ac manual en

Upload: hendry-matos

Post on 05-Apr-2018


  • 7/31/2019 AC Manual En

    1/25

    Access Controller

    Manual

    for Diamond series v.4.5-x

    Introduction

    This document is a guide on how to install, set up and maintain an AmazingPorts Access Controller.

    The Access Controller is a firewall that allows or denies access to resources on the other side of itself. It does this by acting as the gateway in a LAN (local area network); we often refer to this LAN as the public LAN. The Access Controller receives its settings and rules to a large extent from two internet servers, one called the LDS (Login Directory Service) and one called the AMS (Access Controller Management Service). As a rule of thumb the LDS provides rules and the AMS provides management, just as the names indicate.


    Table of contents

    Installing the Access Controller
    Registering the AC - Mandatory and free of charge
        NEW REGISTRATION SERVICE
    Default settings
        Default WAN settings (eth0)
        Default LAN settings (eth1-n)
    Configuration scenarios
        Fully automatic configuration
        Fixed IP configuration
    Verifying that your AC works properly
    Advanced configurations
        Local web administration of the Access Controller
        Configuring manual IPs on the AC WAN interface (Networking)
            Configure the WAN interface manually: IP address, netmask and gateway
            Configure name servers - DNS
            Changing the IP of the Public LAN interface (Eth1-n)
    The Administration portal
        The main menu
        Managing vouchers
            Make Vouchers
    Managing administration accounts on the Access Controller
        Enabling password rotation
        Changing default passwords not using password rotation
            Default passwords
            Accessing passwords with password rotation
    Troubleshooting
    Accreditations
    Appendix A
        Internet over Fibre
        Internet over Cable/DSL
        Dial-Up
    Appendix B - The difference to other hotspot solutions
    Appendix C - Service Oriented Provisioning
        Real time Service Oriented Provisioning
            A service oriented provisioning architecture
            What is the real life advantage?

    Page 2 (25) [email protected]: 1.5


    Installing the Access Controller

    This installation assumes that you have fundamental knowledge of networking and access to two computers: one to become your Access Controller and the other to perform the registration after installation.

    1. Obtain the ISO of the Access Controller - AC (download it from the web site, or you may have received it with this manual).

    2. Obtain a standard computer with two NICs and a CD drive or equivalent.

    a. Preferably use simple old computers, as some modern motherboards will cause a kernel panic.

    3. Set the BIOS to boot from CD, ignore keyboard errors and auto power-on on power loss.

    4. Burn the Installation CD.

    5. Install the AC (notice that this will erase everything on the Access Controller).

    6. Once the installation completes, the CD will eject and the AC will beep.

    a. REMOVE THE CD. Otherwise it may boot from the CD again.

    7. Connect the other computer to the public network of the AC (the IP will be DHCP assigned and in the range of 172.23.12.xx). Note that 12 may be 13 or 14 depending on the number of NICs that your AC has.

    8. Open the local web admin interface on https://172.23.12.1:8443 (you may have to replace the C network 12 with 13 depending on how many NICs your AC has). Default credentials are username: admin, password: admin.

    9. Configure all network settings correctly (the AC assumes it will be served its WAN address etc. from a DHCP server).

    10. Reboot the Access Controller (whether you have made any changes or not).

    11. Re-connect to the local web admin interface and click the registration link in the top right-hand corner.

    12. Follow the link (automatically or manually) to the NEW registration site.


    13. Complete the registration process to obtain an admin account to make vouchers and customise your landing page.


    Registering the AC - Mandatory and free of charge

    Before you will be able to make vouchers/codes/coupons you must register your AC. Start the registration process by clicking the Register AC semaphore and link in the main menu.

    The registration process is 100% free of charge and will set up your free service.

    NEW REGISTRATION SERVICE

    Since January 2010 the registration service has changed and you have to follow the link through to the new registration service, which will (unlike the old service) automatically let you register one or several admin accounts with different user rights.

    When you register an Access Controller, you automatically become the Administrator of this Access Controller and the associated network.


    Default settings

    Default WAN settings (eth0)

    The AC will attempt to get a dynamic address for its WAN interface using the DHCP protocol. It will attempt to automatically use the information it receives through the DHCP request to apply correct IP and DNS settings. If the access controller for some reason does not receive IP information on the WAN connection it will not be possible to connect through the access controller. In the section below called Manual WAN settings you can read more about configuring these settings manually.

    Note that this manual covers only configuration considerations referring to the Access Controller (AC). We assume that any network equipment between the WAN interface and the Internet is configured appropriately and that it will either provide IP and DNS settings through DHCP or that the AC must be configured manually (with Fixed IP). Currently (2008) the publicly available AC version supports neither PPPoE nor PPPoA as a means of acquiring a network connection.

    Default LAN settings (eth1-n)

    The AC will automatically apply functional settings for each of your LAN NICs. It is possible to mount several network adapters; these will then be automatically named eth1, eth2, eth3 and so on up to ethn. They will all automatically receive settings according to the following schema:

    Network adapter    IP
    Eth 1              172.23.12.1
    Eth 2              172.23.13.1
    Eth 3              172.23.14.1
    Eth n              172.23.(n+11).1


    Configuration scenarios

    The access controller can be configured in two basic ways: fully automatic or with fixed IP.

    Note that whichever case you prefer, it is mandatory that the Private LAN (WAN) and the Public LAN (LAN/WLAN) ALWAYS use different IP subnets.

    In plain English this translates to: if the Private LAN (WAN) in the examples below uses IP addresses in the 192.168.xx.yy range, then the Public LAN must NOT use addresses in that same 192.168.xx.yy range but a different one, for example 172.23.12.xx.

    Fully automatic configuration

    In the fully automatic configuration scenario the Internet router will have a DHCP server that provides the Access Controller with IP settings.

    Fixed IP configuration

    In a scenario where the Access Controller will use a fixed IP to connect to the internet, it is important to remember that DNS settings need to be entered manually. Without proper DNS settings the AC will fail to operate.
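    The LAN addressing schema, the different-subnets rule and the fixed-IP DNS requirement above can be checked before a configuration is applied. The Python sketch below is an added example, not part of the AmazingPorts manual or software; it assumes each public LAN is a /24 (the manual only writes 172.23.12.xx), and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: every public LAN is a /24, as the manual's "172.23.12.xx" suggests.
LAN_PREFIX = 24


def lan_interface(n):
    """Address the AC gives eth<n> under the manual's schema 172.23.(n+11).1."""
    if not 1 <= n <= 244:  # n + 11 has to fit into a single octet
        raise ValueError(f"eth{n} is outside the 172.23.(n+11).1 schema")
    return ipaddress.ip_interface(f"172.23.{n + 11}.1/{LAN_PREFIX}")


def lan_plan(lan_nics):
    """Map eth1..eth<lan_nics> to their default public-LAN interfaces."""
    return {f"eth{n}": lan_interface(n) for n in range(1, lan_nics + 1)}


def check_fixed_wan(ip, netmask, gateway, dns, lan_nics):
    """Return a list of problems found in a fixed-IP WAN (eth0) configuration."""
    problems = []
    wan = ipaddress.ip_interface(f"{ip}/{netmask}")
    gw = ipaddress.ip_address(gateway)
    net = wan.network

    # A host cannot use the network or broadcast address of its own subnet.
    if net.prefixlen < 31 and wan.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{wan.ip} is the network or broadcast address of {net}")

    # The gateway is the IP gateway on the private LAN, so it must be on-link.
    if gw not in net:
        problems.append(f"gateway {gw} is not inside the WAN subnet {net}")
    if gw == wan.ip:
        problems.append("gateway and WAN address are identical")

    # With a fixed IP, DNS is not learned from DHCP and must be entered manually.
    if not dns:
        problems.append("no name servers set; fixed IP needs DNS entered manually")

    # Private LAN (WAN) and every public LAN must use different subnets.
    for name, lan in lan_plan(lan_nics).items():
        if net.overlaps(lan.network):
            problems.append(f"WAN subnet {net} overlaps public LAN {name} ({lan.network})")
    return problems


if __name__ == "__main__":
    # Constructed sample configurations: (ip, netmask, gateway, dns, number of LAN NICs)
    samples = [
        ("192.168.1.10", "255.255.255.0", "192.168.1.1", ["192.168.1.1"], 2),
        ("172.23.13.50", "255.255.0.0", "172.23.0.1", [], 3),
        ("10.0.0.5", "255.255.255.0", "10.0.1.1", ["10.0.0.2"], 1),
    ]
    for sample in samples:
        found = check_fixed_wan(*sample)
        print(sample[0], "OK" if not found else found)
```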


    Verifying that your AC works properly

    To ensure that your AC is working properly connect to the AC and surf to:

    http://login.amazingports.com

    This should always bring you to the landing page of your AC.

    If it doesn't, something is wrong and you need to verify that all settings are correct.

    See Troubleshooting for further assistance.


    Advanced configurations

    Local web administration of the Access Controller

    Connect a computer to the Public LAN port of the Access controller.

    URL: https://172.23.12.1:8443

    Default username: admin

    Default password: admin

    Normally, for improved security, an access controller is always set to rotate passwords. To receive the password for your AC, if the default password does not work, please contact AmazingPorts customer service.

    After login you will reach this web page:

    In the following we will guide you through the settings that can be made locally in the AC admin interface.

    Once you have set up your AC, use the Register AC link to register your access controller.

    Occasionally it might be necessary to restart your AC. This can be done by clicking Reboot device, which will reboot the hardware, or by clicking Restart AC services to restart the main AC services without rebooting the hardware.


    Configuring manual IPs on the AC WAN interface (Networking)

    To configure IP settings in the AC click the Configure Networking link in the web admin interface.

    Configuring IPs contains three important sections. ALWAYS begin by configuring the WAN / Gateway Interface.

    Configure the WAN interface manually: IP address, netmask and gateway

    To configure an IP address manually, set Get from dhcp server to No. Then enter an appropriate IP address, Netmask and Gateway for the WAN interface.

    Remember that the gateway referred to in this menu is the IP gateway on the private LAN (WAN) (see Configuration scenarios).

    After setting the IP, confirm that you wish to enter the new settings, and let the AC implement the new settings. It can often be good to restart the AC after this has been done. You can restart it by using the re-boot link in the menu. Allow the AC a good two minutes to stop and restart.


    Configure name servers - DNS

    The next step is to enter DNS settings for the AC. You find these settings in the main menu under Configure Networking -> Global Settings Name servers.

    Enter the correct name servers for your network and click the set button. Should you need to enter more than 2 name servers, just go into the same menu after you have configured the first two, and you will be able to add more name servers.

    At this stage, when you have set both the IP address and DNS (name server) settings, make sure you reboot the AC so that it can start with the correct IP and DNS settings.

    Changing the IP of the Public LAN interface (Eth1-n)

    Start by clicking Configure Networking in the main menu and then choose the connection point you wish to configure.

    Normally there is no reason to change these settings!


    The Administration portal

    The administration portal is your key to managing your Access Controller(s), users, make vouchers and any other aspect of running your network.

    https://ams.amazingports.com

    The main menu

    Depending on your credentials your menu will adapt to show only the menu choices you actually have access to.

    There are 5 tabs that each address different needs:

    - Network lets you see your AC's current report status and manage traffic control (QoS)

    - Look & Feel lets you customise the landing portal and certain other aspects of the look and feel.

    - Products & services lets you customise and manage the products that are available to your voucher maker(s), and manage the general rules that are valid for the entire network, an AC, a hotspot, or a single product.

    - Support lets you ask questions to AmazingPorts if you are an Administrator, or lets your users ask you questions if you are an administrator

    - User Management lets you add/edit and manage all aspects of your users, including assigning them special rights and managing their role (if any)

    o Administrator - Can administer all aspects of this Network

    o Voucher Maker - Can make vouchers

    o Accountant - Can see/export transactions, vouchers etc.

    o Support Agent - Can answer support chats

    Managing vouchers

    You manage vouchers under the Products and services tab, which is divided into two main sections: Vouchers and products on one side and Default rules on the other side.


    Make Vouchers

    To create a voucher you select the product that the voucher should give the user. The product defines what service the user will get.

    Valid to and valid from indicate the dates and times for which the vouchers created should be valid. A shorter validity will generate a shorter voucher secret, meaning that the user will have less to fill in.

    Repetitions are the number of times this voucher can be used by a user. Example: a user gets a voucher with 3 repetitions for a product Internet Access 1 hour; this means that the user will actually get 3 hours of access. Vouchers are automatically repeated as long as a user is logged in or, if a user is anonymous, as long as his session is valid.

    Quantity is the number of vouchers to create. If a number bigger than 1 is chosen the output is in Excel format instead of a single voucher. The look and feel of single vouchers can be customised under the Look & Feel tab.

    Language is a drop-down that will contain all the languages you have enabled in the Look & Feel section for your network.


    Managing administration accounts on the Access Controller

    The access controller can be administered in any of three ways. Normally all configurations and settings are performed via an XML file that the Access Controller receives from the AmazingPorts Access Controller management system.

    Nevertheless, occasionally it can be necessary to manage the access controller locally. To secure this access we recommend that all access controllers use password rotation; this password rotation ensures that the access controller has complex and hard-to-guess passwords.

    If your access controller doesn't have password rotation activated you should always change the default passwords for the root account and the web admin account.

    Enabling password rotation

    To activate password rotation, log in to the administration portal and click the spanner icon to edit your access controller. Then enable password rotation and click Save Changes.

    Once the Access Controller has enabled the password rotation (this will happen within an hour), the new passwords for Root access and local web admin access will be visible in the portal.

    Passwords normally rotate every 20 minutes.


    Changing default passwords not using password rotation

    Click the Manage admin accounts link in the main menu.

    Usernames and passwords are case sensitive.

    Default passwords

    Context                                       User     Password
    Shell access SSH                              root     _change_me_
    Local web admin (https://172.23.12.1:8443)    admin    admin

    Accessing passwords with password rotation

    Log in to the administration portal at https://ams.amazingports.com and select to edit your access controller under the Network -> Status/Home tab.


    Troubleshooting

    To make it easier to find out about your problem we have created a list of problems and possible solutions.

    Problem - You receive no IP

    Solution

    - Because you are using an incorrect cable

    If your computer is connected directly to the access controller the network cable must be a cross-over cable or your network adapter must support MDIX. If this is gibberish to you, then connect to the Access Controller through a hub, switch or WiFi access point.

    - Because you do not have a WiFi connection

    If you are connecting to the AC through a WiFi network, make sure that you are really connected. Specifically check that:

    o If you are using any encryption, your keys are CORRECT (you can do this by setting a fixed IP on your machine and verifying that you can connect to the web interface of the Access Point or the access controller).

    o You have set your computer to actually connect to the WiFi network in question.

    - Because your computer is NOT set to receive IP settings from a DHCP server

    You need to make sure that the IP settings of the network adapter you are using to connect to the access controller are set to use Automatic IP settings or DHCP.

    - Because you connected to the wrong NIC (network adapter).

    Verify that you connected to the correct NIC on the Access Controller. There are at least two of them, and if the one you are connected to doesn't work, try the other one.

    - Because the NIC on the computer or the AC is broken.

    First ensure that the AC actually is connected to power; no, we're not kidding you, this is a common reason for not working.


    Normally when connecting to the AC, the link light of the network adapter should light up. Connect the AC to a switch and verify that the switch indicates that the link is up. If this is not the case, exchange the cable for another one to make sure that your problem is not a cable failure. If you determine that the NIC is physically broken (this is VERY unusual), then just replace it with another suitable network adapter.


    Problem - You receive an IP but cannot browse anywhere and you are not redirected.

    Solution

    - Because DNS isn't working properly

    Verify that your DNS settings are correct and that you are able to resolve domain names. A way to do this is to open a command prompt in Windows and run nslookup. In nslookup, watch whether the primary DNS fails. If that is the case, correct the DNS settings in the AC and make sure you have a functional DNS as primary DNS. After correcting the DNS settings, restart the AC and VERIFY that your settings were properly accepted by the Access Controller.

    - DNS is working but any web page you are looking at times out instead of showing.

    Try connecting to http://172.23.xx.1, replacing xx with the specific subnet you are in. What you are doing here is actually connecting directly to the redirector of the Access Controller. You should then be redirected to the landing page of the Access Controller. If you are not, the most likely cause is that the Access Controller needs to reboot. Reboot by connecting to the local web admin interface and selecting the reboot option.

    - You cannot browse anywhere AND you are unable to ping the Access Controller

    First make sure that you renew your IP. If you are still receiving an IP from the AC but can NOT ping the AC, that indicates a more complex routing problem between your client and the AC. If you are connected directly to the AC, check that your cables are OK. Reboot the AC. Reboot your computer.

    Accreditations

    AmazingPorts is part of the FireVentures Ltd Group, a Private limited company with registered offices in 30, BasePoint Business Centre, Metcalf Way, Crawley,


    RH11 7XX, West Sussex.

    All copyright and other rights vest with FireVentures Ltd.


    Appendix A

    Whereas this manual isn't supposed to cover generic network/internet configuration issues, we have added this section to cover a few common situations you as a user might encounter. We have described key aspects under each and hope that this will help you resolve any configuration issues you might encounter.

    As a general rule it is very good to ensure that outbound ports are open, and that inbound ports 22 and 8443 are mapped and forwarded to the Access Controller. Remember that this forwarding might require you to create several port forwards depending on your network configuration, and that these forwards are an advantage, not a requirement.

    Internet over Fibre

    Normally the fibre connection is translated into Ethernet (standard network) in the basement of your building. If the access controller is connecting to the Internet over such a connection:

    If a login client/software is needed (PPPoE or PPPoA) you will need a router between the AC and the connection. Configure the router according to the ISP's instructions and then set the router to assign IPs (provide DHCP service) on the LAN (where the AC WAN interface connects).

    Internet over Cable/DSL

    Normally this kind of connection will require a modem of some kind. The exception is VDSL using full Ethernet frames and no modulation; in such a case only a splitter is needed. Enquire with your provider how their service is configured.

    If a login client/software is needed (PPPoE or PPPoA) you will need a modem and/or router between the AC and the connection. Configure the modem/router according to the ISP's instructions and then set the modem/router to assign IPs (provide DHCP service) on the LAN (where the AC WAN interface connects).

    Today most modems will provide the above functionality and no separate router is needed.

    A special case can occur with modems that perform transparent IP forwarding to the next device. These modems will usually manage login if necessary and then forward all packets to the next device (for example your AC). In such a case make sure your next device is set to use DHCP to receive IP and other settings. It is worth noting that often these devices tend to create a relation with the previously used next device and the one you just connected, often creating severe configuration problems. Contact your modem provider for instructions on how to configure the modem, and normally configure the AC to use DHCP; verify this with your modem provider.

    This way of connecting is more complicated to set up but gives the advantage of a completely transparent connection to the internet, enabling


    certain advanced features in the Access Controller.

    Dial-Up

    We do not recommend using dial-up internet connections unless the modem is set to dial automatically when needed. Please be aware that the Access Controller will communicate with internet servers on an almost perpetual basis, thus potentially raising your connection time to 100%.

    Appendix B - The difference to other hotspot solutions

    Rules vs Profiles

    A fundamental difference between AmazingPorts and other "similar" software is how authorizations are transmitted from the AMS to the Access Controller. In a traditional access control system an authenticated user will be assigned a profile that contains information about what he can and cannot do. In AmazingPorts the authorization is transmitted in the form of a set of rules in XML format.

    Compare:

    Traditional system: User X can use service Y

    with

    AmazingPorts: User X can fetch email from pop.company.com and surf the internet using port 80 and 443

    Clearly, if we know that service Y is "Fetch email from pop.company.com and surf the internet using port 80 and 443", then the difference between the two approaches is irrelevant.

    What if you want to provide multiple services in the same network?

    The difference from other systems becomes clearer when you decide that one set of rules or a profile does not meet your requirements. Imagine that you have four different services, for example email, surfing, a VoIP service and a gaming service. Any one user should be able to get any of the services; this means that you will have to build and maintain 15 different profiles so that for each combination of services there is a profile that matches.

    Service    Profile 1 (all 4 services) 2 3 4 5 6 7 8 9 10 11 12 13 14 15
    Email      x x x x x x x x
    Surfing    x x x x x x x x
    VoIP       x x x x x x x x
    Game       x x x x x x x x

    - In a traditional system you have to build and maintain 15 profiles


    - With AmazingPorts you only have to build and maintain 4 rule sets

    At this level the reduced amount of administration is clear; in fact, the relation between a traditional system and AmazingPorts in terms of administrative work can be expressed mathematically as:

    2^n - (n+1)

    where "n" represents the number of services you wish to be able to offer your users.

    What about individualised services?

    Imagine that you run a mobile operator, and wish to charge your clients a fixed monthly fee for using e-mail. Every client will obviously have his own e-mail provider. We also know that some e-mail services are more popular than others. For the sake of this presentation we will assume that on any given market there are the 10 big known e-mail operators (Yahoo, Google, Hotmail etc.) and at least another 100 smaller ones. On top of this every corporate customer will have their own e-mail service.

    Let's just assume that there are 500 different e-mail providers in total.

    Using the formula above we can then calculate the increased administration if you don't use AmazingPorts:

    2^500 - (500+1) = 3 273 390 607 896 140 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000

    This example makes it clear that AmazingPorts is significantly more efficient from an administrative perspective than the profile-based approach used by competing technologies.


    Appendix C - Service Oriented Provisioning

    Real time Service Oriented Provisioning

    Precise and timely application of rules for a specific user is as much a security requirement in corporate networks as a tool to create new and innovative products in a public network environment. No other system on the market enables as easy and swift, yet precise, control over who does what.

    A service oriented provisioning architecture

    When a user is detected in a network controlled by an Access Controller (AC), the AC instantly requests rules for this user. This pro-active way of working means that we can achieve seamless roaming, and a really comfortable and user friendly network, despite the fact that every bit sent over the network is analyzed, traffic managed and approved.

    The LDS receives these requests for service and makes an individual evaluation each time. This is how users in our networks can purchase multiple and diverse products during the same session. It also makes it possible to combine a free service with a paying service.

    An example of this could be a hotel that offers free internet access to guests, but sells higher quality internet access to guests with specific quality requirements.


    What is the real life advantage?

    The capability of defining and working with true product management instead of an "on/off", one-size-fits-all mentality creates the extra revenue that hotspots need to survive. Our statistics show that in most hotspots, around 20-30% of all products are "non" standard; without AmazingPorts technology you may be losing out on those sales.

    It is also a way to entice new users to try services or cross-sell a quality service to an existing customer.

    In short, this structure makes it possible for you to define and sell almost any imaginative access product to any user in any location....

    Really fast internet

    Really slow internet

    Free services - but limited priority

    Selective services - like "only VoIP from VoipLtd", or "only e-mail from e-mail.com"

    A yearly subscription

    A temporary broadband boost


    Priority to your favourite gaming server

    Only give access to people with green hair to the "dye-my-hair-now.com" web site.

    Cut a deal with local "Big Co" and sell them E-mail only access for their sales force.

    Obviously you can price everything differently and according to your comprehension of what is "smart" pricing.

    Please notice the unique capability of selling any combination of these services to any user.

    Don't wait - upgrade your venue to AmazingPorts technology now!