Edgecore MAN EWSSeries 3.45
EWS-Series Controller
Version 3.45.00
Copyright Notification
Disclaimer
Edgecore, INC. does not assume any liability arising out of the application or use of any products, or
software described herein. Neither does it convey any license under its patent rights nor the patent
rights of others. Edgecore further reserves the right to make changes in any products described herein
without notice. The publication is subject to change without notice.
Trademarks
Edgecore is a registered trademark of Edgecore, INC. Other trademarks mentioned in this publication are
used for identification purposes only and may be properties of their respective owners.
FCC CAUTION
EWS100
This equipment has been tested and proven to comply with the limits for a class B digital device, pursuant to
part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful
interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy
and, if not installed and used in accordance with the instructions, may cause harmful interference to radio
communications. However, there is no guarantee that interference will not occur in a particular installation. If
this equipment does cause harmful interference to radio or television reception, which can be determined by
turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of
the following measures:
---Reorient or relocate the receiving antenna.
---Increase the separation between the equipment and receiver.
---Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
---Consult the dealer or an experienced radio/TV technician for help.
Table of Contents
Chapter 1. Introduction ........................................................................ 1
1.1 EWS WLAN Gateway-Controller Series ...................................................... 1
1.2 EWS Controller Models ............................................................................ 3
1.3 Edgecore Solution Overview .................................................................... 3
1.4 Key Terms & Concepts ............................................................................ 5
1.5 Recommended Configuration Sequence ..................................................... 8
1.5.1 Common Settings .................................................................... 8
1.5.2 Advanced Settings and Application ............................................ 8
Chapter 2. WMI & Setup Wizard ......................................................... 10
2.1. Web Management Interface ............................................................. 10
2.2 Running the Wizard .............................................................................. 12
Chapter 3. Basic Network Settings ..................................................... 16
3.1. Network Planning ........................................................................... 16
3.2. Uplink (WAN side) Configuration ...................................................... 19
3.2.1 WAN Settings .................................................................... 19
3.2.2. Dual Uplink ....................................................................... 20
3.2.3. WAN Port Selection for dual WAN1 / WAN2 models ................. 22
3.2.4. WAN Traffic Control ............................................................ 23
3.2.5. Uplink Detection & Failover .................................................. 24
3.3. Downlink (LAN side) VLAN option ..................................................... 26
3.3.1. Port-Based Service Zone ..................................................... 26
3.3.2. Tag-Based Service Zone ...................................................... 27
Chapter 4. User Authentication Database ........................................... 28
4.1. Authentication Database Configuration .............................................. 28
4.2. Built-in Authentication Databases .......................................................... 30
4.2.1. Local User Database ............................................................. 30
4.2.2. On-Demand User Database ................................................... 33
4.2.3. The Guest Authentication Option ............................................ 38
4.2.4. One Time Password .............................................................. 43
4.3. External Authentication Options ............................................................ 44
4.3.1. RADIUS............................................................................... 44
4.3.2. POP3 .................................................................................. 47
4.3.3. LDAP .................................................................................. 48
4.3.4. NT Domain .......................................................................... 48
4.3.5. SIP ..................................................................................... 49
4.3.6. Social Media ........................................................................ 51
Chapter 5. Group Attributes & Policy Rules......................................... 54
5.1 Overview of the Concept ....................................................................... 54
5.2 Practical Setups of Group and Policies ..................................................... 56
Chapter 6. Basic Service Zone Configuration ...................................... 63
6.1 The Concept of Service Zone ................................................................. 63
6.2 Service Zone Setup .............................................................................. 63
6.2.1. Tag-based or Port-based Service Zones ................................... 63
6.2.2. NAT Mode or Router Mode ................................................... 66
6.2.3. Service Zone Network Interface ............................................. 66
6.2.4. DHCP Server options ............................................................ 67
6.2.5. Authentication Options .......................................................... 68
6.2.6. Captive Portal Customization ................................................. 71
Chapter 7. Basic AP Management ....................................................... 74
7.1. Introduction .................................................................................. 74
7.2 Local Area AP Management.................................................................... 76
7.2.1 AP List ................................................................................. 77
7.2.2 AP Adding and Configuration Applying ...................................... 78
7.2.3 Templates Configuration ......................................................... 80
7.2.4. AP Firmware Management ..................................................... 82
7.2.5 WDS Links ............................................................................ 83
7.2.6 Rogue AP Scanning ................................................................ 85
7.2.7 AP Load Balancing Feature ..................................................... 86
7.3 Wide Area AP Management .................................................................... 88
7.3.1. Adding an Access Point ......................................................... 89
7.3.2. AP Discovery to find Multiple Access Points .............................. 89
7.3.3 AP Configuration with Templates ............................................. 90
7.3.4 AP auto Discovery and Configuration using CAPWAP .................. 91
7.3.5 Tunneled VAP Location Mapping Setup ..................................... 97
7.3.6 Access Points Monitoring on Google Map .................................. 98
7.3.7 AP Grouping ........................................................................ 104
7.3.8 Rogue AP Scanning ............................................................... 106
7.3.9 AP Load Balancing Feature .................................................... 107
Chapter 8. Advanced Settings for Network Environment ........................ 110
8.1 IPv4 / IPv6 Dual Stack Network ............................................................ 110
8.2 User Access Control ............................................................................. 114
8.3 Certification ........................................................................................ 117
8.3.1. System Certificate ............................................................... 117
8.3.2. Internal Root CA ................................................................. 119
8.3.3. Internally Issued Certificate ................................................ 120
8.3.4. Trusted Certificate Authorities ............................................. 120
8.4 Management Access ............................................................................ 121
Chapter 9. Utilities for Controller Management ................................. 122
9.1 EWS Controller Management ................................................................ 122
9.2 Configuration Backup & Restore ............................................................ 124
9.3 Firmware Upgrade ............................................................................... 126
9.4 Restart............................................................................................... 126
Chapter 10. Reports and Logs for Monitoring ..................................... 128
10.1 System Related Status ................................................................... 128
10.1.1 The Dashboard ................................................................... 128
10.1.2 System Summary ............................................................... 129
10.1.3 Network Interface ............................................................... 131
10.1.4 Routing ............................................................................ 132
10.1.5 DHCP Server .................................................................... 133
10.2 Client Related Status ..................................................................... 134
10.2.1 Online User ...................................................................... 134
10.2.2 Associated Non Login Users ................................................ 135
10.2.3 Cross Gateway Roaming Users ............................................ 136
10.2.4 On-Demand Roaming Out Users .......................................... 136
10.2.5 MAC Login Devices ............................................................ 136
10.2.6 Authenticated Users .......................................................... 137
10.2.7 Smart Login Users ............................................................. 138
10.2.8 Session List ...................................................................... 138
10.3 Logs and Reports .......................................................................... 140
10.3.1 System Related ................................................................. 140
10.3.2 User Events ...................................................................... 141
10.4 Reports & Notification .................................................................... 142
Chapter 11. Hotspot Application ......................................................... 145
11.1 On-Demand Billing Plans ................................................................ 145
11.2 On-Demand Billing Plan Types ............................................................. 146
11.2.1 Usage-time with Expiration Time .......................................... 146
11.2.2. Usage-time with No Expiration Time .................................... 148
11.2.3. Hotel Cut-off-time.............................................................. 150
11.2.4. Volume............................................................................. 151
11.2.5. Duration-time with Elapsed Time ......................................... 153
11.2.6. Duration-time with Cut-off Time .......................................... 155
11.2.7. Duration-time with Begin-and-End Time ............................... 156
11.3 POS Printer Setup ......................................................................... 157
11.4 Customizing POS Tickets ................................................................ 161
11.5 Creating Accounts ......................................................................... 165
11.6 User Self Service ........................................................................... 167
Chapter 12. PMS Integration .............................................................. 172
12.1 Hotel Room Location Mapping ......................................................... 172
12.2 PMS Configuration ......................................................................... 174
Chapter 13. Account Roaming............................................................. 177
13.1 Roaming Related ........................................................................... 177
13.2 WISPr for ISP Roaming ...................................................................... 177
13.3 Cross Gateway Roaming ..................................................................... 179
13.4 Local / On-Demand Account Roaming Out ............................................ 180
Chapter 14. VPN ................................................................................. 183
14.1 Site-to-Site................................................................................... 183
14.2 Remote Client ............................................................................... 185
Chapter 15. Switch Management ........................................................ 187
15.1 Switch List .................................................................................... 187
15.2 PoE Schedule Template .................................................................. 188
15.3 Backup Configuration ..................................................................... 189
Chapter 16. Platform Dependent Features .......................................... 190
16.1 High Availability (HA) (EWS5203, EWS5204, EWS5207) ..................... 190
16.2 WiFi Monitor (EWS5203, EWS5204, EWS5207) ................................. 192
16.2.1. Add a Floor Plan ................................................................ 192
16.2.2. Simulation AP ................................................................... 194
16.2.3. AP Monitoring on floorplan .................................................. 196
Appendix A. EWS Models & Installation .............................................. 198
Appendix B. External Pages ................................................................ 203
Appendix C. Useful Management & Evaluation Tools ............................ 216
Appendix D. On-Demand Account Types ............................................... 218
Appendix E. UI Reference Index ........................................................... 224
I. Dashboard ................................................................................ 224
II. Setup Wizard ........................................................................... 225
A. System.................................................................................... 226
1) General ................................................................................... 226
2) WAN 229
3) IPv6 231
4) LAN Ports ................................................................................ 231
5) MGMT Port ............................................................................... 232
6) High Availability ........................................................................ 232
7) Service Zones .......................................................................... 233
8) Port Location Mapping ............................................................... 239
9) PMS Interface .......................................................................... 242
B. Users ...................................................................................... 244
1) Groups .................................................................................... 244
2) Internal Authentication .............................................................. 245
a) Local Authentication .......................................................... 246
b) On-Demand Authentication ................................................ 247
c) Guest Authentication ......................................................... 253
d) One Time Password ........................................................... 254
3) External Authentication ............................................................. 255
a) Social Media Authentication ................................................ 255
4) On-Demand Accounts................................................................ 256
5) Schedule ................................................................................. 257
6) Policies .................................................................................... 257
7) Blacklists ................................................................................. 259
8) Privilege Lists ........................................................................... 260
9) Additional Control ..................................................................... 260
C. Devices ................................................................................... 263
1) Local Area AP Management ........................................................ 263
a) Overview ................................................................................. 263
b) List 263
c) Adding ..................................................................................... 264
d) Discovery ................................................................................ 265
e) Templates ................................................................................ 266
f) Firmware.................................................................................. 272
g) Upgrade .................................................................................. 273
h) WDS Management .................................................................... 274
i) Rogue AP Detection ................................................................... 274
j) AP Load Balancing ..................................................................... 276
2) Wide Area AP Management ........................................................ 277
a) AP List ..................................................................................... 277
b) AP Grouping ............................................................................. 280
c) Map 287
d) Discovery ................................................................................ 289
e) Adding .................................................................................... 290
f) Template .................................................................................. 291
g) WDS List ................................................................................. 297
h) Backup Config .......................................................................... 298
i) Firmware .................................................................................. 298
j) CAPWAP ................................................................................... 299
k) Rogue AP Detection................................................................... 300
l) AP Load Balancing ..................................................................... 300
m) Third Party AP Management ...................................................... 301
3) Switches .................................................................................. 303
a) Switch List ............................................................................... 303
b) PoE Schedule Template .............................................................. 303
c) Backup Configuration ................................................................ 305
E. Network................................................................................... 306
1) NAT 306
2) Monitor IP................................................................................ 308
3) Walled Garden and Walled Garden Ad.......................................... 308
4) VPN 309
5) Proxy Server ............................................................................ 310
6) Local DNS Record ..................................................................... 313
7) Dynamic Routing ...................................................................... 313
8) DDNS ...................................................................................... 317
9) Client Mobility .......................................................................... 318
F. Utilities .................................................................................... 319
1) Administrator Account ............................................................... 319
2) Backup & Restore ..................................................................... 322
3) Certificates .............................................................................. 324
4) Network Utilities ....................................................................... 326
5) Restart .................................................................................... 328
6) System Upgrade ....................................................................... 328
G. Status ..................................................................................... 329
1) System Summary ..................................................................... 329
2) Interface ................................................................................. 331
3) Monitor Users ........................................................................... 333
4) WiFi Monitor............................................................................. 333
6) Process Monitor ........................................................................ 336
7) Logs & Reports ......................................................................... 336
8) Reporting ................................................................................ 338
9) Session List ............................................................................. 345
10) DHCP Lease ........................................................................... 345
11) Routing Table ......................................................................... 347
Chapter 1. Introduction
1.1 EWS WLAN Gateway-Controller Series
Edgecore EWS WLAN Gateway-Controllers are feature-rich network edge devices designed for network
service provisioning, authentication, security, and management. Depending on the scale of deployment,
there is a selection of Edgecore EWS WLAN Gateway-Controller models to meet network demands at
various capacities.
Edgecore EWS Controllers are designed to cater for the fundamental needs of any network environment,
namely AAA: Authentication, Authorization, and Accounting. With Edgecore EWS Controllers, users are
authenticated and assigned a user role; that role then defines the user's accessible network segments and
the user's network portfolio, including accessible time, QoS, routing rules, firewall rules, usage terms and
privileges, which are collectively known as authorization. Finally, accounting is performed by Edgecore
EWS Controllers periodically while a client is using the network, updating the accounting information for
this client in either the internal user database or an external user database, depending on deployment.
Wireless network provisioning is no easy task once the scale reaches multiple AP deployments.
Edgecore EWS Controllers are equipped with comprehensive AP management features that cover not only
Edgecore AP devices deployed locally under the Local Area Network (LAN) but also Edgecore AP devices
deployed remotely in the Wide Area Network (WAN), relative to the location of your Edgecore EWS
Controllers. Furthermore, through a 3rd-party AP management interface, Edgecore EWS Controllers are
capable of performing generic AP management functions for non-Edgecore APs, including associated
online user monitoring, a shortcut to the AP's GUI, and location planning.
Network safety and traffic control are other big areas of concern for network owners and hoteliers, as these
are major factors in determining the quality and stability of the network environment as a whole.
Edgecore EWS Controllers address these needs with the following major features: static and dynamic
routing for optimized path selection, QoS mapping for enforcing bandwidth control on each individual user,
system uplink bandwidth control, and customizable firewall protocols and rules.
Common networking features come well packed into the Edgecore EWS Controllers: three varieties of
NAT function, a Walled Garden for free website surfing, a network device monitoring tool, static DNS
translation, a Proxy Server, VPN and more. Edgecore EWS Controllers simplify network deployment by
incorporating multiple networking features into one device, avoiding the need to set up external NAT
servers, proxy servers, VPN gateways, etc., thereby reducing deployment complexity.
Network maintenance and monitoring tasks are made easy with built-in displays of system traffic, system
resource utilization such as CPU usage and memory consumption, online user records, DHCP lease records,
and more. Event logs can be sent to external servers for long-term record keeping or in-depth analysis.
1.2 EWS Controller Models
The Edgecore EWS Controller product line comes with the following models, targeting
network deployments of varying scale.
Note: Edgecore may continue to introduce new platforms, and may retire old
platforms, please refer to our website http://www.Edgecore.com for the latest
product line status. For more detailed listing of each model hardware and
installation know how, please refer to Appendix A.
1.3 Edgecore Solution Overview
Layer 2 networks are a relatively simple deployment topology that spans physically
under the LAN ports of Edgecore EWS Controllers; two deployment scenarios are
illustrated below.
【Layer 2 Network in Port Based Mode】
Layer 3 networks not only span physically under the LAN ports of the Edgecore EWS
Controller; they can also reach across different IP networks to manage remote sites
that have routable IP addresses, via tunnels.
【Layer 3 Network with tunnels】
1.4 Key Terms & Concepts
Local User is a type of user whose account credential is stored in the Edgecore
EWS Controller's built-in database named "Local". The capacity of the "Local"
database varies by model. A local user account does not have an expiration date
once it is created; if the administrator wishes to delete local accounts, this must
be done manually from the Web Management Interface. In addition, the Edgecore EWS
Controller's Local database can be configured as an external RADIUS database for
another Edgecore EWS Controller for account roaming.
EWS Controller's "On-Demand" database capacity varies by model. On-Demand Users
are designed for short-term usage; their accounts have time or volume constraints
and an expiration period. An On-Demand account record is recycled for creating a
new On-Demand account once it has been expired for over 15 days or has been deleted
manually by the Administrator/Manager. In addition, the Edgecore EWS Controller's
On-Demand database can be configured as an external RADIUS database for another
Edgecore EWS Controller for account roaming.
Service Zone is a logical partition of the Edgecore EWS Controller's LAN. Conceptually
a Service Zone is a virtual gateway with a customizable login portal page and its own
gateway properties (such as LAN IP address, DHCP server settings, authentication
options, etc.). With up to nine independent Service Zone profiles, an Edgecore EWS
Controller can service multiple hotspot franchises with a single device.
Group is a user role profile which defines the accessibility of a user to different
Service Zones and in turn defines the QoS properties and network policy applied
when access is granted. Every connected user belongs to a Group, determined by the
type of user account used for authentication. If the administrator does not assign
a new account to any specific Group, or for users not required to authenticate, the
user belongs to a catch-all group named "None" by default.
Policy is the second tier of user control once a user's Group has been determined.
A Policy defines the firewall rules, privileges, login schedule, routing rules and
session limit that are enforced on users of a particular Group. A user may belong
to only one Group but can be governed by different Policies while accessing
different Service Zones.
Users belonging to the "None" group, or users not explicitly assigned a network
Policy, are governed by a default catch-all policy named "Global-Policy".
Global-Policy is the base policy applied to every user to whom no other policy
applies.
The following figure is an example that depicts the relationship between Service
Zone, Group and Policy. In this example, students and faculty logging into Service
Zone 1 are governed by Policy-A. Guests only have access to Service Zone 3 and are
bound by Policy-C. Faculty have access to both Service Zone 1 and Service Zone 2,
under two different policies.
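The Group and Policy lookup described in this section, worked through as an added example. This is illustration code written for this manual's text, not code from the Edgecore EWS Controller; the group names, Service Zones and Policy bindings are constructed to match the campus figure above (plus one extra grant, Students in Service Zone 3 with no explicit Policy, to show the Global-Policy fallback). The manual does not say whether an account that was never assigned a Group may enter a Service Zone that requires authentication; the code assumes it may and marks that assumption in a comment.

```python
from __future__ import annotations

from dataclasses import dataclass, field

GLOBAL_POLICY = "Global-Policy"   # base policy when nothing more specific applies
NONE_GROUP = "None"               # catch-all Group for unassigned / unauthenticated users


@dataclass
class ServiceZone:
    name: str
    authentication_required: bool = True
    # Groups granted access to this zone (a Group defines zone accessibility).
    allowed_groups: frozenset[str] = frozenset()
    # Policy bound to each Group in this zone; the same Group may be bound to a
    # different Policy in another zone.
    policy_by_group: dict[str, str] = field(default_factory=dict)


@dataclass
class Account:
    username: str
    group: str | None = None  # None: the administrator never assigned a Group


class AccessDenied(Exception):
    """The client's Group is not granted access to the requested Service Zone."""


def effective_group(account: Account | None) -> str:
    """Unauthenticated clients and accounts without a Group land in "None"."""
    if account is None or account.group is None:
        return NONE_GROUP
    return account.group


def resolve_policy(zone: ServiceZone, account: Account | None) -> tuple[str, str]:
    """Return the (group, policy) pair enforced on this client in this zone.

    Lookup order follows the manual: Group first (from the account), then the
    Policy bound to that Group in this particular Service Zone, falling back to
    Global-Policy when no explicit binding exists.
    """
    group = effective_group(account)
    if zone.authentication_required:
        if account is None:
            raise AccessDenied(f"{zone.name} requires authentication")
        # Assumption (not stated in the manual): accounts in the "None" group are
        # admitted to an authenticated zone and simply receive Global-Policy.
        if group != NONE_GROUP and group not in zone.allowed_groups:
            raise AccessDenied(f"group {group!r} is not allowed into {zone.name}")
    return group, zone.policy_by_group.get(group, GLOBAL_POLICY)


def is_allowed(zone: ServiceZone, account: Account | None) -> bool:
    try:
        resolve_policy(zone, account)
    except AccessDenied:
        return False
    return True


# Constructed configuration: not a real controller configuration.
ZONES = {
    "Service Zone 1": ServiceZone("Service Zone 1", True, frozenset({"Students", "Faculty"}),
                                  {"Students": "Policy-A", "Faculty": "Policy-A"}),
    "Service Zone 2": ServiceZone("Service Zone 2", True, frozenset({"Faculty"}),
                                  {"Faculty": "Policy-B"}),
    "Service Zone 3": ServiceZone("Service Zone 3", True, frozenset({"Guests", "Students"}),
                                  {"Guests": "Policy-C"}),
    # Open zone: no login required, so every client is in "None".
    "Lobby": ServiceZone("Lobby", authentication_required=False),
}
ACCOUNTS = {
    "alice": Account("alice", "Students"),
    "bob": Account("bob", "Faculty"),
    "visitor": Account("visitor", "Guests"),
    "orphan": Account("orphan"),  # created without a Group
}


def campus_example() -> dict[str, str]:
    """Summarize which Policy each client gets in each zone."""
    results: dict[str, str] = {}
    for zname, zone in ZONES.items():
        for uname, acct in [*ACCOUNTS.items(), ("(unauthenticated)", None)]:
            try:
                group, policy = resolve_policy(zone, acct)
                results[f"{uname}@{zname}"] = f"{group} -> {policy}"
            except AccessDenied as exc:
                results[f"{uname}@{zname}"] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for key, outcome in campus_example().items():
        print(f"{key:32} {outcome}")
```

Running it shows the two points the text makes: bob (Faculty) gets Policy-A in Service Zone 1 but Policy-B in Service Zone 2, and alice (Students) falls back to Global-Policy in Service Zone 3 because no Policy was bound to Students there, which is exactly the case to watch for when auditing a controller, since Global-Policy is typically the most permissive rule set.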
1.5 Recommended Configuration Sequence
1.5.1 Common Settings
1. Set up the system's Time Zone, NTP server, DNS server and WAN1 address.
2. Configure the LAN address range for at least one Service Zone, and enable its
authentication.
3. Create user accounts and test the login page over a wired connection in the
enabled Service Zone.
4. Generate an On-Demand user and test the account.
5. Configure the Wireless Settings of the Service Zone and add APs.
6. Configure the remaining Service Zones required by your applications.
7. Set up Groups and Policies (including firewall rules and session limits).
8. Customize the portal login page and add Walled Garden advertisement links if
needed.
9. Set up a payment gateway to allow end-user credit card self-payment for
On-Demand accounts, if needed.
10. Load an SSL certificate for the web server before putting the system into
operation.
11. Monitor the generated status pages and reports.
12. Perform other advanced settings for specific applications.
1.5.2 Advanced Settings and Application
Customers who need to fulfil specific applications, integrate with 3rd-party
devices, customize the system, etc. should refer to Chapters 11 and beyond for
advanced feature setup.
Chapter 2. WMI & Setup Wizard
2.1 Web Management Interface
Upon first login, the system prompts the administrator to change the password to
enforce system security. The password needs to be at least 6 characters long and
include at least one letter and one number.
Refer to Appendix E, part F (Utilities), 1) Administrator Account for details on
admin account configuration.
The Dashboard page is as shown below after a successful administrator login.
NOTE
1. To logout, simply click the Logout icon on the upper right corner of the
interface to return to the login screen.
2.2 Running the Wizard
The Setup Wizard provides a collection of configuration steps which are essential in
the setup and operation of your network with minimum configurations.
To quickly configure EWS by using the Setup Wizard, click on the Setup Wizard
button on the top right corner of the WMI homepage to start the configuration
process.
Step 1. General
Select an appropriate time zone from the Time Zone drop-down list.
Click Next to continue.
Step 3. Add Local User Account (Optional)
A new user can be added to the Local User database. To add a user here,
enter the Username (e.g. testuser), Password (e.g. testuser), and assign
an Applied Group to this particular user (or use the default Group 1).
Click Next to continue.
Step 4. Confirm and Restart EWS
Click Finish to save current settings and restart the system.
A confirmation dialog box will then appear. Click OK to continue.
A Confirm and Restart message will appear on the screen during the restart process. Please do not interrupt the system until the Administrator Login Page appears.
Please do NOT interrupt the EWS restart process until the admin login page reappears; this indicates that the restart process has been completed.
Chapter 3. Basic Network Settings
Before installing the Edgecore EWS Controller, careful network planning is required
in order to meet the networking needs with the most efficient utilization of network
resources. IT staff of any organization should assess the available network
resources at hand, and design a suitable network topology with resiliency, capacity,
and survivability in mind.
Layer 2 Topology
This network topology aims to build a managed Local Area Network (LAN) with both wired and wireless capabilities to provide network services to a limited physical area such as an office building, hotel, or school premises.
Layer 2 Network Design Guidelines
Always connect hierarchically. If there are multiple switches in a building, use an
aggregation switch.
Locate the aggregation switch close to the network core (e.g. mainframe
housing)
Locate edge switches close to users (e.g. one per floor)
Layer 3 Topology
This network topology aims to build a managed Local Area Network (LAN) with both wired and wireless capabilities to provide network services to local and remote physical areas such as enterprise buildings, hotel chains, or college campuses.
Remote site’s device (Edgecore AP or Edgecore EWS Controller) uplink should
either have a public IP address or an IP address in the same subnet as the
main EWS Controller’s WAN IP address.
3.2. Uplink (WAN side) Configuration
Depending on the ISP device that the WAN port connects to, you need to select the applicable connection type. For example, if your ISP's cable modem issues addresses dynamically, select the Dynamic connection type.
Static: Manually specify the IP address of the WAN Port. The fields with red asterisks are required.
Dynamic: Only applicable in a network environment where a DHCP server is available on the upstream network. Click the Renew button to obtain an IP address automatically.
PPPoE: If your ISP provides a PPPoE dial-up connection, the ISP will issue you an account with a password. Enter these account credentials in the WAN configuration page to dial up to the ISP.
PPTP: Although not a popular method, the PPTP protocol for dial-up connections is adopted by some ISPs (in European countries). Your PPTP ISP will issue you an account with a password as well as the PPTP server address.
NOTE
1. When in doubt, please consult your ISP provider regarding details of your
subscribed uplink service.
EWS Controllers are designed with 2 WAN ports for load balancing and
failover support. WAN2 can be enabled for service once WAN1 connection is
established.
If you would like to use a second Internet feed, select one of the three
connection types applicable to WAN2 port: Static, Dynamic, and PPPoE.
The Physical Mode of the WAN2 port can be selected.
Static: Manually specify the IP address of the WAN Port. The fields with red asterisks are required.
Dynamic: Only applicable in a network environment where a DHCP server is available on the upstream network. Click the Renew button to obtain an IP address automatically.
PPPoE: If your ISP provides a PPPoE dial-up connection, the ISP will issue you an account with a password. Enter these account credentials in the WAN configuration page to dial up to the ISP.
NOTE
1. When in doubt, please consult your ISP provider regarding details of your
subscribed uplink service.
2. Please note that WAN load balancing and WAN failover features are only
available when WAN2 is configured.
3.2.3. WAN Port Selection for dual WAN1 / WAN2 models
EWS Controller models EWS5204 and above are carrier-grade models designed with both an SFP port and an Ethernet port for each of WAN1 and WAN2. The administrator can further decide which physical port is deployed as WAN1 or WAN2: the Ethernet port, the SFP port, the Ethernet and SFP ports bridged, or both ports bonded for aggregated throughput.
The deployment options are:
Ether Port: Deploy the copper Ethernet WAN port for service.
Fiber Port: Deploy the SFP port for service.
Fiber Port and Ether Port: Bridge the fiber port and the Ethernet port; physically connect only one uplink, via either the SFP port or the Ethernet port.
Bonding: Deploy both the SFP port and the copper Ethernet port for service. This option aggregates the two connections, resulting in higher aggregated throughput.
The Uplink and Downlink bandwidth configured here is the combined bandwidth for the WAN interfaces, WAN1 and WAN2. Note, however, that the actual bandwidth is still bounded by the network speed of your ISP. For instance, when the network speed of your ISP is limited to 1Gbps, the total throughput under that constraint will not exceed 1Gbps even if you configure 2Gbps on the Controller.
Uplink Detection
When the WAN interface has been configured with a valid uplink connection, the administrator may specify up to three outbound sites as detection targets for verifying whether the uplink service is alive or down. The controller checks the uplink status periodically.
The administrator may customize a warning message text field that is displayed in the user's web browser when all three detection targets fail to respond.
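The detection rule above (uplink counted as down only when every configured target fails, with the administrator's warning text then shown to users) is modelled in the following added example. This is illustrative Python, not Edgecore code: the probe callback, the target names and the sample results are assumptions; the real `tcp_probe` needs network access and is not used in the offline run.

```python
"""Added example (not Edgecore code): models the Uplink Detection behaviour
described above. Up to three detection targets are probed each round; the
uplink is reported as down, and the administrator's warning text is returned,
only when every configured target fails to respond.

The probe callback, the target names and the sample results below are
assumptions made for illustration."""
import socket
from typing import Callable, Dict, List

MAX_TARGETS = 3  # the manual allows up to three outbound detection targets


def tcp_probe(host: str, port: int = 80, timeout: float = 2.0) -> bool:
    """Real probe: True if a TCP connection to host:port succeeds (network needed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class UplinkDetector:
    def __init__(self, targets: List[str], warning_text: str,
                 probe: Callable[[str], bool] = tcp_probe) -> None:
        if not 1 <= len(targets) <= MAX_TARGETS:
            raise ValueError(f"between 1 and {MAX_TARGETS} detection targets required")
        self.targets = list(targets)
        self.warning_text = warning_text   # shown to users when all targets fail
        self.probe = probe                 # returns True when a target answered

    def check(self) -> Dict[str, object]:
        """One detection round: probe every target and summarise the result."""
        results = {t: bool(self.probe(t)) for t in self.targets}
        alive = any(results.values())      # a single responding target keeps the uplink 'up'
        return {
            "results": results,
            "alive": alive,
            "warning": None if alive else self.warning_text,
        }


def make_fake_probe(reachable: set) -> Callable[[str], bool]:
    """Constructed offline probe: only names in `reachable` answer."""
    return lambda host: host in reachable


if __name__ == "__main__":
    # Constructed sample: two of three targets are unreachable, so the uplink is still alive.
    det = UplinkDetector(["target-a.example", "target-b.example", "target-c.example"],
                         "Internet uplink is currently unavailable. Please try again later.",
                         make_fake_probe({"target-c.example"}))
    print(det.check())
```

Choosing three targets on different networks (rather than three hosts behind the same provider) is what makes the all-fail condition a meaningful signal of the uplink itself being down rather than one remote site being offline.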
Load Balancing
Administrator can spread the system traffic across WAN1 and WAN2 ports
based on percentage load, calculated using session, bytes, or packets.
WAN Failover
Once enabled, whenever WAN1 is down, WAN2 will service the traffic originally handled by WAN1. If the nested option is selected, service will be returned to the WAN1 link once it is up again. This feature cannot be used concurrently with Load Balancing.
NOTE
1. Please note that WAN Failover feature cannot be enabled concurrently
with Load Balancing feature.
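The Load Balancing and WAN Failover rules above, including their mutual exclusion, are modelled in this added example. It is illustrative Python, not Edgecore code: load balancing is simulated on a session-count basis only, the link names are the manual's WAN1/WAN2, and the percentages and failure sequence are constructed.

```python
"""Added example (not Edgecore code): models the WAN1/WAN2 selection rules
described above. Load Balancing spreads new sessions across both links by a
percentage share (session-based here), WAN Failover moves service to WAN2
when WAN1 is down and, only if the nested option is set, returns it to WAN1
once WAN1 is up again. The two features are mutually exclusive, exactly as the
NOTE states. The percentages used are illustrative."""
from typing import Dict, Optional

WANS = ("WAN1", "WAN2")


class WanSelector:
    def __init__(self, load_balance: Optional[Dict[str, int]] = None,
                 failover: bool = False, nested: bool = False) -> None:
        if load_balance and failover:
            raise ValueError("WAN Failover cannot be enabled concurrently with Load Balancing")
        if load_balance is not None:
            if set(load_balance) != set(WANS) or sum(load_balance.values()) != 100:
                raise ValueError("load-balance shares must cover WAN1 and WAN2 and total 100%")
        self.load_balance = load_balance
        self.failover = failover
        self.nested = nested
        self.up = {w: True for w in WANS}
        self.sessions = {w: 0 for w in WANS}   # sessions placed on each link so far
        self.active = "WAN1"                   # link carrying traffic in failover mode

    def set_link(self, wan: str, up: bool) -> None:
        """Record a link state change and apply the failover / nested-return rules."""
        self.up[wan] = up
        if not self.failover:
            return
        other = "WAN2" if wan == "WAN1" else "WAN1"
        if not up:
            if self.active == wan and self.up[other]:
                self.active = other            # link is down: fail over to the other one
        else:
            if wan == "WAN1" and self.nested:
                self.active = "WAN1"           # nested: return service to WAN1 when it is back
            elif not self.up[self.active]:
                self.active = wan              # nothing was usable; take the link that came up

    def pick(self) -> Optional[str]:
        """Choose the link for a new session; None when no usable link exists."""
        if self.load_balance:
            total = sum(self.sessions.values())
            best, best_deficit = None, None
            for wan, pct in self.load_balance.items():
                if not self.up[wan]:
                    continue
                share = self.sessions[wan] / total if total else 0.0
                deficit = pct / 100 - share    # how far this link is below its target share
                if best is None or deficit > best_deficit:
                    best, best_deficit = wan, deficit
            chosen = best
        elif self.failover:
            chosen = self.active if self.up[self.active] else None
        else:
            chosen = "WAN1" if self.up["WAN1"] else None   # single uplink, no failover
        if chosen is not None:
            self.sessions[chosen] += 1
        return chosen
```

The non-nested behaviour is the one to watch operationally: after WAN1 recovers, traffic stays on WAN2 until WAN2 itself fails, so a monitoring view that only reports WAN1 as "up" does not tell you which link is actually carrying user traffic.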
3.3. Downlink (LAN side) VLAN option
The Downlink of EWS Controller is basically your managed network deployed for
service. There are two types of deployment mode for networks attached to the LAN
ports of the EWS Controller: Port-Based mode and Tag-Based mode.
NOTE
1. If HA feature is in Enabled status, LAN1 will be transformed into a dedicated
HA port and will not be able to service any Service Zone.
Port-Based mode operates on the principle that each physical LAN port can be mapped to an enabled Service Zone or disabled from providing service. Operating in port-based mode therefore means that the maximum number of Service Zones that can actually provide service is determined by the number of LAN ports on the Controller.
3.3.2. Tag-Based Service Zone
Tag-Based mode operates on the principle that different Service Zones are identified by VLAN ID. This means that Tag-Based operation allows each physical LAN port to accept traffic for any enabled Service Zone. Traffic is handled internally according to the VLAN ID that the packets carry.
Chapter 4. User Authentication Database
【Graphical illustration of authentication databases in relation to EWS Controller】
NOTE
1. Auth Options may be selectively enabled or disabled to authenticate users in
each Service Zone profile.
4.2. Built-in Authentication Databases
Configuration Path: Main Menu >> Users >> Internal Authentication
This authentication method checks the local database, which stores users (often staff) and their credentials internally. The Local user database is designed to store static accounts, which are not deleted unless the administrator does so manually.
Configuration Path: Main Menu >> Users >> Internal Authentication >> Local
>> Local User List
Account generation
Click Add User to create one or multiple accounts.
NOTE
1. The fields with a red asterisk are mandatory; the others are optional.
2. Once configured, the MAC Address field binds this particular account to the specified device, so that access may only be granted from that device.
3. The Group field specifies the group profile of the account being created.
4. Remark is for any additional note the administrator would like to stress. It will be shown on the user list.
5. You can check the Enable Local VPN checkbox to build a secure VPN tunnel between the device using the account and the controller.
6. Expiration is an optional time constraint that may be enforced on this account if the Account Span option is checked. This is a useful attribute when used together with Multiple Login, ideal for providing network access to a group of people for a specified amount of time, for instance during a seminar event.
NOTE
1. The generated txt files may be used interchangeably across all EWS controller models, as the defined CSV format is consistent for all models.
2. Duplicated accounts will result in upload failure and a warning message will be displayed.
Deleting Accounts
Accounts in the Local user database may be deleted individually, or all at once by selecting the “Select All” checkbox. A popup window will ask you to confirm the action.
4.2.2. On-Demand User Database
Configuration Path: Main Menu >> Users >> Internal Authentication >> On-Demand
On-Demand Account Settings
1. General Settings for the On-Demand Account database can be configured on this page. General Settings include the customization of POS/Web tickets, Payment Gateway options, etc. When ticket printers (such as the EC-PP200) are deployed for account generation, remember to configure the IP and Port in the Terminal Server configuration. The EWS Controller can work together with the Clickatell SMS server so that On-Demand account credentials are sent to users via SMS message.
With a set of Clickatell account credentials (Username/Password), the SMS Gateway can be configured to send SMS messages upon On-Demand account creation. The SMS service can be used for free access, paid access with payment gateway integration, or both. Define an API ID and activate the desired billing plans. Multiple Billing Plans may be activated if needed. To prevent the SMS Gateway from being flooded by SMS queries for account generation, an Account Registration Control option is available. In addition, the administrator has the option of allowing or disallowing users to register for new accounts prior to account expiration. To block valid accounts from requesting new accounts, set this option to “Enabled”.
With the SMS Gateway enabled, the Billing Plan selection page will appear as shown below.
Note that the Billing Plan selection page may be customized if needed.
NOTE
1. For more detailed information on the four major account types, please
refer to Appendix D.
2. For more detailed information on Ticket Customization, please refer to
Online Help or the Edgecore Application Note on Ticket Customization.
On-Demand Accounts
After enabling the selected Billing Plans, On-Demand accounts can be generated on the On-Demand Account Creation page. On-Demand accounts can be created individually or in batches.
The status of an On-Demand account is defined as valid, out of quota, or expired.
Valid = On-Demand account is active or has quota remaining
Total = Valid + Out-of-Quota + Expired
The valid and total numbers of On-Demand accounts are shown at the end of this list.
The Guest Authentication Option is not technically a user database, but rather
a specially designed option to allow a user to access and surf the network
without any user account or password.
This feature allows the user to associate with a particular Service Zone, enter
a specified string of text which may be a social security number, email, etc.
defined by the administrator, and use the network without actual authentication.
The terms of use as well as usage constraints may be configured in the Guest
authentication option profile.
Configuration Path: Main Menu >> Users >> Internal Authentication >> Guest
The E-mail Denial List checks email domains for login permission, if blocking of junk mailboxes is desired. Guest Questionnaire provides administrators with options to customize extra questions on the login page for guest login; the information collected from guest users can be viewed in the Guest Information list. Guest Access Time, when set to “Limited”, enforces a usage time constraint based on MAC addresses. If the Quota is set to 30 minutes, each device is allowed only 30 minutes of usage, and a new session is only possible once the Reactivation time has elapsed. Administrators can also decide how many times a device may request a free account in a day by configuring Access Limit. Guest users are then mapped to a selected User Group for policy application. Guest Quota List lets administrators check how much allowance remains for the access-limited Guest accounts, by MAC address and Email Address. (The list is automatically refreshed daily at midnight, and the oldest entries are removed when the maximum of 12000 entries is reached.)
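The Quota, Reactivation, Access Limit and Guest Quota List rules just described are modelled per device in the following added example. It is illustrative Python, not Edgecore code: the default minute values, the limit of three requests per day and the sample MAC addresses are constructed; the 12000-entry bound is the figure the text gives.

```python
"""Added example (not Edgecore code): models the Guest access-control rules
described above for one Service Zone. Per device MAC address it enforces a
usage Quota, a Reactivation wait before a new session, a daily Access Limit
that refreshes at midnight, and a bounded quota list from which the oldest
entries are dropped. The default numbers and the sample MACs are illustrative;
the 12000-entry bound is the figure the manual gives."""
from collections import OrderedDict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional, Tuple


@dataclass
class GuestRecord:
    day: date                               # day the request counter belongs to
    requests_today: int = 0
    session_end: Optional[datetime] = None  # when the current/last quota ran out


class GuestQuotaTracker:
    def __init__(self, quota_minutes: int = 30, reactivation_minutes: int = 60,
                 access_limit: int = 3, max_entries: int = 12000) -> None:
        self.quota = timedelta(minutes=quota_minutes)
        self.reactivation = timedelta(minutes=reactivation_minutes)
        self.access_limit = access_limit
        self.max_entries = max_entries
        self._records: "OrderedDict[str, GuestRecord]" = OrderedDict()

    def __len__(self) -> int:
        return len(self._records)

    def tracked(self, mac: str) -> bool:
        return mac.lower() in self._records

    def _record(self, mac: str, now: datetime) -> GuestRecord:
        mac = mac.lower()
        rec = self._records.get(mac)
        if rec is None:
            rec = GuestRecord(day=now.date())
            self._records[mac] = rec
            while len(self._records) > self.max_entries:
                self._records.popitem(last=False)        # evict the oldest entry
        elif rec.day != now.date():
            rec.day, rec.requests_today = now.date(), 0  # daily refresh at midnight
        return rec

    def request_access(self, mac: str, now: datetime) -> Tuple[bool, str]:
        """Decide whether the device may use the network right now."""
        rec = self._record(mac, now)
        if rec.session_end is not None:
            if now < rec.session_end:
                return True, "session active"            # quota not yet used up
            if now < rec.session_end + self.reactivation:
                return False, "reactivation time not elapsed"
        if rec.requests_today >= self.access_limit:
            return False, "daily access limit reached"
        rec.requests_today += 1
        rec.session_end = now + self.quota
        return True, "new session granted"

    def remaining_requests(self, mac: str, now: datetime) -> int:
        """Allowance left today, as shown in the Guest Quota List."""
        rec = self._records.get(mac.lower())
        if rec is None or rec.day != now.date():
            return self.access_limit
        return max(0, self.access_limit - rec.requests_today)
```

Because the whole scheme keys on the client MAC address, its strength is bounded by how easily a client can change that address; the text's note that the MAC is checked "to avoid malicious use" should be read as a deterrent for casual abuse, with the daily Access Limit and the bounded list keeping the controller's own state from growing without limit.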
Email verification ensures that the entered email is a valid email address. When this option is enabled, an activation time is allocated to the client. The client then has to activate the account within the activation time, by clicking a link in the mail sent by the mail server, to extend his/her usage time. Note that the activation is merely a timer and does not add to the account's Quota. The Sender Name, Email Subject, and Email Content (max. 2000 characters) are all customizable once the SMTP server is ready. The SMTP server is configured by clicking the “Assign SMTP Server” button.
Some account information is collected in the Guest Information list for administrators' further analysis or marketing purposes: e-mail address, device MAC address, last login time, and the answers to the Guest Questionnaire.
NOTE
When Guest Questionnaire is enabled, the controller collects information from the clients. Please enable the Disclaimer or a customized login page to include the relevant claims and reminders.
Choose the desired Service Zone where you would like to apply the Guest
authentication option - Go to Main Menu > System > Service Zone > Configure.
Scroll down the page to Authentication Options. Check to enable the option
for Guest Authentication Option as shown in the figure below.
Consequently, after completing the configurations in STEP 1 and STEP 2, end users will see an additional section for guest access on the Service Zone's login page.
By typing an email address, clicking login, and approving the terms and conditions for free access to public Wi-Fi, guest users will be able to access the network with the constraints specified in the Guest Authentication Option profile and the Group profile. The MAC address is checked to avoid malicious use of free access.
4.2.4. One Time Password
With the One Time Password (OTP) authentication option, clients gain Internet access by entering their own mobile number, receiving an SMS message containing a one time password, and entering that password on the authentication page. Afterwards, clients can start surfing the Internet.
Typically, the user login flow involves the following steps and pages:
A. Service Disclaimer: (if enabled) agree to the terms of service to continue the login process
B. General Login Page: click the button to sign in with a one time password
C. OTP Registration Page: enter the mobile number and, if enabled, answer any other questionnaire
D. Receive SMS with OTP: the text message with the passcode is delivered to the client's mobile
E. OTP Authentication Page: enter the OTP to verify and authenticate
F. Login Success Page: great, it's time to surf the Internet
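Steps C through E of this flow are what the controller has to get right on the server side: issue a passcode, deliver it out of band, and accept it once within a short window. The following added example models that part in Python; it is not Edgecore code. The six-digit length, the 300-second lifetime, the three-attempt budget, the mobile-number pattern and the sample numbers are all assumptions, and the SMS sender is a stub callback standing in for a real gateway.

```python
"""Added example (not Edgecore code): a server-side model of the OTP login
flow described above, covering steps C through E: a mobile number is
registered, a one time password is generated and handed to an SMS sender,
and the password is then verified. The passcode is stored only as a keyed
hash, expires after a short time, is single-use and tolerates a small number
of wrong attempts. The digit count, lifetime, attempt limit and the sample
numbers are assumptions for illustration; the SMS sender is a stub."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # assumed lifetime of a passcode
MAX_ATTEMPTS = 3           # assumed wrong-guess budget per passcode
_MOBILE_RE = re.compile(r"^\+?[0-9]{8,15}$")


@dataclass
class PendingOtp:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class OtpAuthenticator:
    def __init__(self, send_sms: Callable[[str, str], None],
                 secret: Optional[bytes] = None) -> None:
        self.send_sms = send_sms                          # e.g. an SMS gateway client
        self.secret = secret or secrets.token_bytes(32)   # key for hashing stored codes
        self.pending: Dict[str, PendingOtp] = {}

    def _digest(self, mobile: str, code: str) -> bytes:
        return hmac.new(self.secret, f"{mobile}:{code}".encode(), hashlib.sha256).digest()

    def register(self, mobile: str, now: float) -> bool:
        """Step C/D: accept a mobile number and send it a fresh one time password."""
        mobile = re.sub(r"[\s-]", "", mobile)
        if not _MOBILE_RE.match(mobile):
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Re-registering replaces any earlier pending code for this number.
        self.pending[mobile] = PendingOtp(self._digest(mobile, code), now + OTP_TTL_SECONDS)
        self.send_sms(mobile, f"Your one time password is {code}")
        return True

    def verify(self, mobile: str, code: str, now: float) -> str:
        """Step E: check the submitted passcode; returns a short result string."""
        mobile = re.sub(r"[\s-]", "", mobile)
        entry = self.pending.get(mobile)
        if entry is None:
            return "no pending otp"
        if now > entry.expires_at:
            del self.pending[mobile]
            return "expired"
        entry.attempts += 1
        if hmac.compare_digest(self._digest(mobile, code), entry.code_hash):
            del self.pending[mobile]                      # single use
            return "ok"
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[mobile]                      # too many wrong guesses
            return "locked"
        return "wrong code"
```

The attempt budget matters because a six-digit code has only a million possibilities; without it, and without the short lifetime, the SMS step would add little over a plain password. Hashing the stored code with a server-side key means a leaked pending-OTP table does not reveal usable passcodes.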
4.3. External Authentication Options
NOTE
1. Please note that after configuring the authentication options, whether using built-in or external databases, they will need to be enabled individually in each enabled Service Zone.
4.3.1. RADIUS
Server 2 by default is configured to use RADIUS authentication. Edgecore
EWS controllers support RADIUS authentication, RADIUS class mapping, and
RADIUS transparent login with 802.1X.
Another important setting field is the Class-Group Mapping on the page. It is
a translation setting which maps RADIUS classes to different groups on the
Edgecore EWS controller, enabling different RADIUS accounts to be
incorporated into different Groups.
4.3.2. POP3
4.3.3. LDAP
If you wish to deploy an LDAP server for user authentication, proceed with the complete setup below.
Server 4 by default is selected to use the LDAP database for user credential checks. Click on the Server Name to enter the detailed LDAP setup page (a secondary LDAP server can be designated as a backup server). Furthermore, the LDAP configuration page has an Attribute-Group Mapping page, which maps LDAP attributes to different groups on the Edgecore EWS controller, enabling different accounts to be incorporated into different Groups.
4.3.4. NT Domain
credential authentication.
4.3.5. SIP
SIP, the Session Initiation Protocol, is the IETF protocol defined for Voice over Internet Protocol (VoIP) and other multimedia sessions. Edgecore EWS controllers support SIP authentication as well as the use of SIP phones. In addition to an Edgecore EWS controller, the administrator has to set up the other devices needed to make successful SIP phone calls: a valid SIP Registrar and SIP phones.
(1) A user is making a call through a SIP-based phone (e.g. #301 --> #303).
(2) The user gets authenticated transparently, if the user is registered in the
SIP Registrar.
(3) The call is established successfully.
By default, SIP is not selected as the database for any Auth option. Enable SIP from Authentication Settings in the respective Service Zones. The administrator will need to enter at least one valid SIP Registrar as the call center to provide call service; up to four may be specified. Please note that the corresponding Group profile should have its QoS settings appropriately configured to support voice applications.
Please also make sure that the corresponding Service Zone has ‘Enable’ checked in the SIP Interface Configuration in order for it to function properly.
Social Media Login allows Wi-Fi users to access the Internet without going through a tedious account registration process. The Edgecore EWS-Series Controller supports several kinds of social media accounts: LINE, Facebook, Twitter, Weibo, VK, dAccount, and Open ID. All administrators have to do is apply for the corresponding ID and secret.
When a user clicks the button to sign in with a social media account, he/she will be redirected to the social media site for login and to grant permissions. There is no need to worry about the walled garden dilemma: connected clients get 5 minutes of free access as soon as they click one of the social login buttons. They then have to complete the login process with the required social account information within those 5 minutes. Afterwards, they can start surfing the Internet, as shown in the figure below.
This configuration page defines how the Controller connects to the social media sites.
LINE: visit the LINE Developers site (https://developers.line.me/console/) and apply for a “LINE Login” APP to get the Channel ID and Channel secret, with the App type set to WEB.
Facebook: visit the Facebook developers site (https://developers.facebook.com/) and apply for a “Facebook Login” APP to get the app ID and app secret.
Twitter: visit the Twitter developers site (https://developer.twitter.com/) and apply for the “Twitter API” to get the API key and API secret.
Weibo: visit the Weibo Developers site (http://open.weibo.com/liveapi/index.php) and apply for a “LINE Login” APP to get the Channel ID and Channel secret, with the App type set to WEB.
VK: visit the VK Developers site (https://vk.com/dev) and apply for a “LINE Login” APP to get the Channel ID and Channel secret, with the App type set to WEB.
dAccount: visit the dAccount Connect site (https://id.smt.docomo.ne.jp/src/index_business.html?btn01) and apply to obtain the client ID and client secret.
Open ID: the login path must be traversed and added to the OpenID Walled Garden; the redirection target depends on the OpenID provider.
Chapter 5. Group Attributes & Policy Rules
All Edgecore EWS Controller models utilize ‘Group’ and ‘Policy’ to define user
accessibility and network privileges in order to set constraints on users’ behavior.
Since grouping, policy setting, and service zones are intertwined with one another,
this section will proceed to clarify the concepts of grouping, policy, and their
relationship with the Service Zone, followed by practical setup processes on these
three attributes.
Group
A Group is a set of users that the administrator considers to share similar characteristics, i.e. a role-based grouping. For example, in a university there are, in general, students, faculty staff, and guests. IT staff may therefore set up three Groups that distinguish these three categories of Internet service users by giving each Group different Internet access permissions. Edgecore EWS models provide eight to twenty-four Group profiles, depending on the model capacity.
On-Demand users and Local users may be assigned to different Groups per account. For users authenticated by external servers, Edgecore EWS controllers also offer per-account Group assignment for the RADIUS and LDAP options, via Class-Group Mapping and Attribute-Group Mapping respectively.
In each Group profile, there are several attributes that can be defined by the administrator:
1. Quality of Service (QoS):
Traffic class choice of Voice, Video, Best effort, and Background.
Total uplink and downlink rates shared by all of the group's members.
Individual maximum downlink and uplink rates.
2. Privilege Profile:
On-Demand account privilege enables authenticated users of a certain Group to generate On-Demand accounts from the Controller's default / template login success page.
Password change privilege allows users to change their own passwords after a successful login, from the Controller's default / template login success page.
Maximum Concurrent Sessions determines the number of concurrent logins allowed per user.
3. Service Zone accessibility:
The permission to access or deny access to particular Service Zones as well as
the Policy bundled may be configured.
Policy
Policies, as the term suggests, are profiles of network-governing constraints enforced upon users, including firewall rules, login schedules, routing rules, and session allowances. There is a Global Policy, which is applied if a user belongs to a Group not bound to any Policy. The number of Policy profiles is model dependent.
Group and Policy profiles are separated for more flexibility. This allows users of the same Group to be bound to different Policies according to the Group-Service Zone permission mapping settings the administrator defines. For instance, a user from group 1 may be governed by policy 1 in service zone 1, but by policy 3 in service zone 3.
Relationship Between Group, Policy, and Service Zones
The first figure displays the relationship between group and policy and the attributes that can be defined in each category. The administrator can define the relationships between policy, group, and service zone from two points of view: mapping groups to service zones, and the other way around. Please see the visual explanation below:
and policies on the WMI of the Edgecore EWS Controller.
Group Overview
Configuration Path: Main Menu >> Users >> Groups >> Overview
The Group Overview table gives a summary of which Authentication Servers are
used for each corresponding Group. User Groups assigned to a Billing Plan for the
On-Demand Authentication Database are also shown here.
Group Settings
Configuration Path: Main Menu >> Users >> Groups >> Configuration
The Group Configuration – Group x table is for Policy settings to be defined for
the Group. Multiple Device Login (except for On-Demand) can be enabled here.
The Zone Permission Configuration & Policy Assignment – Group x table
enables admin to determine the relationships between Group, Policy, and Service
Zones.
Check the Status checkboxes to allow users of this Group to access the
corresponding Service Zones. To configure from a Service Zone’s perspective please
go to Access Permission and Authorization in Service Zone Settings.
Policy Settings
Configuration Path: Main Menu >> Users >> Policies >> Policy Configuration
6. IPv6 traffic class and 802.1p mapping (for global policy only) - to map IPv6
traffic class to 802.1p when IPv6 traffic is being forwarded into VLAN IPv4
networks.
Select one of the policies in the drop-down list and start configuring each attribute by clicking Configure. After changing a setting, always remember to click Apply to save the changes. Note again that the Global Policy applies to all users in all service zones who are not explicitly governed by a policy profile.
Schedule
Configuration Path: Main Menu >> Users >> Schedule
The Schedule assigns the allowed user login periods by clock time on an hourly basis. Unchecked time slots mean that users under this policy will be unable to log in during that specific time interval.
Grouping Users
or accounts individually (Local, On-Demand).
RADIUS users can be assigned to different Groups based on RADIUS class. The mapping can be configured at Users > Authentication > RADIUS > Configure > Class-Group Mapping > Configure.
LDAP users can be assigned to different Groups based on LDAP attributes. The mapping can be configured at Users > Authentication > LDAP > Configure > Map LDAP Attributes to Group.
Policy Priority
The Policy enforcement priority is as follows:
Group-Service Zone Mapping > Service Zone default Policy > Global Policy
Therefore, if the administrator does not specify a Group or Policy in the hierarchy of
configurations for a particular user, the system will govern them by Global Policy.
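The priority chain above, combined with the Status checkbox from Zone Permission Configuration (which decides whether a Group may enter a Service Zone at all), can be expressed as a small resolver. The following is an added Python example, not Edgecore code: the group, zone and policy names are the illustrative ones from this chapter, and the rule that a Group with no explicit entry for a zone is admitted and falls through to the zone default or Global Policy is an assumption made for the example.

```python
"""Added example (not Edgecore code): resolves the effective Policy for a user
using the priority chain given above,
Group-Service Zone Mapping > Service Zone default Policy > Global Policy,
together with the Zone Permission status checkbox from Group Settings. Group,
zone and policy names are illustrative; the rule that a Group with no explicit
mapping entry for a zone is allowed in and falls through the chain is an
assumption made for this example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GLOBAL_POLICY = "Global Policy"


@dataclass(frozen=True)
class ZoneEntry:
    allowed: bool                      # the Status checkbox in Zone Permission Configuration
    policy: Optional[str] = None       # Policy Assignment for this Group in this zone, if any


@dataclass(frozen=True)
class Decision:
    allowed: bool
    policy: Optional[str]
    source: str                        # which level of the chain decided


class PolicyResolver:
    def __init__(self, group_zone: Dict[Tuple[str, str], ZoneEntry],
                 zone_default: Dict[str, str]) -> None:
        self.group_zone = group_zone       # (group, service zone) -> ZoneEntry
        self.zone_default = zone_default   # service zone -> its default Policy

    def resolve(self, group: Optional[str], zone: str) -> Decision:
        entry = self.group_zone.get((group, zone)) if group is not None else None
        if entry is not None:
            if not entry.allowed:
                return Decision(False, None, "group-zone permission")
            if entry.policy is not None:
                return Decision(True, entry.policy, "group-service zone mapping")
        if zone in self.zone_default:
            return Decision(True, self.zone_default[zone], "service zone default policy")
        return Decision(True, GLOBAL_POLICY, "global policy")


def build_example_resolver() -> PolicyResolver:
    """Constructed sample mirroring the text's group 1 / zone 1 / zone 3 example."""
    group_zone = {
        ("Group 1", "Service Zone 1"): ZoneEntry(True, "Policy 1"),
        ("Group 1", "Service Zone 3"): ZoneEntry(True, "Policy 3"),
        ("Group 2", "Service Zone 1"): ZoneEntry(False),      # Group 2 denied in zone 1
        ("Group 2", "Service Zone 2"): ZoneEntry(True),       # allowed, no explicit policy
    }
    zone_default = {"Service Zone 2": "Policy 2"}
    return PolicyResolver(group_zone, zone_default)
```

Tracking the `source` of each decision is worth keeping in a real implementation as well: when a user ends up under the Global Policy unexpectedly, it is almost always because a mapping entry was never created rather than because the Global Policy was chosen deliberately, and the resolver's answer shows that immediately.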
Chapter 6. Basic Service Zone Configuration
Edgecore EWS controllers offer two modes of mapping physical LAN ports to service zones, namely port-based mode and tag-based mode. Intuitively, as the name suggests, port-based mode means that each LAN port serves one Service Zone or none, so the maximum number of service zones is equal to the number of LAN ports on the Edgecore EWS controller.
By contrast, tag-based service zones are not limited by the number of ports, as they are identified by the VLAN tag ID pre-defined by the administrator, regardless of the LAN port. A simple illustration of the concept is shown in the picture below.
As the figure depicts, a staff member of a firm is associated with a certain SSID broadcast by an access point. This SSID belongs to, let's say, a VAP with VLAN ID 15. Therefore, the AP's traffic, when forwarded back to the Controller, will be mapped to Service Zone 1, which is configured for staff access.
Configuration Mapping
Configuration Path: Main Menu >> System >> LAN Ports
Admin can change the type of service zones. There are some grayed-out service
zones because they have been disabled. Therefore, admin should first go to
‘System > Service Zones > Configure’ to enable the needed service zones.
If the setting is changed to Tag-based, the mapping between service zones and ports will be grayed out. Each Service Zone will need to be assigned a unique VLAN ID, ranging from 1 to 4096.
Note that the Default Service Zone is designed to be tag-less to manage Local
Access Points and process untagged traffic.
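At the frame level, tag-based zone selection comes down to reading the 802.1Q VLAN ID and looking it up in a one-to-one table, with untagged frames going to the Default Service Zone. The following added example shows that mechanism in Python; it is not Edgecore code. The VLAN numbers (15 for the staff zone, as in the figure), the zone names and the constructed frames are illustrative.

```python
"""Added example (not Edgecore code): shows how Tag-based Service Zone
selection works at the frame level. A minimal 802.1Q parser reads the VLAN ID
from an Ethernet frame, a table maps each VLAN ID to exactly one enabled
Service Zone, and untagged frames fall to the Default Service Zone, as the
text describes. The VLAN numbers, zone names and constructed frames are
illustrative."""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100
DEFAULT_ZONE = "Default Service Zone"   # tag-less zone for untagged traffic and Local APs


def parse_vlan_id(frame: bytes) -> Optional[int]:
    """VLAN ID of an 802.1Q-tagged Ethernet frame, or None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF                  # low 12 bits of the TCI are the VID


class TagBasedZoneMap:
    def __init__(self, vlan_to_zone: Dict[int, str]) -> None:
        # Each enabled Service Zone needs a unique VLAN ID in the 1-4096 range the manual
        # gives (the 12-bit 802.1Q VID field itself can carry at most 4095 on the wire).
        if len(set(vlan_to_zone.values())) != len(vlan_to_zone):
            raise ValueError("a Service Zone may not be assigned more than one VLAN ID")
        for vid in vlan_to_zone:
            if not 1 <= vid <= 4096:
                raise ValueError(f"VLAN ID {vid} out of range")
        self.vlan_to_zone = dict(vlan_to_zone)

    def classify(self, frame: bytes) -> Optional[str]:
        """Service Zone a frame belongs to, or None when its VLAN ID is not mapped."""
        vid = parse_vlan_id(frame)
        if vid is None:
            return DEFAULT_ZONE
        return self.vlan_to_zone.get(vid)


def build_frame(vid: Optional[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame: locally administered MACs, optional 802.1Q tag, IPv4 type."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload
```

Returning `None` for an unmapped VLAN ID rather than defaulting it somewhere is deliberate: traffic carrying a tag the controller was not configured for should be dropped, not quietly admitted to the Default Service Zone, which is reserved for untagged traffic and Local Access Points.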
6.2.2. NAT Mode or Router Mode
Configuration Path: Main Menu >> System >> Service Zones >> Configure
NAT is the acronym for Network Address Translation, which translates the private IP addresses of devices on the LAN side of the controller to routable IPs before forwarding traffic into the uplink network. Private IP addresses are invisible to devices or routers on the WAN side of the controller; only the controller performing the NAT knows the corresponding translations. This mode not only protects users on the LAN from being 'seen' by external devices but also solves the problem of limited public IPs.
Configuration Path: Main Menu >> System >> Service Zones >> Configure
The IP address will act as the Controller IP for a user connected to this Service Zone. The subnet mask defines the size of your Service Zone network and the range of IPs allowed to access this Service Zone. To allow users with addresses that are out of this range, enter the IPs in the Network Alias List and check Enable. Always remember to click Apply upon completion.
There are 3 isolation options when the system is set to Tag-based mode: Inter-VLAN Isolation, Clients Isolation, and None.
o Inter-VLAN Isolation: 2 clients within the same VLAN will not see each other when coming in from different ports. Note that isolation is done when traffic passes through the gateway. When a switch or AP is deployed, Station Isolation has to be enabled on the AP/switch.
o Clients Isolation: All clients on the same Layer 2 network are isolated from one another in this Service Zone.
o None: No isolation will be applied to clients in this Service Zone.
Note that when “None” is selected, a switch port connecting to the LAN port of the EWS may be shut down if the switch has loop protection enabled and more than 2 VLANs belong to one Service Zone.
Configuration Path: Main Menu >> System >> Service Zones >> Configure
1. DHCP Server Configuration – The default setting for DHCP Server is “Enable”.
Select other options from the drop-down list.
2. Define the IP range for issuing when using Enable DHCP Server (built-in). There
are a total of six DHCP pools for configuration.
3. The DHCP Lease Time of each pool cannot be smaller than twice the Idle Timeout.
4. Reserving IP addresses – A configuration list for reserving certain IPs within the DHCP Server IP range for specific devices, for example an internal file server.
5. DHCP lease protection – An optional checking mechanism on the Controller; when enabled, it checks whether the IP whose lease has expired is currently online. If so, the Controller will halt the re-issuing of this IP address until the user session terminates.
6. Click “Apply” to activate changes.
Configuration Path: Main Menu >> System >> Service Zones >> Configure
Once the administrator has properly configured the authentication servers under the Main Menu, each Service Zone can select the preferred authentication option for downstream clients to log in with. Note that Authentication is always enabled by default.
1. Databases
The administrator can designate the configured auth servers for use. A postfix is used as the auth server identifier when more than one auth server is enabled for service.
2. Portal URL
The specification of a desired landing page may be configured here. When enabled,
the administrator can choose to set the URL of an opened browser after users’
initial login.
MAC address entered in the configured RADIUS Server, the Controller will
automatically authenticate and grant access immediately if authentication succeeds.
Users will experience transparent login.
The IP Address Range Assignment field configures the starting IP range from which PPP assigns IP addresses to dial-up virtual interfaces. The assigned interface IP address is used to route between the networks on both sides of the tunnel.
Configuration Path: Main Menu >> System >> Service Zones >> Configure
Each Service Zone can be configured to have unique Login Pages or Message Pages.
There are 3 types of Login Pages: The General Login Page, PLM Open Type Login
Page (for Port Location Mapping free access), and PMS Billing Plan Selection Page. A
Service Disclaimer page can be enabled if required. These pages are fully
customizable to give administrators complete flexibility. Message Pages can also be
customized; they include: Login Success Page, Login Success Page for On-Demand
Users, Login Fail Page, Device Logout Page, Logout Success Page, Logout Failed
Page, and Online Device List.
There are several customization options to choose from apart from the Edgecore
Default Page: Customize with Template, Upload Your Own, Use External Page, and
Editor.
Edgecore Default: The gateway has a standard Edgecore Default Login Page with
the Edgecore logo and Administrators can choose to enable a Service Disclaimer if
needed.
Customize with Template: For this option, a template is prepared for easy
customization by the administrator. The general layout is fixed, but the contents
can be customized to the administrator's preference. A color theme and a logo can
be uploaded, and content fields such as the Service Disclaimer and text colors can
be entered within the template presentation layout.
Upload Your Own: The Administrator has the option to upload an html file as the
Login Page. The "Download HTML Sample File" gives administrators a sample HTML
code to edit from. Once this sample HTML code is downloaded, open the file with any
browser, right click and select "View Page Source". You may edit the HTML code with
any text editor as long as the file is saved in .html format.
Use External Page: The Login Page can be a defined external URL. This option
requires extensive knowledge of URL parameter utilization that works together with
the Message Pages and should be organized carefully. For more details on External
Login Page customization, please refer to Appendix C of the User Manual.
Editor: The Login Page can be edited with a What You See Is What You Get
(WYSIWYG) editor. With the editor, the administrator can add, delete, or configure
the elements on the page in a simple and intuitive way. Currently, this option is
only available for the General Login Page.
For a Preview of the custom page, click “Apply” followed by the “Preview” button.
Similarly, the four options are available for Message Pages.
Chapter 7. Basic AP Management
7.1. Introduction
Management of access points is always of vital importance for a network
administrator. Edgecore therefore delivers a simple, straightforward set of
management tools to help you achieve it. Generally, we suggest a centralized
network with a controller in charge of access points on both the WAN side and the
LAN side. We call the WAN-side AP management ‘Wide Area AP Management,’ due to
its scalability across the Internet or intranet, and the LAN-side AP management
‘Local Area AP Management.’ The figure below illustrates the concept of these two
types of management.
Edgecore EWS models differ in which Edgecore access points they can manage, so
the admin should check which AP models the Edgecore EWS controller supports.
Manageable Edgecore Access Points for Local AP Management may be checked at:
Main Menu >> Devices >> Local Area AP Management >> Overview.
Manageable Edgecore Access Points for Wide Area AP Management may be checked
at:
Main Menu >> Devices >> Wide Area AP Management >> Overview.
Under Local Area AP Management, there are up to 8 templates available for each AP
model, containing configuration attributes primarily for wireless band, data rate,
transmit power, etc. They may be applied to managed APs automatically or
manually, avoiding the tedious process of configuring APs one by one.
Under Wide Area AP Management, there are also templates for the administrator to
configure APs through central management.
This chapter further explores how a wireless network environment can be set up in
terms of AP management, explaining aspects such as AP discovery and adding,
general AP settings, and so on. Note that this section only deals with the setting
process of various common AP management settings, not advanced ones such as
‘rogue AP detection’ or ‘AP load balancing.’ The higher-level applications are
introduced in the reference guide.
NOTE
1. Before adding APs to any service zone, the admin should set up a general
wireless environment for the zone in advance; this will only be applied to
locally managed APs.
2. Each AP will also be assigned one distinctive IP address once under
management. In the tag-based mode, the AP addresses are given by the DHCP
server in the default service zone; while in the port-based one, an AP will be
allocated an IP address by the DHCP server in its affiliated service zone.
This section handles the management of access points on the LAN side of your
Edgecore EWS controller. It starts with a methodology of adding access points to
the AP management list of a controller, all the way to the utilities that can be
applied on the controller to its managed AP’s.
7.2.1 AP List
Configuration path: Main Menu >> Devices >> Local Area AP Management >> AP
List
All of the supported APs under management of the system will be shown in the list.
Check the checkbox for the desired AP Types and click "Apply" to display on the AP
List. A search can be performed based on AP Name, IP Address, MAC Address, and
Channel by selecting from the drop-down list. The AP's name will be shown as a
hyperlink. Click the hyperlink of each managed AP to further configure (General
Setting, LAN Setting, Wireless LAN, Layer 2 Firewall) the AP. Click the hyperlink of
the shown Status of each managed AP for detailed status information of the AP
(System Status, Service Zone Status, Wireless Status, Access Control Status, and
Associated Client Status).
Administrators may filter the AP List by selecting the desired AP Models. Check the
AP Models under AP Type and click “Apply” to apply the filter.
To add an AP or multiple APs, click the “Add” button. This is elaborated in Section
7.2.2 AP Adding and Discovery.
Options such as Enabling or Disabling an AP, applying Templates and Service Zones
can be done by checking the checkboxes on the left of the AP List and clicking the
respective buttons. Details on AP Templates configuration are elaborated in Section
7.2.3 Templates Configuration. For monitoring, there is a refresh interval option
that lets the administrator see the current status of each managed AP.
Note that not all firmware versions are fully compatible with EWS’s AP Management
feature. Check for compatibility under the “Status” column.
7.2.2 AP Adding and Configuration Applying
Configuration path: Main Menu >> Devices >> Local Area AP Management >> AP
List >> Add
Once all AP’s are properly connected, admin can then start adding them to the
management list. This can be accomplished by clicking “Add” above the AP List. APs
can be added individually or in batches. This is determined by the “Add Method”;
Select “Add AP” from the drop-down list to add APs individually, or select “Find
Multiple APs” to add in batches.
To add an AP, specify an AP Name and enter its IP and MAC address. Fields marked
with a red asterisk are mandatory. After filling in all the fields, click Apply at
the bottom of the page to add the AP (an AP does not have to be online to be
added). Check the AP List to confirm the addition.
To add APs in batches, the admin scans an IP address range and collectively
discovers APs of the same type, either by
1. ‘Factory Default’ scanning – used if the administrator has not changed any of the
configuration on the APs. There is no need to fill in any fields; just click
Scan Now.
2. ‘Manual’ scanning – used if the IP addresses of the APs have been changed to
something other than 192.168.1.1. Type in the range of IP addresses you would
like to scan through and click Scan Now.
The Discovery Results table will then display all the APs found to be currently
alive. After finding the AP, the admin can further set the template to be applied
and the operating channel, and put the AP under a specific service zone that has
been enabled.
NOTE
1. It might take some time for the controller to discover AP’s. Please wait for a
moment until the AP you are scanning for is displayed on the Discovery
Results list.
2. The Background option above the discovery list can be enabled to scan the
wireless environment periodically at an interval set by the admin. Click
Configure to set up the function.
intuitive in terms of the names for changing the content of the AP list. Choose one
or more AP’s in advance and perform one of the functions.
Configuration path: Main Menu >> Devices >> Local Area AP Management >>
Templates
General Settings such as the Default Gateway of the AP are configured here.
Wireless Settings and the applicable Service Zones/SSIDs are also configurable
here.
The SSID and Wireless Security can be specified per Service Zone. Depending on
deployment needs, access filtering may be imposed on individual Service Zone’s
managed AP devices. The Wireless Settings section under the VAP Configuration list
allows the specification of wireless settings including Access Control list.
For each Service Zone, administrators can set up the wireless security profile,
including Authentication and Encryption. The options available are Open System,
Share Key, WPA, WPA2 or WPA/WPA2 Mixed.
WEP: When Authentication is Open System or Share Key, WEP will be enabled.
WPA2: When Authentication is WPA2, WPA-Personal or WPA-Enterprise are the
available options. For WPA-Personal, Passphrase or HEX can be selected for the
pre-shared key.
WPA/WPA2 Mixed: When Authentication is WPA/WPA2 Mixed, WPA-Personal or
WPA-Enterprise are the available options. For WPA-Personal, Passphrase or HEX can
be selected for the pre-shared key.
The MAC address field is where the admin enters the MAC addresses to deny or
allow. Status ‘Denied’ means that you are configuring a black list; ‘Allowed’
means that you are configuring a white list; ‘Disable’ means that no access
filtering is imposed, regardless of the MAC entries configured below.
released periodically for enhanced standards / features. Edgecore offers an easy
firmware upgrade process from the controller’s AP management interface, allowing
the administrator to upgrade multiple AP devices at once.
1. First add a firmware file: go to Devices >> Local Area AP Management >>
Firmware, select the firmware file and click Upload next to the row to store
the AP firmware on the Controller.
2. Upgrade the necessary APs: go to Devices >> Local Area AP Management >>
Upgrade and select the APs that should receive the new version. When done
with the selection, click Upgrade at the bottom of the page.
NOTE
1. Please read through the release note of each AP firmware release to avoid any
unexpected outcome.
Configuration path: Main Menu >> Devices >> Local Area AP Management >>
WDS Management
WDS is the acronym for Wireless Distribution System, a function for extending the
wireless coverage of the network with additional APs.
【A simple concept diagram illustrating WDS connection】
The WDS management function helps administrators plan and set up a
tree-structured WDS network with managed APs.
WDS Status: Shows the added APs in the WDS Tree with Security and Channel
settings. More than one WDS Tree can be set up in your network. Click "Edit" to
change the WDS connection settings for the associated WDS Tree. This list can be
set to refresh automatically at fixed intervals (10s, 20s, 30s, 40s, 50s, and 60s).
WDS Update: To add a new WDS connection, select New Parent AP and New Child
AP from the respective drop-down list and click "Add". Note that a new WDS Tree
will be added if the selected Parent AP is not in any of the current WDS Trees. To
update the current WDS tree, select Update Parent AP and Update Child AP from
the respective drop-down list and click "Move". Note that the link to the original
parent AP of the selected Update Child AP will be removed. To delete a WDS link,
select the AP from the drop-down list and click "Delete". Note that all WDS
connections of the selected AP will be deleted including the WDS connections to its
Child APs, and the Child APs without wired connection will become unreachable.
Discovered access points are temporarily put in the Rogue AP list. Click one of the
hyperlinked BSSIDs to see its detailed information. If the admin recognizes some
of the listed APs as trusted, check the checkboxes before the BSSID column and
then click Add to Trusted AP List. This action will be recorded in the Trusted AP
Configuration.
This function prevents managed APs from overloading. When the system detects that
an AP's associated-client count exceeds a predefined threshold while other APs in
the same group are still below the threshold, the balancing function is activated
to decrease the overloaded AP's transmit power and increase the other available
APs' transmit power, giving the other available APs a better chance of being
associated. The system can divide the managed APs into groups and define the
group threshold and the time interval that triggers AP load balancing.
The Local Area AP Management feature also supports grouping managed APs and
performing transmit power management to spread the network load as evenly as
possible among APs of the same group.
The administrator can specify the criteria under which the AP load balancing
feature will be enforced. The attributes that can be customized for creating your
own load balancing initiation criteria include the enforcement interval and the
associated client threshold.
7.3 Wide Area AP Management
Configuration path: Main Menu >> Devices >> Wide Area AP Management
This section goes on to explain how to centrally manage the access points on the
WAN from an Edgecore EWS controller. It is worth noting that WAN-side AP’s are
supposed to have public IP addresses that are routable on the Internet.
NOTE
1. Wide Area AP Management can be used to manage APs physically deployed on
the WAN side and LAN side of the controller.
7.3.1. Adding an Access Point
Configuration path: Main Menu >> Access Points >> Wide Area AP Management
>> AP List >> Add
The Adding page allows the administrator to directly add a single Access Point to
the management list regardless of its Status. Simply configure the device's IP
address, name and login credentials, set an SNMP community string and click the
Apply button.
Configuration path: Main Menu >> Access Points >> Wide Area AP Management
>> AP List >> Add
With the AP Discovery feature, the administrator can scan for APs regardless of
their physical location, as long as their IP addresses are reachable. An IP
scanning range may be configured. Select the target Device Type, define the scan
IP range and Admin Settings, and then click “Discover”. After the discovery
process, newly found APs will be listed under Device Results, where the
administrator can specify each AP's Device Name and SNMP Community string. Select
them and click the Add button, and the discovered APs will be added to the List.
7.3.3 AP Configuration with Templates
Configuration path: Main Menu >> Devices >> Wide Area AP Management >>
Template
Up to 30 Templates are available, and all wireless functions configurable on the
access point can be configured from the template.
General Settings on the Access Point include basic wireless settings such as the
Band, Channel, Transmit Power and Transmit Rates. VAP Settings allow the
administrator to enable/disable a VAP, designate an ESSID, and assign a VLAN ID
with or without a corresponding tunnel if needed. Configure Security Settings,
such as WEP, 802.1X, WPA-Personal, and WPA-Enterprise, if needed. Advanced
Wireless Settings allow the administrator to fine-tune performance and
efficiency on the Access Points to maintain good wireless connection quality for
associated clients. Hotspot 2.0 Settings support roaming between WLAN networks
of different service providers. In Firewall Settings, the proxy ARP feature can
be enabled or disabled. As for Linkyfi's Location Engine, RTLS and DPI DNS can be
enabled to integrate with the Linkyfi Location Engine for user tracking.
Complete Tunnel uses the CAPWAP protocol to communicate with an Access Point
so that all management traffic, authentication traffic and data traffic from the
service area the AP provides are transmitted back to the Controller before data
traffic is forwarded to the Internet. The EWS Controller is able to implement
role-based policies over Layer 3 networks, with user access control available at
the remote sites. This feature allows the Edgecore EWS Controller to fully support
centralized AP management and user management.
For Split tunnel, only user authentication related traffic will be directed back to the
controller. For authenticated users, data traffic will go to the Internet through the
local network directly. The user data can be transmitted with a shorter path and the
network load of the controller can also be reduced.
Configuration Steps:
1. On the Edgecore controller: Enable CAPWAP from Main Menu >> Devices >>
Wide Area AP Management >> CAPWAP
2. Make sure that the Controller's CAPWAP settings use a security certificate that
is issued by the same CA. For information on certificate management on the
controller, please refer to the subsequent chapter in this guide.
3. Upload the necessary security certificate into the AP in order for the Controller to
validate CAPWAP discovery and join requests.
4. Configure the CAPWAP template from VAP Settings in the Template. VAP traffic
may be selected to be tunneled back to the controller's enabled SZ profile. There
are three types of tunnel interfaces: Disabled doesn't establish any tunnel,
Complete Tunnel creates a tunnel that transfers all data back to the
Controller, while Split Tunnel carries only management traffic and
authentication traffic back to the Controller. Only the latter two tunnel
interfaces require the administrator to select mapping Service Zones for each
VAP.
5. On the AP side: Enable the CAPWAP function from System >> CAPWAP, where
the administrator will see several discovery methods to be activated, namely:
proper setup on the routing paths of the AP. Please make sure you enable it with
the related settings in place.
Successful CAPWAP joining will lead to the AP being listed in the managed AP list,
as illustrated below:
The CAPWAP column will display a ‘RUN’ status, and the tunnel status will show a
clickable ‘edit’ button in black if a VAP is configured to be tunneled back to the
controller.
AP WMI will show with the VAP enabled and tunnel status as well on the System
Overview page:
The VAP Configuration on the AP WMI also displays which kind of CAPWAP Tunnel
Interface is in operation on each VAP.
NOTE
1. AP tunnels will be established automatically when the CAPWAP template has
selected VAP to be enabled and tunneled back to a SZ.
2. If the CAPWAP discovery process fails, please check the certificate settings used
on the Controller and the certificate uploaded into the AP.
3. The Controller's CAPWAP Log may be referenced during the troubleshooting process.
Configuration path: Main Menu >> Devices >> Wide Area AP Management >> List
For VAPs which are tunneled back to the controller from remote APs, the
administrator may wish to allocate a NAS Identifier as well as designate an IP pool
for service.
Once the VAP tunneled back, complete tunnel or split tunnel, has been configured
with PLM (Port Location Mapping), remote sites may also benefit from the PMS
system or other centrally managed hotspot operations which require location
attributes or information.
The Map is implemented with Google Maps API version 3, which allows administrators
to view at a glance the whereabouts of all the APs under Wide Area AP
Management (WAPM). This feature is helpful when it comes to network planning
and management.
Once the administrator has added APs to the managed list, these APs can be tagged
or marked on the Google Map to show their geographical location, as shown
below:
Here is the procedure to create a Map:
Step 1. Get a Public IP Address from your ISP and configure this address to
WAN interface.
Step 2. Apply for a Google Maps Registration key.
Step 3. Click Add a New Map button on the Map page. Configure Map Name
and registration key.
Step 4. Discover APs and add these APs to managed List.
Step 5. From the List page, add some APs to the created Map.
The necessary steps required to configure your map with AP information are
described in the subsequent sections.
obtain a Maps API v3 key. Enter the key into the “Google Maps Registration Key”
field on the Map Configuration page.
In this Map Configuration page, you can also configure the Map Name for this map
and its geographical location as defined by Longitude and Latitude, choose the
Zoom Level and Map Type to be displayed.
To add APs to a map, first go to the AP List and click the AP name to define the
latitude and longitude of the AP. The latitude and longitude should be around the
location of the target map. On this page, the administrator can also set up links
and remarks to be shown on the map for each AP.
After defining the location for each AP, return to the AP List page. Select the AP’s
that you wish to mark on the map and click the “Add to Map” button, choose the
name of the map on which you wish to mark these APs and click OK button.
The selected APs will show up as marker images on the map at the physical
coordinates configured, as shown below.
Administrators can click on an AP icon to see a dialogue box with the additional
information or links that have been configured. Administrators can also click the
more info link for information on AP Link, AP Statistic, AP Status, Client List, WDS
List and Links related to this AP, which are collected from the remote AP via SNMP.
NOTE
1. The “Overview” map is the default map of the system. This map provides an
overview for all managed APs.
2. When an AP is added to the managed list, it belongs to “Overview” map.
3. After an AP is added to a map, it can still be monitored in the “Overview” map.
7.3.7 AP Grouping
Configuration path: Main Menu >> Devices >> Wide Area AP Management >> AP
Grouping >> Map Configuration
To use AP grouping function, go to Main Menu >> Devices >> Wide Area AP
Management >> AP Grouping >> AP Grouping List to add or delete the AP group.
Click Add to add an AP group. Each AP group can include maps and templates to be
managed.
After an AP group is created, you may assign access permission to each AP group
by adding an Administrator Group to the Administrator Group List.
Assigning permission to an AP group.
manually identified as a safe source.
The discovered access points are temporarily put in the Rogue AP list. Click on one
of the hyperlinked BSSIDs to see its detailed information. If the admin recognizes
some of the listed APs as trusted, check the checkboxes before the BSSID column
and then click Add to Trusted AP List. This action will be recorded in the Trusted
AP Configuration.
This function prevents managed APs from overloading. When the system detects that
an AP's associated-client count or network traffic exceeds a predefined threshold
while other APs in the same cluster are still below the threshold, the balancing
function is activated to decrease the overloaded AP's transmit power and increase
the other available APs' transmit power; this increases the chances for other
available APs to be associated. The system can divide the managed APs into
clusters and define the threshold and the time interval that triggers AP load
balancing.
The Wide Area AP Management feature also supports clustering managed APs and
performing transmit power management to spread the network load as evenly as
possible among APs of the same cluster.
The administrator can specify the criteria under which the AP load balancing
feature will be enforced. The attributes that can be customized for creating your
own load balancing initiation criteria include the enforcement interval and the
associated client or traffic threshold.
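One reading of the load-balancing decision described here and in the Local Area AP Management section above, written as an added example rather than Edgecore's algorithm: an AP is overloaded when its client count or traffic exceeds the threshold, and power is only shifted while another AP in the same cluster still has headroom. The power limits, step size and log format are constructed.

```python
"""Transmit-power decision for one AP load-balancing cluster.

Added example and an illustrative reading of the mechanism described above,
not Edgecore's algorithm. An AP is overloaded when its associated-client count
or its traffic exceeds the cluster threshold; balancing acts only while at
least one other AP in the cluster is still below threshold, stepping the
overloaded APs' transmit power down and the available APs' power up.
Power limits and step size are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ApLoad:
    name: str
    clients: int
    traffic_mbps: float
    tx_power_dbm: int


@dataclass
class ClusterPolicy:
    enabled: bool
    client_threshold: int
    traffic_threshold_mbps: float
    interval_seconds: int      # enforcement interval between decisions
    step_dbm: int = 1
    min_dbm: int = 5
    max_dbm: int = 20


def is_overloaded(ap: ApLoad, policy: ClusterPolicy) -> bool:
    """Either criterion on the page (clients or traffic) marks an AP as overloaded."""
    return (ap.clients > policy.client_threshold
            or ap.traffic_mbps > policy.traffic_threshold_mbps)


def balance_cluster(aps: List[ApLoad], policy: ClusterPolicy) -> Dict[str, int]:
    """Return the power change (dBm) to apply per AP for one interval."""
    actions = {ap.name: 0 for ap in aps}
    if not policy.enabled:
        return actions
    overloaded = [ap for ap in aps if is_overloaded(ap, policy)]
    available = [ap for ap in aps if not is_overloaded(ap, policy)]
    if not overloaded or not available:
        return actions  # nothing to shed, or no AP with spare capacity
    for ap in overloaded:
        if ap.tx_power_dbm - policy.step_dbm >= policy.min_dbm:
            actions[ap.name] = -policy.step_dbm
    for ap in available:
        if ap.tx_power_dbm + policy.step_dbm <= policy.max_dbm:
            actions[ap.name] = policy.step_dbm
    return actions


def apply_actions(aps: List[ApLoad], actions: Dict[str, int]) -> List[str]:
    """Apply the decision and return one log line per changed AP, in the
    spirit of the controller's transmit power management log (format constructed)."""
    log = []
    for ap in aps:
        delta = actions.get(ap.name, 0)
        if delta == 0:
            continue
        before = ap.tx_power_dbm
        ap.tx_power_dbm += delta
        log.append(f"{ap.name}: tx power {before} -> {ap.tx_power_dbm} dBm "
                   f"(clients={ap.clients}, traffic={ap.traffic_mbps} Mbps)")
    return log
```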
To create AP load balancing clusters, the administrator must add the APs to maps.
The APs in the same load balancing cluster must be in the same map. After adding
APs to the map, go to Main Menu >> Devices >> Wide Area AP Management >> AP
Load Balancing to select map under Map Cluster Setting. Then, click the Create
button to automatically generate clusters on this map based on the distance
between each pair of APs. After the clusters are created, you can click the Configure
button to enable/disable AP load balancing function for each cluster.
If the location of an AP is modified (e.g. by dragging the AP icon to a different
location on the map and clicking the “Save Modification” button), the APs will not
be re-clustered automatically. The administrator has to delete the existing
clusters on the map first, and then click the Create button to generate clusters
according to the updated location information.
On the other hand, if “AP Distance” is modified, the existing clusters will be deleted
automatically. You have to click the Create button to generate clusters based on the
updated criteria of clustering.
Finally, once the AP load balancing function is enabled on a cluster, the logs of
transmit power management actions for each AP are available for review.
Chapter 8. Advanced Settings for Network Environment
6to4: 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6,
a system that allows IPv6 packets to be transmitted over an IPv4 network
(generally the IPv4 Internet) without the need to configure explicit tunnels. The
6to4 option can only be chosen when the selected WAN interface is set with a
static IPv4 address.
IPv4 / IPv6 Network Utilities
Configure Network Utility; go to: Main Menu >> Utilities >> Network Utilities
The system provides network utilities to help administrators manage the network
easily.
Item          Description
Sniff         With this feature the administrator can listen for packets from
              selected Interfaces. The administrator can further filter the
              types of packets to capture by using tcpdump commands under the
              Expression field.
IP Discovery  With this feature, the controller can discover the IP address of
              the APs connected within the same Layer 2 network. The
              administrator can also modify the IP configuration for the
              discovered APs.
The black list is a tool for user access control. Each black list can hold specific
user accounts that will be denied of network access. The administrator can
use the pull-down menu to select the desired black list profile to edit.
After entering the usernames in the Username fields and the related
information in the Remark fields (not required), click Apply to add the
users.
To remove a user from the black list, click the user's Delete hyperlink.
After the Black List setup is complete, select the Black List in the desired
Authentication Server for it to become effective.
8.2.2 MAC ACL
Configuration Path: Main Menu >> Users >> Additional Controls
MAC ACL is a MAC address Access Control List where specific MAC addresses
may be listed for access filtering, either allow or deny. User authentication is
still required for MAC ACL Allowed users. Click Configure to enter the MAC
Address Control list. Click Add MACs to fill in the desired MAC addresses,
select Allow or Deny and then click Apply.
NOTE
1. The format of the MAC address is: xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-
xx. Colon will be automatically inserted by the system.
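A helper covering both MAC lists on this page (the per-Service-Zone wireless filter with its Denied/Allowed/Disable status, and the MAC ACL format note above), as an added example that is not EWS code: it accepts either separator, stores the colon form, rejects malformed entries, and evaluates the three statuses as the page states them.

```python
"""MAC access-filtering helper for the two MAC lists on this page.

Added example, not EWS code. It covers the per-Service-Zone wireless filter
(status Denied, Allowed or Disable) and the MAC ACL format note above:
entries are accepted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx and stored
in the colon form, so the same device matches however it was typed.
"""
import re
from typing import Iterable, Set

# Six hex octets joined by one separator; the backreference rejects mixed
# separators such as 00:11-22:33:44:55.
_MAC_RE = re.compile(
    r"^[0-9A-Fa-f]{2}(?:([:-])[0-9A-Fa-f]{2})(?:\1[0-9A-Fa-f]{2}){4}$")


def normalize_mac(raw: str) -> str:
    """Return the lower-case colon form, or raise ValueError for bad input."""
    value = raw.strip()
    if not _MAC_RE.match(value):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return value.replace("-", ":").lower()


class MacFilter:
    """Status semantics as the page states them:
    'Disable' -> no filtering, 'Allowed' -> white list, 'Denied' -> black list."""

    STATUSES = ("Disable", "Allowed", "Denied")

    def __init__(self, status: str, entries: Iterable[str] = ()):
        if status not in self.STATUSES:
            raise ValueError(f"unknown status: {status!r}")
        self.status = status
        self.entries: Set[str] = {normalize_mac(m) for m in entries}

    def add(self, raw: str) -> str:
        """Add one entry in either format; returns the stored colon form."""
        mac = normalize_mac(raw)
        self.entries.add(mac)
        return mac

    def permits(self, raw: str) -> bool:
        """Decide whether a client MAC may associate under the current status."""
        if self.status == "Disable":
            return True  # entries are kept but ignored
        listed = normalize_mac(raw) in self.entries
        return listed if self.status == "Allowed" else not listed
```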
8.3 Certification
Configuration path: Main Menu >> Utilities >> Certificate
The EWS Access Controller can issue certificates to APs that it manages in its
private network. The administrator can sign certificates issued by the system's
root CA and load these certificates onto managed APs. These security certificates
are used to verify the identity and authenticity of CAPWAP discovery requests
between AP and AC. They can also be used for authentication of Built-in RADIUS
Server users roaming out. ‘Certificate Management’ gives a summary of the
certificates available and which are currently in use.
To enter settings, click “Edit” icon on the top-left corner of each category.
This is the certificate that identifies the system. These certificates may be used
for applications such as HTTPS login and CAPWAP. The Controller has a built-in
Factory Default Certificate (gateway.example.com) that cannot be removed, but
allows certificates to be uploaded. The Re-generate button allows the
administrator to automatically generate a unique certificate based on the MAC
address of the gateway. To view details of the certificate, click the
corresponding "View" button. Click "Get CERT" and "Get Key" to download the
certificate and public key onto your local disk.
8.3.2. Internal Root CA
The administrator can upload an Internal Root CA, or generate a root CA for private
use. The created root CA certificate can be downloaded and used to sign certificates
generated by the system. Note that the system only allows one Internal Root CA to
be created.
To upload an Internal Root CA, click browse to select the Certificate and matching
Private Key from your local disk, and click "Upload Files".
Once an Internal Root CA is uploaded/generated, details will be shown in the
following format.
To view details of the certificate, click the "View" button.
Internally Issued Certificates can be generated on this page. Note that an Internal
Root CA needs to be created first before Internally Issued Certificates can be
signed. Certificate Information is an overview that displays all current Internally
Issued Certificates. To view details of the certificate, click the corresponding "View"
button.
Apart from the self-signed certificate and the system's root CA, administrators
can also upload other certificates signed by other CA entities or Trusted CAs into
the system. These trusted root CA certificates are intended for the Controller to
recognize and trust certificates of the External Payment Gateway and/or
CAPWAP-capable APs. To upload a Trusted CA, click browse to select the Certificate
and click "Upload Files". To view details of the certificate, click the
corresponding "View" button.
On the EWS Access Controller, the administrator can restrict access to the web
management interface by specifying a list of specific IP addresses or ranges of IP
addresses, from the WAN or from the LAN. For example, entering "192.168.3.1" and
"192.168.1.0/24" means that only the device at 192.168.3.1 and devices in the
range 192.168.1.0 to 192.168.1.255 are able to reach the web management
interface.
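The allow-list semantics of the example above, written as an added example (not EWS code) so the resulting access decisions can be checked before the list is applied; treating an empty list as "no restriction" is an assumption made here, and the breadth audit is an extra check rather than anything the controller does.

```python
"""Management-interface allow-list check modelled on the example above.

Added example, not EWS code. Entries are the page's "192.168.3.1" and
"192.168.1.0/24"; the check answers whether a source address may reach the
web management interface, and the audit flags entries broad enough to defeat
the purpose of the list. Treating an empty list as "no restriction" is an
assumption made here for illustration.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allow_list(entries: List[str]) -> List[Network]:
    """Turn configured entries into networks; a bare address becomes a /32 (or /128)."""
    networks: List[Network] = []
    for entry in entries:
        text = entry.strip()
        if not text:
            continue
        # strict=False accepts host bits set ("192.168.1.5/24" -> 192.168.1.0/24)
        networks.append(ipaddress.ip_network(text, strict=False))
    return networks


def is_management_allowed(source: str, allow: List[Network]) -> bool:
    """True if `source` falls inside any configured entry."""
    if not allow:
        return True  # assumption: no list configured means no restriction
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in allow)


def audit_allow_list(allow: List[Network], max_hosts: int = 256) -> List[str]:
    """Return warnings for entries that grant management access too widely."""
    warnings = []
    for net in allow:
        if net.prefixlen == 0:
            warnings.append(f"{net} matches every address")
        if net.num_addresses > max_hosts:
            warnings.append(f"{net} covers {net.num_addresses} addresses")
    return warnings
```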
The Console interface may be accessed remotely when the Remote Console is
enabled. For security purposes, console access is disabled by default to prevent
malicious users from accessing the system.
Chapter 9. Utilities for Controller Management
The EWS controller's root management account is the “admin” account, with full
access, modification and application privileges and authority. There are, however,
2nd-tier accounts with less authority which may be created for management
personnel to access their designated areas of authority, a necessary feature for
large-scale deployments requiring multiple management personnel.
This configuration path will lead to the page for assigning authority property, and
generation of other management accounts customizable to suit the needs of your
network.
There is only one management account under default status. Group Permission
Settings will allow you to customize the accessible WMI pages for a particular
management group and in turn, create management accounts for that group.
Password Safety can be enabled to protect the Web Management Interface from
unauthorized personnel. Note that these settings are disabled by default.
table below.
NOTE
1. The Password Safety Settings contain constraints or rules which must be
followed upon management account creation or password change.
2. Admin List displays all existing management accounts and a login status showing
whether each account is currently accessing the WMI.
3. Admin account is the root account and may not be deleted or have its authority
modified.
NOTE
1. The General Backup feature opens a pop-up window prompting you to
save a db file.
2. A previous db configuration can be restored with options such
as Keep WAN Settings, which prevents the loss of the WMI connection if this
action is performed remotely.
3. Resetting to factory default will erase all configurations and restore the
controller to factory configuration. This action also has additional options
to keep critical settings.
9.3 Firmware Upgrade
Configuration path: Main Menu >> Utilities >> System Upgrade
The administrator can obtain the latest firmware from Edgecore’s website or
Edgecore’s Support Team and upgrade the system. Click Browse to locate
the firmware file on your local drive and click Apply to upgrade the firmware.
It might take a few minutes before the upgrade process completes, and the
system needs to be restarted afterwards to activate the new firmware. FTP
firmware upgrade is also an option: enter the FTP server IP address, FTP
server port, and the FTP account name and password, and lastly specify the
complete filename of the firmware stored on the FTP server that will be used to
upgrade the system.
NOTE
The system MUST be restarted before resetting to factory defaults after
firmware upgrade.
9.4 Restart
Configuration path: Main Menu >> Utilities >> Restart
This function allows the administrator to safely restart the EWS Controller; the
process might take several minutes to complete. Click Apply to restart the
EWS Controller. If the power needs to be turned off, it is highly recommended
to restart the EWS Controller first and turn off the power only after the
restart process has completed. The administrator may enter a Reason for Restart for
maintenance purposes.
NOTE
1. All online users of the system will be disconnected while the system is
restarting.
Chapter 10. Reports and Logs for Monitoring
The “Display Mode” button in the top-right corner allows the administrator to
decide which items are displayed in the Dashboard.
The download button on the top-right corner is a tool that captures system
settings. This is used for maintenance or troubleshooting purposes.
10.1.2 System Summary
A selection of Reports is available when the “See Reports” button is clicked.
These reports can be sorted based on interface and intervals.
10.1.3 Network Interface
This section provides the details of each network interface for the
administrator to inspect, including WAN1, WAN2, SZ Default, and SZ1 ~ SZ8.
Select the network interface you want to inspect. If the selected
interface is enabled, the corresponding network settings will be displayed.
Scrolling down the page, the traffic statistics for different scales, including
the traffic summary, traffic of the day, traffic of the month, and traffic of the top
10 days, are presented graphically.
NOTE
1. If statistics need to be kept for the long term, see the Report &
Notification section for instructions on sending network traffic statistics to
external servers for storage.
10.1.4 Routing
Configuration path: Main Menu >> Status >> Routing Tables >> IPv4/IPv6
This status page displays all the Policy Route rules; Global Policy Route
rules are listed here as well. It provides a quick reference window for the
administrator to see the routing rules enforced for users belonging to
different Policies. It also shows the System Route rules specified for each
network interface.
IPv6 rules are available for the Global policy, and the rules configured there will also be
shown on the IPv6 routing table page along with the System interface settings for
IPv6 traffic.
The DHCP IP lease statistics can be viewed after clicking on Show Statistics
List on this page.
DHCP Lease List
Valid IP addresses issued by the DHCP Server, and related information about
the client using each IP address, are displayed here.
Page path: Main Menu >> Status >> Monitor Users >> Online Users
Users displayed on this page are those authenticated by this
Controller under its managed network, either on the LAN or at a remotely tunneled site.
There are 2 modes to select from. Select ‘Detail’ to display more information,
such as Pkts In/Out and Bytes In/Out. Administrators can force out a
specific online user by clicking Kick Out, and can check the status of the AP the
user accesses from by clicking the AP name hyperlink under Access From. A “Search” tool is
available for searching the IP or MAC address of a specific online user. Click
Refresh to update the current user list, or select a time interval
for automatic refresh from the drop-down box in the lower right corner of this
page.
Page path: Main Menu >> Status >> Monitor Users >> Non-Login Devices
This page shows users that have acquired an IP address from the system’s
DHCP server but have not yet been authenticated, either under the LAN or at a
remotely tunneled site. This feature is designed to help administrators keep
track of the system’s resources so that they are not exhausted. The list shows the client’s
MAC Address, IP Address and associated VLAN ID, Service Zone, and also
the Associated AP if the client uses a wireless connection.
10.2.3 Cross Gateway Roaming Users
Page path: Main Menu >> Status >> Monitor Users >> Roaming In Users
This page displays the users that are physically under this controller but are
authenticated by a roaming peer controller. The users listed here will have
their traffic tunneled back to their home controller and forwarded into the
internet.
Page path: Main Menu >> Status >> Monitor Users >> Roaming Out Users
This page shows the users that are authenticated by other Controllers using
this Controller’s On-Demand database as their RADIUS database.
Page path: Main Menu >> Status >> Monitor Users >> MAC Login Devices
This page displays the devices that are not able to complete MAC
authentication by themselves. The administrator can select the devices and click
the “MAC Authenticate” button to authenticate them manually. The
authentication results will be shown in the text area on this page.
Page path: Main Menu >> Status >> Monitor Users >> Authenticated Users
The administrator can log out authenticated users by selecting the users and
clicking the “Logout” button.
10.2.7 Smart Login Users
Page path: Main Menu >> Status >> Monitor Users >> Smart Login Users
This page displays the On-Demand users within the Smart Login period. The
users in this list will log in automatically the next time they access the
network.
The administrator can delete users from the Smart Login Users list. Deleted
users have to log in manually next time.
10.3 Logs and Reports
Configuration path: Main Menu >> Status >> Logs and Reports
This page displays the system’s local log and User events since system boot-up.
Administrators can examine the log entries of various events. However,
since all this information is stored in volatile memory, it will be lost
during a restart/reboot operation. Therefore, if the log information needs to be
kept, the administrator will need to back it up manually.
Management Events can be configured in “Alarms & Events Settings” page.
Configuration path: Main Menu >> Status >> Logs and Reports >> User
Events
This page contains all user logs and events. User logs and events can
be stored for up to 40 days. It displays all user-related information, customizable to the
administrator's preference. The administrator can choose the number of
rows (20, 40, 60, 80, or 100) to display per page. Select the Begin and End
dates from the calendar to filter out unwanted User Events. After the Begin and
End dates are selected, click "Display" to display all User Events within the
selected dates.
The "Download" button downloads the displayed User Events into a comma
separated .txt file. Save as a new file with .csv extension to sort the
downloaded data into cells. The "Clear" button deletes current User Events
displayed on the User Interface.
The “Configure” button for Display Mode allows the administrator to modify the
columns shown in User Events.
Note that different User Types contain different user information. Categories
will be left blank if inapplicable to the User Type.
EWS Controller can automatically send various kinds of user and/or system related
reports to configured E-mail addresses, SYSLOG Servers, or FTP Server.
SMTP Settings: Allows the configuration of 5 recipient E-mail addresses and
the necessary mail server settings for sending various user-related logs.
SYSLOG Settings: Allows the configuration of two external SYSLOG servers
to which selected user logs as well as system logs will be sent.
FTP Settings: Allows the configuration of an external FTP Server to which selected
user logs as well as system logs will be sent.
Notification Settings: Provides an overview of all the available user and system
logs for selection. Selected logs can be sent to the chosen location (E-mail,
SYSLOG, and FTP) at customizable time intervals.
Alarms & Events Settings: Provides a list of the available management events
for selection. If an item is selected as Management Events, the related logs will
be recorded on the Management Events page and Dashboard. If an item is
selected as Alarm, the warning message or error message will be displayed when
related faults occur. Once the fault is resolved, the message will be removed from
Alarm, while it is still recorded as Management Events.
Chapter 11. Hotspot Application
Billing plan profiles define the terms and conditions of guest internet access. Click
the Billing Plan Number link to enter the configuration page of a selected Billing
Plan profile. Once you have finished configuring a billing plan profile, go back to the
screen of Billing Plans, check the Active checkbox and click Apply to activate.
11.2 On-Demand Billing Plan Types
Users can access the internet as long as the account is valid with remaining quota
(usable time). Users need to activate the purchased account within a given
time period by logging in. This is ideal for short-term usage such as in coffee
shops, airport terminals etc. Quota is deducted only while in use; however, the
countdown to Expiration Time is continuous regardless of logging in or out.
The account expires when the Valid Period has been used up or the quota is depleted.
Quota is the total period of time (xx days yy hrs zz mins) during which
On-Demand users are allowed to access the network. The total
maximum quota is “364Days 23hrs 59mins 59secs” even after
redeeming.
Account Activation is the time period within which the user must perform
a first login. Failure to do so within the time period set in Account Activation
will result in account expiration.
Valid Period is the valid time period for use. After this time period,
the account will expire even with remaining quota.
Price is the unit price of this plan.
Group will be the Group applied to users created from this plan.
Reference field allows the administrator to input additional information.
11.2.2. Usage-time with No Expiration Time
Users can access the internet as long as the account has remaining quota (usable
time). Users need to activate the purchased account within a given time
period by logging in. This is ideal for short-term usage such as in coffee
shops, airport terminals etc. Quota is deducted only while in use, and the account
expires only when the quota is depleted.
Quota is the total period of time (xx days yy hrs zz mins) during which
On-Demand users are allowed to access the network. The total maximum
quota is “364Days 23hrs 59mins 59secs” even after redeeming.
Account Activation is the time period within which the user must perform
a first login. Failure to do so within the time period set in Account Activation
will result in account expiration.
Price is the unit price of this plan.
Group will be the Group applied to users created from this plan.
Reference field allows the administrator to input additional information.
11.2.3. Hotel Cut-off-time
Hotel Cut-off-time is the clock time (normally check-out time) at which the
On-demand account is cut off (made expired) by the system on the following
day or several days later. On the account creation UI of this plan, the operator can
enter a Unit value, which is the number of days until the Cut-off-time according to
the customer's length of stay. For example: with Unit = 2 days and Cut-off Time = 13:00,
the account will expire at 13:00 two days later. Grace Period is an additional
short period of time after the account is cut off that allows the user to continue to
use the On-Demand account to access the Internet without paying an additional
fee. Number of Devices defines the number of simultaneously logged-in devices
allowed per account. Unit Price is the daily price of this billing plan.
This plan is mainly used in hotel venues to provide internet service according to
guests’ length of stay. Group will be the Group applied to users created from this
plan. Reference field allows the administrator to input additional information.
11.2.4. Volume
Users can access the internet as long as the account is valid with remaining quota
(traffic volume). The account expires when the Valid Period is used up or the quota is
depleted. This is ideal for small-quantity applications such as
sending/receiving mail, transferring a file etc. The countdown of the Valid Period is
continuous regardless of logging in or out.
Account Activation is the time period within which the user must perform
a first login. Failure to do so within the time period set in Account Activation
will result in account expiration.
Expiration is the valid time period for use. After this time period, the
account expires even with quota remaining.
Quota is the total traffic volume in Mbytes (1~1000000) that On-Demand users
are allowed to transfer while accessing the network.
Number of Devices defines the number of simultaneously logged-in devices
allowed per account (0: unlimited).
Unit Price is the unit price of this plan.
Group will be the Group applied to users created from this plan.
Reference field allows the administrator to input additional information.
11.2.5. Duration-time with Elapsed Time
internet access (xx hrs yy mins).
Number of Devices is to define the number of allowed simultaneous
logged in devices per account.
Price is the unit price of this plan.
Group will be the applied Group to users created from this plan.
Reference field allows administrator to input additional information.
11.2.6. Duration-time with Cut-off Time
Cut-off Time is the clock time at which the On-Demand account is cut off
(made expired) by the system on that day. For example, if a shopping mall is
set to close at 23:00, operators selling On-Demand tickets can use this plan
to create tickets set to be cut off at 23:00. If an account of this kind is
created after the Cut-off Time, the account will automatically expire.
Begin Time is the time at which the account is activated for use. It is
set to the account creation time.
Cut-off Time is the clock time at which the account will expire.
Number of Devices defines the number of simultaneously logged-in devices
allowed per account.
Price is the unit price of this plan.
Group will be the Group applied to users created from this plan.
Reference field allows the administrator to input additional information.
11.2.7. Duration-time with Begin-and-End Time
The Begin Time and End Time of the account are defined explicitly. The countdown
begins immediately after account activation, and the account expires when the End
Time has been reached. This is ideal for providing internet service throughout
a specific period of time, for example during exhibition events or large
conventions such as Computex, where each registered participant gets an
internet account valid from 8:00 AM Jun 1 to 5:00 PM Jun 5, created in batch
like coupons.
Begin Time is the time at which the account is activated for use,
defined explicitly by the operator.
End Time is the time at which the account expires, defined explicitly by
the operator.
Number of Devices defines the number of simultaneously logged-in devices
allowed per account.
Price is the unit price of this plan.
Group will be the Group applied to users created from this plan.
Reference field allows the administrator to input additional information.
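The expiry rules of the plan types above, as an added worked example (not Edgecore code): Usage-time and Volume accounts share one state function (quota consumed only while in use, Valid Period counting down continuously), while the two Cut-off Time plans are computed from a clock time. It assumes the Valid Period counts from the activating first login, and the dates in example_results() are constructed.

```python
"""Expiry rules for the On-Demand billing plan types in 11.2.

Added illustration, not Edgecore code. Field names follow the manual
(Quota, Account Activation, Valid Period, Cut-off Time, Grace Period,
Number of Devices). Assumption: the Valid Period countdown starts at the
first login that activates the account. All dates below are constructed.
"""
from datetime import datetime, time, timedelta
from typing import Dict, Optional, Tuple, Union

# usable time for Usage-time plans, or Mbytes for the Volume plan
Amount = Union[timedelta, int]


def quota_plan_state(now: datetime, created: datetime,
                     first_login: Optional[datetime], activation_window: timedelta,
                     quota: Amount, used: Amount,
                     valid_period: Optional[timedelta] = None) -> str:
    """State of a Usage-time or Volume account.

    Quota is consumed only while the account is in use (the caller tracks
    `used`); the Valid Period counts down continuously from activation,
    logged in or not. valid_period=None models "Usage-time with No
    Expiration Time", where only the quota matters.
    """
    activation_deadline = created + activation_window
    if first_login is None:
        return "awaiting_activation" if now < activation_deadline else "expired_not_activated"
    if first_login > activation_deadline:
        return "expired_not_activated"
    if valid_period is not None and now >= first_login + valid_period:
        return "expired_valid_period"
    if used >= quota:
        return "expired_quota_depleted"
    return "active"


def hotel_cutoff_expiry(created: datetime, unit_days: int, cutoff: time,
                        grace: timedelta = timedelta(0)) -> Tuple[datetime, datetime]:
    """Hotel Cut-off-time plan: cut off at `cutoff` clock time `unit_days`
    days after the creation day; the Grace Period extends access without an
    extra fee. Returns (cut_off_at, access_ends_at)."""
    if unit_days < 1:
        raise ValueError("Unit must be at least one day")
    cut_off_at = datetime.combine(created.date() + timedelta(days=unit_days), cutoff)
    return cut_off_at, cut_off_at + grace


def same_day_cutoff_expiry(created: datetime, cutoff: time) -> Optional[datetime]:
    """Duration-time with Cut-off Time plan: Begin Time is the creation time
    and the account expires at `cutoff` on that day. Returns None when the
    account is created after the cut-off, i.e. it expires automatically."""
    cut_off_at = datetime.combine(created.date(), cutoff)
    return cut_off_at if created < cut_off_at else None


def device_login_allowed(active_devices: int, number_of_devices: int) -> bool:
    """Number of Devices limit on simultaneous logins; 0 means unlimited."""
    return number_of_devices == 0 or active_devices < number_of_devices


def example_results() -> Dict[str, object]:
    """Constructed scenarios; results are plain strings/bools for easy checking."""
    fmt = "%Y-%m-%d %H:%M"
    created = datetime(2024, 6, 1, 10, 0)
    activated = datetime(2024, 6, 1, 11, 0)
    window = timedelta(hours=6)  # Account Activation: first login within 6 hours
    cut, ends = hotel_cutoff_expiry(created, 2, time(13, 0), timedelta(minutes=30))
    mall = same_day_cutoff_expiry(datetime(2024, 6, 1, 20, 0), time(23, 0))
    late = same_day_cutoff_expiry(datetime(2024, 6, 1, 23, 30), time(23, 0))
    return {
        # Unit = 2 days, Cut-off Time = 13:00: expires at 13:00 two days later
        "hotel_cut_off": cut.strftime(fmt),
        "hotel_access_ends": ends.strftime(fmt),
        "mall_ticket": mall.strftime(fmt),
        "mall_ticket_after_cutoff": "expired_on_creation" if late is None else late.strftime(fmt),
        # 2-hour quota, 1-day Valid Period, 30 minutes used, checked one hour in
        "usage_active": quota_plan_state(datetime(2024, 6, 1, 12, 0), created, activated,
                                         window, timedelta(hours=2), timedelta(minutes=30),
                                         timedelta(days=1)),
        # same account a day later: quota left, but the Valid Period has run out
        "usage_valid_period_over": quota_plan_state(datetime(2024, 6, 2, 11, 0), created,
                                                    activated, window, timedelta(hours=2),
                                                    timedelta(minutes=30), timedelta(days=1)),
        # Volume plan: 100 Mbytes quota fully used inside a 7-day period
        "volume_depleted": quota_plan_state(datetime(2024, 6, 1, 12, 0), created, activated,
                                            window, 100, 100, timedelta(days=7)),
        # never activated inside the Account Activation window
        "never_activated": quota_plan_state(datetime(2024, 6, 1, 17, 0), created, None,
                                            window, 100, 0),
        "third_device_on_two_device_plan": device_login_allowed(2, 2),
        "unlimited_devices": device_login_allowed(50, 0),
    }
```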
11.3 POS Printer Setup
tickets using the built-in On-Demand billing plan feature inside Edgecore Wireless
LAN Controllers. What is noteworthy is that the EC-PP200 can be connected to 4pnet
Controllers via Ethernet without additional equipment.
The following diagram shows a simple use case and quick setup to utilize EC-PP200
in your network.
3. Fill the IP address and Port of the EC-PP200 in Terminal Server page of Controller.
The default values are:
IP address: 192.168.123.100
Subnet Mask: 255.255.255.0
Remember to set the TCP/IP settings of the computer you use with a static IP
address that is under the same subnet as EC-PP200. For example: 192.168.123.20.
After rebooting the EC-PP200, use the new IP address to access its WMI and check
that the “Interface Status” of the EC-PP200 is correct.
Configuration path: Main Menu >> Users >> Internal Authentication >> On-
Demand Authentication >> POS Printer Configuration
1. Create and enable Billing Plans. (Please refer to 11.1 and 11.2)
2. Configure POS ticket templates. (Please refer to 11.4)
3. Select “POS Printer via Ethernet”, enter the IP address of the POS printer in the
Server IP field. Select ticket template, and check the billing plans to be enabled.
NOTE
1. When adding EC-PP200 to POS printer list, the port must be 9100.
- An image can be uploaded (such as your company logo) in TMB format if
needed.
- There are 2 Width types, 3” is recommended for EC-PP200.
- Select the desired language for the configured ticket template. EWS supports
English, French, German, Japanese, Spanish, Simplified Chinese, and
Traditional Chinese.
- For accounts generated with Ticket Menu, passwords are random, but the
administrator has the option of selecting between a 4-character and an 8-
character password.
- Select the appropriate Ticket Type depending on the configured billing plan.
You may start customizing your POS ticket from the window below manually typing
or by inserting parameters from the drop-down list as shown in the above example.
Once this is done, you may start assigning Billing Plans and Ticket Templates for
your Terminal Servers.
The administrator can now select the desired Ticket Template for a specific ticket
generator from the drop-down list.
QR Code Login
Scan the QR code with your device to log in automatically. Configuring your web ticket to support QR Code:
For the utilized Billing Plan, the corresponding ticket template needs to be
customized to support QR Code.
1) The width needs to be changed to 3” (default value = 2”)
2) The parameter needs to be added by typing in “$qr” on the template, or
select “$qr” from the drop-down menu and click Insert Parameters.
Administrators have the option of creating single accounts or batch accounts. For
hotspot operators who may wish to pre-generate guest accounts for sale, the
On-Demand feature has a batch create function which allows the administrator,
or an operator with access authority to the On-Demand page, to create multiple accounts
for an enabled billing plan in batch and send them to the POS printer to generate
physical ticket printouts for sale.
When creating custom Usernames, the Prefix and Postfix are kept constant while
the Serial Number of the accounts increments by one for each account.
The generated accounts may be downloaded for safe keeping, or sent to printer for
batch printout.
Configuration path: Main Menu >> Users >> Authentication >> On-Demand
User >> External Payment Gateway
Before setting up “PayPal”, the hotspot owner must have a valid PayPal
“Business Account”.
After opening a PayPal Business Account, the hotspot owner should find the
“Identity Token” of this PayPal account to continue with the “PayPal Payment Page
Configuration”.
receive transaction outcome.
Select the enabled billing plans that are allowed for end users to self-
purchase through the payment gateway.
step to purchase an account with a valid credit card.
In order for users to receive their account info via SMS after buying a new account
online, eliminating the risk of forgetting their username and password at
the next login, administrators may choose to integrate an SMS gateway
with the payment gateway.
Upon successful setup, the Number of SMS Quota field becomes available.
Account buyers enter a cellphone number after paying the fee for the account
online. The account buyers can then re-send the SMS no more than the
configured number of times.
To preview your External Payment Portal, click “Configure” for Web Page
Customization at the bottom of the page. Just like all customizable web
pages in the system, this page also supports customization with templates,
uploading html, or using an external page. An example of what will be
displayed when External Payment Gateway is used with SMS Gateway is
shown below:
After planning your VLAN network and completing all the Port Location
Mapping settings, you should verify whether the configuration is working
properly. Depending on the Port Type set, when a user tries to access the
internet from a VLAN-mapped room, the pages or messages displayed are as
follows:
When a user tries to access the internet from a room, the browser will show the
Login page with a list of available plans and the service agreement. The Service
Agreement body can be configured in the applied Service Zone’s Custom
Pages settings. The user may choose a billing plan and click the Confirm button, and
the system will display the generated account name and password. If you
already have a user account, you can click the “here” link to log in with the
user account that you possess.
Chapter 12. PMS Integration
This section introduces the Port Location Mapping feature used with PMS
integration. This feature is designed for creating multiple VLAN divisions (as if they
were separate LAN ports) under a Service Zone and mapping these VLANs to
different locations individually. It can be used to provide separate VLANs
to separate clients in MTU/MDU deployments where a VLAN switch is deployed
under the gateway to provide VLAN connections to individual rooms.
The Port Location Mapping feature is also commonly used in hospitality venues to
manage the internet service for guest rooms and public areas. In addition, it
can operate in conjunction with third-party hospitality applications and has been
tested with the Net Retriever middleware, which provides seamless integration
between the gateway and popular High Speed Internet Access (HSIA) hardware
and Front Office System (FOS) software.
Each Port Location Mapping entry can be configured to provide charged (single or
multiple user), free or blocked internet service at the location corresponding to the
entry’s VLAN Tag. Please note that for charged service to work, at
least one On-Demand Billing Plan must be created, allowing the user to choose
a desired plan to pay for their internet access.
NOTE
1. EWS Controllers default support Micros PMS, InnKeyPMS, and IDS interfaces. If
you require dedicated support in creating or customizing your own interfacing
hospitality software, please contact your Edgecore sales representative.
The Port Location Mapping feature allows each Service Zone to own multiple VLANs
(as if each VLAN were a port) in order to identify where the clients are coming from.
Before configuring the PMS Middleware or adding VLANs to a Service Zone,
the Port Mapping feature must be enabled first.
The administrator can use the Port Location Mapping feature to map a location (such as a
hotel room) to a VLAN port of a VLAN switch or a DSLAM device. Each Room is
mapped to a VLAN Tag, and each Room can be assigned to a different Service Zone to
get a different policy. Furthermore, according to your application, you can configure
different rooms with different Port Types: Open, Block, or Auth. Required.
Open: this port type means the user can access the internet in this room
without any charge.
Block: if you do not want to provide any internet access in certain rooms, you
may change the Port Type of those rooms to Block. If the user opens a
browser and tries to access the internet, a Blocking message will pop up to
notify the user.
Auth. Required: this port type is used mainly in hospitality applications to
charge users. When the user opens a browser and tries to access the internet, a
page with a disclaimer and billing plan options is displayed. The user can
select the desired plan and click the Confirm button to purchase an account.
The account cost will be sent to the PMS and added to the hotel bill via the
configured middleware.
NOTE
1. VLAN Ports may be created one by one or in a batch. Subsequent changes
are possible via the Change Port Type configuration box.
2. The VLAN Tags configured in Port Location Mapping must not conflict with any
of the VLAN Tags that have been assigned to each Service Zone.
The Port Location Mapping List displays all the profile entries with information
such as VLAN ID, Room Num/Location ID, Port Type and Service Zone. Clicking
the Delete link erases an individual Port Location Mapping profile. Clicking the
Delete All button erases all of the Port Location Mapping profiles.
Micros Opera / IDS
When the interface type is Micros Opera or IDS, fill in the PMS IP and Port as
configured on the PMS system side. Administrators may define the User Account
credentials using a combination of RN (Room number), GN (Guest Name), G#
(Guest Number) or G+ (Profile Name) to designate the protocol parameters that
carry the username and password information. Micros Opera users may also be
monitored from the On-Demand Account List.
Innkey PMS
When the interface type is Innkey PMS, the Query API, Post API and Shared Key of the
PMS system are required for integration. The Room Number and Guest
Number will be the user account credentials.
The PMS API provides the administrator with a flexible implementation using a customized
login page, where the login information, chosen billing plan, purchase unit and so on
complete the access process. The administrator can also use their own username
and password to secure the API protocol between the external web server and the EWS
Controller. Furthermore, there is a downloadable example which the administrator can
easily modify.
Please note that the PMS API for External Login Page is available for the Micros Opera and
IDS interfaces only.
Chapter 13. Account Roaming
For more in depth support regarding compatibility and technical evaluation on your
telecom operator, please contact Edgecore support team.
If a RADIUS server has been configured, the WISPr attributes used during
RADIUS authentication can be defined here in this Service Zone.
WISPr Smart Client: Select Enable if you wish to allow customers with a
roaming account from a WISPr agent (iPass, WiFi Skype, Boingo, etc.) to
access your internet. Make sure to enable the HTTPS Protected Login field
under System >> General in order for the roaming software on the client’s device
to work properly.
Smart Client Black List: Fill in the WISPr agent names and enable the list to block
users from those particular WISPr roaming agents from accessing your internet. For
example, if you fill in “ipassconnect”, iPass clients will be denied roaming
access in your network.
WISPr Location ID: These attributes, which enable wireless hotspot providers
to customize their web portals based on the client device’s location, are
RADIUS vendor-specific attributes (VSAs).
13.3 Cross Gateway Roaming
Configuration path: Main Menu >> Network >> Client Mobility
With Cross Gateway roaming enabled, the end user would not experience
network interruption. The traffic would be tunneled back to the original
Controller for forwarding into the internet.
Configure the Slave Node’s Master Node and secret key.
This application offers the ability to refer to a single central Controller for
account credential lookup during the authentication process, and is ideal for
enterprises or businesses with multiple branch offices.
To use On-Demand user database as the RADIUS database of another
Controller: Configuration path: Main Menu >> Users >> Internal
Authentication >> On-Demand
After enabling the Roaming out feature for Local or On-Demand, click the
RADIUS Client Device Settings hyperlink. The redirected page allows the
administrator to specify the Controller IP which is allowed to behave as a
RADIUS client and authenticate against this Controller’s enabled user
databases.
NOTE
1. Please make sure that the user database postfixes are configured without
conflicting with one another over the two Controllers.
Chapter 14. VPN
14.1 Site-to-Site
Configuration path: Main Menu >> Network >> VPN
The EWS Controller supports Site-to-Site VPN for 2 or more EWS Controllers to
create VPN tunnels to each other over the WAN. For example, if there are 2
EWS Controllers, you can create a VPN tunnel to let a subnet of one EWS Controller
access a subnet of the other EWS Controller.
First, you need to add a Remote Site with at least one remote subnet.
NOTE
1. The IPSec settings on both sites must be the same.
Then create a Local Site with a subnet to map to the remote site, such as
“192.168.11.0/24” of EWS Controller_A >> “192.168.111.0/24” of EWS
Controller_B. After the tunnel is created, the users within these two subnets can
reach each other.
NOTE
1. You can create more than one VPN tunnel, but the IP segment mappings cannot
overlap, because one IP segment cannot have two routing rules.
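An added check (not Edgecore code) for the note above: given a set of tunnels, each mapping a local subnet to a remote subnet as in the Controller_A >> Controller_B example, it reports remote subnets that overlap each other (two routing rules for one segment) and remote subnets that overlap a local subnet; the tunnel names are constructed.

```python
"""Overlap check for Site-to-Site VPN subnet mappings.

Added illustration, not Edgecore code. It applies the rule that one IP
segment cannot have two routing rules to a set of tunnels, each mapping a
local subnet to a remote subnet. Tunnel names are constructed labels.
"""
import ipaddress
from typing import Dict, List, Tuple


def find_mapping_conflicts(tunnels: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return human-readable conflicts for site-to-site subnet mappings.

    tunnels maps a tunnel name to (local_subnet, remote_subnet), e.g.
    "A_to_B": ("192.168.11.0/24", "192.168.111.0/24"). An empty result
    means every remote segment has exactly one route.
    """
    # strict=True rejects entries with host bits set (e.g. 192.168.11.5/24)
    parsed = {name: (ipaddress.ip_network(local, strict=True),
                     ipaddress.ip_network(remote, strict=True))
              for name, (local, remote) in tunnels.items()}
    conflicts: List[str] = []
    names = sorted(parsed)
    for i, a in enumerate(names):
        a_local, a_remote = parsed[a]
        # a remote segment inside the local segment cannot have a single route
        if a_local.overlaps(a_remote):
            conflicts.append(f"{a}: local {a_local} overlaps its remote {a_remote}")
        for b in names[i + 1:]:
            b_local, b_remote = parsed[b]
            # two tunnels claiming the same remote segment: two routing rules
            if a_remote.overlaps(b_remote):
                conflicts.append(f"{a}/{b}: remote {a_remote} overlaps remote {b_remote}")
            # a remote segment that is another site's local segment would pull
            # local traffic into the wrong tunnel
            if a_remote.overlaps(b_local):
                conflicts.append(f"{a}/{b}: remote {a_remote} overlaps local {b_local}")
            if b_remote.overlaps(a_local):
                conflicts.append(f"{b}/{a}: remote {b_remote} overlaps local {a_local}")
    return conflicts
```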
The EWS Controller supports Remote VPN for users to log in to the system from a remote location.
After the user has logged in to the system from the outside network on the WAN side, it will
appear to the user that the login to the EWS Controller took place locally under the service zone.
The data transferred between the remote user and the controller is encrypted
in an IKEv2 VPN tunnel. A Policy can also be applied, and the users’ access to the
network is controlled by the system.
All settings are similar to the settings in a Service Zone. Remote VPN can also be
set up with a dedicated subnet, Certificate, WISPr configuration and
Authentication Options.
After Remote VPN is enabled, users can use the VPN tool on their client devices to
set up the VPN link with a username and password from the enabled authentication
options.
NOTE
1. Different user policies can be applied to Remote VPN clients on the page
Main Menu >> Users >> Groups >> Configuration.
Chapter 15. Switch Management
The EWS Controller gives administrators one comprehensive interface for managing
your Edgecore switches.
Switches connected either to a WAN port or a LAN port of the EWS Controller can be
added manually or by discovery.
Once the Switch has been successfully added to the list, its Status is
shown:
The Switch List displays the Switch Name, Switch Type, Status, IP Address, MAC
Address, Power Budget, and a shortcut link to the Switch’s management web
interface.
The PoE Schedule Template allows administrators to set a schedule for delivering
power on the assigned ports of the managed switch. This function can be used to
control AP schedules when the APs are powered by PoE from the managed switch.
15.3 Backup Configuration
Configuration path: Main Menu >> Devices >> Switch Management >> Backup
Configuration
Chapter 16. Platform Dependent Features
Feature Description:
1. Edgecore HA feature is a software determined feature which can be Enabled or
Disabled.
Software determined Ethernet role:
When enabled, the LAN1 port becomes the dedicated HA port.
When disabled, LAN1 retains its normal function as a LAN port.
2. The Web UI has a configuration item to designate this AC as either “Active” or
“Standby” when HA feature is enabled.
3. All HA configurations are applied manually. This includes the AC role as Active or
Standby as well as restoring the HA pair after an AC goes down.
A Standby-AC-is-DOWN email is sent from the Active AC(s) when HA is enabled and
no Standby AC is detected.
9. HA feature can only be enabled for up to 3 ACs of the same brand and same FW
version and build number.
The WiFi Monitor is designed to help administrators decide where APs should be
placed and whether the number of APs satisfies the throughput requirement
during initial installation. First, a map or floor plan in .jpg format is required, with
partitions drawn in .xml or .osm format.
Managed AP Simulation is used for monitoring Access Points based on location.
The APs on the Managed AP Simulation floor plan are real managed Access Points
on the Controller (either by Local AP Management or Wide AP Management).
Access Points here are linked to APs managed by the EWS Controller, and we can
see real AP information such as the IP address, MAC address, and Associated Client
number. This allows the administrator to easily visualize the wireless network with
respect to the APs’ location.
Once these managed APs are created, simply drag and drop them onto the
floor plan. Signal strength is shown in blue for 2.4GHz and red for 5GHz
(hence purple where the two bands overlap).
The Signal Strength and Coverage of the managed APs depend on factors
such as the AP model, transmit power, AP height, etc.
16.2.2. Simulation AP
WiFi Monitor can simulate Edgecore APs, placing them on the floor plan and
checking the corresponding configuration for optimization. The Signal
Strength and Coverage of the simulated APs likewise depend on factors such as the
AP model, transmit power, AP height, etc.
With the floor plan and partitions in place, simulation APs can now be added to the
floor plan for simulation as shown below.
Click “Simulate 2.4G” or “Simulate 5G” to see if the deployed APs are adequate for
your requirement.
Configurations can then be saved conveniently to a template to be used for AP
Management.
In an area with operating APs, administrators may view AP statuses from the
created floorplan.
The AP status shows Online, Offline or Disabled. Administrators may also obtain
CPU Idle and Memory Usage when APs are managed by Wide area AP Management.
AP statistics, such as AP density and AP average traffic, are also supported
when APs are managed using Wide area AP Management.
Appendix A. EWS Models & Installation
Model | EWS100 | EWS101 | EWS5203 | EWS5204 | EWS5207
WAN | (1 or 2)* 1 x GbE | 1 x GbE | 2 x GbE or 2 x 1G SFP | 2 x GbE, 2 x 1G SFP | 2 x GbE, 2 x 10Gb SFP+
LAN | (4 or 3)* 1 x GbE | 4 x GbE | 8 x GbE | 6 x GbE, 2 x 1G SFP | 6 x GbE, 2 x 10Gb SFP+
Local Accounts | 2000 | 2000 | 10000 | 30000 | 50000
On-Demand Accounts | 2000 | 2000 | 10000 | 30000 | 50000
Managed AP Capacity (Local & Wide Combined) | 10 | 50 | 300 | 1000 | 3000
Maximum Concurrent Users | 100 | 200 | 3000 | 10000 | 30000
Manageable AP Models (all models) | OAP100, EAP100, ECW100, ECW5210-L, ECW5211-L, ECW5410-L, ECWO5210-L, ECWO5211-L, ECWO5212-L, ECWO5213-L
Monitored AP | 100 | 100 | 250 | 500 | 500
Hardware Overview
EWS100 Hardware
1 Buttons: Reset: Press and hold the Reset button for over 3 seconds and the Status LED
  on the front panel will start to blink; release the button at this stage to restart
  the system. Press and hold the Reset button for more than 10 seconds and the Status
  LED on the front panel will turn from blinking to off; release at this stage to reset
  the system to the default configuration.
  Power: This button is the main on/off power switch of the system.
2 LED Displays: Power: The Power LED lights up constant green when the power supply is on.
  Status: Blinking indicates that the system OS is booting up. When the system is ready
  for operation, the LED is lit constantly.
3 WAN1 (optional WAN2): WAN port (10/100/1000 Base-T RJ45) for uplink connections to the
  external network, such as the ADSL Router from your ISP (Internet Service Provider).
  Configurable WAN2 option.
4 LAN1~LAN4: Client machines or a switch connect to the EWS Controller via the LAN ports
  (10/100/1000 Base-T RJ45).
5 USB: Function reserved for future use.
EWS101 Hardware
1 Reset/Restart Button: Press and hold the Reset button for over 3 seconds and the Status
  LED on the front panel will start to blink; release the button at this stage to restart
  the system. Press and hold the Reset button for more than 10 seconds and the Status LED
  on the front panel will turn from blinking to off; release at this stage to reset the
  system to the default configuration.
2 Console: The system can be configured via a serial console port. The administrator can
  use a terminal emulation program such as Microsoft’s Hyper Terminal to log in to the
  configuration console interface to change the admin password or monitor system status,
  etc.
3 LAN1~LAN4: Client machines or a switch connect to the EWS Controller via the LAN ports
  (10/100/1000 Base-T RJ45).
4 WAN1: WAN port (10/100/1000 Base-T RJ45) for uplink connections to the external
  network, such as the ADSL Router from your ISP (Internet Service Provider).
5 USB: Function reserved for future use.
6 LED Displays: Power: The Power LED lights up constant green when the power supply is on.
  Status: Blinking indicates that the system OS is booting up. When the system is ready
  for operation, the LED is lit constantly.
EWS5203 Hardware
1 Reset/Restart Button: Press and hold the Reset button for about 5 seconds and the Status
  LED on the front panel will start to blink before the system restarts. Press and hold
  the Reset button for more than 10 seconds and the Status LED on the front panel will
  blink faster before the system resets to the default configuration.
2 USB: Reserved for future use.
3 WAN1/WAN2 (SFP): Two combo WAN ports (SFP) for uplink connections to the external
  network, such as the ADSL Router from your ISP (Internet Service Provider).
4 WAN1/WAN2 (RJ45): Two Gigabit WAN ports (10/100/1000 Base-T RJ45) for uplink
  connections to the external network, such as the ADSL Router from your ISP (Internet
  Service Provider).
5 Console: The system can be configured via a serial console port. The administrator can
  use a terminal emulation program such as Microsoft’s Hyper Terminal to log in to the
  configuration console interface to change the admin password or monitor system status,
  etc.
6 LED Indicators: Power: The Power LED lights up constant green when the power supply is on.
  Status: Blinking indicates that the system OS is booting up. When the system is ready
  for operation, the LED is lit constantly.
7 LAN1~LAN8: Eight Gigabit LAN ports for servicing LAN traffic (10/100/1000 Base-T RJ45).
EWS5204 Hardware
1 LCD Display: Allows the network administrator to check important system settings such as
  network interface, SZ configurations, etc. The navigation buttons from left to right are
  “Esc”, “Up”, “Down”, and “Enter”.
2 LED Indicators: There are two LED indicators, Power and HDD (Hard Disk), to indicate the
  status of the system.
3 Restart Button: Press and hold the restart button for about 5 seconds and the system will
  restart.
4 Console: The system can be configured via a serial console port. The administrator can
  use a terminal emulation program such as Microsoft’s Hyper Terminal to log in to the
  configuration console interface to change the admin password or monitor system status,
  etc.
5 USB: Reserved for future use.
6 WAN1/WAN2 (RJ45): Two WAN ports (10/100/1000 Base-T RJ45) are connected to the
  external network, such as the ADSL Router from your ISP (Internet Service Provider).
7 LAN1~LAN6 (RJ45): Client machines connect to the EWS Controller via these LAN ports
  (10/100/1000 Base-T RJ45).
8 WAN1/WAN2 (SFP): Two combo WAN ports (SFP) are connected to the external network, such
  as the ADSL Router from your ISP (Internet Service Provider).
9 LAN1/LAN2 (SFP): Client machines connect to the EWS Controller via these LAN ports (SFP).
EWS5207 Hardware
1 LED Indicators: ERR (Power Error): Off if the PSU status is normal; orange light on if
  either one of the power supplies fails.
  STBY (System Standby): Orange light always on if the system is ready.
  HDD (Hard Disk): Off if no data is transferring; green light blinking if HDD read/write
  is taking place.
  PWR (Power): Green light on when powered on.
2 LCD Display: Allows the network administrator to check important system settings such
  as network interface, SZ configurations, etc. The navigation buttons from left to right
  are “Esc”, “Up”, “Down”, and “Enter”.
3 Console: The system can be configured via a serial console port. The administrator can
  use a terminal emulation program such as Microsoft’s Hyper Terminal to log in to the
  configuration console interface to change the admin password or monitor system status,
  etc.
4 USB: Reserved for future use.
5 MGMT Ports: For the administrator to manage the EWS controller.
6 Restart Button: Press and hold the restart button for about 5 seconds and the system
  will restart.
7 WAN1/WAN2 (SFP+): Two WAN ports (10G SFP+) are connected to the external network, such
  as the ADSL Router from your ISP (Internet Service Provider).
8 LAN7/LAN8 (SFP+): Client machines connect to the EWS Controller via these LAN ports
  (10G SFP+).
9 WAN1/WAN2 (RJ45): Two WAN ports (10/100/1000 Base-T RJ45) are connected to the
  external network, such as the ADSL Router from your ISP (Internet Service Provider).
10 LAN1~LAN6 (RJ45): Client machines connect to the EWS Controller via these LAN ports
  (10/100/1000 Base-T RJ45).
Installation Instruction
Preparations
1. Unpack the EWS Controller and go through the package checklist.
2. Review the front panel and back panel and identify each control and network
interface that is described in the Hardware & Specification section.
3. Prepare Ethernet cables with RJ-45 connectors.
4. Prepare a PC with Web browser for accessing the Web Management Interface.
5. Identify an upstream device for EWS Controller to connect to your network, such
as ADSL, CABLE modem or other edge devices. Collect the DNS server address
provided by your ISP.
Installation
1) Connect the power adaptor or power cord to the power socket on the rear panel.
The Power LED should be on to indicate a proper connection.
2) Connect an Ethernet cable to the WAN1 Port on the front panel. Connect the
other end of the Ethernet cable to an xDSL/cable modem, or a switch/hub of an
internal network. The LED of this port should be on to indicate a proper
connection.
3) Connect an Ethernet cable to a LAN Port on the front panel. Connect the other
end of the Ethernet cable to an administrator PC for configuring the system. A
switch can be used to connect multiple devices to the LAN port of the Controller.
NOTE
1. It is highly recommended to use all the supplies in the package instead of
substituting any components by other suppliers to guarantee best performance.
Appendix B. External Pages
When a user connects to this Service Zone, opens a web browser and attempts to
access the internet, the system redirects the user to the configured external login
page. While redirecting users to the external web page, the Gateway also sends the
URL parameters required for the operation, for instance user authentication.
Therefore, each self-defined external page (Login, Logout, Login Success, Logout
Success, etc.) requires code to handle URL parameters to and from the Gateway.
A simple example is illustrated below for the Login Page. Please refer to External
Login Page Parameters for the URL parameters relating to other pages such as the Login
Success Page, etc.
It is therefore important that your external pages are designed by someone with
good knowledge of URL parameter handling.
The diagram below explains how External Page operates using user login/logout
flow as illustration:
Login:
Logout:
The URL parameters sent by the Gateway to the external login page are as follows:
Field | Value | Description
ipv6_addr | IPv6 format | Client IPv6 address
umac | MAC format (separated by ':') | Client MAC address
session | String | Encrypted session information, includes: client IP address, MAC address, date, and return URL.
You will need to parse the required parameters in your HTML code. The following
HTML code segment is an example of parsing the loginurl parameter with a self-defined
JavaScript function:
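The code segment itself is not reproduced on this page, so the following is an added example (not Edgecore's own code) of the same idea in JavaScript: it parses the gateway parameters named in this appendix (loginurl, umac, client_ip, vlanid, sz, session) from the redirect URL, checks that loginurl really points at the gateway before any credentials are posted to it, and assembles the myusername/mypassword/session fields that userlogin.shtml expects. The gateway hosts in GATEWAY_HOSTS, the sample redirect URL and the element ids login/user/pass are assumptions made for illustration.

```javascript
// Added example (not from the Edgecore manual): handle the URL parameters the
// gateway appends when it redirects a client to the external login page.
// Parameter names come from Appendix B; the gateway hosts and the sample
// redirect URL below are constructed for illustration.

// Hosts the external page is allowed to post credentials to: the controller's
// LAN IP address or Internal Domain Name (assumed values).
const GATEWAY_HOSTS = ['192.168.1.254', 'gateway.example.internal'];

// Constructed sample of the URL the client arrives with after the redirect.
const SAMPLE_REDIRECT =
  'http://portal.example.com/login.html' +
  '?loginurl=http%3A%2F%2F192.168.1.254%2Floginpages%2Fuserlogin.shtml' +
  '&umac=00%3A11%3A22%3A33%3A44%3A55&client_ip=192.168.1.100' +
  '&vlanid=10&sz=1&session=c2FtcGxlLXNlc3Npb24';

// Parse the query string into an object, validating the fields whose format
// the appendix specifies (vlanid 1~4094, umac colon-separated MAC).
function parseGatewayParams(href) {
  const qIndex = href.indexOf('?');
  const params = new URLSearchParams(qIndex < 0 ? '' : href.slice(qIndex + 1));
  const out = {};
  for (const [key, value] of params) out[key] = value;
  if (!out.loginurl) throw new Error('missing gateway parameter: loginurl');
  if (out.vlanid !== undefined) {
    const vlan = Number(out.vlanid);
    if (!Number.isInteger(vlan) || vlan < 1 || vlan > 4094) {
      throw new RangeError('vlanid must be an integer from 1 to 4094');
    }
    out.vlanid = vlan;
  }
  if (out.umac !== undefined && !/^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i.test(out.umac)) {
    throw new Error('umac is not a colon-separated MAC address');
  }
  return out;
}

// loginurl arrives in the query string, so a crafted link to the external
// page could point it anywhere. Only accept http(s) URLs whose host is one
// of the known gateway hosts before posting credentials to it.
function validateLoginUrl(loginurl, allowedHosts = GATEWAY_HOSTS) {
  const url = new URL(loginurl);
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('loginurl must be http or https');
  }
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error('loginurl host is not the gateway: ' + url.hostname);
  }
  return url.href;
}

// Assemble the submission for userlogin.shtml ("User Login" in this appendix):
// myusername and mypassword are required, session is optional.
function buildLoginForm(params, username, password) {
  const fields = { myusername: username, mypassword: password };
  if (params.session) fields.session = params.session;
  return { action: validateLoginUrl(params.loginurl), method: 'POST', fields };
}

// Browser-only helper: render a hidden form and submit it. `doc` is the
// page's document; nothing here runs when the module is loaded under Node.
function submitLoginForm(spec, doc) {
  const form = doc.createElement('form');
  form.method = spec.method;
  form.action = spec.action;
  for (const [name, value] of Object.entries(spec.fields)) {
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
}

if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  // In the browser: read the gateway parameters from the current URL and
  // post the credentials when the visible form (assumed ids) is submitted.
  const params = parseGatewayParams(location.href);
  document.getElementById('login').addEventListener('submit', (event) => {
    event.preventDefault();
    const user = document.getElementById('user').value;
    const pass = document.getElementById('pass').value;
    submitLoginForm(buildLoginForm(params, user, pass), document);
  });
}
```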
An external page example that the user will see upon launching a browser is
shown, and you can see the URL parameters sent from the system highlighted in
red:
External Page Design Variables
This section lists all the URL parameters that are sent from the Gateway to the
various external pages. It is essential to use the correct variable for your
self-designed user page to function properly.
Field | Value | Description
umac | MAC format (separated by ':') | Client MAC address
sessionlength | Integer (Sec.) | RADIUS user session length (Only available for RADIUS user)
byteamount | Integer (Bytes) | RADIUS user volume limit (Only available for RADIUS user)
idletimeout | Integer (Sec.) | Idle timeout
acct-interim-interval | Integer (Sec.) | RADIUS accounting interim update interval (Only available for RADIUS user)
logouturl | String (URL encoded) | The URL to be submitted when a user wants to log out.
change_passwd_url | String (URL encoded) | The URL to be submitted when a user wants to change password. (Only available for LOCAL users)
ondemand_creation_url | String (URL encoded) | The URL to be submitted when a user wants to create an On-Demand user. (Only available for LOCAL users)
vlanid | Integer (1~4094) | VLAN ID
gwip | IP format | Gateway activated WAN IP address
client_ip | IP format | Client IP address
ipv6_addr | IPv6 format | Client IPv6 address
sz | Integer | Service Zone ID
group | Integer | Group index
policy | Integer | Policy index
available_plan | billing plan:usage, billing plan: usage, | For local user to create on-demand user
max_uplink | Integer (b/s) | Maximum up-link rate
max_downlink | Integer (b/s) | Maximum down-link rate
req_uplink | Integer (b/s) | Minimum up-link rate
req_downlink | Integer (b/s) | Minimum down-link rate
next_page | String | Leads client to URL
CLASS | String | RADIUS CLASS attribute (Only available for RADIUS user)
WISPR-REDIRECTION-URL | String | Leads client to URL
WISPR-SESSION-TERMINATE-TIME | String, format: YYYY-MM-DDThh:mm:ssTZD | WISPr Session-Terminate-Time attribute (Only available for RADIUS user)
WISPR-SESSION-TERMINATE-END-OF-DAY | Integer (0/1) | WISPr Session-Terminate-End-Of-Day attribute, 0 or 1 to indicate termination rule. (Only available for RADIUS user)
WISPR-BILLING-CLASS-OF-SERVICE | String | WISPr Billing-Class-Of-Service attribute (Only available for RADIUS user)
WISPR-LOCATION-ID | String | WISPr Location-ID attribute (Only available for RADIUS user)
WISPR-LOCATION-NAME | String | WISPr Location-Name attribute (Only available for RADIUS user)
WISPR-BILLING-TIME | String, format: HH:MM | WISPr Billing-Time attribute (Only available for RADIUS user)
split_tunnel | Integer (0/1) | 1 if the client is from split tunnel; 0 otherwise.
nat_ip | IP format | The internal IP address for identifying the client from split tunnel.
custom | String | Customization parameter
3. External Error Page
Variables:
Field | Value | Description
msg | String, includes: | Error message
  Invalid username or password.<BR>Please check your username and password and try again.
  Sorry, the external authentication server is currently unreachable. <BR>Please contact your network administrator.
Field | Value | Description
logouturl | String (URL encoded) | Logout URL
redeemurl | String (URL encoded) | Redeem URL
Vlanid | Integer (1~4094) | VLAN ID
gwip | IP format | Gateway activated WAN IP address
client_ip | IP format | Client IP address
ipv6_addr | IPv6 format | Client IPv6 address
sz | Integer | Service Zone ID
group | Integer | Group index
policy | Integer | Policy index
next_page | String | Leads client to URL
max_uplink | Integer (b/s) | Maximum up-link rate
max_downlink | Integer (b/s) | Maximum down-link rate
req_uplink | Integer (b/s) | Minimum up-link rate
req_downlink | Integer (b/s) | Minimum down-link rate
nat_ip | IP format | The internal IP address for identifying the client from split tunnel.
1. User Login
Path:
(LAN IP address or Internal Domain Name)/loginpages/userlogin.shtml
Input:
Field | Required | Value | Description
myusername | Required | String | User ID (alternative variables: username, user, account)
mypassword | Required | String | User password (alternative variables: passwd, password, pass)
session | Optional | String | Encoded string which contains some information of this session; default is taken from cookie.
Output:
No output; the user is returned to the login successful page.
2. User Logout
Path:
(LAN IP address or Internal Domain Name)/loginpages/logoff.shtml
Input:
Field | Required | Value | Description
uid | Optional | String | User ID; default is taken from cookie
Output:
No output; the user is returned to the logout successful page.
Input:
Field | Required | Value | Description
myusername | Required | String | User name (alternative variables: username, user, account)
mypassword | Required | String | Password (alternative variables: passwd, password, pass)
ret_url | Optional | String (URL encoded) | Returned URL; default is pop_reminder.shtml
command | Optional | String | getValue: If command is set to “getValue”, the return URL is ignored, and the page only prints out the available quota.
Output:
If command is set to “getValue”, the output is simply a “value” (secs. or bytes
according to user type).
If command is not set and no ret_url is presented, the client is led to the
pop_reminder.shtml page, which shows the remaining quota in our UI style. If
ret_url is presented, the client is returned to ret_url, and the gateway adds
these four variables to the URL.
Field | Value | Description
msg | String, including: | Result and error messages
  Remaining Quota: XXX byte(s)
4. Change Password
Path:
(LAN IP address or Internal Domain Name)/loginpages/user_change_password.shtml
Input:
Field | Required | Value | Description
save | Required | 1 | (has to be 1)
opw | Required | String | Old password
npw | Required | String | New password
npwc | Required | String | Confirmed new password
ret_url | Required | String (URL encoded) | Return URL
Output:
The client returns to ret_url and the gateway adds result to ret_url, which
indicates the result of changing the password.
Field | Value | Description
result | String, including: | Result and error messages
  Change password successfully
5. Redeem (On-Demand user)
Path:
(LAN IP address or Internal Domain Name)/loginpages/redeemuserlogin.shtml
Input:
Field | Required | Value | Description
username | Optional | String | Current user ID (if not presented, the user name stored in the cookie is the default value)
upassword | Optional | String | Current user password (if not presented, the password stored in the cookie is the default value)
myusername | Required | String | Redeem user ID
mypassword | Required | String | Redeem user password
ret_url | Optional | String (URL encoded) | Return URL; the login successful page is the default value
Output:
If no ret_url is presented, the client is led to the login successful page and, in
addition, a JavaScript window pops up and shows the result. If ret_url is
presented, the client is returned to ret_url and the gateway adds an additional
variable rmsg to indicate the result of the redeem procedure.
Field | Value | Description
rmsg | String, including: | Result and error messages
  Redeem process completed.
  Maximum allowable memory space has exceeded.
Appendix C. Useful Management & Evaluation
Tools
Here are the top six open source IT management products that do a solid job of
replacing the big suites from HP, IBM, CA and BMC. Each offers low-cost professional
services and free software downloads. They differ primarily in the features they
offer and in the operating systems they support.
HYPERIC HQ ENTERPRISE
Aimed at the datacenter, Hyperic’s software is built to manage and monitor all layers of Web
infrastructures, including hardware, middleware, virtualization and Web and open applications. It
also offers trending and analysis. It supports Apache, JBoss, Linux and more.
OPENNMS
This Java-based network management tool focuses on service polling, data collection and event and
notification management. It currently supports a variety of open operating systems, including Linux,
Mandrake and Solaris, as well as Mac OS X; Windows support is planned for OpenNMS 2.0.
OPENQRM
Also targeting datacenter management, OpenQRM can manage thousands of Linux and Windows
servers as well as track your datacenter’s usage and utilization. It also does automatic, policy-based
provisioning. It, too, integrates Nagios for monitoring.
ZENOSS CORE
Written mostly in Python, this management platform offers events management and availability and
performance monitoring of servers, network devices, OSes and applications. Zenoss runs on Linux,
FreeBSD and Mac OS X; it will run on Windows with a VMplayer and the Zenoss Virtual Appliance.
Evaluation Tools
Wireshark (for packet capturing and debug analysis)
Wireshark is the world's foremost network protocol analyzer. It lets you capture
and interactively browse the traffic running on a computer network. It is the de
facto (and often de jure) standard across many industries and educational
institutions.
http://www.wireshark.org/
http://www.metageek.net/products/inssider/
Appendix D. On-Demand Account Types
Usage-time
Users can access the internet as long as the account is valid with remaining quota,
and need to activate the purchased account within a given time period by logging
in.
Volume
Users can access the internet as long as the account is valid with remaining quota,
and need to activate the purchased account within a given time period by
logging in.
The account expires when the Valid Period is used up or the quota is depleted.
Hotel Cut-off Time
The operator can set the clock time at which the account will expire.
The account activates automatically when it is created.
Unit is the number of days after which the “Cut-off” executes. For example: Unit = 2 days,
Cut-off Time = 10:00; the account will then expire at 10:00AM two days after
creation.
The account is disabled once the Cut-off Time has been reached unless it has
been granted a Grace Period.
Primarily used in hotel venues to provide internet service according to guests’
stay time.
Duration Time
Users can access the internet while the account is within its valid time interval. The
countdown begins once the account activates, and the account expires when the
Expiration Time is reached.
NOTE
1. Since there are only 10 billing plans, if you wish to create accounts of the same type but
with various quotas, this may be achieved via the Unit field.
The network operator can multiply the quota by an integer ranging from 1 to 9 in the Unit field.
Please note that only the Usage-time, Volume, and Duration-Elapsed time account types support
multiple-unit quota generation for a single account.
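As an added example (not Edgecore's own code) of the account rules described in this appendix, the following JavaScript works through the Unit multiplier, the Hotel Cut-off expiry (Unit = 2 days, Cut-off Time = 10:00 gives 10:00 two days after creation, with an optional Grace Period), Duration Time expiry, and the activation-window rule for Usage-time and Volume accounts. The function names, the activation window and valid period fields, and the sample dates are assumptions; all arithmetic is done in UTC.

```javascript
// Added example (not from the Edgecore manual): expiry and quota arithmetic
// for the On-Demand account types in this appendix. The type names, the Unit
// range 1..9 and the Hotel Cut-off rule are taken from the page; function
// names, the account fields and the sample dates are constructed.

// Only these types multiply the billing plan quota by the Unit field.
const UNIT_CAPABLE_TYPES = new Set(['Usage-time', 'Volume', 'Duration']);

// Quota for one account from a billing plan's base quota and the Unit field.
// baseQuota is seconds (Usage-time, Duration) or bytes (Volume).
function unitQuota(type, baseQuota, unit) {
  if (!Number.isInteger(unit) || unit < 1 || unit > 9) {
    throw new RangeError('Unit must be an integer from 1 to 9');
  }
  if (!UNIT_CAPABLE_TYPES.has(type)) {
    throw new TypeError(type + ' does not support multi-unit quota');
  }
  return baseQuota * unit;
}

// Parse an "HH:MM" clock time into [hours, minutes].
function parseClockTime(text) {
  const m = /^(\d{2}):(\d{2})$/.exec(text);
  if (!m) throw new Error('clock time must be HH:MM');
  const hours = Number(m[1]);
  const minutes = Number(m[2]);
  if (hours > 23 || minutes > 59) throw new RangeError('invalid clock time');
  return [hours, minutes];
}

// Hotel Cut-off Time: the account activates at creation and expires at
// cutoffTime on the day `unitDays` days after creation. Date.UTC rolls the
// day-of-month overflow into the next month for us.
function hotelCutoffExpiry(createdAt, unitDays, cutoffTime) {
  const [hours, minutes] = parseClockTime(cutoffTime);
  if (!Number.isInteger(unitDays) || unitDays < 1) {
    throw new RangeError('Unit must be a positive number of days');
  }
  return new Date(Date.UTC(
    createdAt.getUTCFullYear(), createdAt.getUTCMonth(),
    createdAt.getUTCDate() + unitDays, hours, minutes, 0));
}

// A Hotel Cut-off account is disabled once the cut-off time is reached,
// unless a Grace Period (minutes) extends it.
function hotelCutoffUsable(createdAt, unitDays, cutoffTime, now, graceMinutes = 0) {
  const expiry = hotelCutoffExpiry(createdAt, unitDays, cutoffTime).getTime();
  return now.getTime() < expiry + graceMinutes * 60 * 1000;
}

// Duration Time: the countdown starts at activation and the account expires
// when the Expiration Time (durationSeconds later) is reached.
function durationExpiry(activatedAt, durationSeconds) {
  return new Date(activatedAt.getTime() + durationSeconds * 1000);
}

// Usage-time and Volume accounts must be activated (first login) within an
// activation window after creation (assumed field activationWindowDays);
// once active they remain usable while the Valid Period has not been used up
// and quota remains. Returns true while the account can still be used or
// activated at `now`.
function quotaAccountUsable(account, now) {
  const DAY_MS = 86400000;
  const { createdAt, activationWindowDays, activatedAt, validPeriodDays,
          remainingQuota } = account;
  if (!activatedAt) {
    return now.getTime() <= createdAt.getTime() + activationWindowDays * DAY_MS;
  }
  const validUntil = activatedAt.getTime() + validPeriodDays * DAY_MS;
  return remainingQuota > 0 && now.getTime() < validUntil;
}
```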
Appendix E. UI Reference Index
I. Dashboard
This page displays important system related information that the administrator might need to be aware of at a
glance, which includes General System settings, Network Interface and Online Users etc. A drop-down menu is
available for selecting the information refresh rate for this page.
The “Download” button on the top-right corner is a tool that provides system status snapshot. The information can
be used for maintenance or troubleshooting purpose.
In addition, the administrator can choose which items to show on the Dashboard by editing “Display Mode”,
so the Dashboard can be customized to show only the necessary information.
II. Setup Wizard
This wizard provides express setup procedures. Follow the instructions given at each step to change the
system admin password, select the time zone, configure the WAN1 interface, and create local user accounts. Upon
completing the setup procedures, the system has to be restarted for the settings to take effect. The system is
ready for operation after restart with minimal configuration.
A. System
System: This section relates to system configuration. It includes General Information, WAN Configurations, LAN
Ports, Service Zones, etc.
1) General
System Name: This is a mnemonic name you can give to the controller. Once configured, it will
show in the web browser’s frame.
Contact Information: This is the email, cell phone, or other means of contact which will be
displayed on the client’s web browser in the event of internet disconnection.
HTTPS Certificate: Your own network certificate may be selected here as site safety
verification. Certificate can be uploaded and managed at “Utilities > Certificates > System
Certificate”.
User HTTPS Login: Presents the option to let end users authenticate over HTTPS for
encrypted content transfer. The ‘Secure’ option supports only “High” encryption cipher suites.
HTTPS Automatic Redirect: provides an option for allowing or denying HTTPS requests when
a user first connects to the network. When enabled, HTTPS traffic is redirected but may
prompt a certificate security warning. When disabled, all HTTPS traffic is denied and
times out; this effectively prevents any security warnings being shown on the
user’s devices. When HTTPS requests time out, some browsers automatically request
an HTTP webpage to redirect to a Captive Portal.
- Enable HTTPS Automatic Redirect: users browsing with HTTPS may be shown a
certificate security alert before they reach the Captive Portal.
- Block HTTPS Automatic Redirect: users browsing with HTTPS will time out,
meaning their webpage appears blank since they never reach their destination.
- Bypass non-HTTP Traffic Prior to Sign-In: all HTTPS websites are allowed for browsing
even though the user has not accepted the disclaimer page or completed the sign-in
process on the Captive Portal.
Internal Domain Name: A fully qualified domain name (FQDN) of the system. Ideal for
accessing the Controller instead of remembering the IP address of the LAN interfaces. When the
administrator enters a desired domain name in the Internal Domain Name field, that
Internal Domain Name is shown in the URL of the Login Success page instead of a LAN IP
address. In addition, when HTTPS is enabled, entering the domain name of the uploaded certificate
increases login speed and changes the URL in the User Login page. For Social
Media Login, this Internal Domain Name helps redirect clients that have logged in successfully
back to the Login Success page.
Portal URL Exceptions (User Agent): Users are directed to the desired landing page after their
initial login, except when their browser’s user agent is listed here.
User Log Access IP Address: Once configured, user logs can only be accessed via the
entered IP.
UAM Filter: The Universal Access Method (UAM) Filter drops non-browser HTTP requests from
user agents before authentication to prevent system overloading from excessive traffic.
Management IP Address List: This configuration button allows the network administrator to
enter a selection of reserved IP addresses/ range that are authorized to see the Web
Management Interface. The remote console interface is disabled by default.
SNMP: Presents an option to enable or disable system info retrieval via the SNMP protocol.
Administrators can choose to assign a specific port to transmit SNMP trap messages. Detailed
thresholds such as CPU Usage, Memory Usage, DHCP Scope, and Heart Beat Period may be
configured.
Suspend Warning Message: A field for the administrator to enter the message shown to users when a
Service Zone’s service is temporarily suspended.
Time: This section presents a manual system time configuration option or automatic time
synchronization by specifying external NTP servers.
- Current Time: The current system time, as set by the configuration below.
- Time Zone: a dropdown list to select the local time zone the system is in.
- Time Update (NTP): The system completes automatic time synchronization by querying the
specified external NTP servers in the order of NTP Server 1 to 5. The checkbox Use this controller
as an NTP server is checked by default so as to synchronize the time of managed APs.
- Time Update (Manually Set Up): The system time is configured manually.
Management Service: Options to enable or disable the remote console management interfaces.
- SSH Service: The encrypted remote console interface on port 22. For security purposes,
it is recommended to disable SSH Service to prevent malicious users from accessing the
system. However, if remote troubleshooting by the Edgecore Support team is required,
please enable it in advance.
- Telnet Service: The non-encrypted remote console interface on port 23. For security
purposes, Telnet Service is disabled by default to prevent malicious users from accessing
the system.
Management Service Zone List: Given the enabled Service Zone(s), configured in
“System > Service Zone, chapter 2.4”, administrators can mark a zone Active so that devices
matching its IP address range can access the WMI of the system.
Management IP Address List: For remote access, the IP address/segment from which
administrators may access the WMI of the system can be customized. Please confirm the entries
are Active in the table by ticking their checkboxes. For example, entering "192.168.3.1" and
"192.168.1.0/24" means that only the device at 192.168.3.1 and devices in the range
192.168.1.0 to 192.168.1.255 are able to reach the web management interface. To specify a
single IP address, it is not necessary to type the segment (type 192.168.5.44 instead of
192.168.5.44/32).
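As an added example (not Edgecore's own code) of how the Management IP Address List described here and under General above is evaluated, the following JavaScript parses entries of the form "192.168.3.1" and "192.168.1.0/24", treats a bare address as a single host, honours the Active checkbox, and decides whether a given client address may reach the web management interface. The sample list and the client addresses are constructed; the function names are assumptions.

```javascript
// Added example (not from the Edgecore manual): evaluate a Management IP
// Address List the way the page describes it. Entries are either a single
// IPv4 address or an address/prefix segment, each with an Active checkbox; a
// bare address admits that one host only (no /32 needed). The sample list
// and the client addresses used with it are constructed.

// Constructed sample list, mirroring the example in the text.
const SAMPLE_MGMT_LIST = [
  { entry: '192.168.3.1', active: true },
  { entry: '192.168.1.0/24', active: true },
  { entry: '10.0.0.0/8', active: false },   // present but not ticked Active
];

// Convert dotted-quad IPv4 text into an unsigned 32-bit integer.
function ipv4ToInt(text) {
  const parts = text.split('.');
  if (parts.length !== 4) throw new Error('not an IPv4 address: ' + text);
  return parts.reduce((acc, part) => {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) {
      throw new Error('not an IPv4 address: ' + text);
    }
    return acc * 256 + Number(part);
  }, 0);
}

// Parse "a.b.c.d" or "a.b.c.d/n" into a network base and mask. A bare
// address is treated as a /32, which is what the page says to type.
function parseMgmtEntry(entry) {
  const [addr, prefixText] = entry.split('/');
  const prefix = prefixText === undefined ? 32 : Number(prefixText);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new RangeError('prefix length must be 0-32: ' + entry);
  }
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { base: (ipv4ToInt(addr) & mask) >>> 0, mask };
}

// True when `clientIp` falls inside at least one Active entry; inactive
// entries are ignored exactly as an unticked checkbox would be.
function isManagementAllowed(clientIp, list = SAMPLE_MGMT_LIST) {
  const ip = ipv4ToInt(clientIp);
  return list.some(({ entry, active }) => {
    if (!active) return false;
    const { base, mask } = parseMgmtEntry(entry);
    return ((ip & mask) >>> 0) === base;
  });
}

// Summarise the list for review: how many hosts each Active entry admits,
// which makes an overly broad segment easy to spot.
function describeMgmtList(list = SAMPLE_MGMT_LIST) {
  return list.filter((e) => e.active).map(({ entry }) => {
    const { mask } = parseMgmtEntry(entry);
    return { entry, hosts: 2 ** 32 - mask };
  });
}
```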
2) WAN
Physical Mode: A drop-down list allows administrators to choose the speed and duplex of the
WAN connection. When Auto-Negotiation is ON, the system chooses the highest performance
transmission mode (speed/duplex/flow control) that both the system and the device connected to
the interface support.
Static: Manually specifying the IP address of the WAN port.
Dynamic: Only applicable for a network environment where a DHCP server is available in
the upstream network. Use the Renew button to obtain an IP address automatically.
PPPoE: For a PPPoE dialup connection provided by your ISP; the ISP will issue you an
account with a password to complete the configuration.
PPTP: Some ISPs (in European countries) may provide the PPTP protocol for dialup connection.
The issued PPTP account and password for the PPTP server are required.
Transmission Option: (EWS5204, EWS5207 only) Edgecore carrier grade models designed
with SFP fiber ports, which could be configured as:
- Ether Port: Deploy the copper Ethernet WAN port for service.
- Fiber Port: Deploy the SFP fiber port for service.
- Fiber Port and Ether Port: Bridge Fiber port and Ethernet port, physically only connect
one uplink either via SFP port or Ether port.
- Bonding: Deploy both SFP port and copper Ethernet port for service. This option
aggregates the two connections and will result in aggregated higher throughput.
Physical Mode: A drop-down list allows administrators to choose the speed and duplex of the
WAN connection. When Auto-Negotiation is ON, the system chooses the highest performance
transmission mode (speed/duplex/flow control) that both the system and the device connected to
the interface support.
None: Disable the WAN2 interface from providing service.
Static: Manually specifying the IP address of the WAN port.
Dynamic: Only applicable for a network environment where a DHCP server is available in
the upstream network. Use the Renew button to obtain an IP address automatically.
PPPoE: For a PPPoE dialup connection provided by your ISP; the ISP will issue you an
account with a password to complete the configuration.
Transmission Option: (EWS5204, EWS5207 only) Edgecore carrier-grade models are designed
with SFP fiber ports, which can be configured as:
- Ether Port: Use the copper Ethernet WAN port for service.
- Fiber Port: Use the SFP fiber port for service.
- Fiber Port and Ether Port: Bridge the fiber port and the Ethernet port; physically connect
only one uplink, either via the SFP port or the Ether port.
- Bonding: Use both the SFP port and the copper Ethernet port for service. This option
aggregates the two connections for higher combined throughput.
Bandwidth Limitation: Disabled by default. The limit applies to WAN1 and WAN2 combined;
the achievable bandwidth is still bounded by the link speed provided by the ISP.
Function of WAN2: The following functions are available only when WAN2 is enabled.
- Disable: WAN2 acts as another uplink for the system, without Load Balancing or WAN
Failover.
- Load Balancing: Spreads system traffic across the WAN1 and WAN2 ports by a configured
percentage, with the load measured in sessions, bytes, or packets.
- WAN Failover: WAN2 takes over the traffic originally handled by WAN1 if WAN1 goes down.
If the nested option is selected, service returns to WAN1 once its link is up again. This
feature cannot be used concurrently with Load Balancing.
Address for Detecting Internet Connection: Up to three outbound sites can be set as detection
targets for verifying whether the uplink is alive or down. A warning message may be
customized; it is displayed in the user's web browser when all three detection targets fail
to respond.
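As an added example (not the controller's own code), the Python below models the detection and failover rules described above: each WAN has up to three detection targets and counts as down only when all of them fail to respond; WAN2 takes over when WAN1 is down; with the nested failback option, service returns to WAN1 once it is up again. The probe is injected so the logic runs offline; the target addresses are constructed from RFC 5737 documentation ranges, and the behaviour when failback is off and WAN2 later fails is an assumption.

```python
"""Uplink detection with WAN failover and optional failback (added illustration)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Probe = Callable[[str], bool]   # True when the detection target responded


@dataclass
class Wan:
    name: str
    targets: List[str]          # up to three detection targets
    link_up: bool = True        # physical link state

    def is_alive(self, probe: Probe) -> bool:
        """Alive when the link is up and at least one target responds."""
        if not self.link_up:
            return False
        return any(probe(t) for t in self.targets[:3])


@dataclass
class FailoverController:
    wan1: Wan
    wan2: Wan
    failback: bool              # the nested option: return to WAN1 when it recovers
    active: str = "WAN1"
    history: List[str] = field(default_factory=list)

    def evaluate(self, probe: Probe) -> str:
        """One detection cycle; returns the WAN now carrying the traffic."""
        wan1_ok = self.wan1.is_alive(probe)
        wan2_ok = self.wan2.is_alive(probe)
        if self.active == "WAN1" and not wan1_ok and wan2_ok:
            self.active = "WAN2"
        elif self.active == "WAN2" and wan1_ok:
            # Assumption: without failback we stay on WAN2 as long as it works.
            if self.failback or not wan2_ok:
                self.active = "WAN1"
        self.history.append(self.active)
        return self.active


def probe_from_table(reachable: Dict[str, bool]) -> Probe:
    """Build an offline probe from a constructed reachability table."""
    return lambda target: reachable.get(target, False)


def simulate(failback: bool) -> List[str]:
    """Constructed scenario: WAN1 loses its targets, then recovers."""
    wan1 = Wan("WAN1", ["192.0.2.1", "198.51.100.1", "203.0.113.1"])
    wan2 = Wan("WAN2", ["192.0.2.2"])
    fc = FailoverController(wan1, wan2, failback)
    cycles = [
        # two of three targets fail: the uplink still counts as alive
        {"192.0.2.1": True, "198.51.100.1": False, "203.0.113.1": False, "192.0.2.2": True},
        # all three fail: WAN1 is down, WAN2 takes over
        {"192.0.2.1": False, "198.51.100.1": False, "203.0.113.1": False, "192.0.2.2": True},
        # WAN1 recovers: service returns only if failback is enabled
        {"192.0.2.1": True, "198.51.100.1": True, "203.0.113.1": True, "192.0.2.2": True},
    ]
    for table in cycles:
        fc.evaluate(probe_from_table(table))
    return fc.history


if __name__ == "__main__":
    print("failback on: ", simulate(True))    # ['WAN1', 'WAN2', 'WAN1']
    print("failback off:", simulate(False))   # ['WAN1', 'WAN2', 'WAN2']
```

The point worth noticing is the "all three must fail" rule: a single unreachable target (a DNS resolver that drops ICMP, say) does not trigger failover, so pick targets that are independent of each other and of the ISP whose failure you want to detect.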
3) IPv6
4) LAN Ports
A "Service Zone" in the system, by default, contains wired and wireless coverage areas in the
organization. This page provides options for identifying the Service Zone mapping.
LAN Port Mode: Select how physical ports are mapped to Service Zones.
- Port-based: Each physical LAN port can be mapped to an enabled Service Zone or
disabled from providing service. Note that the maximum number of Service Zones that
can actually provide service is determined by the number of LAN ports on the
Controller.
- Tag-based: Service Zones are identified by VLAN ID regardless of which physical LAN
port the traffic arrives on. Tag-based mode therefore maps a client to a Service Zone
dynamically, based on the VLAN ID tagged on its traffic.
Port – Service Zone Mapping: The configuration of the physical LAN port by enabled Service
Zone when Port-based mode is selected.
5) MGMT Port
(Available on EWS5207)
The IP configuration for the management port can be configured in this page.
6) High Availability
(Available on EWS5203, EWS5204, and EWS5207)
Configuration:
Status: This feature can be turned on or off here.
Number of Active(s): Select up to 3 Active controllers for N+1 HA.
Mode: The role of this particular controller must be set manually here.
HA Port IP Address: The IP address configured for the dedicated HA port. Make sure that
the HA port IPs of all controllers are in the same subnet.
HA Port Subnet Mask: The subnet mask for HA communication.
Peer IP Address: Fill in the IP address of the peer Controller’s HA port.
Shared Key: Enter a secret string on both controllers. The Shared Key must be the same on
both for a successful HA connection.
Switch Support: For N+1 HA with N=2 or 3, the Edgecore SW1024 is highly recommended, since
the related LAN ports and VLAN IDs can be modified automatically when an HA failover occurs.
If the administrator wants to assign ports 1, 4 and 2 on the SW1024 to the #1 Active AC with
VLANs 101, 41 and 42 respectively, enter 1,4,2 in "#1 Active Related Port(s)" and 101,41,42
in "#1 Active LAN Port VLAN ID(s)".
Action: This function may be triggered on the primary controller, switching service to the
secondary controller manually. (Available on 1+1 HA only).
Current Status:
Dedicated Port: Currently LAN1 for all Controller models.
Status: Reflects the current status of the HA link.
Link to peer's UI: Quick access to the peer's Web UI. Available only on Active
controllers.
Version: Shows the HA feature revision.
7) Service Zones
The table will list the Service Zones and related settings.
Status: Status of each Service Zone. It is always “ON” for Default Service Zone.
Service Zone Name: The name of service zone.
IP Address: The IP address of the Controller for each Service Zone.
IPv6 Address: The IPv6 address of the Controller for each Service Zone.
VLAN Tag: (Only in Tag-based Mode) The VLAN tag number mapped to each Service Zone.
LAN Port Mapping: (Only in Port-based Mode) The mapping between LAN Ports and Service Zones.
Default Auth. Option: The default authentication server designated for each Service Zone.
Network Alias: Alias subnets for each Service Zone.
DHCP Pool: The DHCP server status or the IP range for DHCP Pools.
Router Mode
NAT Mode
Service Zone Status: Each Service Zone can be enabled or disabled, except for the Default Service Zone.
Service Zone Name: Enter the name of the Service Zone here.
Network Interface:
VLAN Tag (Tag-based Mode Only): The VLAN tag number that is mapped to the Service Zone.
Tag-Based Isolation (Tag-based Mode only): Administrators can choose different isolation options for
each Service Zone.
- Inter-VLAN Isolation: Two clients in the same Service Zone cannot see each other when they enter
from different VLANs or different LAN ports. Note that isolation is enforced only on traffic that
passes through the gateway; when a switch or AP sits in between, Station Isolation has to be enabled
on the AP/switch as well.
- Clients Isolation: All clients on the same Layer 2 network are isolated from one another in this
Service Zone.
- None: No isolation will be applied to clients in this Service Zone.
Port-Based Isolation (Port-based Mode only): Administrators can choose different isolation options for
each Service Zone.
- Inter-Port Isolation: Two clients in the same Service Zone cannot see each other when they enter
from different ports. Note that isolation is enforced only on traffic that passes through the gateway;
when a switch or AP sits in between, Station Isolation has to be enabled on the AP/switch as well.
- Clients Isolation: All clients on the same Layer 2 network are isolated from one another in this
Service Zone.
- Until Auth.: All clients on the same Layer 2 network are isolated from one another in this Service
Zone before authentication.
- None: No isolation will be applied to clients in this Service Zone.
Operation Mode
- NAT: Network Address Translation mode. Private IP addresses of devices on the LAN side of the
controller are translated to a routable IP before traffic is forwarded to the uplink network. The
private addresses are invisible to devices and routers on the WAN side; only the controller
performing the NAT knows the corresponding translation. This mode hides LAN users from external
devices and also relieves the shortage of public IPs.
- Router: A network operating mode without address translation in or out of the Controller. Router
mode is selected when public IPs are used, or where downstream devices require an address that is
routable by upstream routers.
IP Address: The IP Address of this Service Zone.
Subnet Mask: The subnet mask of this Service Zone.
IPv6 Settings: The IPv6 Address and configuration of this Service Zone (only when IPv6 is enabled).
Network Alias List: The administrator may optionally define several alias network segments for a
Service Zone. This allows a single Service Zone to appear as many Service Zones, hides the IP address
of the Service Zone's network interface and, to some degree, provides protection against attacks
from LAN clients. Click the Configure button to enter the Network Alias List page.
Fill in the desired alias IP address and select the preferred Subnet Mask, Operation mode,
check the Enable box and click Apply button to activate the settings.
DHCP: From the drop-down menu, the DHCP server for this particular Service Zone may be Disabled,
Enabled or Relayed.
Note that when "Enable DHCP Relay" is selected, fill in the IP address of the external DHCP server;
client IP addresses are then assigned by that external server. The system only relays DHCP messages
between the external DHCP server and the downstream clients of this Service Zone. A redundant DHCP
server can be configured in DHCP Relay mode. Note that the Controller should be in the same subnet
as the DHCP server.
- Start IP Address / End IP Address: The range of IP addresses the built-in DHCP server assigns to
clients. Note: update the Management IP Address List accordingly (at System Configuration >> System
Information >> Management IP Address List) so that the administrator can still reach the EWS
CONTROLLER admin page after the default IP address of the network interface is changed.
- Preferred DNS Server: The primary DNS server that is used by this Service Zone.
- Alternate DNS Server: The substitute DNS server that is used by this Service Zone.
- Domain Name: Enter the domain name for this service zone.
- WINS Server: The IP address of the WINS (Windows Internet Name Service) server, if one applies to
this Service Zone.
- Lease Time: The period for which IP addresses issued by the DHCP server remain valid.
- Disregard Client Name: When enabled, the system does not record the name of the device requesting
an IP address. When disabled, the system records the device's name when issuing IP addresses; the
device name (Host Name) can be seen under the DHCP Lease tab.
- Reserved IP Address List: A list for reserving certain IPs within the DHCP server range for
specific devices (by MAC address), for example an internal file server. Click the Configure button
to edit the Reserved IP List.
- DHCP Lease Protection: An optional check. When enabled, the Controller checks whether the IP of
an expired lease is still online; if it is, the Controller withholds that IP address until the
user session terminates.
Assigned IP Address for AP Management: The IP segment used to assign addresses to managed APs
when an AP newly discovered by LAPM is added to the Service Zone.
Authentication Settings
The system supports several authentication options, namely Local, On-Demand, Guest, One Time Password,
RADIUS, SIP, LDAP, NT Domain, POP3, and Social Media. All authentication options can be enabled and
applied concurrently. This is covered in more detail in the next section, "Users".
Authentication Options: Administrators can designate configured auth servers for use. Postfix will be
used as auth server identifier when more than one auth server is enabled for service.
Portal URL: A landing page may be configured here. When enabled, the administrator can set the URL
the browser is sent to after the user's initial login.
MAC Authentication: When RADIUS MAC authentication is enabled and the connected device's MAC
address is registered on the configured RADIUS server, the Controller authenticates the device
automatically and grants access immediately if authentication succeeds. Users experience a
transparent login. Because a MAC address is not a secret and can be cloned by any client, treat this
as device identification rather than strong authentication.
PPP Authentication: Point-to-Point Protocol (PPP) is a data link protocol commonly used to establish
a direct connection between two networking nodes. When this feature is enabled, end users may
configure a dial-up connection with a valid username and password (only Local and RADIUS users are
supported). Once the dial-up connection is established, the user is authenticated without a further
UAM login.
Assign IP Address From: The start of the IP range from which PPP assigns addresses to dial-up
virtual interfaces. The assigned interface IP address is used to route between the networks on both
sides of the tunnel.
Page Customization
Each Service Zone can be configured to have unique Login Pages or Message Pages. There are 3 types of
Login Pages: The General Login Page, PLM Open Type Login Page (for Port Location Mapping free access),
and PMS Billing Plan Selection Page. A Service Disclaimer page can be enabled if required. These pages are
fully customizable to give administrators complete flexibility. Message Pages can also be customized and
message pages include: Login Success Pages, Login Success Page for On-Demand Users, Login Fail Page,
Device Logout Page, Logout Success Page, Logout Failed Page, and Online Device List.
There are three customization options to choose from apart from the Edgecore Default Page: Customize with
Template, Upload Your Own, and Use External Page.
Edgecore Default: The gateway has a standard Edgecore Default Login Page with the Edgecore logo
and Administrators can choose to enable a Service Disclaimer if needed.
Customize with Template: A template is prepared for easy customization. The general layout is
fixed, but the contents can be customized to the administrator's preference: a color theme and a
logo can be uploaded, and content fields such as the Service Disclaimer and text colors can be
entered within the template layout.
Upload Your Own: The Administrator has the option to upload an html file as the Login Page. The
"Download HTML Sample File" gives administrators a sample HTML code to edit from. Once this sample
HTML code is downloaded, open the file with any browser, right click and select "View Page Source". You
may edit the HTML code with any text editor as long as the file is saved in .html format.
Use External Page: The Login Page can be a defined external URL. This option requires extensive
knowledge of URL parameter utilization that works together with the Message Pages and should be
organized carefully. For more details on External Login Page customization, please refer to the Technical
Guide.
Managed AP(s): APs managed by LAPM and operating under the Service Zone are listed here. The
list is organized by AP type, and APs can be configured by clicking the shortcut links on the AP
names (link to Main > Access Points > Local Area AP Management > List > AP Configuration). This
acts as a summary and gives administrators a quick status check at a glance.
The Port Location Mapping feature allows each Service Zone to own multiple VLANs (as if each VLAN
were a port) in order to identify where clients are coming from. The administrator can use Port
Location Mapping to map a location (such as a hotel room) to a VLAN port of a VLAN switch or a
DSLAM device. Each room is mapped to a VLAN tag, and each room can be assigned to a different
Service Zone to receive a different policy. Furthermore, depending on your application, rooms can
be configured with different Port Types: Authentication Required, Open or Block.
Open: Users in this room can access the Internet without any charge.
Block: If you do not want to provide any Internet access in a room, set its Port Type to Block.
If a user opens a browser and tries to access the Internet, a blocking message is shown to
notify the user.
Auth. Required: This Port Type is used mainly in hospitality applications to charge users. If a
user opens a browser and tries to access the Internet, a page with a disclaimer and billing plan
options is displayed. The user can select the desired plan and click the confirm button to
purchase an account. The account cost is sent to the PMS and added to the hotel bill via the
configured middleware.
Create Single Mapping
Port Type: The default state of the rooms, it may be: Open, Block, Auth. Required.
Choose LAN Port: Select the LAN Port on which the traffic is received.
Service Zone: The service zone profile used to provide internet service to the corresponding location.
DHCP Scope: Select which DHCP Pool to use from corresponding Service Zone.
Assign VLAN ID: The VLAN ID.
Location ID: A numeric identification number (or typically the room number).
Location Description: Optional description for reference.
User Limit: Maximum number of users allowed on the corresponding port.
NAS Identifier: An optional parameter for RADIUS attribute.
Class: An optional parameter for RADIUS attribute.
HTTP Parameter: Used only when an External Login Page is configured and additional HTTP
parameters are required.
Create Multiple Mappings
Port Type: The default state of the rooms, it may be: Free, Block, Single User, Multiple User.
Choose LAN Port: Select the LAN Port on which the traffic is received.
Service Zone: The service zone profile used to provide internet service to the corresponding location.
DHCP Scope: Select which DHCP Scope to use from corresponding Service Zone.
Assign VLAN ID From: The starting VLAN ID.
Number of VLAN: The total number of VLAN.
Location ID: A numeric identification number (or typically the room number).
Location ID Prefix: The prefix (of room number).
Location ID Postfix: The postfix (of room number).
User Limit Per Port: Maximum number of users allowed on each port.
NAS Identifier From/Prefix/Postfix: An optional RADIUS attribute.
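As an added example (not the controller's own code), the Python below models the Create Multiple Mappings form: from a starting VLAN ID, a VLAN count, a starting numeric Location ID and an optional prefix/postfix it produces one mapping per room, refusing the whole batch if any VLAN ID would leave the 1..4094 range or collide with an existing mapping. The field set, the range check and the collision check are assumptions about what a safe batch import should enforce, not documented controller behaviour; the sample rooms are constructed.

```python
"""Batch Port Location Mapping generator with VLAN checks (added illustration)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

PORT_TYPES = ("Free", "Block", "Single User", "Multiple User")


@dataclass(frozen=True)
class Mapping:
    vlan_id: int
    location_id: str
    port_type: str
    service_zone: str
    lan_port: int
    user_limit: int


def create_multiple_mappings(vlan_from: int, vlan_count: int, location_from: int,
                             port_type: str, service_zone: str, lan_port: int,
                             user_limit: int, prefix: str = "", postfix: str = "",
                             existing: Iterable[Mapping] = ()) -> List[Mapping]:
    """Return the new mappings, or raise ValueError without creating any."""
    if port_type not in PORT_TYPES:
        raise ValueError(f"unknown port type {port_type!r}")
    if vlan_count < 1:
        raise ValueError("Number of VLAN must be at least 1")
    vlan_last = vlan_from + vlan_count - 1
    if vlan_from < 1 or vlan_last > 4094:
        raise ValueError(f"VLAN range {vlan_from}..{vlan_last} leaves 1..4094")
    if user_limit < 1:
        raise ValueError("User Limit Per Port must be at least 1")
    used = {m.vlan_id for m in existing}          # VLANs already in the mapping list
    mappings: List[Mapping] = []
    for i in range(vlan_count):
        vlan_id = vlan_from + i
        if vlan_id in used:
            raise ValueError(f"VLAN {vlan_id} is already mapped")
        location_id = f"{prefix}{location_from + i}{postfix}"
        mappings.append(Mapping(vlan_id, location_id, port_type,
                                service_zone, lan_port, user_limit))
    return mappings


def try_create(*args, **kwargs) -> Optional[str]:
    """Return the validation error message, or None when creation succeeds."""
    try:
        create_multiple_mappings(*args, **kwargs)
        return None
    except ValueError as err:
        return str(err)


def example_floor() -> List[Mapping]:
    """Constructed example: rooms R301..R310 on VLANs 301..310, LAN port 2,
    with one pre-existing mapping for room R401 on VLAN 401."""
    existing = [Mapping(401, "R401", "Free", "Hotel-SZ", 2, 1)]
    return create_multiple_mappings(301, 10, 301, "Single User", "Hotel-SZ", 2, 1,
                                    prefix="R", existing=existing)


if __name__ == "__main__":
    for m in example_floor():
        print(m.vlan_id, m.location_id, m.port_type)
```

Rejecting the whole batch on the first bad entry, rather than creating the valid rooms and skipping the rest, keeps the exported list consistent with what the administrator asked for; a partial import is the usual way a room silently ends up on the wrong VLAN.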
Subinterface
A Subinterface ID can be entered to allow multiple VLAN headers to be carried in a single
Ethernet frame. This feature is commonly used in large networks that require more than a single
VLAN header for further segregation.
The Port Location Mapping List displays all the profile entries with information such as its’ VLAN ID,
Room Num/Location ID, Port Type and Service Zone.
Delete: Erase an individual Port Location Mapping profile.
Export List: Back up the existing Port Location Mapping List.
Import List: Restore the Port Location Mapping List.
Change All Port Type: To configure Port Type for all rooms: Free, Block, Single User, Multiple User.
For VAPs that are tunneled back to the Controller from remote APs, the administrator may wish to
allocate a NAS Identifier and designate an IP pool for service.
In the managed AP list in Wide Area AP Management, the administrator can allocate a NAS Identifier
and designate an IP pool for each VAP of a managed AP. This can be configured while establishing
tunnels between the AP and the Controller.
9) PMS Interface
By setting up the connection to the PMS interface, the system can listen for specific messages from
the PMS server. When a hotel guest buys an in-room billing plan for Internet access, the system posts
a record to the PMS server.
PMS Interface Type: Select the PMS interface type to be integrated.
Innkey PMS
Query API: Enter the IP for Query API.
Post API: Enter the IP for Post API.
Shared Key: Enter the shared key for Innkey PMS APIs.
Account Credential: Room Number and Guest Number will be the user name and password for user
login.
Case and Diacritics Insensitive for Password: Enable this option to ignore case and diacritics when
verifying password.
Login Error Message: To customize the error message content.
User Account Log: The events occurred in the background relating to this feature are recorded and may
be displayed here.
B. Users
Users: This section relates to user authentication, authorization and accounting. It includes Groups Configuration,
Internal/External Authentication Configuration, On-Demand Accounts, Policies Configuration, Privilege Lists
Configuration and Additional Controls.
1) Groups
The Group Overview page gives a summary of which Authentication Servers are used for the
corresponding Group.
16 sets of Group options (model dependent) with Zone Permission Configuration & Policy Assignment
can be defined to enforce access management for different groups of users in different Service
Zones. The correspondence is configured on the "Group Configuration" page.
To allow multiple devices to log in with the same account credentials, define the number here at “Number
of devices which are allowed to login”. Multiple device login for the On-Demand authentication option can
be configured at selected Billing Plans.
2) Internal Authentication
The system supports multiple authentication options, which include both internal and external
databases. Internal Authentication databases include “Local”, “On-Demand”, and “Guest”.
a) Local Authentication
This authentication method checks the local database, which stores users (often staff) and their
credentials internally. The Local user database is designed to hold static accounts that are not
deleted unless the administrator removes them manually.
The default Authentication for “Local” is set at Authentication Server 1. The User Postfix is used for the
system to identify which authentication option will be used for the specific user account when multiple
options are concurrently in use. To manipulate Local accounts, go to “Configure” for Local User List.
Local User List: Click “Configure” to view Local Account list and configure the accounts.
Account Roaming Out: Enable/Disable Local account database when the Controller is used as RADIUS
server for external RADIUS authentication requests.
802.1X Authentication: Enable/Disable Local account database when the Controller is used as RADIUS
server for external 802.1X authentication requests.
RADIUS Client Device Settings: Configure the client list and secret key for those devices allowed to
do RADIUS or 802.1X authentication with the Controller.
Add: Create one or multiple accounts with account information, including Username, Password, MAC
Address, Group, Account Span, and Remark.
Delete: Delete accounts individually, or all at once by selecting the "Select All" checkbox.
Backup: Export user credentials as a text file in CSV format in a new window.
Upload: Import accounts back into the Local user database, a convenient way to create a large
number of Local accounts.
Edit Account Information: For existing user accounts, further modification is possible simply by clicking
the username hyperlink on the page to reconfigure account attributes.
Username: The username for the new local account. Mandatory when adding new account.
Password: The password for the new local account. Mandatory when adding new account.
MAC Address: Bind this particular account under the condition that it may only be granted access using
the device with the specified MAC address.
Group: The group profile of the account being created.
Account Span: Time constraints which will be enforced to this account.
Remark: An additional note the administrator wishes to record. It is shown in the user list.
b) On-Demand Authentication
The On-Demand Authentication option is typically used for short-term usage, such as public hotspots.
Settings related to the On-Demand Authentication option can be configured here, such as Billing Plan
profiles, POS ticket customization, the Terminal Server list, External Payment Gateway setup, etc.
User Postfix: The User Postfix is used by the system to identify which authentication option applies
to a specific user account when multiple options are in use concurrently.
Billing Plans: Click the "Configure" button to edit billing plans.
Currency: The currency in which each On-Demand credential is priced.
Expired Account Cache: The number of days after which expired On-Demand accounts are removed from
the database.
Out-of-quota Account Cache: The number of days after which out-of-quota On-Demand accounts are
removed from the database.
On-Demand Access Code: Allow or disallow On-Demand users to log in with an Access Code instead of a
username and password.
Smart Login: Allow or disallow On-Demand users to be logged in automatically within a specific time period.
Set Ticket's Serial Number: Set the serial number for the next POS ticket print out.
Web Printout: Click “Configure” button to customize the account information page when creating a single
On-Demand account. You can also preview the result here.
POS Tickets: Click “Configure” button to customize account tickets to be printed out by POS printer.
POS Printer: Click “Configure” button to add/delete POS printers.
Payment Gateway: Click “Configure” button to setup payment gateway interface, which allows users to
buy account by themselves.
SMS Gateway: Click “Configure” button to setup SMS gateway integration. On-Demand account
information can be sent via SMS message upon account creation.
Email Verification: Click “Configure” button to setup Email verification feature. Users are able to access
additional quota for the account by activating the link sent via Email.
Account Roaming Out: Enable/Disable On-Demand account database when the Controller is used as
RADIUS server for external RADIUS authentication requests.
RADIUS Client Device Settings: Configure the client list and secret key for those devices allowed to
do RADIUS or 802.1X authentication with the Controller.
Billing Plans
Up to 10 billing plans can be configured. There are 4 types of billing plan: Usage-time, Volume, Hotel
Cut-off Time, and Duration-time. For the concept behind each billing plan type, see Appendix D.
Payment Gateway
Payment Page Configuration: Each type of payment gateway requires different information to be filled
in. You should find this information in your payment gateway account.
Instant Payment Notification (IPN): (PayPal only) When IPN is enabled, PayPal sends a notification to
the controller when a transaction occurs. Note that if the controller's WAN IP is behind NAT, you
need to configure forwarding on the NAT device so that the notification reaches the controller and
the paying end user receives the transaction outcome.
Choose Billing Plans for Payment Page: Select the billing plans available when users purchase an account.
Web Page Customization: Click “Configure” to customize Service Disclaimer Page, Billing Plan Selection
Page, and Account Credential Page.
SMS Gateway
Parameter (SMS API only): API parameters and values for sending an SMS request.
Response Format (SMS API only): JSON or HTML. Selected choice will depend on the type of response
provided by the SMS service. The Response Format will be used by the WLAN controller to determine
whether the SMS text message has been sent successfully.
Key of JSON Array (SMS API only): Key Path of the value from the SMS request’s response in JSON
format. Example: ['data'][0]['status']
Return Value of Successful Request (SMS API only): The text of the successful response is entered
here.
Send Test Message (SMS API only): Enter a mobile number and a "test" SMS message is sent. No On-
Demand account is created when sending the test message. Note that the "Test" button can be used
to troubleshoot your SMS request and view the response message returned by your SMS provider.
Message Content (SMS API only): Customize the SMS Text Message received by Wi-Fi users in the
Message Editor box. Four parameters regarding the created On-Demand account can be entered; the
username, username without the postfix, password, and the quota description.
Parameter                    Definition
$username                    Username of the created On-Demand account.
$Username_without_postfix    Same as $username, but without the postfix.
$password                    Password of the created On-Demand account.
$quota                       Quota description for the created On-Demand account.
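As an added example (not the controller's own code), the Python below implements the two pieces of logic the SMS API settings describe: substituting the four message parameters into the SMS text, and deciding whether the provider's JSON reply signals success by walking the configured Key of JSON Array path (for instance ['data'][0]['status']) and comparing the value found with the configured Return Value of Successful Request. The key-path grammar (single- or double-quoted names and integer indices in square brackets), the "name@postfix" username format and the sample gateway replies are assumptions and constructed data.

```python
"""SMS gateway message rendering and reply verification (added illustration)."""
import json
import re
from typing import Any, List, Union

# One bracketed step: ['name'], ["name"] or [123]
_KEY_RE = re.compile(r"""\[(?:'([^']*)'|"([^"]*)"|(\d+))\]""")


def parse_key_path(path: str) -> List[Union[str, int]]:
    """Turn "['data'][0]['status']" into ['data', 0, 'status']."""
    text = path.strip()
    keys: List[Union[str, int]] = []
    pos = 0
    for m in _KEY_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos} in key path {path!r}")
        pos = m.end()
        if m.group(3) is not None:
            keys.append(int(m.group(3)))
        else:
            keys.append(m.group(1) if m.group(1) is not None else m.group(2))
    if not keys or pos != len(text):
        raise ValueError(f"malformed key path {path!r}")
    return keys


def extract(reply: Any, key_path: str) -> Any:
    """Walk the parsed JSON reply along the key path; KeyError if it is absent."""
    node = reply
    for key in parse_key_path(key_path):
        if isinstance(key, int):
            if not isinstance(node, list) or not 0 <= key < len(node):
                raise KeyError(key)
        elif not isinstance(node, dict) or key not in node:
            raise KeyError(key)
        node = node[key]
    return node


def sms_sent_ok(reply_text: str, key_path: str, success_value: str) -> bool:
    """True only when the reply parses and the configured key holds the success
    value. Any malformed or unexpected reply counts as a failure, so a gateway
    error is never mistaken for a delivered ticket."""
    try:
        value = extract(json.loads(reply_text), key_path)
    except (ValueError, KeyError):
        return False
    return str(value) == success_value


def render_message(template: str, username: str, password: str, quota: str) -> str:
    """Fill in the four message parameters. Assumption: the On-Demand postfix is
    appended as "@postfix", so the part before the first "@" is the bare name."""
    bare = username.split("@", 1)[0]
    out = template.replace("$Username_without_postfix", bare)
    out = out.replace("$username", username)
    out = out.replace("$password", password)
    return out.replace("$quota", quota)


# Constructed replies, not captured from any real SMS provider.
SAMPLE_OK = '{"data": [{"status": "OK", "id": "42"}]}'
SAMPLE_ERR = '{"error": "unauthorized"}'

if __name__ == "__main__":
    path, success = "['data'][0]['status']", "OK"
    print(render_message("Login: $username  PW: $password  ($quota)",
                         "ab12@ondemand", "x9y8", "2 hours"))
    print(sms_sent_ok(SAMPLE_OK, path, success), sms_sent_ok(SAMPLE_ERR, path, success))
```

Note that the comparison is on the string form of the value, so a numeric success code such as 0 can be matched by entering "0" in the Return Value field; a reply that lacks the key, has an empty array at the index, or is not JSON at all is reported as a failed send rather than raising.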
Billing Plans: Created and "Active" Billing Plans are displayed and used for creating On-Demand accounts
via SMS. Note that at least 1 Billing Plan must be selected.
Account Registration Control: Disable, Black List, White List. Disable applies no restriction on mobile
numbers. Black List denies specific mobile numbers from registering. White List allows only specific
mobile numbers to register.
Web Page Customization: Customize the Service Disclaimer and Billing Plan Selection Page using the
Default, Customize with Template, Upload Your Own and Use External Page options.
Email Verification
Default and Customize with Template.
c) Guest Authentication
The Guest Authentication option is not technically a user database, but rather a specially designed
option that allows a user to access the network without any user account or password. The user
associates with a particular Service Zone, enters a guest email or a string of text requested by the
guest questionnaire (which may be a social security number etc., as defined by the administrator), and
uses the network without actual authentication.
Group: The User Group to which guest-login clients belong; it can be mapped to a specific Service Zone
and restricted by a user policy profile.
Guest Information: Information about the accounts is available for the administrator's further analysis
or marketing purposes. Account emails and other questionnaire-enabled fields can be downloaded for the
administrator's own processing. Entries are not cleared automatically, but an email notification is
sent when 1000 entries remain (at 11000 of the 12000-entry maximum).
Download: Administrators are able to download the collected guest information.
Delete All: Administrators are able to delete all the stored data. Administrator can delete all entries
after export to keep the list up-to-date.
Questionnaire: It provides administrators with options to customize extra questions on the login page for
guest login, where the access information from guest users would be collected and viewed in the Guest
Information list.
Guest Access Time: Defines the usage time constraint, tracked by MAC address.
Unlimited: No limit on usage time.
1 Day Access: Clients are subject to a one-day usage time constraint.
Multi-Day Access: Clients are subject to a multi-day usage time constraint.
Quota: The permitted duration and volume for each Guest client.
Reactivation (1 Day Access only): Defines when a new session becomes possible after the access time
has elapsed.
Access Limit (1 Day Access only): Defines how many times per day a device can request a free account.
Email Verification: To ensure that the entered email is a valid email address. The client has to activate this
account within the activation time to extend his/her usage time by clicking a link in the mail sent by the mail
server. Note that the activation is merely a timer and does not add to the account’s Quota.
SMTP Server Settings: Assign the SMTP server used to send the activation mail to clients. This SMTP
server is shared with On-Demand Email Verification. Taking Gmail as an example SMTP server, the
settings are:
SMTP server address: smtp.gmail.com
SMTP port: 465
Encryption: SSL
Authentication: Login: Account Name: the administrator's Gmail address
Authentication: Login: Password: the password of that Gmail account (use a dedicated mailbox and,
where the provider requires it, an application-specific password rather than the administrator's
primary account password)
Sender Email Address: The administrator's Gmail address.
Sender Name: The Sender Name displays in the client mail box.
Activation Email Subject: Customizable email subject displays in the client mail box.
Activation Email Content: Customizable email content displays in the client mail box (max. 2000
characters).
Activation Link: The name with hyperlink to redeem the account in the client email content.
Guest Quota List: Shows how much allowance remains for access-limited Guest accounts, by MAC address
and email address. (It is refreshed automatically at midnight each day, and the oldest entries are
removed when the maximum is reached.)
Email Denial List: Lists email domains that are refused for guest login, to block junk or disposable
mailboxes if desired.
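As an added example (not the controller's own code), the Python below builds and verifies the kind of time-limited activation link the Email Verification feature relies on: the link carries the guest's email, an expiry timestamp and an HMAC-SHA256 tag over both, so the receiving side can reject a forged, altered or late link without storing per-link state. The manual only says the link must be used within the activation time; the signing key, the base URL and the fixed timestamps are assumptions and constructed values.

```python
"""Time-limited, tamper-evident activation link for guest email verification
(added illustration)."""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


def _signed_payload(email: str, exp: int) -> bytes:
    # urlencode percent-escapes the email, so the two fields cannot run together.
    return urlencode({"email": email, "exp": exp}).encode()


def make_activation_link(base_url: str, email: str, secret: bytes,
                         activation_seconds: int, now: Optional[float] = None) -> str:
    """Build the link placed in the activation email."""
    now = time.time() if now is None else now
    exp = int(now) + activation_seconds
    tag = hmac.new(secret, _signed_payload(email, exp), hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode({'email': email, 'exp': exp, 'tag': tag})}"


def verify_activation_link(link: str, secret: bytes,
                           now: Optional[float] = None) -> Optional[str]:
    """Return the verified email, or None if the link is forged, damaged or expired."""
    now = time.time() if now is None else now
    query = parse_qs(urlsplit(link).query)
    try:
        email = query["email"][0]
        exp = int(query["exp"][0])
        tag = query["tag"][0]
    except (KeyError, IndexError, ValueError):
        return None
    expected = hmac.new(secret, _signed_payload(email, exp), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    if now > exp:
        return None
    return email


if __name__ == "__main__":
    key = b"constructed-test-secret"          # assumption: a per-controller secret
    link = make_activation_link("https://guest.example.net/activate",
                                "guest@example.com", key, 30 * 60)
    print(link)
    print(verify_activation_link(link, key))  # guest@example.com
```

The expiry is checked after the tag, so an attacker who cannot produce a valid tag learns nothing about which links are still live; and because the email is part of the signed payload, changing it in the URL invalidates the tag rather than redeeming someone else's activation.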
Group: OTP-authenticated clients are governed by the User Policy configured for this group in each Service Zone.
OTP Client Information: Information collected from clients who have requested a one-time password.
Download: Administrators can download the collected OTP client information.
Delete All: Administrators can delete all stored entries. Export the data first, then delete, to keep the list current.
Default Country Code: Sets the default country code shown on the login page.
Length of Mobile Number: Sets the number of digits expected in a mobile number.
Quota (Duration Time): Specifies how long OTP-authenticated clients may stay online. The maximum duration is 364 days 23 hours 59 minutes.
Questionnaire: 5 entries displayed on the OTP Registration Page.
SMS Gateway: Clickatell (Legacy/New) or SMS API (check the text content customization); for the related settings refer to the SMS Gateway settings in the On-Demand User Database.
Web Page Customization: Several customization types are listed, but currently only Edgecore Default and Customize with Template are supported.
3) External Authentication
Up to 5 External Authentication servers can be set up and enabled concurrently, so that existing user account databases on your network can be used. External Authentication options include RADIUS, POP3, LDAP, NT Domain, and SIP.
Social Account Quota List: Shows how many allowances remain for the access-limited accounts, by MAC address and Email Address. (The list is refreshed automatically at midnight each day, and the oldest entries are removed when the maximum is reached.)
Punishment: Enables or disables the punishment mechanism. A pre-authorized client that has not completed the login process within 5 minutes is shown in the table. If a client clicks the social login button 3 times and still fails, the client is locked out for 15 minutes as punishment.
Punishment List: Clients currently being punished are listed here. Administrators can release the restriction from the Punishment List.
4) On-Demand Accounts
Account Creation: Administrators can choose to create a single account or multiple accounts
using the "Batch Create" function. Before accounts can be created, at least one Billing Plan needs
to be set up and activated. Accounts can be created with random Usernames and Passwords or
created manually (up to 8 characters). Usernames and Passwords can also be created manually
for batch creation. (E.g. Prefix = ABC, Postfix = DEF, Serial Number 0001.)
Account List: All created On-Demand accounts and related information are listed on this page. The list also allows administrators to manage On-Demand accounts, for example by restoring or deleting accounts or performing an Admin Redeem.
5) Schedule
The Administrator gets to set different Login Hour permissions to be applied to User Groups in enabled
Service Zones. To apply the configured Schedule Profile, go to Groups Configuration.
6) Policies
Global policy is the system's universal policy. It includes a Firewall Profile, Specific Route Profile, Schedule Profile, and Maximum Concurrent Sessions management, and is applied to all users unless a user is governed by another policy.
Each policy likewise consists of a Firewall Profile, Specific Route Profile, Schedule Profile and Maximum Concurrent Sessions management. Policies are defined on the Policy tab. The administrator can select one of the defined policies and apply it to groups within a given Service Zone. The same group of users can be given different policies in different Service Zones; for example, sales staff can receive different network access rights when connecting from the sales department area than from the finance department area.
Select Policy: The number of policy profiles available depends on the model type.
Firewall Profile: The firewall profile specifies the protocols and rules enforced on users governed by this policy. Each Policy profile has its own customizable firewall profile.
Service Protocol: This link leads to the policy's Service List page, where the administrator defines a list of services by protocol (TCP/UDP/ICMP/IP). The service names defined here form the choice list used when configuring firewall rules.
User Firewall Rules: This link leads to the policy's Firewall Rules page. Rule No. 1 has the highest priority, rule No. 2 the second, and so on; place specific rules ahead of general ones, since rules are evaluated in priority order and the first match decides. Each firewall rule is defined by a Source, a Destination, a Service from the policy's Service List and a Pass/Block action. Optionally, a Firewall Rule Schedule can be set to specify when the rule is enforced: Always, Recurring or One Time.
DoS Protection (Global Profile only): Configures the options for protection against DoS attacks.
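The following Python code is an added example, not part of the Edgecore manual or the controller's software. It models the rule semantics described above (numbered rules, first match in priority order, a Service from the Service List, a Pass/Block action and an Always/Recurring/One Time schedule) so that a rule set can be checked for shadowed rules before it is applied. The service names, subnets, rule set and dates are constructed for the example.

```python
"""Added example: first-match evaluation of a policy's User Firewall Rules.

Illustrative code, not the EWS controller's implementation. Semantics assumed
from the manual: rules are numbered, Rule No. 1 has the highest priority, each
rule has a Source, a Destination, a Service from the policy's Service List and a
Pass/Block action, and an optional schedule of Always, Recurring or One Time.
The service names, subnets and rule set below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Service List (constructed): name -> (protocol, destination port or None)
SERVICES = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "SMB": ("tcp", 445),
    "DNS": ("udp", 53),
    "ICMP": ("icmp", None),
    "ANY": ("ip", None),
}


@dataclass
class Rule:
    number: int
    source: str                 # CIDR; "0.0.0.0/0" means any
    destination: str            # CIDR
    service: str                # key into SERVICES
    action: str                 # "Pass" or "Block"
    schedule: str = "Always"    # "Always" | "Recurring" | "One Time"
    weekdays: Tuple[int, ...] = (0, 1, 2, 3, 4, 5, 6)   # Recurring: 0 = Monday
    hours: Tuple[int, int] = (0, 24)                     # Recurring: [start, end)
    window: Optional[Tuple[datetime, datetime]] = None   # One Time: [start, end)

    def active(self, now: datetime) -> bool:
        """Is this rule enforced at time `now` according to its schedule?"""
        if self.schedule == "Always":
            return True
        if self.schedule == "Recurring":
            return now.weekday() in self.weekdays and self.hours[0] <= now.hour < self.hours[1]
        if self.schedule == "One Time" and self.window is not None:
            return self.window[0] <= now < self.window[1]
        return False

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        """Does the flow (src, dst, proto, dport) fall under this rule?"""
        if ip_address(src) not in ip_network(self.source):
            return False
        if ip_address(dst) not in ip_network(self.destination):
            return False
        s_proto, s_port = SERVICES[self.service]
        if s_proto == "ip":                      # "ANY": every protocol
            return True
        return proto == s_proto and (s_port is None or dport == s_port)


def evaluate(rules, src, dst, proto, dport, now, default="Pass"):
    """Return (action, rule number). Rules are tried in ascending number; the
    first rule that is both active and matching decides, and later rules are
    never consulted, so a lower-priority Pass cannot re-open what a
    higher-priority Block already matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.active(now) and rule.matches(src, dst, proto, dport):
            return rule.action, rule.number
    return default, None


# Constructed sample policy for a guest subnet.
GUEST, OFFICE, ANY = "10.20.0.0/16", "192.168.1.0/24", "0.0.0.0/0"
RULES = [
    Rule(1, GUEST, OFFICE, "SMB", "Block"),                                          # never file sharing to the office LAN
    Rule(2, GUEST, OFFICE, "ANY", "Block", schedule="Recurring", weekdays=(5, 6)),   # nothing to the office LAN at weekends
    Rule(3, GUEST, ANY, "HTTPS", "Pass"),
    Rule(4, GUEST, ANY, "HTTP", "Pass"),
    Rule(5, GUEST, OFFICE, "ANY", "Pass"),   # shadowed by rules 1 and 2 for the traffic they match
]


def demo():
    """Flows from a guest device, on a Tuesday and a Saturday (constructed dates)."""
    tuesday = datetime(2024, 5, 14, 10, 0)
    saturday = datetime(2024, 5, 18, 10, 0)
    return (
        evaluate(RULES, "10.20.3.7", "192.168.1.10", "tcp", 445, tuesday),   # ('Block', 1)
        evaluate(RULES, "10.20.3.7", "192.168.1.10", "tcp", 443, tuesday),   # ('Pass', 3)
        evaluate(RULES, "10.20.3.7", "192.168.1.10", "tcp", 443, saturday),  # ('Block', 2)
        evaluate(RULES, "10.20.3.7", "8.8.8.8", "udp", 53, tuesday),         # ('Pass', None): no rule, default applies
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Rule 5 in the sample set is never reached for SMB or weekend traffic to the office LAN; running a rule set through an evaluator like this before applying it is a quick way to find such shadowed rules and to confirm that the default action (here Pass) is what you intend for traffic no rule covers.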
Privilege Profile: The limit on the number of sessions a user may generate is configured here. Adjust this attribute carefully based on your network usage.
Password Change (Non-Global Profile only): Set to "Allow" so that users governed by this Privilege Profile can change their own login password.
Maximum Concurrent Sessions: When a user governed by this Privilege Profile reaches the session limit, the user is implicitly suspended from opening any new connection for a fixed time period.
Disable timeout for this group (Non-Global Profile only): Set to "Enable" so that clients governed by this policy are not logged out automatically. Note that enabling this option may increase system load, and it leaves a session authenticated until the user logs out explicitly, so use it only for groups whose devices are trusted.
QoS Profile (Non-Global Policy only): Edits the traffic configuration. If bandwidth throttling is required, administrators can tick the checkbox and select a second QoS profile that takes effect a specified duration after the client completes authentication.
Traffic Class: Each policy can be configured with its own traffic class, and different Traffic Class Remarking can be set for IPv4 and IPv6 within the same Traffic Profile.
Group Total Downlink: To define the maximum bandwidth allowed to be shared by clients
within this group.
Group Total Uplink: To define the maximum bandwidth allowed to be shared by clients
within this group.
Individual Maximum Downlink: To define the maximum bandwidth allowed for an individual client within this group; the Individual Maximum Downlink cannot exceed the value of Group Total Downlink.
Individual Maximum Uplink: To define the maximum bandwidth allowed for an individual
client within this group; the Individual Maximum Uplink cannot exceed the value of Group
Total Uplink.
Individual Request Downlink: To define the guaranteed minimum bandwidth allowed for an
individual client within this group; the Individual Request Downlink cannot exceed the value
of Group Total Downlink and Individual Maximum Downlink.
Individual Request Uplink: To define the guaranteed minimum bandwidth allowed for an
individual client within this group; the Individual Request Uplink cannot exceed the value of
Group Total Uplink and Individual Maximum Uplink.
Specific Route Profile: The routing rules to be applied to users under this policy may be set
here.
Specific IPv6 Route Profile: The routing rules to be applied to users under this policy may be
set here.
IPv4 DSCP and 802.1p Mapping (Global Policy only): Enables a static mapping from the IPv4 DSCP tag to the desired 802.1p traffic class for frames sent into the managed VLAN network.
IPv6 Traffic Class and 802.1p Mapping (Global Policy only): Enables a static mapping from the IPv6 traffic class tag to the desired 802.1p traffic class for frames sent into the managed VLAN network.
Policy 1~x (model dependent) can be applied to specific groups of users in different Service Zones. Policy 1 has the highest priority, and the policy with the higher priority is the one applied first.
A Preferred DHCP Pool (defined in the Service Zone DHCP configuration) may be selected here as well.
7) Blacklists
Blacklist profiles can be defined, and each active authentication option may be configured with one of these blacklist profiles. A user account listed on the blacklist is not allowed to log into the system; the client's access is denied. The administrator selects one blacklist from the drop-down menu, and that blacklist is applied to the specific authentication option. Note that names on the Blacklists can be configured to be matched case-insensitively.
8) Privilege Lists
The Privilege function supports three types of privilege list, based on IP address, MAC address and IPv6 address. Devices specified in a list require NO authentication to access the network. Note that a User Group can be assigned to devices on the IP Privilege List but not on the MAC Privilege List. Because an IP or MAC address can be set freely on a client, a privilege list entry grants network access to anyone who presents that address; keep these lists short and limit them to devices that cannot authenticate themselves (printers, sensors) on network segments you control.
Privilege List: There are three types of authentication-free lists in which the administrator can grant individual devices access without authentication, by IP address, IPv6 address or MAC address.
9) Additional Control
Additional configurations are in this section. They are User Session Control, Built-in RADIUS Server
Settings, Customization, Remaining Time Reminder, and MAC ACL. The administrator can control user
session such as idle timeout in User Session Control. Three functions are provided in Built-in RADIUS
Server Settings such as session timeout. In Customization, the administrator can upload certificate to the
system. Remaining Time Reminder provides remaining time information to clients on the screen. The
administrator can manage the access control to the system via clients' MAC address in the MAC ACL
(Access Control List).
User Session Control
Idle Timeout: The period without activity after which a session is deemed idle.
Idle Detect Interval: How often the system checks whether the idle criteria are met. When successive idle intervals accumulate to more than the Idle Timeout configured above, the idle-timeout action is triggered and the user is logged out.
Traffic Direction for Idle Timeout: The user's activity may be judged from uplink traffic only or from both directions.
Threshold for Idle Traffic Detection: Traffic below the configured value is considered idle.
Charge Traffic to/from Host in Walled Garden List: For usage- or volume-type accounts in the On-Demand user database, the administrator has the option to charge or not charge traffic to websites listed in the walled garden or walled garden ad list.
Kick out user when user's IP changes: Whether the system forces a disconnection whenever a user's IP address changes.
Log NAT Mapping in User Session Log: Enable this option to record, for each connection, the mapping from private IP/port to public IP/port; without it, a public-side record (for example an abuse complaint quoting a public IP and port) cannot be traced back to the user.
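The following Python code is an added example, not part of the manual or the controller's software. It models how the four idle settings above interact, on constructed per-minute traffic samples, and in particular how the Traffic Direction choice decides whether a device that only receives background traffic is ever logged out. The accumulation semantics (idle intervals add up, an active interval resets them, logout once the total exceeds Idle Timeout) are an assumption drawn from the description above.

```python
"""Added example: how Idle Timeout, Idle Detect Interval, Traffic Direction and
Threshold for Idle Traffic Detection combine to log a user out.

Illustrative code, not the controller's implementation. Semantics assumed from
the manual: at every Idle Detect Interval the traffic seen since the previous
check is compared with the threshold; an interval below it counts as idle,
successive idle intervals accumulate, any active interval resets the count, and
once the accumulated idle time exceeds Idle Timeout the user is logged out. The
per-interval byte counts below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdleConfig:
    idle_timeout_s: int        # Idle Timeout
    detect_interval_s: int     # Idle Detect Interval
    direction: str             # Traffic Direction: "uplink" or "both"
    threshold_bytes: int       # Threshold for Idle Traffic Detection, per interval


def idle_logout_time(cfg: IdleConfig, samples: List[Tuple[int, int]]) -> Optional[int]:
    """samples[i] = (uplink_bytes, downlink_bytes) seen during detect interval i.
    Returns the elapsed seconds at which the idle-timeout logout fires, or None
    if the user stays logged in for the whole sample."""
    idle_accum = 0
    elapsed = 0
    for up, down in samples:
        elapsed += cfg.detect_interval_s
        observed = up if cfg.direction == "uplink" else up + down
        if observed < cfg.threshold_bytes:
            idle_accum += cfg.detect_interval_s
        else:
            idle_accum = 0                   # any activity restarts the idle clock
        if idle_accum > cfg.idle_timeout_s:  # "exceeding" the configured idle time
            return elapsed
    return None


# Ten-minute idle timeout, checked every minute; 1 KB per minute counts as activity.
UPLINK_ONLY = IdleConfig(idle_timeout_s=600, detect_interval_s=60, direction="uplink", threshold_bytes=1000)
BOTH = IdleConfig(idle_timeout_s=600, detect_interval_s=60, direction="both", threshold_bytes=1000)

# Constructed: a phone that sends nothing but keeps receiving 4 KB/min of push notifications.
PUSH_ONLY = [(0, 4000)] * 12
# Constructed: idle for 5 minutes, one burst of uplink, then idle for 11 minutes.
BURSTY = [(0, 0)] * 5 + [(2000, 0)] + [(0, 0)] * 11


def demo():
    return (
        idle_logout_time(UPLINK_ONLY, PUSH_ONLY),   # 660: logged out after 11 idle minutes
        idle_logout_time(BOTH, PUSH_ONLY),          # None: downlink pushes count as activity
        idle_logout_time(UPLINK_ONLY, BURSTY),      # 1020: the burst reset the idle clock
    )


if __name__ == "__main__":
    print(demo())
```

With the direction set to uplink only, a device that merely receives background traffic is still reclaimed, which is usually what an operator wants for abandoned sessions; with both directions counted, the same device stays logged in (and keeps its IP address and quota) for as long as anything is pushed to it.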
Idle Timeout: For users authenticated via the built-in RADIUS server (including account roaming users), the idle timeout range may be configured here manually. Please configure this attribute carefully.
Interim Update: For users authenticated via the built-in RADIUS server (including account roaming users), the accounting interval may be configured here manually. Please configure this attribute carefully.
Certificate: The certificate used by the built-in RADIUS server can be selected here.
C. Devices
Devices: This section is used to manage the APs and switches. Besides showing the various attributes of APs
and switches, there are different functions provided for various configurations.
a) Overview
A summary lists the basic information for each AP type: the number of APs, the number online, the number offline, and the total number of associated clients of that AP type.
All of the supported APs under management of the system are shown in this table, listed by AP type.
Select any AP by ticking its checkbox and then click the buttons below to Reboot, Enable, Disable, Delete, Apply Template or Apply Service Zone (Tag-Based) to the selected APs as desired.
b) List
A list is used to show the information of each managed AP, including Type, Name, IP Address, MAC
Address, and online Status. Functions in this section also include the operations such as reboot, enable,
disable, delete, apply a new template, and apply by service zone and other configuration.
All of the supported APs under management of the system are shown in the list. The administrator can add supported APs from the Discovery or Adding tabs. After APs are added, this list shows the currently managed APs with their AP type, AP name, IP Address, MAC Address, Service Zone and Status. The administrator can then reboot, enable, disable or delete the managed APs, or apply a template or a service zone to them, by ticking the checkbox in front of each individual AP or selecting all APs at once with the top checkbox.
Select any AP by ticking its checkbox in the list and then click the buttons to Reboot, Enable, Disable, Delete, Apply Template, Reset to Default, Apply By Service Zone or Add to Floor Plan for the selected APs as desired.
c) Adding
The Adding function is used to set up an AP manually by filling in the required information for that AP. The system provides templates that simplify AP configuration.
The administrator can add supported APs to the List manually by clicking "Add" and selecting "Add AP". The system then attempts to configure the AP with the values specified. After processing, the AP's status is displayed as "online" or "offline" in the AP List.
d) Discovery
The Discovery function detects, manually or automatically, the supported types of APs connected to the LAN ports and assigns a unique IP address to each AP discovered. Click "Add" in the AP List and select "Find Multiple APs".
When the Background AP Discovery function is enabled, the system scans once every 10 minutes or at the interval set by the administrator. If an AP is discovered and Auto Adding AP to the List is enabled, the AP is assigned an available IP address starting from the start address set in the selected Service Zone profile, and the selected template is applied. You can also set the channel the AP will use.
AP Type: Select the AP model name that the system should look for.
Service Zone: Select the Service Zone in which the discovered AP is to be managed.
VLAN for management: Set the management VLAN for the discovered AP.
Admin Settings Used to Discover: Select factory default if the connected AP's interface and management credentials have not been changed. Otherwise, choose manual and specify the IP range and management settings accordingly. The administrator may stop the controller from scanning at any time during the discovery process. An AP brought under management with factory-default credentials should have those credentials changed afterwards, since they are equally well known to anyone else on the network.
Background AP Discovery: When configured, the system will periodically scan the configured
IP range for newly connected AP devices and automatically display the discovery results.
Discovery Results: Shows the AP devices detected that match the discovery criteria configured
above.
e) Templates
The AP setting templates can be defined. Up to 8 templates can be edited, saved, and used in "Adding"
and "Discovery" sections.
Templates by AP Model
The system supports up to eight templates, each holding a set of AP configurations. The administrator can configure the settings together in the template instead of logging in to each AP's management interface and setting them one by one. Select the AP type, and then click the Edit icon to enter the Template Editing page.
Template Editing: The administrator can set the template configuration manually or copy the
configurations from a specific existing managed AP by Copy Settings From option. Click Configure
button to have detailed configurations.
Name: The name shown for this particular template.
Copy Settings From: Select a pre-configured existing AP and click Apply to save its settings as
the template settings.
Remark: The remark or additional information for this template profile.
Action: Click Edit depicted by a pencil icon to enter configurations or click the red cross to delete
template
General: In this section, revise the Subnet Mask and Default Gateway if desired, and configure the NTP Servers and Time Zone. In addition, the administrator can enable a SYSLOG server to receive the log from the AP and enable SNMP read/write access; if SNMP write access is enabled, replace the default community strings and restrict SNMP to the management VLAN, since a writable community string gives full control of the AP's configuration. Port Configure allows the administrator to set a VLAN tag on each LAN port.
Wireless:
SSID Broadcast: Select this option to have the AP broadcast its SSID on your network. Disabling SSID broadcast reduces casual discovery of a network without authentication that is intended for private use, but it is not a security control: the SSID is still sent in clear text in the probe and association frames of every client that connects, so a private network should rely on authentication and encryption rather than on a hidden name.
Band: Depending on the AP model template you are editing, different modes are available: 802.11a, 802.11b, 802.11g, 802.11a+802.11n, 802.11b+802.11g, 802.11g+802.11n and 802.11ac.
Channel Width (802.11g+n, 802.11a+n and 802.11ac only): Choose between 20MHz, 40MHz or
Auto. Doubling channel bandwidth to 40 MHz is supported to enhance throughput. 80MHz is available
for selection in 802.11ac mode.
Antenna Mode (802.11g+n, 802.11a+n and 802.11ac only): Select the stream number to be used
for MIMO. The max stream number available depends on models.
Transmit Power: On select AP models, the signal strength transmitted from the system can be
selected by Levels. Each level signifies a decrement of 1 dBm from the highest power. Level 1 is the
actual highest power, Level 2 is the highest power minus 1 dBm, so on and so forth.
Beacon Interval (ms): Enter a value between 20 and 1000 msec. The default value is 100
milliseconds. The entered time means how often the beacon signal is transmitted between the access
point and the wireless network.
ACK Timeout: The time interval to wait for the acknowledgement (ACK) frame. If the ACK is not received within the interval, the packet is retransmitted. A higher ACK Timeout reduces packet loss but lowers throughput.
Airtime Fairness: When set to “Fair Access”, this feature ensures all devices with different band
compatibilities have the same air time. When set to “Preferred Access”, N clients are prioritized. This
feature is ideal for networks with devices supporting different bands.
Packet Delay Threshold (ms): This is the Tx Queue flushing mechanism, which purpose is to drop
packets and immediately process others if the queue has been processed for more than x
milliseconds. This is disabled by default (=0).
Idle Timeout (s): A client is disconnected when its inactivity reaches the configured number of seconds; the default is 300 s.
Band Steering: When enabled, clients with 5GHz connectivity will be steered towards the 5GHz
band to reduce congestion in the 2.4GHz band. This is applicable only when the AP is set to 2.4GHz
and 5GHz on the 2 RF Cards. When “Aggressive” is checked, clients with 5GHz connectivity are
forced to connect to the 5GHz band.
Interference Detection: When utilization of the current channel reaches the configured threshold (in
%), the AP switches to a different Channel.
Transmission Rate Threshold: The associated client will be kicked when transmission rate is lower
than the configured threshold. This ensures high connection speed for all associated clients.
UAPSD: Enable/Disable UAPSD (Unscheduled Automatic Power Save Delivery) support.
WME Configuration: Access priority can be configured with different parameters; AP-side and client-side parameters are configured separately. CW Min: Contention Window Minimum; CW Max: Contention Window Maximum; AIFS: Arbitration Inter-Frame Spacing; TXOP Limit: Transmission Opportunity Limit.
VAP Configuration: Enable/Disable VAP under the ‘Status’ column. Configuration of VAPs can be
done by clicking the edit icon under ‘Action’.
Status: VAP can be Enabled or Disabled here
Profile Name: The profile name of a specific RF card and its VAP for identity / management
purposes.
Service Zone: Select the mapping Service Zone for the VAP from the drop-down list
VLAN ID: Select the VLAN ID for this VAP
SSID: The SSID serves as an identifier for clients to associate with the specific VAP. It can be coupled
with different service levels like a variety of wireless security types.
RTS Threshold: Enter a value between 1 and 2346. The RTS (Request to Send) Threshold determines the packet size at which the system issues a request to send (RTS) before sending the fragment, to prevent the hidden node problem. The RTS mechanism is activated if the data size exceeds the value provided. A lower RTS Threshold can be useful in areas where many client devices are associating with the AP, or where the clients are far apart and can detect only the AP but not each other.
DTIM Period: Input the DTIM Interval that is generated within the periodic beacon at a specified
frequency. Higher DTIM will allow the wireless client to save more energy, but the throughput will be
lowered.
Consecutive Retries Threshold: This is the maximum number of transmission retries the AP will
attempt when packet transmission fails before deciding the client is out of transmission reach. When
transmission retries fails for the set number of times, the Access Point kicks the client to optimize
performance for other connected clients.
SSID Broadcast: Disabling this function will stop the system from broadcasting its SSID. If broadcast
of the SSID is disabled, only devices that have the correct SSID can connect to the system.
Wireless Client Isolation: By enabling this function, all stations associated with the system are
isolated and can only communicate with the system.
IAPP: IAPP (Inter Access Point Protocol) is a protocol by which access points share information
about the stations connected to them. When this function is enabled, the system will automatically
broadcast information of associated wireless stations to its peer access points. This will help wireless
stations roam smoothly among IAPP-enabled access points in the same wireless LAN.
Multicast-to-Unicast Conversion: When enabled, multicast packets are transferred via the Access Point's network interface and the IP multicast host. Registration information is recorded and sorted into multicast groups, and the internal switch then forwards traffic only to those ports that have requested the multicast group. Conversely, without Multicast-to-Unicast Conversion, multicast traffic is treated like broadcast traffic and forwarded to all ports, which is inefficient.
Multicast/Broadcast Rate: Bandwidth configuration for multicast/broadcast packets. If your wireless
clients require a larger or smaller bandwidth for sending multicast/ broadcast packets, the
administrator can customize the Access Point’s multicast/ broadcast bandwidth here.
Management Frame Rate: Controls the rate used for Management Frames. The higher the rate, the shorter the range the transmission covers.
Receiving RSSI Threshold: To keep connected stations with high connection speeds, the station is
kicked out when its receiving sensitivity is lower than the threshold.
Security: The Access Point supports various wireless authentication and data encryption methods in each VAP profile, so the administrator can provide different service levels to clients. The security types are Open, WEP, 802.1X, WPA-Personal, and WPA-Enterprise. Open provides no encryption, and WEP is cryptographically broken (its key can be recovered from captured traffic in minutes), so neither protects client traffic; use WPA-Enterprise (802.1X) where a RADIUS server is available, or WPA-Personal with a long passphrase otherwise.
Access Control: The administrator can restrict the wireless access of client devices based on their MAC addresses. A MAC address is set by the client and can be copied from any device observed on the air, so MAC filtering raises the bar only against casual use and is not a substitute for authentication.
Disable Access Control: When Disable is selected, there is no MAC-based restriction on client devices accessing the system.
MAC ACL Allow List: When MAC ACL Allow List is selected, only the client devices (identified by their MAC addresses) listed in the Allow List ("allowed MAC addresses") are granted access to the system. The administrator can temporarily block an allowed MAC address by ticking Disable, until the listed MAC is re-enabled.
MAC ACL Deny List: When MAC ACL Deny List is selected, all client devices are granted access to the system except those listed in the Deny List ("denied MAC addresses"). The administrator can temporarily allow a denied MAC address to connect by ticking Disable.
RADIUS ACL: When client is trying to associate with the AP, the AP will send RADIUS
request with the MAC address of the client to the configured RADIUS server. Only the
MAC addresses accepted by the RADIUS server can associate to the AP. Please note
that, the RADIUS server settings here are shared with WPA-Enterprise and 802.1X
settings for the same VAP.
Hotspot 2.0: Hotspot 2.0 is also known as WiFi Certified Passpoint initiated by the WiFi Alliance to
provide better bandwidth and services for public WiFi subscribers. The HotSpot 2.0 feature is
designed only for service providers and their partners. Please consult your service providers or our
service team to complete the configuration.
The Wireless Setting for RF Card B is available for dual Radio Access Points. Configuration parameters
may differ on select AP Models.
Layer 2 Firewall:
State: Enable or Disable the respective rules
Rule: The numbering of this specific rule will decide its priority among available firewall rules in
the table.
Rule name: The rule name can be specified here.
EtherType: The drop-down list provides the available types of traffic subject to this rule.
Interface: Indicates the inbound/outbound direction and the desired interfaces.
DSAP/SSAP (when EtherType is IEEE 802.3): The value can be further specified for the fields in
802.2 LLC frame header.
Type (when EtherType is IEEE 802.3): The field can be used to indicate the type of encapsulated
traffic.
Source: MAC Address/Mask indicates the source MAC; IP Address/Mask indicates the source IP
address (when EtherType is IPv4); ARP IP/MAC & MASK indicate the ARP payload fields.
Destination: MAC Address/Mask indicates the destination MAC; IP Address/Mask indicates the
destination IP address (when EtherType is IPv4); ARP IP/MAC & MASK indicate the ARP
payload fields.
Action: The rule can be chosen to be Block or Pass
Remark: Notes of this rule can be specified here.
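The following Python code is an added example, not the AP's firewall and not part of the manual. It parses raw Ethernet frames into the fields listed above (EtherType, DSAP/SSAP for IEEE 802.3, IPv4 addresses, ARP sender/target fields), matches them against numbered Block/Pass rules with MAC and IP masks in priority order, and shows one typical use of the ARP fields: passing ARP replies for the gateway IP only when they come from the gateway's real MAC, and blocking any other device that claims that IP. The gateway addresses, rules and frame bytes are constructed for the example.

```python
"""Added example: parse Ethernet frames into the Layer 2 Firewall's match fields
(EtherType, 802.2 LLC DSAP/SSAP, IPv4 addresses, ARP payload) and apply numbered
Block/Pass rules with MAC and IP masks in priority order.

Illustrative code, not the AP's firewall and not part of the manual. The rule
fields follow the list above; gateway addresses, rules and frames are constructed."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_frame(frame: bytes) -> dict:
    """Extract the match fields from a raw Ethernet frame."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    f = {"dst_mac": mac_str(dst), "src_mac": mac_str(src)}
    p = frame[14:]
    if etype <= 0x05DC:                       # a length, not a type: IEEE 802.3 with 802.2 LLC header
        f["ethertype"], f["dsap"], f["ssap"] = "IEEE 802.3", p[0], p[1]
    elif etype == 0x0806:
        f["ethertype"] = "ARP"
        _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", p[:28])
        f.update(arp_op=op, arp_sender_mac=mac_str(sha), arp_sender_ip=str(ip_address(spa)),
                 arp_target_mac=mac_str(tha), arp_target_ip=str(ip_address(tpa)))
    elif etype == 0x0800:
        f["ethertype"], f["src_ip"], f["dst_ip"] = "IPv4", str(ip_address(p[12:16])), str(ip_address(p[16:20]))
    else:
        f["ethertype"] = f"0x{etype:04x}"
    return f


def mac_match(mac: str, pattern: Optional[Tuple[str, str]]) -> bool:
    """pattern = (address, mask); a None pattern matches any MAC."""
    if pattern is None:
        return True
    have, want, mask = mac_bytes(mac), mac_bytes(pattern[0]), mac_bytes(pattern[1])
    return all((h & m) == (w & m) for h, w, m in zip(have, want, mask))


def ip_match(ip: Optional[str], cidr: Optional[str]) -> bool:
    return cidr is None or (ip is not None and ip_address(ip) in ip_network(cidr))


@dataclass
class L2Rule:
    number: int
    name: str
    action: str                                   # "Block" or "Pass"
    ethertype: str                                # "IPv4", "ARP" or "IEEE 802.3"
    src_mac: Optional[Tuple[str, str]] = None
    dst_mac: Optional[Tuple[str, str]] = None
    src_ip: Optional[str] = None                  # IPv4 only, CIDR
    dst_ip: Optional[str] = None
    arp_sender_ip: Optional[str] = None           # ARP only
    arp_sender_mac: Optional[Tuple[str, str]] = None
    dsap: Optional[int] = None                    # IEEE 802.3 only
    ssap: Optional[int] = None

    def matches(self, f: dict) -> bool:
        if f["ethertype"] != self.ethertype:
            return False
        if not (mac_match(f["src_mac"], self.src_mac) and mac_match(f["dst_mac"], self.dst_mac)):
            return False
        if self.ethertype == "IPv4":
            return ip_match(f["src_ip"], self.src_ip) and ip_match(f["dst_ip"], self.dst_ip)
        if self.ethertype == "ARP":
            return ip_match(f["arp_sender_ip"], self.arp_sender_ip) and mac_match(f["arp_sender_mac"], self.arp_sender_mac)
        return (self.dsap is None or f["dsap"] == self.dsap) and (self.ssap is None or f["ssap"] == self.ssap)


def evaluate_l2(rules, frame: bytes, default="Pass"):
    """The lowest-numbered matching rule decides; `default` applies when none match."""
    f = parse_frame(frame)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(f):
            return rule.action, rule.name
    return default, None


# Constructed environment: the real gateway, and rules that let only it answer ARP for its IP.
GW_IP, GW_MAC, FULL = "192.168.1.1", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
RULES = [
    L2Rule(1, "gateway-arp-genuine", "Pass", "ARP", arp_sender_ip=GW_IP + "/32", arp_sender_mac=(GW_MAC, FULL)),
    L2Rule(2, "gateway-arp-spoofed", "Block", "ARP", arp_sender_ip=GW_IP + "/32"),   # any other MAC claiming it
    L2Rule(3, "no-stp-bpdu", "Block", "IEEE 802.3", dsap=0x42, ssap=0x42),          # clients must not inject STP
]


def arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), 0x0806)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, mac_bytes(sender_mac),
                             ip_address(sender_ip).packed, mac_bytes(target_mac), ip_address(target_ip).packed)


def demo():
    client = "aa:bb:cc:00:00:01"
    bpdu = struct.pack("!6s6sH", mac_bytes("01:80:c2:00:00:00"), mac_bytes(client), 38) + bytes([0x42, 0x42, 0x03]) + bytes(35)
    ipv4 = struct.pack("!6s6sH", mac_bytes(GW_MAC), mac_bytes(client), 0x0800) + struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, ip_address("192.168.1.50").packed, ip_address("93.184.216.34").packed)
    return (
        evaluate_l2(RULES, arp_reply(GW_MAC, GW_IP, client, "192.168.1.50")),              # ('Pass', 'gateway-arp-genuine')
        evaluate_l2(RULES, arp_reply("de:ad:be:ef:00:01", GW_IP, client, "192.168.1.50")),  # ('Block', 'gateway-arp-spoofed')
        evaluate_l2(RULES, bpdu),                                                           # ('Block', 'no-stp-bpdu')
        evaluate_l2(RULES, ipv4),                                                           # ('Pass', None)
    )
```

The pair of ARP rules only works because rule 1 (the narrower Pass) is numbered ahead of rule 2 (the broader Block); swapping the numbers would block the real gateway's replies as well. Note also that the EtherType field doubles as a length for values up to 0x05DC, which is how the parser decides that the DSAP/SSAP fields are present.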
f) Firmware
The Firmware function provides the tools to see the AP firmware version and upload new AP firmware
into the system.
The system supports the firmware management of APs to upload new firmware, delete the existing firmware, and download the firmware to managed APs. Note that the AP's firmware version must be one that has been integrated.
Firmware Upload displays the current version of the AP’s firmware. New firmware can be uploaded here
to update the current firmware. To upload, first click Add, and then Browse to select the file and then
click Upload.
g) Upgrade
The Upgrade function allows administrators to upgrade the AP firmware using the firmware files stored in
the system.
The administrator can upgrade the firmware of selected APs individually or at the same time by checking
the check box of the APs in Selection column. Note that both the version before upgrade and the next
version must be ones that have been integrated with the system.
h) WDS Management
WDS (Wireless Distribution System) is a function used to connect APs (access points) wirelessly. The
WDS management function of the system can help administrators to setup a "Tree" structure of WDS
network.
WDS Status: Status shows the added APs in the WDS Tree with the Security and Channel settings. The WDS
could be set up for more than one tree. Click Edit to change the WDS connection settings for the associated
WDS Tree.
WDS Update: Update the WDS connection with the following operations.
Add: Add a new WDS connection between a Child AP not yet in the WDS and a Parent AP from the AP List. A new WDS Tree is added if the selected Parent AP is not in any of the current WDS Trees. Click Edit to change the WDS connection settings for the newly added WDS Tree.
Move: Update a WDS connection with a Child AP from WDS and a Parent AP which could be connected
by WDS, and the previous WDS connection of the Child AP to the previous Parent AP will be deleted.
Delete: All the WDS connections of the selected AP will be deleted including the WDS connections to its
Child APs, and the Child APs without wired connection will become unreachable.
i) Rogue AP Detection
It is designed to detect the non-managed or possibly malicious AP in the deployed environment. It takes
the managed APs as sensors to find the non-managed AP even if the AP uses the same SSID with
managed AP's. It shows the AP's BSSID, ESSID, Type, Channel, Encryption, and report time.
General Config: This configuration item contains the switch for turning on features within this tab page.
i.e. Rogue AP Detection as well as an optional “Channel Switching” feature.
Sensor List Config: This configuration item contains a listing of all currently managed APs under Wide
Area AP Management. Administrator may select one or more APs as sensors to scan for rogue AP.
Trusted AP Config: Allows the administrator to maintain a list of detected APs that are known and to mark them as trusted.
Rogue AP List: Lists all detected Rogue APs with relevant information such as BSSID, Channel, Encryption and Report Time. Using the radio buttons at the bottom of the window, a selected Rogue AP can be added to the trusted list or deleted if it can be ignored.
General Configuration
Scanning Interval: The unit for this field is minute. Enter 0 to disable “Rogue AP Detection”. To enable
“Rogue AP Detection”, please enter an integer ranging from 1 ~ 999 as the detection interval.
AP Type: The drop down menu will contain the manageable model type for selection. The managed
APs of the selected model type will be listed in the scroll window below.
Administrator can check on one or more of the listed AP and click apply button at the bottom to designate
these APs as scanners.
Trusted AP Config
BSSID: The administrator can statically enter the BSSID of a known trusted AP in this list. An AP on this list that is present in the environment but not managed will not appear in the Rogue AP list. Because the exclusion is by BSSID alone, an attacker who clones a trusted BSSID is also excluded; keep this list short and review it periodically.
Remark: The administrator can enter a string of additional information about the trusted AP on the list.
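The following Python code is an added example, not part of the manual or the controller's software. It shows how a Rogue AP List can be derived from sensor scan reports using the rules described above: BSSIDs of managed APs and of Trusted AP entries are excluded, everything else is listed, and rogues advertising a managed ESSID (the same-SSID case the introduction mentions) are flagged separately with a severity. The managed inventory, trusted list and scan reports are constructed.

```python
"""Added example: derive a Rogue AP List from sensor scan reports.

Illustrative code, not the controller's implementation. Rules applied, as the
manual describes them: a BSSID that belongs to a managed AP or is in Trusted AP
Config is not a rogue; everything else is. Rogues that advertise the same ESSID
as a managed AP are flagged, and an open one is treated as the worst case, since
that is the pattern of a twin set up to harvest captive-portal credentials.
Inventory, trusted list and scan reports below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class ScanReport:
    bssid: str
    essid: str
    channel: int
    encryption: str      # e.g. "Open", "WPA2-PSK"
    sensor: str          # the managed AP that heard it
    report_time: str     # ISO 8601 text, constructed


@dataclass
class RogueEntry:
    essid: str
    channel: int
    encryption: str
    seen_by: Set[str] = field(default_factory=set)
    last_report: str = ""
    impersonates_managed_ssid: bool = False
    severity: str = "low"


def classify(reports: List[ScanReport], managed: Dict[str, str], trusted: Set[str]) -> Dict[str, RogueEntry]:
    """managed: BSSID -> ESSID of every managed radio; trusted: BSSIDs from Trusted AP Config.
    Returns the rogue list keyed by BSSID; BSSIDs are compared case-insensitively."""
    managed_bssids = {b.lower() for b in managed}
    managed_essids = set(managed.values())
    trusted_bssids = {b.lower() for b in trusted}
    rogues: Dict[str, RogueEntry] = {}
    for r in reports:
        bssid = r.bssid.lower()
        if bssid in managed_bssids or bssid in trusted_bssids:
            continue
        entry = rogues.setdefault(bssid, RogueEntry(r.essid, r.channel, r.encryption))
        entry.seen_by.add(r.sensor)                       # several sensors may report the same rogue
        entry.last_report = max(entry.last_report, r.report_time)
        if r.essid in managed_essids:
            entry.impersonates_managed_ssid = True
            entry.severity = "critical" if r.encryption == "Open" else "high"
    return rogues


MANAGED = {   # constructed: BSSID -> ESSID of the managed radios
    "00:11:22:aa:bb:01": "Campus-WiFi",
    "00:11:22:aa:bb:02": "Campus-WiFi",
    "00:11:22:aa:bb:03": "Campus-Staff",
}
TRUSTED = {"F8:1A:67:00:00:10"}   # constructed: a neighbour's AP, entered in upper case on purpose
REPORTS = [   # constructed reports from two sensor APs
    ScanReport("00:11:22:aa:bb:02", "Campus-WiFi", 6, "WPA2-Enterprise", "ap-lobby", "2024-05-14T10:00:00"),
    ScanReport("f8:1a:67:00:00:10", "NeighbourNet", 11, "WPA2-PSK", "ap-lobby", "2024-05-14T10:00:00"),
    ScanReport("de:ad:be:ef:00:01", "Campus-WiFi", 6, "Open", "ap-lobby", "2024-05-14T10:00:00"),
    ScanReport("de:ad:be:ef:00:01", "Campus-WiFi", 6, "Open", "ap-cafe", "2024-05-14T10:05:00"),
    ScanReport("c0:ff:ee:00:00:42", "CoffeeShop", 1, "WPA2-PSK", "ap-cafe", "2024-05-14T10:03:00"),
]


def demo():
    rogues = classify(REPORTS, MANAGED, TRUSTED)
    return tuple(
        (bssid, e.severity, e.impersonates_managed_ssid, tuple(sorted(e.seen_by)), e.last_report)
        for bssid, e in sorted(rogues.items())
    )


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the constructed data the managed radio and the trusted neighbour drop out, the coffee shop is listed as a low-severity rogue, and the open AP advertising Campus-WiFi is listed once (merged from both sensors, with the latest report time) and flagged critical. Which sensors hear a rogue is the first clue to its physical location.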
j) AP Load Balancing
This function prevents managed APs from overloading. When the system detects that the number of clients associated with an AP exceeds a predefined threshold while other APs in the same group are still below it, the balancing function decreases the overloaded AP's transmit power and increases the transmit power of the other available APs, giving them a better chance of being chosen for association. The system can divide the managed APs into groups and define the group threshold and the time interval that trigger AP load balancing.
Load Balancing: This configuration item enables the administrator to specify the criteria under which
AP load balancing feature will be enforced.
Balance Interval: The administrator specifies the time interval for which the system synchronizes the
number of clients within the cluster.
Cluster: This item when entered to its configuration page will display all the current AP groups and their
status info.
Device List: The scrollable window displays all the managed APs sorted by model name with relative
information such as Group, Name, MAC, IP, Power Lv, Loading, etc. The managed APs will have a
Group column for indicating which AP group it belongs to for AP Load Balancing feature to be enforced.
2) Wide Area AP Management
a) AP List
A list is to show the information of each managed AP, including Type, Name, IP Address, MAC Address,
AP Online/ Offline Status, # of Users, tunnel Status, AP Firmware version, and Geographic location.
Functions in this section also include the operations such as Delete, Add to Map, Backup Config, Restore
Config, Upgrade, Applying Settings, and Reboot.
All of the supported APs under management of the system will be shown on the list. In the beginning, the
list is empty. The administrator can add supported APs from the Discovery or Adding tabs. After APs are
added, this list will show the current managed APs including AP type, AP name, IP Address, MAC Address,
Status, number of Clients, Tunnel Status, AP Firmware Version, and geographic location. The
administrator can Delete, Add to Map, Backup Config, Restore Config, Upgrade, Applying Settings, Reboot
the managed AP by checking the check box in front of each individual AP or select all the APs together by
checking the top check box.
After adding APs to the managed list, the following operations can be executed on the listed APs.
Go: The EWS Controller cannot directly configure a Wide Area AP's settings remotely; the Goto button is
a convenient link for accessing the remote AP's WMI.
Note that the Goto button only becomes active when the listed AP's status is Online.
The drop down list on the column header is for specifying which WMI page to go to.
Delete: Remove the checked AP from the List.
Add to Map/Floor Plan: Clicking this button will open a popup window. Administrator can Mark the
selected APs on the Map or on the floor plan from the drop down list. If no map profile or floor plan has
been configured, there will be no available map/floor plan to choose in the drop down list.
Backup Config: Clicking this button opens a popup window where the administrator can back up the
chosen AP's configuration settings into a .db file stored in the EWS Controller's storage. The backup
files are listed under the Backup Config tab page for download or deletion.
Restore Config: Clicking this button will open a popup window where administrator can restore the
chosen AP’s configuration settings using a .db file stored locally in administrator PC or in the EWS
Controller’s storage.
Upgrade: Clicking this button will open a popup window where administrator can upgrade the chosen
AP’s firmware using a firmware file stored locally in administrator PC or in the EWS Controller’s memory
(under Firmware tab page).
Apply Settings: Apply the already prepared WAPM templates to selected AP so as to implement some
AP’s configuration or change AP Admin’s password for certain administration application.
Reboot: Clicking this button restarts the selected AP.
Export: Export current AP List with selectable columns.
Edit (AP Name): Click this button to enter the AP’s attribute editing page where administrator can
specify the Device Name and SNMP community. If the AP is to be marked on a map, this page also
allows administrator to configure the geographical location, coverage, related links and customize
marker or icon images that will be displayed on the map.
Edit (Tunnel Status): Click this button to set up the Port Location Mapping parameters of complete-tunnel
VAPs. The administrator can allocate a NAS Identifier and designate an IP pool for service for each
complete-tunneled VAP of a managed AP.
Go to: Main >> Devices >> Wide Area AP Management >> AP List.
Service Zone / Prefer DHCP Pool: This field shows the SZ to which this VAP will be tunneled. Preferred
DHCP Pool allows the administrator to specify the IP pool used to issue IP addresses to clients in this VAP.
User Limitation: Administrator can specify the number of clients which can be allocated an IP address for
service from this VAP.
ESSID: The ESSID of this VAP is displayed here.
Room Number / Location ID: Administrator can input a string of text describing the location ID of this VAP.
Room Description/ Location Name: Administrator can input a string of text describing the location name of
this VAP.
NAS Identifier: Administrator can assign an additional NAS ID to be coupled with this VAP if necessary.
b) AP Grouping
Map Configuration
The Map tab page is implemented with Google Map API version 3 which allows administrators to view at a glance
the whereabouts of all of the AP’s under Wide Area AP Management. This feature is helpful when it comes to
network planning and management.
Once the administrator has added APs to the managed list, these APs can be tagged or marked on the Google
Map to show their geographical location, as shown below:
The necessary steps required to configure your map with AP information are described in the subsequent sections.
Before adding a new map in Wide Area AP Management, a Google account is required (if you already have one,
this step can be skipped); this account is used to apply for a Google Maps API v3 key. For details, follow the
instructions from Google at https://cloud.google.com/maps-platform/ to obtain the Maps API v3 key, then
enter the key in the “Google Maps Registration Key” field under the Map Configuration page.
Click on “Sign up for a Google Maps API key”.
Click the terms and conditions check box and fill in your EWS Controller’s WAN IP address.
Google will generate an API key for your EWS Controller.
Now, return to the Map tab page in EWS Controller’s WMI and Scroll down to the bottom of the page, click on the
Add a New Map button.
An editing page will open for configuration, please fill in a Map Name for this map and its geographical
location as defined by Longitude and Latitude, remember to also fill in the Key issued by Google. Finally
choose the Zoom Level and Map Type and click the Save button.
The above screenshot is an example showing Taipei City with Map Name as Taipei Bridge, Zoom Level of
14 and Normal Map Type.
If you have several APs deployed and listed in List under Wide Area AP Management, their geographical
location can be marked on a particular map.
First, go to the List tab page and click the Edit button of the APs that you wish to mark on the map. In
the AP configuration page, set the coordinates (Latitude and Longitude) of this AP and the radius of its
signal coverage.
Fill in the coordinates where you wish to mark this particular AP. Link 1 ~ Link 3 are for configuring HTTP
links that will show up in the dialogue box on the map, for referencing additional information related to this
AP; for instance, the IP address of an IP surveillance camera connected to this AP or the URL of the website
of the venue where this AP is deployed.
The administrator can upload customized thumbnail images to be shown on the map. After configuring all the
necessary settings and uploading your images, click the Apply button and return to the AP List page.
Check the APs that you wish to mark on the map and click the “Add to Map/Floor Plan” button, choose
the name of the map on which you wish to mark these APs, and click the OK button.
The selected APs will show up as marker images on the map at the physical coordinates configured, as shown
below.
You can click on the AP icon to see the dialogue box for additional information or links that you have configured.
Click the more info link for information on AP status, Client List, WDS List and Links related to this AP.
AP status, Client List and WDS List information listed are collected from the remote AP via SNMP.
AP Grouping
In Wide Area AP Management, all the managed APs must be designated to an AP Group by Maps. Each AP must
be configured to belong to a map. All APs will be added to the Default Map, or you may create a new map for
selection before you add a new AP.
AP grouping allows different levels of administrators to manage APs by different AP group. An AP Group can
include multiple maps and AP templates. On the other hand, a map can be included by different AP groups. You
may assign different administrator groups to have different read/write permission for each AP group.
The Edgecore controller supports adding APs on Google Maps. The process is shown below:
1. Create your own map by clicking Add under Map List at the bottom page and then fill in the
necessary fields shown in the popup window. Click Apply.
2. Add the deployment location of the AP in the AP’s attribute profile (longitude and latitude). “Main
Menu > Devices > Wide Area AP Management > List - AP Attribute (Edit)”
3. Go back to the List page, choose the AP, and then click the “Add to Map/Floor Plan” button, and
choose the desired map. After the settings, admin should be able to see an icon of the AP on the
selected map.
4. Overview path: “Main Menu > Devices > Wide Area AP Management > Map”
5. Go to “Main Menu > Devices > Wide Area AP Management > AP Grouping > AP Grouping List” to
add or delete the AP group.
6. Click Add to add an AP group, each AP group can include maps and templates to be managed.
7. After an AP group is created, you may assign access permission to each AP group by adding an
Administrator Group to the Administrator Group List.
8. Assigning permission to an AP group.
c) Map
Map shows the managed APs and their WDS links on Google Maps. It is a utility for wireless network
planning and management.
Goto Map: When you have configured multiple map profiles, this function allows switching between
different maps.
Goto AP: This function is for administrator to select an AP on the list, and the map will shift to show the
selected AP in the center of the map.
Save Modification (except Overview map): This function is for saving the changes made to the map
and overwriting the maps’ profile attributes. For instance if you have altered or panned the original map,
clicking this button will save the changes made.
Show Longitude and Latitude: This function when pressed will display in a pop up window the
longitude and latitude of the map’s current center point.
List AP in this Map: Clicking this button will open a new page on your browser redirecting to the List
tab page for displaying a list of APs in the Map.
List WDS in this Map: Clicking this button will open a new page on your browser redirecting to the
WDS List tab page for displaying a list of WDS links on the Map.
Map/Satellite: Switches between the graphical map view and real satellite imagery.
Search: Finds locations or places on Google Maps (this does not search the managed APs).
Distance Calculation: Calculates the distance between two selected APs.
d) Discovery
The Discovery function detects supported types of APs over the Internet or an intranet. A discovered AP
can be added to the managed devices and automatically assigned the SNMP read community string, which
is then used for periodic status collection. To discover APs, click Add from the AP List and select Discovery
from the Add Method drop-down list.
To discover a new AP, first select the Device Type. Second, enter the current IP range of the APs, and the
Login ID and Password. Then click the Discover button. If a new AP is discovered, it appears in the
Discovery Results list.
Start / End IP address: Administrator needs to specify the IP address range for AP discovery, and the
specified IP address can be external or internal network IP addresses. This is useful when scanning for
multiple devices connected to the managed network. APs with an IP address that is not within the
specified range will not be listed after discovery.
Login ID / Password: Filling in the Login ID and Password of the target AP’s management interface will
allow the administrator to remotely configure the AP’s SNMP community.
Discover: When the administrator tries to discover a new AP, select the Device Type. Second, enter the
current IP range of the APs, Login ID and Password. Then click Discover button. If the new AP is
discovered, it will appear in the following Discovery Results list. The administrator may stop the
controller from scanning at any time during the discovery process.
Device Results: When the discovery process is complete, the APs found will be listed here. The
administrator can click Add to register the APs to the List for management.
Device Type: The AP model of the discovered AP.
IP Address: The IP address of the discovered AP.
Device Name: A name assigned to identify the device.
SNMP Community: The SNMP Read Community string used for status access.
SNMP Write Community: The SNMP Write Community string used for configuration modification.
Map: Assigns the managed device to a particular Map, for tiered administration or graphical view.
e) Adding
The Adding function is used to manually set up an AP via filling in the required information for that AP.
Besides the Discovery feature that can search and list multiple APs for adding to the management list,
administrators can also select Add an AP to directly add a single Access Point to the management list.
Simply configure the device's IP address, name and login credentials, set an SNMP community string and
click the Apply button.
The administrator can add supported APs onto the List table manually here. A manually added AP will
show up with a status of "offline" in the AP List initially. The system will attempt to connect to the AP by
SNMP protocol. After successful SNMP Reads, the manually added AP will become online.
f) Template
Select a country code depending on the firmware version on your Access Point. This dynamically
changes the available channels on your access point.
General Settings
RF Card Name: Select an RF Card for your AP.
Band: Depending on the AP model template you are editing, there are different modes to select,
802.11a, 802.11b, 802.11g, 802.11a+802.11n, 802.11b+802.11g, 802.11g+802.11n and 802.11ac.
Short Preamble: The short preamble with a 56-bit synchronization field can improve WLAN
transmission efficiency. Select Enable to use Short Preamble or Disable to use Long Preamble with a
128-bit synchronization field.
Short Guard Interval (available when Band is 802.11g+802.11n or 802.11a+802.11n): The guard
interval is the space between symbols (characters) being transmitted to eliminate inter-symbol
interference. In order to further boost throughput with 802.11n, short guard interval is half of what it
used to be; please select Enable to use Short Guard Interval or Disable to use normal Guard Interval.
Channel Width (802.11g+n, 802.11a+n and 802.11ac only): Choose between 20MHz, 40MHz or
Auto. Doubling channel bandwidth to 40 MHz is supported to enhance throughput. 80MHz is available
for selection in 802.11ac mode.
Channel: Select the appropriate channel from the drop-down menu to match your network settings. When
set to “Auto” and the Band is “802.11a”, “802.11a+n”, or “802.11ac”, a channel selector table is used to
pick another channel when the chosen channel suffers interference or a DFS channel signal is detected.
Antenna Mode (802.11g+n, 802.11a+n and 802.11ac only): Configure the number of spatial
streams for transmission and receiving.
Transmit Power: On select AP models, the signal strength transmitted from the system can be
selected by Levels. Each level signifies a decrement of 1 dBm from the highest power. Level 1 is the
actual highest power, Level 2 is the highest power minus 1 dBm, so on and so forth.
Beacon Interval (ms): Enter a value between 20 and 1000 msec. The default value is 100
milliseconds. The entered time means how often the beacon signal is transmitted between the access
point and the wireless network.
ACK Timeout: The time interval to wait for the “acknowledgement (ACK) frame”. If the ACK is not
received within the interval, the packet is re-transmitted. A higher ACK Timeout interval decreases
packet loss, but throughput is also decreased.
Airtime Fairness: When set to “Fair Access”, this feature ensures all devices with different band
compatibilities have the same air time. When set to “Preferred Access”, 802.11n and 802.11ac clients
are prioritized. This feature is ideal for networks with devices supporting different bands.
Packet Delay Threshold (ms): This is the Tx queue flushing mechanism, whose purpose is to drop
packets and immediately process others if the queue has been processing for more than x
milliseconds. This is disabled by default (=0).
Idle Timeout (s): A client is disconnected when its inactivity reaches the configured amount of time in
seconds; the default is 300s.
Band Steering: When enabled, clients with 5GHz connectivity will be steered towards the 5GHz
band to reduce congestion in the 2.4GHz band. This is applicable only when the AP is set to 2.4GHz
and 5GHz on the 2 RF Cards. When “Aggressive” is checked, clients with 5GHz connectivity are
forced to connect to the 5GHz band.
Interference Detection: When the utilization, latency, and invalid packet rate of the current channel or
adjacent channels reach the configured threshold, the AP switches to a different channel.
Transmission Rate Threshold: The associated client will be kicked when transmission rate is lower
than the configured threshold. This ensures high connection speed for all associated clients.
WME Configuration: Wireless Multimedia Extensions (WME), also known as Wi-Fi Multimedia
(WMM), is a Wi-Fi Alliance interoperability certification based on the IEEE 802.11e standard. It
provides basic Quality of Service (QoS) features to IEEE 802.11 networks. Access priority can be
configured using the following parameters: CW Min (Contention Window Minimum), CW Max
(Contention Window Maximum), AIFS (Arbitration Inter-Frame Spacing), and TXOP Limit (Transmission
Opportunity Limit).
UAPSD: U-APSD stands for Unscheduled Automatic Power Save Delivery, an 802.11 power save
mechanism that works with WMM. When a client device is in Power Save mode (i.e. its receiver is
turned off and thus cannot receive any data frames), the AP will temporarily buffer all frames destined
to the client.
VAP Configuration
Access Control Type: Configure a list of devices (MAC addresses) to decide which devices are allowed to
associate to the VAP.
- Disable: There is no restriction on client device access.
- MAC ACL Allow List: Only the client devices (MAC addresses) listed are granted access to the
system.
- MAC ACL Deny List: All client devices (MAC addresses) are granted access to the system except
for the ones listed in the Deny List.
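The decision logic behind the three Access Control Types above, as an added example (this is illustrative code written for this page, not the controller's or the AP's own implementation). It shows the point that matters operationally: an Allow List is default-deny, a Deny List is default-allow, and list entries only match reliably if MAC addresses are canonicalised first, since the same address can be written with colons, dashes, dots or mixed case. The function names and the string values "disable", "allow" and "deny" are assumptions of the example, not the product's identifiers.

```python
"""MAC ACL decision for a VAP: Disable / Allow List / Deny List semantics.

Added example for this page; not the EWS Controller's own code.
"""
import re

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC address to 12 lowercase hex digits.

    "AA:BB:CC:DD:EE:FF", "aa-bb-cc-dd-ee-ff" and "aabb.ccdd.eeff" all become
    "aabbccddeeff", so a list entry matches a client however it was typed.
    Raises ValueError on malformed input instead of silently never matching.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


def is_association_allowed(acl_type: str, acl_entries, client_mac: str) -> bool:
    """Return True if a client may associate to the VAP under the given ACL type.

    acl_type is one of the example's own labels (assumed, not the product UI):
      "disable" - no restriction
      "allow"   - only listed MACs are admitted (default-deny)
      "deny"    - everything is admitted except listed MACs (default-allow)
    """
    mac = normalize_mac(client_mac)
    entries = {normalize_mac(e) for e in acl_entries}
    if acl_type == "disable":
        return True
    if acl_type == "allow":
        return mac in entries
    if acl_type == "deny":
        return mac not in entries
    raise ValueError(f"unknown access control type: {acl_type!r}")


if __name__ == "__main__":
    # Constructed sample list and clients.
    listed = ["AA:BB:CC:DD:EE:FF", "00-11-22-33-44-55"]
    for acl in ("disable", "allow", "deny"):
        for client in ("aa:bb:cc:dd:ee:ff", "66:77:88:99:aa:bb"):
            print(acl, client, is_association_allowed(acl, listed, client))
```

A MAC ACL is a hygiene control, not an authentication control: the client supplies its own address, so the Allow List should be combined with the Security Settings below (WPA-Personal or WPA-Enterprise) rather than relied on alone.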
Security Settings
Select the desired Security Type from the drop-down menu, which includes Open, WEP, WPA-Personal,
WPA-Enterprise, and OSEN.
RTS Threshold: Enter a value between 1 and 2346. RTS (Request to Send) Threshold determines the
packet size at which the system issues a request to send (RTS) before sending the fragment to prevent the
hidden node problem. The RTS mechanism will be activated if the data size exceeds the value provided. A
lower RTS Threshold setting can be useful in areas where many client devices are associating with the AP
or in areas where the clients are far apart and can detect only the AP but not each other.
Fragmentation Threshold (802.11a, 802.11b and 802.11g Modes): Enter a value between 256 and 2346.
A packet size larger than this threshold will be fragmented (sent with several pieces instead of one chunk)
before transmission. A smaller value results in smaller frames but allows a larger number of frames in
transmission. A lower Fragment Threshold setting can be useful in areas where communication is poor or
disturbed by a serious amount of radio interference.
DTIM Period: Input the DTIM Interval that is generated within the periodic beacon at a specified frequency.
Higher DTIM will allow the wireless client to save more energy, but the throughput will be lowered.
Consecutive Retries Threshold: This is the maximum number of transmission retries the AP will attempt
when a packet transmission is dropped before deciding the client is out of transmission reach. When
transmission retries fail for the set number of times, the Access Point kicks the client to optimize
performance for the other connected clients.
Broadcast SSID: Disabling this function will stop the system from broadcasting its SSID. If broadcast of
the SSID is disabled, only devices that have the correct SSID can connect to the system.
Wireless Station Isolation: By enabling this function, all stations associated with the system are isolated
and can only communicate with the system.
IAPP: IAPP (Inter Access Point Protocol) is a protocol by which access points share information about the
stations connected to them. When this function is enabled, the system will automatically broadcast
information of associated wireless stations to its peer access points. This will help wireless stations roam
smoothly among IAPP-enabled access points in the same wireless LAN.
Multicast-to-Unicast Conversion: When Multicast-to-Unicast Conversion is enabled, the Access Point
intelligently forwards traffic only to those ports that request multicast traffic. Conversely, when disabled,
multicast traffic is treated like broadcast traffic, with packets forwarded to all ports, causing network
inefficiencies.
TX STBC: STBC (Space-Time Block Coding) is a pre-transmission encoding done by a MIMO transmitter that
improves the signal-to-noise ratio even at a single-antenna (non-MIMO) RF receiver.
Multicast/Broadcast Rate: Bandwidth configuration for multicast/broadcast packets. If your wireless
clients require a larger or smaller bandwidth for sending multicast/ broadcast packets, the administrator can
customize the Access Point’s multicast/ broadcast bandwidth here.
Management Frame Rate: This feature controls the bandwidth for Management Frames. The higher
the rate, the shorter the range the transmission covers.
Receiving RSSI Threshold: To ensure connected stations have quality connection speeds, a station will
not be able to associate to the network unless its receiving sensitivity meets the configured threshold.
Hotspot 2.0 is also known as WiFi Certified Passpoint initiated by the WiFi Alliance to provide better
bandwidth and services for public WiFi subscribers. The HotSpot 2.0 feature is designed only for service
providers and their partners. Please consult your service providers or our service team to complete the
configuration.
Firewall Settings
Proxy ARP: When enabled, the AP replies to ARP requests on behalf of downlink stations. The ARP table
maintained by the AP is used as a lookup table upon receipt of an ARP request from the AP uplink.
Conversely, without Proxy ARP, the ARP request is broadcast down into the AP's wireless network, causing
network inefficiencies.
g) WDS List
This list shows the information of each WDS link configured in the managed AP, including Peer AP,
Band, Channel, Security, TX Power, Link Speed, RSSI, TX Bytes, TX Packets, STP and Status.
Any WDS link established between APs on the AP List is shown here with related information such as
the Band and Channel of the link, the Security settings if any, the Transmit Power, Bytes, Packets, etc.
h) Backup Config
Backed-up config files can be used to restore the settings of an AP in the List. When the administrator backs
up an AP's configuration settings, all the backup files are listed on the Backup Config tab page and can be
downloaded to a local storage device or deleted from the EWS Controller's memory.
An automatic Daily Backup is also available. Configure the backup time in 24-hour clock format, and the
controller will back up the APs' configurations at that hour automatically.
i) Firmware
The EWS Controller can store AP firmware in its built-in memory. Under the Firmware tab page the
administrator can upload new AP firmware to the EWS Controller's memory, allowing for easy remote AP
upgrade and restore operations from the AP List page. The AP firmware listed under this page can be
downloaded or deleted from the EWS Controller's memory if desired.
j) CAPWAP
CAPWAP is a standard interoperable protocol that enables an EWS Controller to manage a collection of
wireless access points.
CAPWAP Status: The configuration status of the CAPWAP function. Select Enable to turn the function on,
allowing CAPWAP-capable APs to be added automatically to the managed AP List.
Apply Certificate to APs: This configuration item allows the administrator to select which of the certificates
will be used during CAPWAP negotiation between AC and AP. If the certificate selected is invalid, the
negotiation will be unsuccessful and the AP will not be automatically added in the managed List.
IP Address For Control Channel: The IP address on the AC side used to negotiate the CAPWAP tunnel with
the AP on the other side of the control channel.
IP Netmask For Control Channel: The netmask size could be automatically/ manually set according to the
maximum number of managed APs.
Control Channel IP Range: The IP pool for assigning to AP side, establishing the control channel to
communicate. The number of IPs is defined by above IP Address and IP Netmask For Control Channel.
Access Controller IP List: The AC can statically designate other CAPWAP-capable ACs as backup ACs
for CAPWAP APs in case it can no longer provide service. The number designates the priority of these
backup ACs for the AP: if the original AC is down, the AP first attempts to join the No. 1 backup AC,
and so on.
k) Rogue AP Detection
This function detects non-managed or possibly malicious APs in the deployed environment. It uses the
managed APs as sensors to find non-managed APs, even when they use the same SSID as the managed
APs. It shows each AP's BSSID, ESSID, Type, Channel, Encryption, and found time.
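The classification step a controller performs with this kind of sensor data, as an added example (written for this page; not Edgecore's code, and the record layout, field names and all sample scan data are constructed). Each managed AP reports the BSSIDs it hears; anything whose BSSID is not in the managed inventory but which advertises one of the managed ESSIDs is flagged as a likely evil twin, while other foreign BSSIDs (a neighbour's network) are reported as merely unmanaged. Sightings are merged per BSSID so the report keeps the earliest found time and every sensor that heard it, which is what you need to localise the device.

```python
"""Rogue AP classification over scan reports from managed APs acting as sensors.

Added example for this page; not the EWS Controller's own code or data format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    bssid: str        # BSSID heard by the sensor AP
    essid: str        # advertised network name
    channel: int
    encryption: str   # e.g. "WPA2", "Open"
    seen_at: str      # ISO-8601 timestamp of the sighting (lexically sortable)
    sensor: str       # name of the managed AP that reported it


# Constructed inventory: BSSIDs of the APs the controller manages.
MANAGED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Constructed list of ESSIDs the managed network legitimately advertises.
MANAGED_ESSIDS = {"CorpWiFi", "CorpGuest"}


def classify(entry: ScanEntry, managed_bssids, managed_essids) -> str:
    """'managed'   - one of our own APs
       'evil-twin' - unmanaged BSSID advertising one of our ESSIDs
       'unmanaged' - some other network (e.g. a neighbour)"""
    if entry.bssid.lower() in {b.lower() for b in managed_bssids}:
        return "managed"
    if entry.essid in managed_essids:
        return "evil-twin"
    return "unmanaged"


def rogue_report(entries, managed_bssids=MANAGED_BSSIDS, managed_essids=MANAGED_ESSIDS):
    """Merge sightings per BSSID (earliest found time, all sensors that heard it)
    and return the non-managed ones, evil twins first."""
    by_bssid = {}
    for e in entries:
        kind = classify(e, managed_bssids, managed_essids)
        if kind == "managed":
            continue
        key = e.bssid.lower()
        rec = by_bssid.setdefault(key, {
            "bssid": key, "essid": e.essid, "type": kind, "channel": e.channel,
            "encryption": e.encryption, "found": e.seen_at, "sensors": set(),
        })
        rec["found"] = min(rec["found"], e.seen_at)
        rec["sensors"].add(e.sensor)
    order = {"evil-twin": 0, "unmanaged": 1}
    return sorted(by_bssid.values(), key=lambda r: (order[r["type"]], r["bssid"]))


# Constructed sample scan: two managed sensors, one evil twin, one neighbour.
SAMPLE_SCAN = [
    ScanEntry("00:11:22:33:44:01", "CorpWiFi", 1, "WPA2", "2024-01-01T10:00:00", "AP-1"),
    ScanEntry("00:11:22:33:44:02", "CorpWiFi", 6, "WPA2", "2024-01-01T10:00:00", "AP-1"),
    ScanEntry("DE:AD:BE:EF:00:01", "CorpWiFi", 6, "Open", "2024-01-01T10:05:00", "AP-1"),
    ScanEntry("de:ad:be:ef:00:01", "CorpWiFi", 6, "Open", "2024-01-01T10:03:00", "AP-2"),
    ScanEntry("66:77:88:99:aa:bb", "CoffeeShop", 11, "WPA2", "2024-01-01T10:04:00", "AP-2"),
]


if __name__ == "__main__":
    for rec in rogue_report(SAMPLE_SCAN):
        print(rec["type"], rec["bssid"], rec["essid"], "ch", rec["channel"],
              rec["encryption"], "first seen", rec["found"], "by", sorted(rec["sensors"]))
```

An open network using a managed ESSID is the highest-priority finding, since clients configured for that SSID may auto-join it; the report ordering reflects that.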
l) AP Load Balancing
This function prevents managed APs from becoming overloaded. When the system detects that an AP's
associated-client count exceeds a predefined threshold while other APs in the same group are still below the
threshold, the balancing function is activated: it decreases the overloaded AP's transmit power and increases
the transmit power of the other available APs, giving clients a better chance of associating with those APs.
The system can divide the managed APs into groups and define the group threshold and the time interval that
triggers AP load balancing.
The Wide Area AP Management feature also supports grouping the managed APs and performing transmit
power management to spread the network load as evenly as possible among APs of the same group.
WAPM Load Balancing: This configuration item enables the administrator to specify the criteria under
which AP load balancing feature will be enforced.
AP Distance: This parameter allows the administrator to specify the distance which will be used as a
measure of grouping managed APs. The unit is in meters, the administrator can configure an integer
ranging from 0 ~ 999 where 0 signifies that the function is Disabled. APs which are distanced within the
configured distance from one another will be regarded as the same group.
Interval: This parameter allows the administrator to specify a time interval when the controller will check
the loading of each APs in the same group and initiate load balancing if necessary.
Threshold: This parameter allows the administrator to select between client loading Number of Client
or traffic loading Number of Packets as the measure of an AP’s system load. Administrator can specify
the system threshold which will initiate the load balancing mechanism.
Map: Select the map to show the clusters and APs on this map.
Cluster: Show the number of the clusters on this map.
Configure: Entering a page to enable/disable AP Load Balancing function on each cluster.
Create: Create clusters on current map according to AP distance.
Delete: Delete clusters on current map.
Cluster and Device List: The scrollable window displays all the managed APs sorted by model name,
with related information such as Group, Name, IP, Power Level, Loading, etc. Each managed AP has a
Group column indicating the AP cluster it belongs to for AP Load Balancing. Click the “View” button to
see the AP Load Balancing logs for each AP.
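A simulation of the mechanism described in the AP Load Balancing overview and the parameter list above, added here as an example (it models the behaviour the manual describes and is not the controller's own code). It implements the general procedure rather than one screenshot: APs within AP Distance of one another (transitively) form a cluster, with 0 disabling grouping; at each Interval every cluster is checked against the Threshold; an overloaded AP steps down one transmit power level (one level = 1 dBm lower, Level 1 being the highest) and the still-underloaded APs in the same cluster step up, but only when the cluster contains both kinds, since balancing a cluster whose members are all over threshold would achieve nothing. Planar coordinates in metres, client counts, the 10-level power range and the function names are all constructed assumptions; the threshold is measured in clients here, but the same logic applies to a Number of Packets threshold.

```python
"""Simulation of distance-clustered, threshold-driven AP load balancing.

Added example for this page; not the EWS Controller's own implementation.
"""
import math
from dataclasses import dataclass


@dataclass
class AP:
    name: str
    x: float               # constructed planar position in metres
    y: float
    clients: int           # current associated-client count (the load measure)
    power_level: int = 1   # 1 = highest transmit power; each +1 is 1 dBm lower


def cluster_by_distance(aps, ap_distance: float):
    """Group APs that are within ap_distance metres of one another, transitively
    (single-linkage via union-find). ap_distance == 0 means grouping is disabled:
    every AP is alone in its cluster, so no balancing can take place."""
    parent = {ap.name: ap.name for ap in aps}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]   # path compression
            n = parent[n]
        return n

    if ap_distance > 0:
        for i, a in enumerate(aps):
            for b in aps[i + 1:]:
                if math.hypot(a.x - b.x, a.y - b.y) <= ap_distance:
                    parent[find(a.name)] = find(b.name)

    clusters = {}
    for ap in aps:
        clusters.setdefault(find(ap.name), []).append(ap)
    return list(clusters.values())


def balance_cluster(cluster, threshold: int, max_level: int = 10):
    """One balancing pass over one cluster.

    Overloaded APs (clients > threshold) step down one power level and APs at or
    under the threshold step up one level, but only if the cluster has both kinds.
    Returns a list of (ap_name, old_level, new_level) actions; empty if nothing changed.
    """
    over = [ap for ap in cluster if ap.clients > threshold]
    under = [ap for ap in cluster if ap.clients <= threshold]
    if not over or not under:
        return []
    actions = []
    for ap in over:
        new = min(ap.power_level + 1, max_level)   # cannot go below the lowest level
        if new != ap.power_level:
            actions.append((ap.name, ap.power_level, new))
            ap.power_level = new
    for ap in under:
        new = max(ap.power_level - 1, 1)           # Level 1 is already the maximum
        if new != ap.power_level:
            actions.append((ap.name, ap.power_level, new))
            ap.power_level = new
    return actions


def run_interval(aps, ap_distance: float, threshold: int):
    """What the controller would do once per Interval: cluster, then balance each cluster."""
    actions = []
    for cluster in cluster_by_distance(aps, ap_distance):
        actions.extend(balance_cluster(cluster, threshold))
    return actions


def sample_aps():
    """Constructed deployment: AP-A and AP-B are 30 m apart, AP-C is far away."""
    return [
        AP("AP-A", 0, 0, clients=40, power_level=3),
        AP("AP-B", 30, 0, clients=10, power_level=3),
        AP("AP-C", 500, 500, clients=40, power_level=1),
    ]


if __name__ == "__main__":
    aps = sample_aps()
    for name, old, new in run_interval(aps, ap_distance=50, threshold=30):
        print(f"{name}: power level {old} -> {new}")
```

In the sample, AP-A is overloaded while its neighbour AP-B has spare capacity, so AP-A is turned down and AP-B up; AP-C is equally overloaded but has no cluster partner, so it is left alone, and with AP Distance set to 0 nothing happens at all.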
To check and manage the list of third-party APs, go to: Access Points >> Enter Wide Area AP Management >>
List.
Manage this third-party AP from the Type list. Edit its AP Attribute and Administration from the column.
Go to the Map icon. The added third-party AP can also be placed on Google Maps and use all map functions.
3) Switches
Switches: This section is used to configure all Switch Management related settings.
a) Switch List
The EWS Controller is capable of managing the Edgecore switches. Switches under management of the
system will be shown on this list.
The Switch's name will be shown as a hyperlink. Click the hyperlink of each managed switch for further
configuration (General Setting, PoE Setting, VLAN Membership Setting, Port Setting, PoE Schedule) on the
switch.
Click the hyperlink of the shown Status of each managed AP for detailed status information of the AP (General
Setting, PoE Setting, VLAN Membership Setting, Port Setting, PoE Schedule).
Add: The “Add” function is used to set up a switch via filling in the required information. After the switch
is added to the List, the switch's status will display "online" or "offline”.
Delete: Select the switches you wish to remove from the list by clicking the corresponding checkboxes
followed by the Delete button.
Restart: Select the switches you wish to reboot from the list by clicking the corresponding checkboxes
followed by the Restart button.
Backup: The “Backup” button saves the configuration .db file for the switch on the controller. This file
can be used for restoring settings on a switch.
Restore: When a Backup configuration file is saved on the controller, check the checkbox for the switch
and click the “Restore” button to restore settings on a switch.
The first template is the default template and cannot be deleted. The Template Name may be customized for easy
reference (e.g. Switch-Core1).
Click "Configure", illustrated by the pencil icon, to enter settings for the Template. The following can be set on the
PoE Schedule Template:
- Power Supply Schedule
- Apply to: The band, channel width, transmit power, etc.
If there is an existing managed switch online and you would like the same settings to be applied to newly added
switches, choose from the drop-down list under "Copy Settings From" and click "Apply".
Additional remarks can be added to the Remark section for administrators' reference.
c) Backup Configuration
The list gives an overview of the backed-up configurations. Administrators may download a configuration file for
restoration, or check the checkboxes to delete the selected configuration files.
E. Network
Network: This section is used to configure all the network settings.
1) NAT
The NAT function supports 3 types of network address translation: DMZ (Demilitarized Zone), Public
Accessible Server and IP/Port Forwarding.
Demilitarized Zone
The system supports specific sets of Internal IP address (LAN) to External IP address (WAN) mappings in the
Static Assignments. The External IP Address of the Automatic WAN IP Assignment is the IP address of the
External Interface (WAN1), which changes dynamically if the WAN1 interface is Dynamic. When Assign WAN IP
Automatically is checked, the entered Internal IP Address is bound to the WAN1 interface. Each Static
Assignment can be bound to the chosen External Interface, WAN1 or WAN2. There are specific sets of static
Internal IP Address and External IP Address available; Internal and External IP Addresses are entered as a
set. After the setup, access to the External IP Address on the WAN is mapped to the Internal IP Address.
These settings become effective immediately after clicking the Apply button.
Public Accessible Servers allow the administrator to set virtual servers, so that client devices outside the managed
network can access these servers within the managed network. Different virtual servers can be configured for
different sets of physical services, such as TCP and UDP services in general. Enter the “External Service Port”,
“Local Server IP Address” and “Local Server Port”. Select “TCP” or “UDP” for the service’s type. In the
Enable column, check the desired server to enable. These settings will become effective immediately after clicking
the Apply button.
This function allows the administrator to define a limited number of IP address sets for redirection purposes.
When a user attempts to connect to a destination IP address listed here, the connection packet is
translated and redirected to the corresponding destination. Enter the “IP Address” and “Port” of the
Destination, and the “IP Address” and “Port” of the Translated to Destination. Select “TCP” or “UDP” for
the service's type. These settings become effective immediately after clicking Apply.
2) Monitor IP
Multiple IP addresses can be defined in the Monitor IP function. The system can monitor these IP-based network devices and periodically report their online status via email at a configurable interval. These monitored devices can be accessed via an HTTP or HTTPS connection. The management interface of a monitored device can be accessed via the hyperlink of the device's IP address when the system operates in NAT mode.
Walled Garden Advertisements are advertisement links that clients can access before they are authenticated by the system. For example, hotel guests without network access rights can still visit these sites free of charge.
The system supports up to 200 Walled Garden entries, and 40 of the 200 can be selected as Walled Garden
Advertisements.
Click Add to add a new entry. Enter the Domain Name/IP Address/URL and select the “Active” checkbox. Click
Apply, and the items will be added and shown on the list.
Display: Choose Display to display advertisement hyperlinks on the login pages, corresponding to Service
Zone configuration.
Note that entries selected as Walled Garden Ad must be a URL and cannot be an IP address with prefix.
Note that both the Walled Garden checkbox and the Advertisement checkbox must be checked to enable the Walled Garden Advertisement feature.
4) VPN
On this tab, 2 types of VPN are available on the system: Remote VPN and Site-to-Site VPN. For Remote VPN, the system allows a VPN tunnel between a remote client and the system to encrypt the data transmission via IKEv2. For Site-to-Site VPN, an IPSec tunnel can be used to connect to other IPSec-capable devices over the Internet.
5) Proxy Server
The system provides a Built-in Proxy Server and an External Proxy Server function. After successful authentication, the clients will be directed to the desired proxy servers.
Basically, a proxy server can help clients access network resources more quickly. This section presents basic examples for configuring the proxy server settings of the EWS CONTROLLER.
Using Internet Proxy Server
A built-in proxy server in the controller can be enabled, even when a Proxy Server is placed outside the LAN environment or on the Internet. For example, the following diagram illustrates how the proxy server of an ISP is used.
By enabling the built-in Proxy Server, all traffic is forwarded to the local Proxy Server on the controller.
NOTE
By enabling the Proxy Server, clients are required to manually check the Proxy Server settings in their stations’ Internet Options. To apply a Transparent Proxy, please use Port and IP forwarding.
6) Local DNS Record
The administrator can statically assign Domain Name to IP mappings for all clients connected to the EWS Controller’s LAN network. This feature can be used to direct clients to a preferred IP address for certain Domain Names.
7) Dynamic Routing
The function supports three dynamic routing protocols: RIP, OSPF and IS-IS.
ISIS Configuration: IS-IS is a routing protocol designed to move information efficiently within a computer network, a group of physically connected computers or similar devices. You can configure the Circuit Type of each interface as Level 1 or Level 2.
Net ID: The ISO address, or Network Entity Title (NET). The NET is used just like an IP address to uniquely identify a router on the inter-network.
Route Level: Level 1 systems route within an area; when the destination is outside an area, they route toward a Level 2 system. Level 2 intermediate systems route between areas and toward other routing domains. The level type of each network interface can be assigned.
OSPF Configuration: OSPF is an adaptive routing protocol for Internet Protocol (IP) networks. You can configure the Area, Stub setting and authentication of each interface.
Area: An Area is a set of networks and hosts within a routing domain that have been administratively grouped together. Area 0, known as the backbone area, resides at the top level of the hierarchy and provides connectivity to the non-backbone areas (numbered 1, 2, and so on).
Stub: Areas through which or into which AS external advertisements are not flooded.
Authentication: Allows the authentication of OSPF neighbors. The authentication method "none" means that no authentication is used for OSPF; it is the default method. With MD5 authentication, enter the MD5 password; the password itself does not pass over the network.
Advertise as Default Gateway: Inform neighboring nodes that this controller is the default gateway.
Advertise Global Policy Route: Inform neighboring nodes of the Global Policy route on this controller.
Redistribute RIP: Check this option to use OSPF to distribute routing information acquired via RIP.
RIP Configuration: RIP is a dynamic routing protocol used in local and wide area networks. For each interface you can configure Passive mode, the supported RIP version and authentication.
Passive: RIP packets will not be sent from network interfaces that are checked as Passive.
Version: Select the RIP version for this interface. RIPv1 uses broadcast to deliver RIP packets, RIPv2 uses multicast to deliver RIP packets, and Both uses broadcast and multicast.
Authentication: Allows the authentication of RIP neighbors. The authentication method "none" means that no authentication is used for RIP; it is the default method. Two modes of authentication are available on an interface for which RIP authentication is enabled: plain text authentication and MD5 authentication.
Advertise as Default Gateway: Inform neighboring nodes that this controller is the default gateway.
Advertise Global Policy Route: Inform neighboring nodes of the Global Policy route on this controller.
Redistribute OSPF: Check this option to use RIP to distribute routing information acquired via OSPF.
RIP Timer:
Update timer: Specify the time in seconds after which the system requests an immediate update of routing information.
Timeout Timer: Routes are only kept in the routing table for a limited amount of time. A separate Timeout timer is started whenever a route is installed in the routing table. Whenever the router receives another RIP Response with information about that route, the route is considered “refreshed” and its Timeout timer is reset. When this timer expires, the route is marked as invalid.
Garbage Collection Timer: Specify the time in seconds before an invalid route is erased from the routing table.
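To make the interaction of the Timeout and Garbage Collection timers concrete, here is an added example (not Edgecore's code) that models a route's lifetime in a small RIP table: the prefixes, next hops, timer values and class API are assumptions, and the Update timer is modelled with its standard RIP meaning of a periodic update interval.

```python
from dataclasses import dataclass
from typing import Dict, Optional

RIP_INFINITY = 16  # RIP metric meaning "unreachable"


@dataclass
class RipRoute:
    next_hop: str
    metric: int
    last_refreshed: float                  # install time, or the last RIP Response naming it
    invalid_since: Optional[float] = None  # set when the Timeout timer expires


class RipRouteTable:
    """Hypothetical route table driven by the three configurable RIP timers (seconds)."""

    def __init__(self, update: float = 30, timeout: float = 180, garbage: float = 120):
        self.update, self.timeout, self.garbage = update, timeout, garbage
        self.routes: Dict[str, RipRoute] = {}
        self.last_update_sent = 0.0

    def install(self, prefix: str, next_hop: str, metric: int, now: float) -> None:
        """Installing a route in the table (re)starts its Timeout timer."""
        self.routes[prefix] = RipRoute(next_hop, metric, now)

    def on_response(self, prefix: str, next_hop: str, metric: int, now: float) -> None:
        """Handle a RIP Response that carries information about this route."""
        route = self.routes.get(prefix)
        if metric >= RIP_INFINITY:
            # The neighbour withdrew the route: start garbage collection right away.
            if route is not None and route.invalid_since is None:
                route.invalid_since, route.metric = now, RIP_INFINITY
            return
        if route is None or route.invalid_since is not None or route.next_hop != next_hop:
            self.install(prefix, next_hop, metric, now)
        else:
            route.last_refreshed = now  # the route is "refreshed": Timeout timer reset
            route.metric = metric

    def tick(self, now: float) -> None:
        """Advance the clock: mark timed-out routes invalid, then erase garbage-collected ones."""
        for prefix, route in list(self.routes.items()):
            if route.invalid_since is None and now >= route.last_refreshed + self.timeout:
                route.invalid_since = route.last_refreshed + self.timeout
                route.metric = RIP_INFINITY  # kept briefly so it can be advertised as unreachable
            if route.invalid_since is not None and now >= route.invalid_since + self.garbage:
                del self.routes[prefix]

    def state(self, prefix: str) -> str:
        route = self.routes.get(prefix)
        if route is None:
            return "absent"
        return "invalid" if route.invalid_since is not None else "valid"

    def update_due(self, now: float) -> bool:
        """Assumed standard RIP meaning of the Update timer: periodic update interval elapsed."""
        return now - self.last_update_sent >= self.update


if __name__ == "__main__":
    table = RipRouteTable(timeout=180, garbage=120)
    table.install("10.1.0.0/16", "192.0.2.1", 2, now=0)   # constructed sample route
    for t in (100, 250, 300, 400):
        table.tick(t)
        print(t, table.state("10.1.0.0/16"))
```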
8) DDNS
Before activating this function, you must have your Dynamic DNS hostname registered with a Dynamic DNS provider. EWS CONTROLLER supports a Dynamic DNS function that creates an alias from the dynamic IP address of the WAN port to a static domain name, allowing the administrator to easily access the EWS Controller’s WAN. If dynamic DHCP is activated on the WAN port, the system will periodically update the IP address registered with the DNS provider. These settings become effective immediately after clicking Apply.
Username/E-mail: The registered ID (username or e-mail) for the DNS provider.
Password/Key: The registered password for the DNS provider.
9) Client Mobility
IP PNP: Enable this feature so that devices with static or DHCP IP, DNS and Gateway settings can obtain Internet access from the controller.
Cross Gateway Roaming: Configure this gateway as Master or Slave. In Master mode, you may also need to enter the Slave IP and Secret Key. In Slave mode, enter the Master IP and Key.
Master Node: When configuring a Master Node, one master can activate up to 15 Slave node settings.
Slave Node: When configuring a Slave Node, enter its master node settings.
F. Utilities
Utilities: This section provides functions for modifying accounts, Backup/Restore system, Firmware upgrade,
Restart service, Network utilities, and Certificate.
1) Administrator Account
This can be used to create, edit, remove and check administrator accounts.
The login account for the administrator is "admin". The admin password of the system can be changed here by clicking the admin Name and entering the original password and the new password. The default admin password of the system is "admin". The Elementary School’s Name field may also be entered for security purposes in case the admin username or password has been forgotten. Note that Email and Elementary School’s Name should be both empty or both filled.
It also allows the administrator to create other administrator accounts with different permissions.
Admin has the authority to change his/her own password or add more accounts to the admin list to take over (some of) the management responsibility.
Password Complexity enables the admin to limit how the passwords used by sub-admins must be formed.
Min password Length sets the minimum length of a password string.
Min password Category allows an admin to define how complex the passwords of the sub-admins are required to be. The table below shows what each number stands for:
Number  Definition
0       Passwords will not be checked
1       Passwords must include at least 1 form (capitalized letters / small letters / digits / special characters)
Limit Login Attempts (if enabled): enter the number of times sub-admins may retry their passwords. After more than this number of failed attempts, the sub-admin is not allowed to enter a password again.
Password expiration (if enabled): this function lets admins decide the number of days after which a password expires. A valid period can be defined for each password, counting from the first login. When a password expires, the operator will need to set up a new password for future use. Expired passwords cannot be reused.
Password Limits (if enabled): this determines how many previously used passwords are checked. For instance, if the admin enters ‘5’, the system checks whether the newly added password is identical to one of the five most recent ones; if it is, the server asks the admin to choose a new password string.
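As an added illustration (not the controller's code), the checks below model the Password Complexity rules just described: Min password Length, Min password Category, Limit Login Attempts, Password expiration and Password Limits. The class names, default values, ISO date strings and the digest-based history storage are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
import hashlib
import string

# The four "forms" the manual names for Min password Category.
_CLASSES = (
    set(string.ascii_uppercase),  # capitalized letters
    set(string.ascii_lowercase),  # small letters
    set(string.digits),           # digits
    set(string.punctuation),      # special characters
)


def category_count(password: str) -> int:
    """How many of the four character classes the password contains (0..4)."""
    chars = set(password)
    return sum(1 for cls in _CLASSES if chars & cls)


@dataclass
class PasswordPolicy:
    min_length: int = 8       # Min password Length
    min_category: int = 0     # Min password Category; 0 = passwords are not checked
    max_attempts: int = 5     # Limit Login Attempts
    expiry_days: int = 90     # Password expiration, counted from the first login
    history_limit: int = 5    # Password Limits: recent passwords that may not be reused


@dataclass
class AdminAccount:
    name: str
    history: List[str] = field(default_factory=list)  # digests of past passwords, newest first
    first_login: Optional[str] = None                 # ISO date, e.g. "2024-01-01"
    failed_attempts: int = 0


def _digest(name: str, password: str) -> str:
    # Hypothetical storage format: the history holds SHA-256 digests, never plaintext.
    return hashlib.sha256(f"{name}:{password}".encode()).hexdigest()


def check_new_password(policy: PasswordPolicy, account: AdminAccount, candidate: str) -> List[str]:
    """Return the rule violations for a candidate password; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than Min password Length ({policy.min_length})")
    if policy.min_category and category_count(candidate) < policy.min_category:
        problems.append(f"fewer than {policy.min_category} character classes")
    # Password Limits: compare only against the N most recent passwords.
    if _digest(account.name, candidate) in account.history[:policy.history_limit]:
        problems.append(f"identical to one of the last {policy.history_limit} passwords")
    return problems


def set_password(policy: PasswordPolicy, account: AdminAccount, candidate: str) -> bool:
    """Store the password if it passes every check; returns True on success."""
    if check_new_password(policy, account, candidate):
        return False
    account.history.insert(0, _digest(account.name, candidate))
    return True


def is_expired(policy: PasswordPolicy, account: AdminAccount, today: str) -> bool:
    """Password expiration: the valid period counts from the first login."""
    if account.first_login is None:
        return False
    deadline = date.fromisoformat(account.first_login) + timedelta(days=policy.expiry_days)
    return date.fromisoformat(today) > deadline


def record_login_attempt(policy: PasswordPolicy, account: AdminAccount, succeeded: bool) -> bool:
    """Apply Limit Login Attempts; returns True when the account is now locked."""
    if succeeded:
        account.failed_attempts = 0
        return False
    account.failed_attempts += 1
    return account.failed_attempts > policy.max_attempts
```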
Sub-admin creation
Go to the Generate table to create a sub-admin and define his/her authority limits. In case the administrator forgets his/her password, entering both the email and the Elementary School Name will cause the account credentials to be emailed to the assigned email address. Note that an SMTP Server needs to be set up for the system to send email reminders.
(There are 6 categories a sub-admin can fall into – Super Group, Manager, Operator, On-Demand Manager, Custom1, Custom2, and Custom3. Click Configure at the right of the drop-down list to see and modify the differences. Be aware that the authority limits of ‘Super Group’ are unchangeable.) Add the account to the list by pressing the Apply button after finishing the settings.
The admin list lets admins track the status of each management account, i.e., the number of online admins and the state of each sub-admin.
Please note that only created sub-admins can be deleted. Check the ‘Lock’ or ‘Unlock’ boxes to forbid certain sub-admins from accessing the management page. The admin can also click the hyperlinks in the ‘Name’ column to edit the related settings of admins and sub-admins.
Click the Backup button under General Backup to save the current system configurations to a backup file
on a local disk of the management console. A backup file will keep the current system settings as well as
the local user accounts.
A backup file can be restored to the system by clicking Browse button to choose the backup file and then
clicking Restore button to execute the process.
Backup can be done periodically over FTP. Enable this feature by clicking on the Configure button under
Period Backup.
Restore System Settings: Click Browse to search for a .db database backup file created by the controller and
click Restore to restore to the same settings at the time when the backup file was saved. The option of “Keep
WAN1 setting and Management IP Address List” can be selected to retain WAN1 setting for remote access.
Reset to Factory Default: Click Reset to load the factory default settings of the controller.
3) Certificates
On this tab, administrators can manage the system certificate, create a Root CA, sign certificates with the Root CA and upload certificates. The "Used By" column indicates the certificates currently in use and their corresponding applications. To further configure the different types of certificates, click the “Pencil” icon.
System Certificate
This is the certificate that identifies the system. These certificates may be used for applications such as HTTPS login, CAPWAP, etc. The Controller has a built-in Factory Default Certificate (gateway.example.com) that cannot be removed, but additional certificates can be uploaded. Click the “Regenerate” button to create a new default certificate with a unique CN. To view details of a certificate, click the corresponding "View" button. Click "Get CERT" and "Get Key" to download the certificate and public key onto your local disk.
Internal Root CA
The administrator can generate a root CA for private use. The created root CA certificate can be downloaded and
used to sign certificates generated by the system. Note that the system only allows one Internal Root CA to be
created.
Internally Issued Certificates
Once an Internal Root CA has been created, Internally Issued Certificates can be signed by it. The generated certificate will be listed, and the certificate/key pair can be downloaded with Get Cert and Get Key in View.
To upload a Trusted CA, click Browse and upload a trusted CA certificate from your local disk into the System.
4) Network Utilities
Some network utilities such as web-based Ping, Trace Route, and ARP table are supported on the
system.
Item Description
IPv4 Ping: Allows the administrator to detect whether a device, given by IP address or host domain name, is alive or not.
Trace Route: Allows the administrator to recover the real path of packets from the gateway to a destination given by IP address or host domain name.
ARPing: Allows the administrator to send an ARP request for a specific IP address or domain name.
ARP Table: Allows the administrator to view the IP-to-Physical address translation tables used by the Address Resolution Protocol (ARP).
IPv6 Ping: Allows the administrator to detect whether a device, given by IPv6 address or host domain name, is alive or not.
Trace Route 6: Allows the administrator to recover the real path of packets from the gateway to a destination given by IPv6 address or host domain name.
Neighbor Discovery: The administrator can use this feature to learn about IPv6 neighbor nodes on the same IP segment, given by address or domain name.
Neighbor Cache: A node keeps information about its neighbors in the Neighbor Cache. This feature allows the administrator to view the information stored in the system’s neighbor cache.
Sniff: With this feature the administrator can listen for packets on selected interfaces. The administrator can further filter the types of packets to capture by entering tcpdump expressions in the Expression field.
IP Discovery: With this feature, the controller can discover the IP addresses of the APs connected within the same Layer 2 network. The administrator can also modify the IP configuration of the discovered APs.
Status: When the administrator executes any Network Utilities feature, the status of the operation is displayed here.
5) Restart
Click Restart button to restart the system. Please wait for the blinking timer to finish before accessing the
system web management interface again.
6) System Upgrade
The administrator can download the latest firmware from the website and upgrade the system here. Click Browse to search for the firmware file and click Apply to start the firmware upgrade. It may take a few minutes before the upgrade process completes, and the system needs to be restarted afterwards to activate the new firmware.
FTP firmware upgrade is also an option. Enter the FTP server IP address, FTP server port, and the FTP account name and password, and lastly specify the complete filename of the firmware stored on the FTP server that will be used to upgrade the system.
To upgrade the system firmware, click the Browse button to choose the new firmware file and then click the Apply button to execute the process. A confirmation message will appear prompting the administrator to restart the system after a successful firmware upgrade. (** Firmware upgrade may take up to several minutes; please wait for the confirmation message.)
The system must be rebooted before resetting to factory defaults after a firmware upgrade.
G. Status
Status: Provides information for System Status, Interface Status, Hardware Status, Routing Table, Online Users,
Session List, User Logs and set up Notification Configuration.
1) System Summary
General
System Name: The system name. The default name is the model number.
Firmware Version: The present firmware version of the EWS CONTROLLER.
System Up Time: Displays for how long the system has operated.
Build Number: The current build number.
System Time: The local time is shown as the system time.
NTP Server: The network time server that the system is set to align with.
Preferred DNS Server: IP address of the preferred DNS Server.
Alternate DNS Server: IP address of the alternate DNS Server.
Proxy Server: Enabled/Disabled/External.
APM Version: The version of the AP Management Module.
Report
Syslog server 1: The IP address and port number of the external Syslog Server. N/A means that it is not configured.
Syslog server 2: The IP address and port number of the external Syslog Server. N/A means that it is not configured.
User Logs Retained Days: The maximum number of days for the system to retain the users’ information.
Receiver Email Address(es): The email address to which the traffic history or user’s traffic history information will be sent.
Click “See Reports” for the following available reports, sorted by interface: Network Traffic, CPU Load, CPU
Temperature, Memory Usage, Storage Usage, Online Users, Successful Logins, Sessions, DHCP Leases
and DNS Queries. The reports can also be customized to your preference by selecting the Time range and
Interval. These reports can be sent via email, syslog, or FTP.
2) Interface
A display of the current settings of all network interfaces. Select Interface from the drop-down menu.
Each service zone represents a virtual system; therefore, the information of the system's network
interface is grouped by service zone.
Item Description
Interface Mode: Operating mode of this interface (WAN1/WAN2).
MAC Address: The MAC address of the WAN port.
IP Address: The IPv4 address of the WAN port.
Auto-Negotiation: When Auto-Negotiation is On, the system chooses the highest performance transmission mode (speed/duplex/flow control) that both the system and the device connected to the interface support.
Speed/Duplex: Displays the current speed and duplex of the selected interface.
Traffic Summary: Displays a daily, monthly and all-time graphical summary of the TX and RX rate for this interface.
Daily Traffic: Displays the traffic information of the day in a table.
Top 10 Traffic: Shows the top 10 traffic records of the day.
3) Monitor Users
All online users/devices will be listed here. The administrator can terminate any user session by clicking
the Kick Out button. Non-login users will be listed here as well.
4) WiFi Monitor
To run the WiFi Monitor, first create a floor plan to start managed AP monitoring or simulation; a 2-D floor plan then needs to be uploaded to the EWS Controller. Click the Add Floor Plan button to add a floor plan.
Floor Plan Type: Type of the floor plan. Select “Local” or “Wide” for monitoring managed APs from
Local Area AP Management or Wide Area AP Management. Select “Virtual” for AP simulation.
Floor Plan Name: Self-defined name for Administrator’s reference.
Floor Plan: Select file for floor plan (.jpg format).
Wall: Select file for wall (.xml or .osm format).
Map Width: Actual width of floor plan.
Map Length: Actual length of floor plan.
Country Code: Select the country code (EU/US). This will determine the max output power of access points.
Height of Receiving Device (m): The assumed average height of receiving client devices.
Virtual Type
Simulation can be done by clicking the Simulate 2.4G or the Simulate 5G button. If the results are
satisfactory, the settings on each AP may be saved as a template to be used to apply to APs in AP
Management.
Signal Strength: The darker the color, the stronger the signal strength is.
Coverage: Different colors depict the different coverage area of each AP.
Distribution: Use different colors to illustrate the strength of signals.
AP Status: Visualize the online/offline status, CPU usage (Wide type only), and memory usage (Wide
type only).
Statistics: Show device density, and average traffic rate (Wide type only) for each AP.
Coverage: Similar to Virtual type, showing coverage of each AP in different ways.
6) Process Monitor
The Process Monitor is a network utility that shows the active status of process daemons on the gateway. Administrators can Enable or Disable the Process Monitor by clicking the radio button.
CAPWAP Log: This page shows the CAPWAP messages exchanged between the Controller and CAPWAP-enabled APs.
Configuration Change Log: This page shows the account and IP of the person that has made changes to the Controller's WMI configuration.
Local Monthly Usage: The system keeps a cumulative record of the traffic data generated by each Local user in the latest 2 calendar months. Each line in a monthly network usage record of a local user consists of 6 fields: System Name, Connection Time Usage, Packets In, Bytes In, Packets Out and Bytes Out.
Local Web Log: This page shows which web pages have been accessed on the Controller's built-in web server.
On-Demand Billing Report: This page is a summary of On-Demand account transactions.
RADIUS Server Log: This page displays the RADIUS messages that pass through the controller.
SIP Call Usage: The log provides the login and logout activities of SIP clients (devices and soft clients), such as Start Time, Caller, Callee and Duration (seconds).
System Log: This page displays system-related logs for event tracing.
UAMD Log: Displays the UAM-related information output from the UAM daemon.
User Events: Displays all user-related information, customizable to the administrator's preference.
The "Download" button downloads the displayed User Events into a comma-separated .txt file, which can be imported into a spreadsheet (MS Excel).
Note that different User Types contain different user information. Categories will be left blank if inapplicable to the User Type.
Alarm: Error or warning messages for the selected items. An alarm remains on the alarm list until the fault is
resolved.
Management Events: Management related logs for the selected items.
8) Reporting
EWS CONTROLLER can automatically send various kinds of user and/or system related reports to configured E-mail addresses, SYSLOG Servers or an FTP Server.
Detail: Clicking this radio button allows the configuration of the E-mail subject for the corresponding log.
Send: Clicking this radio button sends a test log to the selected E-mail address.
Detail: Clicking this button allows the configuration of SYSLOG attributes such as Tag, Severity and
Facility which will be assigned to the corresponding log to meet the filtering requirements on the SYSLOG
Server.
Note: The “System Log” option needs to be enabled under SYSLOG Settings in order to send the selected logs to
the configured SYSLOG Servers.
Sending Logs to FTP
The following log types can be sent to external FTP servers configured in “FTP Settings”: Local Users Log, On-Demand Users Log, Trial Users Log, Roaming Out Users Log, Roaming In Users Log, External User Log, Session Log, On-Demand Billing Report Log, Wide Area AP Report, Local HTTP Web Log, HTTP Web Log, Configuration Change Log, DHCP Lease Log, System Report and Traffic Report. Click the desired log type and select the time interval for sending the log.
Detail: Clicking this button allows the specification of the FTP server folder where the logs sent will be stored on
the FTP server.
Note: The outputted log files to the FTP server will be named according to the format
$Topic_$ExtraDesc_$SystemName_$Date_Time.txt. For example: HTTPWebLog_GW1_2010-10-15_0800.txt
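For a collector that picks these files up from the FTP server, here is an added example (not Edgecore's code) that parses the documented filename pattern and flags topics whose newest file is older than the configured sending interval. The ExtraDesc field is treated as optional because the manual's own example omits it, and all sample filenames other than that example are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Documented pattern: $Topic_$ExtraDesc_$SystemName_$Date_Time.txt
# ExtraDesc is optional (assumption): HTTPWebLog_GW1_2010-10-15_0800.txt has only four parts.
_NAME_RE = re.compile(
    r"^(?P<topic>[A-Za-z0-9]+)"
    r"(?:_(?P<extra>[A-Za-z0-9-]+))?"
    r"_(?P<system>[^_]+)"
    r"_(?P<date>\d{4}-\d{2}-\d{2})_(?P<time>\d{4})\.txt$"
)


class LogFile(NamedTuple):
    topic: str
    extra_desc: Optional[str]
    system_name: str
    generated_at: datetime


def parse_log_filename(name: str) -> Optional[LogFile]:
    """Split a controller log filename into its fields; None if it does not match the pattern."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    stamp = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H%M")
    return LogFile(m["topic"], m["extra"], m["system"], stamp)


def latest_per_topic(names: Iterable[str]) -> Dict[Tuple[str, str], LogFile]:
    """Newest file for each (system name, topic) pair, ignoring files that do not match."""
    latest: Dict[Tuple[str, str], LogFile] = {}
    for name in names:
        lf = parse_log_filename(name)
        if lf is None:
            continue
        key = (lf.system_name, lf.topic)
        if key not in latest or lf.generated_at > latest[key].generated_at:
            latest[key] = lf
    return latest


def overdue_topics(names: Iterable[str], now: datetime, interval_minutes: int) -> List[str]:
    """Topics whose newest file is older than one sending interval, i.e. a gap in the log feed."""
    limit = timedelta(minutes=interval_minutes)
    return sorted(
        f"{system}/{topic}"
        for (system, topic), lf in latest_per_topic(names).items()
        if now - lf.generated_at > limit
    )


# Constructed directory listing; the first name is the manual's own example.
SAMPLE_LISTING = [
    "HTTPWebLog_GW1_2010-10-15_0800.txt",
    "HTTPWebLog_GW1_2010-10-15_0900.txt",
    "SessionLog_SZ0_GW1_2010-10-15_0700.txt",
    "readme.txt",
]
SAMPLE_NOW = datetime(2010, 10, 15, 9, 30)  # constructed "current time" for the sample

if __name__ == "__main__":
    print(overdue_topics(SAMPLE_LISTING, SAMPLE_NOW, interval_minutes=60))
```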
FTP Settings: Allows the configuration of an external FTP Server to which selected user logs as well as system logs will be sent.
FTP Destination: This specifies the IP address and port number of your FTP server. If your FTP server needs authentication, enter the Username and Password. The “Send Test File” button can be used to send a test log for testing your current FTP destination settings.
SMTP Settings: Allows the configuration of 5 recipient E-mail addresses and the necessary mail server settings to which various user-related logs will be sent.
SMTP Server: Enter the IP address of the sender’s SMTP server.
SMTP Port: By default the port number is 25. Administrator can specify other ports if the SMTP server runs
SMTP over SSL.
Encryption: Enable this option if your SMTP server runs SMTP over TLS or SSL.
SMTP Authentication: The system provides four authentication methods, Plain, Login, CRAM-MD5 and
NTLMv1, or “None” to use none of the above. Depending on which authentication method is selected,
enter the Account Name, Password and Domain.
o NTLMv1 is not currently available for general use.
o Plain and CRAM-MD5 are standardized authentication mechanisms while Login and NTLMv1 are
Microsoft proprietary mechanisms. Only Plain and Login can use a UNIX login and password.
Netscape uses Plain. Outlook and Outlook express use Login as default, although they can be set
to use NTLMv1.
o Pegasus uses CRAM-MD5 or Login but which method to be used cannot be configured.
Sender E-mail Address: The e-mail address of the administrator in charge of the monitoring. This will
show up as the sender’s e-mail.
Receiver E-mail Address (1 ~ 5): Up to 5 E-mail addresses can be set up here to receive notifications.
SYSLOG Settings: Allows the configuration of two external SYSLOG servers to which selected user logs as well as system logs will be sent.
SYSLOG Destinations: Up to two external SYSLOG servers may be configured. Please enter the IP address and port number of the external SYSLOG server here.
Severity Level: Logs more severe than this level will be sent out to the external SYSLOG server.
Alarms & Events Settings: Configure the items to be monitored as Alarm or Management Events. Alarms are
error or warning messages for the selected items to be displayed on the Alarms page and Dashboard. An alarm
remains on the alarm list until the fault is resolved. Management Events are logs for the selected items to be
displayed on the Management Events page. The latest few events will also be listed in Dashboard.
9) Session List
This page allows the administrator to inspect sessions currently established between a client and the
system. Each result displays the IP and Port values of the Source and Destination. You may define the
filter conditions and display only the results you desire.
Statistics of IP Offered
Valid lease counts of the last 10 minutes, hours and days are shown here. The headers 1 ~ 10 are the unit multipliers. For instance, the number under column 2 indicates the lease count in the last 20 minutes/hours/days, the number under column 3 indicates the lease count in the last 30 minutes/hours/days, and so on.
Statistics of IP Expired
IP leases to clients that have expired in the last 10 minutes, hours and days are shown here. The headers 1 ~ 10 are the unit multipliers. For instance, the number under column 2 indicates the expired count in the last 20 minutes/hours/days, the number under column 3 indicates the expired count in the last 30 minutes/hours/days, and so on.
DHCP Lease List
Valid IP addresses issued by the DHCP Server and related information about the client using each IP address are displayed here.
The routing table lists all IPv6 and IPv4 Route rules. The System Route rules are shown here as well. The Policy Route rule has higher priority than the Global Policy Route rule, and the System Route rule has the lowest priority.
Clicking either IPv4 or IPv6 will show the routing rules for each policy or interface.
P/N: V345000020201110