1.
6. Constantly on for ten seconds means SDS200W
succeeds in connecting to uplink device after step 4.
Afterwards, Status will go to step 2.
Ethernet Ethernet turns into constantly on when an Ethernet
cable is connected. Ethernet blinks when the system
detects wired traffic passing Ethernet. It is constantly
off when no cable is connected.
WLAN WLAN behaves similarly as Ethernet - becoming
constantly on when wireless connectivity is enabled
(not necessarily connected. It just means that the RF
card is ready to serve). WLAN blinks when the system
detects wireless traffic. It is constantly off if the RF card
is disabled.

105
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

LED Panel

Understanding the LED indicators

There are four LED indicators on the panel : Power, Status, LAN, and WLAN from
left to right. Below summarizes all indication types in different states:
Amplitude Amplitude Amplitude

long illuminated
t Constantly on t Fast Flashing t
intervals
Amplitude Amplitude Amplitude

Constantly off Short illuminated

t Special flashing t t
intervals

Right Side Panel Overview

Ride Side Panel

1. Kensington Be used to lock the device to a pole.
Lock
2. Restart / Press once to reboot the system. Hold for five seconds
Reset to make SDS200W set back to factory default settings.
3. TAS Terminal Auto Setup (TAS). Press three seconds to
initiate the auto uplink connection process. This will be
introduced later.

106
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Left Side Panel Overview

Left Side Panel

1. Console Serial port for connecting to a POS printer.

2. Ethernet RJ-45 Ethernet port Serial port for connecting to the
uplink gateway via wire.
3. 5V / 1.5A The DC power socket for connecting to an external
power source through a DC power supply.
4. Antenna Assemble the dipole antenna within the package here.
Connector

Including SDS200W into Your Network

The following diagram illustrates a deployment example that shows how the
SDS200W can be connected to the POS printer and the 4ipnet Gateway/Controller.

1. Put the devices in place.

2. Attach a SDS200W to a power adaptor provided in the package.

3. Attach a POS printer to a power adaptor provided in the package and turn on the
power switch situated on the left side of the device.

4. Connect a POS printer to the Console port of SDS200W by a RS-232 cable

provided within the POS printer package.

107
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

5. Connect SDS200W to your 4ipnet Gateway/Controller via Ethernet port.

You need to connect to the correct LAN port if your

 Note:
Gateway/Controller is operating in Port-based mode.

6. To verify if the connection, press FUNC + ‘1’ + ENTER to see if SDS200W is

attached to a correct gateway and is able to get an IP address from it.
Additionally, press ‘Number’ + ENTER to see if an account with a certain billing
plan can be printed out.

Managing SDS200W on the Web Management Interface

SDS200W is designed specifically to operate in conjunction with all 4ipnet

Gateways/Controllers, including both HSG and WHG series. If you are not using
default settings, before connecting SDS200W to your 4ipnet Gateway/Controller,
some configurations steps are required.

Go to the Web Management Interface (WMI) for SDS200W’s relevant

configurations. The default values are:
IP address: 192.168.1.10
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.254

Remember to set the TCP/IP settings of the computer you use with a static IP
address that is under the same subnet as SDS200W. For example: 192.168.1.20.

108
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

The settings of SDS200W are separated into seven categories, which are
1. System – to setup the system name and device control.
2. Uplink – to determine wired / wireless relevant parameters. Any change on this
page will take effect after rebooting the system.
3. Console – to change console related settings for POS printers.
4. Utility – to upgrade the firmware version or backup/ restore SDS200W’s
configuration settings.
5. Password – to change administrator’s password.
6. Reboot – to reboot (restart) the system.
7. Status – to overview device, system, uplink, and radio status if available.

Setting Up SDS200W with the POS Printer

Serial Settings
To make a POS printer properly functions with SDS200W, set up serial settings in
advance in Console on SDS200W’s WMI.

Printing On-Demand Tickets for Your Customers

Operators have two ways of printing On-Demand account tickets for their
customers. One is to go onto the WMI of 4ipnet Gateway/Controller and create one
(or more). See the manual of the 4ipnet Gateway/Controller you use; the other is
to use SDS200W by the following two shortcut keys.
(1) ‘Number’ + ENTER or
(2) ‘Number 1’ + asterisk (*) + ‘Number 2’ + ENTER

For example,
‘3’ + ENTER is to have POS printer print out a billing 3 ticket;
‘4’ + asterisk (*) + ‘2’ + ENTER allows operator to print a single ticket of billing
plan 4 with two units of the quota. That is, the given quota is multiplied by two.
Note that the keys can only print out tickets one at a time. To Batch-create tickets,
turn to

109
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Main Menu > Users > Authentication > On-Demand User Server
Configuration > On-Demand Account Batch Creation
on 4ipnet controller’s WMI.

Use FUNC + ENTER or wait 5 seconds to clear the wrong number just pressed.

Setting Up SDS200W with the 4ipnet Gateway/Controller

SDS200W offers ‘manual’ and ‘auto’ connection to uplink 4ipnet Gateway/Controller.

The former requires the administrator to go on to SDS200W’s WMI to enter
necessary columns that are supposed to fit what is set up on the controller end.
However, the auto connection – called Terminal Auto Setup (TAS) – is particularly
designed to establish a quick connection without previous setting.

Manual setup
To connect SDS200W manually to a 4ipnet Gateway/Controller, connect the
SDS200W to the 4ipnet Gateway/Controller via an Ethernet cable. Enter the
When wired connection is established, the wireless connectivity will
be turned off by the system automatically, meaning wireless and
 Note:
wired connection will not co-exist at any time. Wired connection has
a higher priority.
Network Settings and make sure they match what is determined on the controller.
The change will take effect after (1) clicking Save and (2) rebooting the system.
After SDS200W and the uplink device has built a successful connection, the Status
indicator will blink with long illuminated intervals.

The recommended step-by-step setup process is shown as follows.

110
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

When the settings are done completely on the 4ipnet Gateway/Controller side, go
to SDS200W’s WMI and check if every uplink setting matches that on the controller.

111
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Terminal Auto Setup (TAS – Only available on SDS200W)

TAS refers to an automatic connection mechanism that requires NO previous
network settings. Just press the TAS button on SDS200W for three seconds, and
it will automatically look for and associate to a suitable 4ipnet gateway that
supports this function.

The TAS connection will rewrite previous manual settings. You will see the Uplink
page of the WMI grayed out and the Status page will show that the system is in
TAS mode. The TAS process takes about thirty seconds to complete. Whether the
connection attempt succeeds or fails, the SDS200W will always have the printer
print out if the connection is ‘successful’ or it ‘failed.’ Please make sure beforehand
that the Ethernet cable is plugged in

The SDS100 can be set up the same way but it does not support
wireless connections.
Wired TAS uses port 5000 as the default value. The controller has to
 Note: set the port to the right number, as well. Additionally, when trying to
deploy TAS, make sure that the table of Terminal Server
Configuration on the controller side is not filled up. Otherwise, the
connection will fail.
.

10.4 Customizing POS Tickets

Configuration path: Main Menu >> Users >> Internal Authentication >> On-
Demand >> POS Tickets

For deployment flexibility on your hotspot, customization of POS tickets using

templates is supported on the HSG Wireless Hotspot Gateway. Up to 5 ticket
templates can be saved on the system.

112
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

- An image can be uploaded (such as your company logo) in TMB format if

needed.
- There are 2 Width types, 2” for PRT100 and 3” for PRT200.
- Select the desired language for the configured ticket template. WHG
supports English, French, German, Japanese, Spanish, Simplified Chinese,
and Traditional Chinese.
- For accounts generated with the SDS200W, passwords are random, but the
administrator has the option of selecting between a 4-character and a 8-
character password.
- Select the appropriate Ticket Type depending on the configured billing plan.

113
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

You may start customizing your POS ticket from the window below manually typing
or by inserting parameters from the drop-down list as shown in the above example.

Once this is done, you may start assigning Billing Plans and Ticket Templates for
your Terminal Servers.

114
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

The administrator can now select the desired Ticket Template for a specific ticket
generator from the drop-down list.

Applications for QR Code Log-in

On-Demand Account generation with a ticket generator is a very common
deployment for hotspot providers. What makes it a hassle is to manually enter
the Username and Password of the account, especially for mobile devices which
require typing on small keyboards and are not easy on the eyes.

Log-in credentials including your Username, Password, Usage quota, Price and
etc. are all embedded in the QR code.

Simply associate with the SSID, scan QR Code, and you are ready to surf the
internet!

Configuring your web ticket to support QR Code

The ticket needs to be customized in order to support the printing of QR Code.

Under Main Menu >> Users >> Authentications, click On-Demand User and
Configure for Ticket Template Customization.
QR Code Login
Scan the OR code your device to login automatically

115
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

For the utilized Billing Plan, the corresponding ticket template needs to be
customized to support QR Code.
1) The width needs to be changed to 3” (default value = 2”)
2) The parameter needs to be added by typing in “$qr” on the template, or
select “$qr” from the drop-down menu and click Insert Parameters.

116
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Only 4ipnet PRT200 thermal printers support the printing of QR code.

Installation of a QR Code scanning App on your mobile device is required (such as
 Note: QuickMark, QR Reader, Barcode Scanner).
Switch off Auto-Join and Auto-Login to prevent the mobile device from jumping back to the
remembered network.

10.5 Creating Accounts

Configuration path: Main Menu >> Users >> On-Demand Accounts >> Accounts
Creation

Administrators have the option of creating single accounts or batch accounts. For
potential hotspot operators who may wish to pre-generate guest accounts for sale,
On-Demand feature has a batch create functionality which allows the administrator
or operator with access authority to On-Demand page, to create multiple accounts
for an enabled billing plan in batch, and send them to POS printer for generating
physical ticket printout for sale.

Administrator can choose to use random generated Usernames and Passwords or

custom-create them when creating batch On-Demand accounts. For random
generated passwords, they can be short (4 characters) or long (8 characters).

117
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

When creating custom Usernames, the Prefix and Postfix will be kept constant while
the Serial Number for the accounts will have single increments.

The generated accounts may be downloaded for safe keeping, or sent to printer for
batch printout.

118
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

10.6 User Self Service

Credit Card via External Payment Gateway

Configuration path: Main Menu >> Users >> Authentication >> On-Demand User
>> External Payment Gateway

HSG Wireless Hotspot Gateway supports different types of payment gateway

options depending on the account types possessed by the operator, including
Authorize.net, PayPal, SecurePay, WorldPay, and PeleCard.

The most commonly used PayPal is used as an illustration example below.

Before setting up “PayPal”, it is required that the hotspot owners have a valid PayPal
“Business Account”.
After opening a PayPal Business Account, the hotspot owners should find the
“Identity Token” of this PayPal account to continue “PayPal Payment Page
Configuration”.

Fill in the necessary merchant account credentials in the Payment Page

Configuration. Please be careful that if your controller’s WAN IP is under a NAT, you
will need to configure IP forwarding information in the Instant Payment
Notification (IPN) field in order for the paying end user to receive transaction
outcome.

119
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Select the enabled billing plans that are allowed for end users to self purchase
through the payment gateway.

The service disclaimer can be customized by configuring Web Page Customization.

Subsequently after the configuration of your external payment gateway, the login
page will be shown with a hyperlink which guides the end user step by step to

120
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

purchase an account with a valid credit card.

In order for users to get account info via SMS after buying a new account online,
and eliminate the risk of forgetting his/her username and password at the next
time of login, administrators may choose to integrate SMS gateway with the
payment gateway.

Upon successful set up, the Number of SMS Quota field will be available.

Account buyers enter a cellphone number after paying a fee for the account online.

121
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

The account buyers can then re-send the SMS no more than the configured
number.

To preview your External Payment Portal, click “Configure” for Web Page
Customization at the bottom of the page. Just like all customizable web pages in
the system, this page also supports customization with templates, uploading html,
or using an external page. An example of what will be displayed when External
Payment Gateway is used with SMS Gateway is shown below:

PMS Self Service

After planning your VLAN network and completing all the Port Location Mapping
settings, you should verify whether the configurations are working properly.
According to the Port Type set, when a user tries to access the internet from a VLAN
mapped room, the pages or messages displayed are as follows:

122
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

When a user tries to access internet from a room, the browser will show the Login
page with a list of available plans and service agreement. The Service Agreement
body can be configured at the applied Service Zone’s Custom Pages settings. User
may choose a billing plan, click the Confirm button and the system will display the
generated account name and password. If you already have a user account, you
can click the “here” link to login with the user account that you possess.

123
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Chapter 11. Account Roaming

11.1 Roaming Related

Roaming capability is an essential feature requirement for large scale deployments
or alliance co-operation for operators who seek to provide network access for other
ISP subscribers to generate more sources of profit.

HSG Wireless Hotspot Gateways support the WISPr attributes required to establish
roaming relationship with most roaming brokers in the market such as Boingo,
iPass Connect etc.

For more in depth support regarding compatibility and technical evaluation on your
telecom operator, please contact 4ipnet support team.

11.2 WISPr for ISP Roaming

Configuration path: Main Menu >> System >> Service Zones >> Service Zone
Configuration

WISPr or Wireless Internet Service Provider roaming - Pronounced "whisper," is a

draft protocol submitted to the Wi-Fi Alliance that allows users to roam between
wireless internet service providers, in a fashion similar to that used to allow cell
phone users to roam between carriers. A RADIUS server is used to authenticate the
subscriber's credentials.

If a RADIUS server has been configured, the WISPr attributes used during RADIUS
authentication can be defined here in this Service Zone.

124
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

WISPr Smart Client: Select Enable if you wish to allow customers with a roaming
account from a WISPr agent (iPass, WiFi Skype, Boingo, and etc.) to access your
internet. Make sure to Enable the HTTPS Protected Login field under System >>
General in order for roaming software on the client’s device to work properly.

Smart Client Black List: Fill in the WISPr agent names and enable to block users
from that particular WISPr roaming agent to access your internet. For example, if
you fill in “ipassconnect”, the iPass clients will be denied roaming access in your
network.

WISPr Location ID: These attributes, which enable wireless hotspot providers to
customize their web portals, are based on the client device location and are RADIUS
vendor-specific attributes (VSAs).

WISPr Location Name: These attributes, which enable wireless hotspot providers
to customize their web portals, are based on the client device location and are
RADIUS vendor-specific attributes (VSAs).

WISPr Billing Time: Set RADIUS account billing time.

125
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

11.3 Local / On-Demand Account Roaming Out

The built-in user account databases both Local and On-Demand of the HSG Wireless
Hotspot Gateway may be used for other Controllers as their external RADIUS
authentication database.

This application offers the ability to refer to a single central Controller for account
credential lookup during the authentication process, and is ideal for enterprises or
businesses with multiple branch offices.

To use Local user database as the RADIUS database of another Controller:

Configuration path: Main Menu >> Users >> Internal Authentication >> Local

To use On-Demand user database as the RADIUS database of another Controller:

Configuration path: Main Menu >> Users >> Internal Authentication >> On-
Demand

126
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

After enabling the Roaming out feature for Local or On-Demand, click the RADIUS
Client Device Settings hyperlink. The redirected page allows the administrator to
specify the Controller IP which is allowed to behave as a RADIUS client and
authenticate against this Controller’s enabled user databases.

127
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

NOTE
1. Please make sure that the user database postfixes are configured without
conflicting with one another over the two Controllers.

128
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Appendix A. Installation

Installation Instruction

Preparations
1. Unpack the HSG Wireless Hotspot Gateway and go through the package checklist.
2. Review the front panel and the back panel and identify each control and network
interface that is described in the Hardware & Specification section.
3. Prepare Ethernet cables with RJ-45 connectors.
4. Prepare a PC with Web browser for accessing the Web Management Interface.
5. Identify an upstream device for HSG Wireless Hotspot Gateway to connect to
your network, such as ADSL, CABLE modem or other edge devices. Collect the
DNS server address provided by your ISP.

Installation
1. Connect the power adaptor or power cord to the power socket on the rear panel.
The Power LED should be on to indicate a proper connection.
2. Connect an Ethernet cable to the WAN (Uplink) Port. Connect the other end of
the Ethernet cable to an xDSL/cable modem, or a switch/hub of an internal
network. The LED of this port should be on to indicate a proper connection.
3. Connect an Ethernet cable to a LAN Port on the front panel. Connect the other
end of the Ethernet cable to an administrator PC for configuring the system. A
switch can be used to connect multiple devices to the LAN port of the Controller.

NOTE
1. It is highly recommended to use all the supplies in the package instead of
substituting any components by other suppliers to guarantee best performance.

129
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Appendix B. External Pages

External Page Concept

Choose External Page if you desire to use an external web page for your custom
pages. Simply enter the URL of your external webpage, click Preview button to
check if it is reachable, take a look at how your external webpage will be displayed,
then click Apply button.

Main Menu>System>Service Zone>Service Zone Configuration>Login Page

When a user connects to this Service Zone, opens a web browser and attempts to
access the internet, the system will address the user to the external login page
configured. Gateway while addressing users to the external web page will also send
URL parameters required for the operation, for instance user authentication.
Therefore, each self-defined external page (Login, Logout, Login Success, Logout
Success, etc.) requires codes to handle URL parameters to and from the Gateway.
A simple example is illustrated below for Login Page. Please refer to External
Login Page Parameters for URL parameter relating to other pages such as Login
Success Page ... and etc.
Therefore it is important that your external pages are designed by someone with
good knowledge of URL parameter utilization.

130
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

The diagram below explains how External Page operates using user login/logout
flow as illustration:

Login:

131
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Logout:

The URL parameters sent by the Gateway to the external login page are as follows:
Field Value Description
loginurl String (URL encoded) The URL to be submitted when a user
logs in.
remainingurl String (URL encoded) The URL to be submitted when a user
wants to get remaining quota.
vlanid Integer (1 ~ 4094) VLAN ID
iface Integer (0~8) Service Zone ID, 0 for default service
zone
gwip IP format Gateway activated WAN IP address
gwmac MAC format Gateway activated WAN MAC address

132
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

(separated by ':')
client_ip IP format Client IP address
ipv6_addr IPv6 format Client IPv6 address
umac MAC format Client MAC address
(separated by ':')
session String Encrypted session information, includes:
client IP address, MAC address, date,
and return URL.

You will need to parse the required parameters in your html code. The following
HTML code segment is an example of parsing loginurl parameter with a self defined
javascript function:
<FORM action="" method="post" name="form">
<script language="Javascript">
form.action = getVarFromURL(window.location.href, 'loginurl');
</script>
<INPUT type="text" name="myusername" size="25">
<INPUT type="password" name="mypassword" size="25">
<INPUT name="button_submit" type="submit" value="Enter">
<INPUT name="button_clear" type="button" value="Clear">
</FORM>

The following shows the corresponding self-defined javascript function used to

parse the loginurl parameter:

function getVarFromURL(url, name) {

if(name == "" || url == "") { return ""; }
name = name.replace(/[\[]/|"\\\[").replace(/[\]]/|"\\\]");
var regObj = new RegExp("[\\?&]"+name+"=([^&#]*)");
var result = regObj.exec(url);
if(result == null) { return ""; }
else { return decodeURIComponent(result[1]); }
}

133
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

An external page example that the user will see upon launching a browser is
shown, and you can see the URL parameters sent from the system highlighted in
red:

External Page Design Variables

This section displays all the URL parameters that are sent from the Gateway to the
various external pages. It is essential to use the correct variable for your self
designed user page to function properly.

1. External Login Page

Variables:
Field Value Description
loginurl String (URL encoded) The URL to be submitted when a user
logs in.
remainingurl String (URL encoded) The URL to be submitted when a user
wants to get remaining quota.
vlanid Integer (1 ~ 4094) VLAN ID
iface Integer (0~8) Service Zone ID, 0 for default service
zone
gwip IP format Gateway activated WAN IP address
client_ip IP format Client IP address
ipv6_addr IPv6 format Client IPv6 address
umac MAC format (separated by Client MAC address
':')
session String Encrypted session information, include:
client IP address, MAC address, date,
and return URL.

134
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

2. Login Successful Page

Variables:
Field Value Description
uid String User ID (postfix is included)
original_uid String Original User ID
utype String (LOCAL, RADIUS, Authentication server name
ONDEMAND, POP3, LDAP,
SIP, NT Domain)
umac MAC format (separated by Client MAC address
':')
sessionlength Integer (Sec.) RADIUS user session length (Only
available for RADIUS user)
byteamount Integer (Bytes) RADIUS user volume limit (Only
available for RADIUS user)
idletimeout Integer (Sec.) Idle timeout
acct-interim-interval Integer (Sec.) RADIUS accounting interim
update interval (Only available for
RADIUS user)
logouturl String (URL encoded) The URL to be submitted when a
user wants to log out.
change_passwd_url String (URL encoded) The URL to be submitted when a
user wants to change password.
(Only available for LOCAL users)
ondemand_creation_url String (URL encoded) The URL to be submitted when a
user wants to create an On-
Demand user. (Only available for
LOCAL users)
vlanid Integer (1~4094) VLAN ID
gwip IP format Gateway activated WAN IP
address
client_ip IP format Client IP address
ipv6_addr IPv6 format Client IPv6 address
sz Integer Service Zone ID
group Integer Group index
policy Integer Policy index
available_plan billing plan:usage, billing For local user to create on
plan: usage, demand user
max_uplink Integer (b/s) Maximum up-link rate
max_downlink Integer (b/s) Maximum down-link rate
req_uplink Integer (b/s) Minimum up-link rate
req_downlink Integer (b/s) Minimum down-link rate
next_page String Leads client to URL
CLASS String RADUIS CLASS attribute (Only
available for RADIUS user)
WISPR-REDIRECTION-URL String Leads client to URL
WISPR-SESSION- String, format: WISPr Session-Terminate-Time
TERMINATE-TIME YYYY-MM-DDThh:mm:ssTZD attribute (Only available for
RADIUS user)
WISPR-SESSION- Integer (0/1) WISPr Session-Terminate-End-Of-
TERMINATE-END-OF-DAY Day attribute, 0 or 1 to indicate
termination rule. (Only available
for RADIUS user)
WISPR-BILLING-CLASS-OF- String WISPr Billing-Class-Of-Service
SERVICE attribute (Only available for
RADIUS user)

135
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

WISPR-LOCATION-ID String WISPr Location-ID attribute (Only

available for RADIUS user)
WISPR-LOCATION-NAME String WISPr Location-Name attribute
(Only available for RADIUS user)
WISPR-BILLING-TIME String, format: WISPr Billing-Time attribute (Only
HH:MM available for RADIUS user)
session String Encrypted session information

3. External Error Page

Variables:
Field Value Description
msg String, includes: Error message

The system is busy. Please try again

later.

Cannot find session related information.

<BR>Please enable the Cookie in the
browser setting or open a website to get
a Cookie.

Invalid IP address. Please check the IP

address and try again.

Invalid MAC address. Please check the

MAC address and try again.

Sorry, your account is not usable,

because the authentication option is
currently disabled.<BR> Please contact
your network administrator.

Sorry, your account is not usable,

because the authentication option
(associated with the postfix) is not
found.<BR>Please contact your network
administrator.

Sorry, you are not allowed to log in,

because your account is currently on the
Black List.

Sorry, you are not allowed to log in,

because it is currently not the service
hour for your account.

You have already logged in.

Sorry, there is a system problem

checking the information of your
account (XXX).<BR>Please contact your
network administrator.

Invalid username or
password.<BR>Please check your

136
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

username and password and try again.

Cannot identify the policy for your

account.<BR>Please contact your
network administrator.

User of this device (the MAC address) is

not allowed to use this
account.<BR>Please contact your
network administrator.

Sorry, the external authentication server

is currently unreachable. <BR>Please
contact your network administrator.

Sorry, you are not allowed to create a

remote VPN connection.

Reply-message form radius server.

(radius attribute: Reply-Message)
vlanid Integer (1~4094) VLAN ID
client_ip IP format Client IP address
gwip IP format Gateway activated IP
address
original_uid String Original User ID

4. External Logout Successful Page

Variables:
Field Value Description
uid String User ID (postfix is included)
original_uid String Original User ID
vlanid Integer (1~4094) VLAN ID
gwip IP format Gateway activated IP address
used_time Integer User’s Used time

5. External On-Demand login successful page

Variables:
Field Value Description
uid String User ID (postfix is included)
original_uid String Original User ID
utype String (LOCAL, RADIUS, Authentication server name
ONDEMAND, POP3, LDAP,
SIP, NT Domain)
umac MAC format (separated by Client MAC address
':')
sessionlength Integer (Sec.) On-Demand user's quota of time
type
byteamount Integer (byte) On-Demand user's quota of
volume type
chargetype String User Accounting Type
idletimeout Integer (Sec.) Idle timeout
logouturl String (URL encoded) Logout URL
redeemurl String (URL encoded) Redeem URL
Vlanid Integer (1~4094) VLAN ID

137
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

gwip IP format Gateway activated WAN IP

address
client_ip IP format Client IP address
sz Integer Service Zone ID
group Integer Group index
policy Integer Policy index
next_page String Leads client to URL
max_uplink Integer (b/s) Maximum up-link rate
max_downlink Integer (b/s) Maximum down-link rate
req_uplink Integer (b/s) Minimum up-link rate
req_downlink Integer (b/s) Minimum down-link rate
session String Encrypted session information

6. External Logout Fail Page

Variables:
Field Value Description
uid String User ID
gwip IP format Gateway activated WAN IP
address
vlanid Integer (1~4094) VLAN ID

External Page Design Variables

This page collects and shows all the variables that are can be accepted by the
Controller from the external pages. Some are mandatory. The destination path is
also specified for designer reference.

1. User Login
Path:
(LAN IP address or Internal Domain Name) /loginpages/userlogin.shtml

Input:
Field Required Value Description
myusername Required String User ID

alternative variables:
(username, user, account)
mypassword Required String User password

alternative variables
(passwd, password, pass)
session Optional String Encoded string which
contains some
information of this
session, default is taken
from cookie.

Output:
No output, return user to login successful page.

138
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

2. User Logout
Path:
(LAN IP address or Internal Domain Name) /loginpages/logoff.shtml

Input:
Field Required Value Description
Uid Optional String User ID, default is taken
from cookie
session Optional String Encoded string which
contains some
information of this
session, default is taken
from cookie

Output:
No output, return user to logout successful page.

3. Remaining quota (Credit balance)

Path:
(LAN IP address or Internal Domain Name) /loginpages/reminder.shtml

Input:
Field Required Value Description
myusername Required String User name

alternative variables:
(username, user, account)
mypassword Required String Password

alternative variables
(passwd, password, pass)
ret_url Optional String (URL encoded) Returned URL, default is
pop_reminder.shtml
command Optional String getValue: If command is
set to “getValue”, the
return URL would be
ignored, and the page
would only print out the
available quota.

Output:
If command is set to “getValue”, the output is simply a “value”.(secs. or bytes
according to user type)
If command is not set and there is no ret_url presented, client would be led to
pop_reminder.shtml page, which shows the remaining quota in our UI style. If
ret_url is presented, client would be returned to ret_url, and gateway would add
these four variables in URL.
Field Value Description
msg String, including: Error messages

139
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Sorry, this feature is available for

On-Demand user only.

Sorry, this username: XXX is not

found.

Sorry, this username: XXX is out of

quota.

Sorry, this username: XXX is

expired.

Sorry, this username: XXX is

redeemed.
Value Integer (Sec. Or Byte) Remaining quota, if user
is time type, the value is
or error no. remaining seconds, if user
is volume type, the value
-1: Account not found. remaining bytes.
-2: Out of quota.
-3: Expired.
-4: Redeemed.

Uname String User name

Type String, includes: On-Demand user billing
type
TIME: Time type
DATA: Volume type
CUTOFF: Cut-off type

4. Change Password
Path:
(LAN IP address or Internal Domain Name)/loginpages/user_change_password.shtml

Input:
Field Required Value Description
Save Required 1 (has to be 1)
Opw Required String Old password
Npw Required String New password
Npwc Required String Confirmed new password
ret_url Required String (URL encoded) Return URL

Output:
Client would return to ret_url and gateway would add result in ret_url which
indicates the result of changing password.
Field Value Description
Result String, including: Result and error
messages
Change password successfully

140
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

User password is incorrect

Invalid password format

5. Redeem (On-Demand user)

Path:
(LAN IP address or Internal Domain Name) /loginpages/redeemuserlogin.shtml

Input:
Field Required Value Description
Uid Optional String Current user ID (If not
presented, user name
stored in cookie is the
default value)
upassword Optional String Current user password (If
not presented, password
stored in cookie is the
default value)
myusername Required String Redeem user ID

alternative variables:
(username, user, account)
mypassword Required String Redeem user password

alternative variables
(passwd, password, pass)
ret_url Optional String (URL encoded) Return URL, login
successful page is the
default value

Output:
If no ret_url is presented, client would be led to the login successful page, and in
addition, a JavaScript window would pop-up and show the result. If ret_url is
presented, client would be returned to ret_url and gateway would add an additional
variable rmsg to indicate redeem procedure result.
Field Value Description
rmsg String, including: Result and error
messages
Redeem process completed.

Original user name can not be found

from the database.

Redeem user name can not be found

from the database.

Original user password is incorrect.

Redeem user password is incorrect.

141
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Original user type and on demand

user type do not match.

Original user has not logged in.

Redeem user logged in already.

Had been redeemed before.

User has run out of quota.

Maximum allowable time has

exceeded.

Maximum allowable memory space

has exceeded.

Wrong postfix please check it.

This account is expired.

6. On-Demand Account Creation

Path:
(LAN IP address or Internal Domain Name)
/loginpages/UserAuthentication/OnDemandRecept.shtml

Input:
Field Required Value Description
buttonNo Required Integer (1~10) Billing Plan No.
random Optional Integer A random number, this
number is to prevent
quick-click issue in IE 6.0.
ret_url Optional String (URL encoded) Return URL.

Output:
If no ret_url is presented, the client would be led to a ticket page in our UI style. If
ret_url is presented, client would return to ret_url and receive the result containing
created On-Demand account information.
Field Value Description
Result String, the format is: (separated by If ret_url is presented,
',') the client would return to
ret_url page and carry the
username, result valuable.
password, expiretime is account
expiretime, expiration time which is a
usage, Linux time stamp, and
price, duration is account
duration, duration time and the unit
serial number is 'day', serial number is
account s/n.

142
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Appendix C. Useful Management & Evaluation

Tools

Useful Management Tools

Here are the top six open source IT management products that do a solid job of
replacing the big suites from HP, IBM, CA and BMC. Each offer low-cost professional
services and free software downloads. They differ primarily in the features they
offer and in the operating systems they support.

QUEST BIG BROTHER

This Web-based systems and network monitor supports most Windows, Unix and Linux OSes, plus a
repository of user-contributed scripts allow you to easily customize Big Brother to your network. Its
GUI features a universally understood color code, where red means bad and green means good.

GROUNDWORK MONITOR PROFESSIONAL

Launched in 2004, it’s one of the first enterprise-scale open source network management offerings.
It integrates more than 100 best-of-breed open source projects, including Nagios, Apache and
NMap, onto one framework with additional features, such as a Web-based interface. Monitor
Professional provides centralized management and monitoring of your enterprise network, including
Linux, Unix and Windows servers, apps, databases and network boxes.

HYPERIC HQ ENTERPRISE
Aimed at the datacenter, Hyperic’s software is built to manage and monitor all layers of Web
infrastructures, including hardware, middleware, virtualization and Web and open applications. It
also offers trending and analysis. It supports Apache, JBoss, Linux and more.

OPENNMS
This Java-based network management tool focuses on service polling, data collection and event and
notification management. It currently supports a variety of open operating systems, including Linux,
Mandrake and Solaris, as well as Mac OS X; Windows support is planned for OpenNMS 2.0.

OPENQRM
Also targeting datacenter management, OpenQRM can manage thousands of Linux and Windows
servers as well as track your datacenter’s usage and utilization. It also does automatic, policy-based
provisioning. It, too, integrates Nagios for monitoring.

ZENOSS CORE
Written mostly in Python, this management platform offers events management and availability and
performance monitoring of servers, network devices, OSes and applications. Zenoss runs on Linux,
FreeBSD and Mac OS X; it will run on Windows with a VMplayer and the Zenoss Virtual Appliance.

143
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Evaluation Tools

Wireshark (for packet capturing and debug analysis)

Wireshark is the world's foremost network protocol analyzer. It lets you capture
and interactively browse the traffic running on a computer network. It is the de
facto (and often de jure) standard across many industries and educational
institutions.

Wireshark development thrives thanks to the contributions of networking experts

across the globe. It is the continuation of a project that started in 1998.

http://www.wireshark.org/

inSSIDer (for wireless scanning & frequency analyzer)

inSSIDer is a useful tool for scanning the air for nearby AP signals and in depth
frequency, channel analysis of deployment site.
You can:
– Inspect your Wi-Fi and surrounding networks
– Scan and filter hundreds of nearby access points
– Troubleshoot competing access points and clogged Wi-Fi channels
– Highlight access points for areas with high Wi-Fi concentration
– Track the strength of received signals in dBm over time
– Sort results by MAC Address, SSID, Channel, RSSI, Time Last Seen
– Export Wi-Fi and GPS data to a KML file in Google Earth

http://www.metageek.net/products/inssider/

144
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Appendix D. On-Demand Account Types

There are four main types of On-Demand account type:

 Usage-time (Buy quota: usable time)
 Volume (Buy quota: usable traffic volume)
Pre-paid concept, only deducts quota while using. Account expires when quota
is depleted or account expiration time reached.

 Hotel Cut-off (Buy the time interval for a valid account)

 Duration-time (Buy the time interval for a valid account)
Define the time interval for usage. Count down begins when account activated
and expires when the expiration time/date reached.

Usage-time
 Users can access internet as long as account valid with remaining quota and
need to activate the purchased account within a given time period by logging
in.

 Usage-time accounts have the option of selecting:

 With Expiration Time
• Counting down begins immediately after first login. Account
expires when Valid Period is used up or quota is depleted.
 No Expiration Time
• Account expires only when quota is used up.

145
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Volume
 Users can access internet as long as account is valid with remaining quota
and need to activate the purchased account within a given time period by
logging in.

146
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Account expires when Valid Period is used up or quota is depleted.

Hotel Cut-off Time

 Operator can set the clock time for when the account will expire.
 Account automatically activates when it is created.
 Unit is the number of days to execute “Cut-off”. For example: Unit = 2 days,
Cut-off Time = 10:00 then account will expire at 10:00AM two days after
creation.
 Account usability disabled once Cut-off-time has been reached unless it has
been granted a Grace Period.
 Primarily used in hotel venues to provide internet service according to guests’
stay time.

147
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Duration Time
 Users can access internet while account is within valid time interval. Count
down begins once account activates and expires when Expiration Time is
reached.

 Duration-time accounts can be further classified into:

 Elapsed Time
• Relative to Activation Time which is the account creation time.
Account expires when the Expiration Time has been reached.
 Begin-End Time

148
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

• Define explicitly the Begin Time and End Time of the account.
Account expires when the End Time has been reached.
 Cut-off Time
• Define explicitly the clock time to “Cut-off” within the day of
creation.

149
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

NOTE
1. Since there are only 10 billing plans, if you wish to create accounts of the same type but
with various quotas, this may be achieved via the Unit field.

Network operator is able to multiply the quota by an integer ranging from 1 to 9 in the Unit field.
Please note that only Usage-time, Volume, and Duration-Elapsed time account types support
multiple unit quota generation for a single account.

150
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

151
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Appendix E. UI Reference Index

After login success, it will redirect to the Main Menu page.

Main Menu is the link that leads to all the configuration pages in the Web
Management Interface. A screenshot of the main menu is captured below, the
iconic button on the top row will redirect to configuration pages relating to its
category.

152
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

A. System

System: This section relates to system configuration. It includes, General

Information, WAN Configurations, LAN Ports, Service Zones, and etc.

1) General

 System Name: This is a mnemonic name you can give to the controller. Once
configured, it will show on the web browser’s frame.
 Contact Information: This is the email, cell phone, or other means of contact

153
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

which will be displayed on the web browser of the client in the event of internet
disconnection.
 HTTPS Certificate: Your own network certificate may be uploaded and selected
here as site safety verification.
 User HTTPS Login: Presents the option to allow end users authenticated with
HTTPS for encrypted content transfer. The ‘Secure’ option supports only “High”
encryption cipher suites.
 Internal Domain Name: A self designated domain name. Ideal for accessing
the Controller instead of remembering the IP address of the LAN interfaces.
Certificate’s name may also be used.
 Portal URL Exceptions (User Agent): The desired landing page may be
directed after users’ initial login except specific opened browsers listed here.
 User Log Access IP Address: The reserved IP address of the administrator
may be entered here. Once configured, user logs can only be accessed via the
entered IP.
 Pre-Login Page: A HTML customizable pre-portal page before landing the
Login Page.
 UAM Filter: The Universal Access Method Filter drops non-browser http
requests from user agents before authentication to prevent system overloading
from excessive traffic.
 Management IP Address List: This configuration button allows the network
administrator to enter a selection of reserved IP addresses/ range that are
authorized to see the Web Management Interface. The remote console interface
is disabled by default. You may enable remote access from this page.
 SNMP: Presents an option to enable or disabled system info retrieval via SNMP
protocol. Administrators can choose to assign specific port to transmit SNMP
trap messages. Detailed thresholds such as CPU Usage, Memory Usage, DHCP
Scope, and Heart Beat Period may be configured.
 Suspend Warning Message: A field for administrator to enter the message to
users when a Service Zone’s service is temporarily suspended
 Time: This section presents automatic time synchronization by specifying

154
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

external NTP servers.

2) WAN

 Physical Mode: Select the mode (Auto/1000Mbps Full/100Mbps Full/100Mbps

Half) based on your WAN connection
 Static: This option enables the administrator to configure a static IP address on
the WAN interface. Applicable if your subscribed internet package comes with a
static IP address.
 Dynamic: This option enables the WAN interface to be assigned with an IP
address automatically by upstream DHCP server.
 PPPoE: This is the option of connecting WAN interface to your ISP network via
PPP protocol, please select this option if your subscribed network service uses
PPP.
 PPTP: This is the option of connecting WAN interface to your ISP network via
PPP tunneling protocol, please select this option if your subscribed network
service uses PPP tunneling.
 WAN Interface Type: This section enables the selection of actual Port to be
deployed as WAN servicing port.

155
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

3) WAN Traffic

 Available Bandwidth on WAN Interface: This section of the configuration

page allows the administrator to specify uplink and downlink limitations to be
enforced on the servicing WAN interface.
 Target for Detecting Internet Connection: This section of the configuration
page enables the administrator to specify external targets to check for uplink
status.

4) LAN Ports

A "Service Zone" in the system, by default, contains wired and wireless coverage
areas in the organization. When "Port-Based" mode is enabled, each physical LAN
port can be set individually to map to a specific Service Zone for later use. By

156
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

contrast, under "Tag-Based" mode, Service Zones will be distinguished by VLAN

tagging, instead of physical LAN ports.

5) Service Zones

The table will list the Service Zones and related settings.

Click the Service Zone Name will go to the service zone configuration page.

157
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Service Zone Status: Each service zone can be enabled or disabled except for
the default service zone.
 Service Zone Name: The name of service zone could be input here.
 Network Interface:
 VLAN Tag (Tag Base Only): The VLAN tag number that is mapped to
the Service Zone.
 Tag-Based LAN Port Isolation: Administrators can choose different
isolation options in each Service Zone when in Tag-based mode. In
Port-based mode, administrators have 3 options: Disabled,
Authentication Required, and Enable.
 Inter LAN Port Isolation: Select Enable or Disable. When the option
is “Enabled”, clients under different LAN ports cannot ping each other.
When the option is “Disabled”, clients under different LAN ports can
ping each other.
 Inter-VLAN Isolation (Tag Based): 2 clients within the same VLAN
will not see each other when coming in from different ports. Note that
Isolation is done when traffic passes through the gateway. When a
switch or AP is being deployed, Station Isolation has to be enabled on

158
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

the AP/switch.
 Clients Isolation (Tag Based): When this option is selected, unicast
transmission is prevented between any clients in the same Layer 2
subnet.
 Operation Mode: Contain NAT mode and Router mode. When NAT
mode is chosen, service zone runs in NAT mode. When Router mode is
chosen this service zone runs in Router mode.
 IP Address: The IP Address of this service zone.
 Subnet Mask: The subnet Mask of this service zone.
 Network Alias List: Administrator may optionally set many alias
network segments for a service zone. This feature can allow a single
service zone to be seen as many service zones, also hide the IP address
of a Service Zone’s network interface and to some degree, provide
protection from possible attacks from LAN clients. Click the Configure
button to enter the Network Alias List page.

 Fill in the desired alias IP address and select the preferred Subnet Mask,
Operation mode, check the Enable box and click Apply button to activate
the settings.

 DHCP Server: The system supports three types of DHCP modes; Disable
Built-in DHCP Server, Enable Built-in DHCP server, and Enable DHCP
relay. Select Disable Built-in DHCP Server to disable the built-in DHCP

159
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

server when clients are assigned static IP addresses. Select Enable Built-in
DHCP Server to enable the built-in DHCP server. When the built-in DHCP
server is chosen, the system will act as a DHCP server and assign IP addresses
to its clients. Select Enable DHCP Relay when a service zone is connected to
an external DHCP server. When Enable DHCP Relay is chosen, the IP addresses
of clients will be assigned by an external DHCP server. The system will only
relay DHCP information from the external DHCP server to downstream clients of
this service zone.

Item Description
DHCP Server Scope 1
Start IP A range of IP addresses that are built in DHCP server
Address / End will be assigned to clients. Note: please change the
IP Address Management IP Address List accordingly (at System
Configuration >> System Information >> Management
IP Address List) to permit the administrator to access
the HSG WIRELESS HOTSPOT GATEWAY admin page
after the default IP address of the network interface is
changed.
Preferred DNS The primary DNS server that is used by this Service
Server Zone.
Alternate DNS The substitute DNS server that is used by this Service
Server Zone.
Domain Name Enter the domain name for this service zone.
WINS Server The IP address of the WINS (Windows Internet Naming
Service) server that if WINS server is applicable to this
service zone.
Lease Time This is the time period that the IP addresses issued
from the DHCP server are valid and available.
Disregard When enabled the system will not record the name of
Client Name the device requesting for an IP address. On the other
hand, when disabled is selected, the system will record
the device’s name when issuing IP addresses. The
devices name (Host Name) can be seen under DHCP
Lease tab.
DHCP Server Scope 2
Enable/Disable When Enabled, an additional DHCP server can be
configured to assign IP address to clients associated to

160
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

the alias IP of this Service Zone. The configurable fields

are the same as DHCP Server Scope 1.

Reserved IP Address List: Each service zone can reserve specific IP

addresses from predefined DHCP range to prevent the system from issuing
these IP addresses to downstream clients. Click the Configure button to edit
the Reserved IP List.

The administrator can reserve a list of specific IP addresses for special device
with certain MAC address. Fill a set of IP address and MAC address as reserve,
additional information can be entered in the Description field. Click Apply to
activate your settings.

DHCP Lease Protection: When “Enabled”, whenever the Service Zone’s built-in
DHCP server receives a DHCP request, it will automatically bind the MAC
address with an IP address permanently. This means that once all the IP
addresses have been assigned, it will be bound with the MAC address that first
acquired this IP. Subsequent devices with new MAC address will be unable to
acquire an IP address. When “Disabled” DHCP server will operate as usual,
assigning available IP addresses upon DHCP request.

 Wireless Settings: In SZ1 ~ SZ4, system support wireless connection. Each

service zone can be assigned a SSID and operating Band, 2.4G, 5G or Both.

But in SZ1, it’s wireless is reserve for TAS usage in default, if you do not need
TAS, you can disable TAS in SZ1, then it will provide wireless connection as
other service zone.

161
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

For advance wireless configure, click VAP Configuration.

Under Security tab, system support different security type, such as, Open, WEP,
WPA-Personal and WPA-Enterprise.

Under Advance tab, administrator can enable or disable Broadcast SSID and
IAPP feature, also the Receiving RSSI Threshold can be adjusted here. System
can ensure connected stations have quality connection speeds, a station will not

162
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

be able to associate to the network unless its receiving sensitivity meets the
configured threshold.

Under Access Control tab, administrator can restrict the total number of clients
connected to the Access Point, as well as specify particular MAC addresses that
can or cannot access.
To restrict the station number of wireless connections, simply change the
Maximum Number of Clients to a desired number.
 Authentication Settings: The system supports several authentication options,
namely: Local, On-Demand, RADIUS and Guest (Free). All authentication option
can be enabled and applied concurrently. This is to be emphasized in the next
section “Users”.
 Page Customization: Each Service Zone can be configured to have unique
Login Pages or Message Pages. These pages are fully customizable to give
administrators complete flexibility. Message Pages can also be customized and
message pages include: Login Success Pages, Login Success Page for On-
Demand Users, Login Fail Page, Logout Page, Logout Succeeded Page, and
Logout Fail Page.

163
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

B. Users

Users: This section relates to user authentication, authorization and accounting. It

includes Groups Configuration, Internal/External Authentication Configuration, On-
Demand Accounts, Policies Configuration, Privilege Lists Configuration and
Additional Controls.

1) Groups

The Group Overview page gives a summary of which Authentication Servers are
used for the corresponding Group.

Group options and Zone Permission Configuration & Policy Assignment can be
defined respectively to enforce the access management for different groups of
users in different Service Zones. The correspondence can be configured on the
“Group Configuration” page.

164
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

To allow multiple devices to log in with the same account credentials, define the
number here at “Number of devices which are allowed to login”. Multiple device
login for the On-Demand authentication option can be configured at selected Billing
Plans.

2) Internal Authentication

The system supports multiple authentication options, which include both internal
and external databases. Internal Authentication databases include “Local”, “On-
Demand”, and “Guest”.

165
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

The default Authentication for “Local” is set at Authentication Server 1. The User
Postfix is used for the system to identify which authentication option will be used
for the specific user account when multiple options are concurrently in use. To
manipulate Local accounts, go to “Configure” for Local User List.

The On-Demand Authentication option is typically used for short term usage, such
as public hotspots. Settings related to the On-Demand Authentication option can be
configured here, such as Billing Plan profiles, POS ticket customization, Terminal
Server list, External Payment Gateway setup and etc.

166
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

The Guest Authentication Option is not technically a user database, but rather a
specially designed option to allow a user to access and surf the network without any
user account or password. This feature allows the user to associate with a particular
Service Zone, enter guest email or a specified string of text by guest questionnaire
which may be social security number etc. defined by the administrator, and use the
network without actual authentication. The accounts can have limited or limited
access time, and guest users can be bound to a User Group to apply Policies.

167
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

By enabling the “Email Denial List”, some guest email addresses which are
disclaimed by certain email domain names would be blocked from internet access.
By enabling “Email Verification”, limited free access is provided when an activation
link sent by email is clicked by the user.

By enabling “ Social Media Login” and entering the Social Media ID and secret
registered from Social Media Sites, guest users could directly login with their
already own social media accounts. Selected guest information would be collected
from Social Media sites and displayed in Guest Information page.

3) External Authentication
External Authentication servers can be set up and enabled concurrently to facilitate
existing user account databases on your network.

168
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

4) On-Demand Accounts

 Account Creation: Administrators can choose to create a single account or

multiple accounts using the "Batch Create" function. Before accounts can be
created, at least one Billing Plan needs to be set up and activated. Accounts can be
created with random Usernames and Passwords or created manually (up to 8
characters). Usernames and Passwords can also be created manually for batch
creation. (eg. Prefix = ABC, Postfix = DEF, Serial Number 0001.)

169
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Account List: All created On-Demand accounts and related information are listed
on this page. The list also allows administrators to manipulate On-Demand
accounts, such as restoring/deleting accounts and Admin Redeem.

5) Schedule

The Administrator gets to set different Login Hour permissions to be applied to User
Groups in enabled Service Zones. To apply the configured Schedule Profile, go to
Groups Configuration.

170
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

6) Policies

Global policy is the system's universal policy including Firewall Profile, Specific
Route Profile, Schedule Profile, and Maximum Concurrent Sessions
management which will be applied to all users unless the user has been regulated
and applied to another policy.

Each policy consists of Firewall Profile, Privilege Profile, QoS Profile, Specific
Route Profile and Prefer DHCP Pool management as well. Policies can be defined
in the Policy tab. The administrator can select one of the defined policies to apply it
to groups within a certain Service Zone. A group of users within different Service
Zones can be applied with different policies. For example, sales can be applied with
different network access right while accessing from sales department region or
finance department region.

 Select Policy: The number of different policy profiles available depends on the
model type.
 Firewall Profile: Firewall profile specifies the protocols & rules that will be
enforced to users governed by this policy. Each Policy profile has its own
customizable firewall profile.
 Privilege Profile: User generated session number limit may be configured
here. Please adjust this attribute carefully based on your network usage.
 QoS Profile: Specifies the uplink and downlink bandwidth, also adjust the
Traffic Class mapping.

171
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Specific Route Profile: The routing rules to be applied to users under this
policy may be set here.
 Preferred DHCP Pool: (defined in Service Zone DHCP configurations) It may
be selected here as well.

7) Blacklists

Blacklist profiles can be defined and each active authentication option may be
configured with one of these blacklist profiles. A user account listed on the blacklist
is not allowed to log into the system, the client's access will be denied. The
administrator may select one blacklist from the drop-down menu and this blacklist
will be applied to this specific authentication option. Note that names on the
Blacklists can be configured to be case insensitive.

8) Privilege Lists

The Privilege function supports two types of privilege list based on IP address and
MAC address. Devices specified in the list require NO authentication to access the
network. Note that a User Group can be assigned to Devices on the IP Privilege List
but not on the MAC Privilege List.

172
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

9) Additional Control

Additional configurations are in this section. They are User Session Control, Built-in
RADIUS Server Settings, Customization, Remaining Time Reminder, and MAC ACL.
The administrator can control user session such as idle timeout in User Session
Control. Three functions are provided in Built-in RADIUS Server Settings such as
session timeout. In Customization, the administrator can upload certificate to the
system. Remaining Time Reminder provides remaining time information to clients
on the screen. The administrator can manage the access control to the system via
clients' MAC address in the MAC ACL (Access Control List).

173
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

User Session Control

 Idle Timeout: Configure the time base without activity to deem as idle
timeout.
 Idle Detect Interval: The time interval for checking for whether the idle
criteria are reached. Successive accumulation of idle intervals exceeding the
Idle time configure above, will induce an idle timeout action where the user
will be logged out.
 Traffic Direction for Idle Timeout: The user’s activity inspection may be
checked as uplink or both.
 Threshold for Idle Traffic Detection: Designate the threshold where traffic
flow smaller than the value configured will be considered as being idle.

174
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Charge Traffic to/from Host in Walled Garden List: For usage or volume
type accounts in the On-Demand user database, administrator has the option
to charge or not charge visits to websites that are listed in the walled garden
or walled garden ad list.
 Kick out user when user’s IP change: An option for the administrator
whether or not disconnection is forced by the system whenever a user
changes IP address.
 Log NAT Mapped in User Session Log: To show mapping for each
connection from Private IP/Port to Public IP/Port, this option must be enabled.

Built in RADIUS Server Settings

 Session Timeout: For created sessions generated by users authenticated via
build-in RADIUS server (could be account roaming user), the timeout range
may be configured here manually. Please configure this attribute carefully.
 Idle Timeout: For users authenticated via build-in RADIUS server (could be
account roaming user), the idle timeout range may be configured here
manually. Please configure this attribute carefully.
 Interim Update: For users authenticated via build-in RADIUS server (could
be account roaming user), the accounting interval may be configured here
manually. Please configure this attribute carefully.
 Certificate: Certificate for built-in RADIUS server will be selectable

Remaining Quota Reminder

 Time and Cut-off reminder: This is the option for the system to display a
warning message to On-Demand users that their time based account quota is
about to run out.
 Volume Reminder: This is the option for the system to display a warning
message to On-Demand users that their volume based account quota is about
to run out.
 Reminder Refresh Time: The Login Success page with the remaining quota

175
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

can set to refresh every 10/15/20 minutes to show the updated remaining
quota.

MAC Access Control List

 MAC ACL: The administrator may configure restraining measures to MAC
address, either MAC allow or deny list.

176
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

C. Network

Network: This section is used to configure all the network settings.

1) NAT

The NAT function supports 3 types of network address translation: DMZ

(Demilitarized Zone), Public Accessible Server and IP/Port Forwarding.

Demilitarized Zone

The system supports specific sets of Internal IP address (LAN) to External IP

address (WAN) mapping in the Static Assignments. The External IP Address of the
Automatic WAN IP Assignment is the IP address of External Interface (WAN) that
will change dynamically if WAN Interface is Dynamic. When Assign WAN IP
Automatically is checked, the entered Internal IP Address under will be bound to
the WAN interface. Each Static Assignment could be bound with the chosen
External Interface, WAN. There are specific sets of static Internal IP Address and

177
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

External IP Address available. Internal and External IP Addresses are entered

as a set. After the setup, accessing the WAN will be mapped to access the Internal
IP Address. These settings will become effective immediately after clicking the
Apply button.

Public Accessible Servers

Public Accessible Servers allow the administrator to set virtual servers, so that
client devices outside the managed network can access these servers within the
managed network. Different virtual servers can be configured for different sets of
physical services, such as TCP and UDP services in general. Enter the “External
Service Port”, “Local Server IP Address” and “Local Server Port”. Select
“TCP” or “UDP” for the service’s type. In the Enable column, check the desired
server to enable. These settings will become effective immediately after clicking the
Apply button.

178
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Port & IP Forwarding

This function allows the administrator to set specific sets of the IP addresses at
most for redirection purpose. When the user attempts to connect to a destination IP
address listed here, the connection packet will be converted and redirected to the
corresponding destination. Please enter the “IP Address” and “Port” of
Destination, and the “IP Address” and “Port” of Translated to Destination.
Select “TCP” or “UDP” for the service’s type. These settings will become effective
immediately after clicking Apply.

2) Monitor IP

Multiple IP addresses can be defined in the Monitor IP function. System can monitor
these IP based network devices and periodically report online status via email
based on a configurable interval. These monitored devices can be accessed via
HTTP or HTTPS connection. The management interface of the monitored device can

179
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

be accessed via a hyperlink of device's IP address when the system is operated

under NAT mode.

3) Walled Garden and Walled Garden Ad

This function provides certain free services for users to access the websites listed
here before login and authentication. Specific addresses or domain names of the
websites can be defined in this list. Users without the network access right can still
have a chance to experience the actual network service free of charge. Enter the
website IP Address or Domain Name in the list and click Apply to save the
settings. The Walled Garden List can be backed up or restored.

180
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Walled Garden Advertisements are advertisement links for clients to access

before they are authenticated by the system. For example, guests without the
network access right in hotels can still visit these sites free of charge.

 Click Add to add a new entry. Enter the Domain Name/IP Address/URL and
select the “Active” checkbox. Click Apply, and the items will be added and shown
on the list.
 Display: Choose Display to display advertisement hyperlinks on the login
pages, corresponding to Service Zone configuration.

Note that entries selected as Walled Garden Ad must be a URL and cannot be an
IP address with prefix.
Note that both the checkboxes of walled garden and advertisement check should be
checked for enabling walled garden advertisement feature.

4) Proxy Server

The system provides a Built-in Proxy Server and External Proxy Server function.
After successful authentication, the clients’ will be directed back to the desired
proxy servers.
Basically, a proxy server can help clients access the network resources more
quickly. This section presents basic examples for configuring the proxy server
settings of the HSG WIRELESS HOTSPOT GATEWAY.

 Using Internet Proxy Server

A built in proxy server in the controller can be Enabled, even with a Proxy Server

181
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

placed outside the LAN environment or in the Internet. For example, the following
diagram illustrates how a proxy server of an ISP is used.

Follow the following steps to complete the proxy configuration:

Step 1. Log into the system by using the admin account.
Step 2. Network >> Proxy Server >> Web Proxy Settings page.
Enable the Built-in Proxy Server. Click Apply to save the settings.

Step 3.Enable Proxy Server Settings in Internet Options on Client Stations.

182
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

By enabling the built-in Proxy Server, all traffic is forwarded to the local Proxy
Server on the controller.

Using an External Proxy Server

To specify an External Proxy Server, choose the option “External” and fill in the
appropriate IP address of the Proxy Server and the utilized port.

Follow the following steps to complete the proxy configuration:

Step 1. Log in to the system by using the admin account.
Step 2. Network >> Proxy Server >> Web Proxy Settings. Select
External for Proxy Server. Add the IP address and port number of the
Proxy server into External Proxy Servers setting. Click Apply to save
the settings.
Step 3. Enable Authentication, if the Proxy Server require authentication.

183
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

NOTE
By Enabling the Proxy Server, clients are required to manually check Proxy Server
Settings on client stations’ Internet Options. To apply Transparent Proxy, please use
Port and IP forwarding.

5) Local DNS Record

The administrator could statically assign a Domain Name to IP mappings for all
clients connected to the HSG Wireless Hotspot Gateway’s LAN network. This feature
can be used to dispatch clients to preferred IP address for certain Domain Names.

184
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

6) DDNS

Before activating this function, you must have your Dynamic DNS hostname
registered with a Dynamic DNS provider. HSG WIRELESS HOTSPOT GATEWAY
supports DNS function to create aliases from the dynamic IP address for the WAN
port to a static domain name, allowing the administrator to easily access HSG
Wireless Hotspot Gateway’s WAN. If the dynamic DHCP is activated at the WAN
port, it will update the IP address of the DNS server periodically. These settings will
become effective immediately after clicking Apply.

 DDNS: Enable or disable this function.

 Provider: Select the DNS provider.
 Host name: The IP address/domain name of the WAN port.
 Username/E-mail: The register ID (username or e-mail) for the DNS provider.
 Password/Key: The register password for the DNS provider.

7) Client Mobility

 IP PNP: Enable this feature so devices with static / DHCP IP, DNS, and
Gateways can obtain internet access from the controller.

185
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

F. Utilities

Utilities: This section provides functions for modifying accounts, Backup/Restore

system, Firmware upgrade, Restart service, Network utilities, and Certificate.

1) Administrator Account

This can be used to create, to edit, to remove, and to check administrator account.

The login account for the administrator is "admin". The admin password of the
system can be changed here by clicking the admin Name and entering the original
password and new password. The default admin password of the system is "admin".
The Elementary School’s Name field may also be entered for security purposes in
case the admin username or password has been forgotten. Noted that Email and
Elementary School’s Name should be both empty or both filled.

It also allows the administrator to create other administrator accounts with different
permission.

186
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Admin has authority to change his/her own password or add more accounts to the
admin list to take (some of) the management responsibility.

 Password Complexity enables the admin to limit how the passwords the sub-
admins use should be formed.
Min password Length sets a limit on the minimum length of a password string;
Min password Category allows an admin to define how complex the passwords
of the sub-admins are required. Below shows what each number stands for:

Number Definition
0 passwords will not be checked

187
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

1 Passwords should include at least 1 form

(capitalized letters/ small letters/ digits/
special characters )
2 Passwords should include at least 2 forms
3 Passwords should include at least 3 forms
4 Passwords should include at least 4 forms

 Limit Login Attempts (if enabled): enter the number of times you would like
sub-admins to retry their passwords. If trying out more than this number, the
sub-admins are not allowed to type in strings again.
 Password expiration (if enabled): this is a function for admins to decide the
number of days the password will expire in. A valid period can be defined for
each password, counting from the first login. When a password expires, the
operator will need to setup a new password for future use. Expired passwords
cannot be reused.
 Password Limits (if enabled): it is to determine how many utilized passwords
in the past should be checked. For instance, if the admin enters ‘5,’ the system
will check if the newly added password is identical to one of the five most-recent
ones; if it is, the server would ask the admin to choose a new password string
again.
 Sub-admin creation

188
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Go to the Generate table to create a sub-admin and define his/her authority limits.
In case the administrator forgets his/her password, by entering both email and the
Elementary School Name, the account credential will be email to the assigned email
address. Note that an SMTP Server needs to be setup for the system to send email
reminders.

(There are 6 categories a sub-admin can fall into – Super Group, Manager,
Operator, OnDemand Manager, Custom1, Custom2, and Custom3. Click configure at
the right of the drop-down list to see and modify the differences. Be aware that the
authority limits of ‘Super Group’ are unchangeable.) Create an account to the list by
pressing the Apply button after finishing the settings.

189
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 The admin list serves as a list for admins to track the dynamics of each
management accounts, i.e., the number of the online admins and the state of
each sub-admin.

Please note that only the created sub-admins can be deleted. Check the boxes
to ‘Lock’ or ‘Unlock’ to forbid certain sub-admins to access the management
page. Besides, admin can also click the hyperlinks in the ‘name’ column to edit
admins’/ sub-admins’ related settings.

2) Backup & Restore

This is used to backup and restore system settings. System factory default can also

190
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

be restored.

Click the Backup button under General Backup to save the current system
configurations to a backup file on a local disk of the management console. A backup
file will keep the current system settings as well as the local user accounts.
A backup file can be restored to the system by clicking Browse button to choose
the backup file and then clicking Restore button to execute the process.

Backup can be done periodically over FTP. Enable this feature by clicking on the
Configure button under Period Backup.

191
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Restore System Settings: Click Browse to search for a .db database backup
file created by the controller and click Restore to restore to the same settings
at the time when the backup file was saved. The option of “Keep WAN1 setting
and Management IP Address List” can be selected to retain WAN1 setting for
remote access.
 Reset to Factory Default: Click Reset to load the factory default settings of
the controller.
 Remote Sync Status (WHG311/WHG315): When Enabled, 2 controllers can
synchronize their settings remotely on the LAN network.

3) Certificates

On this tab, administrators have the ability to manage the system certificate, create
Root CA, sign certificates from Root CA, and upload certificate. The "Used By"
column indicates current in use certificates and their corresponding applications. To
further configure the different types of certificates, click the “Pencil” icon.

192
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 System Certificate

This is the certificate that identifies the system. These certificates may be used for
applications such as HTTPS login, CAPWAP, and etc. The Controller has a built-in
Factory Default Certificate (gateway.example.com) that cannot be removed, but
allows certificates to be uploaded. To view details of the certificate, click the
corresponding "View" button. Click "Get CERT" and "Get Key" to download the
certificate and public key onto your local disk.

Internal Root CA

The administrator can generate a root CA for private use. The created root CA
certificate can be downloaded and used to sign certificates generated by the
system. Note that the system only allows one Internal Root CA to be created.

193
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

A root CA certificate may also be uploaded with a matching Private Key.

 Internally Issued Certificates

When an Internal Root CA needs to be created, Internally Issued Certificates can be
signed.

The generated certificate will be listed and the certificate/key pair can be

194
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

downloaded with Get Cert, Get key in View.

 Trusted Certificate Authorities

Apart from self signed certificate and system’s root CA, administrators can also
upload other certificates signed by other CA entities or Trusted CAs into the system.
These trusted root CA certificates are intended for the Controller to recognize and
trust certificates of External Payment Gateway and/or CAPWAP capable APs.

To upload a Trusted CA, click browse and upload a trusted CA certificate from your
local disk into the System.

4) Network Utilities

Some network utilities such as web-based Ping, Trace Route, and ARP table are
supported on the system.

195
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Item Description

IPv4  Ping: It allows administrator to detect a device using IP address or

Host domain name to see if it is alive or not.

 Trace Route: It allows administrator to recover the real path of

packets from the gateway to a destination using IP address or Host
domain name.

 ARPing: Allows the administrator to send ARP request for a specific

IP address or domain name.

 ARP Table: It allows administrator to view the IP-to-Physical

address translation tables used by address resolution protocol
(ARP).

Sniff With this feature the administrator can listen for packets from
selected Interfaces. The administrator can further filter the types of
packets to capture by using tcpdump commands under the
Expression field.

196
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Status When the administrator is executing any Network Utilities features,

the status of the operation is displayed here.

Result The operation result is displayed here.

5) Restart

Click Restart button to restart the system. Please wait for the blinking timer to
finish before accessing the system web management interface again.

6) System Upgrade

The administrator can download the latest firmware from website and upgrade the
system here. Click Browse to search for the firmware file and click Apply for the
firmware upgrade. It may take a few minutes before the upgrade process
completes and the system needs to be restarted afterwards to activate the new
firmware.

When the resource of the system is not enough for upgrade process, system will
request restart and change system to Maintenance mode to ensure the system
upgrade success.

197
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

FTP firmware upgrade is also an option. Enter the FTP server IP address, FTP server
port, and the FTP account name and password, and lastly specify the complete
firmware filename stored on the FTP server that will be used to upgrade the
system.

To upgrade the system firmware, click Browse button to choose the new firmware
file and then click Apply button to execute the process. There will be a prompt
confirmation message appearing to notify the administrator to restart the system
after successful firmware upgrade. (** Firmware upgrade may take up to several
minutes, please wait for the confirmation message)

The system must be rebooted before resetting to factory defaults after firmware
upgrade.

G. Status

Status: Provides information for System Status, Interface Status, Hardware Status,
Routing Table, Online Users, Session List, User Logs and set up Notification
Configuration.

1) System Summary

A display of current settings on the system.

An overview of the system is provided here for the administrator's reference.

198
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

199
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

200
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

General
System The system name. Firmware The present firmware
Name The default name is Version version of HSG
the model number. WIRELESS HOTSPOT
GATEWAY
System Displays for how Build Number The current build
Up Time long the system has number.
operated.
System The local time is NTP Server The network time
Time shown as the server that the system
system time. is set to align.
Preferred IP address of the Alternate IP address of the
DNS preferred DNS DNS Server alternate DNS Server.
Server Server.
Proxy Enabled/disabled Start Page The preset URL upon
Server displays if the URL users’ initial successful
system is currently login.
using the proxy
server.
SNMP Enabled/Disabled Warning of Enabled/Disabled
Internet
Disconnection
Idle The minutes allowed Multiple Enabled/Disabled
Timeout for the users to be Login
inactive before their
account expires
automatically.
Wireless Interface
RF Card A / Tx Power The selected Tx power level
RF Card B Channel The current channel

201
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Band The band status, 2.4G, 5G or disabe

Report
Syslog server 1 The IP address and port number of the external
Syslog Server. N/A means that it is not configured.
Syslog server 2 The IP address and port number of the external
Syslog Server. N/A means that it is not configured.
User Logs Retained The maximum number of days for the system to
Days retain the users’ information.
Receiver The email address to which the traffic history or
Email user’s traffic history information will be sent.
Address
(es)

Click “See Reports” for the following available reports, sorted by interface: Network
Traffic, CPU Load, Memory Usage, Storage Usage, Online Users, Successful Logins,
Sessions, DHCP Leases and DNS Queries. The reports can also be customized to
your preference by selecting the Time range and Interval. These reports can be
sent via email, syslog, or FTP.

2) Interface

A display of the current settings of all network interfaces. Select Interface from the
drop-down menu.

Each service zone represents a virtual system; therefore, the information of the
system's network interface is grouped by service zone.

202
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Item Description
Interface Mode Operating mode of this interface.
(WAN) MAC Address The MAC address of the WAN1 port.
IP Address The IPv4 address of the WAN1 port.
Subnet Mask The Subnet Mask of the WAN1 port.
Service Zone Mode The operation mode of the SZ.
– Default, MAC Address The MAC address of the SZ.
SZ1~SZ4 IP Address The IP address of the SZ.
Subnet Mask The Subnet Mask of the SZ.
Service Zone Status Enable/disable stands for status of the DHCP
– DHCP server in Default Service Zone
Scope WINS IP The WINS server IP on DHCP server. N/A
(Default, Address means that it is not configured.
SZ1~SZ4) Start IP The start IP address of the DHCP IP range.
Address
End IP The end IP address of the DHCP IP range.
address
Lease Time Minutes of the lease time of the IP address.

203
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

3) Monitor Users

All online users/devices will be listed here. The administrator can terminate any
user session by clicking the Kick Out button. Non-login users will be listed here as
well.

 Online Users: Successfully authenticated Local Users.

 Cross Gateway Roaming In User: Roaming Users authenticated at roaming
peer controllers.
 On-Demand Roaming Out User: On-Demand users authenticated at external
controllers via RADIUS protocol.
 Non-Login Local User: Obtained IP address but has not yet authenticated
Local Users.
 MAC Login Devices: Disconnected MAC authenticated devices need not be re-
plugged physically, and can be MAC authenticated on the MAC Login Devices
List

4) Process Monitor

The Process Monitor is a network utility that shows the active status of process
daemons on the gateway. Administrators can choose to Enable or Disable the
Process Monitor by clicking the radio button.

204
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

5) Logs & Reports

This page is used to check the traffic history of the system which includes Logs such
as Configuration Change Log, Local Web Log, RADIUS Server Log, System Log and
UAMD Log. User logs are summarized in User Events, and the system also keeps a
cumulated record of the traffic data generated by each user in the latest calendar
month. However, since all these information are stored on volatile memory, they
will be lost during a restart/reboot operation. Therefore if the log information needs
to be documented, the administrator will need to make back up manually.

 Configuration Change Log: This page shows the account, and IP of the person
that has made changes to Controllers WMI configurations.
 Local Monthly Usage: The system keeps a cumulated record of the traffic data
generated by each Local user in the latest 2 calendar months. Each line in a
monthly network usage of local user record consists of 6 fields, System Name,
Connection Time Usage, Packets In, Bytes In, Packets Out and Bytes Out.
 Local Web Log: This page shows which of the web pages have been accessed on
the Controllers built-in web server.
 On-Demand Billing Report: This page is a summary of On-Demand account

205
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

transactions.
 RADIUS Server Log: This page displays the RADIUS messages that pass through
the controller.
 SIP Call Usage: The log provides the login and logout activities of SIP clients
(device and soft clients) such as Start Time, Caller, Callee and Duration (seconds)
 System Log: This page displays system related logs for event tracing.
 UAMD Log: Displays the UAM related information output from the UAM daemon.
 User Events: Displays all user related information customizable to administrator's
preference.

The "Download" button downloads the displayed User Events into a comma
separated .txt file, which can be imported into cells (MS Excel).

Note that different User Types contain different user information. Categories will be
left blank if inapplicable to the User Type.

Applicable User Event categories for Local Users:

Date, Type, Name, IP, IPv6, MAC, Pkts In, Bytes In, Pkts Out, Bytes Out,
VLAN ID, Group, Policy, MaxDnLoad, MaxUpload, ReqDnLoad, and
ReqUpload.

Applicable User Event categories for On-Demand Users:

206
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

Date, System Name, Type, Name, Unit, Price, Total Price, IP, IPv6, MAC,
Pkts In, Bytes In, Pkts Out, Bytes Out, Activation Time, 1st Login
Expiration Time, Account Valid Through, Remark, VLAN ID, Group, Policy,
MaxDnLoad, MaxUpload, ReqDnLoad, and ReqUpload.

Applicable User Event categories for Roaming Out Users:

Date, Type, Name, NSID, NASIP, NASPort, UserMAC, SessionID,
SessionTime, Bytes in, Bytes Out, Pkts In, Pkts Out and Message.

Applicable User Event Categories for Roaming In Users:

Date, Type, Name, NSID, NASIP, NASPort, UserMAC, UserIP, SessionID,
SessionTime, Bytes in, Bytes Out, Pkts In, Pkts Out and Message.
 Wireless Log: Displays all wireless related information.

6) Reporting

HSG WIRELESS HOTSPOT GATEWAY can automatically send various kinds of user
and/or system related reports to configured E-mail addresses, SYSLOG Servers, or
FTP Server.

Notification Settings Page:

This configuration page allows the selection of log types to send, either to
preconfigured E-mail, SYSLOG Servers or FTP Server based on the chosen time
Interval.

 Sending Logs to E-mail

The following log types can be sent to E-mail addresses configured in “SMTP
Settings”: Monitor IP Report, Users Log, On-Demand Users Log, Trial Users Log,
Roaming Out Users Log, Roaming In Users Log, External User Log, Session Log,
Firewall Log, Local Area AP Status Change, On-Demand User Billing Report,
Wide Area AP Status Change, and Configuration Change Log. The numbers 1 to

207
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

5 represent the corresponding E-mail addresses configured in “SMTP Settings”.

Click the desired E-mail address profile (1 ~ 5) and select the time interval for
sending a report or log.

 Detail: Clicking this radio button allows the configuration of the E-mail subject
for the corresponding log.
 Send: Clicking this radio button sends a test log to the selected E-mail address.

208
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Sending Logs to SYSLOG

The following log types can be sent to external SYSLOG servers configured in
“SYSLOG Settings”: Local Users Log, On-Demand Users Log, Trial Users Log,
Roaming Out Users Log, Roaming In Users Log, External User Log, Session Log,
Firewall Log, Local HTTP Web Log, HTTP Web Log and DHCP Server Log. Click
the desired log type and select the time interval for sending log.

 Detail: Clicking this button allows the configuration of SYSLOG attributes such
as Tag, Severity and Facility which will be assigned to the corresponding log to
meet the filtering requirements on the SYSLOG Server.
Note: The “System Log” option needs to be enabled under SYSLOG Settings in
order to send the selected logs to the configured SYSLOG Servers.

 Sending Logs to FTP

The following log types can be sent to external FTP servers configured in “FTP
Settings”: Local Users Log, On-Demand Users Log, Trial Users Log, Roaming Out
Users Log, Roaming In Users Log, External User Log, Session Log, On-Demand
Billing Report Log, Wide Area AP Report, Local HTTP Web Log, HTTP Web Log,
Configuration Change Log, DHCP Lease Log, System Report and Traffic Report.
Click the desired log type and select the time interval for sending log.

Detail: Clicking this button allows the specification of the FTP server folder where
the logs sent will be stored on the FTP server.

Note: The outputted log files to the FTP server will be named according to the
format $Topic_$ExtraDesc_$SystemName_$Date_Time.txt. For example:
HTTPWebLog_GW1_2010-10-15_0800.txt

 FTP Settings: Allows the configuration of an external FTP Server where selected
users logs as well as system logs will be sent to.

209
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

FTP Settings Page:

 FTP Destination: This specifies the IP address and port number of your FTP
server. If your FTP needs authentication, enter the Username and Password. The
“Send Test File” button can be used to send a test log for testing your current FTP
destination settings.

 SMTP Settings: Allows the configuration of 5 recipient E-mail addresses and

necessary mail server settings where various user related logs will be sent to.

210
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 SMTP Server: Enter the IP address of the sender’s SMTP server.

 SMTP Port: By default the port number is 25. Administrator can specify other
ports if the SMTP server runs SMTP over SSL.
 Encryption: Enable this option if your SMTP server runs SMTP over TLS or SSL.
 SMTP Authentication: The system provides four authentication methods, Plain,
Login, CRAM-MD5 and NTLMv1, or “None” to use none of the above.
Depending on which authentication method is selected, enter the Account
Name, Password and Domain.
 NTLMv1 is not currently available for general use.
 Plain and CRAM-MD5 are standardized authentication mechanisms while
Login and NTLMv1 are Microsoft proprietary mechanisms. Only Plain and
Login can use a UNIX login and password. Netscape uses Plain. Outlook
and Outlook express use Login as default, although they can be set to use
NTLMv1.
 Pegasus uses CRAM-MD5 or Login but which method to be used can not
be configured.
 Sender E-mail Address: The e-mail address of the administrator in charge of
the monitoring. This will show up as the sender’s e-mail.
 Receiver E-mail Address (1 ~ 5): Up to 5 E-mail addresses can be set up here
to receive notifications.

 SYSLOG Settings: Allows the configuration of two external SYSLOG servers

where selected users logs as well as system logs will be sent to.
SYSLOG settings page:

211
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 SYSLOG Destinations: Up to two external SYSLOG servers may be configured.

Please enter the IP address and port number of the external SYSLOG server
here.
 System Log: This controls the enabling/disabling of the SYSLOG logging
feature. When enabled, the selected logs from “Notification Settings” will be
sent to the SYSLOG server configured above. However, when disabled, no logs
will be sent to the SYSLOG server configured above.

7) Session List

This page allows the administrator to inspect sessions currently established

between a client and the system. Each result displays the IP and Port values of the
Source and Destination. You may define the filter conditions and display only the
results you desire.

212
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

8) DHCP Lease

The DHCP IP lease information can be viewed on this page.

 Statistics of IP Offered
Valid lease counts of the Last 10 Minutes, Hours and Days are shown here. The
header 1 ~ 10 are the unit multipliers. For instance the number under column 2
indicates the lease count in the last 20 minutes/hours/days, the number under
column 3 indicated the lease count in the last 30 minutes/hours/days and so on.

 Statistics of IP Expired
IP leased to clients that have expired in the Last 10 Minutes, Hours and Days
are shown here. The header 1 ~ 10 are the unit multipliers. For instance the
number under column 2 indicates the expired count in the last 20
minutes/hours/days, the number under column 3 indicates the expired count in the
last 30 minutes/hours/days and so on.

 DHCP Lease Log

The DHCP Lease Log is displayed here and a search can be performed by IP
Address, MAC Address or Service Zone.

213
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 DHCP Lease List

Valid IP addresses issued from the DHCP Server and related information of the
client using this IP address is displayed here.

9) Routing Table

The routing table lists all IPv4 Route rules. The System Route rules are shown here
as well. The Policy Route rule has higher priority than the Global Policy route rule,
and the System Route rule has the lowest priority.

214
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

 Policy 1~n: Shows the information of the individual Policy from 1 to n.

 Global Policy: Shows the information of the Global Policy.
 System: Shows the information of the system administration.
 Destination: The destination IP address of the device.
 Subnet Mask: The Subnet Mask IP address of the port.
 Gateway: The Gateway IP address of the port.
 Interface: The choice of interface network, including WAN1, WAN2, Default,
or the named Service Zones to be applied for the traffic interface.

P/N: V10000201601020

215
 User’s Manual
HSG326 Wireless Hotspot Gateway ENGLISH

216