Overview
The revenue eXtraction gateway (rXg) is RG Nets' next-generation IP data and voice revenue generating network gateway, combining the latest technologies to maximize operator profitability and minimize cost. This operation manual describes how to use the features and functionality present on each corresponding view of the rXg administrative console.
This operation manual assumes that the rXg device has been properly installed by a certified technician or qualified engineer associated with an entity that has a current RG Nets operator support agreement. Before continuing to use this manual on a newly installed rXg, please review the rXg installation and initial configuration guide. You can always find the latest version of the rXg quick start guide in the FAQ section of the RG Nets customer portal. Once you have gone through the rXg installation process, you will have the URL and access credentials for the RG Nets customer portal.
Navigation and Organization
The primary mechanism used to navigate within the rXg administrative console is the menu at the top of each page. The menu is present at the top of all views of the console and allows quick access to all functionality.
Each of the buttons of the main menu represents a subsystem of the rXg. The primary link on each button leads to a dashboard of that subsystem. The menu text of the primary button becomes red to indicate which subsystem is currently being viewed.
Bringing the mouse pointer over a primary menu button and holding it there will reveal a sub-menu for each section. The links in the sub-menu bring up views to configure the various aspects of the subsystem. Once again, red indicates the subsystem that is currently being displayed.
A side panel menu can be accessed by clicking the arrow icon to the left of the screen. This side panel menu contains a history of the 4 most recently visited pages, as well as context-sensitive links to related configuration and informational pages.
Data Display, Sorting and Searching
Operator manipulation of data in the rXg administrative console is accomplished through AJAX enabled scaffolds. Each view consists of one or more scaffolds for various data aspects that can be manipulated to configure the subsystem.
Scaffolds display pertinent properties directly in the list view. Each of the column headers may be clicked to sort the data. Clicking the same column header again toggles the sort between ascending and descending. For example, if the first field header is clicked on the Accounts scaffold, the records are sorted by login.
Clicking on the login field header again reverses the sort. The data is now presented as a descending list.
Similarly, clicking on the third field header twice changes the sort to be descending by time.
Scaffolds containing a large number of records are automatically paginated. Navigation through the pages is accomplished through a set of links on the lower right corner of the scaffold. If the scaffold does not contain enough records for pagination, the pagination controls will not be displayed.
The previous and next links move backward and forward through the pages of records. The numbers enable quick access to a specific page.
The search link displays a form that enables the list display to be limited to items that match the data entered into the search field.
This is extremely useful when looking for a particular record in a scaffold that has a large data-set. In the example below, entering "baker" into the search field reduces the dataset from 94 to 2.
Clicking on the show link at the right of each record displays all of the detailed information available for that record.
Screen space limitations dictate that a reduced set of fields be present in the list view. Using the show link gives access to the other fields stored in the record. In addition to payload fields, meta-data fields such as the create and last update time, as well as the creator's administrative login and last updater may be seen in the detailed display.
Some scaffolds have additional per-record display capabilities. These can be accessed by using the additional links displayed at the right side of the list view. For example, several scaffolds can display per-record graphs.
To close a show, graph, help or other detailed display drop down, click on the white X in the red box at the top right of the detailed display area.
Data Entry and Export
The create new link found at the upper right is used to add data to the scaffold. Some scaffolds, such as those found in instruments , do not have a create new link because data cannot be directly added to the scaffold. When the create new link is clicked, a drop down appears with the fillable form elements available when creating a new record.
A new record is created immediately upon clicking the create button. If any errors are detected during the record creation, they are displayed inline in the form. The original data entered is preserved. Simply change the data to conform to the requirements and hit create to try to create the record again.
The export link allows the operator to download the data in the scaffold as a separated value text format. By clicking the export link, a drop down will appear that enables the configuration of the download. By default, the export mechanism will download all data in the scaffold with headers in a comma separated value (CSV) format.
Once downloaded, the data can be imported into a broad spectrum of software. For example, Microsoft Excel can import the data to create graphs and Crystal Reports can import the data for customized report generation.
System
The operator must configure and maintain several aspects of the rXg in order to properly deploy and operate an rXg powered revenue generating network. The rXg requires the operator to create an administrator , install an SSL certificate signed by a trusted third-party, and configure the appropriate time zone and time server options before an RGN may be brought into production. These prerequisites, as well as many other global configuration settings, are configured via the views of the System menu.
System Dashboard
The System dashboard presents an overview of options and configuration settings governing the global behavior of the rXg.
At the top of the system dashboard are graphs depicting CPU and Memory usage over the last 12 hours.
At the bottom left of the System dashboard is a dialog that presents currently utilized and maximum values for both transient and configuration license parameters.
Click on the details link to navigate to the License view of the administrative console to update the license key. Further information about the purpose and restriction of the parameters listed may be found on the manual page for the License view.
Click on the details link of either dialog to go to the options view of the administrative console where device and network options may be changed. Further information about the function of each option may be found on the manual page for the Options view.
At the bottom center of the system dashboard is a dialog that allows the administrator to view the status of the routine backup mechanism, and download the most recent backup of the rXg.
To back up the configuration, simply click on the download link. When clicked, the button will start a download process, resulting in the web browser prompting a download destination for the configuration to the administrator's computer. Save the backup file in a secure location, as the file may contain sensitive information about the end-users of the network that the rXg manages.
At the bottom right of the system dashboard is a dialog that allows the administrator to reboot , shutdown , and reset the rXg.
To prevent accidental shutdown , reboot , or factory reset , a dialog box will pop-up when any of the buttons is pressed asking for a confirmation.
The reboot option will cause the rXg to power cycle. This is useful if the rXg is behaving erratically after an abnormal condition such as overflow of the persistent storage device.
The shutdown option performs a clean power down of the rXg. Using this option is extremely important before disconnecting the power cord to ensure integrity of data.
The factory reset option erases the configuration data stored on the rXg and brings it back to factory defaults. Extreme caution should be used as a factory reset is a destructive and irreversible process. Important data such as the license key and SSL certificate for the rXg should be backed up before executing a factory reset.
Admins
The rXg administrative console implements all five tenets of a trustworthy system. Three of the five tenets (authentication, authorization and non-repudiation) are controlled on this view.
L3 authentication is enabled through the admin ACLs scaffold. By default, no active records are present in the Admin ACLs scaffold. In this default configuration, all devices may access the web administrative console. When an active Admin ACL record is present, the web administrative console may only be accessed by devices specified in the record.
L5-L7 authentication and non-repudiation are enabled through the Administrators scaffold. Each person that is involved with the administration of the rXg must have an independent record in the Administrators scaffold. Using strong login and password credentials enforces authentication. Enforcing administrative protocol to maintain distinct records for each administrator, prohibiting shared role accounts, and prohibiting revelation of credentials between administrators ensures non-repudiation.
Authorization is enabled through the Administrative Roles scaffold. Each administrator belongs to a role, and each role is granted a specific level of access to a subsystem of the rXg administrative console. As with any secure communication mechanism, adherence to proper protocol is of paramount concern to maintaining security. In order to ensure trust, there is no substitute or alternative to creating an individual administrative account for each administrator and using the Administrative Roles scaffold to apply an appropriate policy.
The remaining tenets of information security (confidentiality and integrity) are ensured by the use of SSL to protect communication between the administrator and the rXg. The configuration of the SSL subsystem is on a different view.
Access
The rXg web administrative console supports two access work flows: browser-based access and API-based access. Browser-based access is intended for human consumption and utilizes the login and password credentials configured when the administrator record is created. API-based access utilizes an rXg generated API key and is intended for computer consumption.
Browser-based Access for Human Consumption
Browser-based access is initiated when the operator wishes to access the web administrative console through a web browser to configure and instrument the rXg. To accomplish this, the operator uses a web browser to open the location https://rxg.dns.entry/admin/
. If admin ACLs are in place, the device running the web browser must be listed in order to gain access to the admin login page. Credentials (as defined in the Administrators scaffold) must be specified to continue.
Once credentials are supplied, the web browser is automatically redirected to the Instruments dashboard. The operator may then use the web browser to access the administrative console according to the access restrictions defined by the administrative role that is associated with the administrator.
API-based Access for Computer Consumption
The rXg also supports direct API access to the console web application via HTTP. When an administrator record is created, the API key field is automatically populated with a random string. The operator must pass the generated value of the API key field, as a CGI parameter named api_key
, to the console web applications controllers and actions.
One common use for API-based access is to perform automated backups from a third-party server or workstation. For example, an administrative workstation or server could be configured to periodically run the following command:
curl -O http://rxg.dns.entry/admin/menu/download_backup?api_key=fb9c5e...f6349
API-based access enables the operator to integrate simply with a broad spectrum of possibilities through standard HTTP. Nearly any task that is accomplished via browser-based access with a human present may be automated via API-based access. Some simple tasks are executed by hitting specialized actions with an HTTP GET such as the backup example described above. Most other tasks are executed through the RESTful API.
It is highly recommended that operators create specific accounts for API-based access rather than sharing an account between a human operator and computer automation. This enables the operator to quickly and easily discern between automated and manual requests through the admin log as well as helps keep the system more secure.
Administrators
The Administrators scaffold enables creation, modification, and deletion of accounts for administrators of the rXg.
To ensure authentication and non-repudiation of operator actions, each rXg administrator must have their own individual account protected by a set of strong credentials. Shared accounts and role accounts must be avoided as they represent a breach in security protocol.
The login and password fields are the credentials that identify an individual administrator. No administrators should be aware of the credentials of any other administrator. When creating a new administrator, the password must be entered twice for confirmation.
The service account checkbox, if selected, creates an admin that is used only to generate an API key and does not allow the service account to have access to the admin GUI.
The email field is used as the destination email address for system-generated email notifications. The selection of email notifications that the administrator will receive is governed by the notifications chosen in the administrative role that the administrator is associated with.
The role field defines an authorization policy for this administrator. The permissions for the roles in the list are defined by the Administrative Roles scaffold.
The first name , last name , and department fields are informational fields. They are only used in the Administrators scaffold to identify the administrator.
The public SSH key field is an optional field that the administrator uses to specify the credentials for secure FTP (SFTP) and command-line secure shell (SSH) access to the rXg. To enable SFTP/SSH access to the rXg, the administrator must generate a key pair using an SSH client and place the public key into the field. The key must be at least 4096-bit RSA or stronger. In addition, the administrator must be in an administrative role that has SSH access enabled.
Password authentication through SSH is not supported. Numerous resources are available for those that are unfamiliar withSSH public key authentication. In addition, a good book that covers this subject is SSH, The Secure Shell: The Definitive Guide (ISBN 0596008953) by Daniel J. Barrett, Richard E. Silverman and Robert G. Byrnes.
The API Key is an automatically generated string that is populated when an administrator record is created. The API key may be used by the operator to script operations by supplying the value as a CGI parameter named api_key
to the administrative console web application. The value is determined by the rXg and is not editable through the create and edit actions.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Administrative Roles
The Administrative Roles scaffold enables creation, modification and deletion of authorization policies that govern authenticated administrators within the rXg administrative console.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The SSH checkbox authorizes secure FTP (SFTP) and command-line secure shell (SSH) access to the rXg. Valid public SSH keys must be present in the accounts of administrators for which SFTP/SSH access is desired.
The SMB checkbox authorizes Samba access to the rXg. Must be accompanied by an active SMB Server which contains to the policy or WAN targets which will be accessing the SMB Server.
The API checkbox authorizes access to the rXg admin web interface when providing a member Admin's API Key as the api_key_query parameter or the _apikey HTTP header.
The MFA Option specifies a Multi-Factor Authentication configuration to use for members of this Admin Role. When enabled, Admins must perform MFA when logging into the Admin console. Multi-Factor Authentication is configured in the Multi-Factor Authentication scaffold on this dashboard.
The MFA for SSH checkbox enables Multi-Factor Authentication for this role when logging in via SSH. Admins may perform public key authentication OR password + MFA authentication to access the SSH server. Fallback behavior in the event that the MFA provider is unreachable or has an invalid configuration is controlled within the associated Multi-Factor Authentication scaffold.
Each of the permission sets can be configured to be readwrite , readonly , or none. The readwrite setting allows full access. The readonly setting only allows administrators to view configuration for the section and disallows updates. The none setting does not allow any access to the section.
The master permission authorizes control over global hardware-specific configuration options. Licensing, SSL, configuration backup, and restore are governed by this permission.
The system permission authorizes control over core services and network configuration. Device options, IP addresses, routing, DNS, DHCP, and other configuration options that affect the rXg software as a whole are governed by this permission.
The identities permission authorizes control over configuration and options that affect the authentication of end-users. Management of end-user accounts, groups, definitions and applications are governed by this permission.
The policies permission authorizes control over configuration options that affect the end-user control and communication mechanisms. Configuration of the end-user experience via traffic shaping, HTML payload rewriting, content and packet filtering, etc. is governed by this permission.
The billing permission authorizes control over configuration options and log retrieval for the rXg accounting mechanisms. Management of access and usage plans, download quotas, recurring billing, and other accounting related activities are governed by this permission.
The instruments permission authorizes control over the viewing, manipulating, and downloading of real-time and archival data. Graphing, logs, and all other end-user cognizance mechanisms of the rXg are governed by this permission.
The various options in the notifications section determine which of the automatically generated emails the administrators who are a member of this administrative role receive. The rXg emails correspond to the custom messages configured via the email view of the Services menu.
The rXg emails are primarily used for event-driven notifications. For example, an administrative role for billing support personnel would want to receive failed transaction notifications. Similarly, an administrative role for network engineering would want to receive notifications for event triggers.
The Location Areas field is used to correlate this Admin Roles with that have APs with associated clients whose transactions will be discoverable for this Admin Role, so that Admins within this Admin Role may choose to approve those transactions.
Multi-Factor Authentication
The rXg supports verifying an administrator's identity by initiating Multi-Factor Authentication through a third-party provider. The Multi-Factor Authentication scaffold configures the rXg for multi-Factor Authentication.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The provider dropdown specifies the third-party MFA mechanism to be used for confirming administrator's identity.
The integration key , secret key , and API hostname fields should be completed using information from an application created within the provider's control panel.
The fallback mode determines the behavior that should be used when primary login is initiated, but the provider's service is unreachable or misconfigured. Completing Multi-Factor Authentication from the Admin UI requires that the administrator's device have Internet access, and in the case of SSH access, requires that the rXg have Internet access. If the rXg does not have Internet access, the fallback mode will be used to determine the login behavior.
When configured to allow access , errors with the configuration file or connection to the Duo service will allow SSH login without Multi-Factor Authentication.
When configured to prevent access , errors with the configuration file or connection to the Duo service will deny SSH access. This option is more secure but may result in you being locked out of SSH access to the system, and should be used with caution.
The admin roles selection determines which roles will trigger Multi-Factor Authentication after completing primary authentication.
Multi-Factor Authentication may be enabled for SSH access by enabling the MFA for SSH checkbox when editing an individual admin role. When MFA is used with SSH, the administrator may continue using a public key, if configured, but will fall back to username and password authentication with a Multi-Factor Authentication prompt before completion.
Duo Multi-Factor Authentication
In order to set up Duo Multi-Factor Authentication with the rXg, you will need to login to your Duo account, or create a new account at https://duo.com/
Once you are logged into the admin panel (https://admin.duosecurity.com/), you will need create a new Application to protect, and retrieve your integration key, secret key, and API hostname to be entered into the corresponding fields in the rXg.
To do so, click on the applications link on the Duo Dashboard, and then on "Protect an Application".
Next, search for the term "SDK" and click the protect button for the web SDK Application.
Copy the fields in the application details to the appropriate fields in the rXg
Select the admin roles for which Multi-Factor Authentication should be enforced.
Multi-Factor Authentication may optionally be applied to SSH access. If MFA for SSH is enabled in the admin role, the admin may log into the rXg via SSH by providing a public key OR providing a valid username and password combination. When providing a username and password, a push notification will be sent to the mobile device, or the admin may register by visiting a generated URL (if the Duo application policy allows it).
To configure Duo for SSH navigate to System::Admins and edit the administrative role for which you would like to enable MFA for SSH.
Single Sign-On Strategies
The Single Sign-On scaffold enables use of a centralized identity management store for administrative accounts of the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The role attribute field tells the rXg what user attribute to observe for an admin role assignment. An attribute value received which matches the name of an admin role will apply that admin role to the user.
The admin role dropdown enables the operator to select a fallback admin role. If the role attribute value is blank, or cannot be interpreted, the fallback role is used.
The provider dropdown selects the type of SSO application
The ID and key fields are used to authenticate to a specific application.
The scope field overrides default permissions requested by the app. Entries in the scope field may require an app review.
The alternate redirect hostname enables the operator to override the redirect URL to utilize a different FQDN than is configured on the rXg. This requires a DNS record pointing to the node and should fall under an existing wildcard certificate.
The button text field allows the operator to override the default text displayed within the button on the administrative portal login screen.
The IdP metadata URL (Identity Provider) can be used to import the SSO URL and certificate fingerprint of the remote identity provider. If the IdP provides this URL, the rXg will try to import the remaining fields.
The IdP SSO URL is provided by the identity provider as the URL to redirect logon requests to.
The IdP SLO URL is optionally provided by the identity provider as a URL to redirect log-off requests to.
The IdP cert fingerprint enables the operator to provide a SHA1 fingerprint of the identity providers certificate, for validation. Leaving this field blank disables certificate validation.
The SP EntityID (Service Provider) field enables an operator to override the default EntityID of the rXg. The default value is the active FQDN defined under System::Options::Device Options
.
SMB Servers
The SMB Servers scaffold configures the rXg integrated SMB file sharing server. The rXg exposes several aspects of the onboard filesystem as SMB shares including, but not limited to, the portals, logs, backups, and TFTP datastores.
The rXg SMB share is accessible via the UNC \ip.address.of.rxg\datastore. For example, if the rXg IP address is 192.168.5.1 and the operator desires to modify the captive portal, the appropriate UNC is \192.168.5.1\portals. Datastores are appropriately flagged as read-only or read-write depending on their nature. For example, logs and backups are read-only whereas the portals and TFTP datastores are writable. The following named shares are available: admin login - the admin's home directory; "backups" - routine backups (read only); "logs" - raw log files (read only); "portals" - custom portals (read/write); "tftp" - TFTP boot directory (read/write);
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
IP layer access control to the SMB file sharing mechanism is controlled by the policy and WAN target fields. LAN access to the SMB shares must be initiated from an IP address that is a member of a group listed in the policy linked to the SMB server. WAN access must be initiated from an IP address that is listed in a linked WAN target.
User layer access control is configured via the administrator accounts configured on the system. The operator must supply a valid administrator account login and password that is linked to an administrative role with SMB enabled in order to access the SMB file shares.
Admin ACLs
The Admin ACLs scaffold enables operators to configure L3 access restrictions to the web administrative console. Since L3 ACLs take effect before L5-L7 credentials may be presented, the Admin ACLs are typically used to restrict access to the web admin console to a set of known devices. This helps thwart dictionary attacks against the L5-L7 authentication mechanism of the web administrative console.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The WAN targets and policies fields specify which sets of hosts should be allowed access to the web administrative console. By default, all devices are allowed access to the web administrative console. When an active record in the web admin console ACLs exists, then access to the web administrative console is restricted on L3 to the specified hosts.
It is extremely important to be careful when creating a web admin console ACL. Incorrect data entry may disable administrative access and may be unrecoverable. Once an admin ACL is active, the operator must specifically list hosts to be granted access on the WAN by creating WAN targets and enabling the appropriate check boxes. Hosts on the LAN may be granted access by placing the hosts into a group and then linking them into a policy selected here.
RADIUS Realms
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The read role from class field allows you to override the selected default Administrative Role.
The administrative role drop down box allows you to specify the default administrative role for admins tied to the Radius Realm. For example, if an admin logs in and the read role from class box is unchecked, all admins will be tied to the role specified here; if read role from class is checked but the role doesn't match, the role specified in administrative role will be applied.
The encoding drop down lets the operator specify between PAP , CHAP , and MSCHAP.
The servers field allows you to specify the Radius Realm Servers the realm(s) authenticates against.
Using the Request Attribute settings, the operator can specify which attributes will be sent to the Radius Server.
Send NAS-IP-Address attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user. This can be set to use Uplink IP of the rXg, or it can be specified using the NAS-IP-Address field.
The operator can Send Called-Station-ID , this can be set to use the uplink MAC or the operator can specify using the Called-Station-Id field.
The operator can send a NAS-Identifier. If the use domain name box is checked it will send the active Device Option's domain name as NAS-Identifier , or the operator can manually set a static NAS-Identifier using the NAS-Identifier field.
The operator can send the NAS-Port. If Use client VLAN is checked, the VLAN tag of the client will be sent as NAS-Port, or 1 if untagged. The NAS-Port field will manually set static NAS-Port.
When Send NAS-Port-Type is checked, the operator can specify the type by using the NAS-Port-Type dropdown and selecting from the list.
When Send requesting node IP is checked, requesting node IP attribute can be selected from the drop-down box.
When Send requesting node MAC is checked, the requesting node MAC attribute will be sent and can be selected from the drop down box.
RADIUS Servers
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field dictates the order servers are tried, where highest is first.
The host field is the RADIUS service IP address or domain name.
The secret field is the RADIUS shared secret.
The port field is the RADIUS service port (Default 1812).
The accounting port field is the RADIUS Accounting service port (Default 1813).
The tries field is the number of failed tries before moving on to the next least priority server.
The timeout field is the number of seconds per try to wait for a response from the server.
The realms field lets the operator select which Realms will be tied to the RADIUS Server.
TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available.
TACACS+ Realms
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The service name field is used to specify the custom TACACS+ service name.
The role attribute field is used to specify the custom TACACS+ authorization attribute to map to an administravite role name.
The administravite role drop down box allows the operator to specify the fallback role when the server does not provide the name of an existing role.
The operator can specify the TACACS+ servers to use the TACACS+ Realm by selecting servers in the servers field.
TACACS+ Servers
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field dictates the order servers are tried, where highest is first.
The host field is the TACACS+ service IP address or domain name.
The port field is the TACACS+ service port (Default 49).
The encoding drop down lets the operator specify between PAP, CHAP, and MSCHAP.
The secret field is the TACACS+ shared secret.
The tries field is the number of failed tries before moving on to the next least priority server.
The timeout field is the number of seconds per try to wait for a response from the server.
The realms field lets the operator select which Realms will be tied to the TACACS+ Server.
Backup
The Backup view presents the dialogs and scaffolds associated with creating backups, automated push-based remote backups, and restoring backups of the rXg.
Backup is a critical aspect of network continuity. Proper backups enable the RGN operator to quickly and easily recover from a rXg hardware failure. In addition, the rXg backup and restore mechanism enables operators to quickly replicate a rXg configuration across a fleet of rXgs.
The rXg supports operator initiated on-demand backups as well as rXg initiated periodic scheduled backups. On-demand backups are initiated via a dialog presented on the Backup view. Periodic backups are configured via the Routine Backups and Backup Servers scaffolds.
On-demand and Pull Backup
The operator may initiate a backup at any time via a dialog present on the Backup view. Backups always include the configuration of the rXg. Backups may optionally include custom portals, graph databases, and/or historical data by selecting the appropriate checkbox.
The on-demand backup mechanism may also be used by an operator as part of a pull backup system. The most common use case for this is when an operator wishes to have a server periodically initiate a backup. For example, a UNIX server that has cron and curl might be configured with the following crontab:
30 4 * * * curl -O https://rxg.host/admin/menu/download_backup?api_key=a...123
30 5 * * * rm -f `ls -ot | head -10`
The value for the api_key parameter is obtained from the Admins view. It is highly recommended that the operator creates a specific account for the purpose of enabling pull-based backup on both the rXg and the backup server. There are two additional parameters that may also be present in the URL:portalsWhen set to 1, custom portals are included in the backuprrdsWhen set to 1, graph databases are included in the backupThe two parameters mirror the check box options that are present in the dialog box. The configuration of the rXg is always included in the backup. If the operator wishes to be explicit, the parameterconfig=1
may also be passed.
Scheduled and Push Backup
The rXg supports scheduled backups that are stored on the local persistent storage device, pushed to external servers, and other rXgs. Backup schedules are determined by routine backup records. External servers that will receive push-based backups are configured via backup server records.
Routine Backups
Entries in the Routine Backups scaffold configures the schedule according to which the rXg will perform automated system backups.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The frequency field specifies the execution frequency of the automatic backup defined by this record.
An rXg routine backup will be limited to the configuration of the system by default. Routine backups may include the installed custom portals , recorded graph databases , and recorded historical data by selecting the appropriate check boxes.
The number of backups to keep on the rXg configures the length of the FIFO storage queue. The rXg creates and stores new backups on the rXg persistent storage mechanism according to the schedule defined by this record. When the number of stored backups reaches the value specified in this field, the rXg deletes the oldest stored backup.
The backup servers field associates this routine backup record with a remote server to which the backup will be pushed. The specification of a backup server is optional. The default behavior when no backup server is specified is to store the backup file on the local persistent storage.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Backup Servers
Entries in the backup servers scaffold contain the configuration data needed to establish a file transfer to a remote server for the purpose of pushing a backup file created by a routine backup.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The protocol field specifies the application layer protocol that will be used to transport the file.
The host field specifies the DNS name or IP address of the server that will be the destination of the file transfer.
The username , password , and SSH private key fields contain the authentication credentials for the server specified in the host field. When the FTP protocol is selected, only the username and password fields are relevant. When the SFTP protocol is selected, the operator may choose to use either password or public-key based authentication. Public-key authentication is enabled by copying and pasting a key into the SSH private key field and entering the key passphrase into the password field.
The path field specifies the destination on the remote filesystem for the backup file that is being pushed. The location specified by the path field must exist or the routine backup will fail. If the path is left blank, the default path on the server will be used as the destination on for the backup file.
The port field specifies the TCP port that will be used when a connection is made by the rXg to the server specified by the host field. If the port is not specified, port 21 is used for FTP and 22 is used for SFTP.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Receiving Backups
A secondary warm spare rXg may be configured to receive push backups from a primary active rXg. This mechanism enables operators to rapidly recover from rXg hardware failures. If the primary active rXg hardware fails, the operator simply logs into the secondary warm spare rXg and initiates a restore. The secondary warm spare rXg will then immediately take over the operation of the primary active rXg. This mechanism is most often as a redundancy solution for rXg cluster controllers.
To configure an rXg to receive backups, create a backup server on the primary active rXg. Configure the following settings in the new backup server record:
ProtocolSFTPHostDNS entry of the secondary warm spare rXg.Usernamebackup
SSH private keyThe SSH private key from the secondary warm spare (a 4096-bit RSA key or stronger is required).All other fields may be left as their default. The SSH private key for the secondary warm spare rXg may be found on a dialog in the Backup view.
The backup server must be associated with a routine backup record that defines the transmission frequency of backups from the primary active rXg to the secondary warm spare rXg. Backups from the primary active rXg are displayed in the restore dialog of the secondary warm spare rXg.
Restore
An rXg may be restored with a backup that is uploaded by the operator or that is chosen from one or more that are stored on the local persistent storage. A dialog on the Backup view is presented to accomplish this task.
To restore a backup that has been previously created via a pull mechanism, use the file chooser dialog to select a rXg backup file that is accessible via the administrator's workstation. To restore a backup that has been previously created via a local routing backup or remotely pushed to the rXg, select a backup from the drop down.
If no local routine backups or remotely pushed backups are present on the rXg persistent storage, then the option to select a file stored on the rXg will not appear.
When restoring a backup, it is important to note that the rXg will maintain the license that is present on the rXg. Furthermore, when a backup is restored to a rXg that does not have the same Ethernet interfaces, the restore mechanism enables the operator to reconfigure the interfaces before the rXg comes online. This behavior enables operators to use a single rXg to build a configuration template that may be replicated across a fleet of rXgs.
Keep in mind that the flexibility of the backup and restore mechanism must be used in a reasonable manner. In general, the backup and restore mechanism is designed for similar machines. Restoring a secondary warm spare rXg that has fewer capabilities than a failed primary active rXg will likely result in disastrous consequences.
Config Templates
Entries in the Config Templates scaffold provide the ability to configure the rXg with YAML configuration files.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
You can either paste in your configuration template into the config field, or you can load one from either a local file with the upload file field or a remote file with the remote URL field. If the remote URL requires basic authentication, then use the username and password fields.
The apply template field applies the config template immediately after saving.
The recurring method field instructs the backend to regularly fetch the file at the remote URL and apply it on a schedule.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Configuration Syntax
The top-level YAML object must be a key-value store (also called a hash, map, or dictionary) or an array of key-value stores. There are two types of top-level keys in the YAML configuration template: model/scaffold keys and smart keys.
Model keys (or scaffold keys ) are entries in the YAML template which create/modify entries in the database. These keys are based on the underlying ActiveRecord models, or scaffolds. You may use the PascalCase
or snake_case
version of the scaffolds (e.g., AdminRole
, admin_role
, or admin_roles
); however, the PascalCase
version ensures you don't conflict with a smart key. Fields are always written in snake_case
.
For example, to add an administrator:
Admin:
- login: my_admin
password: 'testPassword1!'
password_confirmation: 'testPassword1!'
admin_role: Super User
ssh_keypairs:
- name: my_admin authorized public key
public_key: 'ssh-rsa AAAA...Q=='
authorized: true
If you wanted to edit an existing record, ensure that the lookup field is defined first. For example, to set the time zone:
DeviceOption:
- name: Default
time_zone: America/Chicago
Smart keys are snake_case
entries in the YAML template which, in addition to creating entries in the database, perform some other operations. An example of this is the license_key
. It is not enough to just create the entry; the backend also needs to process the key so the licensing limitations are removed. Otherwise, (for example) if later in the config template, the operator tries to set the Uplink to 1Gbps, the licensing limitations would not allow this until the backend processed the new license key. To set the license_key
in a config template:
license_key: |
abcdQabcduUzuo5IxtjuDabcdx6zVfEgnjl30Q4lDiabcdpCYmNrQa5x
...
xKdOy1PabcdHydNCvs5CU5JLRabcdn0yHZIpv6FvDxFdmku7XiDEGuI=
Advanced Usage
Top-Level Data Structure
If your top-level data structure is a hash, then you cannot replicate keys, or they will overwrite one-another. So, to organize your config template to support duplicate keys, you need to use an array as your top-level data structure:
# configure management network
- Address:
- name: mgmt
cidr: 10.0.0.1/24
- Vlan:
- name: mgmt
interface: igb3
tag: 4
addresses: mgmt
# configure onboarding network
- Address:
- name: onboarding
cidr: 172.16.0.1/23
- Vlan:
- name: onboarding
interface: igb3
tag: 5
addresses: onboarding
Nested Associations
Rather than creating associated records in their own keys, you can also nest the associations, like so:
Address:
- name: mgmt # configure management network
cidr: 10.0.0.1/24
create_dhcp_pool: true
vlan:
name: mgmt
interface: igb3
tag: 4
- name: onboarding # configure onboarding network
cidr: 172.16.0.1/23
create_dhcp_pool: true
vlan:
name: onboarding
interface: igb3
tag: 5
Notice that this pattern is more concise and readable, and naturally groups associated records together, without having to convert your top-level data structure into an array.
Custom Lookups and Mutating Records
Normally, the first key/value pair under a model key will be used to lookup the record. For example, to edit an admin's role, you can do this:
Admin:
- login: someuser
admin_role: Super User
However, suppose you wanted to edit a user's login. Then you should use the special _lookup
field:
Admin:
- _lookup:
login: sumusr
login: someuser
Only Update Existing Records
Typically, when a config template is run, the rXg will look up an existing record and modify it, or attempt to create a new record if there is no existing record.
Sometimes you may wish to only update an existing record if it is found and never create a new record. To do this, you may use the special _update
field:
AccountGroup:
- name: test
priority: 5
_update: true
- name: test2
priority: 7
_update: true
The template above would look for existing account groups with the name "test" and "test2" and update their priorities as needed. If the groups do not already exist, they will not be created, and the template will fail and be rolled back.
Delete Existing Records
A config template that contains an _delete
key can be used to delete an existing record. See the following example:
Admin:
- login: testadmin
_delete: true
The template above would look for an existing administrator account with the name "testadmin" and delete the administrator if it does exist.
Association Lookups
When defining a nested association, normally you can just provide a string with a "natural key", which usually refers to the name
field on the associated record. There are exceptions for models which don't have aname
field, such as the Admin
model, and for those we try to use the most sensible field (login
in the case of theAdmin
model). However, you can also provide a full record definition, for which the normal rules apply (first key/value pair will be used for lookup), and you can even provide a nested custom _lookup
field. If the record doesn't exist, it will be created, assuming you provided all the required fields.
Supported Model/Scaffold Keys
We are not going to enumerate the model keys, since they map directly to scaffolds. You can refer to the rXg API documentation, or you can SSH into the rXg and run console
to inspect the various models.
ActiveRecord models should generally be referenced using theirPascalCase
name, to ensure you are not accidentally using a smart key. However, to accommodate flexibility, you may also use thesnake_case
version of the model name in your config template.
Supported Smart Keys
license_key
Configure the system with the provided license key. This key only takes a single string as an argument, but you do need to use YAML formatting to send multiple lines. For example:
license_key: |
abcdQabcduUzuo5IxtjuDabcdx6gnjl30Q4lDiabcdpCYbK4VmNrQa5x
...
xKdOy1PabcdHydNCvs5CU5JLRabcdn0yHZIpv6FvDxFdmku7XiDEGuI=
Use Config Template to Bootstrap New rXg Installation
Prerequisites
- USB Drive containing bootable rXg image
- USB Drive containing config template YAML file Procedure
- Insert bootable USB drive into machine and follow normal rXg installation procedure
- After installation has completed and machine is rebooting, remove bootable USB drive.
- Insert USB Drive containing config template YAML file.
- Do not create an admin user
- rXg will automatically scan the USB drive for YAML files, and apply them as a config template.
Use Cases
- Bootstrap an initial installation with license and all Admin Users and Roles already created
---
license_key: "CVBB/4+t7KfT7mwgg+VqhnCusC5SCdF7o+jMeK4U82yV343JSAE0sWnc1F6V\n
/0RrJON/unT2XMvAwZXMKxbpdpYIC3WHcaqw24vaqGl2QNFxrj6KDvo5CJ9P\n
hj8aPuU7zX4nrUjQEEYU25lOa/Y/cVdS+jh+Gd3iopB5+/CEuBfSVcKIRSx1\n
EpDV0l58/0WXkDL1WBgumfviduVzrPyebA26+yjGlRsdlMbuQLWcE0qaiJDJ\n
aJI8cAbz2ehD7bTfVv65Tg4swAEKuENNxO9qIY8v7SALAshAhi6ONZcja32u\n
YjZSWk51GZuUdkbRxPdddebprB1Ab1/d7Ob0utFBhfh+OQVSqr7pVynNaRpv\n
P9YXdq86dflyUQ+dGnKZmtrogMFINj8Rv8k7RD6Slp644tZ9YDaDH4AGCFPs\n
xRzNXfDLhgCMyx7t9VHwCXsTHzsaFxhNFD77qHTyAf4rEkPJQTGuxC2VN46F\n
SmTMLztNJxKz7ud0Y9mQVrVr+24R+bNwT83jlYwx9a/YIgF3+oE1eZpXgK3F\n
z+BP0Ey5R5MClNxE+FEtH7/KYpY0iufb1Y9lUcelw9ppmNJNVcEG/OmJzy40\n
3phGQLMbRw7r2v+VMiBvRJRqsdY0EFoPa2PxWhWQNJeWCCAQODi239PfBcCG\n
JCQMedN0fyi8RtZuibWHZfFOXYJo1mJA202/4W/TPxfL2HoZeZuZ6AjB9iqP\n
ji2DFOLVhfHo4t8L4ZfEtu/TAtxhgUjTQ9St26+SB21P5VSmt7V31IIeBSco\n
+vM61bCObLdlapA9dalqBARDqTmjLAn+jgEh6sQ8oe655tK4M7Dd2RLN0VO+\n
nTxHa5/He2c5ROKG8HWrs4Vj0sZQknfyIkStyYUolI66DSKU2VbUImEJ4Y5v\n
8HlSXZjCQ7SbC+v3VUWI83akAX9hhKpxp2NDWlk77gwRkvmX9fpb/wwBENmH\n
eOIWqYlXYoRYNWTo5x327fzwv6bUv0tYSIk1eQ0xArzF546O1MX0C2T/5ptf\n
zTEmB/IJgQ3NTZRP+yFGOVim3SV05/0hJBsykkUt+Ked3Xpa7RsUQeT8pyMq\n
1ggtm66+M+jTFl7SsHemrc3vzQu/OUrGMEgeNaHO1Dx9KLn1p5CQumhkrSUN\n
Lzd+mSUnxOkD+fOLDduNRX9mSG8zTQz8GYF2+pqx2BAnzUxjrUs+HBpfSvlU\n
4USn6LYVtDyoBPpL"
AdminRole:
- name: RG Nets
system_permission: readwrite
policies_permission: readwrite
identities_permission: readwrite
instruments_permission: readwrite
ssh_enabled: true
master_permission: readwrite
billing_permission: readwrite
archives_permission: readwrite
conference_mode: admin
custom_emails:
- Health Notice Create (notification)
- Health Notice Cured (notification)
- name: WebGUI Only
system_permission: readwrite
policies_permission: readwrite
identities_permission: readwrite
instruments_permission: readwrite
ssh_enabled: false
master_permission: readwrite
billing_permission: readwrite
archives_permission: readwrite
conference_mode: admin
custom_emails:
- Health Notice Create (notification)
- Health Notice Cured (notification)
Admin:
- login: rg
first_name: Romeo
last_name: George
email: [email protected]
crypted_password: "$2a$11$NRMhuaklja/lksdjfglhkUe9Y/GP0jceg6hZRYDrbLufnO0Y2ZN4tO"
admin_role: Super User
company: RG Nets
preferred_contact: email
ssh_keypairs:
name: ndk authorized SSH key
public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAgYhNrfb8Kncs1H7fHc1AhEJzgQ......
authorized: true
- login: dgray
first_name: Dorian
last_name: Gray
email: [email protected]
crypted_password: "$2a$11$Dpl1oXpIv9r3yt5mATWujeDQ255NuQ8L0edjAKGuox3ByAO7y2lUK"
admin_role: WebGUI Only
Integrating with Ansible
Ansible is an automation engine that can automate configuration management, deployment, and many other IT needs. Ansible relies on OpenSSH, making it very lightweight and secure. Furthermore, Ansible does not require any remote agent for configuration management. By utilizing the rXg config template mechanism, Ansible can automate tasks across many installations.
Procedure
- Install Ansible on a host machine. See Installation Guide.
- Create Hosts file "/etc/ansible/hosts"
- Populate hosts file (here I create a group called lab, and add my host to it).
lab:
hosts:
lab.rgnets.net:
production:
hosts:
production.rgnets.net:
- Ad-Hoc Ping all hosts
ndk@MBP ansible % ansible all -m ping
[WARNING]: Platform freebsd on host production.rgnets.com is using the discovered Python interpreter at
/usr/local/bin/python3.7, but future installation of another Python interpreter could change this. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. **production.rgnets.com | SUCCESS =\> {**"ansible_facts": {
"discovered_interpreter_python": "/usr/local/bin/python3.7"
},
"changed": false,
"ping": "pong"
}
[WARNING]: Platform freebsd on host lab.rgnets.com is using the discovered Python interpreter at
/usr/local/bin/python3.7, but future installation of another Python interpreter could change this. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. **lab.rgnets.com | SUCCESS =\> {**"ansible_facts": {
"discovered_interpreter_python": "/usr/local/bin/python3.7"
},
"changed": false,
"ping": "pong"
}
- Ad-Hoc Ping all hosts in 'lab' group
ndk@MBP ansible % ansible lab -m ping
[WARNING]: Platform freebsd on host lab.rgnets.com is using the discovered Python interpreter at
/usr/local/bin/python3.7, but future installation of another Python interpreter could change this. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. **lab.rgnets.com | SUCCESS =\> {**"ansible_facts": {
"discovered_interpreter_python": "/usr/local/bin/python3.7"
},
"changed": false,
"ping": "pong"
}
- Ad-Hoc copy a file to all hosts in 'lab' group
ansible lab -m copy -a "src=/etc/ansible/test.yaml dest=~/"
- Create an Ansible "Playbook". In Ansible, a playbook is a list of "plays". Plays are a collection of Ansible modules, or tasks to execute against one or more remote machines. In this example, we will utilize two "plays":
template
which is used to copy a file from our Ansible host to the desired rXg, andshell
to execute a command on the rXg.
- Create a rXg config-template YAML. Example:
admins.yaml
Admin:
- login: dgray
first_name: Dorian
last_name: Gray
email: [email protected]
crypted_password: "$2a$11$NRMhuglh/HgEvB3Um2skUe9Y/GP0jceg6hZRYDrbLufnO0Y2ZN4tO"
admin_role: Super User
- Create an Ansible "Playbook" YAML. Example:
adminmgmt.yml
---
- hosts: lab
tasks:
- name: Copy Admins YAML to host(s)
template:
src: /etc/ansible/admins.yaml
dest: ~/admins.yaml
- name: Apply the YAML as a config-Template
shell: "/space/rxg/rxgd/bin/apply_template ~/admins.yaml"
register: apply_template_output
- debug:
var: apply_template_output
- Execute the Ansible Playbook:
ndk@MBP ansible % ansible-playbook adminmgmt.yml
PLAY [lab] ***************************************************************************************************************
TASK [Gathering Facts] ***************************************************************************************************
[WARNING]: Platform freebsd on host lab.rgnets.com is using the discovered Python interpreter at
/usr/local/bin/python3.7, but future installation of another Python interpreter could change this. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
ok: [lab.rgnets.com]
TASK [Copy Admins YAML to host(s)] ***************************************************************************************
ok: [lab.rgnets.com]
TASK [Apply the YAML as a config-Template] *******************************************************************************
changed: [lab.rgnets.com]
TASK [debug] *************************************************************************************************************
ok: [lab.rgnets.com] => {
"apply_template_output": {
"changed": true,
"cmd": "/space/rxg/rxgd/bin/apply_template ~/admins.yaml",
"delta": "0:00:07.626886",
"end": "2020-04-01 12:04:32.647933",
"failed": false,
"rc": 0,
"start": "2020-04-01 12:04:25.021047",
"stderr": "/space/rxg/console/vendor/bundle/ruby/2.6/gems/activesupport-4.2.11.1/lib/active_support/core_ext/....
"stderr_lines": [
"/space/rxg/console/vendor/bundle/ruby/2.6/gems/activesupport-4.2.11.1/lib/active_support/core_ext/object....
"Creating new ConfigTemplate with name Generated by ndk at Apr 1, 12:4 PM"
],
"stdout": "INFO : Initiated Apr 1, 12:04 PM",
"stdout_lines": [
"INFO : Initiated Apr 1, 12:04 PM"
]
}
}
PLAY RECAP ***************************************************************************************************************
lab.rgnets.com : ok=4 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Certificates
The Certificates view enables the operator to manipulate the cryptographic keys that are used in conjunction with rXg services that employ public key cryptography.
Cryptography in the form of transport layer security via SSL and IPsec protocols is present in several rXg services to ensure the privacy and integrity of the data being transferred. The RADIUS server, IPsec VPN concatenator, and of course, the web multiplexer that serves the captive portal and administrative console all require asymmetric cryptographic keypairs. The creation, import, and export of keypairs is accomplished by manipulating the Certificates scaffold.
The rXg web multiplexer and RADIUS server employ transport layer security (TLS) in the form of the SSL protocol. The VPN concatenator conforms to the IPsec protocol. Both TLS and the IPsec protocol suites incorporate signed certificates as part of their trust mechanisms. The Certificate Signing Requests scaffold enables the operator to generate trusted third-party certification requests. A trusted third-party signature is required for the certificate used by the web multiplexer to serve a captive portal in a production environment.
Third-party Signatures
Operation of an rXg served captive portal requires at least one administrator to have working knowledge of public-key cryptography and TLS/SSL. In particular, an administrator must be familiar with the process of obtaining a signed SSL certificate. This process must be repeated periodically since signed SSL certificates have a limited life time.
There are many references available on the Internet that provide detailed information about howpublic-key cryptographyworks as well as specific information about thetransport layer security protocol. Practical Cryptography (ISBN 0471223573) by Niels Ferguson and Bruce Schneier provides an excellent overview of this subject. Network Security with OpenSSL (ISBN 059600270X) provides detailed step-by-step instructions on the process of generating certificate signing requests as well as obtaining and installing third-party signed certificates.
To obtain and install a signed SSL certificate for an rXg:
- Choose a domain name for the rXg.
- Configure your DNS server to resolve the chosen domain to the WAN address of the rXg.
- Set the domain name in the Device Options scaffold.
- Click on the create new action on the Certificate scaffold. A drop-down dialog will appear.
- Enter a name for the new key chain. A good choice for the name of the new key chain is the domain name that you have chosen.
- Leave all other fields blank (except note if you have a note). The rXg will automatically generate a private key.
- Click the create button.
- Click on the create new action on the Certificate Signing Requests scaffold. A drop-down dialog will appear.
- Give the new CSR a name.
- Choose the certificate key chain that was created in the previous step.
- Completely fill out the form.
- Choose the appropriate option to generate a CSR for a trusted third-party to sign. Do not use the self-sign or local CA options as this will automatically create a certificate that is not automatically trusted by most browsers.
- Click the create button.
- A CSR will now be shown in the Certificate Signing Requests scaffold. Send the CSR to a trusted third-party signer to obtain a signed certificate to load into the rXg.
- Copy the CSR out of the list or show view of the certificate signing requests field into the clipboard.
- Contact a trusted third-party SSL certificate signer such asGo Daddy. Paste the CSR from the clipboard into the appropriate form along with payment.
- If the signer gives a choice of formats, choose X509 PEM, Apache, mod_ssl, or OpenSSL, as the rXg SSL web multiplexer is compatible with all of the above formats.
- Contact your domain administrator to authorize certificate issuance by clicking on a URL in an email sent by the third-party signer.
- Open the signed certificate and intermediate certificate(s) using a text editor such as WordPad, TextEdit.app, or vi.
- Edit the key chain record in the Certificates scaffold. Copy and paste the certificates into the appropriate fields in the record.
- Enable the key chain by setting on the check box next to the active field and clicking the update button.
- Wait for the web server to restart. When the web server comes back up it will be using the signed certificate.
Local CA Signatures
The Certificate Signing Requests scaffold also enables the operator to sign certificates using the rXg integrated certificate authority. This feature is typically used in conjunction with the IPsec concatenator to issue client certificates for IPsec host-to-site connectivity with the rXg. The rXg integrated certificate authority may also be employed as a powerful revenue generation tool. Operators with wireless distribution and access networks that have open connectivity at locations with high transient traffic are particularly suited to using the integrated rXg local certificate authority as a revenue generation mechanism.
In a typical usage scenario, one or more usage plans are created with misc. items specifying an additional charge for a secure connection. The captive portal is then configured to create a new certificate linked to a local certificate authority when these plans are purchased. In addition, the portal creates a new certificate signing request that is set to automatically sign chain with the local certificate authority. The portal would then present the certificate for the local CA, as well as the private key and signed certificate from the newly created certificate. Thus, an operator can generate significant additional revenue without any intervention once the configuration of the rXg and portal is established.
To setup a local certificate authority and begin signing certificates , use the following procedure:
- Click on the create new action on the Certificate Authorities scaffold. A drop-down dialog will appear.
- Give the new CA a name. Use a name that reflects the purpose of the CA, for example "CA for VPN."
- Fill out the C, ST, L, O, OU, CN, and email fields appropriately. The information listed here should reflect your actual organization. The information in the fields is meant to allow the recipient of the certificate a method to contact the owner and confirm validity of the key.
- Click the create button. You now have a local CA that may be used to sign certificates.
- Click on the create new action on the Certificate Key Chains scaffold. A drop-down dialog will appear.
- Enter a name for the new key chain. A good choice for the name of the new key chain is the name of the device for which it will be issued (e.g., "VPN srv CKC", "VPN client CKC 1", etc.)
- Select the CA that we just created in the previous step, which is "CA for VPN" if you followed our example.
- The rXg automatically populates the server field.
- Leave the intermediate and certificate fields blank.
- Click the create button.
- Repeat the steps above. At least two key chains (one for the rXg and one for the client) are needed to support most applications such as the IPsec VPN.
- Click on the create new action on the Certificate Signing Requests scaffold. A drop-down dialog will appear.
- Give the new CSR a name.
- Choose from one of the certificate key chains that were created in the previous step ("VPN src CKC" and "VPN client CKC 1" if you followed our example).
- Completely fill out the form.
- Choose the appropriate option to generate a CSR and sign with linked local Certificate Authority. The CA that was generated in the first step and linked in the second step will be used to sign the certificate.
- Click the create button.
- Repeat the steps above. At least two key chains (one for the rXg and one for the client) are needed to support most applications such as the IPsec VPN.
- Export all of certificates that we have just created along with the private key for the client so that they may be loaded into the client software. Specifically, you need to copy and paste the following items into files that must be copied onto the client:
- The certificate field from "CA for VPN"
- The certificate field from "VPN src CKC"
- The certificate field from "VPN client CKC 1"
- The server field from "VPN client CKC 1"
The procedure for installation of certificates and private keys onto the client device is highly dependent upon the client device software. The vast majority of client software will have a certificate manager with specific keystores for CA certificates, regular certificates and private keys. For example:
In the client software shown above, the operator must combine the contents of the certificate and server fields from "VPN client CKC 1" into a single file before importing with the "PEM/DER encoded certificate with private key" option. This may be accomplished by copying and pasting both sets of data into a text editor and saving the file. The "VPN srv CKC" certificate must be imported using the "PEM/DER encoded certificate without private key" option. The "VPN CA" certificate must be imported with the "PEM/DER encoded CA certificate" option.
The rXg integrated certificate authority may be used to support an unlimited number of clients. The same procedure as described above (omitting step #1) is used to create certificates and keys for additional clients. Once the certificate authority is set up, automating the creation of certificates for clients is very easy. For example:
ca = CertificateAuthority.find_by_name('VPN CA')
ckc = SslKeyChain.new
ckc.certificate_authority = ca
cc.save!
csr = CertificateSigningRequests.new
csr.SslKeyChain = ckc
csr.country = 'US'
csr.state = 'NV'
csr.locale = 'Reno'
csr.organization_name = 'RG Nets'
csr.common_name = 'vpn.rgnets.com'
csr.email_address = '[email protected]'
csr.sign_mode = 'ca'
csr.save!
If the code above were to be included in a customized portal, the country, state, locale, organization, etc., should be changed to reflect the operator. The certificates that the end-user would need to install may be presented in a portal view using the Ruby code shown below: Server Certificate <%= SslKeyChain.find_by_name('VPN srv CKC').certificate %>
CA Certificate <%= ca.certificate %>
Client Certificate <%= ckc.certificate %>
Client Private Key <%= ckc.server_key %>
Integrating and fully automating the generation of client certificates is a simple way to provide an IPsec VPN premium service offering. The IPsec VPN offering may be marketed as a wireless security mechanism, a remote access mechanism, or both at the same time. See the IPsec documentation for more details.
Active Certificate
The Active Certificate dialog at the top of the Certificate view presents a scrollable view port that contains the certificate currently in use. The details of the certificate are presented in text format. The certificate itself, in PEM format, can be found by scrolling to the bottom of the view port.
Certificates
The Certificate Key Chains scaffold enables the operator to manage the public and private keys used to ensure privacy and integrity of communication between the administrator and the operator.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
If no keychain is set active, the rXg uses a self-signed keychain for bootstrap purposes. The bootstrap keychain is completely unsuitable for production environments. The captive portal will behave erratically when used with the self-signed bootstrap keychain. Replace the bootstrap keychain with one that has a certificate signed by a reputable trusted third-party signer immediately.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The server key algorithm dictates what algorithm is used for the private key of the certificate. When creating a certificate for the purpose of OpenRoaming RadSec, the key algorithm must be secp384r1
The certificate authority field associates this record with a local certificate authority. This field is optional and should be left blank if a trusted third-party will be used to sign this certificate. When this field is set, the linked certificate authority will be used to sign the certificate chain if a certificate signing request is created with a request for a local signature.
The server field contains the private key part of the keychain. In most cases a new keychain is created when the operator expects the rXg to generate the key. In this case, please leave this field blank when creating a new keychain to have the rXg automatically generate a private key. When installing a chain that was generated and/or signed elsewhere, this field must be populated with the server private key in PEM format.
The intermediate field contains the certificate(s) issued to the trusted third-party signer by a trusted root certificate authority. In most cases, this field must be populated with an intermediate certificate that can be downloaded from the website of the trusted third-party signer.
The certificate field contains the certificate issued to the domain administrator by the trusted third-party signer. This field must be populated with a signed certificate before the certificate chain may be made active. If the operator generates a CSR with a local certificate authority signature, this field will be populated with the signed certificate automatically.
Certificate Signing Requests
The Certificate Signing Requests scaffold enables the administrator to generate X.509 public key signing requests for submission to trusted third-party signers.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The certificate field chooses a key pair for which to generate the certificate signing request.
The certificate identification fields are used to identify and describe the organization making the certificate signing request. It is extremely important to be very careful when entering the data in the following fields. If a trusted third-party signer is used to sign a certificate, it may choose to validate each of the fields with arbitrarily high precision. If a local CA is being created, the end-users who will load the CA cert may choose to verify the trustworthiness of the CA based on the data in these fields.
The country code field is the ISO 3166-1-alpha-2 country code of the requesting organization.
The state field is the state or province of the requesting organization.
The locality field is the city or town of the requesting organization.
The organization field is the company name of the requesting organization.
The organizational unit field is the section or division of the requesting organization.
The common name field is the fully qualified domain name of the rXg. This field must match what is set in the active device option.
The email address field is a contact email address for the requesting organization.
When creating a RadSec certificate for the purpose of WBA OpenRoaming, there are a few considerations that must be met:
- The certificate's Server key algorithm must be secp384r1
- The key usage must be set to client+server.
- The Organizational Unit (OU) must be set to WBA:WRIX End-Entity
- The UID should be set to the WBA member ID, e.g. MYCORP:US
- The Policy identifier must be 1.3.6.1.4.1.14122.1.1.7
The sign mode field specifies how the operator intends to execute the signing for the CSR that is to be generated. The operator may choose to simply generate the certificate without any local signing. This is the option that should be used when the certificate will be signed by a trusted third-party. The operator may also choose to sign with a local certificate authority. This option is only valid if the certificate chain is associated with a local certificate authority. Finally, the operator may choose to self-sign the CSR. This option is for testing and demonstration purposes only and should never be used in a production environment.
The certbot credential is a necessary association if, and only if, a sign mode has been selected that requires a certbot credential.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Certificate Authorities
The Certificate Authorities scaffold enables the operator to create and manage local CAs that are used to sign certificate chains. The certificates that are signed by local certificate authorities take part in a chain of trust that begins with the CA certificate.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The certificate identification fields are used to identify and describe the organization making the certificate signing request. It is extremely important to be very careful when entering the data in the following fields. If a trusted third-party signer is used to sign a certificate, it may choose to validate each of the fields with arbitrarily high precision. If a local CA is being created, the end-users who will load the CA cert may choose to verify the trustworthiness of the CA based on the data in these fields.
The country code field is the ISO 3166-1-alpha-2 country code of the requesting organization.
The state field is the state or province of the requesting organization.
The locality field is the city or town of the requesting organization.
The organization field is the company name of the requesting organization.
The organizational unit field is the section or division of the requesting organization.
The common name field is the fully qualified domain name of the rXg. This field must match what is set in the active device option.
The email address field is a contact email address for the requesting organization.
The days field specifies the number of days that a signature for a certificate will be valid for. An expired certificate must be resigned before it can be used.
The CA keypair are automatically generated when the operator creates a new record in this scaffold. The certificate and private key fields contain the two halves of the keychain and may be accessed via the show option once a record is created. The certificate is what needs to be distributed to clients that wish to verify the trustworthiness of certificates signed by this certificate authority. The private key should never be copied out of the rXg except for backup purposes or if the CA keychain is to be used on a third-party CA for signing certificates.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
EST Certificate Servers
Enrollment over Secure Transport (EST) is a certificate management protocol for PKI clients needing to acquire client and associated CA certificates. The EST Certificate Servers scaffold enables the operator to create and manage EST servers that are used to retrieve signed certificate chains and CAs.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The host field specifies the FQDN or IP address of the EST server.
The port field specifies the remote TCP port the EST server is listening on for incoming connections.
The certificate authority allows the operator to select which imported CA will be used as the explicit trust anchor.
The label field is optional and denotes the EST partition to interact with.
The client certificate drop-down can be used to select a certificate used for authentication against the EST server.
The username and password fields can be used for basic authentication against an EST server.
Certbot Credentials
The Certificate Credentials scaffold enables the administrator to define api_key/email/provider records for 3rd party ACME-enabled, and API Key-enabled Certificate Authorities.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Email field defines the username for the API Key.
The API Key field defines the API Key shared secret.
The Provider field defines which provider this credential is meant to be used with.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Let's Encrypt Examples
This example will show the creation process to setup and retrieve a certificate to be used for the FQDN using Let's Encrypt. NOTE: The use of Let's Encrypt requires the Let's Encrypt servers to reach out to the system via the FQDN to make sure the requester owns the domain, if an ACL is in place this can prevent Let's Encrypt from retrieving the required information. An ACL will also prevent the certificates from being automatically renewed.
First navigate to Systems::Certificates.
Create a new Certificate.
For Let's Encrypt the top section can be ignored (shown below).
The Certificate signing request section needs to be completed. Give the record a name, this can be the FQDN but does not need to be. Leave the Usage field set to server. Change the Sign mode field to Generate CSR and obtain certificate from Let's Encrypt. Enter the FQDN into the Common Name (CN) field. Enter the 2 letter country code into the*Country Code (C)* field. Enter the state into the State (ST) field, this should be spelled out and not the 2 letter abbreviation. Enter the city into the Locality (L) field. The Orgainization (O) field is optional, along with the Organizational Unit (OU)field. Enter a valid email address into the Email address field, this should be an email specifcally for this and not a personal email address. Click Create , this will start the certificate retrieval process.
It will take a minute or two to retrieve the certificate, one retrieved it will display the following. If for some reason the certificate cannot be retrieved a health notice will be generated with information regarding why it failed, this is usually because the system cannot be reached, either because the FQDN does not resolve to the primary IP address of the system, or an ACL is in place.
The final step is to edit the record, check the active box and click Update. This makes the certificate active and now when you use the FQDN name to access the system it will be secure.
Let's Encrypt Certificates for Virtual HTTP Hosts
Generating a Let's Encrypt Certificate for use with HTTP Virtual Hosts follows the above example with the exception that the Active box is not checked after retrieving the certificate. The FQDN being used to access the HTTP Virtual Host must resolve to the primary IP address of the system.
Next the HTTP Virtual Host must be created by navigating to System::Portals.
Create a new HTTP Virtual Hosts.
Give the record a Name , this is arbitrary and does not affect how the HTTP Virtual Host performs. Enter the FQDN used in the certificate in the previous step in the Hostname for remote access. The Target server IP field is the private IP address of the device to be accessed via the FQDN. Enter the port the device is listening on in the Target listening port field. If the device is listening for HTTPS connections check the HTTPS box. Select the certificate created in the previous step in the Certificate field. Click Create.
Now the device can be accessed via the FQDN we configured in the virtual host. This allows the operator to access devices behind the rXg over a secure connection even if the device itself is not HTTPS. To access the device enter https://esxi.neurotic.ninja into the browser.
Cluster
The rXg clustering solution simplifies and unifies the management of large scale rXg deployments.
An rXg cluster controller centralizes the configuration, instrumentation, and all operationally relevant persistent storage of a cluster of rXg devices. Synchronized, parallel, highly available, and cost-effective operation of an rXg cluster is easily achieved, enabling clear communication, authoritative control, and complete cognizance over a diverse RGN end-user population.
Load Balancing, Scaling and Failover
In a typical clustered rXg deployment, the distribution network is divided into parallel segments that are configured to be independent collision domains for the purposes of load balancing. Each rXg cluster node is then assigned one or more LAN segments to manage. A single, unified identity management and policy enforcement configuration is then applied to the entire cluster. This enables a cluster of rXg devices to support networks of virtually unlimited scale.
An rXg cluster automatically provides a failover configuration. In the event of a node failure, L2s and L3s of the failed node are automatically moved to operational nodes. End-users experience no downtime, and the process requires no operator intervention.
Topology
The approved cluster deployment topology is creating a private network solely for the purpose of cluster internal communications. It is highly recommended that the physical layer of the cluster internal communications network be gigabit Ethernet. Cluster nodes must use a native port to communicate directly with the controller (not a VLAN trunk port). The cluster intercommunication network (CIN) may be provisioned via a VLAN switch if and only if the cluster nodes are connected via untagged ports. In general, an Ethernet interface that is associated with an uplink on the node or controller should never be used for the CIN. In theory, the cluster may be connected over the public Internet, however this configuration is not officially supported.
The segmentation of the distribution LAN is usually accomplished via a VLAN switch. The segment assigned to the rXg cluster nodes is usually accomplished via VLAN trunk ports in order to ease management. There is no fundamental issue with using native ports to achieve the same goal, though naturally the management of the additional physical cabling may be more cumbersome.
Configuration
By default, the rXg stores its configuration database locally on the same hardware that executes the administrative console, portal web application, and enforcement engine. The rXg can be configured as part of a cluster using the Cluster Node Bootstrap scaffold of the Cluster view.
When operating as a node of a cluster , the rXg shares a remote database with all of its peers. By sharing a single database between all nodes, the operator uses a single, unified console to configure settings that are global to the cluster (e.g., end-user identity management, policy enforcement, etc.) as well as unique to the individual node (e.g., networking, SSL certificates, etc.). In addition, instrumentation and logging from all nodes in the cluster is centrally stored in the same shared database that resides on the cluster controller. This enables the operator to obtain complete cognizance over any end-user that is on any node of the cluster through the cluster controller administrative console.
To enable an rXg as a cluster controller, the operator creates an entry in the Cluster Nodes scaffold. The first entry will always be for the master controller. Subsequent entries will be made for standby controllers , nodes , and witnesses. The operator will need to provide the IUI, IP address, and HA Role for each subsequent system.
Each cluster should only contain one master controller entry which will contain the read-write copy of the database.
Standby controllers can be defined to receive read-only copies of the database and have the ability to promote to master controller in the event of a failure.
Nodes contain no copy of the database and participate in the cluster by managing individual LAN segments.
A witness does not contain a local copy of the database or manage any LAN segments. The function of a witness is to maintain quorum in the event of a failure.
A cluster controller presents a Cluster Nodes scaffold on the Cluster view that configures the member nodes that are attached to the cluster controller. The operator must create a record for each and every cluster node that is to take part in a cluster managed by the cluster controller. Each record contains the credentials that authorize the cluster node to share the cluster controller database.
Deployment Procedure
A successful cluster deployment begins with a proper plan and documentation of the cluster topology. At very least, a network diagram must be created that has all relevant IP addresses labelled. Every cluster node must have at least three connections (LAN, WAN, CIN). The cluster controller must be connected to the CIN. The LAN and WAN connections are optional on the cluster controller , though recommended to ease remote and local access to the management console as well as enable ping targets for multiple uplink control.
- Install the rXg cluster controller(s), and all rXg cluster node hardware according to RG Nets guidelines.
- Power on the devices and connect to the administrative console of each device.
- Use the WAN IP address to connect to the administrative console as all units will have the same default LAN IP address at this time. If necessary, connect a serial terminal or VGA monitor to the rXg and hit CTRL-D to see what WAN IP address the rXg has acquired.
Create at least one administrator and install a valid license on the master controller.
On the master controller , bring up the LAN view and create an Ethernet interface along with an associated network address. This will define the CIN and allow all nodes to communicate with one another once configured.
Bring up two web browsers side-by-side. In one browser, open the administrative console of the cluster controller and navigate to the cluster view. You should see the Cluster Nodes scaffold with a single entry (the cluster controller ). In the second browser, bring up the administrative console of a cluster node (still in default state) and you should see the Cluster Node Bootstrap scaffold. The master database should be currently set to local master.
Create a new Cluster Node scaffold entry on the master controller by copying the IUI of the second system and defining the IP Address. Use the dual browser setup to repeat the process outlined here for each node that will take part in this cluster.
A new record in the Cluster Nodes scaffold must be created for every rXg device that will participate in this cluster.
- Copy the IUI from the browser displaying the cluster node console and paste it into the appropriate field displayed in the cluster node record creation form.
- Enter the CIN IP address that will be configured on this node into the IP field.
Choose the appropriate mode for the rXg device. Use the dual browser setup to repeat the process outlined here for each node that will take part in this cluster.
Click the edit link next to the record in the Cluster Node Bootstrap scaffold in the administrative console of the node. Enter the CIN IP address of the cluster controller in the Controller IP field. The settings for the username and password fields are displayed in the list view of the Cluster Nodes scaffold on the administrative console of the master controller. Copy and paste those values into the appropriate fields.
Choose the CIN port for the interface setting and enter the CIN IP address in CIDR notation for the cluster node into the local IP address fields. Click update to save the settings.
When the cluster node connects to the remote database on the cluster controller for the first time, a cluster node initialization process is automatically executed. First, the cluster controller incorporates the MAC addresses and media-types available to the cluster node into the set of all available Ethernet ports. Then, records for the CIN Ethernet interface and address are added to the cluster configuration and marked for application to the particular cluster node that is being initialized. In addition, a default device option for the new cluster node is created.
When all cluster nodes have been initialized, the deployment of the cluster is complete. The operator can input licensing for each node in the License Keys scaffold in the Cluster view. The cluster may now be configured with settings in a similar manner as a standalone rXg, by using the master controller administrative console.
Symmetric Cluster
In a symmetric cluster a node can operate as both the data plane and control plane. Because each node requires large, high endurance SSDs as well as enough CPU and RAM to operate as both the control plane and data plane, symmetric clustering is recommended for smaller deployments.
Asymmetric Cluster
An asymmetric cluster separates the control plane from the data plane. This enables the operator to scale requirements for nodes individually. Only nodes allocated as controllers need large high endurance SSDs, more CPU, and RAM. Data plane nodes require minimal SSD, CPU, and RAM to manage their individual LAN Segments.
All transit networking features are executed on the cluster nodes. The controller does not forward packets nor does it run any proxies for web experience manipulation. All billing, user management, and instrument collection features are executed on the cluster controller. Cluster nodes do not run recurring billing, system status, or traffic rate collection tasks.
Implementation Details
The gateway setting in the Database Storage scaffold of cluster nodes should not be configured unless absolutely necessary. Setting this implies that the cluster node will connect to the cluster controller via an uplink interface and is not officially supported.
All CIN traffic is passed through the rXg policy enforcement engine unfettered. No packet filter states are created and traffic is not queued. Ensure proper cluster operation by making sure that the CIN is properly deployed using high performance gigabit Ethernet equipment and high-quality cables.
A valid license must be present in the license view of the cluster controller for every node associated with the cluster.
Device and network configurations are associated with a particular node while almost every other kind of configuration is global. If a scaffold does not have a field that associates a node with the record, the record will apply globally to the entire cluster. When the scaffold has an active setting, only one record per cluster node may be made active. The records that are not active are shared by the cluster.
When configuring Ethernet interfaces , one port will be available for each physical port in the cluster. Since all networking configuration (e.g., addresses , uplinks , VLANs , binats and even all the DHCP server settings) are ultimately linked to an Ethernet interface , the port field determines which node the configuration applies to.
A single uplink control record may contain uplinks that span several nodes of the cluster. However, on each node, only the relevant uplinks are used to determine the weighted connection pools.
Ping targets may be configured as node-specific (associated with a cluster node record). Ping targets that are node-specific are pinged and status-updated by their associated node only.
Ping targets that have no cluster_node association are global to the cluster. Global ping targets are status-updated by only the cluster controller. However, global ping targets may and should be used to instrument the condition of multiple uplinks configured throughout devices in the cluster. In this case, all nodes having an uplink associated with the global ping targets ping the target through the respective uplink(s), but only the online state of the uplink record is changed, not the state of the global ping target itself, except by the controller. Creating a ping target with an uplink(s) association automatically clears any cluster node associated with it.
System graphs must be cluster node specific and represent data for only that node or the cluster controller.
Network graphs are global. Graphs of IPs , MACs , login sessions , bandwidth queues , and policies represent cluster-wide data. For example, traffic rate stats for the same IP that may somehow be behind two different nodes is accumulated at the controller and collated into a single database entry for that IP. Similarly, traffic rates statistics for a single bandwidth queue or policy are collected from all nodes, summed at the controller, and written to a single database entry. Cluster node specific items defined by the records that are directly or indirectly associated with an Ethernet interface record are stored in node specific records.
Cluster Node Bootstrap
The Cluster Node Bootstrap scaffold configures the mechanism by which this rXg will join a cluster.
The controller IP field specifies the IP address of the rXg cluster controller.
The username and password fields are the credentials assigned to this node by the cluster controller. Obtain the values for these fields by entering the IUI for this node into the Cluster Nodes scaffold of the Cluster view on the console of the cluster controller.
The interface field configures the Ethernet interface that will be used by this cluster node to communicate with the cluster controller. An Ethernet interface must be dedicated for the sole purpose of cluster communications.
The local bootstrap configuration options ( local IP address and gateway ) are used as the bootstrap configuration of the rXg when operated in cluster mode. This is needed to enable the cluster node to communicate with the cluster controller and retrieve the complete rXg configuration from the controller.
Cluster Nodes
Cluster nodes define the members of an rXg cluster.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The auto registration box enables automatic registration of cluster nodes. Allows for automatic cluster configuration.
The permit new nodes box allows new nodes that have never been a member of the cluster to join the cluster.
The auto approve new nodes box allows new nodes to be automatically approved without operator intervention.
The pending auto registration box, if checked, will mark the node as pending auto registration. When the node connects to the master controller for the first time it will automatically become a member of the cluster.
The mode dropdown indicates the type of node defined by this record. Only one node may be defined as the master controller for each cluster.
The IUI is the installation unique identifier for the node that is defined by this record. The installation unique identifier for an rXg may be found by visiting the license view of the system menu.
The IP is the IP address that will be used by the cluster node for communicating with the cluster controller. This will also be the bootstrap IP address that is configured in the Database Storage scaffold of the Cluster view on the cluster node.
The priority field indicates the priority of an individual node. A higher precedence node takes over for lower precedence gimps within the same team.
The networking HA enabled field defines the HA behavior of this node in the cluster; if checked this node will take over networking for a failed node, if unchecked the node will not.
The networking HA backoff (seconds) field specifies the amount of time a node will try to reach the controller before moving on to the next controller. Default value is 300 seconds.
The networking HA timeout (seconds) field specifies the amount of time that must elapse before a node is considered offline, and another node will take over the networking configured on the failed node. Default value is 300 seconds.
The username and password fields are the credentials assigned to this node by the cluster controller. Enter these into the cluster view of the appropriate cluster node to enable access.
Example Cluster Setup: 2 CC's, 2 GW's
For this example, there will be 4 machines: 2 CC's and 2 GW's. For different cluster layouts there may be more CC's or GW's. The example below will provide details on adding each type. The first step will be to install the rXg software on all 4 machines. Once this is done, two browser windows should be opened: one for the primary CC, and the 2nd for all additional nodes (this includes any CC's or GW's that will be added).
Create a new administrator on the Master Controller , by clicking "Create New" on the Administrators scaffold. Each admin account should be unique for every operator.
At a minimum a Login and Password are required. Click create.
Next edit the License Keys scaffold.
Paste in the license key and click update. This will restart the webserver.
Next the CIN (Cluster Interconnect Network) will be created. Navigate to Network::LAN , and create a new network address.
Name: cc1 CIN Address. Set the interface , and specify the IP address in CIDR notation. Leave both autoincrement and span values at 1. Do not check create DHCP pool. Click create.
Turn rXg into Master Controller by navigating to System::Cluster. Create a new cluster node by clicking create new on the Cluster Node scaffold.
Uncheck networking HA enabled this will ensure that the CC doesn't take over the networking for the other nodes before they are integrated into the cluster. Verify that the default information is correct and click create.
Create a new cluster node record for each CC and GW that will be added to the cluster. The easiest way to do this is to have 2 browser windows open, one with the Master Controller admin GUI loaded, and the other with the admin GUI with a tab for each CC and GW. Click create new on the Cluster Nodes scaffold.
Verify the name and mode is correct. Copy the IUI from the secondary controller into the IUI field on the Master Controller , verify that the mode , IP , and priority are configured as desired. Uncheck the networking HA enabled box. Click create.
Next repeat for the 2 GW nodes. Click create new on the Cluster Nodes scaffold, copy the IUI from the first GW node into the IUI field. Verify that the mode , IP , and priority are configured as desired. Uncheck the networking HA enabled box. Click create.
Repeat for GW 2. Verify that the mode , IP , and priority are configured as desired. Uncheck the networking HA enabled box. Click create.
All the CC's and GW's now have cluster node records on the Master Controller.
Next, we will integrate the secondary CC and GW's into the cluster using the Cluster Node Bootstrap scaffold. On the secondary cc admin GUI in the second browser edit the cluster node bootstrap record.
Copy controller IP , username , password from the Master Controller's Cluster Nodes scaffold to the secondary controller. Set the interface , and the local IP address in CIDR notation. Click update.
Repeat the process for GW 1 and GW 2 nodes.
Next add the license for each node. On the Master Controller edit the license key entry for cc2 paste the license in. Repeat for each node.
After the licenses have been installed on the remaining nodes the cluster configuration is complete. The operator will now use the Master Controller to continue configuring the system. The System::Cluster page will now show Replication and HA status as green.
Example Cluster Setup: Using Autoconfiguration 2 CC's
For this example, we will use auto configuration to configure a cluster consisting of 2 CC's. Unlike the previous example, we will use the auto configuration option instead of manually creating the cluster. After installing the rXg software on each machine, open a separate browser tab for each machine in the cluster.
Create a new administrator on the Master Controller , by clicking "create new" on the Administrators scaffold. Each admin account should be unique for every operator.
At a minimum a login and password are required. Click create.
Next, edit the License Keys scaffold.
Paste in the license key and click update , this will restart the webserver. Note: if an asset exists in the licensing portal with the IUI of the node, the node will automatically retrieve its license.
Next the CIN (Cluster Interconnect Network) will be created. Navigate to Network::LAN, and create a new network address.
Name : cc1 CIN Address. Set the interface , and specify the IP address in CIDR notation. Leave both autoincrement and span values at 1. Do not check create DHCP pool. Click create.
Turn the rXg into a Master Controller by navigating to System::Cluster. Create a new cluster node by clicking create new on the Cluster Node scaffold.
Verify that the default information is correct. Check the auto registration box, this will allow the automatic registration of cluster nodes. Once that is done, it will open up the permit new nodes option, check this as well. This will allow new nodes to join the cluster so they can auto-register.
Now the auto approve new nodes option will become available. Check this box. By checking this box, the operator of the rXg will not need to approve new nodes that join the cluster. Checking all the boxes makes it so new nodes will not only auto join the cluster but will also be approved without any intervention. If you wish to disallow the auto-approval process, then the opererator will need to approve each node before it will become part of the cluster.
For this example, we are checking all the options so that the process is as automatic as possible. Click create.
Now go to the tab that was opened with the secondary CC's admin GUI. Do not create an admin or apply a license at this time. Scroll down to the bottom of the page and edit the cluster node bootstrap record.
Under the Auto Registration section check the auto registration box, which will enable the node automatically register to the Master Controller. This will unlock the create CIN option and the join as new option. Create CIN will create the cluster interconnect network on the node using the data provided on the form. Check the create CIN box.
The join as new box should be checked if this node has never been a member of this cluster before (such as having a node fail and re-adding it to the cluster after repair - it would not be a new node in this case), check this box. This will allow the operator to select the join role for this node. In this case, it should be set to*standby controller (HA)*.
Enter the controller's IP address in the controller IP field. Set the interface that will be used to connect to the CIN network in the interface field. Set the CIN IP of this node in the local IP address field. The gateway field does not need to be set because the node belongs to the same network as the Master Controller. Click update.
The cluster node bootstrap record will now show that it is awaiting auto-registration.
On the Master Controller navigate to System::Cluster. Both nodes should not be listed in the Cluster Nodes scaffold.
Note that their status may be unlicensed; the licenses can be added via the License Key scaffold below. Edit the record for CC2 and paste in the license. In this case, the nodes have pulled their licenses automatically.
Now that the licenses have been added, it is a fully functional cluster that created itself without the operator needing to copy and paste information between the Master Controller and nodes.
How to change which Cluster Controller is the Master Controller
Turn off network HA on the nodes, leave the Master Controller for last.
Make sure the priority of the standby you want to become the new master is higher than all other standby controllers. Typically, the standby controllers will be a priority of 7 by default. Set the standby that you want to be master to 9.
SSH into the current master. Stop rxgd and kill postgres (you will need to become root for this). Running ' kr' will stop rxgd and then running ' killall postgres' will stop postgres. Once this is done, the highest priority standby will take over as master. You can reduce the HA timeout to make this faster (default is 5 minutes).
Open GUI on the new master. Edit the cluster node record for the current master node and set to standby.
SSH into the node that will be the new master. Run ' console' to access the rails console. Find the BootstrapOption record for the NEW master and set the host , username , and password fields to nil. In this case, the record that will be edited is the last record, since there is only CC1 and CC 2. The record can be found by running ' BootstrapOption.last'.
Edit cluster node record in GUI for new master and set to master.
Edit the bootstrap option record in GUI for old master and set it as if it is a new node.
SSH to OLD master and edit the bootstrap.yml located at /space/rxg/bootstrap.yml. Change the order under _controllers so that the NEW master is on top of the list followed by any other standbys. Repeat for bootstrap_live.yml. After editing the 2 files on the OLD master run ' rr' to restart rxgd. If you changed the controller HA timeout , be sure to set it back. Finally, edit the cluster node records and re-enable network HA starting , doing the master CC last.
Note: Doing this will not copy over graphing information so it will be lost.
Node Integration After Failure
With HA 3.0 , the process to get a failed node back into the cluster is straight forward. For example, if a node loses a power supply, once it's replaced and the node is turned back on, the node will automatically join the cluster and take over networks configured on it (if another node took over for it).
If the node is replaced with new hardware, meaning the IUI has changed, the cluster node record for the downed node can be edited. Once the IUI is replaced with the new node's IUI , the username and password for the new node will be generated. These can then be entered into the bootstrap and the node will integrate into the cluster and replace the failed node.
Fleet
The Fleet view allows the operator to configure the rXg to be used as a fleet manager or to join a node to an existing fleet manager.
The Fleet Nodes scaffold allows the operator to turn the rXg into a fleet manager and to add nodes to be managed.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The this checkbox indicates that this fleet node record refers to this system.
The manager field, if checked, indicates that this node is the fleet manager.
The host field is used to enter the FQDN or IP address of the Node.
The key will contain the key to be used to authenticate with the fleet manager , or if on a fleet node, it will be a record of the key generated for the node by the fleet manager.
The ignore SSL cert errors field, if checked, will allow the fleet manager to ignore any certificate errors when communicating with the nodes. Note: this is not recommended.
The stat reporting interval field is the interval in seconds that the node will report its stats. When set on the fleet manager node, this value will set the default value, unless overridden on a node record. Default value is 10 seconds.
The fleet groups field allows the operator to set which fleet groups the node will belong to. It is possible for a node to belong to multiple groups.
The PMS properties field allows the operator to set which PMS properties the node belongs to (if configured).
The config templates field allows the operator to select which, if any, templates should be pushed to the node.
The software package field allows the operator to select an upgrade software package to push to the node.
The proxy hostname field is the hostname to use for proxying web and/or SSH traffic. When set on a fleet manager record, it enables cookie-based proxying via the operator portal. When set on a Fleet Node record, enables persistant anonymous Virtual Host behavior.
The certificate field sets the certificate to present for traffic destined to the proxy hostname.
The operator can use the Fleet Groups scaffold to create groups, which can then be used to control who can access those groups by specific admin or administrative roles.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The fleet nodes field allows the operator to specify which nodes belong to the fleet group.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The admins field allows the operator to specify which admins will have explicit access to the nodes in this group, in addition to the admin roles.
The admin roles field allows the operator to select the admin roles that have access to the nodes in this group.
The config templates field allows the operator to push selected config templates to the nodes that are members of this group.
The Software Packages scaffold allows the operator to upload software packages that can then be pushed to fleet nodes for upgrades.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The file field allows the operator to upload an upgrade package to the fleet manager.
The remote URL field allows the operator to specify a URL to retrieve the package from (if not uploading via the file field).
The username field is used for HTTP authentication if required.
The password field is used for HTTP authentication if required.
The fleet nodes field allows the operator to specify which nodes the upgrade package should be pushed to. This is optional; the operator can use the Scheduled Upgrade scaffold to specify which nodes and when the upgrade should take place.
The Scheduled Upgrades scaffold allows the operator to schedule upgrades. Upgrades can be pushed out immediately or can be rolled out over several days, starting at a specific time of day.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The software package field allows the operator to specify which upgrade package is scheduled for install. By default, it will be set to use latest available for OS version. The operator can also specify any software package that has been uploaded using the Software Packages scaffold.
The start at field allows the operator to specify on what day and at what time the upgrade will begin.
The fleet node field is used to specify which node the upgrade will be pushed from.
The this system field specifies that the upgrade will also be pushed to the fleet manager.
The fleet nodes field allows the operator to select specific nodes that will be upgraded regardless of fleet group membership.
The fleet groups field allows the operator to select which fleet groups will be included in the upgrade. If a fleet group is selected, it will push the upgrade to all nodes that belong to that group.
The node CSV field allows the operator to upload a CSV file containing a single column with the names or host values of the fleet nodes to include in this job. This will overwrite any existing nodes that have been selected.
The minimum version field designates that the node must be running at least the specified version in order to upgrade.
If the no alpha builds box is checked, then nodes that are running an alpha build will not be upgraded.
The schedule mode field is by default set to immediate; if set to staggered , it allows the operator to set the number of days the upgrade will take place over and how many nodes should be upgraded per day. The number of days can be changed by deleting or adding a day.
The max concurrent upgrades field sets the maximum number of nodes that can be updated at a time.
The max failures field will pause the job when the specified number of nodes have failed.
The max failure % field will pause the job when the specified percentage of nodes have failed.
Example Fleet Manager Setup
For initial fleet setup, navigate to https://FQDN/admin/menu/fleet.
Create a new fleet node. Name is arbitrary.
This box should be checked if the record being created is for the node being created.
Manager should be checked if the node being created will be the fleet manager node.
Host is the FQDN or IP address of the node.
Fleet groups should be selected to allow the node to be seen by specific groups.
Proxy host can be set if required for proxying web and/or SSH traffic. Select certificate to present for traffic destined to the proxy hostname. Click create.
Fleet groups can be used to group nodes together. For example, nodes can be grouped by property owner. Name is arbitrary.
Fleet nodes is used to select the nodes that will belong to the group.
The admin field sets admins with explicit access to the nodes in this group. The admin roles field sets the admin roles that have access to the nodes in this group.
To add a node to the fleet manager navigate to System::Fleet on the fleet manager node.
Create a new fleet node record by clicking create new.
The name field is arbitrary. Leave both the this and manager boxes unchecked.
Enter the FQDN of the node in the HOST field. Select a group this node will belong to, if applicable. Copy the key in the key field. Click create.
Navigate to https://FQDN/admin/menu/fleet on the node being added to the fleet manager. Enter the FQDN of the fleet manager into the fleet manager host field, and copy the key into this node's key field and click join.
Example Fleet Templates
The operator can use the fleet manager to push config templates to the nodes connected to the fleet manager. This can be done on a per-node basis or to specific groups as defined by the fleet groups.
To push a config template to a node navigate to System::Backup on the fleet manager , and create a new config template.
In this example, a new usage plan will be pushed to nodes in the Lab02 group. The config template must be given a name.
The config to be pushed goes in the config field, or a .yml file containing the config can be added.
Lastly, we select Lab02 Group via the fleet group field. Optionally, the apply template box can be checked which will run the template after creation.
Below is an example showing that the config template was successfully applied to both fleet nodes in the group.
Below are two screenshots. The first is from Billing::Plans before the config template is applied, and the second shows the same scaffold after applying the config template.
Example Fleet Templates #2 - Speedtests
In this example, a template will be used to push speedtest config to all the nodes that the fleet manager controls. Navigate to System::Backup on the fleet manager , and create a new config template.
A speedtest will be configured on all fleet nodes which will then run a speedtest every 8 hours.
The config template must be given a name.
The config to be pushed goes in the config field, or a .yml file containing the config can be added.
Lastly, we want to select all nodes. Optionally, the apply template checkbox can be checked, which will run the template after creation. Click create.
Below is an example showing that the config template was successfully applied to all fleet nodes controlled by the fleet manager.
Below is a screenshot of the configuration of the speedtest pushed to all nodes.
Example Fleet Proxy Setup
Fleet proxy allows the operator to access nodes behind the fleet manager that may not be otherwise accessible due to ACL's in place. To setup the proxy feature we first need to create a certificate.
Navigate to System::Certificates and create a new certificate. Note: the domain name you are using for the certificate should resolve to the primary IP address of the fleet manager node.
Give the certificate a name , then scroll down to the certificate signing request section. Give that a name as well, leave usage set to server, and set the sign mode to generate CSR. Obtain certificate from Let's Encrypt.
Fill out the common name , country code , state , locality , and email address fields with the appropriate information (the other fields are optional). Click create. After a minute or so the new certificate will be retrieved.
Now that the certificate is created, navigate to System::Fleet and edit the fleet node record for the fleet manager.
In the proxy behavior section, set the proxy hostname field to match the FQDN of the certificate created earlier. Select the certificate that matches the FQDN. Click update.
Navigate to the fleet operator portal and there will now be the option to proxy to each node, even nodes that would not be accessible, like the nodes in this example with private IP addresses on the WAN (which is not an officially supported deployment).
Now the fleet manager can be used as a proxy to either access the Admin UI or SSH. To access a node, click on the proxy drop-down for that node and select either admin UI or SSH.
Once the proxy is established the operator will have access to the admin UI of the fleet node , the proxy connection can be ended by clicking end proxy at the top of the admin UI.
Example Fleet Upgrade Setup
To setup a fleet upgrade the operator must first upload the software package that will be used for the upgrade. To upload the software package , navigate to System::Fleet and create a new software package.
Give the software package a name and choose the file, or enter the remote URL and username and password. For this example, the package will be uploaded directly. Once the file is chosen, click create.
Next, create a new scheduled upgrade.
Give the schedule a name. Select the software package uploaded in the previous step. Select a start at date/time.
Next, select the fleet node or fleet groups that should be included in the upgrade. For this example, the scheduling rate will be left at immediate since we are only pushing the upgrade to single node. Click create.
The operator can use the Scheduled Upgrades scaffold to view the status of the upgrade.
Licenses
The Licenses view presents all information and controls necessary to review, obtain, and install a license key for the current rXg.
Detailed View
The licensing summary dialog displays the permitted values of all aspects of the installed license key alongside current utilization.
The accounts field describes the number of end-user accounts in the local database. This represents the total number of end-user accounts that are present in the persistent storage mechanism. The activity of the end-user accounts (or lack thereof) does not have any effect on this parameter.
The login session field describes the number of simultaneous end-users logged in via the captive portal. This includes end-users who have logged in via RADIUS , LDAP , tokens (including free access) as well as locally stored accounts.
The IP sessions field describes the number of simultaneous IP addresses that have traffic transiting the rXg. This parameter is fully inclusive of all sessions regardless of whether they originate from end-users who have logged into the portal or are authorized for access by other means (e.g., MAC groups that have portal disabled).
The MAC entries field describes the number of devices that are L2 connected to the rXg. This parameter is fully inclusive of all L2 devices regardless of whether they are generating traffic that transits the rXg.
The connection states field describes the total number of simultaneous TCP and UDP connections transiting the rXg. A state is a connection between an end-user on the LAN and a server on the WAN. For example, opening Microsoft Outlook to read email from a single email account will typically result in 2 states: one for downloading new emails and a second one to transmit unsent emails. Typical web surfing results in approximately 5 simultaneous states, most of which are TCP HTTP connections downloading web page assets such as images. Some programs such as peer-to-peer file sharing programs may create upwards of 50 or even 100 states. Malicious software such as worms attempting to spread through the Internet will often generate thousands of states.
The VLANs field describes the number of logical interfaces configured on the rXg. Each physical interface of the rXg can have many logical VLAN interfaces. This parameter represents the sum total of all logical VLAN interfaces on all physical interfaces present on this rXg.
The uplinks field describes the number of logical WAN uplinks configured on the rXg. This parameter enables rXg link control features. The rXg can aggregate, fail-over, diversify, and affine traffic among multiple uplinks when configured and licensed to do so.
The RADIUS realms field describes the number of RADIUS realms that are configured on the rXg. In a typical configuration, each realm represents a roaming partner or entity with whom the operator has an agreement to authenticate the partner's database of end-user accounts.
The RADIUS groups field describes the number of RADIUS groups that are configured on the rXg. Each RADIUS group is a pool of end-users who have been authorized by a server specified by one or more RADIUS realms.
The LDAP domains field describes the number of LDAP domains that are configured on the rXg. Each LDAP domain represents a separate administrative group of end-users that can be authenticated via the rXg captive portal via LDAP.
The LDAP groups field describes the number of LDAP groups that are configured on the rXg. Each LDAP group is a pool of end-users who have been authorized by a server specified by one or more LDAP domains.
The account groups field describes the number of account groups that are configured on the rXg. Account groups affect end-users who have logged in via the captive portal using credentials matching a locally stored account. Account groups are often employed to logically group end-users who have purchased different levels of service (e.g., standard versus premium). The rXg integrated billing system employs account groups as destinations for end-users when a purchase of a usage plan is made.
The IP groups field describes the number of IP groups that are configured on the rXg. IP groups are used to logically group operator specified CIDR blocks that should experience similar policy. In a typical deployment, IP groups are used to define the IP addresses that will experience forced browser redirect. Members of IP groups can be as small as a single IP address (/32) or as large as a class A (/8).
The MAC groups field describes the number of MAC groups that are configured on the rXg. MAC groups are used to logically group one or more MAC addresses for policy enforcement purposes. In a typical scenario, MAC groups are used for exceptions to policies enforced globally via IP groups or specifically via account groups. For example, a MAC group may contain the MAC addresses of the operator laptops to enable unfettered and priority access to network administrators.
Installation Unique Identifier
The installation unique identifier (IUI) is a string of characters that uniquely identifies a particular piece of rXg hardware.
The IUI must be supplied with all license requests. License keys are generated for a particular IUI and will not install nor work with an rXg that does not present a matching IUI. The IUI is hardware dependent and cannot be changed by the administrator of the system.
License Keys Scaffold
The License Key scaffold interprets and presents the several dates present in the license key as well as the lifetime of the currently installed license.
In addition, the License scaffold enables the operator to view the current key as well as install a new license key.
To install a new license key , click on the edit link and copy and paste the new key string into the text box provided. Be very careful and precise when copying and pasting. Leaving out a line or even a single character will result in the rXg rejecting the key.
Confirm that the rXg is connected to the WAN before installing a license for the first time. This is needed for time synchronization, which is a prerequisite to installing a license with temporal restrictions. Also, be sure to install the right license key as the keys are generated to match the IUI that is also presented on this view.
Options
The Options view enables the operator to configure global configuration options for the rXg.
The Options scaffolds are designed to easily store and swap between profiles. For example, one set of device options can be stored for each node in an rXg cluster using the Device Options scaffold. This allows a single configuration database to be shared across a cluster. To give the rXg the identity of a particular node, simply mark the appropriate profile as being active. The Network Options scaffold comes pre-populated with a series of packet option profiles for different kinds of networks. If the complexion of the network changes, simply mark the appropriate profile active and the rXg will be reconfigured.
Device Options
The Device Options scaffold enables configuration of global settings governing various core services of the rXg.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The FQDN setting is the fully qualified domain name that is used to identify this rXg. This will be the domain name that users will be redirected to if using a local splash portal. Your upstream DNS servers and DNS glue records must be configured to resolve the specified DNS name into an IP address configured on the rXg.
The time zone setting configures the GMT offset for the rXg. It is critically important to make sure that this is set correctly to ensure proper billing functionality.
The NTP server field specifies the network time synchronization server. Change this to your internal network time servers for increased time synchronization reliability. If you do not have an internal network time server, choose from one of manypublic NTP servers or use the publicNTP pool.
The SMTP section is used to configure the outbound SMTP server. These settings are used for the email notification and mass email campaign subsystems.
The server address and server port settings enable configuration of an upstream proxy email server. By default, emails are queued to an email MTA locally on the rXg which then delivers directly to the recipients. Setting an SMTP server causes the rXg, to deliver all emails through the specified host.
The username and password fields are the credentials used for the email relay server specified by the server address and server password settings. Leave these fields blank if the email relay server does not require authentication credentials.
The log rotate hour field configures the hour during which the rXg rotates its system log files, restarts critical services, and performs nightly database maintenance. This should be set to the time of least end-user activity, likely in the middle of the night. A time of 4AM is not supported because it conflicts with the Daylight Savings Time (DST) shift.
The start limiting at field is the minimum amount of unauthenticated ssh connections necessary to begin dropping new connections at the percentage defined in the drop rate (%) field. Must be set if drop rate (%) is set. The drop rate (%) field is the rate which new unauthenticated ssh connections will be dropped once the start limiting at number of unauthenticated connections is reached. This will scale linearly up to 100% once the block all at number of connections is reached. Must be set if start limiting at is set. The block all at field is the maximum number of unauthenticated ssh sessions that will be allowed.
DKIM Domains
An entry in the DKIM Domains scaffold enables DKIM message signing of outbound email for the domain specified in the record. DKIM message signing is a technique that allows a sending mail server to prove that it is authorized to send email for that domain.
When enabling DKIM signing, a cryptographic keypair is generated, which will be used to sign the outgoing email. A DNS record must be defined in the public DNS records of the desired domain, which specifies the public key of the generated keypair.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The domain field specifies the domain for which DKIM signing should be enabled. By default, the rXg will use the FQDN of the system to send outbound emails, unless a different "from" address is specified in the Custom Message being sent. If a different domain is used in the Custom Message, then a DKIM Domain should be created for that domain in order to sign outbound email.
The selector field specifies the unique selector that identifies _this_system's public key, since there could potentially be many servers sending email for the same domain. The selector must be the same across all domains that are enabled for a single system. In a cluster, each node could use its own selector, although it is not a requirement. A different DNS TXT record will need to be created for each domain/selector combination.
After creating a DKIM Domain, refreshing the scaffold should show the DNS record name that must be created in the public DNS records, and a button allows the operator to copy the contents that should go into the data field of the DNS record. If the DNS record is not created, servers that receive email that has been signed by this server will not be able to validate the DKIM signature, and may reject the email.
Network Options
The Network Options scaffold enables configuration of global settings that govern the rXg packet manipulation engine.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The state timeout field governs the expiration of UDP / TCP connection states. The normal setting is the default recommended selection for most applications. The high-latency setting increases the time before expiration occurs and is recommended for satellite uplinks. The aggressive setting reduces expiration timeouts and should be used for highly reliable uplinks, such as a leased-line (e.g., T-1) and situations where a large number of connections are constantly being created and destroyed. The conservative setting changes the expiration policy so that the system goes to great lengths to preserve states even when they are idle despite a much higher memory utilization.
The MAC <=> IP setting affects how the rXg translates a MAC address into an IP address , and vice versa. A value of dhcp,arp configures the rXg to utilize the DHCP leases table and ARP table cooperatively, where the MAC sent by an IP's DHCP client is favored over the MAC determined by the ARP protocol for a given IP address. The arp,dhcp value means the ARP table takes precedence over active DHCP leases. The dhcp and arp values configure the rXg to use only the DHCP leases table or ARP table. Appropriate configuration of this setting is critical for correct operation of numerous rXg features including automatic login.
Using the ARP table is the preferred method of determining the MAC to IP mapping on L2 connected networks. This is because the ARP table is most likely to have up to-the-second information and will also be able to map MAC addresses to statically assigned and misconfigured IP addresses. However, the ARP table will be unreliable in L2 connected networks that have intermediate devices that engage in ARP spoofing. Some wireless radios perform MAC spoofing when used in bridged, mesh or WDS mode. When working with such equipment, the DHCP leases table must be used to determine the MAC to IP mapping.
Using the DHCP lease table to discover MAC to IP mapping is required in L3 routed networks. This is because the rXg will see the MAC address of the next hop router rather than the MAC address of the end-user device for all IPs that are not L2 bridged. Furthermore, intermediate routers must be configured for DHCP relay and use the rXg as the DHCP server. The rXg is unable to use the DHCP leases table to create a MAC to IP mapping for devices that do not use the rXg as the DHCP server , for statically assigned addresses and for otherwise misconfigured IP addresses. The DHCP leases table is also most likely to contain out-of-date information compared to the near real-time ARP table. Thus, it is recommended that the DHCP lease table be used only when the ARP table cannot be used to acquire the correct IP to MAC mapping.
Using either the dhcp,arp and arp,dhcp settings is only recommended when deploying an rXg in a mixed L2 and L3 connected LAN environment. If a rXg deployed to manage a L3 routed fixed wireless broadband network and then is also used to manage a local hotzone that is L2 bridged, then it is necessary to use both the DHCP leases table and the ARP table in order to determine the MAC to IP address mapping. In most cases, it is best to prefer the ARP table over the DHCP lease table because the ARP table is most likely to have the most recent and hence the most correct mapping.
The dhcp,arp and arp,dhcp settings should only be used when absolutely necessary. Conflicts and/or confusion may occur when both the DHCP leases table and ARP table are both used to map MACs to IPs. For example: if the DHCP issues a lease to client A, then client A leaves the network, then at a later time, client B joins the network and acquires a lease for the same IP address, then client A returns to the network, there will be a conflict. The DHCP leases table will report the IP MAC mapping as client B whereas the ARP table may report the IP MAC mapping as client A. This issue is exasperated in situations where long DHCP leases are issued.
Correct IP to MAC mapping is prerequisite for proper operation of several critical rXg features including automatic login. Careful consideration of all available options as well as thorough examination of all available ARP and DHCP instrumentation is strongly advised when configuring this option.
The ARP timeout field dictates how long an ARP entry is held in the cache, in minutes, until it needs to be refreshed.
The maximum MSS setting enforces amaximum segment size on all packets transiting the rXg to be less than or equal to the specified number of bytes. Make sure that the MSS is set less than the MTU of any transit network, otherwise fragmentation will occur again. Typical values of MSS and MTU for Ethernet are 1460 and 1500 respectively. Reductions in MSS are necessary to support certain forms of IP-IP tunneling (e.g., IPsec VPN).
The minimum TTL setting modifies the minimum time-to-live on all packets transiting the rXg. The TTL is a value from 1 to 255 that is decremented each time a packet crosses a router. When the TTL reaches zero, the packet can no longer cross any routers (unless the router is capable of and has been specifically configured to ignore and rewrite the TTL). This modifier is useful for fine tuning performance of very large networks. Boosting the TTL helps in situations where packets are not reaching their targets. Reducing the TTL helps reduce looping of stray traffic. A minimum TTL set to zero disables the TTL normalization. Note that setting a minimum TTL prevents traceroute utilities from operating correctly.
The prioritize ACK setting will prioritize packets with a TOS of low delay and for TCP ACKs with no data payload.
The clear DF bit setting enables or disables the removal of the don't fragment (DF) bit in the IP flags field of packets transiting the rXg. IP fragmentation is a mechanism that enables packets to be broken into smaller pieces to pass through links with a smaller MTU than the original size. In particular, packets with DF unset can be fragmented along their way to their destination by other routers. Enable this option if the packets transiting the rXg (upstream or downstream) are too large for one of the transit routers to handle. The two most common uses of this option are to enable NFS traffic to pass over the WAN and to permit fragmenting of inbound WAN traffic to support IP-IP tunneling (e.g., IPsec VPN) between the end-user client and the rXg.
The randomize ID setting enables or disables the randomization of the data inside IP identification fields. Enabling this prevents fingerprinting of a network from the outside world. Outsiders on the WAN can use the sequential nature of the IP packet ID field to discover the topology of a network protected by NAT. It is recommended that this option be enabled whenever clear DF bit is enabled.
The block policy field defines the response to devices when packets are blocked. The drop setting will silently drop all blocked packets, whereas the return setting will send an ICMP unreachable packet for UDP requests, a TCP Reset for TCP requests, and will silently drop all others.
The Queueing Mode option affects the traffic shaping mechanism and the queues that are built for client devices. When queueing is disabled, no queues are built and ALTQ is disabled. When set to normal mode, a single queue tree is built and packet scheduling and throughput is limited to a single CPU core. When set to parallel mode, packet processing is parallelized across multiple queue trees allowing multiple CPU cores to increase throughput. The number of parallel trees is set by the Tx/Rx Queues option, which requires a reboot if changed. NOTE: use of parallel queueing can result in inaccurate throttling if traffic for a single client traverses more than one tree, since the queue discipline is distinct for each queue tree.
In order to reduce the frequency of firewall queue and ruleset reloads, a set of semi-static queues pools is created, and queues are assigned to clients as needed. The Default Leaf Queue Count field specifies how many queues should be generated for a given pool when there is no prior knowledge of the number of queues required by that pool. When the number of clients nears the size of the pool, the pool is expanded. When a client disappears from the network, its queue assignment can be reclaimed so the queue can be reused by another client without growing the queue pool, since system performance is impacted when there are many queues. The Queue Assignment Timeout option controls how long (in minutes) a queue assignment will be retained before being reclaimed for another client. A shorter timeout will keep queue pools smaller. Setting a value of 0 will disable queue assignment reclamation.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Database Purgers
Entries in the Database Purgers scaffold define rules by which database records are automatically deleted.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The tables field specifies which tables of the database will be affected by this record. Multiple database tables may be selected so that a single purging policy may be applied across several facets of the rXg configuration database.
The timestamp column field determines the database timestamp that will be used in the calculations to determine if a database record is to be purged.
created_at and updated_at Any table may be purged of records using the created_at and updated_at timestamp columns. expires_at Only useful when used in conjunction with coupons. usage_expiration Only useful when used in conjunction with tokens. logged_in_at Only useful when used in conjunction with accounts.
The age field specifies the length of time that must elapse between the current time and the stored value in the timestamp column in order for a record to be chosen for deletion.
The retain records with usage remaining checkbox prevents the deletion of account records that have a non-zero value in their usage (time) field. This checkbox has no effect when the selected table is anything other than account.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Portals
The Portals view configures the rXg captive portal web application framework enabling self-provisioning and advertising communication for the end-users population.
The primary purpose of the captive portal is to provide a destination for end-users after a forced browser redirect. The end-user population that experiences a forced browser redirect is controlled through the policies subsystem.
The rXg is prepackaged with a default captive portal containing several revenue-generating web applications. Prepackaged end-user self-provisioning modules include sign-up via account creation, payment via real-time credit card processing, usage plan selection, coupon code redemption, viewing and editing of current profile , and more. In addition, the default captive portal includes several modules that assist with the delivery of pre authentication , post authentication , HTML injected , and web session interstitial advertising.
The captive portal infrastructure includes small format device detection and automatic routing of requests made by such devices to alternative layouts and stylesheets. This enables the portal to have unique and independent views for smart phones, PDAs, gaming devices, and other handheld devices.
While the default captive portal is fully functional, it is designed to be a basis for operators to create their own customized portal with operator specific art, identity, and even functionality. The process of customizing the captive portal begins with the creation of a new record in the Custom Portals scaffold on this view.
The rXg employs a caching mechanism to maximize performance of the captive portal web application server infrastructure. Use the restart web server dialog to bring the web application infrastructure into development mode in order to disable caching so that changes made to the custom portal files are immediately reflected in the pages being served. If pages are being loaded onto the rXg via SFTP, click the development button when the pages are finished being uploaded to dump the cache by restarting the web server. Restart the web server back into production mode when done making changes.
In order to customize a portal, the administrator must be enabled with SSH access via the Admins view. In addition, a working knowledge of how to use SSH, SFTP and Ruby on Railsare required. Some excellent books that cover these subjects are SSH, The Secure Shell: The Definitive Guide (ISBN 0596008953), Agile Web Development with Rails (ISBN 0977616630) and The Rails Way (ISBN 0321445619).
Custom Portals
An rXg can have multiple custom captive portals residing on it simultaneously. Each captive portal must have a record in the Custom Portals scaffold. Each captive portal may be assigned to serve a different subset of the end-user population. The mapping between portals and end-users is defined by the policies subsystem.
The name field is an arbitrary string used to identify the portal. This string is used for identification purposes only.
The controller name field is the string used to uniquely identify the portal within the Ruby on Rails web application infrastructure. If the controller name is left blank when a new custom portal is created, the rXg administrative console will automatically generate a reasonable default based on the name field.
The controller name becomes the suffix of the direct access URL. For example, if the controller name is abc
the direct access URL is https://rxg.local/portal/abc
. The controller name also determines the directory and file name structure that is used to store the custom portal on the filesystem of the rXg. It is very important be precise about the controller name when editing and uploading files to customize the portal.
The Google Analytics web property field stores a Google Analytics web property ID. The format of a Google Analytics web property ID is UA-xxxxxx-xx where the x's are numbers. The web property ID is listed next to the name of a configured profile in a Google Analytics account home page.
When the Google Analytics web property field is populated, the captive portal will automatically include a Google Analytics site tracking code. This allows the operator to easily integrate external, third-party verifiable portal traffic tracking for the purposes of revenue verification and advertising/impression count marketing.
It is the responsibility of the operator to create and maintain a Google Analytics account along with an appropriate profile for the desired web property. For most portals, it is recommended that the operator configure the portal post authentication landing page as a goal so that it is easy to see the ratio of potential end-users to end-users who commit to subscribe.
Operator Portals
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The controller name field sets the name of the controller and how you access the operator portal. For example, if the controller name is set to FOM, then the operator portal would be accessed by going to https://FQDN.OF.SYSTEM/FOM.
The default dashboard field allows the operator to specify which dashboard should be displayed when first logging in. By default, this is set to Template Default, but can be changed to any other custom dashboard that exists on the system.
The additional dashboards field allows the operator to select other custom dashboards that are visible in this operator portal, in addition to the default dashboard.
The single sign-on strategies field is used to select which, if any, single sign-on strategies that may be used to log into this operator portal.
The admin ACL field allows the operator to override the active admin controller ACL with the one specified here; the ACL selected here does not need to be marked as active.
The template field lets the operator choose which template this operator portal will be created from. Views and assets that do not exist will be sourced from the selected template. If portal source is set to duplicate, all views and assets will be copied from the selected template when created.
The initial contents field sets how the portal will be created. A portal with ' create directory structure only' selected will inherit all views and assets from the FOM portal unless overridden. If ' duplicate files from template or existing portal' is selected, then a new operator portal will be created and all files will be copied to the directory from the selected source, allowing the operator to edit any of the preexisting views. If ' Git' is selected then the source portal will be pulled from the Git repository. It is also possible to set a sync frequency when using Git so that any changes made to the repository can automatically be pulled to all systems. Checking ' restart after sync' will restart the webserver if there is change that was pulled and automatically restart the webserver so the changes will take effect. If ' Archive file via HTTP GET' is selected then the portal can be pulled from a remote site and sync frequency can be configured as well. It is also possible to use ' rsync' which provides the same sync options.
The module configuration section allows the operator to specify not only which admin roles have access to the operator portal but can also be used to disable specific modules contained within the operator portals.
Location Manager
The Location Manager is a portal that is aimed at presenting network information in a spatially aware way.
One of its key functionalities is creating and placing POIs (Points of Interest).
Click Here to Create a new POI.
After you name it, click here to save it
When you first create it, it will be placed in the center of the floorplan. Make sure dragging is turned on, then simply drag it to where it should be.
Omniauth Strategies
The Social Login Strategies scaffold enables creation, modification, and deletion of login strategies for supported Omniauth providers.
The name field identifies this login strategy in the system.
The provider name field determines which Oauth provider this strategy relates to. Select a supported provider from the list.
The app ID field defines the ID of the application that has been created with the provider chosen in the provider name field. For Facebook, this is the App ID , but for Twitter this is the API Key. This value should be obtained from the developer console of the associated provider.
The app secret field defines the app's secret value which authenticates the app. This value should be obtained from the developer console of the associated provider.
The captive portals selections define for which captive portals this strategy is enabled. This strategy will not be available unless it is associated with at least one captive portal.
The usage plans selections determine which usage plans are available for users who log in using this strategy. The plans selected here must also be associated with the end user's effective portal; however, users who have not logged in via this strategy won't be able to see these plans in the usage plan list. If there are no usage plans associated with this strategy, an account will be created for the user, who will then be redirected to the usage plan list view. If there is only one associated usage plan, and it is free, the plan will automatically be applied to the account.
The SAML section contains configuration options which pertain only to SAML login strategies. When utilizing a SAML strategy, the App ID and App Key are not necessary.
A SAML configuration requires at a minimum, an Identity Provider (IdP) SSO URL, and optionally, a IdP Cert Fingerprint to enable validation of the IdP's certificate. Both the SSO URL and Fingerprint may be determined automatically by providing a IdP metadata URL.
The Service Provider (SP) Entity ID is a unique identifier for the service provider, which will be entered into the IdP when adding the SP.
After creating the login strategy , the webserver will restart. Clicking the show link will provide the metadata URL that can be provided out-of-band to the Identity Provider in order to establish a login trust.
Users who log in with an Omniauth strategy only have access to usage plans that are associated with their strategy AND the current captive portal. Users who log in with a non-social account do not have access to the usage plans associated with the portal's Omniauth strategies.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
A WAN target should be associated with the captive portal where the operator intends to use the strategy which allows the user to access the provider's site for the login process. Twitter, Facebook, and Google WAN targets are created automatically and should be selected when utilizing these providers.
For more information, see the Social Login manual entry.
Remote Access to Local Web Servers
The rXg web multiplexor may be configured to recognize operator specified name-based virtual hosts. This feature enables the operator to configure remote access to web servers that are on the LAN side of the rXg in a reasonable, maintainable and understandable manner. Name-based virtual hosts are most often used for remote access to the web management consoles of privately addressed LAN equipment without VPN. VPNs are the preferred mechanism for enabling remote access to LAN equipment. The next best thing is to use name-based virtual hosts through this feature.
The operator must configure DNS records for each and every name-based virtual host that is desired. The DNS records must resolve to the WAN IP of the rXg. Web requests to the DNS record will contain the HTTP headers that enable the rXg web multiplexor to send the request to the appropriate backend server on the LAN.
The rXg must be configured with either a wildcard SSL certificate or individual certificates per destination host. Each HTTP virtual host entry can be configured to use unique SSL Certificates and should match the configured DNS entry for that host. This is required because HTTP headers are read after the SSL handshake is complete.
The hostname for remote access field specifies the DNS record that has
been configured. For example, if the rXg is given the domain name
gw.somewhere.net
it would be appropriate to use name-based virtual hosts such
as wc.gw.somewhere.net
, ap003.gw.somewhere.net
, sw18.gw.somewhere.net
,
etc. The chosen domain does not need to be a subdomain of the rXg.
The local server IP field specifies the target IP address(es) of the back-end server(s) for the name-based Virtual Host that is configured by this record. Web traffic sent to the rXg using the hostname configured in this record will be proxied to this IP. Multiple IP addresses can be defined, separated by spaces or newlines. When multiple IPs are defined, requests are load-balanced to the IPs in the list according to the configured Load balancing method.
The available load balanding methods are as follows:
- Round-Robin: This is the default behavior. Traffic is distributed in a round robin fashion.
- Least Connections: The next request is assigned to the server with the least number of active connections.
- Source IP Hash: A hash-function is used to determine what server should be selected for the next request (based on the client's IP address). Subsequent requests from the same client should be send to the same backend server.
- Source IP:Port Hash: A hash function based on the client's IP and Port combination
- Request URI Hash: A hash function based on the full request URI.
- Random: Each request will be passed to a randomly selected server.
- Random + Least Connections: Two servers are chosen at random, and the one with the least number of active connections is used.
The WAN Targets association restricts access to this virtual host to only the hosts included in the WAN Target. All other source IPs will receive a 403 Forbidden response when attempting to access using this FQDN.
Custom Data Set
The name field will be used to call the data set in a portal so choose a name that reflects the purpose of the record.
The policies field allows the operator to restrict which policies have access to the custom data set.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The key field specifies which custom data keys belong to the custom data set. When creating a custom data set this field is required; however, a custom data keys does not need to belong to a custom data set to be used.
Custom Data Keys
The dataset field is used to tie a custom data key to custom data set. This is optional when creating a custom data key , but can be used to tie a collection of custom data keys into a single custom data set.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The name field will be used to call the data set in a portal, so choose a name that reflects the purpose of the record.
The value section allows the operator to set what value or values are contained within the custom data key.
The string field is used to store a string value.
The text field is similar to the string field but should be used for large blocks of text.
The Boolean field can be used as a true/false flag. It is false by default.
The decimal field is used to store decimal numbers.
The integer field is used to store whole numbers.
The date field is used to store a specific date.
The time field is used to store the time.
The date-time field is used to store both the date and time.
Attachments
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The description field can be used to describe the purpose or a description of the content.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The custom portals field is used to select which customs portals the content will be available for use. Selecting a custom portal here will make the content available to any Captive or Landing portals based off of the Custom Portal selected.
The captive portals field is used to select which specific Splash portals the content will be available on.
The landing portals field is used to select which specific Splash portals the content will be available on.
The file field is used to select the file to upload and make available to the selected portals.
Simple Webpacker Example
Webpacker allows the operator to import pre-compiled JavaScript into a custom portal. In this example, a new custom portal will be created then add the necessary files. Navigate to System::Portals and create a new custom portal. Note: an existing portal if one already exists.
Give the portal a name, and specify the controller name. For this example, just the default portal will be used so no other information needs to be provided. Click create. Note: webserver will restart when a new portal is created.
Once the portal has been created, access the portal files. This can be done via SSH or SMB ; see the Portal Customization section of the help manual for instructions on setting up access. In this example, SSH to the machine and become root.
Now navigate to the portal directory cd /space/portals/demo. Note: portal path may be different if using a different portal or used a different controller name.
Next, create a src directory within the root portal directory. This will be where any desired js files imported using webpacker will be placed. To create directory, use the following command: mkdir src
Navigate to the src directory that was created with the following command: cd src
Next, create a hello.js file. This file will contain the following code:
let hello = "Hello, world!" console.log(hello)
Save the file and go back to the root portal directory cd ..
Edit the pack.js file and add the following line:
import "./src/hello.js"
This will import the JavaScript file created in the previous step. Once the line is added, save the file.
Now the portal JavaScript was added can be hit to and see in the developer tools console as the following:
Update
The Update view presents dialogs enabling the operator to change the version of the rXg software currently running. The operator may choose to automatically update or manually update the rXg.
It is imperative that the operator make a full backup of the rXg (including, but not limited to, the database configuration and the customized captive portals ) before initiating an update. If an update fails for any reason, it may be necessary to restore the rXg from backup.
The rXg automatic update process requires that the operator have a valid support contract with RG Nets. By supplying a valid support credential ( email and password ) assigned to the operator, the rXg will contact RG Nets servers, download the latest rXg software, and automatically perform the update.
The rXg manual update process requires that the operator have a version of the rXg software stored on their local filesystem. The latest versions of the rXg software are available on the rXg servers. Access to the rXg servers requires a valid support contract. The manual update process is useful for operators who have multiple rXgs deployed and wish to minimize the number of times that the rXg software package needs to be downloaded over the Internet.
The Update rXg from a mounted USB or local ISO Disk Image checkbox in this section allows you to use a bootable USB that is connected to the host as the source, OR an ISO file that is loaded into the disk images scaffold (currently only available when there is a virtualization host record defined or when manually loaded into the /space/disk_images directory). This dialog is intended for performing an rxg upgrade not an OS upgrade. The OS upgrade form becomes visible when the official FreeBSD version has changed.
When the box is unchecked, you can also upload an ISO file there to upgrade the rxg version.
Additional Resources
YouTube Playlist - Upgrading an rXg
Admins
The rXg administrative console implements all five tenets of a trustworthy system. Three of the five tenets (authentication, authorization and non-repudiation) are controlled on this view.
L3 authentication is enabled through the admin ACLs scaffold. By default, no active records are present in the Admin ACLs scaffold. In this default configuration, all devices may access the web administrative console. When an active Admin ACL record is present, the web administrative console may only be accessed by devices specified in the record.
L5-L7 authentication and non-repudiation are enabled through the Administrators scaffold. Each person that is involved with the administration of the rXg must have an independent record in the Administrators scaffold. Using strong login and password credentials enforces authentication. Enforcing administrative protocol to maintain distinct records for each administrator, prohibiting shared role accounts, and prohibiting revelation of credentials between administrators ensures non-repudiation.
Authorization is enabled through the Administrative Roles scaffold. Each administrator belongs to a role, and each role is granted a specific level of access to a subsystem of the rXg administrative console. As with any secure communication mechanism, adherence to proper protocol is of paramount concern to maintaining security. In order to ensure trust, there is no substitute or alternative to creating an individual administrative account for each administrator and using the Administrative Roles scaffold to apply an appropriate policy.
The remaining tenets of information security (confidentiality and integrity) are ensured by the use of SSL to protect communication between the administrator and the rXg. The configuration of the SSL subsystem is on a different view.
Access
The rXg web administrative console supports two access work flows: browser-based access and API-based access. Browser-based access is intended for human consumption and utilizes the login and password credentials configured when the administrator record is created. API-based access utilizes an rXg generated API key and is intended for computer consumption.
Browser-based Access for Human Consumption
Browser-based access is initiated when the operator wishes to access the web administrative console through a web browser to configure and instrument the rXg. To accomplish this, the operator uses a web browser to open the location https://rxg.dns.entry/admin/
. If admin ACLs are in place, the device running the web browser must be listed in order to gain access to the admin login page. Credentials (as defined in the Administrators scaffold) must be specified to continue.
Once credentials are supplied, the web browser is automatically redirected to the Instruments dashboard. The operator may then use the web browser to access the administrative console according to the access restrictions defined by the administrative role that is associated with the administrator.
API-based Access for Computer Consumption
The rXg also supports direct API access to the console web application via HTTP. When an administrator record is created, the API key field is automatically populated with a random string. The operator must pass the generated value of the API key field, as a CGI parameter named api_key
, to the console web applications controllers and actions.
One common use for API-based access is to perform automated backups from a third-party server or workstation. For example, an administrative workstation or server could be configured to periodically run the following command:
curl -O http://rxg.dns.entry/admin/menu/download_backup?api_key=fb9c5e...f6349
API-based access enables the operator to integrate simply with a broad spectrum of possibilities through standard HTTP. Nearly any task that is accomplished via browser-based access with a human present may be automated via API-based access. Some simple tasks are executed by hitting specialized actions with an HTTP GET such as the backup example described above. Most other tasks are executed through the RESTful API.
It is highly recommended that operators create specific accounts for API-based access rather than sharing an account between a human operator and computer automation. This enables the operator to quickly and easily discern between automated and manual requests through the admin log as well as helps keep the system more secure.
Administrators
The Administrators scaffold enables creation, modification, and deletion of accounts for administrators of the rXg.
To ensure authentication and non-repudiation of operator actions, each rXg administrator must have their own individual account protected by a set of strong credentials. Shared accounts and role accounts must be avoided as they represent a breach in security protocol.
The login and password fields are the credentials that identify an individual administrator. No administrators should be aware of the credentials of any other administrator. When creating a new administrator, the password must be entered twice for confirmation.
The service account checkbox, if selected, creates an admin that is used only to generate an API key and does not allow the service account to have access to the admin GUI.
The email field is used as the destination email address for system-generated email notifications. The selection of email notifications that the administrator will receive is governed by the notifications chosen in the administrative role that the administrator is associated with.
The role field defines an authorization policy for this administrator. The permissions for the roles in the list are defined by the Administrative Roles scaffold.
The first name , last name , and department fields are informational fields. They are only used in the Administrators scaffold to identify the administrator.
The public SSH key field is an optional field that the administrator uses to specify the credentials for secure FTP (SFTP) and command-line secure shell (SSH) access to the rXg. To enable SFTP/SSH access to the rXg, the administrator must generate a key pair using an SSH client and place the public key into the field. The key must be at least 4096-bit RSA or stronger. In addition, the administrator must be in an administrative role that has SSH access enabled.
Password authentication through SSH is not supported. Numerous resources are available for those that are unfamiliar withSSH public key authentication. In addition, a good book that covers this subject is SSH, The Secure Shell: The Definitive Guide (ISBN 0596008953) by Daniel J. Barrett, Richard E. Silverman and Robert G. Byrnes.
The API Key is an automatically generated string that is populated when an administrator record is created. The API key may be used by the operator to script operations by supplying the value as a CGI parameter named api_key
to the administrative console web application. The value is determined by the rXg and is not editable through the create and edit actions.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Administrative Roles
The Administrative Roles scaffold enables creation, modification and deletion of authorization policies that govern authenticated administrators within the rXg administrative console.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The SSH checkbox authorizes secure FTP (SFTP) and command-line secure shell (SSH) access to the rXg. Valid public SSH keys must be present in the accounts of administrators for which SFTP/SSH access is desired.
The SMB checkbox authorizes Samba access to the rXg. Must be accompanied by an active SMB Server which contains to the policy or WAN targets which will be accessing the SMB Server.
The API checkbox authorizes access to the rXg admin web interface when providing a member Admin's API Key as the api_key_query parameter or the _apikey HTTP header.
The MFA Option specifies a Multi-Factor Authentication configuration to use for members of this Admin Role. When enabled, Admins must perform MFA when logging into the Admin console. Multi-Factor Authentication is configured in the Multi-Factor Authentication scaffold on this dashboard.
The MFA for SSH checkbox enables Multi-Factor Authentication for this role when logging in via SSH. Admins may perform public key authentication OR password + MFA authentication to access the SSH server. Fallback behavior in the event that the MFA provider is unreachable or has an invalid configuration is controlled within the associated Multi-Factor Authentication scaffold.
Each of the permission sets can be configured to be readwrite , readonly , or none. The readwrite setting allows full access. The readonly setting only allows administrators to view configuration for the section and disallows updates. The none setting does not allow any access to the section.
The master permission authorizes control over global hardware-specific configuration options. Licensing, SSL, configuration backup, and restore are governed by this permission.
The system permission authorizes control over core services and network configuration. Device options, IP addresses, routing, DNS, DHCP, and other configuration options that affect the rXg software as a whole are governed by this permission.
The identities permission authorizes control over configuration and options that affect the authentication of end-users. Management of end-user accounts, groups, definitions and applications are governed by this permission.
The policies permission authorizes control over configuration options that affect the end-user control and communication mechanisms. Configuration of the end-user experience via traffic shaping, HTML payload rewriting, content and packet filtering, etc. is governed by this permission.
The billing permission authorizes control over configuration options and log retrieval for the rXg accounting mechanisms. Management of access and usage plans, download quotas, recurring billing, and other accounting related activities are governed by this permission.
The instruments permission authorizes control over the viewing, manipulating, and downloading of real-time and archival data. Graphing, logs, and all other end-user cognizance mechanisms of the rXg are governed by this permission.
The various options in the notifications section determine which of the automatically generated emails the administrators who are a member of this administrative role receive. The rXg emails correspond to the custom messages configured via the email view of the Services menu.
The rXg emails are primarily used for event-driven notifications. For example, an administrative role for billing support personnel would want to receive failed transaction notifications. Similarly, an administrative role for network engineering would want to receive notifications for event triggers.
The Location Areas field is used to correlate this Admin Roles with that have APs with associated clients whose transactions will be discoverable for this Admin Role, so that Admins within this Admin Role may choose to approve those transactions.
Multi-Factor Authentication
The rXg supports verifying an administrator's identity by initiating Multi-Factor Authentication through a third-party provider. The Multi-Factor Authentication scaffold configures the rXg for multi-Factor Authentication.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The provider dropdown specifies the third-party MFA mechanism to be used for confirming administrator's identity.
The integration key , secret key , and API hostname fields should be completed using information from an application created within the provider's control panel.
The fallback mode determines the behavior that should be used when primary login is initiated, but the provider's service is unreachable or misconfigured. Completing Multi-Factor Authentication from the Admin UI requires that the administrator's device have Internet access, and in the case of SSH access, requires that the rXg have Internet access. If the rXg does not have Internet access, the fallback mode will be used to determine the login behavior.
When configured to allow access , errors with the configuration file or connection to the Duo service will allow SSH login without Multi-Factor Authentication.
When configured to prevent access , errors with the configuration file or connection to the Duo service will deny SSH access. This option is more secure but may result in you being locked out of SSH access to the system, and should be used with caution.
The admin roles selection determines which roles will trigger Multi-Factor Authentication after completing primary authentication.
Multi-Factor Authentication may be enabled for SSH access by enabling the MFA for SSH checkbox when editing an individual admin role. When MFA is used with SSH, the administrator may continue using a public key, if configured, but will fall back to username and password authentication with a Multi-Factor Authentication prompt before completion.
Duo Multi-Factor Authentication
In order to set up Duo Multi-Factor Authentication with the rXg, you will need to login to your Duo account, or create a new account at https://duo.com/
Once you are logged into the admin panel (https://admin.duosecurity.com/), you will need create a new Application to protect, and retrieve your integration key, secret key, and API hostname to be entered into the corresponding fields in the rXg.
To do so, click on the applications link on the Duo Dashboard, and then on "Protect an Application".
Next, search for the term "SDK" and click the protect button for the web SDK Application.
Copy the fields in the application details to the appropriate fields in the rXg
Select the admin roles for which Multi-Factor Authentication should be enforced.
Multi-Factor Authentication may optionally be applied to SSH access. If MFA for SSH is enabled in the admin role, the admin may log into the rXg via SSH by providing a public key OR providing a valid username and password combination. When providing a username and password, a push notification will be sent to the mobile device, or the admin may register by visiting a generated URL (if the Duo application policy allows it).
To configure Duo for SSH navigate to System::Admins and edit the administrative role for which you would like to enable MFA for SSH.
Single Sign-On Strategies
The Single Sign-On scaffold enables use of a centralized identity management store for administrative accounts of the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The role attribute field tells the rXg what user attribute to observe for an admin role assignment. An attribute value received which matches the name of an admin role will apply that admin role to the user.
The admin role dropdown enables the operator to select a fallback admin role. If the role attribute value is blank, or cannot be interpreted, the fallback role is used.
The provider dropdown selects the type of SSO application
The ID and key fields are used to authenticate to a specific application.
The scope field overrides default permissions requested by the app. Entries in the scope field may require an app review.
The alternate redirect hostname enables the operator to override the redirect URL to utilize a different FQDN than is configured on the rXg. This requires a DNS record pointing to the node and should fall under an existing wildcard certificate.
The button text field allows the operator to override the default text displayed within the button on the administrative portal login screen.
The IdP metadata URL (Identity Provider) can be used to import the SSO URL and certificate fingerprint of the remote identity provider. If the IdP provides this URL, the rXg will try to import the remaining fields.
The IdP SSO URL is provided by the identity provider as the URL to redirect logon requests to.
The IdP SLO URL is optionally provided by the identity provider as a URL to redirect log-off requests to.
The IdP cert fingerprint enables the operator to provide a SHA1 fingerprint of the identity providers certificate, for validation. Leaving this field blank disables certificate validation.
The SP EntityID (Service Provider) field enables an operator to override the default EntityID of the rXg. The default value is the active FQDN defined under System::Options::Device Options
.
SMB Servers
The SMB Servers scaffold configures the rXg integrated SMB file sharing server. The rXg exposes several aspects of the onboard filesystem as SMB shares including, but not limited to, the portals, logs, backups, and TFTP datastores.
The rXg SMB share is accessible via the UNC \ip.address.of.rxg\datastore. For example, if the rXg IP address is 192.168.5.1 and the operator desires to modify the captive portal, the appropriate UNC is \192.168.5.1\portals. Datastores are appropriately flagged as read-only or read-write depending on their nature. For example, logs and backups are read-only whereas the portals and TFTP datastores are writable. The following named shares are available: admin login - the admin's home directory; "backups" - routine backups (read only); "logs" - raw log files (read only); "portals" - custom portals (read/write); "tftp" - TFTP boot directory (read/write);
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
IP layer access control to the SMB file sharing mechanism is controlled by the policy and WAN target fields. LAN access to the SMB shares must be initiated from an IP address that is a member of a group listed in the policy linked to the SMB server. WAN access must be initiated from an IP address that is listed in a linked WAN target.
User layer access control is configured via the administrator accounts configured on the system. The operator must supply a valid administrator account login and password that is linked to an administrative role with SMB enabled in order to access the SMB file shares.
Admin ACLs
The Admin ACLs scaffold enables operators to configure L3 access restrictions to the web administrative console. Since L3 ACLs take effect before L5-L7 credentials may be presented, the Admin ACLs are typically used to restrict access to the web admin console to a set of known devices. This helps thwart dictionary attacks against the L5-L7 authentication mechanism of the web administrative console.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The WAN targets and policies fields specify which sets of hosts should be allowed access to the web administrative console. By default, all devices are allowed access to the web administrative console. When an active record in the web admin console ACLs exists, then access to the web administrative console is restricted on L3 to the specified hosts.
It is extremely important to be careful when creating a web admin console ACL. Incorrect data entry may disable administrative access and may be unrecoverable. Once an admin ACL is active, the operator must specifically list hosts to be granted access on the WAN by creating WAN targets and enabling the appropriate check boxes. Hosts on the LAN may be granted access by placing the hosts into a group and then linking them into a policy selected here.
RADIUS Realms
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The read role from class field allows you to override the selected default Administrative Role.
The administrative role drop down box allows you to specify the default administrative role for admins tied to the Radius Realm. For example, if an admin logs in and the read role from class box is unchecked, all admins will be tied to the role specified here; if read role from class is checked but the role doesn't match, the role specified in administrative role will be applied.
The encoding drop down lets the operator specify between PAP , CHAP , and MSCHAP.
The servers field allows you to specify the Radius Realm Servers the realm(s) authenticates against.
Using the Request Attribute settings, the operator can specify which attributes will be sent to the Radius Server.
Send NAS-IP-Address attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user. This can be set to use Uplink IP of the rXg, or it can be specified using the NAS-IP-Address field.
The operator can Send Called-Station-ID , this can be set to use the uplink MAC or the operator can specify using the Called-Station-Id field.
The operator can send a NAS-Identifier. If the use domain name box is checked it will send the active Device Option's domain name as NAS-Identifier , or the operator can manually set a static NAS-Identifier using the NAS-Identifier field.
The operator can send the NAS-Port. If Use client VLAN is checked, the VLAN tag of the client will be sent as NAS-Port, or 1 if untagged. The NAS-Port field will manually set static NAS-Port.
When Send NAS-Port-Type is checked, the operator can specify the type by using the NAS-Port-Type dropdown and selecting from the list.
When Send requesting node IP is checked, requesting node IP attribute can be selected from the drop-down box.
When Send requesting node MAC is checked, the requesting node MAC attribute will be sent and can be selected from the drop down box.
RADIUS Servers
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field dictates the order servers are tried, where highest is first.
The host field is the RADIUS service IP address or domain name.
The secret field is the RADIUS shared secret.
The port field is the RADIUS service port (Default 1812).
The accounting port field is the RADIUS Accounting service port (Default 1813).
The tries field is the number of failed tries before moving on to the next least priority server.
The timeout field is the number of seconds per try to wait for a response from the server.
The realms field lets the operator select which Realms will be tied to the RADIUS Server.
TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available.
TACACS+ Realms
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The service name field is used to specify the custom TACACS+ service name.
The role attribute field is used to specify the custom TACACS+ authorization attribute to map to an administravite role name.
The administravite role drop down box allows the operator to specify the fallback role when the server does not provide the name of an existing role.
The operator can specify the TACACS+ servers to use the TACACS+ Realm by selecting servers in the servers field.
TACACS+ Servers
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field dictates the order servers are tried, where highest is first.
The host field is the TACACS+ service IP address or domain name.
The port field is the TACACS+ service port (Default 49).
The encoding drop down lets the operator specify between PAP, CHAP, and MSCHAP.
The secret field is the TACACS+ shared secret.
The tries field is the number of failed tries before moving on to the next least priority server.
The timeout field is the number of seconds per try to wait for a response from the server.
The realms field lets the operator select which Realms will be tied to the TACACS+ Server.
Backup
The Backup view presents the dialogs and scaffolds associated with creating backups, automated push-based remote backups, and restoring backups of the rXg.
Backup is a critical aspect of network continuity. Proper backups enable the RGN operator to quickly and easily recover from a rXg hardware failure. In addition, the rXg backup and restore mechanism enables operators to quickly replicate a rXg configuration across a fleet of rXgs.
The rXg supports operator initiated on-demand backups as well as rXg initiated periodic scheduled backups. On-demand backups are initiated via a dialog presented on the Backup view. Periodic backups are configured via the Routine Backups and Backup Servers scaffolds.
On-demand and Pull Backup
The operator may initiate a backup at any time via a dialog present on the Backup view. Backups always include the configuration of the rXg. Backups may optionally include custom portals, graph databases, and/or historical data by selecting the appropriate checkbox.
The on-demand backup mechanism may also be used by an operator as part of a pull backup system. The most common use case for this is when an operator wishes to have a server periodically initiate a backup. For example, a UNIX server that has cron and curl might be configured with the following crontab:
30 4 * * * curl -O https://rxg.host/admin/menu/download_backup?api_key=a...123
30 5 * * * rm -f `ls -ot | head -10`
The value for the api_key parameter is obtained from the Admins view. It is highly recommended that the operator creates a specific account for the purpose of enabling pull-based backup on both the rXg and the backup server. There are two additional parameters that may also be present in the URL:portalsWhen set to 1, custom portals are included in the backuprrdsWhen set to 1, graph databases are included in the backupThe two parameters mirror the check box options that are present in the dialog box. The configuration of the rXg is always included in the backup. If the operator wishes to be explicit, the parameterconfig=1
may also be passed.
Scheduled and Push Backup
The rXg supports scheduled backups that are stored on the local persistent storage device, pushed to external servers, and other rXgs. Backup schedules are determined by routine backup records. External servers that will receive push-based backups are configured via backup server records.
Routine Backups
Entries in the Routine Backups scaffold configures the schedule according to which the rXg will perform automated system backups.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The frequency field specifies the execution frequency of the automatic backup defined by this record.
An rXg routine backup will be limited to the configuration of the system by default. Routine backups may include the installed custom portals , recorded graph databases , and recorded historical data by selecting the appropriate check boxes.
The number of backups to keep on the rXg configures the length of the FIFO storage queue. The rXg creates and stores new backups on the rXg persistent storage mechanism according to the schedule defined by this record. When the number of stored backups reaches the value specified in this field, the rXg deletes the oldest stored backup.
The backup servers field associates this routine backup record with a remote server to which the backup will be pushed. The specification of a backup server is optional. The default behavior when no backup server is specified is to store the backup file on the local persistent storage.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Backup Servers
Entries in the backup servers scaffold contain the configuration data needed to establish a file transfer to a remote server for the purpose of pushing a backup file created by a routine backup.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The protocol field specifies the application layer protocol that will be used to transport the file.
The host field specifies the DNS name or IP address of the server that will be the destination of the file transfer.
The username , password , and SSH private key fields contain the authentication credentials for the server specified in the host field. When the FTP protocol is selected, only the username and password fields are relevant. When the SFTP protocol is selected, the operator may choose to use either password or public-key based authentication. Public-key authentication is enabled by copying and pasting a key into the SSH private key field and entering the key passphrase into the password field.
The path field specifies the destination on the remote filesystem for the backup file that is being pushed. The location specified by the path field must exist or the routine backup will fail. If the path is left blank, the default path on the server will be used as the destination on for the backup file.
The port field specifies the TCP port that will be used when a connection is made by the rXg to the server specified by the host field. If the port is not specified, port 21 is used for FTP and 22 is used for SFTP.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Receiving Backups
A secondary warm spare rXg may be configured to receive push backups from a primary active rXg. This mechanism enables operators to rapidly recover from rXg hardware failures. If the primary active rXg hardware fails, the operator simply logs into the secondary warm spare rXg and initiates a restore. The secondary warm spare rXg will then immediately take over the operation of the primary active rXg. This mechanism is most often as a redundancy solution for rXg cluster controllers.
To configure an rXg to receive backups, create a backup server on the primary active rXg. Configure the following settings in the new backup server record:
ProtocolSFTPHostDNS entry of the secondary warm spare rXg.Usernamebackup
SSH private keyThe SSH private key from the secondary warm spare (a 4096-bit RSA key or stronger is required).All other fields may be left as their default. The SSH private key for the secondary warm spare rXg may be found on a dialog in the Backup view.
The backup server must be associated with a routine backup record that defines the transmission frequency of backups from the primary active rXg to the secondary warm spare rXg. Backups from the primary active rXg are displayed in the restore dialog of the secondary warm spare rXg.
Restore
An rXg may be restored with a backup that is uploaded by the operator or that is chosen from one or more that are stored on the local persistent storage. A dialog on the Backup view is presented to accomplish this task.
To restore a backup that has been previously created via a pull mechanism, use the file chooser dialog to select a rXg backup file that is accessible via the administrator's workstation. To restore a backup that has been previously created via a local routing backup or remotely pushed to the rXg, select a backup from the drop down.
If no local routine backups or remotely pushed backups are present on the rXg persistent storage, then the option to select a file stored on the rXg will not appear.
When restoring a backup, it is important to note that the rXg will maintain the license that is present on the rXg. Furthermore, when a backup is restored to a rXg that does not have the same Ethernet interfaces, the restore mechanism enables the operator to reconfigure the interfaces before the rXg comes online. This behavior enables operators to use a single rXg to build a configuration template that may be replicated across a fleet of rXgs.
Keep in mind that the flexibility of the backup and restore mechanism must be used in a reasonable manner. In general, the backup and restore mechanism is designed for similar machines. Restoring a secondary warm spare rXg that has fewer capabilities than a failed primary active rXg will likely result in disastrous consequences.
Config Templates
Entries in the Config Templates scaffold provide the ability to configure the rXg with YAML configuration files.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
You can either paste in your configuration template into the config field, or you can load one from either a local file with the upload file field or a remote file with the remote URL field. If the remote URL requires basic authentication, then use the username and password fields.
The apply template field applies the config template immediately after saving.
The recurring method field instructs the backend to regularly fetch the file at the remote URL and apply it on a schedule.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Configuration Syntax
The top-level YAML object must be a key-value store (also called a hash, map, or dictionary) or an array of key-value stores. There are two types of top-level keys in the YAML configuration template: model/scaffold keys and smart keys.
Model keys (or scaffold keys ) are entries in the YAML template which create/modify entries in the database. These keys are based on the underlying ActiveRecord models, or scaffolds. You may use the PascalCase
or snake_case
version of the scaffolds (e.g., AdminRole
, admin_role
, or admin_roles
); however, the PascalCase
version ensures you don't conflict with a smart key. Fields are always written in snake_case
.
For example, to add an administrator:
Admin:
- login: my_admin
password: 'testPassword1!'
password_confirmation: 'testPassword1!'
admin_role: Super User
ssh_keypairs:
- name: my_admin authorized public key
public_key: 'ssh-rsa AAAA...Q=='
authorized: true
If you wanted to edit an existing record, ensure that the lookup field is defined first. For example, to set the time zone:
DeviceOption:
- name: Default
time_zone: America/Chicago
Smart keys are snake_case
entries in the YAML template which, in addition to creating entries in the database, perform some other operations. An example of this is the license_key
. It is not enough to just create the entry; the backend also needs to process the key so the licensing limitations are removed. Otherwise, (for example) if later in the config template, the operator tries to set the Uplink to 1Gbps, the licensing limitations would not allow this until the backend processed the new license key. To set the license_key
in a config template:
license_key: |
abcdQabcduUzuo5IxtjuDabcdx6zVfEgnjl30Q4lDiabcdpCYmNrQa5x
...
xKdOy1PabcdHydNCvs5CU5JLRabcdn0yHZIpv6FvDxFdmku7XiDEGuI=
Advanced Usage
Top-Level Data Structure
If your top-level data structure is a hash, then you cannot replicate keys, or they will overwrite one-another. So, to organize your config template to support duplicate keys, you need to use an array as your top-level data structure:
# configure management network
- Address:
- name: mgmt
cidr: 10.0.0.1/24
- Vlan:
- name: mgmt
interface: igb3
tag: 4
addresses: mgmt
# configure onboarding network
- Address:
- name: onboarding
cidr: 172.16.0.1/23
- Vlan:
- name: onboarding
interface: igb3
tag: 5
addresses: onboarding
Nested Associations
Rather than creating associated records in their own keys, you can also nest the associations, like so:
Address:
- name: mgmt # configure management network
cidr: 10.0.0.1/24
create_dhcp_pool: true
vlan:
name: mgmt
interface: igb3
tag: 4
- name: onboarding # configure onboarding network
cidr: 172.16.0.1/23
create_dhcp_pool: true
vlan:
name: onboarding
interface: igb3
tag: 5
Notice that this pattern is more concise and readable, and naturally groups associated records together, without having to convert your top-level data structure into an array.
Custom Lookups and Mutating Records
Normally, the first key/value pair under a model key will be used to lookup the record. For example, to edit an admin's role, you can do this:
Admin:
- login: someuser
admin_role: Super User
However, suppose you wanted to edit a user's login. Then you should use the special _lookup
field:
Admin:
- _lookup:
login: sumusr
login: someuser
Only Update Existing Records
Typically, when a config template is run, the rXg will look up an existing record and modify it, or attempt to create a new record if there is no existing record.
Sometimes you may wish to only update an existing record if it is found and never create a new record. To do this, you may use the special _update
field:
AccountGroup:
- name: test
priority: 5
_update: true
- name: test2
priority: 7
_update: true
The template above would look for existing account groups with the name "test" and "test2" and update their priorities as needed. If the groups do not already exist, they will not be created, and the template will fail and be rolled back.
Delete Existing Records
A config template that contains an _delete
key can be used to delete an existing record. See the following example:
Admin:
- login: testadmin
_delete: true
The template above would look for an existing administrator account with the name "testadmin" and delete the administrator if it does exist.
Association Lookups
When defining a nested association, normally you can just provide a string with a "natural key", which usually refers to the name
field on the associated record. There are exceptions for models which don't have aname
field, such as the Admin
model, and for those we try to use the most sensible field (login
in the case of theAdmin
model). However, you can also provide a full record definition, for which the normal rules apply (first key/value pair will be used for lookup), and you can even provide a nested custom _lookup
field. If the record doesn't exist, it will be created, assuming you provided all the required fields.
Supported Model/Scaffold Keys
We are not going to enumerate the model keys, since they map directly to scaffolds. You can refer to the rXg API documentation, or you can SSH into the rXg and run console
to inspect the various models.
ActiveRecord models should generally be referenced using theirPascalCase
name, to ensure you are not accidentally using a smart key. However, to accommodate flexibility, you may also use thesnake_case
version of the model name in your config template.
Supported Smart Keys
license_key
Configure the system with the provided license key. This key only takes a single string as an argument, but you do need to use YAML formatting to send multiple lines. For example:
license_key: |
abcdQabcduUzuo5IxtjuDabcdx6gnjl30Q4lDiabcdpCYbK4VmNrQa5x
...
xKdOy1PabcdHydNCvs5CU5JLRabcdn0yHZIpv6FvDxFdmku7XiDEGuI=
Use Config Template to Bootstrap New rXg Installation
Prerequisites
- USB Drive containing bootable rXg image
- USB Drive containing config template YAML file Procedure
- Insert bootable USB drive into machine and follow normal rXg installation procedure
- After installation has completed and machine is rebooting, remove bootable USB drive.
- Insert USB Drive containing config template YAML file.
- Do not create an admin user
- rXg will automatically scan the USB drive for YAML files, and apply them as a config template.
Use Cases
- Bootstrap an initial installation with license and all Admin Users and Roles already created
---
license_key: "CVBB/4+t7KfT7mwgg+VqhnCusC5SCdF7o+jMeK4U82yV343JSAE0sWnc1F6V\n
/0RrJON/unT2XMvAwZXMKxbpdpYIC3WHcaqw24vaqGl2QNFxrj6KDvo5CJ9P\n
hj8aPuU7zX4nrUjQEEYU25lOa/Y/cVdS+jh+Gd3iopB5+/CEuBfSVcKIRSx1\n
EpDV0l58/0WXkDL1WBgumfviduVzrPyebA26+yjGlRsdlMbuQLWcE0qaiJDJ\n
aJI8cAbz2ehD7bTfVv65Tg4swAEKuENNxO9qIY8v7SALAshAhi6ONZcja32u\n
YjZSWk51GZuUdkbRxPdddebprB1Ab1/d7Ob0utFBhfh+OQVSqr7pVynNaRpv\n
P9YXdq86dflyUQ+dGnKZmtrogMFINj8Rv8k7RD6Slp644tZ9YDaDH4AGCFPs\n
xRzNXfDLhgCMyx7t9VHwCXsTHzsaFxhNFD77qHTyAf4rEkPJQTGuxC2VN46F\n
SmTMLztNJxKz7ud0Y9mQVrVr+24R+bNwT83jlYwx9a/YIgF3+oE1eZpXgK3F\n
z+BP0Ey5R5MClNxE+FEtH7/KYpY0iufb1Y9lUcelw9ppmNJNVcEG/OmJzy40\n
3phGQLMbRw7r2v+VMiBvRJRqsdY0EFoPa2PxWhWQNJeWCCAQODi239PfBcCG\n
JCQMedN0fyi8RtZuibWHZfFOXYJo1mJA202/4W/TPxfL2HoZeZuZ6AjB9iqP\n
ji2DFOLVhfHo4t8L4ZfEtu/TAtxhgUjTQ9St26+SB21P5VSmt7V31IIeBSco\n
+vM61bCObLdlapA9dalqBARDqTmjLAn+jgEh6sQ8oe655tK4M7Dd2RLN0VO+\n
nTxHa5/He2c5ROKG8HWrs4Vj0sZQknfyIkStyYUolI66DSKU2VbUImEJ4Y5v\n
8HlSXZjCQ7SbC+v3VUWI83akAX9hhKpxp2NDWlk77gwRkvmX9fpb/wwBENmH\n
eOIWqYlXYoRYNWTo5x327fzwv6bUv0tYSIk1eQ0xArzF546O1MX0C2T/5ptf\n
zTEmB/IJgQ3NTZRP+yFGOVim3SV05/0hJBsykkUt+Ked3Xpa7RsUQeT8pyMq\n
1ggtm66+M+jTFl7SsHemrc3vzQu/OUrGMEgeNaHO1Dx9KLn1p5CQumhkrSUN\n
Lzd+mSUnxOkD+fOLDduNRX9mSG8zTQz8GYF2+pqx2BAnzUxjrUs+HBpfSvlU\n
4USn6LYVtDyoBPpL"
AdminRole:
- name: RG Nets
system_permission: readwrite
policies_permission: readwrite
identities_permission: readwrite
instruments_permission: readwrite
ssh_enabled: true
master_permission: readwrite
billing_permission: readwrite
archives_permission: readwrite
conference_mode: admin
custom_emails:
- Health Notice Create (notification)
- Health Notice Cured (notification)
- name: WebGUI Only
system_permission: readwrite
policies_permission: readwrite
identities_permission: readwrite
instruments_permission: readwrite
ssh_enabled: false
master_permission: readwrite
billing_permission: readwrite
archives_permission: readwrite
conference_mode: admin
custom_emails:
- Health Notice Create (notification)
- Health Notice Cured (notification)
Admin:
- login: rg
first_name: Romeo
last_name: George
email: [email protected]
crypted_password: "$2a$11$NRMhuaklja/lksdjfglhkUe9Y/GP0jceg6hZRYDrbLufnO0Y2ZN4tO"
admin_role: Super User
company: RG Nets
preferred_contact: email
ssh_keypairs:
name: ndk authorized SSH key
public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAgYhNrfb8Kncs1H7fHc1AhEJzgQ......
authorized: true
- login: dgray
first_name: Dorian
last_name: Gray
email: [email protected]
crypted_password: "$2a$11$Dpl1oXpIv9r3yt5mATWujeDQ255NuQ8L0edjAKGuox3ByAO7y2lUK"
admin_role: WebGUI Only
Integrating with Ansible
Ansible is an automation engine that can automate configuration management, deployment, and many other IT needs. Ansible relies on OpenSSH, making it very lightweight and secure. Furthermore, Ansible does not require any remote agent for configuration management. By utilizing the rXg config template mechanism, Ansible can automate tasks across many installations.
Procedure
- Install Ansible on a host machine. See Installation Guide.
- Create Hosts file "/etc/ansible/hosts"
- Populate hosts file (here I create a group called lab, and add my host to it).
lab:
hosts:
lab.rgnets.net:
production:
hosts:
production.rgnets.net:
- Ad-Hoc Ping all hosts
ndk@MBP ansible % ansible all -m ping
[WARNING]: Platform freebsd on host production.rgnets.com is using the discovered Python interpreter at
/usr/local/bin/python3.7, but future installation of another Python interpreter could change this. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. **production.rgnets.com | SUCCESS =\> {**"ansible_facts": {
"discovered_interpreter_python": "/usr/local/bin/python3.7"
},
"changed": false,
"ping": "pong"
}
[WARNING]: Platform freebsd on host lab.rgnets.com is using the discovered Python interpreter at
/usr/local/bin/python3.7, but future installation of another Python interpreter could change this. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. **lab.rgnets.com | SUCCESS =\> {**"ansible_facts": {
"discovered_interpreter_python": "/usr/local/bin/python3.7"
},
"changed": false,
"ping": "pong"
}
- Ad-Hoc Ping all hosts in 'lab' group
ndk@MBP ansible % ansible lab -m ping
[WARNING]: Platform freebsd on host lab.rgnets.com is using the discovered Python interpreter at
/usr/local/bin/python3.7, but future installation of another Python interpreter could change this. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. **lab.rgnets.com | SUCCESS =\> {**"ansible_facts": {
"discovered_interpreter_python": "/usr/local/bin/python3.7"
},
"changed": false,
"ping": "pong"
}
- Ad-Hoc copy a file to all hosts in 'lab' group
ansible lab -m copy -a "src=/etc/ansible/test.yaml dest=~/"
- Create an Ansible "Playbook". In Ansible, a playbook is a list of "plays". Plays are a collection of Ansible modules, or tasks to execute against one or more remote machines. In this example, we will utilize two "plays":
template
which is used to copy a file from our Ansible host to the desired rXg, andshell
to execute a command on the rXg.
- Create a rXg config-template YAML. Example:
admins.yaml
Admin:
- login: dgray
first_name: Dorian
last_name: Gray
email: [email protected]
crypted_password: "$2a$11$NRMhuglh/HgEvB3Um2skUe9Y/GP0jceg6hZRYDrbLufnO0Y2ZN4tO"
admin_role: Super User
- Create an Ansible "Playbook" YAML. Example:
adminmgmt.yml
---
- hosts: lab
tasks:
- name: Copy Admins YAML to host(s)
template:
src: /etc/ansible/admins.yaml
dest: ~/admins.yaml
- name: Apply the YAML as a config-Template
shell: "/space/rxg/rxgd/bin/apply_template ~/admins.yaml"
register: apply_template_output
- debug:
var: apply_template_output
- Execute the Ansible Playbook:
ndk@MBP ansible % ansible-playbook adminmgmt.yml
PLAY [lab] ***************************************************************************************************************
TASK [Gathering Facts] ***************************************************************************************************
[WARNING]: Platform freebsd on host lab.rgnets.com is using the discovered Python interpreter at
/usr/local/bin/python3.7, but future installation of another Python interpreter could change this. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
ok: [lab.rgnets.com]
TASK [Copy Admins YAML to host(s)] ***************************************************************************************
ok: [lab.rgnets.com]
TASK [Apply the YAML as a config-Template] *******************************************************************************
changed: [lab.rgnets.com]
TASK [debug] *************************************************************************************************************
ok: [lab.rgnets.com] => {
"apply_template_output": {
"changed": true,
"cmd": "/space/rxg/rxgd/bin/apply_template ~/admins.yaml",
"delta": "0:00:07.626886",
"end": "2020-04-01 12:04:32.647933",
"failed": false,
"rc": 0,
"start": "2020-04-01 12:04:25.021047",
"stderr": "/space/rxg/console/vendor/bundle/ruby/2.6/gems/activesupport-4.2.11.1/lib/active_support/core_ext/....
"stderr_lines": [
"/space/rxg/console/vendor/bundle/ruby/2.6/gems/activesupport-4.2.11.1/lib/active_support/core_ext/object....
"Creating new ConfigTemplate with name Generated by ndk at Apr 1, 12:4 PM"
],
"stdout": "INFO : Initiated Apr 1, 12:04 PM",
"stdout_lines": [
"INFO : Initiated Apr 1, 12:04 PM"
]
}
}
PLAY RECAP ***************************************************************************************************************
lab.rgnets.com : ok=4 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Certificates
The Certificates view enables the operator to manipulate the cryptographic keys that are used in conjunction with rXg services that employ public key cryptography.
Cryptography in the form of transport layer security via SSL and IPsec protocols is present in several rXg services to ensure the privacy and integrity of the data being transferred. The RADIUS server, IPsec VPN concatenator, and of course, the web multiplexer that serves the captive portal and administrative console all require asymmetric cryptographic keypairs. The creation, import, and export of keypairs is accomplished by manipulating the Certificates scaffold.
The rXg web multiplexer and RADIUS server employ transport layer security (TLS) in the form of the SSL protocol. The VPN concatenator conforms to the IPsec protocol. Both TLS and the IPsec protocol suites incorporate signed certificates as part of their trust mechanisms. The Certificate Signing Requests scaffold enables the operator to generate trusted third-party certification requests. A trusted third-party signature is required for the certificate used by the web multiplexer to serve a captive portal in a production environment.
Third-party Signatures
Operation of an rXg served captive portal requires at least one administrator to have working knowledge of public-key cryptography and TLS/SSL. In particular, an administrator must be familiar with the process of obtaining a signed SSL certificate. This process must be repeated periodically since signed SSL certificates have a limited life time.
There are many references available on the Internet that provide detailed information about howpublic-key cryptographyworks as well as specific information about thetransport layer security protocol. Practical Cryptography (ISBN 0471223573) by Niels Ferguson and Bruce Schneier provides an excellent overview of this subject. Network Security with OpenSSL (ISBN 059600270X) provides detailed step-by-step instructions on the process of generating certificate signing requests as well as obtaining and installing third-party signed certificates.
To obtain and install a signed SSL certificate for an rXg:
- Choose a domain name for the rXg.
- Configure your DNS server to resolve the chosen domain to the WAN address of the rXg.
- Set the domain name in the Device Options scaffold.
- Click on the create new action on the Certificate scaffold. A drop-down dialog will appear.
- Enter a name for the new key chain. A good choice for the name of the new key chain is the domain name that you have chosen.
- Leave all other fields blank (except note if you have a note). The rXg will automatically generate a private key.
- Click the create button.
- Click on the create new action on the Certificate Signing Requests scaffold. A drop-down dialog will appear.
- Give the new CSR a name.
- Choose the certificate key chain that was created in the previous step.
- Completely fill out the form.
- Choose the appropriate option to generate a CSR for a trusted third-party to sign. Do not use the self-sign or local CA options as this will automatically create a certificate that is not automatically trusted by most browsers.
- Click the create button.
- A CSR will now be shown in the Certificate Signing Requests scaffold. Send the CSR to a trusted third-party signer to obtain a signed certificate to load into the rXg.
- Copy the CSR out of the list or show view of the certificate signing requests field into the clipboard.
- Contact a trusted third-party SSL certificate signer such asGo Daddy. Paste the CSR from the clipboard into the appropriate form along with payment.
- If the signer gives a choice of formats, choose X509 PEM, Apache, mod_ssl, or OpenSSL, as the rXg SSL web multiplexer is compatible with all of the above formats.
- Contact your domain administrator to authorize certificate issuance by clicking on a URL in an email sent by the third-party signer.
- Open the signed certificate and intermediate certificate(s) using a text editor such as WordPad, TextEdit.app, or vi.
- Edit the key chain record in the Certificates scaffold. Copy and paste the certificates into the appropriate fields in the record.
- Enable the key chain by setting on the check box next to the active field and clicking the update button.
- Wait for the web server to restart. When the web server comes back up it will be using the signed certificate.
Local CA Signatures
The Certificate Signing Requests scaffold also enables the operator to sign certificates using the rXg integrated certificate authority. This feature is typically used in conjunction with the IPsec concatenator to issue client certificates for IPsec host-to-site connectivity with the rXg. The rXg integrated certificate authority may also be employed as a powerful revenue generation tool. Operators with wireless distribution and access networks that have open connectivity at locations with high transient traffic are particularly suited to using the integrated rXg local certificate authority as a revenue generation mechanism.
In a typical usage scenario, one or more usage plans are created with misc. items specifying an additional charge for a secure connection. The captive portal is then configured to create a new certificate linked to a local certificate authority when these plans are purchased. In addition, the portal creates a new certificate signing request that is set to automatically sign chain with the local certificate authority. The portal would then present the certificate for the local CA, as well as the private key and signed certificate from the newly created certificate. Thus, an operator can generate significant additional revenue without any intervention once the configuration of the rXg and portal is established.
To setup a local certificate authority and begin signing certificates , use the following procedure:
- Click on the create new action on the Certificate Authorities scaffold. A drop-down dialog will appear.
- Give the new CA a name. Use a name that reflects the purpose of the CA, for example "CA for VPN."
- Fill out the C, ST, L, O, OU, CN, and email fields appropriately. The information listed here should reflect your actual organization. The information in the fields is meant to allow the recipient of the certificate a method to contact the owner and confirm validity of the key.
- Click the create button. You now have a local CA that may be used to sign certificates.
- Click on the create new action on the Certificate Key Chains scaffold. A drop-down dialog will appear.
- Enter a name for the new key chain. A good choice for the name of the new key chain is the name of the device for which it will be issued (e.g., "VPN srv CKC", "VPN client CKC 1", etc.)
- Select the CA that we just created in the previous step, which is "CA for VPN" if you followed our example.
- The rXg automatically populates the server field.
- Leave the intermediate and certificate fields blank.
- Click the create button.
- Repeat the steps above. At least two key chains (one for the rXg and one for the client) are needed to support most applications such as the IPsec VPN.
- Click on the create new action on the Certificate Signing Requests scaffold. A drop-down dialog will appear.
- Give the new CSR a name.
- Choose from one of the certificate key chains that were created in the previous step ("VPN src CKC" and "VPN client CKC 1" if you followed our example).
- Completely fill out the form.
- Choose the appropriate option to generate a CSR and sign with linked local Certificate Authority. The CA that was generated in the first step and linked in the second step will be used to sign the certificate.
- Click the create button.
- Repeat the steps above. At least two key chains (one for the rXg and one for the client) are needed to support most applications such as the IPsec VPN.
- Export all of certificates that we have just created along with the private key for the client so that they may be loaded into the client software. Specifically, you need to copy and paste the following items into files that must be copied onto the client:
- The certificate field from "CA for VPN"
- The certificate field from "VPN src CKC"
- The certificate field from "VPN client CKC 1"
- The server field from "VPN client CKC 1"
The procedure for installation of certificates and private keys onto the client device is highly dependent upon the client device software. The vast majority of client software will have a certificate manager with specific keystores for CA certificates, regular certificates and private keys. For example:
In the client software shown above, the operator must combine the contents of the certificate and server fields from "VPN client CKC 1" into a single file before importing with the "PEM/DER encoded certificate with private key" option. This may be accomplished by copying and pasting both sets of data into a text editor and saving the file. The "VPN srv CKC" certificate must be imported using the "PEM/DER encoded certificate without private key" option. The "VPN CA" certificate must be imported with the "PEM/DER encoded CA certificate" option.
The rXg integrated certificate authority may be used to support an unlimited number of clients. The same procedure as described above (omitting step #1) is used to create certificates and keys for additional clients. Once the certificate authority is set up, automating the creation of certificates for clients is very easy. For example:
ca = CertificateAuthority.find_by_name('VPN CA')
ckc = SslKeyChain.new
ckc.certificate_authority = ca
cc.save!
csr = CertificateSigningRequests.new
csr.SslKeyChain = ckc
csr.country = 'US'
csr.state = 'NV'
csr.locale = 'Reno'
csr.organization_name = 'RG Nets'
csr.common_name = 'vpn.rgnets.com'
csr.email_address = '[email protected]'
csr.sign_mode = 'ca'
csr.save!
If the code above were to be included in a customized portal, the country, state, locale, organization, etc., should be changed to reflect the operator. The certificates that the end-user would need to install may be presented in a portal view using the Ruby code shown below: Server Certificate <%= SslKeyChain.find_by_name('VPN srv CKC').certificate %>
CA Certificate <%= ca.certificate %>
Client Certificate <%= ckc.certificate %>
Client Private Key <%= ckc.server_key %>
Integrating and fully automating the generation of client certificates is a simple way to provide an IPsec VPN premium service offering. The IPsec VPN offering may be marketed as a wireless security mechanism, a remote access mechanism, or both at the same time. See the IPsec documentation for more details.
Active Certificate
The Active Certificate dialog at the top of the Certificate view presents a scrollable view port that contains the certificate currently in use. The details of the certificate are presented in text format. The certificate itself, in PEM format, can be found by scrolling to the bottom of the view port.
Certificates
The Certificate Key Chains scaffold enables the operator to manage the public and private keys used to ensure privacy and integrity of communication between the administrator and the operator.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
If no keychain is set active, the rXg uses a self-signed keychain for bootstrap purposes. The bootstrap keychain is completely unsuitable for production environments. The captive portal will behave erratically when used with the self-signed bootstrap keychain. Replace the bootstrap keychain with one that has a certificate signed by a reputable trusted third-party signer immediately.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The server key algorithm dictates what algorithm is used for the private key of the certificate. When creating a certificate for the purpose of OpenRoaming RadSec, the key algorithm must be secp384r1
The certificate authority field associates this record with a local certificate authority. This field is optional and should be left blank if a trusted third-party will be used to sign this certificate. When this field is set, the linked certificate authority will be used to sign the certificate chain if a certificate signing request is created with a request for a local signature.
The server field contains the private key part of the keychain. In most cases a new keychain is created when the operator expects the rXg to generate the key. In this case, please leave this field blank when creating a new keychain to have the rXg automatically generate a private key. When installing a chain that was generated and/or signed elsewhere, this field must be populated with the server private key in PEM format.
The intermediate field contains the certificate(s) issued to the trusted third-party signer by a trusted root certificate authority. In most cases, this field must be populated with an intermediate certificate that can be downloaded from the website of the trusted third-party signer.
The certificate field contains the certificate issued to the domain administrator by the trusted third-party signer. This field must be populated with a signed certificate before the certificate chain may be made active. If the operator generates a CSR with a local certificate authority signature, this field will be populated with the signed certificate automatically.
Certificate Signing Requests
The Certificate Signing Requests scaffold enables the administrator to generate X.509 public key signing requests for submission to trusted third-party signers.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The certificate field chooses a key pair for which to generate the certificate signing request.
The certificate identification fields are used to identify and describe the organization making the certificate signing request. It is extremely important to be very careful when entering the data in the following fields. If a trusted third-party signer is used to sign a certificate, it may choose to validate each of the fields with arbitrarily high precision. If a local CA is being created, the end-users who will load the CA cert may choose to verify the trustworthiness of the CA based on the data in these fields.
The country code field is the ISO 3166-1-alpha-2 country code of the requesting organization.
The state field is the state or province of the requesting organization.
The locality field is the city or town of the requesting organization.
The organization field is the company name of the requesting organization.
The organizational unit field is the section or division of the requesting organization.
The common name field is the fully qualified domain name of the rXg. This field must match what is set in the active device option.
The email address field is a contact email address for the requesting organization.
When creating a RadSec certificate for the purpose of WBA OpenRoaming, there are a few considerations that must be met:
- The certificate's Server key algorithm must be secp384r1
- The key usage must be set to client+server.
- The Organizational Unit (OU) must be set to WBA:WRIX End-Entity
- The UID should be set to the WBA member ID, e.g. MYCORP:US
- The Policy identifier must be 1.3.6.1.4.1.14122.1.1.7
The sign mode field specifies how the operator intends to execute the signing for the CSR that is to be generated. The operator may choose to simply generate the certificate without any local signing. This is the option that should be used when the certificate will be signed by a trusted third-party. The operator may also choose to sign with a local certificate authority. This option is only valid if the certificate chain is associated with a local certificate authority. Finally, the operator may choose to self-sign the CSR. This option is for testing and demonstration purposes only and should never be used in a production environment.
The certbot credential is a necessary association if, and only if, a sign mode has been selected that requires a certbot credential.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Certificate Authorities
The Certificate Authorities scaffold enables the operator to create and manage local CAs that are used to sign certificate chains. The certificates that are signed by local certificate authorities take part in a chain of trust that begins with the CA certificate.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The certificate identification fields are used to identify and describe the organization making the certificate signing request. It is extremely important to be very careful when entering the data in the following fields. If a trusted third-party signer is used to sign a certificate, it may choose to validate each of the fields with arbitrarily high precision. If a local CA is being created, the end-users who will load the CA cert may choose to verify the trustworthiness of the CA based on the data in these fields.
The country code field is the ISO 3166-1-alpha-2 country code of the requesting organization.
The state field is the state or province of the requesting organization.
The locality field is the city or town of the requesting organization.
The organization field is the company name of the requesting organization.
The organizational unit field is the section or division of the requesting organization.
The common name field is the fully qualified domain name of the rXg. This field must match what is set in the active device option.
The email address field is a contact email address for the requesting organization.
The days field specifies the number of days that a signature for a certificate will be valid for. An expired certificate must be resigned before it can be used.
The CA keypair are automatically generated when the operator creates a new record in this scaffold. The certificate and private key fields contain the two halves of the keychain and may be accessed via the show option once a record is created. The certificate is what needs to be distributed to clients that wish to verify the trustworthiness of certificates signed by this certificate authority. The private key should never be copied out of the rXg except for backup purposes or if the CA keychain is to be used on a third-party CA for signing certificates.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
EST Certificate Servers
Enrollment over Secure Transport (EST) is a certificate management protocol for PKI clients needing to acquire client and associated CA certificates. The EST Certificate Servers scaffold enables the operator to create and manage EST servers that are used to retrieve signed certificate chains and CAs.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The host field specifies the FQDN or IP address of the EST server.
The port field specifies the remote TCP port the EST server is listening on for incoming connections.
The certificate authority allows the operator to select which imported CA will be used as the explicit trust anchor.
The label field is optional and denotes the EST partition to interact with.
The client certificate drop-down can be used to select a certificate used for authentication against the EST server.
The username and password fields can be used for basic authentication against an EST server.
Certbot Credentials
The Certificate Credentials scaffold enables the administrator to define api_key/email/provider records for 3rd party ACME-enabled, and API Key-enabled Certificate Authorities.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Email field defines the username for the API Key.
The API Key field defines the API Key shared secret.
The Provider field defines which provider this credential is meant to be used with.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Let's Encrypt Examples
This example will show the creation process to setup and retrieve a certificate to be used for the FQDN using Let's Encrypt. NOTE: The use of Let's Encrypt requires the Let's Encrypt servers to reach out to the system via the FQDN to make sure the requester owns the domain, if an ACL is in place this can prevent Let's Encrypt from retrieving the required information. An ACL will also prevent the certificates from being automatically renewed.
First navigate to Systems::Certificates.
Create a new Certificate.
For Let's Encrypt the top section can be ignored (shown below).
The Certificate signing request section needs to be completed. Give the record a name, this can be the FQDN but does not need to be. Leave the Usage field set to server. Change the Sign mode field to Generate CSR and obtain certificate from Let's Encrypt. Enter the FQDN into the Common Name (CN) field. Enter the 2 letter country code into the*Country Code (C)* field. Enter the state into the State (ST) field, this should be spelled out and not the 2 letter abbreviation. Enter the city into the Locality (L) field. The Orgainization (O) field is optional, along with the Organizational Unit (OU)field. Enter a valid email address into the Email address field, this should be an email specifcally for this and not a personal email address. Click Create , this will start the certificate retrieval process.
It will take a minute or two to retrieve the certificate, one retrieved it will display the following. If for some reason the certificate cannot be retrieved a health notice will be generated with information regarding why it failed, this is usually because the system cannot be reached, either because the FQDN does not resolve to the primary IP address of the system, or an ACL is in place.
The final step is to edit the record, check the active box and click Update. This makes the certificate active and now when you use the FQDN name to access the system it will be secure.
Let's Encrypt Certificates for Virtual HTTP Hosts
Generating a Let's Encrypt Certificate for use with HTTP Virtual Hosts follows the above example with the exception that the Active box is not checked after retrieving the certificate. The FQDN being used to access the HTTP Virtual Host must resolve to the primary IP address of the system.
Next the HTTP Virtual Host must be created by navigating to System::Portals.
Create a new HTTP Virtual Hosts.
Give the record a Name , this is arbitrary and does not affect how the HTTP Virtual Host performs. Enter the FQDN used in the certificate in the previous step in the Hostname for remote access. The Target server IP field is the private IP address of the device to be accessed via the FQDN. Enter the port the device is listening on in the Target listening port field. If the device is listening for HTTPS connections check the HTTPS box. Select the certificate created in the previous step in the Certificate field. Click Create.
Now the device can be accessed via the FQDN we configured in the virtual host. This allows the operator to access devices behind the rXg over a secure connection even if the device itself is not HTTPS. To access the device enter https://esxi.neurotic.ninja into the browser.
Cluster
The rXg clustering solution simplifies and unifies the management of large scale rXg deployments.
An rXg cluster controller centralizes the configuration, instrumentation, and all operationally relevant persistent storage of a cluster of rXg devices. Synchronized, parallel, highly available, and cost-effective operation of an rXg cluster is easily achieved, enabling clear communication, authoritative control, and complete cognizance over a diverse RGN end-user population.
Load Balancing, Scaling and Failover
In a typical clustered rXg deployment, the distribution network is divided into parallel segments that are configured to be independent collision domains for the purposes of load balancing. Each rXg cluster node is then assigned one or more LAN segments to manage. A single, unified identity management and policy enforcement configuration is then applied to the entire cluster. This enables a cluster of rXg devices to support networks of virtually unlimited scale.
An rXg cluster automatically provides a failover configuration. In the event of a node failure, L2s and L3s of the failed node are automatically moved to operational nodes. End-users experience no downtime, and the process requires no operator intervention.
Topology
The approved cluster deployment topology is creating a private network solely for the purpose of cluster internal communications. It is highly recommended that the physical layer of the cluster internal communications network be gigabit Ethernet. Cluster nodes must use a native port to communicate directly with the controller (not a VLAN trunk port). The cluster intercommunication network (CIN) may be provisioned via a VLAN switch if and only if the cluster nodes are connected via untagged ports. In general, an Ethernet interface that is associated with an uplink on the node or controller should never be used for the CIN. In theory, the cluster may be connected over the public Internet, however this configuration is not officially supported.
The segmentation of the distribution LAN is usually accomplished via a VLAN switch. The segment assigned to the rXg cluster nodes is usually accomplished via VLAN trunk ports in order to ease management. There is no fundamental issue with using native ports to achieve the same goal, though naturally the management of the additional physical cabling may be more cumbersome.
Configuration
By default, the rXg stores its configuration database locally on the same hardware that executes the administrative console, portal web application, and enforcement engine. The rXg can be configured as part of a cluster using the Cluster Node Bootstrap scaffold of the Cluster view.
When operating as a node of a cluster , the rXg shares a remote database with all of its peers. By sharing a single database between all nodes, the operator uses a single, unified console to configure settings that are global to the cluster (e.g., end-user identity management, policy enforcement, etc.) as well as unique to the individual node (e.g., networking, SSL certificates, etc.). In addition, instrumentation and logging from all nodes in the cluster is centrally stored in the same shared database that resides on the cluster controller. This enables the operator to obtain complete cognizance over any end-user that is on any node of the cluster through the cluster controller administrative console.
To enable an rXg as a cluster controller, the operator creates an entry in the Cluster Nodes scaffold. The first entry will always be for the master controller. Subsequent entries will be made for standby controllers , nodes , and witnesses. The operator will need to provide the IUI, IP address, and HA Role for each subsequent system.
Each cluster should only contain one master controller entry which will contain the read-write copy of the database.
Standby controllers can be defined to receive read-only copies of the database and have the ability to promote to master controller in the event of a failure.
Nodes contain no copy of the database and participate in the cluster by managing individual LAN segments.
A witness does not contain a local copy of the database or manage any LAN segments. The function of a witness is to maintain quorum in the event of a failure.
A cluster controller presents a Cluster Nodes scaffold on the Cluster view that configures the member nodes that are attached to the cluster controller. The operator must create a record for each and every cluster node that is to take part in a cluster managed by the cluster controller. Each record contains the credentials that authorize the cluster node to share the cluster controller database.
Deployment Procedure
A successful cluster deployment begins with a proper plan and documentation of the cluster topology. At very least, a network diagram must be created that has all relevant IP addresses labelled. Every cluster node must have at least three connections (LAN, WAN, CIN). The cluster controller must be connected to the CIN. The LAN and WAN connections are optional on the cluster controller , though recommended to ease remote and local access to the management console as well as enable ping targets for multiple uplink control.
- Install the rXg cluster controller(s), and all rXg cluster node hardware according to RG Nets guidelines.
- Power on the devices and connect to the administrative console of each device.
- Use the WAN IP address to connect to the administrative console as all units will have the same default LAN IP address at this time. If necessary, connect a serial terminal or VGA monitor to the rXg and hit CTRL-D to see what WAN IP address the rXg has acquired.
Create at least one administrator and install a valid license on the master controller.
On the master controller , bring up the LAN view and create an Ethernet interface along with an associated network address. This will define the CIN and allow all nodes to communicate with one another once configured.
Bring up two web browsers side-by-side. In one browser, open the administrative console of the cluster controller and navigate to the cluster view. You should see the Cluster Nodes scaffold with a single entry (the cluster controller ). In the second browser, bring up the administrative console of a cluster node (still in default state) and you should see the Cluster Node Bootstrap scaffold. The master database should be currently set to local master.
Create a new Cluster Node scaffold entry on the master controller by copying the IUI of the second system and defining the IP Address. Use the dual browser setup to repeat the process outlined here for each node that will take part in this cluster.
A new record in the Cluster Nodes scaffold must be created for every rXg device that will participate in this cluster.
- Copy the IUI from the browser displaying the cluster node console and paste it into the appropriate field displayed in the cluster node record creation form.
- Enter the CIN IP address that will be configured on this node into the IP field.
Choose the appropriate mode for the rXg device. Use the dual browser setup to repeat the process outlined here for each node that will take part in this cluster.
Click the edit link next to the record in the Cluster Node Bootstrap scaffold in the administrative console of the node. Enter the CIN IP address of the cluster controller in the Controller IP field. The settings for the username and password fields are displayed in the list view of the Cluster Nodes scaffold on the administrative console of the master controller. Copy and paste those values into the appropriate fields.
Choose the CIN port for the interface setting and enter the CIN IP address in CIDR notation for the cluster node into the local IP address fields. Click update to save the settings.
When the cluster node connects to the remote database on the cluster controller for the first time, a cluster node initialization process is automatically executed. First, the cluster controller incorporates the MAC addresses and media-types available to the cluster node into the set of all available Ethernet ports. Then, records for the CIN Ethernet interface and address are added to the cluster configuration and marked for application to the particular cluster node that is being initialized. In addition, a default device option for the new cluster node is created.
When all cluster nodes have been initialized, the deployment of the cluster is complete. The operator can input licensing for each node in the License Keys scaffold in the Cluster view. The cluster may now be configured with settings in a similar manner as a standalone rXg, by using the master controller administrative console.
Symmetric Cluster
In a symmetric cluster a node can operate as both the data plane and control plane. Because each node requires large, high endurance SSDs as well as enough CPU and RAM to operate as both the control plane and data plane, symmetric clustering is recommended for smaller deployments.
Asymmetric Cluster
An asymmetric cluster separates the control plane from the data plane. This enables the operator to scale requirements for nodes individually. Only nodes allocated as controllers need large high endurance SSDs, more CPU, and RAM. Data plane nodes require minimal SSD, CPU, and RAM to manage their individual LAN Segments.
All transit networking features are executed on the cluster nodes. The controller does not forward packets nor does it run any proxies for web experience manipulation. All billing, user management, and instrument collection features are executed on the cluster controller. Cluster nodes do not run recurring billing, system status, or traffic rate collection tasks.
Implementation Details
The gateway setting in the Database Storage scaffold of cluster nodes should not be configured unless absolutely necessary. Setting this implies that the cluster node will connect to the cluster controller via an uplink interface and is not officially supported.
All CIN traffic is passed through the rXg policy enforcement engine unfettered. No packet filter states are created and traffic is not queued. Ensure proper cluster operation by making sure that the CIN is properly deployed using high performance gigabit Ethernet equipment and high-quality cables.
A valid license must be present in the license view of the cluster controller for every node associated with the cluster.
Device and network configurations are associated with a particular node while almost every other kind of configuration is global. If a scaffold does not have a field that associates a node with the record, the record will apply globally to the entire cluster. When the scaffold has an active setting, only one record per cluster node may be made active. The records that are not active are shared by the cluster.
When configuring Ethernet interfaces , one port will be available for each physical port in the cluster. Since all networking configuration (e.g., addresses , uplinks , VLANs , binats and even all the DHCP server settings) are ultimately linked to an Ethernet interface , the port field determines which node the configuration applies to.
A single uplink control record may contain uplinks that span several nodes of the cluster. However, on each node, only the relevant uplinks are used to determine the weighted connection pools.
Ping targets may be configured as node-specific (associated with a cluster node record). Ping targets that are node-specific are pinged and status-updated by their associated node only.
Ping targets that have no cluster_node association are global to the cluster. Global ping targets are status-updated by only the cluster controller. However, global ping targets may and should be used to instrument the condition of multiple uplinks configured throughout devices in the cluster. In this case, all nodes having an uplink associated with the global ping targets ping the target through the respective uplink(s), but only the online state of the uplink record is changed, not the state of the global ping target itself, except by the controller. Creating a ping target with an uplink(s) association automatically clears any cluster node associated with it.
System graphs must be cluster node specific and represent data for only that node or the cluster controller.
Network graphs are global. Graphs of IPs , MACs , login sessions , bandwidth queues , and policies represent cluster-wide data. For example, traffic rate stats for the same IP that may somehow be behind two different nodes is accumulated at the controller and collated into a single database entry for that IP. Similarly, traffic rates statistics for a single bandwidth queue or policy are collected from all nodes, summed at the controller, and written to a single database entry. Cluster node specific items defined by the records that are directly or indirectly associated with an Ethernet interface record are stored in node specific records.
Cluster Node Bootstrap
The Cluster Node Bootstrap scaffold configures the mechanism by which this rXg will join a cluster.
The controller IP field specifies the IP address of the rXg cluster controller.
The username and password fields are the credentials assigned to this node by the cluster controller. Obtain the values for these fields by entering the IUI for this node into the Cluster Nodes scaffold of the Cluster view on the console of the cluster controller.
The interface field configures the Ethernet interface that will be used by this cluster node to communicate with the cluster controller. An Ethernet interface must be dedicated for the sole purpose of cluster communications.
The local bootstrap configuration options ( local IP address and gateway ) are used as the bootstrap configuration of the rXg when operated in cluster mode. This is needed to enable the cluster node to communicate with the cluster controller and retrieve the complete rXg configuration from the controller.
Cluster Nodes
Cluster nodes define the members of an rXg cluster.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The auto registration box enables automatic registration of cluster nodes. Allows for automatic cluster configuration.
The permit new nodes box allows new nodes that have never been a member of the cluster to join the cluster.
The auto approve new nodes box allows new nodes to be automatically approved without operator intervention.
The pending auto registration box, if checked, will mark the node as pending auto registration. When the node connects to the master controller for the first time it will automatically become a member of the cluster.
The mode dropdown indicates the type of node defined by this record. Only one node may be defined as the master controller for each cluster.
The IUI is the installation unique identifier for the node that is defined by this record. The installation unique identifier for an rXg may be found by visiting the license view of the system menu.
The IP is the IP address that will be used by the cluster node for communicating with the cluster controller. This will also be the bootstrap IP address that is configured in the Database Storage scaffold of the Cluster view on the cluster node.
The priority field indicates the priority of an individual node. A higher precedence node takes over for lower precedence gimps within the same team.
The networking HA enabled field defines the HA behavior of this node in the cluster; if checked this node will take over networking for a failed node, if unchecked the node will not.
The networking HA backoff (seconds) field specifies the amount of time a node will try to reach the controller before moving on to the next controller. Default value is 300 seconds.
The networking HA timeout (seconds) field specifies the amount of time that must elapse before a node is considered offline, and another node will take over the networking configured on the failed node. Default value is 300 seconds.
The username and password fields are the credentials assigned to this node by the cluster controller. Enter these into the cluster view of the appropriate cluster node to enable access.
Example Cluster Setup: 2 CC's, 2 GW's
For this example, there will be 4 machines: 2 CC's and 2 GW's. For different cluster layouts there may be more CC's or GW's. The example below will provide details on adding each type. The first step will be to install the rXg software on all 4 machines. Once this is done, two browser windows should be opened: one for the primary CC, and the 2nd for all additional nodes (this includes any CC's or GW's that will be added).
Create a new administrator on the Master Controller , by clicking "Create New" on the Administrators scaffold. Each admin account should be unique for every operator.
At a minimum a Login and Password are required. Click create.
Next edit the License Keys scaffold.
Paste in the license key and click update. This will restart the webserver.
Next the CIN (Cluster Interconnect Network) will be created. Navigate to Network::LAN , and create a new network address.
Name: cc1 CIN Address. Set the interface , and specify the IP address in CIDR notation. Leave both autoincrement and span values at 1. Do not check create DHCP pool. Click create.
Turn rXg into Master Controller by navigating to System::Cluster. Create a new cluster node by clicking create new on the Cluster Node scaffold.
Uncheck networking HA enabled this will ensure that the CC doesn't take over the networking for the other nodes before they are integrated into the cluster. Verify that the default information is correct and click create.
Create a new cluster node record for each CC and GW that will be added to the cluster. The easiest way to do this is to have 2 browser windows open, one with the Master Controller admin GUI loaded, and the other with the admin GUI with a tab for each CC and GW. Click create new on the Cluster Nodes scaffold.
Verify the name and mode is correct. Copy the IUI from the secondary controller into the IUI field on the Master Controller , verify that the mode , IP , and priority are configured as desired. Uncheck the networking HA enabled box. Click create.
Next repeat for the 2 GW nodes. Click create new on the Cluster Nodes scaffold, copy the IUI from the first GW node into the IUI field. Verify that the mode , IP , and priority are configured as desired. Uncheck the networking HA enabled box. Click create.
Repeat for GW 2. Verify that the mode , IP , and priority are configured as desired. Uncheck the networking HA enabled box. Click create.
All the CC's and GW's now have cluster node records on the Master Controller.
Next, we will integrate the secondary CC and GW's into the cluster using the Cluster Node Bootstrap scaffold. On the secondary cc admin GUI in the second browser edit the cluster node bootstrap record.
Copy controller IP , username , password from the Master Controller's Cluster Nodes scaffold to the secondary controller. Set the interface , and the local IP address in CIDR notation. Click update.
Repeat the process for GW 1 and GW 2 nodes.
Next add the license for each node. On the Master Controller edit the license key entry for cc2 paste the license in. Repeat for each node.
After the licenses have been installed on the remaining nodes the cluster configuration is complete. The operator will now use the Master Controller to continue configuring the system. The System::Cluster page will now show Replication and HA status as green.
Example Cluster Setup: Using Autoconfiguration 2 CC's
For this example, we will use auto configuration to configure a cluster consisting of 2 CC's. Unlike the previous example, we will use the auto configuration option instead of manually creating the cluster. After installing the rXg software on each machine, open a separate browser tab for each machine in the cluster.
Create a new administrator on the Master Controller , by clicking "create new" on the Administrators scaffold. Each admin account should be unique for every operator.
At a minimum a login and password are required. Click create.
Next, edit the License Keys scaffold.
Paste in the license key and click update , this will restart the webserver. Note: if an asset exists in the licensing portal with the IUI of the node, the node will automatically retrieve its license.
Next the CIN (Cluster Interconnect Network) will be created. Navigate to Network::LAN, and create a new network address.
Name : cc1 CIN Address. Set the interface , and specify the IP address in CIDR notation. Leave both autoincrement and span values at 1. Do not check create DHCP pool. Click create.
Turn the rXg into a Master Controller by navigating to System::Cluster. Create a new cluster node by clicking create new on the Cluster Node scaffold.
Verify that the default information is correct. Check the auto registration box, this will allow the automatic registration of cluster nodes. Once that is done, it will open up the permit new nodes option, check this as well. This will allow new nodes to join the cluster so they can auto-register.
Now the auto approve new nodes option will become available. Check this box. By checking this box, the operator of the rXg will not need to approve new nodes that join the cluster. Checking all the boxes makes it so new nodes will not only auto join the cluster but will also be approved without any intervention. If you wish to disallow the auto-approval process, then the opererator will need to approve each node before it will become part of the cluster.
For this example, we are checking all the options so that the process is as automatic as possible. Click create.
Now go to the tab that was opened with the secondary CC's admin GUI. Do not create an admin or apply a license at this time. Scroll down to the bottom of the page and edit the cluster node bootstrap record.
Under the Auto Registration section check the auto registration box, which will enable the node automatically register to the Master Controller. This will unlock the create CIN option and the join as new option. Create CIN will create the cluster interconnect network on the node using the data provided on the form. Check the create CIN box.
The join as new box should be checked if this node has never been a member of this cluster before (such as having a node fail and re-adding it to the cluster after repair - it would not be a new node in this case), check this box. This will allow the operator to select the join role for this node. In this case, it should be set to*standby controller (HA)*.
Enter the controller's IP address in the controller IP field. Set the interface that will be used to connect to the CIN network in the interface field. Set the CIN IP of this node in the local IP address field. The gateway field does not need to be set because the node belongs to the same network as the Master Controller. Click update.
The cluster node bootstrap record will now show that it is awaiting auto-registration.
On the Master Controller navigate to System::Cluster. Both nodes should not be listed in the Cluster Nodes scaffold.
Note that their status may be unlicensed; the licenses can be added via the License Key scaffold below. Edit the record for CC2 and paste in the license. In this case, the nodes have pulled their licenses automatically.
Now that the licenses have been added, it is a fully functional cluster that created itself without the operator needing to copy and paste information between the Master Controller and nodes.
How to change which Cluster Controller is the Master Controller
Turn off network HA on the nodes, leave the Master Controller for last.
Make sure the priority of the standby you want to become the new master is higher than all other standby controllers. Typically, the standby controllers will be a priority of 7 by default. Set the standby that you want to be master to 9.
SSH into the current master. Stop rxgd and kill postgres (you will need to become root for this). Running ' kr' will stop rxgd and then running ' killall postgres' will stop postgres. Once this is done, the highest priority standby will take over as master. You can reduce the HA timeout to make this faster (default is 5 minutes).
Open GUI on the new master. Edit the cluster node record for the current master node and set to standby.
SSH into the node that will be the new master. Run ' console' to access the rails console. Find the BootstrapOption record for the NEW master and set the host , username , and password fields to nil. In this case, the record that will be edited is the last record, since there is only CC1 and CC 2. The record can be found by running ' BootstrapOption.last'.
Edit cluster node record in GUI for new master and set to master.
Edit the bootstrap option record in GUI for old master and set it as if it is a new node.
SSH to OLD master and edit the bootstrap.yml located at /space/rxg/bootstrap.yml. Change the order under _controllers so that the NEW master is on top of the list followed by any other standbys. Repeat for bootstrap_live.yml. After editing the 2 files on the OLD master run ' rr' to restart rxgd. If you changed the controller HA timeout , be sure to set it back. Finally, edit the cluster node records and re-enable network HA starting , doing the master CC last.
Note: Doing this will not copy over graphing information so it will be lost.
Node Integration After Failure
With HA 3.0 , the process to get a failed node back into the cluster is straight forward. For example, if a node loses a power supply, once it's replaced and the node is turned back on, the node will automatically join the cluster and take over networks configured on it (if another node took over for it).
If the node is replaced with new hardware, meaning the IUI has changed, the cluster node record for the downed node can be edited. Once the IUI is replaced with the new node's IUI , the username and password for the new node will be generated. These can then be entered into the bootstrap and the node will integrate into the cluster and replace the failed node.
Fleet
The Fleet view allows the operator to configure the rXg to be used as a fleet manager or to join a node to an existing fleet manager.
The Fleet Nodes scaffold allows the operator to turn the rXg into a fleet manager and to add nodes to be managed.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The this checkbox indicates that this fleet node record refers to this system.
The manager field, if checked, indicates that this node is the fleet manager.
The host field is used to enter the FQDN or IP address of the Node.
The key will contain the key to be used to authenticate with the fleet manager , or if on a fleet node, it will be a record of the key generated for the node by the fleet manager.
The ignore SSL cert errors field, if checked, will allow the fleet manager to ignore any certificate errors when communicating with the nodes. Note: this is not recommended.
The stat reporting interval field is the interval in seconds that the node will report its stats. When set on the fleet manager node, this value will set the default value, unless overridden on a node record. Default value is 10 seconds.
The fleet groups field allows the operator to set which fleet groups the node will belong to. It is possible for a node to belong to multiple groups.
The PMS properties field allows the operator to set which PMS properties the node belongs to (if configured).
The config templates field allows the operator to select which, if any, templates should be pushed to the node.
The software package field allows the operator to select an upgrade software package to push to the node.
The proxy hostname field is the hostname to use for proxying web and/or SSH traffic. When set on a fleet manager record, it enables cookie-based proxying via the operator portal. When set on a Fleet Node record, enables persistant anonymous Virtual Host behavior.
The certificate field sets the certificate to present for traffic destined to the proxy hostname.
The operator can use the Fleet Groups scaffold to create groups, which can then be used to control who can access those groups by specific admin or administrative roles.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The fleet nodes field allows the operator to specify which nodes belong to the fleet group.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The admins field allows the operator to specify which admins will have explicit access to the nodes in this group, in addition to the admin roles.
The admin roles field allows the operator to select the admin roles that have access to the nodes in this group.
The config templates field allows the operator to push selected config templates to the nodes that are members of this group.
The Software Packages scaffold allows the operator to upload software packages that can then be pushed to fleet nodes for upgrades.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The file field allows the operator to upload an upgrade package to the fleet manager.
The remote URL field allows the operator to specify a URL to retrieve the package from (if not uploading via the file field).
The username field is used for HTTP authentication if required.
The password field is used for HTTP authentication if required.
The fleet nodes field allows the operator to specify which nodes the upgrade package should be pushed to. This is optional; the operator can use the Scheduled Upgrade scaffold to specify which nodes and when the upgrade should take place.
The Scheduled Upgrades scaffold allows the operator to schedule upgrades. Upgrades can be pushed out immediately or can be rolled out over several days, starting at a specific time of day.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The software package field allows the operator to specify which upgrade package is scheduled for install. By default, it will be set to use latest available for OS version. The operator can also specify any software package that has been uploaded using the Software Packages scaffold.
The start at field allows the operator to specify on what day and at what time the upgrade will begin.
The fleet node field is used to specify which node the upgrade will be pushed from.
The this system field specifies that the upgrade will also be pushed to the fleet manager.
The fleet nodes field allows the operator to select specific nodes that will be upgraded regardless of fleet group membership.
The fleet groups field allows the operator to select which fleet groups will be included in the upgrade. If a fleet group is selected, it will push the upgrade to all nodes that belong to that group.
The node CSV field allows the operator to upload a CSV file containing a single column with the names or host values of the fleet nodes to include in this job. This will overwrite any existing nodes that have been selected.
The minimum version field designates that the node must be running at least the specified version in order to upgrade.
If the no alpha builds box is checked, then nodes that are running an alpha build will not be upgraded.
The schedule mode field is by default set to immediate; if set to staggered , it allows the operator to set the number of days the upgrade will take place over and how many nodes should be upgraded per day. The number of days can be changed by deleting or adding a day.
The max concurrent upgrades field sets the maximum number of nodes that can be updated at a time.
The max failures field will pause the job when the specified number of nodes have failed.
The max failure % field will pause the job when the specified percentage of nodes have failed.
Example Fleet Manager Setup
For initial fleet setup, navigate to https://FQDN/admin/menu/fleet.
Create a new fleet node. Name is arbitrary.
This box should be checked if the record being created is for the node being created.
Manager should be checked if the node being created will be the fleet manager node.
Host is the FQDN or IP address of the node.
Fleet groups should be selected to allow the node to be seen by specific groups.
Proxy host can be set if required for proxying web and/or SSH traffic. Select certificate to present for traffic destined to the proxy hostname. Click create.
Fleet groups can be used to group nodes together. For example, nodes can be grouped by property owner. Name is arbitrary.
Fleet nodes is used to select the nodes that will belong to the group.
The admin field sets admins with explicit access to the nodes in this group. The admin roles field sets the admin roles that have access to the nodes in this group.
To add a node to the fleet manager navigate to System::Fleet on the fleet manager node.
Create a new fleet node record by clicking create new.
The name field is arbitrary. Leave both the this and manager boxes unchecked.
Enter the FQDN of the node in the HOST field. Select a group this node will belong to, if applicable. Copy the key in the key field. Click create.
Navigate to https://FQDN/admin/menu/fleet on the node being added to the fleet manager. Enter the FQDN of the fleet manager into the fleet manager host field, and copy the key into this node's key field and click join.
Example Fleet Templates
The operator can use the fleet manager to push config templates to the nodes connected to the fleet manager. This can be done on a per-node basis or to specific groups as defined by the fleet groups.
To push a config template to a node navigate to System::Backup on the fleet manager , and create a new config template.
In this example, a new usage plan will be pushed to nodes in the Lab02 group. The config template must be given a name.
The config to be pushed goes in the config field, or a .yml file containing the config can be added.
Lastly, we select Lab02 Group via the fleet group field. Optionally, the apply template box can be checked which will run the template after creation.
Below is an example showing that the config template was successfully applied to both fleet nodes in the group.
Below are two screenshots. The first is from Billing::Plans before the config template is applied, and the second shows the same scaffold after applying the config template.
Example Fleet Templates #2 - Speedtests
In this example, a template will be used to push speedtest config to all the nodes that the fleet manager controls. Navigate to System::Backup on the fleet manager , and create a new config template.
A speedtest will be configured on all fleet nodes which will then run a speedtest every 8 hours.
The config template must be given a name.
The config to be pushed goes in the config field, or a .yml file containing the config can be added.
Lastly, we want to select all nodes. Optionally, the apply template checkbox can be checked, which will run the template after creation. Click create.
Below is an example showing that the config template was successfully applied to all fleet nodes controlled by the fleet manager.
Below is a screenshot of the configuration of the speedtest pushed to all nodes.
Example Fleet Proxy Setup
Fleet proxy allows the operator to access nodes behind the fleet manager that may not be otherwise accessible due to ACL's in place. To setup the proxy feature we first need to create a certificate.
Navigate to System::Certificates and create a new certificate. Note: the domain name you are using for the certificate should resolve to the primary IP address of the fleet manager node.
Give the certificate a name , then scroll down to the certificate signing request section. Give that a name as well, leave usage set to server, and set the sign mode to generate CSR. Obtain certificate from Let's Encrypt.
Fill out the common name , country code , state , locality , and email address fields with the appropriate information (the other fields are optional). Click create. After a minute or so the new certificate will be retrieved.
Now that the certificate is created, navigate to System::Fleet and edit the fleet node record for the fleet manager.
In the proxy behavior section, set the proxy hostname field to match the FQDN of the certificate created earlier. Select the certificate that matches the FQDN. Click update.
Navigate to the fleet operator portal and there will now be the option to proxy to each node, even nodes that would not be accessible, like the nodes in this example with private IP addresses on the WAN (which is not an officially supported deployment).
Now the fleet manager can be used as a proxy to either access the Admin UI or SSH. To access a node, click on the proxy drop-down for that node and select either admin UI or SSH.
Once the proxy is established the operator will have access to the admin UI of the fleet node , the proxy connection can be ended by clicking end proxy at the top of the admin UI.
Example Fleet Upgrade Setup
To setup a fleet upgrade the operator must first upload the software package that will be used for the upgrade. To upload the software package , navigate to System::Fleet and create a new software package.
Give the software package a name and choose the file, or enter the remote URL and username and password. For this example, the package will be uploaded directly. Once the file is chosen, click create.
Next, create a new scheduled upgrade.
Give the schedule a name. Select the software package uploaded in the previous step. Select a start at date/time.
Next, select the fleet node or fleet groups that should be included in the upgrade. For this example, the scheduling rate will be left at immediate since we are only pushing the upgrade to single node. Click create.
The operator can use the Scheduled Upgrades scaffold to view the status of the upgrade.
Licenses
The Licenses view presents all information and controls necessary to review, obtain, and install a license key for the current rXg.
Detailed View
The licensing summary dialog displays the permitted values of all aspects of the installed license key alongside current utilization.
The accounts field describes the number of end-user accounts in the local database. This represents the total number of end-user accounts that are present in the persistent storage mechanism. The activity of the end-user accounts (or lack thereof) does not have any effect on this parameter.
The login session field describes the number of simultaneous end-users logged in via the captive portal. This includes end-users who have logged in via RADIUS , LDAP , tokens (including free access) as well as locally stored accounts.
The IP sessions field describes the number of simultaneous IP addresses that have traffic transiting the rXg. This parameter is fully inclusive of all sessions regardless of whether they originate from end-users who have logged into the portal or are authorized for access by other means (e.g., MAC groups that have portal disabled).
The MAC entries field describes the number of devices that are L2 connected to the rXg. This parameter is fully inclusive of all L2 devices regardless of whether they are generating traffic that transits the rXg.
The connection states field describes the total number of simultaneous TCP and UDP connections transiting the rXg. A state is a connection between an end-user on the LAN and a server on the WAN. For example, opening Microsoft Outlook to read email from a single email account will typically result in 2 states: one for downloading new emails and a second one to transmit unsent emails. Typical web surfing results in approximately 5 simultaneous states, most of which are TCP HTTP connections downloading web page assets such as images. Some programs such as peer-to-peer file sharing programs may create upwards of 50 or even 100 states. Malicious software such as worms attempting to spread through the Internet will often generate thousands of states.
The VLANs field describes the number of logical interfaces configured on the rXg. Each physical interface of the rXg can have many logical VLAN interfaces. This parameter represents the sum total of all logical VLAN interfaces on all physical interfaces present on this rXg.
The uplinks field describes the number of logical WAN uplinks configured on the rXg. This parameter enables rXg link control features. The rXg can aggregate, fail-over, diversify, and affine traffic among multiple uplinks when configured and licensed to do so.
The RADIUS realms field describes the number of RADIUS realms that are configured on the rXg. In a typical configuration, each realm represents a roaming partner or entity with whom the operator has an agreement to authenticate the partner's database of end-user accounts.
The RADIUS groups field describes the number of RADIUS groups that are configured on the rXg. Each RADIUS group is a pool of end-users who have been authorized by a server specified by one or more RADIUS realms.
The LDAP domains field describes the number of LDAP domains that are configured on the rXg. Each LDAP domain represents a separate administrative group of end-users that can be authenticated via the rXg captive portal via LDAP.
The LDAP groups field describes the number of LDAP groups that are configured on the rXg. Each LDAP group is a pool of end-users who have been authorized by a server specified by one or more LDAP domains.
The account groups field describes the number of account groups that are configured on the rXg. Account groups affect end-users who have logged in via the captive portal using credentials matching a locally stored account. Account groups are often employed to logically group end-users who have purchased different levels of service (e.g., standard versus premium). The rXg integrated billing system employs account groups as destinations for end-users when a purchase of a usage plan is made.
The IP groups field describes the number of IP groups that are configured on the rXg. IP groups are used to logically group operator specified CIDR blocks that should experience similar policy. In a typical deployment, IP groups are used to define the IP addresses that will experience forced browser redirect. Members of IP groups can be as small as a single IP address (/32) or as large as a class A (/8).
The MAC groups field describes the number of MAC groups that are configured on the rXg. MAC groups are used to logically group one or more MAC addresses for policy enforcement purposes. In a typical scenario, MAC groups are used for exceptions to policies enforced globally via IP groups or specifically via account groups. For example, a MAC group may contain the MAC addresses of the operator laptops to enable unfettered and priority access to network administrators.
Installation Unique Identifier
The installation unique identifier (IUI) is a string of characters that uniquely identifies a particular piece of rXg hardware.
The IUI must be supplied with all license requests. License keys are generated for a particular IUI and will not install nor work with an rXg that does not present a matching IUI. The IUI is hardware dependent and cannot be changed by the administrator of the system.
License Keys Scaffold
The License Key scaffold interprets and presents the several dates present in the license key as well as the lifetime of the currently installed license.
In addition, the License scaffold enables the operator to view the current key as well as install a new license key.
To install a new license key , click on the edit link and copy and paste the new key string into the text box provided. Be very careful and precise when copying and pasting. Leaving out a line or even a single character will result in the rXg rejecting the key.
Confirm that the rXg is connected to the WAN before installing a license for the first time. This is needed for time synchronization, which is a prerequisite to installing a license with temporal restrictions. Also, be sure to install the right license key as the keys are generated to match the IUI that is also presented on this view.
Options
The Options view enables the operator to configure global configuration options for the rXg.
The Options scaffolds are designed to easily store and swap between profiles. For example, one set of device options can be stored for each node in an rXg cluster using the Device Options scaffold. This allows a single configuration database to be shared across a cluster. To give the rXg the identity of a particular node, simply mark the appropriate profile as being active. The Network Options scaffold comes pre-populated with a series of packet option profiles for different kinds of networks. If the complexion of the network changes, simply mark the appropriate profile active and the rXg will be reconfigured.
Device Options
The Device Options scaffold enables configuration of global settings governing various core services of the rXg.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The FQDN setting is the fully qualified domain name that is used to identify this rXg. This will be the domain name that users will be redirected to if using a local splash portal. Your upstream DNS servers and DNS glue records must be configured to resolve the specified DNS name into an IP address configured on the rXg.
The time zone setting configures the GMT offset for the rXg. It is critically important to make sure that this is set correctly to ensure proper billing functionality.
The NTP server field specifies the network time synchronization server. Change this to your internal network time servers for increased time synchronization reliability. If you do not have an internal network time server, choose from one of manypublic NTP servers or use the publicNTP pool.
The SMTP section is used to configure the outbound SMTP server. These settings are used for the email notification and mass email campaign subsystems.
The server address and server port settings enable configuration of an upstream proxy email server. By default, emails are queued to an email MTA locally on the rXg which then delivers directly to the recipients. Setting an SMTP server causes the rXg, to deliver all emails through the specified host.
The username and password fields are the credentials used for the email relay server specified by the server address and server password settings. Leave these fields blank if the email relay server does not require authentication credentials.
The log rotate hour field configures the hour during which the rXg rotates its system log files, restarts critical services, and performs nightly database maintenance. This should be set to the time of least end-user activity, likely in the middle of the night. A time of 4AM is not supported because it conflicts with the Daylight Savings Time (DST) shift.
The start limiting at field is the minimum amount of unauthenticated ssh connections necessary to begin dropping new connections at the percentage defined in the drop rate (%) field. Must be set if drop rate (%) is set. The drop rate (%) field is the rate which new unauthenticated ssh connections will be dropped once the start limiting at number of unauthenticated connections is reached. This will scale linearly up to 100% once the block all at number of connections is reached. Must be set if start limiting at is set. The block all at field is the maximum number of unauthenticated ssh sessions that will be allowed.
DKIM Domains
An entry in the DKIM Domains scaffold enables DKIM message signing of outbound email for the domain specified in the record. DKIM message signing is a technique that allows a sending mail server to prove that it is authorized to send email for that domain.
When enabling DKIM signing, a cryptographic keypair is generated, which will be used to sign the outgoing email. A DNS record must be defined in the public DNS records of the desired domain, which specifies the public key of the generated keypair.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The domain field specifies the domain for which DKIM signing should be enabled. By default, the rXg will use the FQDN of the system to send outbound emails, unless a different "from" address is specified in the Custom Message being sent. If a different domain is used in the Custom Message, then a DKIM Domain should be created for that domain in order to sign outbound email.
The selector field specifies the unique selector that identifies _this_system's public key, since there could potentially be many servers sending email for the same domain. The selector must be the same across all domains that are enabled for a single system. In a cluster, each node could use its own selector, although it is not a requirement. A different DNS TXT record will need to be created for each domain/selector combination.
After creating a DKIM Domain, refreshing the scaffold should show the DNS record name that must be created in the public DNS records, and a button allows the operator to copy the contents that should go into the data field of the DNS record. If the DNS record is not created, servers that receive email that has been signed by this server will not be able to validate the DKIM signature, and may reject the email.
Network Options
The Network Options scaffold enables configuration of global settings that govern the rXg packet manipulation engine.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The state timeout field governs the expiration of UDP / TCP connection states. The normal setting is the default recommended selection for most applications. The high-latency setting increases the time before expiration occurs and is recommended for satellite uplinks. The aggressive setting reduces expiration timeouts and should be used for highly reliable uplinks, such as a leased-line (e.g., T-1) and situations where a large number of connections are constantly being created and destroyed. The conservative setting changes the expiration policy so that the system goes to great lengths to preserve states even when they are idle despite a much higher memory utilization.
The MAC <=> IP setting affects how the rXg translates a MAC address into an IP address , and vice versa. A value of dhcp,arp configures the rXg to utilize the DHCP leases table and ARP table cooperatively, where the MAC sent by an IP's DHCP client is favored over the MAC determined by the ARP protocol for a given IP address. The arp,dhcp value means the ARP table takes precedence over active DHCP leases. The dhcp and arp values configure the rXg to use only the DHCP leases table or ARP table. Appropriate configuration of this setting is critical for correct operation of numerous rXg features including automatic login.
Using the ARP table is the preferred method of determining the MAC to IP mapping on L2 connected networks. This is because the ARP table is most likely to have up to-the-second information and will also be able to map MAC addresses to statically assigned and misconfigured IP addresses. However, the ARP table will be unreliable in L2 connected networks that have intermediate devices that engage in ARP spoofing. Some wireless radios perform MAC spoofing when used in bridged, mesh or WDS mode. When working with such equipment, the DHCP leases table must be used to determine the MAC to IP mapping.
Using the DHCP lease table to discover MAC to IP mapping is required in L3 routed networks. This is because the rXg will see the MAC address of the next hop router rather than the MAC address of the end-user device for all IPs that are not L2 bridged. Furthermore, intermediate routers must be configured for DHCP relay and use the rXg as the DHCP server. The rXg is unable to use the DHCP leases table to create a MAC to IP mapping for devices that do not use the rXg as the DHCP server , for statically assigned addresses and for otherwise misconfigured IP addresses. The DHCP leases table is also most likely to contain out-of-date information compared to the near real-time ARP table. Thus, it is recommended that the DHCP lease table be used only when the ARP table cannot be used to acquire the correct IP to MAC mapping.
Using either the dhcp,arp and arp,dhcp settings is only recommended when deploying an rXg in a mixed L2 and L3 connected LAN environment. If a rXg deployed to manage a L3 routed fixed wireless broadband network and then is also used to manage a local hotzone that is L2 bridged, then it is necessary to use both the DHCP leases table and the ARP table in order to determine the MAC to IP address mapping. In most cases, it is best to prefer the ARP table over the DHCP lease table because the ARP table is most likely to have the most recent and hence the most correct mapping.
The dhcp,arp and arp,dhcp settings should only be used when absolutely necessary. Conflicts and/or confusion may occur when both the DHCP leases table and ARP table are both used to map MACs to IPs. For example: if the DHCP issues a lease to client A, then client A leaves the network, then at a later time, client B joins the network and acquires a lease for the same IP address, then client A returns to the network, there will be a conflict. The DHCP leases table will report the IP MAC mapping as client B whereas the ARP table may report the IP MAC mapping as client A. This issue is exasperated in situations where long DHCP leases are issued.
Correct IP to MAC mapping is prerequisite for proper operation of several critical rXg features including automatic login. Careful consideration of all available options as well as thorough examination of all available ARP and DHCP instrumentation is strongly advised when configuring this option.
The ARP timeout field dictates how long an ARP entry is held in the cache, in minutes, until it needs to be refreshed.
The maximum MSS setting enforces amaximum segment size on all packets transiting the rXg to be less than or equal to the specified number of bytes. Make sure that the MSS is set less than the MTU of any transit network, otherwise fragmentation will occur again. Typical values of MSS and MTU for Ethernet are 1460 and 1500 respectively. Reductions in MSS are necessary to support certain forms of IP-IP tunneling (e.g., IPsec VPN).
The minimum TTL setting modifies the minimum time-to-live on all packets transiting the rXg. The TTL is a value from 1 to 255 that is decremented each time a packet crosses a router. When the TTL reaches zero, the packet can no longer cross any routers (unless the router is capable of and has been specifically configured to ignore and rewrite the TTL). This modifier is useful for fine tuning performance of very large networks. Boosting the TTL helps in situations where packets are not reaching their targets. Reducing the TTL helps reduce looping of stray traffic. A minimum TTL set to zero disables the TTL normalization. Note that setting a minimum TTL prevents traceroute utilities from operating correctly.
The prioritize ACK setting will prioritize packets with a TOS of low delay and for TCP ACKs with no data payload.
The clear DF bit setting enables or disables the removal of the don't fragment (DF) bit in the IP flags field of packets transiting the rXg. IP fragmentation is a mechanism that enables packets to be broken into smaller pieces to pass through links with a smaller MTU than the original size. In particular, packets with DF unset can be fragmented along their way to their destination by other routers. Enable this option if the packets transiting the rXg (upstream or downstream) are too large for one of the transit routers to handle. The two most common uses of this option are to enable NFS traffic to pass over the WAN and to permit fragmenting of inbound WAN traffic to support IP-IP tunneling (e.g., IPsec VPN) between the end-user client and the rXg.
The randomize ID setting enables or disables the randomization of the data inside IP identification fields. Enabling this prevents fingerprinting of a network from the outside world. Outsiders on the WAN can use the sequential nature of the IP packet ID field to discover the topology of a network protected by NAT. It is recommended that this option be enabled whenever clear DF bit is enabled.
The block policy field defines the response to devices when packets are blocked. The drop setting will silently drop all blocked packets, whereas the return setting will send an ICMP unreachable packet for UDP requests, a TCP Reset for TCP requests, and will silently drop all others.
The Queueing Mode option affects the traffic shaping mechanism and the queues that are built for client devices. When queueing is disabled, no queues are built and ALTQ is disabled. When set to normal mode, a single queue tree is built and packet scheduling and throughput is limited to a single CPU core. When set to parallel mode, packet processing is parallelized across multiple queue trees allowing multiple CPU cores to increase throughput. The number of parallel trees is set by the Tx/Rx Queues option, which requires a reboot if changed. NOTE: use of parallel queueing can result in inaccurate throttling if traffic for a single client traverses more than one tree, since the queue discipline is distinct for each queue tree.
In order to reduce the frequency of firewall queue and ruleset reloads, a set of semi-static queues pools is created, and queues are assigned to clients as needed. The Default Leaf Queue Count field specifies how many queues should be generated for a given pool when there is no prior knowledge of the number of queues required by that pool. When the number of clients nears the size of the pool, the pool is expanded. When a client disappears from the network, its queue assignment can be reclaimed so the queue can be reused by another client without growing the queue pool, since system performance is impacted when there are many queues. The Queue Assignment Timeout option controls how long (in minutes) a queue assignment will be retained before being reclaimed for another client. A shorter timeout will keep queue pools smaller. Setting a value of 0 will disable queue assignment reclamation.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Database Purgers
Entries in the Database Purgers scaffold define rules by which database records are automatically deleted.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The tables field specifies which tables of the database will be affected by this record. Multiple database tables may be selected so that a single purging policy may be applied across several facets of the rXg configuration database.
The timestamp column field determines the database timestamp that will be used in the calculations to determine if a database record is to be purged.
created_at and updated_at Any table may be purged of records using the created_at and updated_at timestamp columns. expires_at Only useful when used in conjunction with coupons. usage_expiration Only useful when used in conjunction with tokens. logged_in_at Only useful when used in conjunction with accounts.
The age field specifies the length of time that must elapse between the current time and the stored value in the timestamp column in order for a record to be chosen for deletion.
The retain records with usage remaining checkbox prevents the deletion of account records that have a non-zero value in their usage (time) field. This checkbox has no effect when the selected table is anything other than account.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Portals
The Portals view configures the rXg captive portal web application framework enabling self-provisioning and advertising communication for the end-users population.
The primary purpose of the captive portal is to provide a destination for end-users after a forced browser redirect. The end-user population that experiences a forced browser redirect is controlled through the policies subsystem.
The rXg is prepackaged with a default captive portal containing several revenue-generating web applications. Prepackaged end-user self-provisioning modules include sign-up via account creation, payment via real-time credit card processing, usage plan selection, coupon code redemption, viewing and editing of current profile , and more. In addition, the default captive portal includes several modules that assist with the delivery of pre authentication , post authentication , HTML injected , and web session interstitial advertising.
The captive portal infrastructure includes small format device detection and automatic routing of requests made by such devices to alternative layouts and stylesheets. This enables the portal to have unique and independent views for smart phones, PDAs, gaming devices, and other handheld devices.
While the default captive portal is fully functional, it is designed to be a basis for operators to create their own customized portal with operator specific art, identity, and even functionality. The process of customizing the captive portal begins with the creation of a new record in the Custom Portals scaffold on this view.
The rXg employs a caching mechanism to maximize performance of the captive portal web application server infrastructure. Use the restart web server dialog to bring the web application infrastructure into development mode in order to disable caching so that changes made to the custom portal files are immediately reflected in the pages being served. If pages are being loaded onto the rXg via SFTP, click the development button when the pages are finished being uploaded to dump the cache by restarting the web server. Restart the web server back into production mode when done making changes.
In order to customize a portal, the administrator must be enabled with SSH access via the Admins view. In addition, a working knowledge of how to use SSH, SFTP and Ruby on Railsare required. Some excellent books that cover these subjects are SSH, The Secure Shell: The Definitive Guide (ISBN 0596008953), Agile Web Development with Rails (ISBN 0977616630) and The Rails Way (ISBN 0321445619).
Custom Portals
An rXg can have multiple custom captive portals residing on it simultaneously. Each captive portal must have a record in the Custom Portals scaffold. Each captive portal may be assigned to serve a different subset of the end-user population. The mapping between portals and end-users is defined by the policies subsystem.
The name field is an arbitrary string used to identify the portal. This string is used for identification purposes only.
The controller name field is the string used to uniquely identify the portal within the Ruby on Rails web application infrastructure. If the controller name is left blank when a new custom portal is created, the rXg administrative console will automatically generate a reasonable default based on the name field.
The controller name becomes the suffix of the direct access URL. For example, if the controller name is abc
the direct access URL is https://rxg.local/portal/abc
. The controller name also determines the directory and file name structure that is used to store the custom portal on the filesystem of the rXg. It is very important be precise about the controller name when editing and uploading files to customize the portal.
The Google Analytics web property field stores a Google Analytics web property ID. The format of a Google Analytics web property ID is UA-xxxxxx-xx where the x's are numbers. The web property ID is listed next to the name of a configured profile in a Google Analytics account home page.
When the Google Analytics web property field is populated, the captive portal will automatically include a Google Analytics site tracking code. This allows the operator to easily integrate external, third-party verifiable portal traffic tracking for the purposes of revenue verification and advertising/impression count marketing.
It is the responsibility of the operator to create and maintain a Google Analytics account along with an appropriate profile for the desired web property. For most portals, it is recommended that the operator configure the portal post authentication landing page as a goal so that it is easy to see the ratio of potential end-users to end-users who commit to subscribe.
Operator Portals
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The controller name field sets the name of the controller and how you access the operator portal. For example, if the controller name is set to FOM, then the operator portal would be accessed by going to https://FQDN.OF.SYSTEM/FOM.
The default dashboard field allows the operator to specify which dashboard should be displayed when first logging in. By default, this is set to Template Default, but can be changed to any other custom dashboard that exists on the system.
The additional dashboards field allows the operator to select other custom dashboards that are visible in this operator portal, in addition to the default dashboard.
The single sign-on strategies field is used to select which, if any, single sign-on strategies that may be used to log into this operator portal.
The admin ACL field allows the operator to override the active admin controller ACL with the one specified here; the ACL selected here does not need to be marked as active.
The template field lets the operator choose which template this operator portal will be created from. Views and assets that do not exist will be sourced from the selected template. If portal source is set to duplicate, all views and assets will be copied from the selected template when created.
The initial contents field sets how the portal will be created. A portal with ' create directory structure only' selected will inherit all views and assets from the FOM portal unless overridden. If ' duplicate files from template or existing portal' is selected, then a new operator portal will be created and all files will be copied to the directory from the selected source, allowing the operator to edit any of the preexisting views. If ' Git' is selected then the source portal will be pulled from the Git repository. It is also possible to set a sync frequency when using Git so that any changes made to the repository can automatically be pulled to all systems. Checking ' restart after sync' will restart the webserver if there is change that was pulled and automatically restart the webserver so the changes will take effect. If ' Archive file via HTTP GET' is selected then the portal can be pulled from a remote site and sync frequency can be configured as well. It is also possible to use ' rsync' which provides the same sync options.
The module configuration section allows the operator to specify not only which admin roles have access to the operator portal but can also be used to disable specific modules contained within the operator portals.
Location Manager
The Location Manager is a portal that is aimed at presenting network information in a spatially aware way.
One of its key functionalities is creating and placing POIs (Points of Interest).
Click Here to Create a new POI.
After you name it, click here to save it
When you first create it, it will be placed in the center of the floorplan. Make sure dragging is turned on, then simply drag it to where it should be.
Omniauth Strategies
The Social Login Strategies scaffold enables creation, modification, and deletion of login strategies for supported Omniauth providers.
The name field identifies this login strategy in the system.
The provider name field determines which Oauth provider this strategy relates to. Select a supported provider from the list.
The app ID field defines the ID of the application that has been created with the provider chosen in the provider name field. For Facebook, this is the App ID , but for Twitter this is the API Key. This value should be obtained from the developer console of the associated provider.
The app secret field defines the app's secret value which authenticates the app. This value should be obtained from the developer console of the associated provider.
The captive portals selections define for which captive portals this strategy is enabled. This strategy will not be available unless it is associated with at least one captive portal.
The usage plans selections determine which usage plans are available for users who log in using this strategy. The plans selected here must also be associated with the end user's effective portal; however, users who have not logged in via this strategy won't be able to see these plans in the usage plan list. If there are no usage plans associated with this strategy, an account will be created for the user, who will then be redirected to the usage plan list view. If there is only one associated usage plan, and it is free, the plan will automatically be applied to the account.
The SAML section contains configuration options which pertain only to SAML login strategies. When utilizing a SAML strategy, the App ID and App Key are not necessary.
A SAML configuration requires at a minimum, an Identity Provider (IdP) SSO URL, and optionally, a IdP Cert Fingerprint to enable validation of the IdP's certificate. Both the SSO URL and Fingerprint may be determined automatically by providing a IdP metadata URL.
The Service Provider (SP) Entity ID is a unique identifier for the service provider, which will be entered into the IdP when adding the SP.
After creating the login strategy , the webserver will restart. Clicking the show link will provide the metadata URL that can be provided out-of-band to the Identity Provider in order to establish a login trust.
Users who log in with an Omniauth strategy only have access to usage plans that are associated with their strategy AND the current captive portal. Users who log in with a non-social account do not have access to the usage plans associated with the portal's Omniauth strategies.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
A WAN target should be associated with the captive portal where the operator intends to use the strategy which allows the user to access the provider's site for the login process. Twitter, Facebook, and Google WAN targets are created automatically and should be selected when utilizing these providers.
For more information, see the Social Login manual entry.
Remote Access to Local Web Servers
The rXg web multiplexor may be configured to recognize operator specified name-based virtual hosts. This feature enables the operator to configure remote access to web servers that are on the LAN side of the rXg in a reasonable, maintainable and understandable manner. Name-based virtual hosts are most often used for remote access to the web management consoles of privately addressed LAN equipment without VPN. VPNs are the preferred mechanism for enabling remote access to LAN equipment. The next best thing is to use name-based virtual hosts through this feature.
The operator must configure DNS records for each and every name-based virtual host that is desired. The DNS records must resolve to the WAN IP of the rXg. Web requests to the DNS record will contain the HTTP headers that enable the rXg web multiplexor to send the request to the appropriate backend server on the LAN.
The rXg must be configured with either a wildcard SSL certificate or individual certificates per destination host. Each HTTP virtual host entry can be configured to use unique SSL Certificates and should match the configured DNS entry for that host. This is required because HTTP headers are read after the SSL handshake is complete.
The hostname for remote access field specifies the DNS record that has
been configured. For example, if the rXg is given the domain name
gw.somewhere.net
it would be appropriate to use name-based virtual hosts such
as wc.gw.somewhere.net
, ap003.gw.somewhere.net
, sw18.gw.somewhere.net
,
etc. The chosen domain does not need to be a subdomain of the rXg.
The local server IP field specifies the target IP address(es) of the back-end server(s) for the name-based Virtual Host that is configured by this record. Web traffic sent to the rXg using the hostname configured in this record will be proxied to this IP. Multiple IP addresses can be defined, separated by spaces or newlines. When multiple IPs are defined, requests are load-balanced to the IPs in the list according to the configured Load balancing method.
The available load balanding methods are as follows:
- Round-Robin: This is the default behavior. Traffic is distributed in a round robin fashion.
- Least Connections: The next request is assigned to the server with the least number of active connections.
- Source IP Hash: A hash-function is used to determine what server should be selected for the next request (based on the client's IP address). Subsequent requests from the same client should be send to the same backend server.
- Source IP:Port Hash: A hash function based on the client's IP and Port combination
- Request URI Hash: A hash function based on the full request URI.
- Random: Each request will be passed to a randomly selected server.
- Random + Least Connections: Two servers are chosen at random, and the one with the least number of active connections is used.
The WAN Targets association restricts access to this virtual host to only the hosts included in the WAN Target. All other source IPs will receive a 403 Forbidden response when attempting to access using this FQDN.
Custom Data Set
The name field will be used to call the data set in a portal so choose a name that reflects the purpose of the record.
The policies field allows the operator to restrict which policies have access to the custom data set.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The key field specifies which custom data keys belong to the custom data set. When creating a custom data set this field is required; however, a custom data keys does not need to belong to a custom data set to be used.
Custom Data Keys
The dataset field is used to tie a custom data key to custom data set. This is optional when creating a custom data key , but can be used to tie a collection of custom data keys into a single custom data set.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The name field will be used to call the data set in a portal, so choose a name that reflects the purpose of the record.
The value section allows the operator to set what value or values are contained within the custom data key.
The string field is used to store a string value.
The text field is similar to the string field but should be used for large blocks of text.
The Boolean field can be used as a true/false flag. It is false by default.
The decimal field is used to store decimal numbers.
The integer field is used to store whole numbers.
The date field is used to store a specific date.
The time field is used to store the time.
The date-time field is used to store both the date and time.
Attachments
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The description field can be used to describe the purpose or a description of the content.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The custom portals field is used to select which customs portals the content will be available for use. Selecting a custom portal here will make the content available to any Captive or Landing portals based off of the Custom Portal selected.
The captive portals field is used to select which specific Splash portals the content will be available on.
The landing portals field is used to select which specific Splash portals the content will be available on.
The file field is used to select the file to upload and make available to the selected portals.
Simple Webpacker Example
Webpacker allows the operator to import pre-compiled JavaScript into a custom portal. In this example, a new custom portal will be created then add the necessary files. Navigate to System::Portals and create a new custom portal. Note: an existing portal if one already exists.
Give the portal a name, and specify the controller name. For this example, just the default portal will be used so no other information needs to be provided. Click create. Note: webserver will restart when a new portal is created.
Once the portal has been created, access the portal files. This can be done via SSH or SMB ; see the Portal Customization section of the help manual for instructions on setting up access. In this example, SSH to the machine and become root.
Now navigate to the portal directory cd /space/portals/demo. Note: portal path may be different if using a different portal or used a different controller name.
Next, create a src directory within the root portal directory. This will be where any desired js files imported using webpacker will be placed. To create directory, use the following command: mkdir src
Navigate to the src directory that was created with the following command: cd src
Next, create a hello.js file. This file will contain the following code:
let hello = "Hello, world!" console.log(hello)
Save the file and go back to the root portal directory cd ..
Edit the pack.js file and add the following line:
import "./src/hello.js"
This will import the JavaScript file created in the previous step. Once the line is added, save the file.
Now the portal JavaScript was added can be hit to and see in the developer tools console as the following:
Update
The Update view presents dialogs enabling the operator to change the version of the rXg software currently running. The operator may choose to automatically update or manually update the rXg.
It is imperative that the operator make a full backup of the rXg (including, but not limited to, the database configuration and the customized captive portals ) before initiating an update. If an update fails for any reason, it may be necessary to restore the rXg from backup.
The rXg automatic update process requires that the operator have a valid support contract with RG Nets. By supplying a valid support credential ( email and password ) assigned to the operator, the rXg will contact RG Nets servers, download the latest rXg software, and automatically perform the update.
The rXg manual update process requires that the operator have a version of the rXg software stored on their local filesystem. The latest versions of the rXg software are available on the rXg servers. Access to the rXg servers requires a valid support contract. The manual update process is useful for operators who have multiple rXgs deployed and wish to minimize the number of times that the rXg software package needs to be downloaded over the Internet.
The Update rXg from a mounted USB or local ISO Disk Image checkbox in this section allows you to use a bootable USB that is connected to the host as the source, OR an ISO file that is loaded into the disk images scaffold (currently only available when there is a virtualization host record defined or when manually loaded into the /space/disk_images directory). This dialog is intended for performing an rxg upgrade not an OS upgrade. The OS upgrade form becomes visible when the official FreeBSD version has changed.
When the box is unchecked, you can also upload an ISO file there to upgrade the rxg version.
Additional Resources
YouTube Playlist - Upgrading an rXg
Network
The rXg operates on the principle that it is the router between a distribution network which is connected to the end-user population and one or more uplinks where resources reside. Physical, data-link and network connectivity must be established in order for an rXg to deliver control, communication and cognizance over the end-user population. The network menu enables the operator to access the views of the administrative console to create and edit the IP addresses, routing tables, address translation configuration needed to establish L3 connectivity.
End-users must each be assigned an individual IP address so that the rXg can deliver the full spectrum enforcement and instrumentation capabilities. End-users may be assigned public or private IP addresses depending on the desired network topology. The operator may choose to utilize both both private and public addresses at the same time. The rXg may be configured to perform or network address translation on any private (or public for that matter) addresses on the LAN block.
The rXg supports nearly any IP topology imaginable. End-users may be either L2 or L3 connected to the rXg. All capabilities, including the forced browser redirection to a captive portal, are fully supported regardless of whether end-users are L2 connected or L3 connected. L2 connected end-users may be connected natively or via VLANs. L3 connected end-users transit routers that forward blocks configured statically or via dynamic routing protocols.
In the simplest case, the rXg is deployed as the router for a natively addressed LAN that is L2 bridged into the rXg such as the example shown above. The rXg may be configured to natively route public or private blocks and NAT may be enabled or disabled on each block.
In larger RGNs, the rXg is often configured to be the termination point of several VLANs that connect to end-users. In the example above, VLANs are used to segregate traffic between end-users who are originating traffic from two geospatially distinct properties on the same resort. The use of VLANs helps to maximize the performance of the network through traffic segregation.
Traffic segregation is a critical aspect of designing large scale RGNs. VLANs are the most common mechanism to accomplish this, but an alternative network topology is to use L3 segregation as depicted in the example shown above. To accomplish this, routers must be deployed on the LAN side of the rXg. End-users are then connected to blocks that are behind the routers. The rXg must be configured with static or dynamic routing so that the end-user traffic will pass appropriately.
Network Dashboard
The network dashboard presents an overview of the current status and configured settings for the WAN, LAN and routing subsystems of the rXg.
The left column presents a dialog containing the configuration and status information for each of the uplinks configured on the rXg.
Numerous details about the uplink are displayed in the dialog. The colored icon at the upper left of the dialog informs the administrator about the status of the uplink. A green light indicates that the uplink is online while a red one indicates that the uplink is offline. Real-time configuration information is presented in the dialog. For example, if the uplink is set to request network configuration via DHCP, the IP, subnet mask and gateway obtained from the DHCP server is presented.
The top of the middle column presents information about the physical and logical interfaces connected to the rXg.
Each interface that is physically connected and has a link is reported along with the MAC address and media type. The media type is read from the interface when the view is loaded making this an ideal place to determine the speed and duplex of an auto-negotiated link. Clicking on the dialog brings up a view with more detailed information.
The bottom of the middle column presents a snapshot of the routing table of the rXg.
The most utilized routes are presented here. Clicking on the scaffold brings up a view with more detailed information.
The right column presents a set of dialogs describing the LAN IP addresses configured on the rXg.
Use these dialogs to quickly review what IP addresses are configured into which interfaces.
WAN
The WAN view presents the scaffolds associated with configuring the wide area network interfaces.
An rXg requires at least one properly configured entry in the uplinks scaffold in order to function. If more than one uplink is configured, the rXg can aggregate and failover WAN uplinks. In addition, the rXg can affine and diversity LAN traffic over the WAN uplinks.
An uplink must be configured with a valid IP address and gateway to function. To use DHCP to obtain an IP address and gateway dynamically, simply check the DHCP checkbox in the uplink record. As an alternative, a static IP address may be manually specified by creating a record in the addresses scaffold and associating the record with an uplink. The gateway for a statically assigned IP block must be manually configured in the uplink record. If the upstream ISP requires PPPoE authentication, configure the ISP supplied credentials into a record of the PPPoE scaffold and associate the record with the uplink.
Ethernet Interfaces
An entry in the ethernet interfaces activates and configures a physical port on the rXg to take part in in networking connectivity.
In most cases, at least two ethernet interfaces must be configured (one for the WAN, one for the LAN). In multiple uplink scenarios, it is common to have one ethernet interface configured for each WAN uplink. It is also possible to use VLANs on a single ethernet interface to configure unlimited WAN and LAN interfaces.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The port field determines the physical ethernet port that this record will activate and configure.
The media field configures the speed and duplex of the Ethernet port. In most cases, the autoselect setting will automatically negotiate the fastest possible link. Autoselect should also be used if automatic crossover detection is required as most Ethernet hardware will disable automatic crossover if anything other than autoselect is specified as the media type.
If physical link cannot be established, first check the physical cable using an isolation test. If the cable is determined to not be the issue, try setting the ethernet interfaces on both sides of the cable to the same speed and duplex. Note that if a straight cable is connected between two nodes, that cable will need to be replaced with a crossover because automatic crossover detection will be disabled when a media type other than autoselect is specified. In addition, using a lower speed setting and avoiding full-duplex communication may be necessary when the cable is long or does not meet the standards needed for higher speed communication.
The MTU setting configures the maximum transmission unit (frame size) for this interface. By default, most ethernet interfaces support 1500 bytes. Large MTUs may be used in gigabit networks that support jumbo frames to obtain better throughput when transferring large files. Support for jumbo frames must be present throughout the infrastructure in order for larger MTUs to work properly.
The addresses , uplink , VLANs and PPPoE fields link an Ethernet interface to a configuration defined by the specified scaffold. These fields shown here are mainly presented for informational purposes. In most scenarios, an administrator will link the address, uplink, VLAN or PPPoE configuration to the Ethernet interface using the other scaffold.
The backup port field specifies an alternative ethernet interface to assign the addresses , uplink , VLANs and PPPoE configuration settings when this ethernet interface goes down. An ethernet interface is marked as down if it loses link or if all of the ping targets associated with it go offline. The VLANs and Network Addresses associated with an ethernet interface are moved to the backup port when the ethernet interface is marked as down. The backup port mechanism is designed to be used with generic L2 switching. Backup ports should not be used with any LAG/MLT/SMLT/LACP configuration on the connected switch.
The checksum offload , TCP segmentation offload and large receieve offload settings offload the specified processing to the NIC hardware when possible. In some cases this may cause instability and in other cases there are performance benefits.
Uplinks
An entry in the uplinks scaffold declares a specified logical interface as a WAN uplink. At least one uplink must be configured for proper rXg operation. More than one uplink may be configured in link control scenarios when the operator has obtained multiple WAN drains. When multiple uplinks are configured, the rXg can aggregate and failover between uplinks as well as diversify and affine LAN traffic amongst them.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the order of precedence during failover in a link control scenario. When only one uplink is configured, this field has no effect as there is no uplink to failover to. When multiple uplinks are configured and connection aggregation is enabled, a failure of a link will cause another member of the pool to forward all traffic. If aggregation is not enabled, or all uplinks within a pool have failed, then the uplink with the highest priority amongst all of the remaining uplinks will be used to forward the traffic.
The interface , PPPoE and VLAN drop downs specifies the mechanism by which this uplink will forward traffic upstream. Only one option may be selected for each uplink.
The DHCP checkbox enables the DHCP client for this uplink. The network address, subnet mask and default gateway of this uplink are requested from the DHCP server. If a statically configured IP address is desired, leave this checkbox cleared, create a record in the addresses scaffold and associate it with this uplink.
The gateway IP specifies a statically assigned default gateway for this uplink. The default gateway must be within the IP block defined by the network address associated with this uplink. This field should remain blank if the DHCP checkbox is set.
The upload speed and download speed fields describe the throughput of the uplink.
Network Addresses
An entry in the network addresses scaffold defines an IP block that will be associated with an interface, uplink or VLAN.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The IP field specifies the IP address using CIDR notation that will be configured on the interface specified. If the address record will be used for configuring multiple addresses on the interface via the span field, the IP field configures the first (lowest) IP address of the range.
The span field specifies the range of IP addresses configured by this address record. The default value of 1 is assumed if this field is omitted. For LAN links, a span of 1 is typical. For WAN links, a span of greater than 1 automatically enables translation pooling in NAT scenarios. In addition, bidirectional network address translation (BiNAT) requires the WAN link to span one additional address for each BiNAT.
PPPoE Tunnels
An entry in the PPPoE tunnels scaffold enables the point-to-point protocol over Ethernetclient to connect with the specified credentials through an Ethernet interface for the purpose of configuring a valid uplink.
The username and password fields specify the credentials for the PPPoE client. The credentials are assigned by the upstream ISP.
The service name is an optional service selector. If the upstream ISP did not provide a specific value, leave this field blank.
The interface field associates this PPPoE tunnel with an Ethernet interface. It is highly recommended that an Ethernet interface associated with a PPPoE tunnel be used exclusively for this purpose. Avoid associating addresses, VLANs, and other entities with an Ethernet interface that is designated for a PPPoE tunnel.
The uplink field associates this PPPoE tunnel with an uplink. To use PPPoE, an uplink must be associated with a record in the PPPoE tunnels scaffold, which in turn, is associated with a Ethernet interface. Do not associate an uplink that has a PPPoE tunnel enabled with the Ethernet interface directly.
DNS Servers
An entry in the DNS servers scaffold specifies an upstream DNS server to use for DNS resolution.
It is highly recommended that at least one upstream DNS servers be configured for network resilience, else the built-in DNS server is used for resolution. Without DNS resolution, no networking services will operate.
Many ISPs will provide DNS server entries. These DNS servers should be configured into this scaffold. In a link control scenario where multiple uplinks from a diverse set of ISPs are configured in parallel, the DNS servers for all of the upstream ISPs should be configured with the appropriate uplink setting selected. In this case, theGoogle Public DNS or OpenDNS servers may be used as backup DNS servers for all uplinks.
The IP field specifies the IP address of the DNS server that is to be used for DNS queries. In most cases, the upstream ISP will provide the IP addresses for the public DNS servers for a specific uplink. If no servers are provided, using the Google Public DNS orOpenDNS is a good alternative.
The uplinks field associates uplinks with the DNS server specified in this record. In many cases, the upstream ISP will have DNS servers that are restricted to their customers so it is important to make sure that the right IP is associated with the proper uplink.
Configure IPV6 to IPV4 Tunnel
In this example we will configure the rXg with an IP tunnel that will allow us to access IPv6 addresses over an existing IPv4 connection. The IPv6 tunnel end point is provided by https://ipv6.he.net after passing a basic certification process. We will need to create an IP Tunnel, an Uplink, a Network Address, and lastly a DHCP pool. To begin navigate to Network::WAN.
First we will create an IP Tunnel.
Give the IP Tunnel a name. The Type field should be set to GIF. Set the Local Interface field to the WAN interface. The Remote IP field is the Server IPv4 Address obtained from he.net. The Tunnel Local CIDR field is the Client IPv6 Address obtained from he.net. The Tunnel Remote IP is the Server IPv6 Address obtained from he.net. Click Create.
Next create a new Uplink, give the uplink a name, priority should be lower than your primary uplinks. Change the IP Tunnel field to the IP Tunnel created in the previous step. Click Create.
Next create a new Network address to create the LAN DHCP addresses that the system will hand out to IPv6 enabled clients. Give the Network addresses a name, select the ethernet interface the addresses will be configured on, and fill out the IP field with the information obtained from HE, in the Routed IPv6 Prefixes section. Note that the address given ends with :: which is invalid so append the IP you want to assign to the system usually 1. Checking the Create DHCP Pool box is optional, for this example setup it will not be checked and we will create the DHCP pool. Click Create.
Next navigate to Services::DHCP and create a new DHCP pool. As long as the last address created was the address from the previous step it will auto fill the fields. It may be a good idea to reduce the scope of the pool by changing the end IP from 2001:470:1f07:210:ffff:ffff:ffff:ffff to 2001:470:1f07:210::ff. Click Create
Now if we SSH into the machine and run ifconfig gif0 we should see our intferface configured with the IPv4 Tunnel addresses as well as the IPv6 Address, and we should be able to ping an IPv6 addressing using ping6 like ping6 google.com.
NAT
The NAT view presents the scaffolds that configure settings to modify the network address translation mechanisms of the rXg.
NAT
Entries in the NAT scaffold configure network address translation between LAN subnets and WAN addresses.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The addresses and static routes field specify the source LAN subnets for which network address translation will be enabled by this record.
The uplinks field specifies the destination WAN address(es) to which the selected LAN will be network address translated.
The Reverse NAT field specifies that traffic sent via selected Uplink is to be NATd to the first IP of the selected Addresses. This option is primarily used when the upstream ISP routes a block of public IPs to the rXg's primary uplink IP (often assigned via DHCP), and those IPs are assigned to a LAN interface for distribution to clients, but there is a need for outbound traffic from the rXg to always be sourced from the routed block of IPs rather than the DHCP uplink IP.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
If no records are present in the NAT scaffold, the rXg will automatically enable NAT from subnets that are configured with RFC 1918 specified private addresses.
Static IPs
An entry in the Static IPs scaffold creates a one-to-one mapping between an IP address within a span associated with an uplink and a private IP address on the LAN . This feature is typically used to give public access to a resource that is configured on a private IP address such as a web server.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Source IP field determines the destination of the translation of traffic originating from the Public IP.
The Public IP field specifies the IP address within a span of addresses associated with an uplink that will be translated to the Source IP.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Dynamic BiNAT Pools
An entry in the Dynamic BiNAT Pools scaffold specifies a range of IP addresses that may be dynamically assigned to devices whose account has a Max BiNATs value of 1 or greater, and whose policy is enabled for this Dynamic BiNAT Pool. This feature is typically used to give public access to a resource that is configured on a private IP address such as a web server or a gaming device which requires open incoming firewall ports for proper operation.
The end-user may subscribe to a usage plan which allows Dynamic BiNAT, and may enable BiNAT functionality for specific device(s) by accessing the manage devices page of the portal. The operator may also change the active BiNAT device(s) by editing the account's device list. Care must be given to ensure that the range of addresses configured here is large enough to accomodate the number of devices that are configured for Dynamic BiNAT.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Start IP field determines the first IP address of the range of uplink addresses that will be used as the Dynamic BiNAT IP for eligible devices. The IP should fall within a span of addresses associated with an uplink that is associated with the device's link control.
The End IP field specifies the last IP address in the range of uplink addresses that will be used as the Dynamic BiNAT IP for eligible devices. The IP should fall within a span of addresses associated with an uplink that is associated with the device's link control.
The Policies field specifies policies that may utilize this BiNAT Pool. When an associated Policy contains Accounts, a number of IP's specified in the Max BiNATs field of the Account will be assigned to that Account. The end user will be able to configure up to that many DMZ devices through the manage devices page in the captive portal. When an associated Policy contains devices that do not belong to an account, such as from an IP group or MAC group, a BiNAT will be assigned to each device currently connected that belongs to the associated Policy. If no policies are associated with this BiNAT pool, the pool is effectively disabled, and the addresses will be available for regular NAT.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Example BiNAT Deployments
Below are 3 BiNAT deployment examples.
Example 1: Dynamic BiNATs
In this example the operator has configured the rXg to have a block of public IP address that are used for CGNAT and another pool that users can dynamically be assigned a public IP address from that can used as NAT for the account. This IP can be assigned to a specific device (DMZ), and can also be used for UPNP.
First a block of public IP address must be assigned to an interface.
Next we need to configure a BiNAT pool by going to Network::NAT , in this case half the public IP addresses will be used for BiNAT's. The Operator can control which accounts/clients can be assigned a BiNAT by selecting the Policies that can use the pool. In this case only users in the Residents-Premium policy will be able to draw from the pool.
Being in the Residents-Premium policy is not all that is required the account must also be set to allow the use of BiNAT IP address. This is controlled by the Usage Plan the user has purchased. This can be set by going to Billing::Plans. Edit the appropriate Usage Plan and look at the Sessions section of the account. Here the Operator can set the number of Max dedicated IPs , in this example it is set to 1. UPnP has also been selected in this case.
Now users who purchase the Residents-Premium plan will have a BiNAT assigned to their account that all the traffic from their devices will NAT through and their devices can create UPnP port forwads automatically.
Example 2: Static Dedicated BiNATs
In this example the rXg has been configured so that each account gets assigned a BiNAT that is static. First a block of public IP addresses must be configured.
Next the BiNAT pool must be configured to consume the entire block of public IP address, and the appropriate policies must be allowed access to the BiNAT pool. Network::NAT.
The account must also be set to allow the use of BiNAT IP address. This is controlled by the Usage Plan the user has purchased. This can be set by going to Billing::Plans. Edit the appropriate Usage Plan and look at the Sessions section of the account. Here the Operator can set the number of Max dedicated IPs , in this example it is set to 1. By checking the Static dedicated IPs box the NAT IP or IPs are reserved and remain staic for the lifetime of the account. UPnP has also been selected in this case.
In this example each account is assigned a BiNAT address when created, and the IP assigned will remain for the lifetime of the account. This is the equivalent of having a static public IP address.
Example 3: BroadBand On Demand
In this example the rXg has been configured so that each account selects the number of Dedicated IP's (BiNAT addresses) that will be assigned to the account at time of purchase. A block of Public IP address must be configured via Network::WAN.
Next the BiNAT pool must be configured to determine which IP address can be used for dedicated IPs, and the appropriate policies must be allowed access to the BiNAT pool. Network::NAT.
The Usage Plans for this example must be configured to allow the user to pick the number of Dedicated IPs by using the Plan Addons scaffold via Billing::Plans. Here two Plan Addons have been created allowing the user to purchase additional Dedicated Ips and allows them to make them static by purchasing the static IP option.
The above configuration allows the user when purchasing a plan to select how many dedicated IP's they want and can purchase the ability to make them static as well.
NAT Reversal example
Video Configuration Guide and Demonstration
In this example a NAT rule will be created for NAT Reversal, it will be assumed here that the ISP is handing out a private IP address and routing a static block of public IP addresses to the private IP address. Traffic that originates from the WAN IP address of the rXg will be NAT'ted to the first IP address of the public static block on the LAN. What this means is that if a client device were to go to whatismyipaddress it would report the first IP address of the static block on the LAN and not the WAN IP address. Inbound traffic from the Internet destined to the first IP address of the public static block on the LAN is now redirected to the WAN IP address of the rXg. This means that if the operator were to put in their browser the first Public IP address from the static LAN block, they would be getting to the WAN of the system.
To configure this there needs to be a WAN uplink that would usually be a static IP address however it could be DHCP that assigns a static IP, and there needs to be a block of static Public IP addresses routed to the uplink IP. Below is an example Uplink configuration that receives a WAN IP via DHCP.
To configure this with an assigned static WAN IP address, create a new Uplink or edit an existing one. Select the interface. Make sure the DHCP box is unchecked, and enter the gateway IP address. Create or update the uplink.
Next create a new Network Address and assign the IP address to the uplink. Give the Network Address a name, and select the interface, the interface should match the interface of the Uplink. Enter the address to be assigned to the uplink and click create.
Next the Static Block of Public IP address will be created. Create a new Network Address. Give the record a name, select the interface that matches the uplink in this case it is vmx1. Enter the IP address in cidr notation. Only a single IP address is needed here however we can assign more to the system by adjusting the span if needed. Setting the span to 2 in this example would assign the .2 and .3 address to the system. Click Create.
Next navigate to Network::NAT and create a new NATs rule.
Give the record a name, select the Uplink and check the Reverse NAT box. Next select the Network Address created in the previous step and click Create.
With this configuration in place, a device on the LAN that goes to whatismyipaddress.com would report that it's IP address was 192.170.0.1. A device going to https://192.170.0.1/admin would get the Admin GUI of the system, even though the uplinks IP is a private address.
LAN
The LAN view presents the scaffolds associated with configuring the local area network interfaces.
An rXg requires at least one properly configured LAN address in order to function. To configure an IP address on an interface, create a record in the addresses scaffold and associate it with an Ethernet interface record. If the LAN distribution network is connected via an 802.1Q VLAN trunk, create VLAN interfaces using the VLANs scaffold and then associate address records with the VLAN interfaces.
Ethernet Interfaces
An entry in the ethernet interfaces activates and configures a physical port on the rXg to take part in in networking connectivity.
In most cases, at least two ethernet interfaces must be configured (one for the WAN, one for the LAN). In multiple uplink scenarios, it is common to have one ethernet interface configured for each WAN uplink. It is also possible to use VLANs on a single ethernet interface to configure unlimited WAN and LAN interfaces.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The port field determines the physical ethernet port that this record will activate and configure.
The media field configures the speed and duplex of the Ethernet port. In most cases, the autoselect setting will automatically negotiate the fastest possible link. Autoselect should also be used if automatic crossover detection is required as most Ethernet hardware will disable automatic crossover if anything other than autoselect is specified as the media type.
If physical link cannot be established, first check the physical cable using an isolation test. If the cable is determined to not be the issue, try setting the ethernet interfaces on both sides of the cable to the same speed and duplex. Note that if a straight cable is connected between two nodes, that cable will need to be replaced with a crossover because automatic crossover detection will be disabled when a media type other than autoselect is specified. In addition, using a lower speed setting and avoiding full-duplex communication may be necessary when the cable is long or does not meet the standards needed for higher speed communication.
The MTU setting configures the maximum transmission unit (frame size) for this interface. By default, most ethernet interfaces support 1500 bytes. Large MTUs may be used in gigabit networks that support jumbo frames to obtain better throughput when transferring large files. Support for jumbo frames must be present throughout the infrastructure in order for larger MTUs to work properly.
The addresses , uplink , VLANs and PPPoE fields link an Ethernet interface to a configuration defined by the specified scaffold. These fields shown here are mainly presented for informational purposes. In most scenarios, an administrator will link the address, uplink, VLAN or PPPoE configuration to the Ethernet interface using the other scaffold.
The backup port field specifies an alternative ethernet interface to assign the addresses , uplink , VLANs and PPPoE configuration settings when this ethernet interface goes down. An ethernet interface is marked as down if it loses link or if all of the ping targets associated with it go offline. The VLANs and Network Addresses associated with an ethernet interface are moved to the backup port when the ethernet interface is marked as down. The backup port mechanism is designed to be used with generic L2 switching. Backup ports should not be used with any LAG/MLT/SMLT/LACP configuration on the connected switch.
The checksum offload , TCP segmentation offload and large receieve offload settings offload the specified processing to the NIC hardware when possible. In some cases this may cause instability and in other cases there are performance benefits.
In this example, there is no redundancy as there is only one path between the rxg and all network switches. If the rxg loses connectivity with Switch A, Switch B, C, and D will also lose access.
A slightly better version of the above configuration would be to add a Backup Port so that if the primary link to switch A becomes unusable, a secondary link can be utilized.
Edit the primary interface, select several Ping Targets , then select a Backup Port.
In this example, when Igb3 loses link or all Ping Targets fail to respond, the VLANs and Network Addresses associated with Igb3 are moved to the Backup Port Igb2. Igb3 is marked as down.
However, this still leaves Switch A as a single point of failure. Consider the below topology for a higher level of redundancy.
This feature is not dependent on proprietary protocols and as such will work with most any available switch.
Sample Topology: Redundant Core Switches
Sample Topology: Redundant Gateways and Core Switches
Pseudo Interfaces
VXLAN
VXLAN, or Virtual Extensible LAN, is a network virtualization technology designed to address limitations of traditional VLANs (Virtual Local Area Networks) in large environments. VXLAN tunnels Layer 2 Ethernet traffic over a Layer 3 IP network by wrapping local area network data packets inside IP packets for transport across a larger IP network. VXLAN overcomes the limited number of VLANs supported by traditional methods. It uses a 24-bit identifier, allowing for millions of virtual networks compared to the roughly 4,000 of standard VLANs.
Bridge
The bridge interface allows two or more interfaces to have a connection between them at Layer 2. This essentially combines them into a single logical network segment, allowing devices connected to either interface to communicate directly with each other.
LAGG
LAGG, which can also be referred to as LAG (Link Aggregation Group), stands for Link Aggregation. It's a networking technology that groups multiple physical network interfaces together into a single logical interface. This essentially combines the bandwidth and, in some cases, provides redundancy for network connections.
Multiple Interfaces, One Logical Interface: By aggregating several physical interfaces, LAGG creates a single, high-bandwidth logical interface. This can be beneficial for applications requiring a lot of data transfer, like video streaming or large file transfers.
Increased Bandwidth: The combined bandwidth of all the physical interfaces in the LAGG is available to the logical interface. For instance, if you combine two 1 Gbps interfaces using LAGG, you'd get a logical interface with a potential bandwidth of 2 Gbps.
Redundancy: In addition to increased bandwidth, LAGG can also provide redundancy. If one of the physical interfaces in the LAGG fails, traffic can still be transmitted over the remaining active interfaces. This helps to improve network uptime and fault tolerance.
Protocols: There are different protocols for LAGG interfaces, with the most common one being LACP (Link Aggregation Control Protocol). This protocol negotiates with a compatible switch to automatically bundle the physical interfaces into a LAG. Both the switch and the device using LAGG need to support LACP for this to work.
Other protocols included Failover, Load Balance, Round Robin, and Broadcast.
WireGuard
WireGuard is a streamlined approach to virtual private network (VPN) protocols. It emphasizes three key aspects:
Ease of use: WireGuard is designed to be simpler to set up and use compared to other VPN protocols like OpenVPN. This is achieved by having a lean codebase and focusing on essential functionalities.
High performance: WireGuard prioritizes speed. It uses modern cryptographic techniques and a streamlined approach to achieve faster connection speeds and lower latency compared to traditional VPN protocols.
Security: Despite its simplicity, WireGuard offers robust security. It utilizes state-of-the-art cryptography and keeps the attack surface minimal by design.
SoftGRE
A SoftGRE tunnel is a type of tunneling protocol that uses Generic Routing Encapsulation (GRE) to transport Layer 2 Ethernet traffic over an IP network. In simpler terms, it encapsulates Ethernet data packets within GRE packets, allowing them to be sent across an IP network that wouldn't normally support them.
SoftGRE tunnels are particularly useful for extending WiFi networks. They can be used to connect geographically separated WiFi access points (APs) to a central rXg, creating a seamless network for users.
The following configuration steps provide an example of how to configure the rXg as an endpoint for a SoftGRE tunnel.
- The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
- Set the Interface type to SoftGRE.
- The Members field indicates where tunneled traffic can egress. In this example, only tagged traffic on VLAN 777 will be accepted. Interfaces can be used for untagged traffic and VLANs will be used for tagged traffic.
- In the SoftGRE Listen Interface you will set where incoming SoftGRE connections will be accepted from. Polices will be used to identify LAN side tunnels and WAN Targets will be used to identify tunnels originating from the WAN.
Vendor Specific Configuration Examples - RUCKUS SoftGRE Tunnel
SoftGRE Tunnel Troubleshooting
Confirm the presence of interface bridges The bridge number will be the same as the VLAN with an extra 1 at the beginning. For example if vlan2000 should be carried over the tunnel, you should also have a bridge12000. In our example, there will also be an additional 0 because the VLAN ID is only 3 digits. VLAN 777 becomes bridge10777.
This can be confirmed via SSH with the following command:
ifconfig | grep bridge10777
Confirm the traffic is flowing over the bridge interface
This can be done by using tcpdump
to confirm that you see unicast traffic over the interface. For example, have a client connect and ping 4.2.2.2.
Continuing the use of bridge10777, I will use the following tcpdump
statement tcpdump -ni bridge10777
and confirm that I can see unicast traffic from my client device.
VLANs
The rXg defines a logical 802.1Q virtual LAN interface for each entry in the VLANs scaffold. A good reference for understanding VLANs and trunk ports is Network Warrior (ISBN 0596101511) by Gary Donahue.
Creating a VLAN implies that the Ethernet interface that is directly associated with it is a VLAN trunk port. The device connected to the Ethernet interface must be similarly configured to accept traffic for the VLAN ID specified in this record.
The Physical Interface drop down associates this VLAN logical interface with an Ethernet interface. A VLAN logical interface presents itself in the same manner as a Ethernet interface for network address configuration and policy management purposes. However, the VLAN must be associated with an Ethernet interface so that it knows what physical port to transmit and receive on.
The Service VLAN drop down associates this VLAN with a Q-in-Q parent VLAN interface. Note: if using Q-in-Q the operator should make sure that VLAN hardware filtering is disabled on the Ethernet Interface by navigating to Network::LAN editing the interface and confirm that the VLAN hardware filtering box is unchecked.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The VLAN ID is an integer value that is used in the VLAN identifier field of the frames transferred over the physical interface defined by this record. The field is 12-bits in the ethernet frame, making the range of values from 0 to 4096. The 0 value is reserved for native traffic and 1 is used for management by many bridges and switches. In addition, 4095 is reserved by most implementations.
The I-SIDs (Backbone Service Instance Identifier) can be used to identify any virtualized traffic across an 802.1ah encapsulated frame.
The Autoincrement drop down changes how VLANs are configured with regards to the number of subnets. none | single L2 | n tags=1 will result in a single VLAN being associated to a single subnet or subnets. per-subnet | auto-increment L2 w/L3 | n tags = subnets / ratio means the number of VLANs that will be configured is the number of Subnets divided by the ration. With a Ratio of 1 and tied to a Network Address that has 32 subnets, 32 VLANs will be configured. With a Ratio of 2 and a Network Address with 32 subnets, 16 VLANs will be configured (32 / 2 = 16).per-IP | auto-increment L2 over split L3 via BNG | n tags = (usable IPs / ratio)means if we have a Network Address configured with 32 usable IP addresses the number of VLANs that will be configured is the number of IP address divided by the ratio. Given a Network Address with 32 usable IP addresses and a Ratio of 1, 32 VLANs will be configured. If the Ratio is set to 2, 16 VLANs will be configured (32 / 2 = 16).
The Ratio field is the number of autoincrement subnets or usable IPs in each VLAN tag.
The MAC Override allows the operator to adjust the MAC address(es) assigned to each VLAN interface created based on this VLAN configuration. The MAC address assigned to each VLAN will be the MAC Override incremented for each VLAN interface created. The first VLAN interface created will use the value of MAC Override. For each additional VLAN created, the value will be incremented by 1. For example a MAC Override of ff:ff:fe:00:00:1a with a vlan tag of 10 will result in a MAC address of ff:ff:fe:00:00:1a being assigned to the vlan10 interface. When using autoincrement, vlan11 will be assigned ff:ff:fe:00:00:1b , vlan12 will be assigned ff:ff:fe:00:00:1c , etc.
The addresses field associates one or more network addresses with this VLAN logical interface. All interfaces, including logical VLAN interfaces, must have one or more network addresses associated with them in order for them to pass traffic.
The Switch Port Profiles field allows the operator to associate the VLAN(s) to a switch port profile that will automatically configured the VLAN(s) to the switch ports attached to the profile.
The WLANs field allows the operator to associate the VLAN(s) to a WLAN.
The Conference options field allows the operator to associate the VLAN(s) to a conference record so the VLAN(s) can be used when created a conference via the Conference Tool.
Network Addresses
An entry in the network addresses scaffold defines an IP block that will be associated with an interface, uplink or VLAN.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The IP field specifies the IP address using CIDR notation that will be configured on the interface specified. If the address record will be used for configuring multiple addresses on the interface via the span field, the IP field configures the first (lowest) IP address of the range.
The span field specifies the range of IP addresses configured by this address record. The default value of 1 is assumed if this field is omitted. For LAN links, a span of 1 is typical. For WAN links, a span of greater than 1 automatically enables translation pooling in NAT scenarios. In addition, bidirectional network address translation (BiNAT) requires the WAN link to span one additional address for each BiNAT.
Examples using Autoincrement
1. Autoincrement with 1:1 VLAN per subnet (MDU)
In this example the VLAN is configured per-subnet with a ratio of 1, this means that each subnet will have it's own VLAN tag. The number of VLANs used will be the number of subnets divied by the ratio. For this example there will be 128 /24 subnets tied to the VLAN which will result in 128 VLANs.
Create a new VLAN Interface , give it a name, select the Physical Interface the VLANs will be tied to. Set the VLAN IDs field to first VLAN to be used. Autoincrement is set to per-subnet , and Ratio is set to 1. If the Network Address is created already it can be selected, in this case it does not, click Create.
Next create a new Network Address , give it a name. Under the Interface section set the Ethernet field to select, and the VLAN field to the VLAN created in the previous step. Set the IP field to the desired starting network address using CIDR notation. Next set the Autoincrement field to the desired number of subnets to create, in this case it will be set to 128. Check the Create DHCP Pool box and then click Create.
Now there are 128 /24 subnets that have been created (10.0.0.1/24-10.0.127.1/24), and 128 VLANs have been configured (100-227) tied sequentially to the subnets.
2. Autoincrement with more than 1 subnet per VLAN
In this example the configuration will put more than 1 subnet into each VLAN. The number of VLANs in this case will be the number of subnets divided by the ratio. In this example there are 64 /30 subnets and the ratio will be set to 4. In this configuration there will end up being 16 VLANs configured.
Create a new VLAN Interface , give it a name, select the Physical Interface the VLANs will be tied to. Set the VLAN ID's field to the first VLAN to be used. Autoincrement is set to per-subnet , and Ratio is set to 4. If the Network Address is created already it can be selected, in this case it does not, click Create.
Next create a new Network Address , give it a name. Under the Interface section set the Ethernet field to select, and the VLAN field to the VLAN created in the previous step. Set the IP field to the desired starting network address using CIDR notation. Next set the Autoincrement field to the desired number of subnets to create, in this case it will be set to 64. Check the Create DHCP Pool box and then click Create
With this configuration there are 64 /30 subnets with 4 subnets per VLAN. 64(subnets) / 4(Ratio) gives us a total of 16 VLANs.
3. BNG with many VLANS inside a single subnet.
The autoincrement BNG feature enables a single subnet to be divided amongst a large number of VLANs. Autoincrement BNG maximizes public address space distribution efficiency. A public /24 CIDR block would typically need to be divided into 64 /30 CIDRs for distribution amongst subscribers. Each of the /30 CIDRs would then be assigned to a unique layer 2 microsegment. Thus a /24 CIDR block would typically support 64 subcscribers. This is an inefficient use of public IPv4 address space.
Network | VLAN |
---|---|
76.77.78.0/30 | VLAN 1000 |
76.77.78.4/30 | VLAN 1001 |
76.77.78.8/30 | VLAN 1002 |
â‹® | â‹® |
76.77.78.248/30 | VLAN 1062 |
76.77.78.252/30 | VLAN 1063 |
The autoincrement BNG feature enables efficient distribution of public static IPv4 24 CIDR blocks. For example, a /24 CIDR block can support 253 subscribers where each subscriber is microsegmented onto their own unique layer two on the distribution infrastructure. It may help to think of this as autoincrementing VLAN assignment via /32s instead of /30s. The difference is that all of the /32s share a single gateway that is accessible from all VLANs. In reality the BNG autoincrement mechanism enables distribution of the addresses on a /24 subnet to ensure client compatibility. This enables efficient use of address space while enforcing true segmentation through a universally compatible standards-based approach.
Network | VLAN |
---|---|
76.77.78.2/24 | VLAN 1000 |
76.77.78.3/24 | VLAN 1001 |
76.77.78.4/24 | VLAN 1002 |
â‹® | â‹® |
76.77.78.253/24 | VLAN 1251 |
76.77.78.254/24 | VLAN 1252 |
In the example below, autoincrement BNG microsegments each usable IP address in 76.77.78.0/24 onto a unique VLAN. VLAN 3002 on igb3 is configured with the first address of the CIDR 76.77.78.1/24 as if the entire CIDR were configured onto VLAN 3002. All of the usable IP addresses of CIDR 76.77.78.0/24 (76.77.67.2/24 to 76.77.78.254/24 inclusive) would normally share the same VLAN 3002. However with autoincrement BNG enabled, the usable IPs are spread across VLANs 3002 to 3254 inclusive.
Autoincrement BNG is unique in that it allows all client devices to share the same default gateway despite being microsegmented at layer 2. In this example, all client devices in VLANs 3002 to 3254 inclusive use 76.77.78.1/24 as their the default gateway. Sharing a single layer 3 default gateway IP address amongst a large number of layer 2 microsegmented clients dramatically improves the efficiency of IP address consumption.
It is important to note that only VLANs 3002 to 3254 inclusive are usable on igb3 when autoincrement BNG is enabled on igb3. It is impossible to assign additional VLANs to igb3 that fall outside of the BNG range as this would interfere with the autoincrement BNG functionality in the configuration described above. An operator may use Q-in-Q if they wish to configure both both BNG and non-BNG VLANs on the same physical interface. This is what we will discuss next.
In this example a single service VLAN (SVLAN 100) will be created and used as the parent VLAN that will contain many client VLANs (CVLANs 1000 to 1352 inclusive). Putting VLAN tags inside other VLAN tags is referred to as a Q-in-Q network architecture.
First create a new VLAN Interface that will be the parent VLAN that will contain the many VLANs. Give it a name. Select the Phyiscal Interface the VLAN will be attached to. Set the VLAN IDs that will be the parent VLAN. Set Autoincrement to none. If there are any Switch Port Profiles configured they can be added here to add the VLAN to any necessary ports. Click Create.
Next configure the VLAN pool that will be tied to the parent VLAN created in the previous step, these VLANs will be tied to IP address in that will be created in the next step as needed. Create a new VLAN Interface and give it a name. The Physical Interface should be unselected and the Service VLAN should be set to the Parent VLAN created in the previous step. The VLAN IDs should be set to the first VLAN to be used. Autoincrement should be set to per-ip , Ratio is set to 1. There is no need to select a Switch Port Profile as these VLANs will not be seen by the switch. Click Create.
Next create a new Network Address , give it a name. Under Interface the Ethernet field should be set to -select- , and the VLAN field should be set to the VLAN created in the previous step. Enter the IP address in CIDR notation in the IP field. The Autoincrement and Span field should be set to 1. Checking the Create DHCP Pool box will automatically create a DHCP pool for the addresses. Click Create.
With this configuration we have a VLAN (VLAN 1000), that contains our BNG VLANs (VLANS 100-352) which allows for the BNG VLANs to be assigned individually to a single IP within the BNG Addresses that were configured. Multiple IPs can be assigned the same VLAN within the address pool as needed and each assignment only consumes a single IP instead of a minimum of 4.
The use of the Q-in-Q network architecture allows a single physical interface to be used with multiple autoincrement BNG interfaces as well as static or dynamically configured VLANs. For example:
Here we see multiple BNG interfaces are created to support distinct downstream distribution equipment. We also see that there is an additional SVLAN that is dedicated for management infrastructure. The standards based nature of the autoincrement BNG approach enables unparalleled flexibilty and diversity. Any VLAN-aware distribution equipment, wireline or wireless, may participate in an autoincrement BNG deployment. In fact, it is even possible to have a single distribution infrastructure composed of equipment from multiple vendors and even mixing different forms of technology. A single installation may use BNG to efficiently distribute public IP addresses across DSL, GPON, DOCSIS, fixed wireless and PLTE all within the same deployment.
Routing
The routing view presents the scaffolds that configure settings to that control the static and dynamic entries into the rXg routing table.
The routing table of an rXg governs where packets are forwarded based on their desired destination. In a basic rXg installation where end-users are L2 connected to the LAN side of the rXg which is in turn connected to a single uplink, the routing table that is automatically created by the rXg is sufficient. In this case, no changes should be made to any of the scaffolds on the routing view.
If the rXg is deployed with a L3 routed distribution network for end-user access, then the rXg must be informed of all connected networks in order to properly route traffic and deliver forced browser redirection. This is typically accomplished by creating static routes for the various subnets that are connected behind L3 routers on the LAN side of the rXg.
The rXg supports distribution and integration of routes via RIP primarily for the purposes of simplifying cluster management. When an rXg cluster is deployed and routing between end-users on different nodes is desired, the rXgs must be informed as to all of the subnets that are behind the various cluster nodes. In addition, the rXg may broadcast router discovery responses to LAN nodes so that they may build up the internal routing tables on LAN nodes. This is particularly useful for LAN nodes that are locally and remotely accessible servers as this provides a simple mechanism for dynamic failover between multiple cluster nodes.
Static Routes
An entry in the static routes scaffold creates an entry in the IP routing table of the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The destination field configures the CIDR block for which a specific gateway is needed.
The gateway is the IP address of the next hop router for the CIDR block specified in the destination field.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RIP
The RIP scaffold controls the behavior of the rXg with respect to RFC 1058 and RFC 2453 router information protocol messages. The rXg may be configured to broadcast route advertisements as well as accept RIP announcements from other routers.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The transmit RIP checkbox enables the broadcast of route advertisements to locally connected networks. When this box is checked, the rXg will make RIP announcements
The receive RIPv1 and receive RIPv2 checkboxes enable the rXg to receive RIPv1 and RIPv2 route advertisements respectively.
The RIPv2 password field configures the shared security credential that will be used when sending and receiving RIPv2 announcements.
The trusted gateways field is where the operator specifies the routers from which RIP announcements will be accepted. In order to prevent injection of false routers, it is required that one or more trusted gateways be specified in order to receive RIP announcements.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Wired
The Wired view presents the scaffolds associated with configuring the wired distribution layer of your network, and monitoring/configuring the switch ports throughout your infrastructure.
Switches
An entry in the switches scaffold defines a piece of switching equipment with which the rXg will communicate for the purpose of effecting dynamic VLAN changes when necessary due to a policy shift for a device on the network.
When a device's VLAN assignment has changed due to a policy shift, the rXg will connect to the switch associated with the device's RADIUS realm via the protocol specified in the configuration, and force a disconnect/reconnect, which will reinitiate the RADIUS authentication process, thereby resulting in the new VLAN assignment being applied to the client device.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The device section specifies information of equipment being configured. Fields with bold text are required. Choose the appropriate option from the supported device types drop-down menu.
Enabling the Monitoring checkbox results in the rXg attempting to import and synchronize Switch Ports from the device, as well as perform ping monitoring of the switch itself, and collect CPU and Memory statistics, where possible.
The SNMP community field specifies the SNMP community string that will be used when attempting to gather CPU and/or Memory information, as well as to collect Switch Port utilization/error/discard data for graphing.
The Switch Fabric field assigns a switch fabric profile to this switch. The Loopback IP , System name , and SPB-m nickname fields must be provided when assigning a switch fabric profile. After supplying the necessary information, the Config sync status link becomes available in the scaffold.
For switches that support configuration management, the Config sync status column contains a link that allows the operator to access bootstrap instructions and enable synchronization.
When bootstrapping a new switch, the operator may retrieve bootstrap commands that will bring a factory default switch or wireless controller into the necessary state to participate in the fabric network, which may be copy/pasted into a console session on the device.
After initial bootstrapping and network connectivity is established, the operator may download a running configuration backup or compare the current running configuration to the expected configuration, based on the associated configuration elements. If changes are needed, they may be pushed to the switch. After successfully synchronizing manually the first time, future configuration changes will be pushed to the device whenever relevant configuration changes are made in the database.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Switch Fabric
An entry in the Switch Fabric scaffold defines the fabric area of a 802.1aq Shortest Path Bridging-MAC (SPB-m) deployment. All participating fabric switches share the common configuration found here. In addition, each participating fabric switch should have an Infrastructure Device defined with the necessary SPB-m configuration specific to that device.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Management I-SID field specifies the I-SID that will be associated with the Management VLAN for management traffic. The Management VLAN is configured per device, under the Switches scaffold.
The Manual area field specifies the IS-IS area that will be used within this fabric in the format: xx.xxxx (ex: 10.0001)
The Primary B-VLAN and Secondary B-VLAN fields indicate the VLANs which will be used for passing encapsulated traffic between participating fabric switches on switch ports designated as NNI ports. These VLANs should be unused elsewhere in your infrastructure.
Switch Ports
Entries in the Switch Ports scaffold are created automatically by enabling the Monitoring checkbox on a supported switch's Infrastructure Device. Ports are imported and speed, packet, error and discard rates are gathered via SNMP and made graphable for each switch port.
The name field represents the port's identification in the switch, and should not be changed.
The NNI Port designates this port as a Network-to-Network Interface. This option must be enabled for any port where two fabric-enabled switches interconnect.
The speed in bps field represents the port's maximum physical speed in bits per second.
Switch Port Profiles
Entries in the Switch Port Profiles scaffold define the behavior of downstream wired infrastructure device ports. Switch port profiles enable an operator to manage virtually unlimited switch ports, without configuring them individually.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Default checkbox, declares the selected switch port profile as the default for any newly imported switches
The Move Ports checkbox, if selected, will move ports associated with a different default profile to a profile upon save. This should be used in conjunction with the Default checkbox.
The Ports field defines individual switch ports to associate with this profile.
The Native VLAN field is used to define the untagged VLAN that ports associated to a profile should use.
The Shutdown checkbox declares ports associated to this profile to be disabled.
The VLANs field defines the VLANs that should be tagged on ports associated with a profile.
The RADIUS drop-down menu can be used to enable 802.1x or MAC Authentication Bypass, on ports associated to a profile.
The native I-SID specifies the network that untagged traffic from this port should be placed into when building a Fabric configuration script.
The NNI Port designates this port as a Network-to-Network Interface. This option must be enabled for any port where two fabric-enabled switches interconnect.
Wireless
The Wireless view presents the scaffolds associated with configuring the wireless distribution layer of your network, and monitoring/configuring the access points throughout your infrastructure.
WLAN Controllers
An entry in the WLAN controllers scaffold defines a piece of wireless equipment with which the rXg will communicate for the purpose of effecting dynamic VLAN changes when necessary due to a policy shift for a device on the network.
When a device's VLAN assignment has changed due to a policy shift, the rXg will connect to the WLAN controller associated with the device's RADIUS realm via the protocol specified in the configuration, and force a disconnect/reconnect, which will reinitiate the RADIUS authentication process, thereby resulting in the new VLAN assignment being applied to the client device.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The device field specifies the type of equipment being configured. Choose the appropriate option from the supported device types drop-down menu.
The enable telemetry boolean completely controls whether the rXg will attempt to receive and process telemetry data at all.
The Instrument from Telemetry checkbox results in the rXg using telemetry data to instrument the Access Points and Wireless Clients for this controller, instead of the regular API integration. If telemetry is enabled, the rXg will always instrument radio and client data, regardless of whether instrument from telemetry is enabled.
Enabling the Monitoring checkbox results in the rXg attempting to import and synchronize Access Points from the device, as well as perform ping monitoring of the Infrastructure Device itself, and collect CPU and Memory statistics, where possible.
The SNMP community field specifies the SNMP community string that will be used when attempting to gather CPU and/or Memory information, or Access Point data from WLAN controllers where an API is not available.
The NB portal password and NB portal usernames are used when executing API calls against RUCKUS's northbound portal interface. These must correlate with what is configured in the controller.
The Telemetry username and Telemetry password are used when authenticating an MQTT session with this WLAN Controller. These must correlate with what is configured in the controller's northbound data streaming subscriptions.
Vendor Specific Configuration Examples
For Infrastructure Devices which support configuration management, the Config sync status column contains a link that allows the operator to access bootstrap instructions and enable synchronization.
When enabling automatic WLAN controller configuration management, the operator should ensure that the timezone and country code set in the Device Options scaffold are accurate as they will be used when configuring wireless infrastructure.
After initial bootstrapping and network connectivity is established, the operator may download a running configuration backup or compare the current running configuration to the expected configuration, based on the associated configuration elements. If changes are needed, they may be pushed to the controller. After successfully synchronizing manually the first time, future configuration changes will be pushed to the device whenever relevant configuration changes are made in the database.
Vendor Specific Configuration Examples
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Piglet Sensor
Piglets are small, low-cost, raspberry pi based, sensors that can be used for a variety of purposes. Adding a WLAN Controller with a device type of "Piglet" and a host address of "127.0.0.1" in this scaffold will allow the piglet sensors to discover the rXg for adoption. Click Here to access the piglet documentation.
WLANs
An entry in the WLANs scaffold defines a wireless network that you wish to deploy on a supported WLAN controller.
The SSID field specifies the WLAN SSID that will be broadcast and visible to users.
The Encryption selection specifies the encryption algorithm which will be used for this WLAN.
The Authentication selection specifies the type of authentication that should take place in order for users to join the network. In order for Dynamic VLANs to be assigned, authentication must utilize MAC Authentication Bypass or one of the 802.1X methods.
The Default VLAN field specifies the VLAN that users should be placed into, assuming it is not overriden by Dynamic VLAN behavior.
The Tunnel checkbox instructs access points to build a tunnel to the controller or some other location, depending on the vendor, instead of locally bridging the client traffic.
Application Examples: - RUCKUS SoftGRE Tunnel
The Enabled checkboxes allow the operator to enable or disable a WLAN for a particular radio across all profiles where it is utilized.
Dynamic VLANs require the association of at least one VLAN record which is tied to a RADIUS Realm.
The RADIUS Accounting checkbox instructs the Access Point to send accounting information to the RADIUS server as users join, use, and leave the network.
The Access Point Profiles selection specifies which Profiles should include this WLAN.
Access Point Profiles
An entry in the Access Point Profiles scaffold defines a set of common configuration parameters to be applied to a set of Access Points.
The Default checkbox indicates that this Profile will be the default Profile for this Infrastructure Device. Any Access Point which has not been explicitly assigned to a Profile will be placed into this Profile.
The WLANs association defines whoch WLANs will be broadcast on Access Points that fall into this Profile.
The Access Points association allows the operator to explicitly assign a profile to one or more Access Points. Selected Access Points which do not belong to the Infrastructure Device that the Profile is assigned to will be automatically deselected upon saving.
The Management VLAN field specifies which VLAN the Access Points in this profile will use to attempt to obtain an IP address via DHCP.
The 2.4GHz Data Rates and 5GHz Data Rates fields allow the operator to restrict the types of devices that may join the network to only those supporting a specific subset of data rates. By default, 802.11b rates are disabled to improve network performance.
The 2.4GHz Antenna Gain and 5GHz Antenna Gain fields allow the operator to specify antenna gain values (in dBi) that will be applied to Access Points which use external antennas.
The Outdoor APs checkbox instructs the system to enable or disable outdoor power and channel tables for the radios in order to be compliant with regulatory rules.
Access Points
Entries in the Access Points scaffold are created automatically by enabling the Monitoring checkbox on a supported wireless controller's Infrastructure Device. Status and statistics are gathered on an ongoing basis via API and/or SNMP.
After creation, the operator may reassign an Access Point's Access Point Profile in order to control the WLAN and radio settings applied to it. Access Point details are updated on a regular basis via background interaction with the Infrastructure Device.
Access Point Radios
Entries in the Access Point Radios scaffold are created automatically by enabling the Monitoring checkbox on a supported wireless controller's Infrastructure Device. Status and statistics are gathered on an ongoing basis via API and/or SNMP.
Access Point Radio Profiles
Entries in the Access Point Radio Profiles scaffold can be assigned to WLANS in the Access Point Profiles scaffold. The HW Mode Preference field ia a comma separated listing of supported radio type, 'A' (5 Ghz, 802.11 A and 802.11 AC), 'B' (2.4 Ghz 802.11 B), or 'G' (2.4 Ghz 802.11 G). The order matters, as HW Modes are preferred as listed, left to right. Selected Channels is a list of numbers associated with the HW Mode Preference. The list can be a comma separated list of individual channels, or ranges of channels (i.e. '1,2,3,4,5,6,7,8,10,11' can be represented as '1-11').
Access Point Zones
An entry in the Access Point Zones scaffold defines the configuration common throughout this site.
Entries in the Access Point Zones scaffold are populated automatically after enabling the monitoring checkbox for a supported WLAN controller Infrastructure Device.
The Enable DFS channels checkbox instructs the Access Points in this Access Point Zone to broadcast at the 5GHz frequencies that are generally reserved for radars. Disabling the Dynamic Frequency Selection (DFS) prevents the use of 5GHz channels 52 - 140.
The 5GHz Channel Width option allows the configuration of channel width for the 5GHz radio for Access Points in this Access Point Zone.
Location
The Location view presents the scaffolds associated with configuring the location services layer of your network.
Location Services
An entry in the Location Services scaffold defines a Location server with which the rXg will use to determine the location of a wireless client.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The Type field specifies the type of equipment being configured. Choose the appropriate option from the supported device types drop-down menu.
The Host field is the IP address or domain name of the Location device.
The Subnet mask field is used to enter the subnet mask of the network the location device is on.
The Gateway IP field is used to enter the gateway IP address of the location device.
The API port field is used to set the API port, leave blank for device default.
The Username field sets the device admin username.
The Password field sets the device password, note password will remains the same if left blank.
The API key field sets the device API key.
The Timeout field sets the connection timeout in seconds.
The Areas field sets the location areas managed by this service.
The Location events checkbox will create device location events for notifications recieved from the server if checked.
Location Areas
An entry in the Location Areas scaffold allows the Operator of the rXg to define areas that can then be tied to Location Categories.
The Type field is used to determine if the area is a floor or site.
The Category field if set specifies the category applied to events in this area, unless overridden by a more specific category.
The Parent field sets the parent are which contains this area. Example, a site may be a parent to floor.
The Conference AP's field allows the Operator to add any AP's that should be used for Conferences, this used in conjunction with the conference tool makes it easy to broadcast Conference SSIDs to only the areas where the conference is taking place.
The Conference Ports field allows the Operator to add switch ports that should be used for Conferences.
When configured the Admin Roles field sets the admin roles that will be able to request pending admin transactions from APs in this Location Area.
The Min Gradient and Max Gradient fields allow the operator to override the default heatmap gradiation coloration.
Location Categories
The Areas field allows the Operator of the rXg to assign categories to specific Location Areas , which includes any APs selected when creating the category.
The Access Points field allows the Operator to select specific APs that will be tied to this Location Category.
The Infrastructure Devices field allows the Operator to assign Infrastructure Devices to the Location Category.
Device Locations
The Device Locations scaffold lists the reported location of devices on the network. The Time entry shows the time the record was created. The MAC entry lists the MAC address of the connected device. The Session entry shows the login session for the device. The Account entry lists the account the device is a member of. The Event field shows the event type for record. The Area field shows the Location Area the record belongs to and the Category field shows the Location Category the record is associated with. The Dwell entry displays the amount of time the device has been in a given area. The Last Area and Last Category entries display the previous are and category the device was associated with. The Access Point entry lists the IP and MAC address the device was connected to at the time the entry was created. The SSID field displays the SSID the client device was connected to. The WLAN entry shows the WLAN on the rXg the client device was associated with. The RADIUS Realm entry shows the radius realm the device authenticated against. The Location Device lists the Infdev device providing the location information.
Example Setup
In this example shows the process of setting up location in a MDU.
- Add floorplan to location area.
- Create regions for AP placement.
- Place AP's into regions.
Create Location Categories and add AP's.
Add floorplan to location area.
Navigate to Network::Location and create a new Location Area. The Name field is arbitrary, enter a name. Change the Type field to Floor. Note: by selecting floor it allows the operator to upload a floor plan and this will become the partent for any regions that are created, if Site is selected this will be the parent of the floors. Leave Category on -select- as there are none to select at this time. For the Floorplan field click the Choose File button and select the floorplan image to be used. Set the Floor number field to set the floor number. Leave the Parent field on -select- and hit the Create button.
- Create regions for AP placement.
To create regions click on the Floorplan in the Location Area scaffold, this will open up the map allowing the placement of AP's and Regions.
In the Add a Region section enter a name for the region, pick a color for the region and then click Add Region. This create a region that can be placed on the floorplan. The region can be resized by dragging the bottom right corner.
Drag the region to the desired area on the floor plan, adjust size and click save.
Repeat for each area that needs a region.
- Place AP's into regions.
Select an AP from the Place an Access Point / Senso: dropdown. Click the Drag me button.
This will generate an AP that can be placed on the floor plan, the first AP will go in Unit1.
Drag AP to its placement on the map and click Save.
Repeat this step for each AP that is present on the floorplan.
- Create Location Categories and add AP's.
Create a new Location Category.
The Name field is arbitrary, in this case there will be a Location Category created for each unit, the name will reflect the unit. Select the unit for in the Areas field. Select the AP or APs from the Access Points field. Click Create.
Repeat for each Unit.
The rXg is now configured to start keeping track of Device Locations. In order for this to work at a minimum, radius account packets must be received. The below image shows the WLAN settings for the SSID setup for this example. Note: In this example we have control of the wireless infrastructure creating the WLAN pushed all needed settings, without control the WLAN would need to be configured manually on the wireless infrastructure.
The below image shows the information received in the Device Location scaffold.
Recalibration
In order for location-aware functionality to work as well as possible, setting the right calibration on your floorplan is essential. In order to begin recalibration, click on 'Begin Recalibration' In the floorplan view:
Next, click a point on the map. Often times, a wall or one side of a door frame is a good choice because they are easy to measure, in fact most doors are roughly 1 meter wide.
After you clicked your first point, click your second point
After you clicked your second point, enter the distance between the two points in meters, and click Finish.
Finally just let the floor plan view close on its own and reopen it.
After you re-open the floor plan, the new calibration will be displayed.
WAN
The WAN view presents the scaffolds associated with configuring the wide area network interfaces.
An rXg requires at least one properly configured entry in the uplinks scaffold in order to function. If more than one uplink is configured, the rXg can aggregate and failover WAN uplinks. In addition, the rXg can affine and diversity LAN traffic over the WAN uplinks.
An uplink must be configured with a valid IP address and gateway to function. To use DHCP to obtain an IP address and gateway dynamically, simply check the DHCP checkbox in the uplink record. As an alternative, a static IP address may be manually specified by creating a record in the addresses scaffold and associating the record with an uplink. The gateway for a statically assigned IP block must be manually configured in the uplink record. If the upstream ISP requires PPPoE authentication, configure the ISP supplied credentials into a record of the PPPoE scaffold and associate the record with the uplink.
Ethernet Interfaces
An entry in the ethernet interfaces activates and configures a physical port on the rXg to take part in in networking connectivity.
In most cases, at least two ethernet interfaces must be configured (one for the WAN, one for the LAN). In multiple uplink scenarios, it is common to have one ethernet interface configured for each WAN uplink. It is also possible to use VLANs on a single ethernet interface to configure unlimited WAN and LAN interfaces.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The port field determines the physical ethernet port that this record will activate and configure.
The media field configures the speed and duplex of the Ethernet port. In most cases, the autoselect setting will automatically negotiate the fastest possible link. Autoselect should also be used if automatic crossover detection is required as most Ethernet hardware will disable automatic crossover if anything other than autoselect is specified as the media type.
If physical link cannot be established, first check the physical cable using an isolation test. If the cable is determined to not be the issue, try setting the ethernet interfaces on both sides of the cable to the same speed and duplex. Note that if a straight cable is connected between two nodes, that cable will need to be replaced with a crossover because automatic crossover detection will be disabled when a media type other than autoselect is specified. In addition, using a lower speed setting and avoiding full-duplex communication may be necessary when the cable is long or does not meet the standards needed for higher speed communication.
The MTU setting configures the maximum transmission unit (frame size) for this interface. By default, most ethernet interfaces support 1500 bytes. Large MTUs may be used in gigabit networks that support jumbo frames to obtain better throughput when transferring large files. Support for jumbo frames must be present throughout the infrastructure in order for larger MTUs to work properly.
The addresses , uplink , VLANs and PPPoE fields link an Ethernet interface to a configuration defined by the specified scaffold. These fields shown here are mainly presented for informational purposes. In most scenarios, an administrator will link the address, uplink, VLAN or PPPoE configuration to the Ethernet interface using the other scaffold.
The backup port field specifies an alternative ethernet interface to assign the addresses , uplink , VLANs and PPPoE configuration settings when this ethernet interface goes down. An ethernet interface is marked as down if it loses link or if all of the ping targets associated with it go offline. The VLANs and Network Addresses associated with an ethernet interface are moved to the backup port when the ethernet interface is marked as down. The backup port mechanism is designed to be used with generic L2 switching. Backup ports should not be used with any LAG/MLT/SMLT/LACP configuration on the connected switch.
The checksum offload , TCP segmentation offload and large receieve offload settings offload the specified processing to the NIC hardware when possible. In some cases this may cause instability and in other cases there are performance benefits.
Uplinks
An entry in the uplinks scaffold declares a specified logical interface as a WAN uplink. At least one uplink must be configured for proper rXg operation. More than one uplink may be configured in link control scenarios when the operator has obtained multiple WAN drains. When multiple uplinks are configured, the rXg can aggregate and failover between uplinks as well as diversify and affine LAN traffic amongst them.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the order of precedence during failover in a link control scenario. When only one uplink is configured, this field has no effect as there is no uplink to failover to. When multiple uplinks are configured and connection aggregation is enabled, a failure of a link will cause another member of the pool to forward all traffic. If aggregation is not enabled, or all uplinks within a pool have failed, then the uplink with the highest priority amongst all of the remaining uplinks will be used to forward the traffic.
The interface , PPPoE and VLAN drop downs specifies the mechanism by which this uplink will forward traffic upstream. Only one option may be selected for each uplink.
The DHCP checkbox enables the DHCP client for this uplink. The network address, subnet mask and default gateway of this uplink are requested from the DHCP server. If a statically configured IP address is desired, leave this checkbox cleared, create a record in the addresses scaffold and associate it with this uplink.
The gateway IP specifies a statically assigned default gateway for this uplink. The default gateway must be within the IP block defined by the network address associated with this uplink. This field should remain blank if the DHCP checkbox is set.
The upload speed and download speed fields describe the throughput of the uplink.
Network Addresses
An entry in the network addresses scaffold defines an IP block that will be associated with an interface, uplink or VLAN.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The IP field specifies the IP address using CIDR notation that will be configured on the interface specified. If the address record will be used for configuring multiple addresses on the interface via the span field, the IP field configures the first (lowest) IP address of the range.
The span field specifies the range of IP addresses configured by this address record. The default value of 1 is assumed if this field is omitted. For LAN links, a span of 1 is typical. For WAN links, a span of greater than 1 automatically enables translation pooling in NAT scenarios. In addition, bidirectional network address translation (BiNAT) requires the WAN link to span one additional address for each BiNAT.
PPPoE Tunnels
An entry in the PPPoE tunnels scaffold enables the point-to-point protocol over Ethernetclient to connect with the specified credentials through an Ethernet interface for the purpose of configuring a valid uplink.
The username and password fields specify the credentials for the PPPoE client. The credentials are assigned by the upstream ISP.
The service name is an optional service selector. If the upstream ISP did not provide a specific value, leave this field blank.
The interface field associates this PPPoE tunnel with an Ethernet interface. It is highly recommended that an Ethernet interface associated with a PPPoE tunnel be used exclusively for this purpose. Avoid associating addresses, VLANs, and other entities with an Ethernet interface that is designated for a PPPoE tunnel.
The uplink field associates this PPPoE tunnel with an uplink. To use PPPoE, an uplink must be associated with a record in the PPPoE tunnels scaffold, which in turn, is associated with a Ethernet interface. Do not associate an uplink that has a PPPoE tunnel enabled with the Ethernet interface directly.
DNS Servers
An entry in the DNS servers scaffold specifies an upstream DNS server to use for DNS resolution.
It is highly recommended that at least one upstream DNS servers be configured for network resilience, else the built-in DNS server is used for resolution. Without DNS resolution, no networking services will operate.
Many ISPs will provide DNS server entries. These DNS servers should be configured into this scaffold. In a link control scenario where multiple uplinks from a diverse set of ISPs are configured in parallel, the DNS servers for all of the upstream ISPs should be configured with the appropriate uplink setting selected. In this case, theGoogle Public DNS or OpenDNS servers may be used as backup DNS servers for all uplinks.
The IP field specifies the IP address of the DNS server that is to be used for DNS queries. In most cases, the upstream ISP will provide the IP addresses for the public DNS servers for a specific uplink. If no servers are provided, using the Google Public DNS orOpenDNS is a good alternative.
The uplinks field associates uplinks with the DNS server specified in this record. In many cases, the upstream ISP will have DNS servers that are restricted to their customers so it is important to make sure that the right IP is associated with the proper uplink.
Configure IPV6 to IPV4 Tunnel
In this example we will configure the rXg with an IP tunnel that will allow us to access IPv6 addresses over an existing IPv4 connection. The IPv6 tunnel end point is provided by https://ipv6.he.net after passing a basic certification process. We will need to create an IP Tunnel, an Uplink, a Network Address, and lastly a DHCP pool. To begin navigate to Network::WAN.
First we will create an IP Tunnel.
Give the IP Tunnel a name. The Type field should be set to GIF. Set the Local Interface field to the WAN interface. The Remote IP field is the Server IPv4 Address obtained from he.net. The Tunnel Local CIDR field is the Client IPv6 Address obtained from he.net. The Tunnel Remote IP is the Server IPv6 Address obtained from he.net. Click Create.
Next create a new Uplink, give the uplink a name, priority should be lower than your primary uplinks. Change the IP Tunnel field to the IP Tunnel created in the previous step. Click Create.
Next create a new Network address to create the LAN DHCP addresses that the system will hand out to IPv6 enabled clients. Give the Network addresses a name, select the ethernet interface the addresses will be configured on, and fill out the IP field with the information obtained from HE, in the Routed IPv6 Prefixes section. Note that the address given ends with :: which is invalid so append the IP you want to assign to the system usually 1. Checking the Create DHCP Pool box is optional, for this example setup it will not be checked and we will create the DHCP pool. Click Create.
Next navigate to Services::DHCP and create a new DHCP pool. As long as the last address created was the address from the previous step it will auto fill the fields. It may be a good idea to reduce the scope of the pool by changing the end IP from 2001:470:1f07:210:ffff:ffff:ffff:ffff to 2001:470:1f07:210::ff. Click Create
Now if we SSH into the machine and run ifconfig gif0 we should see our intferface configured with the IPv4 Tunnel addresses as well as the IPv6 Address, and we should be able to ping an IPv6 addressing using ping6 like ping6 google.com.
NAT
The NAT view presents the scaffolds that configure settings to modify the network address translation mechanisms of the rXg.
NAT
Entries in the NAT scaffold configure network address translation between LAN subnets and WAN addresses.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The addresses and static routes field specify the source LAN subnets for which network address translation will be enabled by this record.
The uplinks field specifies the destination WAN address(es) to which the selected LAN will be network address translated.
The Reverse NAT field specifies that traffic sent via selected Uplink is to be NATd to the first IP of the selected Addresses. This option is primarily used when the upstream ISP routes a block of public IPs to the rXg's primary uplink IP (often assigned via DHCP), and those IPs are assigned to a LAN interface for distribution to clients, but there is a need for outbound traffic from the rXg to always be sourced from the routed block of IPs rather than the DHCP uplink IP.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
If no records are present in the NAT scaffold, the rXg will automatically enable NAT from subnets that are configured with RFC 1918 specified private addresses.
Static IPs
An entry in the Static IPs scaffold creates a one-to-one mapping between an IP address within a span associated with an uplink and a private IP address on the LAN . This feature is typically used to give public access to a resource that is configured on a private IP address such as a web server.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Source IP field determines the destination of the translation of traffic originating from the Public IP.
The Public IP field specifies the IP address within a span of addresses associated with an uplink that will be translated to the Source IP.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Dynamic BiNAT Pools
An entry in the Dynamic BiNAT Pools scaffold specifies a range of IP addresses that may be dynamically assigned to devices whose account has a Max BiNATs value of 1 or greater, and whose policy is enabled for this Dynamic BiNAT Pool. This feature is typically used to give public access to a resource that is configured on a private IP address such as a web server or a gaming device which requires open incoming firewall ports for proper operation.
The end-user may subscribe to a usage plan which allows Dynamic BiNAT, and may enable BiNAT functionality for specific device(s) by accessing the manage devices page of the portal. The operator may also change the active BiNAT device(s) by editing the account's device list. Care must be given to ensure that the range of addresses configured here is large enough to accomodate the number of devices that are configured for Dynamic BiNAT.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Start IP field determines the first IP address of the range of uplink addresses that will be used as the Dynamic BiNAT IP for eligible devices. The IP should fall within a span of addresses associated with an uplink that is associated with the device's link control.
The End IP field specifies the last IP address in the range of uplink addresses that will be used as the Dynamic BiNAT IP for eligible devices. The IP should fall within a span of addresses associated with an uplink that is associated with the device's link control.
The Policies field specifies policies that may utilize this BiNAT Pool. When an associated Policy contains Accounts, a number of IP's specified in the Max BiNATs field of the Account will be assigned to that Account. The end user will be able to configure up to that many DMZ devices through the manage devices page in the captive portal. When an associated Policy contains devices that do not belong to an account, such as from an IP group or MAC group, a BiNAT will be assigned to each device currently connected that belongs to the associated Policy. If no policies are associated with this BiNAT pool, the pool is effectively disabled, and the addresses will be available for regular NAT.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Example BiNAT Deployments
Below are 3 BiNAT deployment examples.
Example 1: Dynamic BiNATs
In this example the operator has configured the rXg to have a block of public IP address that are used for CGNAT and another pool that users can dynamically be assigned a public IP address from that can used as NAT for the account. This IP can be assigned to a specific device (DMZ), and can also be used for UPNP.
First a block of public IP address must be assigned to an interface.
Next we need to configure a BiNAT pool by going to Network::NAT , in this case half the public IP addresses will be used for BiNAT's. The Operator can control which accounts/clients can be assigned a BiNAT by selecting the Policies that can use the pool. In this case only users in the Residents-Premium policy will be able to draw from the pool.
Being in the Residents-Premium policy is not all that is required the account must also be set to allow the use of BiNAT IP address. This is controlled by the Usage Plan the user has purchased. This can be set by going to Billing::Plans. Edit the appropriate Usage Plan and look at the Sessions section of the account. Here the Operator can set the number of Max dedicated IPs , in this example it is set to 1. UPnP has also been selected in this case.
Now users who purchase the Residents-Premium plan will have a BiNAT assigned to their account that all the traffic from their devices will NAT through and their devices can create UPnP port forwads automatically.
Example 2: Static Dedicated BiNATs
In this example the rXg has been configured so that each account gets assigned a BiNAT that is static. First a block of public IP addresses must be configured.
Next the BiNAT pool must be configured to consume the entire block of public IP address, and the appropriate policies must be allowed access to the BiNAT pool. Network::NAT.
The account must also be set to allow the use of BiNAT IP address. This is controlled by the Usage Plan the user has purchased. This can be set by going to Billing::Plans. Edit the appropriate Usage Plan and look at the Sessions section of the account. Here the Operator can set the number of Max dedicated IPs , in this example it is set to 1. By checking the Static dedicated IPs box the NAT IP or IPs are reserved and remain staic for the lifetime of the account. UPnP has also been selected in this case.
In this example each account is assigned a BiNAT address when created, and the IP assigned will remain for the lifetime of the account. This is the equivalent of having a static public IP address.
Example 3: BroadBand On Demand
In this example the rXg has been configured so that each account selects the number of Dedicated IP's (BiNAT addresses) that will be assigned to the account at time of purchase. A block of Public IP address must be configured via Network::WAN.
Next the BiNAT pool must be configured to determine which IP address can be used for dedicated IPs, and the appropriate policies must be allowed access to the BiNAT pool. Network::NAT.
The Usage Plans for this example must be configured to allow the user to pick the number of Dedicated IPs by using the Plan Addons scaffold via Billing::Plans. Here two Plan Addons have been created allowing the user to purchase additional Dedicated Ips and allows them to make them static by purchasing the static IP option.
The above configuration allows the user when purchasing a plan to select how many dedicated IP's they want and can purchase the ability to make them static as well.
NAT Reversal example
Video Configuration Guide and Demonstration
In this example a NAT rule will be created for NAT Reversal, it will be assumed here that the ISP is handing out a private IP address and routing a static block of public IP addresses to the private IP address. Traffic that originates from the WAN IP address of the rXg will be NAT'ted to the first IP address of the public static block on the LAN. What this means is that if a client device were to go to whatismyipaddress it would report the first IP address of the static block on the LAN and not the WAN IP address. Inbound traffic from the Internet destined to the first IP address of the public static block on the LAN is now redirected to the WAN IP address of the rXg. This means that if the operator were to put in their browser the first Public IP address from the static LAN block, they would be getting to the WAN of the system.
To configure this there needs to be a WAN uplink that would usually be a static IP address however it could be DHCP that assigns a static IP, and there needs to be a block of static Public IP addresses routed to the uplink IP. Below is an example Uplink configuration that receives a WAN IP via DHCP.
To configure this with an assigned static WAN IP address, create a new Uplink or edit an existing one. Select the interface. Make sure the DHCP box is unchecked, and enter the gateway IP address. Create or update the uplink.
Next create a new Network Address and assign the IP address to the uplink. Give the Network Address a name, and select the interface, the interface should match the interface of the Uplink. Enter the address to be assigned to the uplink and click create.
Next the Static Block of Public IP address will be created. Create a new Network Address. Give the record a name, select the interface that matches the uplink in this case it is vmx1. Enter the IP address in cidr notation. Only a single IP address is needed here however we can assign more to the system by adjusting the span if needed. Setting the span to 2 in this example would assign the .2 and .3 address to the system. Click Create.
Next navigate to Network::NAT and create a new NATs rule.
Give the record a name, select the Uplink and check the Reverse NAT box. Next select the Network Address created in the previous step and click Create.
With this configuration in place, a device on the LAN that goes to whatismyipaddress.com would report that it's IP address was 192.170.0.1. A device going to https://192.170.0.1/admin would get the Admin GUI of the system, even though the uplinks IP is a private address.
LAN
The LAN view presents the scaffolds associated with configuring the local area network interfaces.
An rXg requires at least one properly configured LAN address in order to function. To configure an IP address on an interface, create a record in the addresses scaffold and associate it with an Ethernet interface record. If the LAN distribution network is connected via an 802.1Q VLAN trunk, create VLAN interfaces using the VLANs scaffold and then associate address records with the VLAN interfaces.
Ethernet Interfaces
An entry in the ethernet interfaces activates and configures a physical port on the rXg to take part in in networking connectivity.
In most cases, at least two ethernet interfaces must be configured (one for the WAN, one for the LAN). In multiple uplink scenarios, it is common to have one ethernet interface configured for each WAN uplink. It is also possible to use VLANs on a single ethernet interface to configure unlimited WAN and LAN interfaces.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The port field determines the physical ethernet port that this record will activate and configure.
The media field configures the speed and duplex of the Ethernet port. In most cases, the autoselect setting will automatically negotiate the fastest possible link. Autoselect should also be used if automatic crossover detection is required as most Ethernet hardware will disable automatic crossover if anything other than autoselect is specified as the media type.
If physical link cannot be established, first check the physical cable using an isolation test. If the cable is determined to not be the issue, try setting the ethernet interfaces on both sides of the cable to the same speed and duplex. Note that if a straight cable is connected between two nodes, that cable will need to be replaced with a crossover because automatic crossover detection will be disabled when a media type other than autoselect is specified. In addition, using a lower speed setting and avoiding full-duplex communication may be necessary when the cable is long or does not meet the standards needed for higher speed communication.
The MTU setting configures the maximum transmission unit (frame size) for this interface. By default, most ethernet interfaces support 1500 bytes. Large MTUs may be used in gigabit networks that support jumbo frames to obtain better throughput when transferring large files. Support for jumbo frames must be present throughout the infrastructure in order for larger MTUs to work properly.
The addresses , uplink , VLANs and PPPoE fields link an Ethernet interface to a configuration defined by the specified scaffold. These fields shown here are mainly presented for informational purposes. In most scenarios, an administrator will link the address, uplink, VLAN or PPPoE configuration to the Ethernet interface using the other scaffold.
The backup port field specifies an alternative ethernet interface to assign the addresses , uplink , VLANs and PPPoE configuration settings when this ethernet interface goes down. An ethernet interface is marked as down if it loses link or if all of the ping targets associated with it go offline. The VLANs and Network Addresses associated with an ethernet interface are moved to the backup port when the ethernet interface is marked as down. The backup port mechanism is designed to be used with generic L2 switching. Backup ports should not be used with any LAG/MLT/SMLT/LACP configuration on the connected switch.
The checksum offload , TCP segmentation offload and large receieve offload settings offload the specified processing to the NIC hardware when possible. In some cases this may cause instability and in other cases there are performance benefits.
In this example, there is no redundancy as there is only one path between the rxg and all network switches. If the rxg loses connectivity with Switch A, Switch B, C, and D will also lose access.
A slightly better version of the above configuration would be to add a Backup Port so that if the primary link to switch A becomes unusable, a secondary link can be utilized.
Edit the primary interface, select several Ping Targets , then select a Backup Port.
In this example, when Igb3 loses link or all Ping Targets fail to respond, the VLANs and Network Addresses associated with Igb3 are moved to the Backup Port Igb2. Igb3 is marked as down.
However, this still leaves Switch A as a single point of failure. Consider the below topology for a higher level of redundancy.
This feature is not dependent on proprietary protocols and as such will work with most any available switch.
Sample Topology: Redundant Core Switches
Sample Topology: Redundant Gateways and Core Switches
Pseudo Interfaces
VXLAN
VXLAN, or Virtual Extensible LAN, is a network virtualization technology designed to address limitations of traditional VLANs (Virtual Local Area Networks) in large environments. VXLAN tunnels Layer 2 Ethernet traffic over a Layer 3 IP network by wrapping local area network data packets inside IP packets for transport across a larger IP network. VXLAN overcomes the limited number of VLANs supported by traditional methods. It uses a 24-bit identifier, allowing for millions of virtual networks compared to the roughly 4,000 of standard VLANs.
Bridge
The bridge interface allows two or more interfaces to have a connection between them at Layer 2. This essentially combines them into a single logical network segment, allowing devices connected to either interface to communicate directly with each other.
LAGG
LAGG, which can also be referred to as LAG (Link Aggregation Group), stands for Link Aggregation. It's a networking technology that groups multiple physical network interfaces together into a single logical interface. This essentially combines the bandwidth and, in some cases, provides redundancy for network connections.
Multiple Interfaces, One Logical Interface: By aggregating several physical interfaces, LAGG creates a single, high-bandwidth logical interface. This can be beneficial for applications requiring a lot of data transfer, like video streaming or large file transfers.
Increased Bandwidth: The combined bandwidth of all the physical interfaces in the LAGG is available to the logical interface. For instance, if you combine two 1 Gbps interfaces using LAGG, you'd get a logical interface with a potential bandwidth of 2 Gbps.
Redundancy: In addition to increased bandwidth, LAGG can also provide redundancy. If one of the physical interfaces in the LAGG fails, traffic can still be transmitted over the remaining active interfaces. This helps to improve network uptime and fault tolerance.
Protocols: There are different protocols for LAGG interfaces, with the most common one being LACP (Link Aggregation Control Protocol). This protocol negotiates with a compatible switch to automatically bundle the physical interfaces into a LAG. Both the switch and the device using LAGG need to support LACP for this to work.
Other protocols included Failover, Load Balance, Round Robin, and Broadcast.
WireGuard
WireGuard is a streamlined approach to virtual private network (VPN) protocols. It emphasizes three key aspects:
Ease of use: WireGuard is designed to be simpler to set up and use compared to other VPN protocols like OpenVPN. This is achieved by having a lean codebase and focusing on essential functionalities.
High performance: WireGuard prioritizes speed. It uses modern cryptographic techniques and a streamlined approach to achieve faster connection speeds and lower latency compared to traditional VPN protocols.
Security: Despite its simplicity, WireGuard offers robust security. It utilizes state-of-the-art cryptography and keeps the attack surface minimal by design.
SoftGRE
A SoftGRE tunnel is a type of tunneling protocol that uses Generic Routing Encapsulation (GRE) to transport Layer 2 Ethernet traffic over an IP network. In simpler terms, it encapsulates Ethernet data packets within GRE packets, allowing them to be sent across an IP network that wouldn't normally support them.
SoftGRE tunnels are particularly useful for extending WiFi networks. They can be used to connect geographically separated WiFi access points (APs) to a central rXg, creating a seamless network for users.
The following configuration steps provide an example of how to configure the rXg as an endpoint for a SoftGRE tunnel.
- The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
- Set the Interface type to SoftGRE.
- The Members field indicates where tunneled traffic can egress. In this example, only tagged traffic on VLAN 777 will be accepted. Interfaces can be used for untagged traffic and VLANs will be used for tagged traffic.
- In the SoftGRE Listen Interface you will set where incoming SoftGRE connections will be accepted from. Polices will be used to identify LAN side tunnels and WAN Targets will be used to identify tunnels originating from the WAN.
Vendor Specific Configuration Examples - RUCKUS SoftGRE Tunnel
SoftGRE Tunnel Troubleshooting
Confirm the presence of interface bridges The bridge number will be the same as the VLAN with an extra 1 at the beginning. For example if vlan2000 should be carried over the tunnel, you should also have a bridge12000. In our example, there will also be an additional 0 because the VLAN ID is only 3 digits. VLAN 777 becomes bridge10777.
This can be confirmed via SSH with the following command:
ifconfig | grep bridge10777
Confirm the traffic is flowing over the bridge interface
This can be done by using tcpdump
to confirm that you see unicast traffic over the interface. For example, have a client connect and ping 4.2.2.2.
Continuing the use of bridge10777, I will use the following tcpdump
statement tcpdump -ni bridge10777
and confirm that I can see unicast traffic from my client device.
VLANs
The rXg defines a logical 802.1Q virtual LAN interface for each entry in the VLANs scaffold. A good reference for understanding VLANs and trunk ports is Network Warrior (ISBN 0596101511) by Gary Donahue.
Creating a VLAN implies that the Ethernet interface that is directly associated with it is a VLAN trunk port. The device connected to the Ethernet interface must be similarly configured to accept traffic for the VLAN ID specified in this record.
The Physical Interface drop down associates this VLAN logical interface with an Ethernet interface. A VLAN logical interface presents itself in the same manner as a Ethernet interface for network address configuration and policy management purposes. However, the VLAN must be associated with an Ethernet interface so that it knows what physical port to transmit and receive on.
The Service VLAN drop down associates this VLAN with a Q-in-Q parent VLAN interface. Note: if using Q-in-Q the operator should make sure that VLAN hardware filtering is disabled on the Ethernet Interface by navigating to Network::LAN editing the interface and confirm that the VLAN hardware filtering box is unchecked.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The VLAN ID is an integer value that is used in the VLAN identifier field of the frames transferred over the physical interface defined by this record. The field is 12-bits in the ethernet frame, making the range of values from 0 to 4096. The 0 value is reserved for native traffic and 1 is used for management by many bridges and switches. In addition, 4095 is reserved by most implementations.
The I-SIDs (Backbone Service Instance Identifier) can be used to identify any virtualized traffic across an 802.1ah encapsulated frame.
The Autoincrement drop down changes how VLANs are configured with regards to the number of subnets. none | single L2 | n tags=1 will result in a single VLAN being associated to a single subnet or subnets. per-subnet | auto-increment L2 w/L3 | n tags = subnets / ratio means the number of VLANs that will be configured is the number of Subnets divided by the ration. With a Ratio of 1 and tied to a Network Address that has 32 subnets, 32 VLANs will be configured. With a Ratio of 2 and a Network Address with 32 subnets, 16 VLANs will be configured (32 / 2 = 16).per-IP | auto-increment L2 over split L3 via BNG | n tags = (usable IPs / ratio)means if we have a Network Address configured with 32 usable IP addresses the number of VLANs that will be configured is the number of IP address divided by the ratio. Given a Network Address with 32 usable IP addresses and a Ratio of 1, 32 VLANs will be configured. If the Ratio is set to 2, 16 VLANs will be configured (32 / 2 = 16).
The Ratio field is the number of autoincrement subnets or usable IPs in each VLAN tag.
The MAC Override allows the operator to adjust the MAC address(es) assigned to each VLAN interface created based on this VLAN configuration. The MAC address assigned to each VLAN will be the MAC Override incremented for each VLAN interface created. The first VLAN interface created will use the value of MAC Override. For each additional VLAN created, the value will be incremented by 1. For example a MAC Override of ff:ff:fe:00:00:1a with a vlan tag of 10 will result in a MAC address of ff:ff:fe:00:00:1a being assigned to the vlan10 interface. When using autoincrement, vlan11 will be assigned ff:ff:fe:00:00:1b , vlan12 will be assigned ff:ff:fe:00:00:1c , etc.
The addresses field associates one or more network addresses with this VLAN logical interface. All interfaces, including logical VLAN interfaces, must have one or more network addresses associated with them in order for them to pass traffic.
The Switch Port Profiles field allows the operator to associate the VLAN(s) to a switch port profile that will automatically configured the VLAN(s) to the switch ports attached to the profile.
The WLANs field allows the operator to associate the VLAN(s) to a WLAN.
The Conference options field allows the operator to associate the VLAN(s) to a conference record so the VLAN(s) can be used when created a conference via the Conference Tool.
Network Addresses
An entry in the network addresses scaffold defines an IP block that will be associated with an interface, uplink or VLAN.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The IP field specifies the IP address using CIDR notation that will be configured on the interface specified. If the address record will be used for configuring multiple addresses on the interface via the span field, the IP field configures the first (lowest) IP address of the range.
The span field specifies the range of IP addresses configured by this address record. The default value of 1 is assumed if this field is omitted. For LAN links, a span of 1 is typical. For WAN links, a span of greater than 1 automatically enables translation pooling in NAT scenarios. In addition, bidirectional network address translation (BiNAT) requires the WAN link to span one additional address for each BiNAT.
Examples using Autoincrement
1. Autoincrement with 1:1 VLAN per subnet (MDU)
In this example the VLAN is configured per-subnet with a ratio of 1, this means that each subnet will have it's own VLAN tag. The number of VLANs used will be the number of subnets divied by the ratio. For this example there will be 128 /24 subnets tied to the VLAN which will result in 128 VLANs.
Create a new VLAN Interface , give it a name, select the Physical Interface the VLANs will be tied to. Set the VLAN IDs field to first VLAN to be used. Autoincrement is set to per-subnet , and Ratio is set to 1. If the Network Address is created already it can be selected, in this case it does not, click Create.
Next create a new Network Address , give it a name. Under the Interface section set the Ethernet field to select, and the VLAN field to the VLAN created in the previous step. Set the IP field to the desired starting network address using CIDR notation. Next set the Autoincrement field to the desired number of subnets to create, in this case it will be set to 128. Check the Create DHCP Pool box and then click Create.
Now there are 128 /24 subnets that have been created (10.0.0.1/24-10.0.127.1/24), and 128 VLANs have been configured (100-227) tied sequentially to the subnets.
2. Autoincrement with more than 1 subnet per VLAN
In this example the configuration will put more than 1 subnet into each VLAN. The number of VLANs in this case will be the number of subnets divided by the ratio. In this example there are 64 /30 subnets and the ratio will be set to 4. In this configuration there will end up being 16 VLANs configured.
Create a new VLAN Interface , give it a name, select the Physical Interface the VLANs will be tied to. Set the VLAN ID's field to the first VLAN to be used. Autoincrement is set to per-subnet , and Ratio is set to 4. If the Network Address is created already it can be selected, in this case it does not, click Create.
Next create a new Network Address , give it a name. Under the Interface section set the Ethernet field to select, and the VLAN field to the VLAN created in the previous step. Set the IP field to the desired starting network address using CIDR notation. Next set the Autoincrement field to the desired number of subnets to create, in this case it will be set to 64. Check the Create DHCP Pool box and then click Create
With this configuration there are 64 /30 subnets with 4 subnets per VLAN. 64(subnets) / 4(Ratio) gives us a total of 16 VLANs.
3. BNG with many VLANS inside a single subnet.
The autoincrement BNG feature enables a single subnet to be divided amongst a large number of VLANs. Autoincrement BNG maximizes public address space distribution efficiency. A public /24 CIDR block would typically need to be divided into 64 /30 CIDRs for distribution amongst subscribers. Each of the /30 CIDRs would then be assigned to a unique layer 2 microsegment. Thus a /24 CIDR block would typically support 64 subcscribers. This is an inefficient use of public IPv4 address space.
Network | VLAN |
---|---|
76.77.78.0/30 | VLAN 1000 |
76.77.78.4/30 | VLAN 1001 |
76.77.78.8/30 | VLAN 1002 |
â‹® | â‹® |
76.77.78.248/30 | VLAN 1062 |
76.77.78.252/30 | VLAN 1063 |
The autoincrement BNG feature enables efficient distribution of public static IPv4 24 CIDR blocks. For example, a /24 CIDR block can support 253 subscribers where each subscriber is microsegmented onto their own unique layer two on the distribution infrastructure. It may help to think of this as autoincrementing VLAN assignment via /32s instead of /30s. The difference is that all of the /32s share a single gateway that is accessible from all VLANs. In reality the BNG autoincrement mechanism enables distribution of the addresses on a /24 subnet to ensure client compatibility. This enables efficient use of address space while enforcing true segmentation through a universally compatible standards-based approach.
Network | VLAN |
---|---|
76.77.78.2/24 | VLAN 1000 |
76.77.78.3/24 | VLAN 1001 |
76.77.78.4/24 | VLAN 1002 |
â‹® | â‹® |
76.77.78.253/24 | VLAN 1251 |
76.77.78.254/24 | VLAN 1252 |
In the example below, autoincrement BNG microsegments each usable IP address in 76.77.78.0/24 onto a unique VLAN. VLAN 3002 on igb3 is configured with the first address of the CIDR 76.77.78.1/24 as if the entire CIDR were configured onto VLAN 3002. All of the usable IP addresses of CIDR 76.77.78.0/24 (76.77.67.2/24 to 76.77.78.254/24 inclusive) would normally share the same VLAN 3002. However with autoincrement BNG enabled, the usable IPs are spread across VLANs 3002 to 3254 inclusive.
Autoincrement BNG is unique in that it allows all client devices to share the same default gateway despite being microsegmented at layer 2. In this example, all client devices in VLANs 3002 to 3254 inclusive use 76.77.78.1/24 as their the default gateway. Sharing a single layer 3 default gateway IP address amongst a large number of layer 2 microsegmented clients dramatically improves the efficiency of IP address consumption.
It is important to note that only VLANs 3002 to 3254 inclusive are usable on igb3 when autoincrement BNG is enabled on igb3. It is impossible to assign additional VLANs to igb3 that fall outside of the BNG range as this would interfere with the autoincrement BNG functionality in the configuration described above. An operator may use Q-in-Q if they wish to configure both both BNG and non-BNG VLANs on the same physical interface. This is what we will discuss next.
In this example a single service VLAN (SVLAN 100) will be created and used as the parent VLAN that will contain many client VLANs (CVLANs 1000 to 1352 inclusive). Putting VLAN tags inside other VLAN tags is referred to as a Q-in-Q network architecture.
First create a new VLAN Interface that will be the parent VLAN that will contain the many VLANs. Give it a name. Select the Phyiscal Interface the VLAN will be attached to. Set the VLAN IDs that will be the parent VLAN. Set Autoincrement to none. If there are any Switch Port Profiles configured they can be added here to add the VLAN to any necessary ports. Click Create.
Next configure the VLAN pool that will be tied to the parent VLAN created in the previous step, these VLANs will be tied to IP address in that will be created in the next step as needed. Create a new VLAN Interface and give it a name. The Physical Interface should be unselected and the Service VLAN should be set to the Parent VLAN created in the previous step. The VLAN IDs should be set to the first VLAN to be used. Autoincrement should be set to per-ip , Ratio is set to 1. There is no need to select a Switch Port Profile as these VLANs will not be seen by the switch. Click Create.
Next create a new Network Address , give it a name. Under Interface the Ethernet field should be set to -select- , and the VLAN field should be set to the VLAN created in the previous step. Enter the IP address in CIDR notation in the IP field. The Autoincrement and Span field should be set to 1. Checking the Create DHCP Pool box will automatically create a DHCP pool for the addresses. Click Create.
With this configuration we have a VLAN (VLAN 1000), that contains our BNG VLANs (VLANS 100-352) which allows for the BNG VLANs to be assigned individually to a single IP within the BNG Addresses that were configured. Multiple IPs can be assigned the same VLAN within the address pool as needed and each assignment only consumes a single IP instead of a minimum of 4.
The use of the Q-in-Q network architecture allows a single physical interface to be used with multiple autoincrement BNG interfaces as well as static or dynamically configured VLANs. For example:
Here we see multiple BNG interfaces are created to support distinct downstream distribution equipment. We also see that there is an additional SVLAN that is dedicated for management infrastructure. The standards based nature of the autoincrement BNG approach enables unparalleled flexibilty and diversity. Any VLAN-aware distribution equipment, wireline or wireless, may participate in an autoincrement BNG deployment. In fact, it is even possible to have a single distribution infrastructure composed of equipment from multiple vendors and even mixing different forms of technology. A single installation may use BNG to efficiently distribute public IP addresses across DSL, GPON, DOCSIS, fixed wireless and PLTE all within the same deployment.
Routing
The routing view presents the scaffolds that configure settings to that control the static and dynamic entries into the rXg routing table.
The routing table of an rXg governs where packets are forwarded based on their desired destination. In a basic rXg installation where end-users are L2 connected to the LAN side of the rXg which is in turn connected to a single uplink, the routing table that is automatically created by the rXg is sufficient. In this case, no changes should be made to any of the scaffolds on the routing view.
If the rXg is deployed with a L3 routed distribution network for end-user access, then the rXg must be informed of all connected networks in order to properly route traffic and deliver forced browser redirection. This is typically accomplished by creating static routes for the various subnets that are connected behind L3 routers on the LAN side of the rXg.
The rXg supports distribution and integration of routes via RIP primarily for the purposes of simplifying cluster management. When an rXg cluster is deployed and routing between end-users on different nodes is desired, the rXgs must be informed as to all of the subnets that are behind the various cluster nodes. In addition, the rXg may broadcast router discovery responses to LAN nodes so that they may build up the internal routing tables on LAN nodes. This is particularly useful for LAN nodes that are locally and remotely accessible servers as this provides a simple mechanism for dynamic failover between multiple cluster nodes.
Static Routes
An entry in the static routes scaffold creates an entry in the IP routing table of the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The destination field configures the CIDR block for which a specific gateway is needed.
The gateway is the IP address of the next hop router for the CIDR block specified in the destination field.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RIP
The RIP scaffold controls the behavior of the rXg with respect to RFC 1058 and RFC 2453 router information protocol messages. The rXg may be configured to broadcast route advertisements as well as accept RIP announcements from other routers.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The transmit RIP checkbox enables the broadcast of route advertisements to locally connected networks. When this box is checked, the rXg will make RIP announcements
The receive RIPv1 and receive RIPv2 checkboxes enable the rXg to receive RIPv1 and RIPv2 route advertisements respectively.
The RIPv2 password field configures the shared security credential that will be used when sending and receiving RIPv2 announcements.
The trusted gateways field is where the operator specifies the routers from which RIP announcements will be accepted. In order to prevent injection of false routers, it is required that one or more trusted gateways be specified in order to receive RIP announcements.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Wired
The Wired view presents the scaffolds associated with configuring the wired distribution layer of your network, and monitoring/configuring the switch ports throughout your infrastructure.
Switches
An entry in the switches scaffold defines a piece of switching equipment with which the rXg will communicate for the purpose of effecting dynamic VLAN changes when necessary due to a policy shift for a device on the network.
When a device's VLAN assignment has changed due to a policy shift, the rXg will connect to the switch associated with the device's RADIUS realm via the protocol specified in the configuration, and force a disconnect/reconnect, which will reinitiate the RADIUS authentication process, thereby resulting in the new VLAN assignment being applied to the client device.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The device section specifies information of equipment being configured. Fields with bold text are required. Choose the appropriate option from the supported device types drop-down menu.
Enabling the Monitoring checkbox results in the rXg attempting to import and synchronize Switch Ports from the device, as well as perform ping monitoring of the switch itself, and collect CPU and Memory statistics, where possible.
The SNMP community field specifies the SNMP community string that will be used when attempting to gather CPU and/or Memory information, as well as to collect Switch Port utilization/error/discard data for graphing.
The Switch Fabric field assigns a switch fabric profile to this switch. The Loopback IP , System name , and SPB-m nickname fields must be provided when assigning a switch fabric profile. After supplying the necessary information, the Config sync status link becomes available in the scaffold.
For switches that support configuration management, the Config sync status column contains a link that allows the operator to access bootstrap instructions and enable synchronization.
When bootstrapping a new switch, the operator may retrieve bootstrap commands that will bring a factory default switch or wireless controller into the necessary state to participate in the fabric network, which may be copy/pasted into a console session on the device.
After initial bootstrapping and network connectivity is established, the operator may download a running configuration backup or compare the current running configuration to the expected configuration, based on the associated configuration elements. If changes are needed, they may be pushed to the switch. After successfully synchronizing manually the first time, future configuration changes will be pushed to the device whenever relevant configuration changes are made in the database.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Switch Fabric
An entry in the Switch Fabric scaffold defines the fabric area of a 802.1aq Shortest Path Bridging-MAC (SPB-m) deployment. All participating fabric switches share the common configuration found here. In addition, each participating fabric switch should have an Infrastructure Device defined with the necessary SPB-m configuration specific to that device.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Management I-SID field specifies the I-SID that will be associated with the Management VLAN for management traffic. The Management VLAN is configured per device, under the Switches scaffold.
The Manual area field specifies the IS-IS area that will be used within this fabric in the format: xx.xxxx (ex: 10.0001)
The Primary B-VLAN and Secondary B-VLAN fields indicate the VLANs which will be used for passing encapsulated traffic between participating fabric switches on switch ports designated as NNI ports. These VLANs should be unused elsewhere in your infrastructure.
Switch Ports
Entries in the Switch Ports scaffold are created automatically by enabling the Monitoring checkbox on a supported switch's Infrastructure Device. Ports are imported and speed, packet, error and discard rates are gathered via SNMP and made graphable for each switch port.
The name field represents the port's identification in the switch, and should not be changed.
The NNI Port designates this port as a Network-to-Network Interface. This option must be enabled for any port where two fabric-enabled switches interconnect.
The speed in bps field represents the port's maximum physical speed in bits per second.
Switch Port Profiles
Entries in the Switch Port Profiles scaffold define the behavior of downstream wired infrastructure device ports. Switch port profiles enable an operator to manage virtually unlimited switch ports, without configuring them individually.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Default checkbox, declares the selected switch port profile as the default for any newly imported switches
The Move Ports checkbox, if selected, will move ports associated with a different default profile to a profile upon save. This should be used in conjunction with the Default checkbox.
The Ports field defines individual switch ports to associate with this profile.
The Native VLAN field is used to define the untagged VLAN that ports associated to a profile should use.
The Shutdown checkbox declares ports associated to this profile to be disabled.
The VLANs field defines the VLANs that should be tagged on ports associated with a profile.
The RADIUS drop-down menu can be used to enable 802.1x or MAC Authentication Bypass, on ports associated to a profile.
The native I-SID specifies the network that untagged traffic from this port should be placed into when building a Fabric configuration script.
The NNI Port designates this port as a Network-to-Network Interface. This option must be enabled for any port where two fabric-enabled switches interconnect.
Wireless
The Wireless view presents the scaffolds associated with configuring the wireless distribution layer of your network, and monitoring/configuring the access points throughout your infrastructure.
WLAN Controllers
An entry in the WLAN controllers scaffold defines a piece of wireless equipment with which the rXg will communicate for the purpose of effecting dynamic VLAN changes when necessary due to a policy shift for a device on the network.
When a device's VLAN assignment has changed due to a policy shift, the rXg will connect to the WLAN controller associated with the device's RADIUS realm via the protocol specified in the configuration, and force a disconnect/reconnect, which will reinitiate the RADIUS authentication process, thereby resulting in the new VLAN assignment being applied to the client device.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The device field specifies the type of equipment being configured. Choose the appropriate option from the supported device types drop-down menu.
The enable telemetry boolean completely controls whether the rXg will attempt to receive and process telemetry data at all.
The Instrument from Telemetry checkbox results in the rXg using telemetry data to instrument the Access Points and Wireless Clients for this controller, instead of the regular API integration. If telemetry is enabled, the rXg will always instrument radio and client data, regardless of whether instrument from telemetry is enabled.
Enabling the Monitoring checkbox results in the rXg attempting to import and synchronize Access Points from the device, as well as perform ping monitoring of the Infrastructure Device itself, and collect CPU and Memory statistics, where possible.
The SNMP community field specifies the SNMP community string that will be used when attempting to gather CPU and/or Memory information, or Access Point data from WLAN controllers where an API is not available.
The NB portal password and NB portal usernames are used when executing API calls against RUCKUS's northbound portal interface. These must correlate with what is configured in the controller.
The Telemetry username and Telemetry password are used when authenticating an MQTT session with this WLAN Controller. These must correlate with what is configured in the controller's northbound data streaming subscriptions.
Vendor Specific Configuration Examples
For Infrastructure Devices which support configuration management, the Config sync status column contains a link that allows the operator to access bootstrap instructions and enable synchronization.
When enabling automatic WLAN controller configuration management, the operator should ensure that the timezone and country code set in the Device Options scaffold are accurate as they will be used when configuring wireless infrastructure.
After initial bootstrapping and network connectivity is established, the operator may download a running configuration backup or compare the current running configuration to the expected configuration, based on the associated configuration elements. If changes are needed, they may be pushed to the controller. After successfully synchronizing manually the first time, future configuration changes will be pushed to the device whenever relevant configuration changes are made in the database.
Vendor Specific Configuration Examples
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Piglet Sensor
Piglets are small, low-cost, raspberry pi based, sensors that can be used for a variety of purposes. Adding a WLAN Controller with a device type of "Piglet" and a host address of "127.0.0.1" in this scaffold will allow the piglet sensors to discover the rXg for adoption. Click Here to access the piglet documentation.
WLANs
An entry in the WLANs scaffold defines a wireless network that you wish to deploy on a supported WLAN controller.
The SSID field specifies the WLAN SSID that will be broadcast and visible to users.
The Encryption selection specifies the encryption algorithm which will be used for this WLAN.
The Authentication selection specifies the type of authentication that should take place in order for users to join the network. In order for Dynamic VLANs to be assigned, authentication must utilize MAC Authentication Bypass or one of the 802.1X methods.
The Default VLAN field specifies the VLAN that users should be placed into, assuming it is not overriden by Dynamic VLAN behavior.
The Tunnel checkbox instructs access points to build a tunnel to the controller or some other location, depending on the vendor, instead of locally bridging the client traffic.
Application Examples: - RUCKUS SoftGRE Tunnel
The Enabled checkboxes allow the operator to enable or disable a WLAN for a particular radio across all profiles where it is utilized.
Dynamic VLANs require the association of at least one VLAN record which is tied to a RADIUS Realm.
The RADIUS Accounting checkbox instructs the Access Point to send accounting information to the RADIUS server as users join, use, and leave the network.
The Access Point Profiles selection specifies which Profiles should include this WLAN.
Access Point Profiles
An entry in the Access Point Profiles scaffold defines a set of common configuration parameters to be applied to a set of Access Points.
The Default checkbox indicates that this Profile will be the default Profile for this Infrastructure Device. Any Access Point which has not been explicitly assigned to a Profile will be placed into this Profile.
The WLANs association defines whoch WLANs will be broadcast on Access Points that fall into this Profile.
The Access Points association allows the operator to explicitly assign a profile to one or more Access Points. Selected Access Points which do not belong to the Infrastructure Device that the Profile is assigned to will be automatically deselected upon saving.
The Management VLAN field specifies which VLAN the Access Points in this profile will use to attempt to obtain an IP address via DHCP.
The 2.4GHz Data Rates and 5GHz Data Rates fields allow the operator to restrict the types of devices that may join the network to only those supporting a specific subset of data rates. By default, 802.11b rates are disabled to improve network performance.
The 2.4GHz Antenna Gain and 5GHz Antenna Gain fields allow the operator to specify antenna gain values (in dBi) that will be applied to Access Points which use external antennas.
The Outdoor APs checkbox instructs the system to enable or disable outdoor power and channel tables for the radios in order to be compliant with regulatory rules.
Access Points
Entries in the Access Points scaffold are created automatically by enabling the Monitoring checkbox on a supported wireless controller's Infrastructure Device. Status and statistics are gathered on an ongoing basis via API and/or SNMP.
After creation, the operator may reassign an Access Point's Access Point Profile in order to control the WLAN and radio settings applied to it. Access Point details are updated on a regular basis via background interaction with the Infrastructure Device.
Access Point Radios
Entries in the Access Point Radios scaffold are created automatically by enabling the Monitoring checkbox on a supported wireless controller's Infrastructure Device. Status and statistics are gathered on an ongoing basis via API and/or SNMP.
Access Point Radio Profiles
Entries in the Access Point Radio Profiles scaffold can be assigned to WLANS in the Access Point Profiles scaffold. The HW Mode Preference field ia a comma separated listing of supported radio type, 'A' (5 Ghz, 802.11 A and 802.11 AC), 'B' (2.4 Ghz 802.11 B), or 'G' (2.4 Ghz 802.11 G). The order matters, as HW Modes are preferred as listed, left to right. Selected Channels is a list of numbers associated with the HW Mode Preference. The list can be a comma separated list of individual channels, or ranges of channels (i.e. '1,2,3,4,5,6,7,8,10,11' can be represented as '1-11').
Access Point Zones
An entry in the Access Point Zones scaffold defines the configuration common throughout this site.
Entries in the Access Point Zones scaffold are populated automatically after enabling the monitoring checkbox for a supported WLAN controller Infrastructure Device.
The Enable DFS channels checkbox instructs the Access Points in this Access Point Zone to broadcast at the 5GHz frequencies that are generally reserved for radars. Disabling the Dynamic Frequency Selection (DFS) prevents the use of 5GHz channels 52 - 140.
The 5GHz Channel Width option allows the configuration of channel width for the 5GHz radio for Access Points in this Access Point Zone.
Location
The Location view presents the scaffolds associated with configuring the location services layer of your network.
Location Services
An entry in the Location Services scaffold defines a Location server with which the rXg will use to determine the location of a wireless client.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The Type field specifies the type of equipment being configured. Choose the appropriate option from the supported device types drop-down menu.
The Host field is the IP address or domain name of the Location device.
The Subnet mask field is used to enter the subnet mask of the network the location device is on.
The Gateway IP field is used to enter the gateway IP address of the location device.
The API port field is used to set the API port, leave blank for device default.
The Username field sets the device admin username.
The Password field sets the device password, note password will remains the same if left blank.
The API key field sets the device API key.
The Timeout field sets the connection timeout in seconds.
The Areas field sets the location areas managed by this service.
The Location events checkbox will create device location events for notifications recieved from the server if checked.
Location Areas
An entry in the Location Areas scaffold allows the Operator of the rXg to define areas that can then be tied to Location Categories.
The Type field is used to determine if the area is a floor or site.
The Category field if set specifies the category applied to events in this area, unless overridden by a more specific category.
The Parent field sets the parent are which contains this area. Example, a site may be a parent to floor.
The Conference AP's field allows the Operator to add any AP's that should be used for Conferences, this used in conjunction with the conference tool makes it easy to broadcast Conference SSIDs to only the areas where the conference is taking place.
The Conference Ports field allows the Operator to add switch ports that should be used for Conferences.
When configured the Admin Roles field sets the admin roles that will be able to request pending admin transactions from APs in this Location Area.
The Min Gradient and Max Gradient fields allow the operator to override the default heatmap gradiation coloration.
Location Categories
The Areas field allows the Operator of the rXg to assign categories to specific Location Areas , which includes any APs selected when creating the category.
The Access Points field allows the Operator to select specific APs that will be tied to this Location Category.
The Infrastructure Devices field allows the Operator to assign Infrastructure Devices to the Location Category.
Device Locations
The Device Locations scaffold lists the reported location of devices on the network. The Time entry shows the time the record was created. The MAC entry lists the MAC address of the connected device. The Session entry shows the login session for the device. The Account entry lists the account the device is a member of. The Event field shows the event type for record. The Area field shows the Location Area the record belongs to and the Category field shows the Location Category the record is associated with. The Dwell entry displays the amount of time the device has been in a given area. The Last Area and Last Category entries display the previous are and category the device was associated with. The Access Point entry lists the IP and MAC address the device was connected to at the time the entry was created. The SSID field displays the SSID the client device was connected to. The WLAN entry shows the WLAN on the rXg the client device was associated with. The RADIUS Realm entry shows the radius realm the device authenticated against. The Location Device lists the Infdev device providing the location information.
Example Setup
In this example shows the process of setting up location in a MDU.
- Add floorplan to location area.
- Create regions for AP placement.
- Place AP's into regions.
Create Location Categories and add AP's.
Add floorplan to location area.
Navigate to Network::Location and create a new Location Area. The Name field is arbitrary, enter a name. Change the Type field to Floor. Note: by selecting floor it allows the operator to upload a floor plan and this will become the partent for any regions that are created, if Site is selected this will be the parent of the floors. Leave Category on -select- as there are none to select at this time. For the Floorplan field click the Choose File button and select the floorplan image to be used. Set the Floor number field to set the floor number. Leave the Parent field on -select- and hit the Create button.
- Create regions for AP placement.
To create regions click on the Floorplan in the Location Area scaffold, this will open up the map allowing the placement of AP's and Regions.
In the Add a Region section enter a name for the region, pick a color for the region and then click Add Region. This create a region that can be placed on the floorplan. The region can be resized by dragging the bottom right corner.
Drag the region to the desired area on the floor plan, adjust size and click save.
Repeat for each area that needs a region.
- Place AP's into regions.
Select an AP from the Place an Access Point / Senso: dropdown. Click the Drag me button.
This will generate an AP that can be placed on the floor plan, the first AP will go in Unit1.
Drag AP to its placement on the map and click Save.
Repeat this step for each AP that is present on the floorplan.
- Create Location Categories and add AP's.
Create a new Location Category.
The Name field is arbitrary, in this case there will be a Location Category created for each unit, the name will reflect the unit. Select the unit for in the Areas field. Select the AP or APs from the Access Points field. Click Create.
Repeat for each Unit.
The rXg is now configured to start keeping track of Device Locations. In order for this to work at a minimum, radius account packets must be received. The below image shows the WLAN settings for the SSID setup for this example. Note: In this example we have control of the wireless infrastructure creating the WLAN pushed all needed settings, without control the WLAN would need to be configured manually on the wireless infrastructure.
The below image shows the information received in the Device Location scaffold.
Recalibration
In order for location-aware functionality to work as well as possible, setting the right calibration on your floorplan is essential. In order to begin recalibration, click on 'Begin Recalibration' In the floorplan view:
Next, click a point on the map. Often times, a wall or one side of a door frame is a good choice because they are easy to measure, in fact most doors are roughly 1 meter wide.
After you clicked your first point, click your second point
After you clicked your second point, enter the distance between the two points in meters, and click Finish.
Finally just let the floor plan view close on its own and reopen it.
After you re-open the floor plan, the new calibration will be displayed.
Services
All IP-data networks must provide several core services in order for end-users to establish connectivity. The vast majority of IP-data networks use DHCP for provisioning end-user IP addresses. Thus a DHCP server is a requirement for almost every IP-data network. DHCP server responses include DNS server information. Most IP-data networks incorporate a local, caching DNS server, to improve network performance. Furthermore, information security is another critical aspect of the contemporary IP-data networks. One commonly deployed service to help increase the trustworthiness of the network is an IPsec VPN concatenator. Many IP-data network also incorporate network time (NTP) and SNMP services to ease administration.
Revenue generating networks must deliver several additional services in addition to which most other IP-data networks must provide. If a captive portal is used, then a web application server must be present on the RGN. If the captive portal is to incorporate advertising, an advertising proxy and rotation server is needed. Email broadcasts, transparent web proxies and many other possibilities exist. In many cases, the profitability of the RGN is directly related to the availability and provisioning of the network core services.
The rXg incorporates all of the core services needed to operate a revenue generating network. The services menu enables the operator to access the views needed to configure core services integrated into the rXg.
Services Dashboard
The services dashboard presents an overview of the current status and configured settings for the various core services executing on the rXg.
The left column presents dialogs depicting summaries of the latest instrumentation gathered from the DHCP server.
The top dialog in the left column displays statistical information about the DHCP pools offered by the DHCP server. Next to the name of the pool, the current number of free and used leases is displayed. The right column displays the maximum number of leases that may be in use simultaneously. This dialog is extremely useful in determining if the DHCP pool is configured in a way that makes it capable of serving the entire end-user population.
The bottom dialog in the left column displays the four latest DHCP leases that were issued by the DHCP server. The IP address issued is listed along with the MAC address and DHCP client ID (if the client transmitted one in the request). This dialog is very useful for quickly tracking down problematic end-users who have recently joined the network. First call end-user support personnel will find the information presented in this dialog very useful in identifying and isolating end-users with connectivity problems.
The right column presents graphs describing the recent load of various core rXg services.
The first graph in the right column presents the recent average number of DHCP leases.
The second graph in the right column presents the recent average number of VLAN tag assignments.
The last graph in the right column presents the recent average number of web server hits. The web server hit count is determined by the number of end-users hitting the captive portal web application, typically as a result of forced web browser redirection. Keep in mind that the default interstitial advertising methodology uses the captive portal to deliver the ad content as well.
The dialog presented at the bottom of the left column displays a dashboard of status lights for the various services offered by the rXg. A red light means the service is currently offline or disabled. A green light means that the service is currently running. This dialog is the quickest way to obtaining a first order understanding of why a particular rXg subsystem is misbehaving when troubleshooting new service deployment scenarios. Clicking on the light will take you to a relevant view for configuring the service. This dialog also displays the current instantaneous rate of web server, web proxy and HTML injection hits. This is very useful for comparing the current rate with the rates presented in the graphs to see where the current load of the rXg fits in the overall picture of recent load.
DHCP
The DHCP view presents the scaffolds associated with configuring the DHCP server and DHCP relay features of the rXg.
The rXg integrates a fully featured DHCP server capable of meeting the needs of nearly any imaginable environment. By default, the rXg DHCP server responds to all DHCP requests on the LAN with a temporary address assignment from within a pool. This behavior may be modified and augmented via the scaffolds presented on this view to deliver a broad spectrum of possible responses.
To enable the rXg integrated DHCP server, the operator must create a DHCP pool that falls within the CIDR of an address that is on the LAN of the rXg. An address is considered to be on the LAN of the rXg if the address is associated with an Ethernet interface , VLAN or is the destination in a static route.
The CIDR of the address from which the pool draws IP addresses from automatically determines the DHCP server listening interface as well as the subnet mask and default route that is presented to the client.
For example, given an rXg that has the following addresses :
- Ethernet Interface en1: 192.168.5.1 / 24
- VLAN 3800: 172.16.16.1 / 22 If a DHCP pool for with a range of 192.168.5.100 to 192.168.5.200 is created, the rXg integrated DHCP server will listen on en1 for DHCP requests in the native VLAN and respond with:
- IP address in range 192.168.5.100 to 192.168.5.200
- subnet mask 255.255.255.0
- default gateway 192.168.5.1 Similarly, if a pool with a range of 172.16.23.1 to 172.16.28.255 is created, then DHCP requests present on VLAN 3800 will see a response of:
- IP address in range 172.16.23.1 to 172.16.28.255
- subnet mask 255.255.240.0
- default gateway 172.16.16.1
Many networks combine DHCP assigned addresses with manually assigned static addresses. Use the pools scaffold to control the range of addresses issued by the rXg. It is extremely important to ensure that network administrators manually configure statically assigned addresses correctly to prevent overlap. It is also suggested that VLANs be used for L2 segregation of machines with statically assigned addresses from those pulling from DHCP in order to prevent IP address collisions. Alternatively, the network operator may choose to use DHCP fixed hosts in lieu of statically assigned addresses to achieve the same goal.
In most networks, there are some devices which should obtain the same IP address every time a request is made. A common occurrence of this is when a Static IP has been configured for a device that is using DHCP. To ensure connectivity, the BiNAT'ed device must have a static IP address or must be established as a fixed host. It is important to make sure that fixed hosts are assigned IP addresses that are outside of the ranges specified by the pools
Two, non-overlapping pools may also be configured for the same Ethernet interface or VLAN. Given the example rXg network address configuration above, 172.16.23.1 to 172.16.28.1 and 172.16.20.1 to 172.16.22.255 may both be configured as pools simultaneously. By default, requests originating from VLAN 3800 will draw addresses from both pools. This behavior is usually modified through the use of classes and match rules.
Match rules may be used to differentiate between requests originating from the same physical or logical media. For example, match rules may be used to associate devices presenting DHCP client identifiers containing a specific prefix with a class. Another common use of match rules is to place all devices presenting a MAC address from a specific vendor into a class.
A class may be used to determine the pool from which the requesting device acquires an address. This is useful for IP-based policy management as certain devices may be placed into specific ranges of IP addresses which can have different policies associated with them. In addition, different pools may have different DHCP options. For example, pools may have different maximum lease times, DNS servers, default routes, etc.
If there is a LAN CIDR block configured on the rXg for which there is no pool , the rXg may also be configured as a DHCP relay server. This feature enables a DHCP proxy server on the rXg that forwards DHCP requests originating from the associated Ethernet interface or VLAN to an external DHCP server.
Pools
An entry in the DHCP Pools scaffold configures a pool of IP addresses that are to be offered to end-user devices requesting an IP address.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The start IP and end IP fields define the range of addresses to be offered by this pool. The pool of offered addresses must fall within the range of an IP network configured on an interface and must not include the address(es) consumed by the rXg or the broadcast address. For example, if the 192.168.5.1/24 IP network is configured on the LAN, the maximum allowable range is from the start IP of 192.168.5.2 to the end IP of 192.168.5.254.
It is critically important to be very precise when entering these values to prevent IP address conflicts. Some of the many things to keep in mind include:
- Devices with statically assigned IP addresses must not use addresses within the DHCP pool range.
- IP address reservations (specified in the fixed hosts scaffold) must not be in the pool.
- The pool ranges must be large enough to accommodate the end-user population.
The Reserved options let you specify addresses you wish to reserve either at the begining of each subnet in the pool via the First field or at the end of the subnet via the Last field. For example a network address consisting of 32 /24 subnets (x.x.0.1/24 - x.x.31.1/24 (32)) setting the First field to 4 would reserve x.x.0.2 - x.x.0.5 in the first subnet and .2 - .5 in each subsequent subnet. Setting the Last field to 4 would reserve x.x.0.251 - x.x.0.254 in the first subnet and 251 - 254 in each subsequent subnet. The Router field can change the gateway IP in each subnet. Incremented from the network address, where 1 is the first usable IP address (e.g. x.x.x.1/24). Decremented from the last usable address, where -1 means the last host address (e.g. x.x.x.254/24).
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The option group and class fields link this DHCP pool with options and configuration rules. For example, the WINS server DHCP option can be transmitted to only those end-users running Window through the use of the option group and class fields.
Fixed Hosts
An entry in the Fixed Hosts scaffold reserves an IP address for a particular device. When a device with the MAC address specified in this record requests network configuration via DHCP, the specified IP address is offered. This mechanism is often used as an alternative to manually assigning static IP addresses to devices.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The IP field contains the IP address to be reserved for this device. It is critically important that the reserved IP be outside of any pools specified in the pools scaffold.
The MAC field contains the MAC address of the device that this reservation is being held for.
The hostname field is an optional parameter that, if specified, will cause the DHCP server to deliver a client identifier to the device via a DHCP option.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The option group links this reservation with a set of DHCP options that control additional information that may be delivered to the device beyond IP address, hostname, subnet mask and gateway. For example, an option group may be used to specify alternative DNS servers for the device specified in this reservation.
Option Groups
An entry in the option groups scaffold links one or more options to devices that are offered addresses from a pool or set of fixed hosts. When an option is linked, the specified payload will be delivered as part of the DHCP response offered to a requesting device. The use of option groups to link options to pools and fixed hosts maximizes the flexible reuse of configuration options.
The global check box links the associated options with all DHCP responses. Only a single option group can have the global field checked. Furthermore, the global checkbox should be used in exclusion to linking any specific pools and fixed hosts and vice versa.
The authoritative check box indicates whether or not the DHCP server should be authoritative for the network(s) its attached to. An authoritative DHCP server will assume that the configuration information about a given network segment is known to be correct and authoritative, and thus will send DHCPNAK messages to misconfigured clients. Operators setting up DHCP servers for their networks should usually have this checked to indicate that the DHCP server should send DHCPNAK messages to misconfigured clients. If this is not done, clients will be unable to get a correct IP address after changing subnets until their old lease has expired, which could take quite a long time. For certain cluster deployment configurations it is necessary to put the server in non authoritative mode. For example, when two or more cluster nodes are performing the role of the DHCP server on the same network. This is so that the nodes do not NAK each others lease assignments.
The BOOTP check box allows or denies address assignment from the related pool(s) for BOOTP clients.
The options field specifies the members of the options scaffold that will be linked to the targets specified in this option groups record.
The pools and fixed hosts fields specify targets for receiving the DHCP configuration options specified by the options fields.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Options
An entry in the options scaffold establishes a key-value pair that can be appended to any DHCP response via an option group.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The standard option field specifies the DHCP option that is to be defined by this record. The purpose of the vast majority of the DHCP options is easily derived by the name. The set of all available standard DHCP options is defined by IETF RFC 2132. The custom option field enables the operator to deploy DHCP options that are not part of IETF RFC 2132.
The name makes the purpose of the option self evident in many cases. Here are some common required use cases:
routersWhen the rXg integrated DHCP server is responding to requests originating from a network that is L2 connected to the rXg, the DHCP server automatically populates the response with a next hop router specified as the rXg. However, if the rXg integrated DHCP server is responding to requests on a network that is L3 connected behind a router, the routers option must be specified. In general, it is not possible to automatically determine the IP address of the next hop router that faces the clients being served DHCP, hence the requirement for manual specification.tftp-server-nameCertain forms of customer premises equipment require BOOTP or TFTP provisioning (e.g., DOCSIS cable modems or WiMAX subscriber terminals). To accommodate this, the rXg incorporates a TFTP server and supports the delivery of DHCP responses with the requisite options. The value of the tftp-server-name option should be the IP address of the rXg that is closest to the end-user.
The value is the value that will be used when the key-value pair is appended to the DHCP request. For example, if max-lease-time
is chosen as the option name for a record, the option value should be set to the maximum number of seconds that a DHCP lease can be used by a end-user device.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The option group field determines which DHCP responses will contain the key-value option pair configured in this record.
The following DHCP client options are currently supported:
Code | Option | Name | Description |
---|---|---|---|
1 | subnet-mask | Subnet Mask | Subnet Mask Value |
2 | time-offset | Time Offset | Time Offset in Seconds from UTC (note: deprecated by 100 and 101) |
3 | routers | Router | N/4 Router addresses |
4 | time-servers | Time Server | N/4 Timeserver addresses |
5 | ien116-name-servers | Name Server | N/4 IEN-116 Server addresses |
6 | domain-name-servers | Domain Server | N/4 DNS Server addresses |
7 | log-servers | Log Server | N/4 Logging Server addresses |
8 | cookie-servers | Quotes Server | N/4 Quotes Server addresses |
9 | lpr-servers | LPR Server | N/4 Printer Server addresses |
10 | impress-servers | Impress Server | N/4 Impress Server addresses |
11 | resource-location-servers | RLP Server | N/4 RLP Server addresses |
12 | host-name | Hostname | Hostname string |
13 | boot-size | Boot File Size | Size of boot file in 512 byte chunks |
14 | merit-dump | Merit Dump File | Client to dump and name the file to dump it to |
15 | domain-name | Domain Name | The DNS domain name of the client |
16 | swap-server | Swap Server | Swap Server address |
17 | root-path | Root Path | Path name for root disk |
19 | ip-forwarding | Forward On/Off | Enable/Disable IP Forwarding |
20 | non-local-source-routing | SrcRte On/Off | Enable/Disable Source Routing |
21 | policy-filter | Policy Filter | Routing Policy Filters |
22 | max-dgram-reassembly | Max DG Assembly | Max Datagram Reassembly Size |
23 | default-ip-ttl | Default IP TTL | Default IP Time to Live |
24 | path-mtu-aging-timeout | MTU Timeout | Path MTU Aging Timeout |
25 | path-mtu-plateau-table | MTU Plateau | Path MTU Plateau Table |
26 | interface-mtu | MTU Interface | Interface MTU Size |
27 | all-subnets-local | MTU Subnet | All Subnets are Local |
28 | broadcast-address | Broadcast Address | Broadcast Address |
29 | perform-mask-discovery | Mask Discovery | Perform Mask Discovery |
30 | mask-supplier | Mask Supplier | Provide Mask to Others |
31 | router-discovery | Router Discovery | Perform Router Discovery |
32 | router-solicitation-address | Router Request | Router Solicitation Address |
33 | static-routes | Static Route | Static Routing Table |
34 | trailer-encapsulation | Trailers | Trailer Encapsulation |
35 | arp-cache-timeout | ARP Timeout | ARP Cache Timeout |
36 | ieee802-3-encapsulation | Ethernet | Ethernet Encapsulation |
37 | default-tcp-ttl | Default TCP TTL | Default TCP Time to Live |
38 | tcp-keepalive-interval | Keepalive Time | TCP Keepalive Interval |
39 | tcp-keepalive-garbage | Keepalive Data | TCP Keepalive Garbage |
40 | nis-domain | NIS Domain | NIS Domain Name |
41 | nis-servers | NIS Servers | NIS Server Addresses |
42 | ntp-servers | NTP Servers | NTP Server Addresses |
44 | netbios-name-servers | NETBIOS Name Srv | NETBIOS Name Servers |
45 | netbios-dd-server | NETBIOS Dist Srv | NETBIOS Datagram Distribution |
46 | netbios-node-type | NETBIOS Node Type | NETBIOS Node Type |
47 | netbios-scope | NETBIOS Scope | NETBIOS Scope |
48 | font-servers | X Window Font | X Window Font Server |
49 | x-display-manager | X Window Manager | X Window Display Manager |
54 | dhcp-server-identifier | DHCP Server Id | DHCP Server Identification |
61 | dhcp-client-identifier | Client Id | Client Identifier |
64 | nisplus-domain | NIS-Domain-Name | NIS+ v3 Client Domain Name |
65 | nisplus-servers | NIS-Server-Addr | NIS+ v3 Server Addresses |
66 | tftp-server-name | Server-Name | TFTP Server Name |
67 | bootfile-name | Bootfile-Name | Boot File Name |
68 | mobile-ip-home-agent | Home-Agent-Addrs | Home Agent Addresses |
69 | smtp-server | SMTP-Server | Simple Mail Server Addresses |
70 | pop-server | POP3-Server | Post Office Server Addresses |
71 | nntp-server | NNTP-Server | Network News Server Addresses |
72 | www-server | WWW-Server | WWW Server Addresses |
73 | finger-server | Finger-Server | Finger Server Addresses |
74 | irc-server | IRC-Server | Chat Server Addresses |
75 | streettalk-server | StreetTalk-Server | StreetTalk Server Addresses |
114 | captive-portal-api | Captive Portal API | Captive Portal API URL |
The following DHCP server options are currently supported:
Option | Description |
---|---|
abandon-lease-time | Maximum amount of time (in seconds) that an abandoned lease remains unavailable for assignment to a client |
adaptive-lease-time-threshold | Specify the % of active leases before the server hands out only short min_lease_time leases |
always-broadcast | Always broadcast responses to clients, regardless of the broadcast bit in the request header |
always-reply-rfc1048 | Always respond with RFC1048-style responses |
default-lease-time | length in seconds that will be assigned to a lease if the client does not ask for a specific expiration time |
dynamic-bootp-lease-length | length in seconds of leases dynamically assigned to BOOTP clients |
filename | Name of the initial boot file which is to be loaded by a client |
get-lease-hostnames | Perform reverse lookup of IP to determine hostname |
infinite-is-reserved | |
one-lease-per-client | Automatically free any other leases the client holds when responding to a request |
ping-check | Ping the IP to ensure it is free before assigning to a client |
ping-timeout | Timeout in seconds to wait for the ping-check to complete |
server-name | Inform the client of the name of the server from which it is booting |
site-option-space | Determine from what option space site-local options will be taken |
stash-agent-options | Record the relay agent information options sent during the initial request message and behave as if those options are included in all subsequent renewal requests |
update-conflict-detection | |
max-lease-time | Maximum length in seconds that will be assigned to a lease |
min-lease-time | Minimum length in seconds that will be assigned to a lease |
min-secs | Minimum number of seconds since a client began trying to acquire a new lease before the DHCP server will respond to its request |
next-server | Address of the server from which the initial boot file is to be loaded |
use-host-decl-names | Supply the scope's host declaration name to the client as its hostname |
Custom DHCP Options
The vast majority of client devices require only basic DHCP in order to achieve network connectivity. Some operators may choose to use standard DHCP options that are defined in IETF RFC 2132 to deliver specific additional configuration. Standard DHCP options may be configured via the DHCP Options scaffold. Between basic DHCP and standard options almost all client devices will get everything they need. Infrastructure devices are a different story.
In some cases certain kinds of devices may require configuration to be delivered via non-standard DHCP options. This usually applies to thin, headless infrastructure devices that depend on a central controller or server such as VoIP handsets, VoD set top boxes, wireless access points, etc. Specialized infrastructure devices. Custom DHCP Options are usually used to deliver bootstrap configuration information such as the IP address and filestore location of initial bootstrap configuration.
The Custom DHCP Options scaffold enables operators to configure the rXg to deliver DHCP options that are not defined byIETF RFC 2132. Each record in the Custom DHCP Option scaffold adds an option to the custom option drop down list in the DHCP Options scaffold. The payload ( value ) to be delivered to the device is configured in the DHCP Options scaffold.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The type , array and code fields enable the operator to define the headers in the DHCP option that is to being defined. When the array checkbox is enabled, the option will be defined as an array of the type designated. The values of the corresponding DHCP Options should be entered in comma separated format. DHCP vendor-specific option 43 as well as DHCP site-specific option codes between 128 to 254 may be configured to be delivered by the rXg. The exception to this is option 121, classless-static-routes. Static routes may be provided to clients by creating a custom DHCP option and specifying the type as an array of unsigned integer 8, and a code of 121. The value of the corresponding DHCP Option record may be 24,192,168,99,10,10,10,1, 24,172,16,32,10,10,10,2. This would provide a route to 192.168.99.0/24 via 10.10.10.1 and a route to 172.16.32.0/24 via 10.10.10.2. Refer to IETF RFC 3442 for more information.
If the operator desires to deliver payloads via vendor-specific DHCP option 43 then the type should be set to vendor-specific. In this case the code field should be configured to be the DHCP option sub-code that is desired. The settings of the type to vendor-specific implicitly defines the format of the payload to be hex. The payload that is configured by the value field in associated the DHCP Option will be automatically converted to hex from ASCII before being encoded into the option packet.
If the operator sets the type to anything other than vendor-specific then the code represents the site-specific DHCP option that must be between 128 and 254. This limitation is due to the fact that IETF RFC 2132 has already defined DHCP option codes from 0 to 127. The exception to this is the classless-static-routes option, code 121.
The payload of the Custom DHCP Option is defined in the option field of the DHCP Options scaffold and must fall within the range of acceptable possibilities for the given type.
Classes
An entry in the classes scaffold links one or more match rules to devices that are offered addresses from pools. When a match rule is linked, the specifications in the match rule are used to determine membership of the class.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Classes are used to differentiate groups of clients based on matching a substring transmitted as part of the DHCP request or the MAC address of the requesting device. If two pools are created within the network address range associated with a single interface (e.g., 192.168.5.100-150 and 192.168.5.151-200), classes can then be used to populate devices into one of the two ranges based on the request. For example, all requesting devices presenting a dhcp-client-identifier
with a well known predefined prefix can be put into the first pool while all others into the second pool. This alleviates the need to collect and enter the MAC addresses of all devices in a group as fixed hosts in order to place them into a pool.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The pools fields specifies the pool to place devices into that meet the criteria of the match rules specified by this class.
The match rules field links this class with the match rules that will determine membership.
Match Rules
An entry in the match rules scaffold creates a criteria for selecting DHCP requests to be a member of a class.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The negate field configure the way the match rule specified by this record behaves. If negate is checked, a DHCP request is considered to be part of a class if it does not meet criteria specified by this match rule.
The logic field controls the way multiple match rules belonging to the same class behave. A setting of and
requires that all criteria be met. Conversely, a setting of or
allows a request to become part of a class if only one of the match rule criteria is met.
The option substring , substring offset and substring length fields control the matching criteria specified in the option value field. If option substring is unchecked, the data in the option value field must exactly match the payload of the DHCP option in the request in order for the request to be considered a match by this match rule. Inversely, if option substring is checked, the substring offset and substring length fields can be used to make a request considered a match if only a portion of the data in option value matches what is presented in the DHCP request. The values that are matched in the option substring are inclusive of the specified boundaries.
The option name and option value are the criteria that determine whether or not a request is a match for this rule. If a DHCP request contains a DHCP option name-value pair matching the data entered into option name and option value , then the DHCP request is considered a match for this rule.
For example, let us consider the case where the RGN distribution infrastructure is DOCSIS cable and composed of Motorola SURFboard cable modems with MAC prefix 00:0A:28, In order to simplify administration, the operator wishes to give all of the cable modems addresses in the 192.168.10.0/24 block and serve 172.16.16.0/24 to the end-users. To accomplish this, the operator would need to configure both DHCP pools and then associate the 172.16.16.0/24 pool with a class that has a match rule configured with:
- option substring - checked
- substring offset - 1
- substring length - 3
- option name - hardware
- option value - 000A28 At first glance, this would seem to be incorrect because we want to match the zeroth through the second byte of the MAC address inclusive. However, the hardware field has the Ethernet prepended onto the MAC address as the zeroth byte. Therefore the actual MAC address is the first to the seventh of the _hardware_field.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The class field specifies the class for which this matching rule should be used to determine membership.
Relay Servers
An entry in the Relay Servers scaffold enables the DHCP relay feature for the specified interface. DHCP relay allows an rXg to proxy DHCP requests to an upstream DHCP server rather than managing a DHCP pool locally. DHCP relay cannot be used in conjunction with the DHCP server (pools and fixed hosts).
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The server IP field configures the IP address of the upstream DHCP server that will respond to the proxy DHCP requests.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The interfaces and VLANs fields specify the local physical and logical interfaces to proxy DHCP requests to the server specified by server IP.
DNS
The DNS view contains the scaffolds to configure the rXg core services related to the domain name system.
The rXg integrates a dynamic DNS client that supports all of the major third party dynamic DNS services. Dynamic DNS is an essential part of deploying an rXg in an environment where the uplink address is dynamically assigned and may change.
Many of the rXg services (most notably, the forced browser redirect), require DNS resolution of a domain name to the IP address of the WAN uplink. If the IP address of the WAN uplink is configured via DHCP, it is critically important to reconfigure the DNS whenever the assigned IP address changes. The simplest way to accomplish this is to use the rXg dynamic DNS client.
The rXg also incorporates a fully featured DNS server. The operator can configure the rXg to be a primary, secondary or tertiary domain name server for any domain. Before using the DNS server features of the rXg, it is highly recommended that the administrative staff be familiar with the deployment and operation of the domain name system. Incorrect configuration may render the rXg inoperable. An excellent reference on the domain name system is DNS and BIND (ISBN 0596100574) by Cricket Lui and Paul Albitz.
To configure the rXg as a primary domain name server, the DNS glue records for the domain name must contain the IP address of an rXg uplink. To configure the rXg as a secondary name server, create a DNS zone specifying the primary name server in the master hostname field.
When using the rXg as a primary domain name server, proper DNS glue records must be in place. Most DNS registrars have a web application that enables glue record changes. Updates to glue records sometimes take days to propagate so it important to use a manually assigned static IP address for the rXg uplink.
With the DNS glue records in place, a new entry must be added to the DNS zone scaffold. Set the master hostname to the host name of the rXg and the hostmaster email to something appropriate. At a minimum, two entries must be added to the DNS records scaffold (the nameserver and address records for the rXg itself). Additional resource records may be added so that the rXg provides resolution of desired hostnames.
Dynamic DNS Clients
An entry in the Dynamic DNS scaffold enables the rXg to update third-party dynamic DNS services with the latest WAN IP address configuration. In most cases, a DNS record must be created on the third party dynamic DNS service before updates can be made by the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The protocol field determines the communication protocol that will be used to perform dynamic DNS updates. Most of the popular dynamic DNS services have developed their own proprietary protocols. In most cases, the protocol is synonymous with the service, making the choice obvious.
The login and password fields are the authentication credentials that are supplied to the dynamic DNS service when sending updates. These credentials must match those of the account at the third party service in order for updates to be authenticated and accepted.
The hosts field is a comma-delimited list specifying the DNS name(s) that are to be updated. Typically this will be the same DNS name that is specified in the domain name field of the device options scaffold.
The static and wildcard checkboxes modify the payload of the update message sent to the dynamic DNS service. Some services permit automated update of statically configured IP addresses. Usually there is a stipulation that the update frequency must be much lower than that of a dynamic IP. In addition, some services permit the use of wildcard DNS names so that a single entry can cover several hosts. If either kind of record is established on the third party dynamic DNS service, the appropriate checkbox must be set.
The protocol server field is an optional parameter that can be used to specify an alternate destination for dynamic DNS update messages. Since most dynamic DNS services use their own proprietary protocol, selecting a protocol usually determines the destination for the messages. This field enables the operator to override the default destination.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The IP address sent to the dynamic DNS service in an update message is the uplink IP address of the default rXg route. In single uplink scenarios, this is the network address that is statically associated with the uplink or the dynamic address acquired by the uplink via DHCP. In multiple uplink scenarios, the choice of the default route is controlled by the priority setting of the uplink.
DNS Zones
An entry in the DNS zones scaffold defines a new domain that the rXg integrated DNS server will respond to.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The domain name field configures the domain that this record will enable responses to.
The master hostname must be set to the fully qualified domain name of the primary master nameserver for this domain. If the rXg is to be the primary master nameserver for the domain, an address record must be configured in the DNS records scaffold.
The hostmaster email field specifies the administrative email address that is reported by the DNS server.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
DNS Records
An entry in the DNS records scaffold creates a new record in a zone specified in the DNS zones scaffold.
The host is the host name for this record. The host name is the parameter that is matched when a DNS query is made.
The type field determines the DNS resource record type. The list of dns record types and their function is defined by a series of RFCs published by the IETF.
The dynamic data and data fields define the payload for the DNS resource record. The use of dynamic data and data are mutually exclusive. If a dynamic data field is chosen from the drop down, the response to a query matching the host specified in this record will be the IP address of the uplink specified by the drop down. If data is populated and no dynamic data field is specified, then the response will contain the static payload configured in the data field.
The zone field specifies the DNS zone that this record will be attached to. If "DNS Override" is selected, the rXg will resolve this specific record to the data listed, but all other requests for the same domain will be forwarded on for normal DNS lookup via upstream providers. This avoids having to maintain all records for a domain when attempting to override a single A record.
Domains may be "black-holed" by creating two CNAME DNS Override records, one for domain.com and one for *.domain.com, and setting the data field for both records to "." (no quotes).
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
A complete reference of DNS resource records is found in BIND 9 DNS Administration Reference Book (ISBN 0979034213) by Jeremy Reed.
DNS Server
Entries in the DNS Server scaffold define configuration profiles for the rXg integrated DNS server.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
A properly configured DNS server takes part in a hierarchy of servers starting with the operator of the next hop network all the way to the root DNS servers. By default, the rXg is properly configured to forward requests to the next hop DNS servers. Clearing the request forwarding check box will force the rXg DNS server to make requests directly to the root. Avoid this configuration when possible.
The request forwarding order drop down menu determines the which DNS servers the rXg will query as the next hop. Dynamic servers are those that have been provided via WAN DHCP configuration. Static servers are those that have been manually configured by the operator using the DNS Servers scaffold of the WAN view of the rXg console. Choosing the dynamic,static option tells the rXg to query the dynamically assigned servers first and then the statically assigned servers. Choosing the static or dynamic options tells the rXg to limit queries to the selected set of servers. When multiple uplink control is deployed, the set of dynamic DNS servers is limited to those that are presented by the DHCP server of each pipe. Furthermore, the set of statically configured servers must be accessible via all pipes. This drop down has no effect unless request forwarding is enabled.
The originate queries from port 53 check box configures the DNS server so that upstream UDP queries originate from port 53. This setting may be required if a strict firewall is positioned between the rXg and the upstream DNS server(s).
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Example: Setup CloudFlare Dynamic DNS
Before we begin we must obtain an API Key from CloudFlare. Navigate to their site and login with your credentials. Click on the person icon in the upper right-hand corner.
Click on "My Profile".
Click on "API Tokens".
Click "View" on the "Global API key".
Enter your CloudFlare password when prompted.
Copy your API Key.
In the rXg navigate to Services::DNS and create a new Dynamic DNS Client.
Give the record a Name. Change the Protocol field to CloudFlare. Enter your email address into the Login field. Enter your API key into the Password field. The Host field is the FQDN to be updated in CloudFlare, and the Zone field is the root domain of the FQDN. Click Create.
When setup the scaffold will update when there is a change.
VPN
The VPN view presents the scaffolds associated with configuring the IPsec and OpenVPN services integrated into the rXg.
OpenVPN Servers
Entries in the OpenVPN Servers scaffold define configuration profiles for the rXg integrated SSL(TLS) VPN.
OpenVPN is an industry standard, open-source software application that the rXg leverages to implement virtual private network (VPN) techniques to create secure point-to-point connections in a routed configuration. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. The OpenVPN functionality allows peers to authenticate each other using certificates and/or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signatures and certificate authority. It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features.
https://community.openvpn.net/openvpn/wiki
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Each server represents a virtual network interface on a subnet specified by a related Network Address. A separate VPN instance exists for each configured server. A Network Address that is assigned to an OpenVPN interface cannot be configured on a traditional ethernet Interface or VLAN. All servers/networks operate in OpenVPN's TUN (tunnel) mode, which transports only layer 3 IP packets.
If the default gateway field is checked the client will use the VPN interface's IP as its default gateway and DNS server, and route everything over the VPN. An OpenVPN server's Network Address behaves similarly to any other routed subnet behind an ethernet interface or VLAN, in that IP clients behind it are subject to Policy enforcement. For example, creating an IP Group and Landing Portal Policy without a subnet filter for the VPN network would permit the client to access all networks. Conversley, a portal-enabled Policy could be deployed for the VPN client's network. If gateway redirect is not enabled on the server, then it will push routes for all other local networks to a VPN client, which allows it to route through the normal Internet whilst also having knowledge of networks behind the VPN. Note that like any other traditionally-attached subnet, or when the VPN is the default gateway, the routes pushed to the client do not necessarilly ensure firewall access to all networks. In general, an OpenVPN client can also manipulate its routing table independently on a per-client basis.
Authentication from a client may be multi or single-factor via certificates ( require certificate ) and/or username/password ( require login ). If certificates are required, clients must have a unique certificate installed to authenticate. The certificate must be signed by the same CA as the OpenVPN Server's certificate. If multiple devices need to use the same client certificate, the allow duplicate certificates field must be checked, otherwise only one connection per certificate Common Name is permitted. Requiring a unique certificate per client is more secure, but requires each client to have a unique configuration.
If client-to-client behavior is enabled, then clients on the same virtual network can route to each other as if the firewall was disabled. This does not include L2 traffic. Otherwise, if this behavior is disabled, all traffic is forced to route through the rXg and is thus filtered according to Policy enforcement. This should only be enabled when_everyone_ connecting to the same OpenVPN Server should be allowed to communicate.
Configuring the Admin Roles or Account Groups fields permit corresponding Admins and/or Accounts access to the VPN via login. If client certificates are required, the login is only half the authentication process. If client login is not required then these selections are ignored. It is recommended that operators (Admins) and end-users (Accounts) connect to separate OpenVPN Servers. In the case where an OpenVPN Server has Admins and Accounts allowed, an Admin having the same login as an Account always takes precedence for login and instrumentation purposes.
The port and protocol fields define how a client initially connects to the VPN server. A TCP and UDP server may be configured to run on the same port. There are advantages and disadvantages to either protocol (OpenVPN tcp vs udp).
An OpenVPN Server must have a Certificate configured. This identifies the server's certificate and private key in additon to the Certificate Authority (CA) that establishes the PKI used to trust clients. The selected Certificate must be associated with and created from a local Certificate Authority. The certificate must be marked for server usage, meaning it was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. This can be done when creating the Certificate Signing Request (CSR). This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server.
The cipher and digest options affect the strength of the underlying encryption, where a longer key length increases security and reduces throughput performance. Data compression is enabled by default and is very efficient when LZ4 is employed, which reduces the bandwidth requirements of the VPN at the expense of additional overhead on the client and server.
The TLS-auth option adds an additional layer of HMAC authentication on top of TLS to mitigate DoS and other attacks againist the TLS layer. This is accomplished by including a unique key that resides on top of TLS. The key is generated behind the scenes when an OpenVPN Server is created, and included in the client config output. If a client is configured manually and this is enabled, then the operator must obtain the key from the record via scaffold show action.
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Clicking the Download Config link will generate an OpenVPN config (.ovpn) file containing the necessary client connection parameters based on the server's configuration, including the Server certificate. Currently, if a client certificate is required, it must be generated manually via the local CA and installed in the client along with the config file.
IPsec VPN
IPsec is an industry standard mechanism that enables secure communication between two nodes or networks that are connected by a potentially insecure IP transit. The rXg supports bidirectional site-to-site IPsec VPNs between rXgs and between rXgs and other kinds of routers. In addition, the rXg may be configured to be a concatenator for host-to-site VPNs originating from nearly any operating system.
Site-to-site VPNs are typically used to enable secure bidirectional communication between two private IP blocks that are behind different routers that are located in geospatially distinct locations. For example, if a WISP has three distinct fixed wireless broadband coverage areas, all three could be linked together via site-to-site VPNs. This could be used as part of a revenue generation strategy such as allowing business customers to access their systems from home for an additional fee.
Site-to-site VPNs are very useful in geospatially diverse deployments that are connected via a central cluster controller. Establishing site-to-site VPNs between the rXgs and the cluster controller enables the operator to easily access all nodes at any part of the network. It is important to keep in mind that the private LAN addresses blocks behind the various rXgs be kept distinct as having the same private LAN block behind two rXgs would cause routing confusion.
Host-to-site VPNs are often used by operators for remote administration. An operator that is on the WAN side of a rXg may use host-to-site IPsec VPNs to directly access machines that are connected to a private address range. In a typical deployment, LAN equipment is assigned IP addresses from private ranges that cannot be reached from the WAN. An operator who is on the WAN side on the rXg (e.g., away on business) that wishes to have complete and direct access to the LAN equipment private address range would setup a host-to-site IPsec VPN using the rXg as the concatenator.
Host-to-site VPNs are also used as a revenue generation mechanism as they are typically sold as a premium service or as a value-added extra part of business class service. End-users originating traffic from the LAN side of the rXg may create a host-to-site VPN using the rXg as a concatenator to protect their traffic from sniffers present in the distribution network. Of course, end-users may also be sold host-to-site VPNs as a mechanism for remote connectivity to nodes addressed on a private LAN.
The rXg uses an industry standard reference implementation of the IPsec suite. Site-to-site VPNs are easily established between an rXg and nearly any other router that supports IPsec VPNs. In addition, site-to-site and site-to-host VPNs may be established between the rXg and almost any operating system released since 2005. Most operating systems have a built-in IPsec stack that is meant to be configured by a trained and certified specialist. However, VPN client software (e.g., Greenbow for Windows and IPsecuritas for Mac OS X) simplify the process to the extent that anybody with a working knowledge of basic TCP/IP can accomplish the task.
IPsec Tunnels
An entry in the IPsec tunnels scaffold is used to configure a site-to-site IPsec VPN.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The specification field selects the credential and encryption settings for this IPsec tunnel. It is critically important to ensure that the settings in the chosen IPsec specification matches those of the node at the other end of the site-to-site VPN created by this IPsec tunnel.
The Pre-Shared key and Certificates fields are used to configure the certificates or pre-shared key that will be used for authenticating IPsec tunnels that use this IPsec specification. The operator may choose to use one or more certificates or a pre-shared key but not both. If one or more certificates are chosen, then the node at the other end of the IPsec tunnel must have the matching private key. If a pre-shared key is chosen, then the node at the other end of the IPsec tunnel must have the exact same pre-shared key programmed.
The addresses and static routes checkboxes specify which LAN address blocks will be forwarded to the remote node of this site-to-site VPN.
The remote gateway field specifies the IP address of the node at the other end of this site-to-site IPsec VPN.
The remote networks field specifies the IP address blocks at the other end of this site-to-site VPN that will be routable once the VPN is established.
Conflicts between addresses or static routes and remote networks will cause severe routing problems. In situations where multiple site-to-site VPNs will be deployed, it is critically important to carefully plan the addressing across all current and potential future networks.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
IPsec Specifications
An entry in the IPsec specifications scaffold defines an IPsec policy that can be used for bidirectional site-to-site VPN tunnels as well as host-to-site VPN concatenation.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The IKE Version field allows the operator to select which IKE(Internet Key Exhange) version to use for the tunnel. IKEv1 and IKEv2 are supported.
The phase 1 and phase 2 groups are used to configure the encryption specifications for the initialization and operational phases of a IPsec tunnel. The chosen encryption , authentication , Diffie-Hellman group , exchange mode and proposal check must exactly match the settings on the node at the other end of the IPsec tunnel.
The encryption field specifies the algorithm that will be used for bulk encryption of the packet data that will transit the VPN connection. The DES option is included for reference only and should be avoided as it is trivially broken given contemporary computing power. The 3DES and AES options are the most compatible and generally accepted to be strong enough for most purposes. AES is preferable as it is the new government standard encryption protocol. Blowfish and CAST are less known protocols but widely believed to be as strong if not stronger than AES but not as well supported.
The authentication field specifies the algorithm that will be used for generating cryptographic hashes to authenticate data passing through the VPN connection. The MD5 option is included for reference only and should be avoided as researchers have discovered methods to break it. The SHA1 option is the most compatible option as it is broadly supported. If possible, the SHA256, SHA384 or SHA512 options as researchers have found a handful of minor vulnerabilities in SHA1 to date.
The Diffie-Hellman group and PFS group fields configure the strength of the encryption keys that will be used to protect the session keys used by the encryption algorithm. The stronger the key, the less likely that it will be broken. However, the stronger the key, the more CPU utilization and entropy it will consume and less compatible it will be. The Group 1 / 768 bit key length option should be avoided unless the other end of the VPN cannot support any other option. The Group 2 / 1024 bit key length is the absolute minimum key strength that should be used for a production environment. The longer key lengths are recommended if the other end of the VPN connection supports it.
The lifetime field configures the length of time in seconds of the security association. A shorter lifetime causes the system to rotate keys more often (potentially increasing security). As a result, shorter lifetimes will increase CPU utilization and entropy consumption.
The nonce field configures the size of the "number used once" for IPsec initialization. A longer nonce helps prevent replay attacks, but trades off CPU utilization and entropy consumption. A longer nonce is also less compatible with other IPsec implementations.
IPsec Server
Entries in the IPsec Server scaffold define configuration profiles for the rXg integrated IPsec server.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Pre-Shared key and Certificates fields are used to configure the certificates or pre-shared key that will be used for authenticating IPsec tunnels that use this IPsec specification. The operator may choose to use one or more certificates or a pre-shared key but not both. If one or more certificates are chosen, then the node at the other end of the IPsec tunnel must have the matching private key. If a pre-shared key is chosen, then the node at the other end of the IPsec tunnel must have the exact same pre-shared key programmed.
The anonymous specification field selects the credential and encryption settings for anonymous IPsec connections (i.e., where the client's originating IP address is unknown). Pre-shared-key authentication may not be used for anonymous connections. An anonymous IPsec client must authenticate using a certificate. The certificates to be used by the anonymous clients should be configured in the IPsec Specifications scaffold for the selected anonymous specification. It is critically important to ensure that the settings in the chosen anonymous specification match those of the IPsec client.
The certificate field specifies an alternate certificate to configure the IPsec server with.
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Site-to-site IPsec VPN Configuration
Site-to-site IP-sec VPNs enable devices that are behind VPN concatenators to communicate with each other securely without any configuration changes to the end-user devices. In most cases, site-to-site IPsec VPNs are deployed with privately addressed end-user devices behind the VPN concatenators. Without a site-to-site IPsec VPN, the privately addressed devices would not be able to initiate communication with each other due to the one-way nature of network address translation. Consider the following network diagram:
In this example, we have two rXgs and we desire to create a site-to-site IPsec VPN to enable two way communication for devices that are on private addresses behind the rXgs. We will call the rXg on the left with WAN IP 66.67.68.2 east and the rXg on the right with WAN IP 55.45.35.2 west. The network dashboard of the_east_ rXg is shown below:
The rXg IPsec VPN feature is compatible with a broad spectrum of IPsec implementations. It is not necessary for a site-to-site VPN to be established between two rXgs. We have used two rXgs in this example so that we can best illustrate the appropriate configuration for either end of the site-to-site VPN. The network dashboard of the_west_ rXg is shown below:
Notice that both rXgs have a single private LAN block associated with them. The east rXg has 192.168.6.0/24 behind it and the west rXg has 192.168.7.0/24 behind it. When configuring IPsec VPNs, it is critically important to ensure that the networks behind the various endpoints of the IPsec VPN do not intersect. This is because IPsec depends on a valid L3 (routing layer) configuration in order to operate.
Establishing a site-to-site VPN is simply a matter of creating a single record in the IPsec Tunnel scaffold on both ends of the connection. The remote gateway field must be set to the IP address of the concatenator on the other end of the site-to-site VPN. The remote networks field must contain the CIDR of the block present on the other end of the site-to-site VPN.
Following our example, the IPsec tunnel record on east(which has WAN IP address 66.67.68.2, LAN address 192.168.6.1 / 24) must have the following settings:
- remote gateway - 55.45.35.2
- remote networks - 192.168.7.0/24 Below is a screenshot of the configuration that is present on east:
Similarly, west (which has WAN IP address 55.45.35.2, LAN address 192.168.7.1 / 24) must have the following settings in the IPsec tunnel record:
- remote gateway - 66.68.67.2
- remote networks - 192.168.6.0/24 Below is a screenshot on configuration that is present on west:
Notice that the IPsec Tunnel records depend on the existence of an IPsec Specification record in order to configure the encryption protocol and keys for the tunnel. In the configuration screenshots shown above, we seen that the specification is referenced as PSK for S2S. A screen shot of the configuration for_PSK for S2S_ that is present on both east and _west_is shown below:
Since we are configuring a site-to-site VPN, we are assuming that both ends of the connection are controlled by trusted parties. Thus we will use a pre-shared key to secure the connection. To accomplish this, we will create a new record in the IPsec Specifications scaffold on both the east and west rXgs. To get a site-to-site IPsec VPN up and running, the individual choices for the encryption protocol and credentials are not as important as the simple fact that they must be exactly the same on both machines. Using a strong pre-shared key is obviously a prerequisite to maintaining the confidentiality and integrity of the VPN.
Several templates are provided as examples for strong, medium and minimum security configurations. The minimum security configuration is the least secure against brute force attacks but is the most compatible. The template for the most secure setting will only function with KAME derived IPsec stacks such as the ones present in OpenBSD and FreeBSD. For more information on the precise meaning behind each of the settings, we recommend reading information that may acquired via a search on IPsec. When configuring a site-to-site VPN, keep in mind that even the slightest difference in a single setting will prevent the site-to-site IPsec VPN from initializing.
For your reference, the complete IPsec configuration for both_east_ and west is shown below:
Once we have this configuration in place on both east and_west_, devices on the 192.168.6.0 / 24 private network behind_east_ may directly contact devices on the 192.168.7.0 / 24 private network behind west and vice versa. Note that absolutely no configuration changes needs to be made on the end-user devices whatsoever. All of the encryption, decryption and routing between the private networks is handled by the IPsec VPN endpoints, which in this case are the east and west rXgs.
For example, let us assume there is a Windows XP laptop behind_east_. The XP machine will acquire a DHCP address in the 192.168.6.0 / 24 CIDR. Similarly, let us assume there is a Windows 2003 server behind west that is on the 192.168.7.0 / 24 CIDR. Given the site-to-site VPN configuration that we have created on the rXgs, the XP laptop will be able to directly communicate with the Win2k3 server without any configuration changes to the clients.
The screenshot below shows the desktop of the Windows XP laptop that is behind east. It has acquired address 198.168.6.100 / 24 from the east rXg. Notice that it can ping the private address 192.168.7.100 directly. The 192.168.7.100 address is configured on the Windows 2003 Server that is behind the _west_rXg.
No configuration changes were made to the Windows XP laptop whatsoever. The Windows XP laptop has no knowledge that the 192.168.7.100 is behind the west rXg. The 192.168.7.100 could be on the other side of the world and the XP laptop would not know any better. Furthermore, the XP laptop does not do any encryption or decryption of traffic. It merely sends traffic to the east rXg which does all of the work in encrypting and forwarding the traffic to the west router for delivery to 192.168.7.100.
The screenshot below shows the desktop of the Windows 2003 Server that is behind east. It has an address of 198.168.7.100 / 24 which is behind the west rXg. Notice that it can ping the private address 192.168.6.100 directly. As depicted in the previous screenshot, the 192.168.6.100 address belongs to the Windows XP laptop behind the east rXg.
The Windows 2003 Server has no knowledge about the site-to-site IPsec VPN. The Win2k3 server simply forwards packets to the_west_ rXg which does all of the work involved in the encryption and routing of packets to 192.168.6.100 via east.
The site-to-site IPsec VPN enables routing between private networks to occur over the public Internet that is otherwise not possible. Once established, any network application may be used. In the screenshots below, the Windows XP client on 192.168.6.100 behind east_is shown initiating and utilization a remote desktop connection to manage the Windows 2003 Server on 192.168.7.100 behind _west.
Site-to-site IPsec VPNs enable RGN operators to have secure remote access to all of their various networks. Any devices that is on a private network behind an rXg may be accessed as if it is a local device at the other end of the site-to-site VPN without any configuration changes to the devices themselves. The possibilities of what site-to-site IPsec VPNs may be used for is limitless. Many RGN operators deploy site-to-site VPNs for remote access as demonstrated above. Another frequent use of site-to-site VPNs is for monitoring. For example, site-to-site VPNs may be used to enable a central site to have a single network monitoring system (NMS) or element monitoring system (EMS) to monitor multiple remote networks.
Host-to-site IPsec VPN Configuration
Host-to-site VPNs are used with the rXg to securely route data between a specific end-user device and the rXg. Host-to-site VPNs may be initiated to the rXg from the WAN or the LAN. The process and technical steps of creating either a WAN to rXg or LAN to rXg host-to-site VPN are identical. However, the use case and business reasons for using the two topologies are radically different.
If the end-user device is on the WAN-side of the rXg, a host-to-site VPNs is usually deployed for the purpose of remote access to local privately addressed machines similar to a site-to-site VPN. However, a host-to-site VPN obviates the need to deploy and configure a VPN concatenator on the end-user network.
A WAN host-to-site VPN is the appropriate methodology to use with a mobile client used by a network administrator that requires access to privately addressed resources when the mobile client must connect to networks which the administrator does not control. For example, if the mobile client uses a wireless WAN connection (e.g., cellular 3G), it would be more difficult to install a VPN concatenator for site-to-site VPN than it would be to configure the device for host-to-site VPN. The use of host-to-site VPNs is ubiquitous in enterprise networks to the extent that even mobile phones operating systems such as Symbian, Windows Mobile and Apple iPhone OS are capable of initiating host-to-site VPNs.
Host-to-site VPNs originating from the LAN-side of the rXg are typically deployed as a facet of revenue generation for the operator. Popular media has helped educate most end-users to understand that there are many security issues present when computer networks are used. This effect may be exploited by RGN operators for the purpose of generating additional revenue by offering security related premium services.
For example, if the LAN distribution mechanism is wireless, a host-to-site IPsec VPN upgrade may be offered to end-users to provide confidentiality and integrity to the traffic over the wireless portion of the Internet link. Enabling the anonymous IPsec VPN capability and integrating the generation of a client certificate into the rXg captive portal allows operators to enjoy zero operator intervention provisioning of host-to-site VPNs.
Host-to-site IPsec VPNs typically use public key cryptography in order to authenticate the initiating hosts. Each initiating host must have a unique keypair in order to ensure the confidentiality and integrity of the IPsec VPN connection. In addition, the IPsec VPN concatenator must identify itself with a keypair to the initiating client. The rXg uses X.509 certificates and private keys for the purposes of authenticating both ends of a host-to-site IPsec VPN.
The rXg expects that the operator has stored certificates for each of the hosts that will be initiating a host-to-site IPsec VPN in the certificates scaffold on the certificates view. When a host-to-site IPsec VPN connection is initialized, the rXg expects that the initiating client will authenticate by using the matching private key to sign an authentication credential. Similarly, the rXg must be configured with a private key and certificate for authenticating the site. The initiating client is assumed to have a copy of the rXg certificate and the rXg will sign an authentication credential with the matching private key.
The certificates view of the rXg administrative console may also be used to create keypairs that may be used for authenticating host-to-site IPsec VPNs. To accomplish this, use the certificate authorities scaffold to create a new authority that can be used to sign certificate signing requests to fully populate certificates. For more information, please see the documentation on the certificates view.
In order to instantiate a host-to-site IPsec VPN, configuration changes must be executed on both the rXg and the end-user device. However, the same process is used to configure the end-user device and the rXg to enable a host-to-site IPsec VPN concatenator regardless of whether the VPN will be initiated from the WAN or LAN. Let us consider the east rXg that was discussed earlier. The configuration and network diagram for the east rXg is shown below:
The rXg must be configured to allow anonymous connections to enable the host-to-site IPsec VPN capability. To accomplish this, an entry in the IPsec servers scaffold must be created that specifies the site authentication certificate. The IPsec server record must be linked to a IPsec specification record that defines the encryption protocol as well as the client certificates that will be accepted for connection initiation.
The configuration steps of the end-user device needed to setup a host-to-site VPN follow the same pattern regardless of the operating system of the end-user device. At a bare minimum, the following items need to be configured in order for a host-to-site IPsec VPN to be established:
- host certificate
- host private key
- IP address of VPN router
- remote network CIDR
- encryption protocol and associated parameters The precise steps that are needed depend on both the operating system as well as the VPN client software. Many popular operating systems have "bare metal" VPN clients built into them that are suited for operation by IT professionals. However, in almost all cases, user friendly VPN client GUIs are available from both free and commercial sources.
The IPsec capabilities of all recent versions of Microsoft Windows is configured using the Microsoft Management Console. Depending on the specific of Windows, the MMC snap-in will be called something like "IP Security Policy Management" or "Windows Firewall with Advanced Security." Search the web for Microsoft'sstep by step guide to deploying Windows firewall and IPsec policies and review pages 15-17 as well as 89-91 for specific instructions. For those who are less technically inclined, we have that the Greenbow VPN client greatly simplifies the creation of host-to-site IPsec VPNs on Windows.
The MacOS X operating system incorporates numerous open source components into its IPsec VPN stack. This makes the MacOS X IPsec VPN one of the most compatible of the commonly available commercial offerings. However, the command line configuration is needed to setup the IPsec stack for the vast majority of use cases. For this reason, we recommend that users download and install the IPsecuritas freeware GUI to configure host-to-site IPsec VPNs between MacOS X clients and rXgs.
Example OpenVPN Configuration
- Create certificate
- Create Networking
- Configure OpenVPN in rXg Navigate to System-->Certificates. If there are no Certificate Authorities we will need to create one to self sign our OpenVPN certificate. Click Create New on the Certificate Authorities scaffold.
Name is arbitrary and be set to anything. Days by default will be 825. Common Name does not need to resolve for the purposes of using OpenVPN. Fill out the remaining fields with the appropriate information for your location. Click Create.
Next create a new Certificate.
For the certificate only the name needs to be entered at this step. Verify CA is set to Local CA. Click Create.
Next create a new Certificate Signing Request.
Verify that the Certificate field is set to the correct certificate. Sign mode should be set to Generate CSR and sign with linked local Certificate Authority. Common Name should match the Common Name in the Certificate Authority. Fill out the remaining fields with the appropriate information if applicable. Click Create.
Next we need to create the networking that will be used for devices connecting to the OpenVPN. Navigate to Network-->LAN, and create a new Network Address.
Enter a name. Make sure that Interface is set to -select- for each box. The IP field will be the addresses available to devices connecting via OpenVPN and should be entered in CIDR notaton. Autoincrement and Span should be left set to 1, do not check Create DHCP Pool. Click Create.
Navigate to Services-->VPN and create a new OpenVPN Server.
Enter a name, or use the default. Under Client Configuration Network should be set to the Network Addresses we created earlier. If you want traffic to route through the remote system check the Default gateway option. Require login is checked by default and this prevents access except for Admin Roles we have selected in this example. Server Options will be left at their default values for this example. WAN Targets can be selected to further restrict access if desired. Click Create.
Now the config can be downloaded from the rXg and imported into a VPN client of choice.
Notifications
The notifications view presents the scaffolds associated with configuring templates for email, SMS, webhooks, and event health notices in response to events.
The notification actions scaffold enables clear communication to the RG end-user population, operators and administrators, as well as other systems.
Email is one of several end-user communication methods that are used to create a complete revenue generating network strategy. Email is an important part of the feedback loop when end-users purchase services. Event-based email notifications bring confidence to the end-user by offering a "receipt" when billing events occur. In addition, email can be used for marketing and administrative communication conveyance.
The rXg also uses email as a mechanism to communicate events to administrators. Events may be end-user related such as the service purchase case discussed before, or they may be system generated. Examples of system generated events include, but are not limited to, output from daily, weekly and monthly recurring system maintenance tasks, changes to uplink and monitored node status as well as detection of internal system problems.
The rXg sends emails to administrators and end-users when certain events occur (e.g., account creation, plan selection, etc.). These event-based email notifications draw from templates defined in the custom messages template. The templates may be customized for content, look and feel as well to change the language to match the locale.
custom message templates also be used by the administrator initiated bulk email jobs. For example, the administrator may wish to send some or all end-users an email indicating a maintenance window, a reduced price service special or a paid advertisement from a partner.
The rXg email mechanism also helps operators generate revenue by enabling bulk email marketing. For example, if an operator becomes an affiliate marketing program subscriber, the operator will receive email notifications of special offers. In many cases, affiliate marketing program subscribers are given the opportunity to offer exclusive discount codes to their market base as a purchasing incentive. When an operator receives such a notification, a new email template incorporating affiliate program linkage and incentive information may be formulated and a job created broadcast to the end-user population. The operator is then issued a credit For end-users who take advantage of the opportunity described in the bulk email.
Significant operational cost reduction may also be achieved through the use of the rXg bulk email mechanism. Notification of maintenance windows, end-user surveys, promotions and well-checks may all be accomplished via the bulk email mechanism. Using the bulk email mechanism minimizes the hours utilized by support staff to communicate system and network administration events. In addition, keeping end-users informed often and ahead of time helps reduce support load in maintenance situations.
Below is an example Custom Message that reports to the recipients the amount of revenue generated in the previous 24 hour period:
<p>Good Morning,</p>
<%
rev = ArTransaction.where(['created_at > ?', 24.hours.ago]).sum(:credit)
%>
<p>Your network generated $
<b><tt><%= sprintf("%.2f", rev) %></tt></b>
yesterday. Have a nice day.
</p>
The Ruby script embedded inside the Custom Message above performs a calculation on the ArTransactions to generate a report for the recipients. Ruby scripts may also perform write operations on the database. For example, below is a Custom Message that is configured to be sent to a guest services representative on a daily basis.
<p>Good Morning,</p>
<%
todays_credential = sprintf("%x%d", rand(255), rand(9999))
scg = SharedCredentialGroup.find_by_name('Guests')
scg.credential = todays_credential
scg.save
%>
<p>Today's shared credential for guest access is:</p>
<p><b><tt><%= todays_credential %></tt></b></p>
<p>Thank you.</p>
The Ruby script embedded inside the Custom Message changes the designated Shared Credential Group to a randomly generated value and notifies the associated administators.
Adding Graphs to Custom Messages
Network, System, and Accounting graphs may be added to your custom messages in order to provide enhanced reporting emails to operators and administrators. By selecting associated Graph records in the custom messages's configuration, the system will automatically generate and attach PNG images of those graphs to the email as attachments.
Additionally, graph images may be inserted into the body of an email by calling the insert_attached_graphs method inside the body. The method takes an optional argument specifying the resolution of the image, such as_1000px*600px_ (the default). The resulting images will be stored on the rXg in a publicly accessible directory such that they may be retrieved by email clients.
For example, below is a Custom Message that inserts all associated graphs into the body of the email, separated by a line-break (<br>).
<h2>Weekly Report</h2>
<h3><%= Date.today.strftime("%a, %B %d, %Y") %></h3>
<br>
<%= insert_attached_graphs('1200px*700px') %>
If you wish to exercise greater control over the structure of your HTML email, you may provide a block to the method. The block will yield an array of hashes in the format of { graph_object => image_tag_string }. The array may be iterated over to insert each image tag into your desired HTML structure. For example:
<h2>Weekly Report</h2>
<h3><%= Date.today.strftime("%a, %B %d, %Y") %></h3>
<br>
<table>
<% insert_attached_graphs('600px*500px') do |graph_tags| %>
<% graph_tags.each do |graph, image_tag| %>
<tr> <td align="center" style="font-size:34px"><%= graph.title %></td> </tr>
<tr> <td align="center" style="font-size:14px"><%= graph.subtitle %></td> </tr>
<tr> <td><%= image_tag %></td> </tr>
<% end %>
<% end %>
</table>
Webhooks, and Webhook Targets
The webhooks and webhook targets scaffolds enable an operator to integrate other systems with the rXg. Webhooks user defined HTTP callbacks which are triggered by specific events. The events are configured in the notification actions scaffold. When the triggered event occurs, a webhook gathers the required data (headers, and body), and sends it to the configured URL.
An entry in the webhook targets scaffold defines a set of 'global' parameters that all webhooks configured for the target will use. These include the Base URL, body formatting, error code response, as well as any global HTTP headers, or query parameters an operator may need to configure. This enables the flexibility to configure multiple unique webhooks, utilizing a common target, and eliminates the need for repeating common elements such as API-keys, or content-types on each configured webhooks
An entry in the webhooks scaffold defines the parameters for a single webhook. A webhook must have an associated webhook target, containing the base URL. The specific endpoint path is defined in the webhook scaffold entry. The path will be appended to the webhooks configured target base URL. An operator can override the base URL by starting the webook path with a /
. The HTTP request method, as well as the body or data is also configured within the webhook scaffold. Any additional HTTP headers, or query parameters that are unique to the configured webhook can be added.
Notification Actions
An entry in the notification actions scaffold defines an event of which the rXg should complete the selected action(s). Events can include database changes, time and/or location based triggers, and more.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The event type field selects what kind of events should trigger a configured action. Depending on the selection, additional options may be rendered for operator configuration. For database changes, an operator can select Watch Scaffold
, choose the appropriate modifiers (create, update, and/or delete).
The messages field configures a custom message to be sent when the criteria of the event is met. The message recievers are configured in the custom messages scaffold entry.
The webhooks field defines configured webhooks to be triggerd when the criteria of the event is met.
The health notice field defines whether the system should send a health notice. Choosing default
will result in the default behavior of a configured event. For instance, "Certbot Failure" is configured to send a health notice on failure. If the event does not have a default health notice action, nothing is changed, and no health notice is sent. Choosing Disabled
, will override the configured default health notice the event type, and not send it. For instance, with "Certbot Failure", choosing disabled will disable a health notice from being sent. Choosing Custom
allows the operator to configure or override an existing health notice. For instance, "Watch Scaffold :: Administrators" wouldn't trigger a health notice by default. Choosing custom would allow an operator to configure a health notice for this event type.
Custom Messages
An entry in the custom messages scaffold creates a template that can be used for email notifications and bulk emails originating from the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The event drop down associates this template with an event which will trigger an email notification to an end-user. If no event is chosen, the template is assumed to be used in only an email campaign.
The from field defines the address from which emails sent using this template will originate. This email address should lead to an account that is regularly monitored because end-users who receive emails based on this template are likely to reply with questions.
The account and admin roles check boxes enables automatic sending of emails using this custom message for event notification. If the account check box is checked, then the custom message template will be populated with the appropriate data and transmitted to the end-user when the selected event occurs. Similarly, when one or more admin roles check boxes are checked, the custom message template will be populated with the appropriate data and send to the administrators who are linked of the to the checked admin role.
The subject and body fields define the payload of the email template. Place the desired content for the subject and message into the appropriate field. Placeholders for variable substitutions begin and end with the percent sign and must refer to fields from the usage plans or accounts scaffolds. For example, %account.first_name% %account.last_name%
will be substituted for the full name of the end-user being targeted by the email. See the full manual page for more information about the values available for substitution.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Email Campaigns
An entry in the email campaigns scaffold defines a bulk email job. Once the job is complete (i.e., all emails are queued for transmission), the entry in email campaigns is automatically deleted.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The custom message field selects the template that will be used for this bulk email job. The template payload is defined in the custom messages scaffold.
The account groups field configures the set of end-users who will be sent the email template selected by the custom message via this job. The members of the groups are controlled by the account groups scaffold on the accounts view of the identifies subsystem.
The start at field defines the starting time and date for this job. If the value of the start at field is before the current date and time, the job will be started immediately. If the start at is set to the future, the job will start at the specified future date and time.
A job is automatically deleted after it is finished. The optional frequency field determines if this job is run more than once, and how often. The optional end at field defines when a repeat job is finished. A job with a set frequency and a blank end at field will repeat indefinitely at the configured frequency. A periodic job with a configured end at field is deleted when the time of the next iteration exceeds the end at date/time.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
SMS Gateways
The SMS Gateways scaffold enables the creation of an SMS Gateway service which will be utilized for verifying a user's mobile number for the purpose of new account signups and/or password resets.
The name field identifies this SMS Gateway in the system.
The provider field specifies which provider this SMS Gateway relates to. Select a supported provider from the list.
The from field specifies the phone number, shortcode, or Alphanumeric Sender ID (not supported in all countries) to be used when sending SMS messages through this gateway. This value must correspond to a number purchased from or ported to the provider.
The Account SID and Auth Token fields specify the API credentials used to access the provider's REST API, and may be obtained from your dashboard within the provider's website.
The Usage Plans selections determine which usage plans are configured to utilize this SMS Gateway. The usage plan must also specify a validation method which includes SMS in order for messages to be sent via SMS.
The Splash Portals selections determine which splash portals are configured to utilize this SMS Gateway for the purposes of performing password resets. Accounts with a valid mobile phone number may request a password reset token via SMS or Email, depending on the password reset method specified in the splash portal.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
For more information, see the SMS Integration manual entry.
Webhook Targets
An entry in the webhook targets scaffold defines a remote endpoint the rXg should send configured webhooks to.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The base url field should be configured with the top-level/base URL of the remote API endpoint. This allows for flexibility to have multiple webhooks configured to use the same target.
The persistent connection checkbox configures the rXg to send 'keep-alive' headers and persist the connection state.
The resend on failure checkbox configures the rXg to attempt resending if the initial connection fails.
The error status codes field defines a list of codes that should be considered error responses. The use of wildcard 'x' is available to the operator. Examples include: (400, 401, 4xx, 500, 5xx, 50x).
The body format selector defines the formatting of the body of webhooks configured to use this target. Selecting JSON
automatically addsapplication/json
to the HTTP Header content-type. SelectingProtobuf
requires the operator to define a protobuf schema.
The body encoding selector defines an optional encoding scheme. Options include RAW (no encoding), Base64, and Base64 w/newline every 60 characters.
The webhook properties fields allow the operator to define additional HTTP Headers, or Query Parameters to send globally with all webooks configured to use this target.
Webhooks
An entry in the webhooks scaffold defines the body, target, method, and additional HTTP Headers and/or Query Parameters for a configured webhook.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The notification actions field displays what actions this webhook is configured for.
The webhook target dropdown configures the webhook target this webhook will use.
The path field is appended to the base url of the webhook target. This allows multiple webhooks to use the same webhook target, and be configured for unique endpoints.
The body field contains the body of the webhook.
The buffer field configures a time period (in minutes) before sending the webhook. "0" will disable buffering.
The webhook properties selector defines an optional encoding scheme. Options include RAW (no encoding), Base64, and Base64 w/newline every 60 characters.
The webhook properties fields allow the operator to define additional HTTP Headers, or Query Parameters to send only with this individual webhook.
Substitution
Payload fields may contain special keywords surrounded by % signs that will be substituted with relevant values. This enables the operator to deliver values stored in the database as part of the payload.
List of objects available:
Account Create | Usage Plan Purchase | Transaction: success/failure |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
ip_group | login_session | login_session |
login_session | usage_plan | merchant |
usage_plan | account | payment_method |
account | merchant_transaction | |
usage_plan | ||
account |
Credit Card Expiring | Coupon Redemption | Account Charge: success/failure/no response |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | coupon | login_session |
payment_method | login_session | payment_method |
usage_plan | usage_plan | response |
account | account | usage_plan |
account |
Trigger: Connections | Trigger: Quota | Trigger: DPI |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | login_session | login_session |
max_connections_trigger | quota_trigger | snort_trigger |
transient_group_membership | transient_group_membership | transient_group_membership |
account | account | account |
Trigger: Time | Trigger: Log Hits | Health Notice: create |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | login_session | health_notice |
time_trigger | log_hits_trigger | |
transient_group_membership | transient_group_membership | |
account | account |
Health Notice: cured |
---|
cluster_node |
custom_email |
device_option |
health_notice |
List of objects available for all associated record types:
Aged AR Penalty |
---|
cluster_node |
custom_email |
device_option |
aged_ar_penalty |
login_session |
payment_method |
usage_plan |
account |
List of attributes available for each object:
account | usage_plan | merchant |
---|---|---|
id | id | id |
type | account_group_id | name |
login | name | gateway |
crypted_password | description | login |
salt | currency | password |
state | recurring_method | test |
first_name | recurring_day | note |
last_name | variable_recurring_day | created_at |
automatic_login | updated_at | |
usage_plan_id | note | created_by |
usage_minutes | created_at | updated_by |
unlimited_usage_minutes | updated_at | signature |
usage_expiration | created_by | partner |
no_usage_expiration | updated_by | invoice_prefix |
automatic_login | time_plan_id | integration |
note | quota_plan_id | store_payment_methods |
logged_in_at | usage_lifetime_time | live_url |
created_at | absolute_usage_lifetime | pem |
updated_at | unlimited_usage_lifetime | scratch |
created_by | no_usage_lifetime | dup_timeout_seconds |
updated_by | recurring_retry_grace_minutes | |
mb_up | recurring_fail_limit | |
mb_down | prorate_credit | |
pkts_up | permit_unpaid_ar | |
pkts_down | pms_server_id | |
usage_mb_up | lock_devices | |
usage_mb_down | scratch | |
unlimited_usage_mb_up | max_sessions | |
unlimited_usage_mb_down | max_devices | |
company | unlimited_devices | |
address1 | unlimited_sessions | |
address2 | usage_lifetime_time_unit | |
city | max_dedicated_ips | |
region | pms_guest_match_operator | |
zip | recurring_lifetime_time | |
country | recurring_lifetime_time_unit | |
phone | unlimited_recurring_lifetime | |
bill_at | sms_gateway_id | |
lock_version | validation_method | |
charge_attempted_at | validation_grace_minutes | |
lock_devices | max_party_devices | |
relative_usage_lifetime | unlimited_party_devices | |
scratch | upnp_enabled | |
portal_message | automatic_provision | |
max_devices | conference_id | |
unlimited_devices | ips_are_static | |
max_sessions | base_price | |
unlimited_sessions | vtas_are_static | |
max_dedicated_ips | manual_ar | |
account_group_id | ||
email2 | ||
pre_shared_key | ||
phone_validation_code | ||
email_validation_code | ||
phone_validated | ||
email_validated | ||
phone_validation_code_expires_at | ||
email_validation_code_expires_at | ||
max_party_devices | ||
unlimited_party_devices | ||
nt_password | ||
upnp_enabled | ||
automatic_provision | ||
ips_are_static | ||
guid | ||
vtas_are_static | ||
account_id | ||
max_sub_accounts | ||
unlimited_sub_accounts | ||
approved_by | ||
approved_at | ||
pending_admin_approval | ||
wispr_data | ||
hide_from_operator |
payment_method | merchant_transaction | coupon |
---|---|---|
id | id | id |
account_id | account_id | usage_plan_id |
active | payment_method_id | code |
company | merchant_id | credit |
address1 | usage_plan_id | expires_at |
address2 | amount | note |
city | currency | created_by |
state | test | updated_by |
zip | ip | created_at |
country | mac | updated_at |
phone | customer | batch |
note | scratch | |
created_at | merchant_string | max_redemptions |
updated_at | description | unlimited_redemptions |
created_by | success | |
updated_by | response_yaml | |
scratch | created_at | |
customer_id | updated_at | |
card_id | created_by | |
nickname | updated_by | |
encrypted_cc_number | message | |
encrypted_cc_number_iv | authorization | |
encrypted_cc_expiration_month | hostname | |
encrypted_cc_expiration_month_iv | http_user_agent_id | |
encrypted_cc_expiration_year | account_group_id | |
encrypted_cc_expiration_year_iv | subscription_id | |
encrypted_first_name | ||
encrypted_first_name_iv | ||
encrypted_middle_name | ||
encrypted_middle_name_iv | ||
encrypted_last_name | ||
encrypted_last_name_iv | ||
cc_number | ||
cc_expiration_month | ||
cc_expiration_year | ||
first_name | ||
middle_name | ||
last_name |
login_session | ip_group | device_option |
---|---|---|
id | id | id |
account_id | policy_id | name |
radius_realm_id | name | active |
login | priority | device_location |
ip | note | domain_name |
mac | created_at | ntp_server |
expires_at | updated_at | time_zone |
online | created_by | smtp_address |
radius_acct_session_id | updated_by | rails_env |
radius_response | scratch | note |
radius_class_attribute | created_at | |
created_at | updated_at | |
updated_at | created_by | |
created_by | updated_by | |
updated_by | smtp_port | |
bytes_up | smtp_domain | |
bytes_down | smtp_username | |
pkts_up | smtp_password | |
pkts_down | cluster_node_id | |
usage_bytes_up | scratch | |
usage_bytes_down | log_rotate_hour | |
ldap_domain_id | log_rotate_count | |
radius_realm_server_id | ssh_port | |
ldap_domain_server_id | country_code | |
cluster_node_id | disable_hyperthreading | |
shared_credential_group_id | developer_mode | |
ip_group_id | sync_builtin_admins | |
account_group_id | delayed_job_workers | |
usage_plan_id | log_level | |
lock_version | max_forked_processes | |
hostname | soap_port | |
total_bytes_up | reboot_timestamp | |
total_bytes_down | reboot_time_zone | |
total_pkts_up | limit_sshd_start | |
total_pkts_down | limit_sshd_rate | |
radius_server_id | limit_sshd_full | |
radius_request | use_puma_threads | |
backend_login_at | ||
http_user_agent_id | ||
backend_login_seconds | ||
portal_login_at | ||
omniauth_profile_id | ||
encrypted_password | ||
encrypted_password_iv | ||
conference_id | ||
password |
custom_email | transient_group_membership | time_trigger |
---|---|---|
id | id | id |
name | ip_group_id | account_group_id |
from | mac_group_id | name |
subject | account_group_id | mon |
body | account_id | tues |
event | ip | wed |
note | mac | thurs |
created_by | reason | fri |
updated_by | expires_at | sat |
created_at | created_by | sun |
updated_at | updated_by | start |
send_to_account | created_at | end |
scratch | updated_at | note |
email_recipient | cluster_node_id | created_by |
include_custom_reports_in_body | max_connections_trigger_id | updated_by |
attachment_format | quota_trigger_id | created_at |
custom_event | time_trigger_id | updated_at |
delivery_method | snort_trigger_id | ip_group_id |
sms_gateway_id | hostname | mac_group_id |
reply_to | radius_group_id | scratch |
ldap_group_id | flush_states | |
login_session_id | flush_dhcp | |
log_hits_trigger_id | flush_arp | |
flush_states | flush_vtas | |
flush_dhcp | infrastructure_area_id | |
flush_arp | previous_infrastructure_area_id | |
flush_vtas | duration | |
vulner_assess_trigger_id | current_dwell | |
previous_dwell |
log_hits_trigger | snort_trigger | max_connections_trigger |
---|---|---|
id | id | id |
ip_group_id | ip_group_id | ip_group_id |
mac_group_id | name | name |
name | duration | max_connections |
note | note | duration |
log_file | created_by | note |
duration | updated_by | created_by |
max_hits | created_at | updated_by |
window | updated_at | created_at |
scratch | scratch | updated_at |
created_by | mac_group_id | scratch |
updated_by | flush_states | mac_group_id |
created_at | flush_dhcp | flush_states |
updated_at | flush_arp | flush_dhcp |
flush_states | flush_vtas | flush_arp |
flush_dhcp | flush_vtas | |
flush_arp | max_duration | |
flush_vtas | max_mb | |
period | ||
active_or_expired | ||
max_duration_logic | ||
max_mb_logic |
quota_trigger | health_notice | cluster_node |
---|---|---|
id | id | id |
account_group_id | cluster_node_id | name |
name | name | iui |
usage_mb_down | short_message | database_password |
usage_mb_down_unit | long_message | note |
usage_mb_up | cured_short_message | created_by |
usage_mb_up_unit | cured_long_message | updated_by |
up_down_logic_operator | severity | created_at |
note | cured_at | updated_at |
created_by | created_at | ip |
updated_by | updated_at | ssh_public_key |
created_at | created_by | scratch |
updated_at | updated_by | heartbeat_at |
radius_group_id | fleet_node_id | data_plane_ha_timeout_seconds |
ldap_group_id | node_mode | |
period | cluster_node_team_id | |
unlimited_period | wal_receiver_pid | |
duration | wal_receiver_status | |
unlimited_duration | wal_receiver_receive_start_lsn | |
scratch | wal_receiver_receive_start_tli | |
ip_group_id | wal_receiver_received_lsn | |
mac_group_id | wal_receiver_received_tli | |
flush_states | wal_receiver_latest_end_lsn | |
flush_dhcp | wal_receiver_slot_name | |
flush_arp | wal_receiver_sender_host | |
flush_vtas | wal_receiver_sender_port | |
wal_receiver_last_msg_send_time | ||
wal_receiver_last_msg_receipt_time | ||
wal_receiver_latest_end_time | ||
op_cluster_node_id | ||
priority | ||
auto_registration | ||
permit_new_nodes | ||
auto_approve_new_nodes | ||
pending_auto_registration | ||
pending_approval | ||
control_plane_ha_backoff_seconds | ||
data_plane_ha_enabled | ||
upgrading | ||
enable_radius_proxy |
aged_ar_penalty |
---|
id |
name |
amount |
days |
suspend_account |
note |
created_at |
updated_at |
created_by |
updated_by |
custom_email_id |
scratch |
record_type |
days_type |
Use Cases
Slack Integration: Notification when an admin is created or deleted
Procedure:
- Use Slack guide to create a new app, and configure incoming webhooks.
Navigate to Services-->Notifications and create a new webhook target Insert the webhook address from your slack app as the base URL.
Create a webhook for created admins. An example body is:
{ "attachments": [ { "fallback": "Admin Created on <%= DeviceOption.active.domain_name %>.", "color": "#36a64f", "pretext": "A New Administrator has been created", "author_name": "FQDN: <%= DeviceOption.active.domain_name %>", "author_link": "https://<%= DeviceOption.active.domain_name %>/admin/", "title": "Created Admin: <%= admin.login %>", "text": "*Created by:* <%= admin.created_by %>", "fields": [ { "title": "Priority", "value": "Medium", "short": false } ], "footer": "Slack API" } ] }
Create a webhook for deleted admins An example body is: (notice the use of <%= admin_hash %> because the record has been deleted.)
{
"attachments": [
{
"fallback": Admin Deleted on <%= DeviceOption.active.domain_name %>.",
"color": "#FF0000",
"pretext": "An Administrator has been deleted",
"author_name": "FQDN: <%= DeviceOption.find_by(active: 'true').domain_name %>",
"author_link": "https://<%= DeviceOption.find_by(active: 'true').domain_name %>/admin/",
"title": "Deleted Admin: <%= admin_hash[:login] %>",
"text": "*Deleted by:* <%= admin_hash[:updated_by] %>",
"fields": [
{
"title": "Priority",
"value": "High",
"short": false
}
],
"footer": "Slack API"
}
]
}
- Create a notification action for created admins.
- Choose Event Type: Watch Scaffold
- Choose Watched Model: Administrators
- Select: Watch Create
- Choose the Admin Created Webhook under actions
- Create a notification action for deleted admins.
- Choose Event Type: Watch Scaffold
- Choose Watched Model: Administrators
- Select: Watch Delete
- Choose the Admin Deleted Webhook under actions
- Navigate to System-->Admins, and create a new admin. Then delete the new admin. The channel configured in your Slack app will have messages posted via the rXg Notification Actions subsystem.
Location Based Crowding Notifications
Procedure:
- Navigate to Network :: Location
Create or edit existing location areas.
Edit individual areas and set crowd event thresholds. Thresholds can be set at region, floor, and site levels.
Navigate to Services :: Notifications
Create a notification action and select desired messages, webhooks and/or health notices to trigger.
Push Account To Remote rXg On Create
Procedure:
- Navigate to Services :: Notifications
Create a new Notification Action
- Event Type set to Watch Scaffold
- Watched Model set to Accounts
- Check the Watch Create checkbox
- Click Create.
Create a new Webhook Target
- Input a Name
- The base url will be https://FQDN\_of\_remote\_system/admins/scaffolds/
- Select body format, JSON in this case, and Body Encoding as RAW
- Add Webhook Property, Kind = Query Paramater, Key = api_key, the value will be the API key of an admin on remote system
- Click Create
Create a new Webhook
- Input a name
- Select Notification action created in step 1
- Select the webhook target created above
- Set path to accounts/create.json
- Set Method to POST
- Enter code into body (example below), click create.
<%
# get remote usage plan hash
result = HTTParty.post('https://FQDN_of_remote_system/admin/scaffolds/usage_plans/index.xml',
body: {:api_key=>"REMOTE_ADMIN_API_KEY",
:search=>account.usage_plan.try(:name)})
up = result["usage_plans"].try(:first)
# get remote account group hash
result = HTTParty.post('https://FQDN_of_remote_system/admin/scaffolds/account_groups/index.xml',
body: {:api_key=>"REMOTE_ADMIN_API_KEY",
:search=>account.account_group.try(:name)})
ag = result["account_groups"].try(:first)
# varible for device creation
count = 1
acct_hash = account.attributes
# remove attrs we dont want to push
acct_hash.delete("id")
acct_hash.delete("usage_plan_id")
acct_hash.delete("account_group_id")
acct_hash.delete("type")
acct_hash.delete("created_at")
acct_hash.delete("updated_at")
acct_hash.delete("created_by")
acct_hash.delete("updated_by")
acct_hash.delete("mb_up")
acct_hash.delete("mb_down")
acct_hash.delete("crypted_password")
acct_hash.delete("salt")
# make temporary password
acct_hash["password"] = acct_hash["password_confirmation"] = acct_hash["pre_shared_key"]
# add usage plan and do_apply_plan to hash if found on remote system
if up
acct_hash["usage_plan"] = up["id"]
acct_hash["do_apply_usage_plan"] = 1
end
# add account group to hash if found on remote system
if ag
acct_hash["account_group"] = ag["id"]
end
# add all devices to account hash
acct_hash["devices"] = {}
account.devices.each do |device|
acct_hash["devices"]["device#{count.to_s}"] = {
"name" => device.name,
"mac" => device.mac
}
count += 1
end
%>
{
"record": <%= acct_hash.to_json %>
}
CRM Integration
This example will explore integrating the rXg with the community edition of vTiger CRM. This case demonstrates using an API requiring a multistep login process, and use of a disposable session key rather than static credentials.
Procedure:
- The community edition of vTiger uses a combination of a challenge token, username, and access key to generate an expiring session key to be used with API calls. Create a custom data key under System :: Portals as a place to store the key.
- The only necessary field to populate is the name.
- Create a notification action to periodically get the session key, and perform a log in to the CRM.
- Set the event type to periodic.
- Choose a time within the session key expiration (the webhook will contain logic to determine if a refresh is necessary).
- Create a webhook target for the CRM.
- Add an HTTP header of "Content-Type": "application/x-www-form-urlencoded"
- Create a webhook that uses embedded ruby to store the current session key in the previously defined custom data key. This example looks at the age of the current key to see if a new key is necessary before executing.
- Choose the previously created notification action.
- Choose the CRM webhook target.
- Example Body:
<%
api_key = CustomDataKey.find_by(name: 'api_key')
if api_key.value_string.blank? || 30.minutes.since > api_key.updated_at
query = {
operation: "getchallenge",
username: "username",
}
resp = HTTParty.get(webhook_target.base_url, query: query)
token = JSON.parse(resp.body)['result']['token']
access_key = Digest::MD5.hexdigest(token + 'access_key_from_GUI')
body = {
operation: "login",
username: "username",
accessKey: access_key,
}
login = HTTParty.post(webhook_target.base_url, body: body)
session_id = JSON.parse(login.body)['result']['sessionName']
api_key.value_string = session_id
api_key.save!
end
raise DoNotSendError
%>
- Create a notfication action to trigger when a new account is created.
- Choose the event type: Watch Scaffold
- Choose the watched model: Accounts
- Check: Watch Create
- Create a webhook to create the account on the CRM.
- Select the previously created notification action.
- Choose the CRM webhook target.
- Set the method to POST
- Example Body:
<%=
{
operation: "create",
sessionName: CustomDataKey.find_by(name: 'api_key').value_string,
elementType: "Contacts",
element: {
firstname: record_hash["first_name"],
lastname: record_hash["last_name"],
assigned_user_id: "20x4",
}.to_json
}.to_query
%>
- Because vTiger CRM expects the body of the HTTP POST to be url-encoded the body is enclosed in ERB tags "<%= ... %>" so certain methods can be used to make formatting easier. ## Webhook to retrieve System Info
In this example will show how to setup a Webhook to push System Info on a periodic interval.
Procedure:
- Create a new Notification Action
- Populate the name field with the desired name.
- Set the Event Type field to Periodic.
- Specify how often the action should run using the Period field. Default is 5 minutes.
- Click Create. 2. Create a new Webhook Target
- Populate the name field with the desired name.
- Specify the URL of the target using the Base URL field.
Click Create.
- Create a new Webhook
Populate the name field with the desired name.
Use the Notification Actions field to select the notification action created in step 1.
Select the webhook target created in step 2 in the Webhook Target field.
Set the path in the Path field.
The Body field is where we will put our payload.
<%= SystemInfo.first.attributes.to_json %> - Click Create. This will pass the following information.
{
"id": 1048577,
"cluster_node_id": null,
"baseboard_asset_tag": "Not Specified",
"baseboard_manufacturer": "Intel Corporation",
"baseboard_product_name": "440BX Desktop Reference Platform",
"baseboard_serial_number": "None",
"baseboard_version": "None",
"bios_vendor": "Phoenix Technologies LTD",
"bios_version": "6.00",
"chassis_asset_tag": "No Asset Tag",
"chassis_manufacturer": "No Enclosure",
"chassis_serial_number": "None",
"chassis_type": "Other",
"chassis_version": "N/A",
"disk_device": "NECVMWar VMware SATA CD00 1.00",
"hostname": "rxg.example.com",
"os_arch": "amd64",
"os_branch": "RELEASE",
"os_kernel": "FreeBSD 12.2-RELEASE-p9 #16 476551a338d",
"os_name": "FreeBSD",
"os_release": "12.2-RELEASE-p9 #16",
"os_version": "12.2",
"processor_family": "Unknown",
"processor_frequency": "2300 MHz",
"processor_manufacturer": "GenuineIntel",
"processor_version": "Intel(R) Xeon(R) D-2146NT CPU @ 2.30GHz",
"rxg_build": "12.999",
"system_manufacturer": "VMware, Inc.",
"system_product_name": "VMware Virtual Platform",
"system_serial_number": "VMware-56 4d fd 29 e4 1a c1 4e-a2 60 81 57 54 ff dd 51",
"system_uuid": "29fd4d56-1ae4-4ec1-a260-815754ffdd51",
"system_version": "None",
"disk_total_gb": 111,
"memory_free_mb": 3874,
"memory_total_mb": 8192,
"memory_used_mb": 4317,
"processor_count": 4,
"uptime": 85371,
"load_avg_15m": "0.78",
"load_avg_1m": "1.09",
"load_avg_5m": "0.84",
"processor_temp": "0.0",
"bios_release_date": "2018-12-12",
"booted_at": "2021-08-30T08:37:23.000-07:00",
"created_by": "rxgd(InstrumentVitals)",
"updated_by": "rxgd(InstrumentVitals)",
"created_at": "2021-08-11T08:38:58.800-07:00",
"updated_at": "2021-08-31T08:20:14.808-07:00",
"rxg_iui": "4 2290 8192 111 ZKORHJVPDUQUZUNIBEWLHDFQ GZQQJUTGUDOIFDNTDUFQSKTW NLDQYHFARJWE",
"system_family": "Not Specified",
"fleet_node_id": null
}
Backend Scripts
The backend script allows the operator to write custom ruby scripts that can be used for things like interacting with mobile applications or performing a configuration change on a regular schedule. From the Notification Actions scaffold you can choose a trigger for the script from the drop down list. Some examples included manual, periodic, errors, and thresholds.
Big Red Button Mobile Application
This example will show how to setup a backend script that can be triggered by an API call executed by a mobile application which is available in the Apple and Google Play app stores.
This example assumes that you have an existing WLAN created under the WLANs scaffold with a record name of arena.
Procedure:
1) Browse to Services >> Notifications >> Backend Scripts 2) Click Create New 3) Name the backend script toggle_ssid. 4) Paste the following script into the body and click create.
def toggle_ssid wlan = Wlan.find_by(name: 'arena') ssid = wlan.ssid
if ssid == 'basketball_arena' wlan.ssid = 'hockey_arena' else wlan.ssid = 'basketball_arena' end
wlan.save! end
toggle_ssid
puts 'ssid toggled successfully'
5) Browse to Services >> Notifications >> Notification Actions 6) Click Create New 7) Name the notification action toggle_ssid. 8) Set the event type field to Manual. 9) Select toggle_ssid from the available scripts in the list.
Install the rXg Action Button Mobile App
Apple: https://apps.apple.com/us/app/rxg-action-button/id1483547358 Android: https://play.google.com/store/apps/details?id=net.lok.aidan.rxg_action_button
1) On the rXg browse to System >> Admins 2) Next to your admin account, click on the API Keys link. 3) Click Create New 4) Provide the API Key a name and click Create.
5) You will be presented with several QR codes. Make sure to leave this screen up.
6) From the mobile app, click Scan QR Code.
7) Scan the QR code labeled JSON. 8) Click Login With Saved Credentials
9) Set the action to toggle_ssid 10) Click on the slider to enable the button.
Now, simply press the red action button to toggle the SSID from basketball_arena to hockey_arena. These changes will be pushed to the wireless controller via config sync.
This is a very simple example of what can be done using a combination of a mobile application and the rXg backend scripts.
Conference Tool
Conference Tool Prerequisites
- Infastructure devices must be in sync.
- Any switches that contain switch ports that are tied to location areas need to be in sync.
- The wireless controller must also be in sync so the system can create SSID's that will be broadcast in the conference areas.
- Create VLAN interfaces and Network addresses.
- Create IP groups for each Network address that was created.
- Create Conference Options.
- Create Location Areas and assign switch ports/AP's.
- Switches and WLAN controllers must be in sync to fully work with the Conference Tool. To make sure they are in sync, navigate to Network::Wired and Network::Wireless to check the status of the devices. The "Config sync status" field should be green. See below images.
- Create VLAN interfaces and Network addresses. This step creates the networking that will be used for conferences. There are two types of networks that can be created. Per-user networks which will put each device in it's own VLAN (or a smaller group of devices in each VLAN if there are not enough VLANs for each device), or we can create a network that is contained in a single VLAN so that devices may communicate with each other. In either case navigate to Network::LAN.
To create a Per-user network first create a new VLAN Interface. Give it a name, select the Physical interface. Set the VLAN ID, which will be the starting VLAN. For this example we will set the Ratio to 4, this means that we will put 4 subnets we create in the next step into each VLAN. Click create.
Next create a new Network Address. Give it a name, select the VLAN from the previous step in the VLAN field. Specify the IP address using CIDR notation in the IP field. In this example there are going to be 128 /30 addresses created. When creating the networking, the operator should take care to create network address space that is large enough to contain enough addresses for the number of devices that are expected to connect to any given conference. For these addresses it is not necessary to check the Create DHCP Pool box, as the system will create the DHCP pool when the conference is active. Create New should be selected in the IP Group, which will take care of Step 3 as well. Click Create.
For non Per-User networks, create a new VLAN Interface, give it a name, select the Physical interface. Set the VLAN ID, which will be the starting VLAN. For non Per-User networks the Autoincrement field should be set to none, and the ratio left at 1. Click create.
Next create a new Network Address. Give it a name, select the VLAN from the previous step in the VLAN field. Specify the IP address using CIDR notation in the IP field. In this example we are creating a single /24 network that will be on VLAN 3500 which was created in the previous step, so make sure Autoincrement is set to 1. When creating the networking, the operator should take care to create network address space that is large enough to contain enough addresses for the number of devices that are expected to connect to any given conference. For these addresses it is not necessary to check the Create DHCP Pool box, as the system will create the DHCP pool when the conference is active. For this example we will not select Create New for the IP Group and will manually create the IP group. Click Create.
- Create IP groups for each Network address that was created. In the previous step one network was created with the create new IP group option selected and one was not. To manually create the IP group for the 2nd network in this example navigate to Identities::Groups and create a new IP Group. Give it a name, and select the Address in the Addresses field from the previous step. Leave everything else default and click create. Note a policy should not be selected when creating the IP Group as the system will create and assign a policy to the group as needed.
- Create Conference Options. Navigate to Services::Conference Tool and create a new Conference Option. Give it a name, and select the admin roles that are allowed to access the conference tool. Select the VLANs that the Conference Tool has access to. Leave any other settings as the defaults and click Create.
- Create Location Areas and assign switch ports/AP's. For this step a location area should be created for each conference space and the switch ports and AP's that are located in that physical space should be added. Create a new Location Area, give it a name, and select the AP's in this space in the Conference APs field and any switch ports in the Conference Ports field. Click Create. Repeat for each area. Lastly edit the Conference Option created in the previous step and select the Location Areas that have been created.
The Conference Tool is now ready to be used after completing these steps.
IoT Hubs
An entry in the IoT Hubs scaffold defines a device capable of controlling IoT devices. The rXg supports two controllers currently, RUCKUS IoT and RG Nets Piglet. The RUCKUS IoT (RIoT) controller is a virtualized software application that connects to RUCKUS IoT-enabled access points to provide support for BLE and ZigBee devices. One RIoT application per 500 IoT devices is the typical deployment model. RG Nets Piglet runs on a Raspberry Pi 4 and supports multiple protocols. One Piglet per account is the typical deployment model.
IotHubs
The online field when green, this indicates that the Iot Websocket Client is running and subscribed to streaming changes from this device. If red, the websocket client is not subscribed to streaming changes, so the state of iot entities may not accurately reflect the actual, current state.
The OS field indicates the version of the piglet software running on the IotHub.
The HA version indicates the version of home_assistant running on the IotHub.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Host field is the IP address of the Iot Hub.
The Port field is used to change ssh port, default is 22.
The Api Port field sets the API port for the Pi, default is 8123.
The Username field is used to set the username for the IotHub.
The Password field is used to set the password for the IotHub.
The Monitor state changes box if checked idndicates the websocket client should subscribe to streaming changes from this IotHub.
The Iot hub profile field is currently reserved for future use.
The Pms property field is optional, used to select the PMS property that the IotHub is associated with.
The Pms room field is optional, used to select the PMS room that the IotHub is associted with.
IotHubProfiles
Reserved for future use.
IotGroups
IotGroups are used to logically group IotHubs, IotEntities, and nested IotGroups. In addition, admin role access is granted at the IotGroup level. At a minimum, you will need to define an IotGroup that consists of the IotHubs you will want to control and assign the appropriate admin role access. Otherwise, IotHubs will not be populated on the iot hub dashboard in the operator portal due to lack of privileges.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Description field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The Group type field is reserved for future use.
The Admin roles field allows the operator to select which admin roles should have access to the group.
The Iot hubs field allows the operator to select the IotHubs included in the group.
The Iot entities field allows the operator to select which IotEntities are included in the group.
The Iot groups field is the nested IotGroups for the group.
IotEntities
IotEntities are the devices that are controlled and/or monitored by an IotHub. They can be lights, switches, sensors, or any supported IoT device. These are typically Z-Wave or Zigbee devices, but there are many different types of IoT control. These entities will be populated during an Import Entities for each hub. If you add devices after the initial import, you will want to run the import entities again.
The Iot type field is used to specify the type of entity, light, sensor, binary_sensor, etc.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Description field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The Is property controlled field is reserved for future use.
The State field is the last recored state of this entity, for example 'on' for a light.
The Iot actions field is reserved for future use.
The Iot hub field indicates the IotHub that this entity is associated with.
vRIoT Integration
The following section will outline the process of attaching RUCKUS vRIoT as an IoT hub in rXg and setup the MQTT service.
Add vRIoT as IoT Hub
- Browse to Services >> IoT Hubs
- In the IoT Hubs scaffold, click Create New
- Name the controller
- Set the Model dropdown to RUCKUS IoT Controller
- Add the IP address of the vRIoT server to the host field
- Provide a username and password to access the vRIoT server
- Press Create
- In the IoT Hubs scaffold, click Create New
- Click Import Entities link to complete the process.
Setup MQTT on the vRIoT Server
- On the vRIoT server, Browse to Admin >> Plugins
- From the dropdown, select Controller Data Stream
- Press the Activate button
- Configure the controller data stream as follows:
MQTT Broker IP: 127.0.0.1
MQTT Broker Port: 1883
MQTT Publish Topic: /events
Device Reporting: Yes
Device Reporting Topic: /events
- To confirm the MQTT service is working, SSH to the rXg and type
tail -f /var/log/mqtt_subscriber_iot.log
to check for activity.
RADIUS
The RADIUS view presents the scaffolds associated with configuring the rXg integrated RADIUS server.
Centralized Infrastructure Device AAA Server
The rXg identity database may be used as a credential store for rXg units or other third party devices via the RADIUS protocol. One common use of the rXg RADIUS server is to serve as a central credential database for administrative access to infrastructure equipment. For example, most VLAN "smart" switches and "enterprise" wireless access points may be configured to look to a RADIUS server for authenticating administrative access. Using the integrated rXg RADIUS server as a central credential store for infrastructure is a simple and effective way to reduce the complexity that is usually associated with networks that have a large number of devices.
Configuring rXg For Centralized Infrastructure Device AAA Server
Procedure: 1. Create an Account Group that will be tied to Administrator Account(s) 2. Create a policy for Administrator Account(s) Account Group
Check the AAA Account Group in the Account group section.3. Create a WAN Target that contains the public IP the radius request will come from. 4. Edit Radius Server Options add WAN target previously created. 5. Create a RADIUS realm and attach the policy created from the Administrator Account(s). 6. Create a new Account that will contain the credentials.
Attach account to the policy for Administrator Account(s)7. Point remote device to the rXg RADIUS server.
- Navigate to Identities-->Groups and create a new Account Group.
- Navigate to Policies-->Captive Portal and create a new Policy. Enter a name for the new policy and check the Account Group created in the previous step.
- Create a new WAN Target or edit existing WAN Target by navigating to Identities-->Definitions. Enter the IP(s) that should be allowed access to the Radius Server.
- Edit the RADIUS Server Options by navigating to Services-->RADIUS and check the WAN Target. Click Update.
- Create a new RADIUS Server Realm and select the policy that was created for the Administator account(s). Click Create.
- Create a new Account by navigating to Identities-->Accounts, Enter the Login name and password. Under Provision set the Group to the Account Group created previously. A First and Last name will also need to be provided along with an email address.
- Point the device to use the RADIUS server running on the rXg, set the primary IP address of the rXg as the AAA server, and adjust the ports if necessary. The key can be copied from the Radius Server Options on the rXg.
Subscriber Roaming
Another common use of the integrated rXg RADIUS server is to share a single centrally located end-user database amongst a set of geographically diverse RADIUS NAS capable devices. For example, "smart" access points, DSLAMs and even modem banks may be configured to use RADIUS to use an rXg with the RADIUS server enabled as a credential store. Using a single unified credential store across devices that controls access to multiple media helps control operational costs.
In many cases, the RADIUS NAS may also be configured for forced browser redirect of unauthenticated end-users to the rXg captive portal. This enables end-user self-provisioning and further reduces operational overhead. Since the rXg billing mechanisms are fully integrated into with the RADIUS server enabling operators to easily bill end-users for access to a diverse set of media.
The rXg integrated RADIUS server may also be used as a mechanism to loosely federate multiple rXg units. RG Nets recommends the deployment of the rXg clustering mechanism with an rXg cluster controller for unified and simplified clustering of multiple rXg units. However, for certain special cases, it may be more appropriate to use the RADIUS server of an rXg node or an rXg cluster controller along with the RADIUS NAS of multiple other rXgs to create a federation of rXg devices that share a single database.
One rXg unit is then dedicated to being the federation master. The captive portal web application server and end-user database are centrally stored on the federation master. The federation nodes are configured to authenticate using the RADIUS NAS clients and the rXg federation master is configured to be a RADIUS server.
Enterprise NAC
The rXg integrated RADIUS Server can be used to as a centralized AAA server for enterprise wired and wireless networks. Edge infrastructure devices are configured as access servers with port control enabled. Both username/password tuples and MAC address authentication credentials are supported. The rXg can proxy authentication to an external LDAP or RADIUS server (discussed later in this manual page) and/or check the local database.
If the local database is used then the operator may choose to create accounts for each employee and set a password. Alternatively, the administrator can use MAC address device authentication. To accomplish this, the operator will need to populate an account with desired MAC addresses. In either case, the account(s)should be associated with an account group. The account group also needs to be associated to a policy that is selected under a RADIUS Server Realm's matching options. By associating VLAN(s) to the RADIUS Server Realm , an operator can control what network(s) enterprise owned devices are assigned.
For example, in the packet exchange below, the Calling-Station-ID
attribute contains the MAC Address of the requesting device. The highest-priority policy will be used to determine which RADIUS Server Realm the device matches. The Tunnel-Private-Group-ID
attribute in the Access-Accept packet shows the VLAN assigned to this device.
14:38:33.381021 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 206)
10.103.254.4.56792 > 10.103.254.1.1812: [udp sum ok] RADIUS, length: 178
Access-Request (1), id: 0xe5, Authenticator: 2b9a4726041df0639dcc5f8574c30f5a
User-Name Attribute (1), length: 14, Value: 449160ece7fa
0x0000: 3434 3931 3630 6563 6537 6661
User-Password Attribute (2), length: 18, Value:
0x0000: a0e8 7cc3 4eb8 c07f 2322 714c a2e7 416e**Calling-Station-Id Attribute (31), length: 19, Value: 44-91-60-EC-E7-FA** 0x0000: 3434 2d39 312d 3630 2d45 432d 4537 2d46
0x0010: 41
NAS-IP-Address Attribute (4), length: 6, Value: 10.103.254.4
0x0000: 0a67 fe04
Called-Station-Id Attribute (30), length: 32, Value: D4-68-4D-2A-39-F0:SomeSSID
0x0000: 4434 2d36 382d 3444 2d32 412d 3339 2d46
0x0010: 303a 4b61 7272 6963 6b48 6f75 7365
Service-Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
0x0000: 0000 0013
NAS-Identifier Attribute (32), length: 19, Value: D4-68-4D-2A-39-F8
0x0000: 4434 2d36 382d 3444 2d32 412d 3339 2d46
0x0010: 38
Vendor-Specific Attribute (26), length: 20, Value: Vendor: Unknown (25053)
Vendor Attribute: 3, Length: 12, Value: KarrickHouse
0x0000: 0000 61dd 030e 4b61 7272 6963 6b48 6f75
0x0010: 7365
Message-Authenticator Attribute (80), length: 18, Value: .,H..-..S@.)..X.
0x0000: 842c 481d 8a2d 8c03 5340 0c29 deeb 5881
14:38:33.414314 IP (tos 0x0, ttl 64, id 6773, offset 0, flags [none], proto UDP (17), length 74)
10.103.254.1.1812 > 10.103.254.4.56792: [bad udp cksum 0x111c -> 0x598a!] RADIUS, length: 46
Access-Accept (2), id: 0xe5, Authenticator: d6f41b864e670829842982228b59649e
Class Attribute (25), length: 8, Value: Family
0x0000: 4661 6d69 6c79
Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
0x0000: 0000 0006**Tunnel-Private-Group-ID Attribute (81), length: 6, Value: 2002**0x0000: 3230 3032
Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] VLAN
0x0000: 0000 000d
The enterprise NAC functionality can be used to augment other functions of the rXg. For instance, some WLAN controllers proxy RADIUS access-requests through the controller for client authentication, while others send the requests directly from each AP. Because the rXg utilizes ACLs to limit access to the RADIUS server function, the operator should utilize RADIUS MAC authentication on switchports to automate servicing access-requests from many APs.
Procedure:
- Create AP managment VLANs
- Create an IP group for AP Managment VLANs
- Create a policy for AP Management IP group
- Add AP Management policy to RADIUS Server Options scaffold
- Create a MAC group containing a wildcard of the OUIs of Access Points
- Attach MAC group to a policy
- Create a RADIUS realm for the AP MAC group policy
- Attach AP Management VLANs
- Enable RADIUS MAC authentication bypass on switch ports
DVLAN for Large Public Venues
The rXg incorporates intelligent VLAN assignment in the RADIUS Server. A RADIUS Server Realm with the per-device setting is used for guest, quarantine and onboarding networks where true device isolation is desired. This mechanism is often used a large public venues so that event attendees can be split across operator chosen VLANs. Optionally each device can be assigned a /30 network. To accomplish this, the operator will need to create a RADIUS Server Realm matching a policy, or attribute pattern, and select per-account or per-device in the Dynamic VLANs sharing menu. To enable microsegmented L3s or L2s for attendees, VLANs with proper auto-increment, and ratio settings should be implemented. VLAN re-use can be used in LPVs, where capacity exceeds available VLANs. This allows for high-density deployments, with minimal broadcast domains.
For example, in the packet exchange below, theCalled-Station-ID
attribute contains the AP Radio MAC Address, and SSID the client device requested. By using a attribute pattern match, the operator can have all devices requesting this WLAN match this RADIUS Realm. The rXg has a variety of built in attributes, and allows the operator to define custom attributes to match
14:38:33.381021 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 206)
10.103.254.4.56792 > 10.103.254.1.1812: [udp sum ok] RADIUS, length: 178
Access-Request (1), id: 0xe5, Authenticator: 2b9a4726041df0639dcc5f8574c30f5a
User-Name Attribute (1), length: 14, Value: 449160ece7fa
0x0000: 3434 3931 3630 6563 6537 6661
User-Password Attribute (2), length: 18, Value:
0x0000: a0e8 7cc3 4eb8 c07f 2322 714c a2e7 416e
Calling-Station-Id Attribute (31), length: 19, Value: 44-91-60-EC-E7-FA
0x0000: 3434 2d39 312d 3630 2d45 432d 4537 2d46
0x0010: 41
NAS-IP-Address Attribute (4), length: 6, Value: 10.103.254.4
0x0000: 0a67 fe04**Called-Station-Id Attribute (30), length: 32, Value: D4-68-4D-2A-39-F0:EventSSID**0x0000: 4434 2d36 382d 3444 2d32 412d 3339 2d46
0x0010: 303a 4b61 7272 6963 6b48 6f75 7365
Service-Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
0x0000: 0000 0013
NAS-Identifier Attribute (32), length: 19, Value: D4-68-4D-2A-39-F8
0x0000: 4434 2d36 382d 3444 2d32 412d 3339 2d46
0x0010: 38
Vendor-Specific Attribute (26), length: 20, Value: Vendor: Unknown (25053)
Vendor Attribute: 3, Length: 12, Value: KarrickHouse
0x0000: 0000 61dd 030e 4b61 7272 6963 6b48 6f75
0x0010: 7365
Message-Authenticator Attribute (80), length: 18, Value: .,H..-..S@.)..X.
0x0000: 842c 481d 8a2d 8c03 5340 0c29 deeb 5881
14:38:33.414314 IP (tos 0x0, ttl 64, id 6773, offset 0, flags [none], proto UDP (17), length 74)
10.103.254.1.1812 > 10.103.254.4.56792: [bad udp cksum 0x111c -> 0x598a!] RADIUS, length: 46
Access-Accept (2), id: 0xe5, Authenticator: d6f41b864e670829842982228b59649e
Class Attribute (25), length: 8, Value: Family
0x0000: 4661 6d69 6c79
Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
0x0000: 0000 0006
Tunnel-Private-Group-ID Attribute (81), length: 6, Value: 2002
0x0000: 3230 3032
Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] VLAN
0x0000: 0000 000d
DVLAN Microsegmentation for Multi-Tenant and Hospitality
By configuring a RADIUS Server Realm in the rXg to use per-room, or per-guest VLANs, users can be dynamically assigned a microsegmented network. This enables users to have private LANs on a shared infrastructure, enabling property wide coverage of their personal network. Unique features such as screencasting, printing, etc., can happen via standard L2 protocols. To accomplish this, the operator will need to create a RADIUS Server Realm matching a policy associated to the desired account group , and select per-room in the Dynamic VLANs sharing menu.
For example, a hotel client would integrate the rXg with their existing PMS, and assign per-room VLANs to segment guests. This enables the guests to use services like screencasting in their rooms without the need to download an app. A shared office space environment would implement per-guest VLANs, and segment traffic from other guests, while making tasks like printing and file-sharing seamless.
An operator can associate a Bi-NAT pool to a policy, and utilize the per-room DVLAN mechanism to provide a "virtual Residential Gateway" or vRG. This enables end-users to manage their own port forwards for web-hosting, and gaming. In MDU or Dorm environments, this enables zero-operator intervention, and instant provisioning of typically complex configurations.
RADIUS Proxying
RADIUS Proxy Servers can be used in a variety of ways. By defining a RADIUS Proxy Server an operator can choose to proxy authentication, accounting, or all RADIUS packets to a remote RADIUS Server, LDAP Server, or PMS Server. By proxying authentication requests to a remote server, an operator can enable centralized credential management in distributed rXg deployments.
For example, the rXg can proxy ONLY RADIUS Accounting packets to an upstream device. This is useful in routed scenarios, where the rXg is not the head-end. This enables the operator to send user-name and IP/session information to upstream devices such as content filters, or firewalls.
An operator may also choose to proxy authentication requests against a configured LDAP Server. This enables 802.1x authentication directly against an LDAP server such as Microsoft Active Directory, without the use of Microsoft Network Policy Server (NPS).
RADIUS Proxy with RadSec
RadSec is a a protocol for transporting RADIUS datagrams over TCP and TLS. Standard RADIUS communications depend upon the unreliable transport protocol UDP, and lack security for large parts of the packet payload. RadSec provides a means to secure the communication between a RADIUS NAS and Server by utilizing Transport Layer Security (TLS). By utilizing RadSec, an operator can proxy incoming RADIUS requests securely to a centralized credential store.
To learn more about RADIUS, there are numerous web pages that provide background information on the RADIUS protocol. In addition, the O'Relly RADIUS (ISBN 0596003226) book provides a basic overview of the protocol. A good reference for how to use RADIUS in more complex environments is AAA and Network Security for Mobile Access: Radius, Diameter, EAP, PKI and IP Mobility (ISBN 0470011947).
Multiple PSK with Adtran vWLAN
AdTran supports multiple sets of tagged Tunnel-* RADIUS attributes where each set represents a 'guess' of what the end user may have entered into her device as the PSK. When a set of Tunnel-* attributes tagged with :1 are configured in the rXg, the rXg will automatically create additional sets of Tunnel-* attributes that represent additional possible Accounts the device may belong to. The rXg will create up to 24 total attribute sets. The AP will determine which set contains the correct PSK, and if it finds one, will allow the device to connect and start tagging the device traffic with the VLAN from the set that contained the correct PSK. Assuming 'Automatic Provisioning' is enabled in the account, the rXg will then automatically add the new device to the Account that corresponds to the VLAN from the attribute set.
Prerequisites
- Have Onboarding VLANs, associated to policy with a splash portal
- Have usage plan available for selection on splash portal
- Make sure the "Automatic Provision" checkbox is selected
- Have VLAN(s) available for registered accounts
- Have account group(s) for registered accounts associated to a policy with a landing portal
Configuration
- 1. Deploy vWLAN OVA
- vWLAN Appliance gets DHCP by default
- Login to vWLAN and add AP Licensing
- Either set Static IP on vWLAN, or add fixed-host address in DHCP
- Create "domain-name" DHCP Option , and attach to Global DHCP Option Group (Ex. Domain-Name = local)
- Create DNS Entry for apdiscovery.local to point to vWLAN controller (replace local with your domain name)
- Add vWLAN Controller to rXg wireless Infrastructure Devices
- Create an "Onboarding" RADIUS Realm and use an Attribute Pattern match since these devices would be unknown.
- Select your Onboarding VLANs, to ensure that users are presented the splash portal
- Create a Radius Realm for the policy of registered accounts
- - Select your Account VLANs
- Enable config sync on the vWLAN infrastructure device on the rXg
- Create a new WLAN choosing the following options
- Encryption: WPA2
- Authentication: Multiple PSK
- VLANs (Any associated with both realms)
- New RADIUS Server Attributes will be automatically created
- Create new RADIUS Server Attribute for onboarding
- Name: Tunnel-Password:1
- Value: onboarding (or whatever you want the onboarding PSK to be)
- Edit your Onboarding RADIUS Realm to respond with these attributes (notice the :1)
- Tunnel-Private-Group-Id:1 : %vlan_tag_assignment.tag%
- Tunnel-Type:1 : VLAN
- Tunnel-Medium-Type:1 : IEEE-802
- Tunnel-Password:1 : onboarding
- Edit your registered account RADIUS Realm to respond with these attributes (notice NO :1)
- Tunnel-Private-Group-Id : %vlan_tag_assignment.tag%
- Tunnel-Type : VLAN
- Tunnel-Medium-Type : IEEE-802
- Tunnel-Password : %account.pre_shared_key%
Dynamic PSK with RUCKUS virtual SmartZone (vSZ)
RUCKUS eDPSK enables an external AAA server to manage multiple PSKs associated with a single SSID. the rXg leverages eDPSK in conjunction with internal and external account management to deleiver person area networks (PANs) and virtual residential gateway (vRG) for MDUs.
Prerequisites
- Have Onboarding VLANs, associated to policy with a splash portal
- Have usage plan available for selection on splash portal
- Make sure the "Automatic Provision" checkbox is selected
- Have VLAN(s) available for registered accounts
- Have account group(s) for registered accounts associated to a policy with a landing portal
Configuration
- Deploy vSZ OVA, configure the following in the VM console:
- Configure vSZ in Essentials mode
- Set Static IP Address, or set DHCP Reservation
- Continue the vSZ deployment at web GUI -
https://{vSZ IP}:8443
- Add vSZ to rXg wireless Infrastructure Devices
- Create an "Onboarding" RADIUS Realm and use an Attribute Pattern match since these devices would be unknown.
- Select your Onboarding VLANs, to ensure that users are presented the splash portal
- Create a Radius Realm for the policy of registered accounts
- - Select your Account VLANs
- Enable config sync on the vWLAN infrastructure device on the rXg
- Create a new WLAN choosing the following options
- Encryption: WPA2
- Authentication: Multiple PSK
- VLANs (Any associated with both realms)
- Create new RADIUS Server Attribute for onboarding
- Name: Ruckus-DPSK
- Value: onboarding (or whatever you want the onboarding PSK to be)
- Edit your Onboarding RADIUS Realm to respond with these attributes
- Tunnel-Private-Group-Id : %vlan_tag_assignment.tag%
- Tunnel-Type : VLAN
- Tunnel-Medium-Type : IEEE-802
- Ruckus-DPSK : onboarding
- Edit your registered account RADIUS Realm to respond with these attributes
- Tunnel-Private-Group-Id : %vlan_tag_assignment.tag%
- Tunnel-Type : VLAN
- Tunnel-Medium-Type : IEEE-802
- Tunnel-Password : %account.pre_shared_key%
RADIUS Server Realms
An entry in the radius server realms scaffold creates a response realm that enables the rXg to respond to RADIUS requests.
One or more radius server realms are required in order to link RADIUS requests with attributes. Only one radius server realm is required if the network design requires that the same set of RADIUS attributes to be transmitted to all RADIUS requests.
Multiple radius server realms may be created in order to allow the rXg integrated RADIUS Server to respond with different RADIUS attributes depending upon the request. The most common usage scenario that requires the creation of two or more radius server realms is a network design that requires different VLANs or sets of VLANs to be assigned based on information present in the incoming RADIUS request. A RADIUS Access-Request will match at most a single RADIUS Server Realm
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The rank of a RADIUS server realm, allows the operator to designate multiple RADIUS realms with the same policy selection. If a RADIUS request matches multiple RADIUS realms, the highest ranking realm is used. This is typically used to override RADIUS realms when specific criteria is met, such as a user of a given policy connecting to a special SSID.
The policies field enables the operator to restrict this response realm to one or more sets of Identities. RADIUS Access-Request messages usually contain the MAC address of the end-user device. Thus a radius server realm may be restricted to answer RADIUS Access-Requests originating from end-user devices whose MAC addresses are present within MAC Groups and Account Groups. If no policies are enabled then the rXg will not restrict this response realm based on Identities but may still be restricted by other parameters such as attribute patterns.
The attribute patterns subsection enables the operator to restrict this response realm to RADIUS Access-Requests that contain the specified RADIUS attributes. One common use for this is mechanism is to restrict a response realm to only respond to RADIUS Access-Requests originating from end-user devices that are attaching to a specific SSID. This capability enables the operator associate respond with different RADIUS attributes depending upon the data in RADIUS Access-Request.
The dynamic VLANs section determines which VLANs will be passed from the rXg to the RADIUS NAS when a RADIUS Access-Accept message is sent. VLAN assignments are typically passed through RADIUS Attributes.
VLAN assignments are made either per-Device, per-Account, per-Guest, or per-Room. Using the per-Device setting tells the rXg to assign each MAC address that it sees a unique VLAN. The per-Device selection maximizes broadcast domain separation. The per-Account selection puts MAC addresses that belong to the same Account within the same VLAN. The per-Room and per-Guest selections puts MAC addresses that are associated with the same PMS Room or Guest name within the same VLAN.
One or more VLAN records must be configured and selected in order for the dynamic VLAN mechanism to be enabled. In most cases each RADIUS Server Realm will be associated with only a single VLAN record.
VLANs will be assigned to devices / accounts / PMS-Rooms per the above described selection until all available VLANs in the selected record are exhausted. If the Reuse VLANs checkbox is enabled then the VLANs configured in the VLAN will be reused if the VLANs in the record are exhausted. This setting is most often used in conjunction with the per-Device VLAN assignment setting as the number of devices will sometimes exceed the number of available VLANs.
The infrastructure devices setting enables the operator to tie this RADIUS Server Realm with an infrastruture device for the purpose of sending vendor specific instructions when VLANs change. This configuration is an absolute requirement when the dynamic VLAN capability is used with most wireless LAN controllers and wired switches.
The Proxy Servers field enables the operator to proxy incoming RADIUS packets to configured RADIUS Proxy Servers , LDAP Domains , or PMS Servers.
The Proxy Options enable an operator to choose what type of RADIUS packets to proxy, Accounting, Authentication, or both. By default, the rXg integrated RADIUS Server will only proxy 802.1x authentications. The Proxy MAC Auth selection enables the operator to also proxy MAC based authentications. The Replace username selection will override the "User-Name" attribute with the associated accounts login. If the Proxy Server is being used for authentication, the Create Account selection will create a local account on the rXg, and optionally apply a Usage Plan.
The attributes field defines one or more RADIUS attributes that will be appended to all RADIUS responses. Use this mechanism to send vendor specific attributes to the devices making RADIUS requests.
The Assume MAC auth option specifies that when an Account is located during RADIUS lookup and the request looks like a MAC auth request (i.e., the username looks like a MAC address) that we should treat the request as a MAC auth request and use the MAC address as the cleartext password instead of setting the NT-Password.
The Always perform Account lookup option ensures that an Account lookup occurs for the request while checking this realm, assuming it has not been performed already by a higher ranked realm. This is in contrast to the normal behavior where Account lookup is skipped unless there are Account Group-based Policies attached to the realm (or a higher ranked realm). This is necessary if performing MSCHAP authentication and the realm is being selected based on a RADIUS Attribute match pattern, rather than group membership. In this case the lookup is still necessary in order to set the NT-Password for the MSCHAP module.
RADIUS Proxy Servers
An entry in the RADIUS proxy servers scaffold defines a server that may be used to proxy requests to other remote RADIUS servers.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The RADIUS server realms field determines which logical partitions of the RADIUS Server will proxy requests to THIS server.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The priority field is used when multiple RADIUS proxy servers are associated with a RADIUS realm. The RADIUS proxy server with the highest priority is queried first. If the RADIUS proxy server with the highest priority does not respond within the window defined by the tries and timeout fields, the next highest priority server is queried. If no RADIUS proxy servers respond, the end-user is denied access.
The IP field specifies the IP address of the RADIUS server to be queried for credential validation.
The port field specifies the UDP port to use when sending the RADIUS request for credential validation. Similarly the accounting port field specifies the UDP port to use when sending the RADIUS accounting start, stop and intermediate updates. Leave these fields blank to use the defaults.
The secret field is the RADIUS shared secret. It is used to encode and decode messages being sent to and from the RADIUS server. This setting must match that of the RADIUS server in order for credential validation to operate.
If a server does not respond to a request within the timeout time, the server marks the request as timed out. After the configured number of tries , the server is marked as being "zombie", and the zombie period starts. The default timeout window is large because responses may be slow, especially when proxying across the Internet.
A server that is marked "zombie" will be used for proxying as a low priority. If there are live servers, they will always be preferred to a zombie. Requests will be proxied to a zombie server ONLY when there are no live servers. Any request that is proxied to a server will continue to be sent to that server until the server is marked dead. At that point, it will fail over to another server, if a live server is available. If the server does not respond to ANY packets during the zombie period , it will considered to be dead.
If status check is something other than "none", then the server will start sending status checks at the start of the zombie period. It will continue sending status checks until the server is marked "alive". These status packets are sent ONLY if the server is believed to be dead. They are NOT sent if the server is believed to be alive. They are NOT sent if this server is not proxying packets. If the server responds to the status check packet, then it is marked alive again, and is returned to use.
The check interval field configures the number of status checks in a row that the server needs to respond to before it is marked alive. If you want to mark a server as alive after a short time period of being responsive, it is best to use a small check interval , and a large value for answers to alive. Using a long check interval and a small number for answers to alive increases the probability of spurious fail-over and fallback attempts.
RADIUS layer "status checks" are used to see if a server is alive when status check is set to "Status-Server".
Some servers do not support status checks via the Status-Server packet. Others may not have a "test" user configured that can be used to query the server, to see if it is alive. For those servers, there is NO WAY of knowing when it becomes alive again. In this case, after the server has been marked dead, the revival interval must elapse before it is marked alive again, in the hope that it has come back to life. If it has NOT come back to life, the zombie period must elapse before marking it dead again. During the zombie period , all authentications will fail, because the server is still dead. There is nothing that can be done about this, other than to enable the status checks. e.g. if zombie period is 40 seconds, and revive interval is 300 seconds, then for 40 seconds out of every 340, or about 10% of the time, all authentications will fail. If the zombie period and revive interval configurations are set smaller, then it is possible for up to 50% of authentications to fail. We recommend enabling status check , and we do NOT recommend relying on revive interval. The revive interval is used ONLY if status check is set to "none".
If the server does not support Status-Server packets, then the proxying server can still send Access-Request or Accounting-Request packets with a pre-defined username. This behavior is enabled by setting status check to "Access-Request". This practice is NOT recommended, as it may potentially let users gain network access by using these "test" accounts. If it is used, we recommend that the server ALWAYS respond to these Access-Request status checks with Access-Reject. The status check just needs an answer, it does not need an Access-Accept. For Accounting-Request status checks, only the username needs to be set. The rest of the accounting attribute are set to default values. The server that receives these accounting packets SHOULD NOT treat them like normal user accounting packets.
RADIUS Server
The rXg internal credential database of users and tokens may be remotely accessed via the RADIUS protocol. Records in the RADIUS Server scaffold configure the behavior of the rXg RADIUS server.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The secret field defines the RADIUS shared secret. This shared credential must be identical to one configured on the RADIUS NAS devices that will access this RADIUS server.
The auth port and acct port fields configure the ports that the RADIUS server will listen for requests on. In most cases, the RFC defined ports of 1812 and 1813 should be used as many RADIUS NAS devices are only able to connect to those ports.
The debug field configures the RADIUS server to log the contents of all request and response packets to the log file.
The certificate field specifies an alternate certificate chain to configure the RADIUS server with.
The WAN targets and policies fields determine the set of devices that are allowed to have access to the rXg integrated RADIUS server. By default the rXg has packet filtering rules in place that prevent access to the integrated RADIUS server. This ensures that no devices of any kind may access the RADIUS server unless the operator takes specific action to enable access.
Access to the rXg integrated RADIUS server for RADIUS NAS devices that are on the WAN is enabled by creating one or more WAN targets for the RADIUS NAS devices and then enabling the appropriate check boxes. RADIUS NAS devices on the LAN may be granted access by placing the IPs of the RADIUS NAS devices into an IP Group and then linking the IP Group into a Policy which may be selected here.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RADIUS Server Attributes
The rXg integrated RADIUS server responds to RADIUS requests with RFC defined attributes. The operator may define additional attributes to be present in RADIUS responses by creating RADIUS Server Attribute records. Each record defines one additional attribute that will be presnet
The name configures the name of the RADIUS attribute that will be sent to the RADIUS NAS. The name must be agreed upon and configured identically on both the RADIUS server and the RADIUS NAS.
The value configures the value of the payload of the RADIUS attribute that will be sent to the RADIUS NAS in RADIUS server response. The value may be static (e.g., 'IEEE-802' for the 'Tunnel-Medium-Type' when configuring dynamic VLANs). Alternatively the value may be a dynamic value configured through substitution variables.
The RADIUS Server Realms field determines which RADIUS requests will contain the RADIUS Server Attribute defined by this record. More than one RADIUS Server Realm may be selected and thus the RADIUS Server Attribute defined by this record will be present in the responses to each of the defined realms.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Most dynamic VLAN configurations require the following three attributes to be configured:
| Tunnel-Medium-Type
| 802
|
| Tunnel-Private-Group-ID
| %vlan_tag_assignment.tag%
|
| Tunnel-Type
| VLAN
|
Substitution
Payload fields may contain special keywords surrounded by % signs that will be substituted with relevant values. This enables the operator to deliver values stored in the database as part of the payload.
List of objects available:
Account Create | Usage Plan Purchase | Transaction: success/failure |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
ip_group | login_session | login_session |
login_session | usage_plan | merchant |
usage_plan | account | payment_method |
account | merchant_transaction | |
usage_plan | ||
account |
Credit Card Expiring | Coupon Redemption | Account Charge: success/failure/no response |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | coupon | login_session |
payment_method | login_session | payment_method |
usage_plan | usage_plan | response |
account | account | usage_plan |
account |
Trigger: Connections | Trigger: Quota | Trigger: DPI |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | login_session | login_session |
max_connections_trigger | quota_trigger | snort_trigger |
transient_group_membership | transient_group_membership | transient_group_membership |
account | account | account |
Trigger: Time | Trigger: Log Hits | Health Notice: create |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | login_session | health_notice |
time_trigger | log_hits_trigger | |
transient_group_membership | transient_group_membership | |
account | account |
Health Notice: cured |
---|
cluster_node |
custom_email |
device_option |
health_notice |
List of objects available for all associated record types:
Aged AR Penalty |
---|
cluster_node |
custom_email |
device_option |
aged_ar_penalty |
login_session |
payment_method |
usage_plan |
account |
List of attributes available for each object:
account | usage_plan | merchant |
---|---|---|
id | id | id |
type | account_group_id | name |
login | name | gateway |
crypted_password | description | login |
salt | currency | password |
state | recurring_method | test |
first_name | recurring_day | note |
last_name | variable_recurring_day | created_at |
automatic_login | updated_at | |
usage_plan_id | note | created_by |
usage_minutes | created_at | updated_by |
unlimited_usage_minutes | updated_at | signature |
usage_expiration | created_by | partner |
no_usage_expiration | updated_by | invoice_prefix |
automatic_login | time_plan_id | integration |
note | quota_plan_id | store_payment_methods |
logged_in_at | usage_lifetime_time | live_url |
created_at | absolute_usage_lifetime | pem |
updated_at | unlimited_usage_lifetime | scratch |
created_by | no_usage_lifetime | dup_timeout_seconds |
updated_by | recurring_retry_grace_minutes | |
mb_up | recurring_fail_limit | |
mb_down | prorate_credit | |
pkts_up | permit_unpaid_ar | |
pkts_down | pms_server_id | |
usage_mb_up | lock_devices | |
usage_mb_down | scratch | |
unlimited_usage_mb_up | max_sessions | |
unlimited_usage_mb_down | max_devices | |
company | unlimited_devices | |
address1 | unlimited_sessions | |
address2 | usage_lifetime_time_unit | |
city | max_dedicated_ips | |
region | pms_guest_match_operator | |
zip | recurring_lifetime_time | |
country | recurring_lifetime_time_unit | |
phone | unlimited_recurring_lifetime | |
bill_at | sms_gateway_id | |
lock_version | validation_method | |
charge_attempted_at | validation_grace_minutes | |
lock_devices | max_party_devices | |
relative_usage_lifetime | unlimited_party_devices | |
scratch | upnp_enabled | |
portal_message | automatic_provision | |
max_devices | conference_id | |
unlimited_devices | ips_are_static | |
max_sessions | base_price | |
unlimited_sessions | vtas_are_static | |
max_dedicated_ips | manual_ar | |
account_group_id | ||
email2 | ||
pre_shared_key | ||
phone_validation_code | ||
email_validation_code | ||
phone_validated | ||
email_validated | ||
phone_validation_code_expires_at | ||
email_validation_code_expires_at | ||
max_party_devices | ||
unlimited_party_devices | ||
nt_password | ||
upnp_enabled | ||
automatic_provision | ||
ips_are_static | ||
guid | ||
vtas_are_static | ||
account_id | ||
max_sub_accounts | ||
unlimited_sub_accounts | ||
approved_by | ||
approved_at | ||
pending_admin_approval | ||
wispr_data | ||
hide_from_operator |
payment_method | merchant_transaction | coupon |
---|---|---|
id | id | id |
account_id | account_id | usage_plan_id |
active | payment_method_id | code |
company | merchant_id | credit |
address1 | usage_plan_id | expires_at |
address2 | amount | note |
city | currency | created_by |
state | test | updated_by |
zip | ip | created_at |
country | mac | updated_at |
phone | customer | batch |
note | scratch | |
created_at | merchant_string | max_redemptions |
updated_at | description | unlimited_redemptions |
created_by | success | |
updated_by | response_yaml | |
scratch | created_at | |
customer_id | updated_at | |
card_id | created_by | |
nickname | updated_by | |
encrypted_cc_number | message | |
encrypted_cc_number_iv | authorization | |
encrypted_cc_expiration_month | hostname | |
encrypted_cc_expiration_month_iv | http_user_agent_id | |
encrypted_cc_expiration_year | account_group_id | |
encrypted_cc_expiration_year_iv | subscription_id | |
encrypted_first_name | ||
encrypted_first_name_iv | ||
encrypted_middle_name | ||
encrypted_middle_name_iv | ||
encrypted_last_name | ||
encrypted_last_name_iv | ||
cc_number | ||
cc_expiration_month | ||
cc_expiration_year | ||
first_name | ||
middle_name | ||
last_name |
login_session | ip_group | device_option |
---|---|---|
id | id | id |
account_id | policy_id | name |
radius_realm_id | name | active |
login | priority | device_location |
ip | note | domain_name |
mac | created_at | ntp_server |
expires_at | updated_at | time_zone |
online | created_by | smtp_address |
radius_acct_session_id | updated_by | rails_env |
radius_response | scratch | note |
radius_class_attribute | created_at | |
created_at | updated_at | |
updated_at | created_by | |
created_by | updated_by | |
updated_by | smtp_port | |
bytes_up | smtp_domain | |
bytes_down | smtp_username | |
pkts_up | smtp_password | |
pkts_down | cluster_node_id | |
usage_bytes_up | scratch | |
usage_bytes_down | log_rotate_hour | |
ldap_domain_id | log_rotate_count | |
radius_realm_server_id | ssh_port | |
ldap_domain_server_id | country_code | |
cluster_node_id | disable_hyperthreading | |
shared_credential_group_id | developer_mode | |
ip_group_id | sync_builtin_admins | |
account_group_id | delayed_job_workers | |
usage_plan_id | log_level | |
lock_version | max_forked_processes | |
hostname | soap_port | |
total_bytes_up | reboot_timestamp | |
total_bytes_down | reboot_time_zone | |
total_pkts_up | limit_sshd_start | |
total_pkts_down | limit_sshd_rate | |
radius_server_id | limit_sshd_full | |
radius_request | use_puma_threads | |
backend_login_at | ||
http_user_agent_id | ||
backend_login_seconds | ||
portal_login_at | ||
omniauth_profile_id | ||
encrypted_password | ||
encrypted_password_iv | ||
conference_id | ||
password |
custom_email | transient_group_membership | time_trigger |
---|---|---|
id | id | id |
name | ip_group_id | account_group_id |
from | mac_group_id | name |
subject | account_group_id | mon |
body | account_id | tues |
event | ip | wed |
note | mac | thurs |
created_by | reason | fri |
updated_by | expires_at | sat |
created_at | created_by | sun |
updated_at | updated_by | start |
send_to_account | created_at | end |
scratch | updated_at | note |
email_recipient | cluster_node_id | created_by |
include_custom_reports_in_body | max_connections_trigger_id | updated_by |
attachment_format | quota_trigger_id | created_at |
custom_event | time_trigger_id | updated_at |
delivery_method | snort_trigger_id | ip_group_id |
sms_gateway_id | hostname | mac_group_id |
reply_to | radius_group_id | scratch |
ldap_group_id | flush_states | |
login_session_id | flush_dhcp | |
log_hits_trigger_id | flush_arp | |
flush_states | flush_vtas | |
flush_dhcp | infrastructure_area_id | |
flush_arp | previous_infrastructure_area_id | |
flush_vtas | duration | |
vulner_assess_trigger_id | current_dwell | |
previous_dwell |
log_hits_trigger | snort_trigger | max_connections_trigger |
---|---|---|
id | id | id |
ip_group_id | ip_group_id | ip_group_id |
mac_group_id | name | name |
name | duration | max_connections |
note | note | duration |
log_file | created_by | note |
duration | updated_by | created_by |
max_hits | created_at | updated_by |
window | updated_at | created_at |
scratch | scratch | updated_at |
created_by | mac_group_id | scratch |
updated_by | flush_states | mac_group_id |
created_at | flush_dhcp | flush_states |
updated_at | flush_arp | flush_dhcp |
flush_states | flush_vtas | flush_arp |
flush_dhcp | flush_vtas | |
flush_arp | max_duration | |
flush_vtas | max_mb | |
period | ||
active_or_expired | ||
max_duration_logic | ||
max_mb_logic |
quota_trigger | health_notice | cluster_node |
---|---|---|
id | id | id |
account_group_id | cluster_node_id | name |
name | name | iui |
usage_mb_down | short_message | database_password |
usage_mb_down_unit | long_message | note |
usage_mb_up | cured_short_message | created_by |
usage_mb_up_unit | cured_long_message | updated_by |
up_down_logic_operator | severity | created_at |
note | cured_at | updated_at |
created_by | created_at | ip |
updated_by | updated_at | ssh_public_key |
created_at | created_by | scratch |
updated_at | updated_by | heartbeat_at |
radius_group_id | fleet_node_id | data_plane_ha_timeout_seconds |
ldap_group_id | node_mode | |
period | cluster_node_team_id | |
unlimited_period | wal_receiver_pid | |
duration | wal_receiver_status | |
unlimited_duration | wal_receiver_receive_start_lsn | |
scratch | wal_receiver_receive_start_tli | |
ip_group_id | wal_receiver_received_lsn | |
mac_group_id | wal_receiver_received_tli | |
flush_states | wal_receiver_latest_end_lsn | |
flush_dhcp | wal_receiver_slot_name | |
flush_arp | wal_receiver_sender_host | |
flush_vtas | wal_receiver_sender_port | |
wal_receiver_last_msg_send_time | ||
wal_receiver_last_msg_receipt_time | ||
wal_receiver_latest_end_time | ||
op_cluster_node_id | ||
priority | ||
auto_registration | ||
permit_new_nodes | ||
auto_approve_new_nodes | ||
pending_auto_registration | ||
pending_approval | ||
control_plane_ha_backoff_seconds | ||
data_plane_ha_enabled | ||
upgrading | ||
enable_radius_proxy |
aged_ar_penalty |
---|
id |
name |
amount |
days |
suspend_account |
note |
created_at |
updated_at |
created_by |
updated_by |
custom_email_id |
scratch |
record_type |
days_type |
Rotator
The rXg rotator service enables operators to simply and easily integrate content rotation into the captive portal web application. The system is designed to deliver zero-intervention advertising rotation via the captive portal web application to provide dynamic pre-authentication, post-authentication and interstitial advertising. In addition, the system can be used for a broad spectrum of other communication purposes other than advertising. For example, an operator may choose to use the rotator service to communicate late breaking news, integrate with third party messaging transport mechanisms or photographic galleries and real-time web cameras.
The rotator service may be directly accessed via an HTTP request to the rXg with a suffix of rotator
. The URN parameter must be specified to identify a particular rotator set that is to be accessed. Since the rotator service is accessible via a URL, it can be integrated into any third party display mechanism capable of making HTTP requests. For example, using a web browser connected to the LAN side of a newly installed rXg, open the URL:
https://rxg.local/rotator/?urn=postauth
.
The postauth
URN is a demonstration rotator that is part of the default rXg installation. It contains a series of advertisements that are displayed on the post-authentication landing page of the default portal. Reloading the web browser window will result in the rotation of the advertisements that are present in the chosen rotator.
The rotator service is implemented as a Ruby on Rails controller so that it may be easily integrated into the captive portal web application. Each time the captive portal page is loaded, the rotator displays a different payload.
To add a rotator to a captive portal page, edit the page and insert the following embedded ruby code where you would like the rotatee payload to be inserted:
<%= render partial: 'rotator', locals: { urn: ' **urn**' } %>
The urn
parameter in the example must be replaced with a string corresponding to a rotator scaffold entry. Incorrect specification of a rotator with a matching urn field will result in an error message being embedded into the portal page.
The rotator service is one of the many ways that the rXg enables operators to quickly and easily generate revenue from an end-user population. To maximize revenue, we strongly suggest that you partner with numerous affiliate programs that are appropriate to your end-user population. A good introductory text on affiliate programs is Make a Fortune Promoting Other People's Stuff Online: How Affiliate Marketing Can Make You Rich (ISBN 0071478132) by Rosalind Gardner. An excellent affiliate marketing recipe and ideas reference book is A Practical Guide to Affiliate Marketing: Quick Reference for Affiliate Managers & Merchants (ISBN 0979192706) by Evgenii Prussakov.
Rotators
An entry in the rotators scaffold creates a rotation group that can be integrated into the captive portal web application.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The URN field configures the uniform resource name that uniquely identifies this rotator. The URN is the parameter that is used to choose a specific rotator when incorporating the rotator service into a captive portal page.
The rotatees list enables the operator to select rotatees from the set of all rotatees to associate with this rotator. The rotator will choose one rotatee to display from among the associated rotatees.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Rotatees
An entry in the rotatees scaffold creates a member of a rotator group and specifies the payload that should be displayed.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The rotator field defines one or more rotators for this rotatee to be associated with.
The payload field defines the data that will be presented when a rotator service associated with this rotatee is accessed. In a typical scenario, this field is populated with an HTML fragment that contains a block of text or a reference to an image that is part of an advertising campaign.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Display and track advertisements
Navigate to Services::Ad Rotator.
The default portal by default looks for a Rotator with a URN of default to display the Rotatees. Create a new Rotator. The Name field is arrbitrary. Since the default portal looks for the URN of default set the URN field to default. Click Create.
Now that the Rotator has been configured, Rotatees can now be created that will contain the payload for the advertisement. In this example we will create Rotatees that will display on the main page of the default portal. Create a new Rotatee. The Name field is arrbitrary. In the Rotators field check the default box. The Payload field contains the url to the advertisement. The Target URL field contains the URL the user should be taken to if the click on the advertisement. The Price field is where the price paid for the advertisement can be entered and will be used in reports to calculate the price per impression/conversion. Do note that if the Payload is hosted outside the then it must be whitelisted on the splash portal in order for the content to be displayed. Click Create.
Repeat creating a Rotatee for each advertisement. In this example each advertisement is an image of fruit, and clicking on the advertisement image will link to wikipedia, but this could be the products homepage.
Rotator Logs will record an entry each time an Rotatee is loaded, it will display the IP of the device the advertisement was served to, along with the MAC address, Hostname, and Browser the device was using. The Rotator Logs will also show you if the advertisement was clicked.
The operator of the rXg can create reports showing detailed information about the number of clicks and conversions related to each Rotatee. To create a custom report navigate to Archives::Reports::Custom Reports.
There are two reports specific to the Ad Rotators. The first one is the Rotatee Metrics Custom Report. Create a new Custom Report. The Name field is arbitrary. Under Report set the Type field to Rotatee Metrics. Set the Time field to the desired time. Everyting else can be left to the defaults. Click Create.
The report can be viewed by clicking the view option on the left side of the scaffold. The Rotatee field shows the name of the Rotatee. The Impressions column displays the number of times the Rotatee was loaded and displayed. The Conversions column displays the number of times the Rotatee was clicked. The Conversion Ratio column displays the ratio of times Rotatee was loaded and clicked (Conversions divided by the number of Impressoins). The*Conversion Time(s)* section of the report gives you the average, minimum, and maximum number of conversions. Lastly the Cost section of the report displays the Price paid, the per impression cost (Price divided by the number of impressions), and the per conversion price (Price divided by the number of conversions).
The second report is the Rotator Impressions report. Create a new Custom Report. The Name field is arbitrary. Under Report set the Trype field to Rotator Impressions , and set the desired time for the report using the Time field. Click Create.
The report can be viewed by clicking the view option on the left side of the scaffold. The Impression column shows the date and time the Rotatee was displayed. The Rotator/Rotatee column shows which Rotatee the entry is for. The URL column shows the URL the device was trying to access when it was presented with the Rotatee. The IP field lists the IP of the device. The MAC field displays the MAC address of the device. The Hostname field will display the hostname of the device if available. The OS field displays the OS running on the device. The Browser field displays the browser the device is using along with the Version. The Login field displays the Policy the device is a member of. Lastly the Conversion Time(s) field displays the time between when the Rotatee was loaded and the user click on the Rotatee if applicable.
Display videos in captive portal based on location
In this example the rXg will be configured to display an advertisement video and static image in the captive portal based on the portal the device is accociated and the location of the device when it connects, using a prebuilt portal.
- Create Custom Portal.
- Create Splash and Landing portal to associate custom portal to.
- Create Shared Credential to activate ad rotator and allow access after advertisement.
- Create Rotators , this is what is used to determine which set of advertisements to display.
Create Rotatees , this is the advertisement content that will be displayed.
Create custom portal.
Navigate to System::Portals and create a new Custom Portal.
The Name field is arbitrary, for this example it will be named "videotest". The Controller name field is what is displayed in the URL when accessing the portal, for this example it will be "videotest". Set the Portal source field to Duplicate Local and the Duplicate field to default as the default portal will be used here. Click Create.
- Create Splash and Landing portal to associate custom portal to.
Navigate to Policies::Captive Portal and create a new Splash Portal.
The Name field is arbitrary, for this example it will be named "Splash". The rXg Portal field should be set to the portal created in step 1 which is "videotest". Select the policy associated unknown devices(devices connecting to the network for the first time), for the purpose of this example the "Onboarding Policy" will be selected. Click Create.
Create a new Landing Portal.
The Name field is arbitrary, for this example it will be named "Landing". The rXg Portal field should be set to the portal created in step 1 which is "videotest". Select the policy associated with devices that have authenticated for the purpose of this example the "Free Policy" will be selected. Click Create.
- Create Shared Credential to activate ad rotator and allow access after advertisement.
Navigate to Identities::Shared Credentials , and create a new Shared Credential Group.
The Name field is arbitrary, for this example it will be named "videotest". Remove the characters from the Credential field , the code is looking for a blank credential to activate the advertisements. The Policy field is used to select which policy the end user will become a member of after watching/viewing the advertisement, for this example the "Free" policy will be used. The Time field is used to set the amount of time the end user will be granted after authenicating, this will be set to 1 hour in this example. Both the Download quota and the Upload quota fields will be set to unlimited. By default a shared credential is valid for one week, this can be extended by changing the date in the Expires field, this will be set to the year 2099. Makes sure that the "Splash" portal is selected in the Splash Portals field. We can limit the number of simultaneous users by setting a value in the Simultaneous Users field, here it will be set to unlimited. If desired the Intersession field can be used to set a period of time that must pass before the same device can use the credential, this will be left at 0 for this example. Finally if we want to end user to be presented with the portal again if they leave the network and return we can uncheck the Automatic login checkbox. Click Create
- Create Rotators , this is what is used to determine which set of advertisements to display.
Navigate to Services::Ad Rotator. To determine which advertisements to display a Rotator must be created for each entity we want to match againts, a fallback can be created that will display advertisesments if there are no other matches. The URN for the fallback is the value "video", the rXg has the ability to match against the specific portal an end user is presented with, this can be further enhanced by adding a location as well. To start the fallback will be created first. Create a new Rotator.
Because this is the fallback enter "Fallback" in the Name field and the URN field value will be "video". Click Create.
The next Rotator will match against the portal created in Step 1. Create a new Rotator , for this example the value of the Name field will be "videotest" which matches the portal created earlier. Note: this name can be anything and does not need to match the portal name. The URN field will need to match the portal name as this Rotator will be used to match against the portal created in Step 1, the value for the URN field will be "videotest_video". Click Create.
This system is configured with Location Areas that consist of a Floor and two Regions we can match against. The floor is named "building1" and then there are two regions name "room1" and "room2" that can be used to match against. If the match is against "building1" then any device connected to an AP located within the regions attached to "building1" will display advertisements assigned to the Rotator. "Building1" contains the regions "room1" and "room2".
To match against "building1" create a new Rotator , the Name field is arbitrary for this the value will be set to Videotest_building1, and the URN value is "videotest_building1_video". Click Create.
To make the match specific to a region we can use the region name instead of "building1", create a new Rotator , the value for the Name field is arbitrary and will be set to "Videotest_room1" in this example. The URN field will be the portal we want to display this on followed by the region and then video, which results in "videotest_room1_video". Click Create.
- Create Rotatees , this is the advertisement content that will be displayed.
The final step is creating the entries that the rXg can draw from to display content. If more than one Rotatee is created per Rotator then the rXg will randomly pick a matching Rotatee. The default portal contains 3 images and 5 videos we can use to display for this example. To display one of the examples videos to an end user connected in room1 create a new Rotatee.
The Name field is arbitrary and its value will be set to "Video1" for this example. Select the "Videotest_room1" checkbox in the Rotators field to display this content to an end user connected in room1. For this example we will display a video of clouds in this Rotatee using the following Payload"<video class="w-100 mb-3" src="/static/portal/videotest/clouds_1.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;">". Click Create This step can be repeated for each advertisement that should be displayed.
For the last example a Rotatee that contains a static image will be created to be displayed to end users as a fallback in the event they do not match aginst the portal or a location area. Create a new Rotatee. Provide a name and select the "Fallback" checkbox in the Rotators field. For this example we will use the payload "<img src="/static/portal/videotest/ad_one.png" width="80%" class="d-block mx-auto my-3">". Click Create. Note: for a list of images and videos provided in the default portal please scroll down.
The above examples were all locally hosted files within the /static directory of the captive portal. To use content that is stored remotely, a WAN target must be configued containing the domains and or IP addresses of where the content resides and it must be applied as a whitelist to the Splash portal. To create a WAN target navigate to Identities::Definitions and create a new WAN Target.
The Name field is arbitrary, value here will be "Ad Whitelist". In the Targets field enter the domains and or IP addresses that will contain content then click Create.
Once the WAN Target has been created, it must be set as a whitelist on the captive portal. Navigate to Policies::Captive Portal and edit the Splash portal.
Type the name of the WAN target into the Whitelist field and it will bring up any matching results, click on each one to add it to the whitelist. Click Update.
Now we can pull content from the domain(s) that are in the Whitelist. For example to pull content from rxg-lab.tech which is included in the Whitelist that was created. Create a new Rotatee give it a name, and the Payload will be <img src="https://rxg-lab.tech/images/ad\_two.png" width="80%" class="d-block mx-auto my-3">. Include the Rotators the content should be associated with and click Create. Note: to include external content it is important that you define a WAN target that contains all the domains and IP addresses content will be pulled from and this needs to be assigned to the Whitelist of the portal where the content will be displayed.
Static Image examples included in default portal.
- ad_one.png <img src="/static/portal/videotest/ad_one.png" width="80%" class="d-block mx-auto my-3">
- ad_two.png <img src="/static/portal/videotest/ad_two.png" width="80%" class="d-block mx-auto my-3">
- ad_three.png <img src="/static/portal/videotest/ad_three.png" width="80%" class="d-block mx-auto my-3">
Video examples included in default portal. 1. Big_Buck_Bunny_360_10s_1MB.mp4 <video class="w-100 mb-3" src="/static/portal/videotest/Big_Buck_Bunny_360_10s_1MB.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;"> 2. clouds_1.mp4 <video class="w-100 mb-3" src="/static/portal/videotest/clouds_1.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;"> 3. control_vid.mp4 <video class="w-100 mb-3" src="/static/portal/videotest/control_vid.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;"> 4. money.mp4 <video class="w-100 mb-3" src="/static/portal/videotest/money.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;"> 5. mountains_2.mp4 <video class="w-100 mb-3" src="/static/portal/videotest/mountains_2.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;">
Note: The links provided above are linked to the custom portal created for the example, if you use these you may need to change the "videotest" portion of the link to match the name of the custom portal you created.
Advanced Servers
The servers view of the services menu displays scaffolds that allow the operator to customize the behavior of various services integrated into the rXg.
Remote Database Access
The local database of an rXg may be configured for read-only access by third-party software tools When an rXg is configured with local server database storage. The local server database storage methodology configures the rXg to utilize PostgreSQL as the on board database. PostgreSQL is an advanced open source relational database with a wide variety of access options supported by both community-based open source projects as well as proprietary commercial offerings. A quick search for PostgreSQL GUIreveals numerous possibilities.
Many of the tools that integrate with PostgreSQL have GUIs for exploration. In addition, the vast majority allow for arbitrary execution of SQL queries.
Remote access to the on board rXg database is used to accomplish a broad spectrum of tasks. Advanced and highly customized reporting is one common use case. Below is an example of a report generated by the pgAdmin PostgreSQL GUI tool for the login log.
Another common use for remote database access is for integration with a third-party accounting system. Below is a report generated by pgAdmin from the credit card transactions log. A third-party accounting package could be configured to retrieve all of the transactions recorded in a particular time for automatic posting and reconciliation.
The remote database access feature is also a very convenient way to take periodic backups of the rXg database. This may be accomplished via GUI tools, but is also very easy to script. For example, thepg_dump
utility may be run as a scheduled task on Windows or a cron job on a UNIX-based system to automate periodic backups of the rXg.
Remote database access is governed by the Database scaffold as discussed below. The default PostgreSQL port is used and the default database name is config
. The name of the database being used by the rXg may be changed via the Cluster view of the administrative console. It is strongly advised that the default database name be used.
Remote database access is a powerful tool for operators who wish to integrate the rXg with third-party devices, systems and software. Nearly any form of read-only integration may be achieved. To obtain read-write access to the database, the rXg API key mechanism (discussed in the Adminis view) must be used.
Database
Entries in the database scaffold define the remote access policy and credentials for the local database on an rXg. This scaffold is only accessible on an rXg that is configured to use a local server database storage type.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The username and password fields contain the credentials for accessing the database. These credentials are generated by the rXg and are immutable.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
NTP Server
Entries in the NTP Server scaffold define configuration profiles for the rXg integrated NTP server. Precise and accurate local time keeping is a critical aspect of a functioning and error free billing system. The rXg uses the network time protocol to synchronize the local clock with established servers. In addition, both local and remote devices may be configured to use the rXg as a NTP server.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
SNMP Server
Entries in the SNMP Server scaffold define configuration profiles for the rXg integrated SNMP server. Many of the instruments that may be accessed via the rXg administrative console are also available via SNMP. This allows the rXg to be probed by a SNMP network or element management system and enables the operator to use to integrate the rXg as part of a large scale heterogeneous network.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The community is the read only (r/o) string that is used to gain access to this rXg via SNMP. Remote access to SNMP is disabled by default.
The port field specifies which port the SNMP server should listen for SNMP probes.
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The Receive Traps option enables the SNMP Trap listener on the rXg. Access to the server is restricted by the visibility and WAN Target selections. SNMP agents may use the community string specified here or the community string of an Infrastructure Device.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
SNMP MIBs
Integrating any network device with an SNMP monitoring solution usually requires MIBs. The following is list of MIBs that are available to download to assist with SNMP integration to the rXg:
TFTP Server
Entries in the TFTP Server scaffold define configuration profiles for the rXg integrated TFTP server. May third-party networking devices are configured by loading files over TFTP. The intended use of the rXg integrated TFTP server is to simplify the process of configuring and configuring provisioning of third-party devices.
The TFTP server delivers files out of /space/tftpboot
. It is assumed that the operator will use SFTP to transfer files to the rXg that will be served by the rXg integrated TFTP server. In addition, the rXg captive portal may be customized to generate files into this directory for zero operator intervention provisioning scenarios. For example, the captive portal may be customized to generate files for provisioning VoIP ATAs and telephones for end-users who have purchased a usage plan that incorporates a VoIP package.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The WAN targets and policies fields specify which sets of hosts should be allowed access to the rXg integrated TFTP server. TFTP does not include any authentication. Thus, by default, no access is allowed to the rXg integrated TFTP server. The operator must specifically enable access to hosts on the WAN by creating WAN targets and enabling the appropriate check boxes. Hosts on the LAN may be granted access by placing the hosts into a group and then linking them into a policy which is selected here.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Iperf Server
Entries in the Iperf Server scaffold define configuration profiles for the rXg integrated Iperf server. Iperf is the de-fato standard mechanism for measuring the available network bandwidth. To use this feature of the rXg, the operator must have an Iperf client installed on one or more external devices.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The port field configures the port that the Iperf server will be listening for connections on. The default port is 5201.
The WAN targets and policies fields specify which sets of hosts should be allowed access to the rXg integrated Iperf server. Iperf does not include any authentication. Thus, by default, no access is allowed to the rXg integrated Iperf server. The operator must specifically enable access to hosts on the WAN by creating WAN targets and enabling the appropriate check boxes. Hosts on the LAN may be granted access by placing the hosts into a group and then linking them into a policy which is selected here.
The rXg integrated Iperf server is most often used with devices on the LAN to instrument the maximum bandwidth between an end-user device and the rXg. The maximum speed reported by Iperf will be determined by the physical media speed and the bandwidth queue that is associated with the client device. Note that if the end-user has been associated with a usage quota, the use of Iperf will be counted into the quota.
Iperf may also be used from the WAN side to instrument the maximum bandwidth available on WAN uplinks. In order to acquire correct data, the Iperf client should be placed immediately adjacent to the rXg on the WAN. Using a Iperf client that is multiple hops away from the rXg will usually provide nonsensical results because it is impossible to guarantee that the intermediate hops will have sufficient bandwidth for the test.
The use of Iperf is highly preferred to web-based online bandwidth meters such as speedtest.net. This is because the Iperf server enables the operator to independently test the LAN distribution network and the WAN uplinks. A web-based online bandwidth meter can only perform a complete end-to-end test that does not provide any information as to where the potential problem is. Also, the results from an web-based online bandwidth meter test may be skewed by proxies, including the rXg integrated transparent web proxy.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
MQTT Server
Entries in the MQTT Server scaffold define configuration profiles for the rXg integrated MQTT server.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The WAN targets and policies fields specify which sets of hosts should be allowed access to the rXg integrated MQTT server. MQTT does not include any authentication. Thus, by default, no access is allowed to the rXg integrated MQTT server. The operator must specifically enable access to hosts on the WAN by creating WAN targets and enabling the appropriate check boxes. Hosts on the LAN may be granted access by placing the hosts into a group and then linking them into a policy which is selected here.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Virtualization
- Virtualization Deployment Guide
- Virtualization Design Guide
The virtualization view presents the scaffolds associated with configuring a virtual environment, including hosts, guests, and networking.
Virtualization Deployment Guide
The most common use case of virtualization within the rXg is to cluster multiple rXgs together on the same bare metal machine to maximize the use of available resources. The following steps will guide you through building a virtual infrastructure capable of clustering.
Note: If rXg virtualization host is itself installed onto a virtual machine running on ESXi, ensure that hardware virtualization is enabled in the VM options.
Create a Virtualization Host
From the Virtualization Hosts scaffold, click Create New
A host can be created on any bare metal node you wish to use as a virtualization environment. Assign the host a name and select the node that will be used for virtualization. The Autostart delay can be left at the default of 5 seconds. You will notice that a virtual switch has already been added for each physical interface on the host. Keep this configuration as is; at the bottom, you can click create.
Note: It is necessary to have the physical interface for the cluster network in an active state, even if there is no plan to egress traffic from that interface.
Load the ISO onto the Host
Once the host is created, you can click Disk Images to load the ISO file that will be used as the operating system for your virtual machines.
Next, click Create New.
The Filename field is required. This will be used to reference the associated .iso file. The rXg provides two methods to load the .iso file onto the system. You can provide a URL that points to the .iso file, and the rXg will download it directly, or you can use the File Upload method to select an .iso from your local machine to upload to the system.
Once the upload/download is complete, you will see the file in the list.
Create a Virtual Machine
From the Virtualization Machines scaffold, click Create New
Assign the virtual machine a name and select the host that it should be built on.
Cluster Node Auto Provision
If this VM is to be part of a cluster, and the Virtualization Host is the CC, you can use the Cluster Node dropdown to automate the clustering configuration. The rXg will combine the data collected from this form with available information from the CC, create a configuration template, and automatically apply it after the software installation is complete. This process allows the VM to join the cluster automatically.
Note: The host CC record (System >> Cluster) will need to be configured for Automatic Registration.
The Cluster Node dropdown will allow you to select an existing cluster node record or create a new one. If you choose an existing record, you need to check the Auto Provision option to activate this feature. All other required information is collected from the current configuration. If you choose Create New, providing the Node Mode and Node IP address will also be necessary.
Create New
Existing Record
The bootloader can stay at the default setting for the rXg installation. Other operating systems, such as Windows, may require a different bootloader. Set the memory and CPU count as necessary to support the VM that you are creating. It is recommended to enable Autostart so that if the host is power cycled, the guest VM will automatically start back up. Add virtual interfaces as needed and assign them to a virtual switch. In this example, I have created a virtual interface for the WAN, CIN, and LAN and matched them to the physical ports I plan to use on the host. Add a virtual disk to the VM of the appropriate size to support the rXg that you are installing. Adding an additional 20 GB of space is necessary to allow for overhead here. Click Create.
Begin the OS Installation
With the VM created, you can click the Install link to select a disk image for installation.
Select the desired image and click Install.
Console Access
The console can be reached via an SSH session to the host node and then switching to the root user.
Type vm console your_vm_name
.
Press Enter
To exit the console session, assuming you were SSH'd to the host, type "~~."
You may need to press enter before the first ~ if it doesn't work the first time. (needs to be entered on its own input line)
After installation, the node can be configured from the primary CC.
Virtualization Hosts
The Virtualization Hosts scaffold enables creation, modification, and deletion of a host. The first step to creating a virtual machine in rXg is creating a virtualization host.
The Name field is an arbitrary string used to identify the host. This string is used for identification purposes only.
A virtualization host can be created on any of the bare metal machines in a cluster. The Node dropdown allows you to select the intended target for this configuration.
The Autostart Delay field defines the number of seconds to wait between starting each virtual machine with autostart enabled.
The Virtual Switches field allows for the creation of vswitches that virtual ports can later be attached to. One virtual switch per host interface will automatically be created when you create a new host.
The Virtual Machines field displays all virtual machines that are either unassigned (unchecked) or assigned (checked) to this host.
The Disk Images link, when selected, will allow the operator to manage the .iso files stored for virtual machine creation. Create New will provide the operator with options to either upload or download a new .iso file. The Filename field is required and will be used to reference the associated .iso file. The rXg can directly download a .iso file from a remote destination specified in the URL field. Alternatively, you can select Choose File and select a .iso file from your local machine for upload.
Virtual Machines
The Virtual Machines scaffold enables creation, modification, and deletion of virtual machines.
The Name field is an arbitrary string used to identify the host. This string is used for identification purposes only.
The Host dropdown allows you to specify the host for the virtual machine creation.
If this VM is to be part of a cluster, and the Virtualization Host is the CC, you can use the Cluster Node dropdown to automate the clustering configuration. The rXg will combine the data collected from this form with available information from the CC, create a configuration template, and automatically apply it after the software installation is complete. This process allows the VM to join the cluster automatically. The cluster node dropdown will allow you to select an existing cluster node record or create a new one. If you choose an existing record, you need to check the Auto Provision option to activate this feature. All other required information is collected from the current configuration. If you choose Create New , providing the Node Mode and Node IP address will also be necessary.
The Bootloader field allows for selecting a specific set of booting instructions that is most appropriate for your virtual machine. Use Bhyveload for rXg.
The Memory field allows the number of gigabytes of memory that should be allocated from the host to the virtual machine to be specified.
The Cores field allows the number of CPU cores that should be allocated from the host to the virtual machine to be specified.
The Autostart checkbox, if checked, will automatically start the virtual machine when the host starts. A delay between virtual machine starts can be configured in the host scaffold.
The Enable Graphics field, if selected, will start a VNC server to provide GUI access to the VM.
The Virtual interfaces section allows for the creation of virtual interfaces that can connect the virtual machine to the virtual switch. Creating a virtual interface in this scaffold will also add it to the Virtual Interfaces scaffold. The name field is an arbitrary string used to identify the interface. This string is used for identification purposes only. The emulation field allows for the specification of the emulation type. Virtio-net is recommended in most cases. The virtual switch dropdown allows you to select with which switch the interface you are creating will be assigned. A virtual switch enables interfaces to communicate with each other or with an associated uplink. The MAC field allows the assignment of a custom MAC address to the interface. Leaving this field blank will result in a MAC address being automatically created.
The Virtual disks section allows for creating a virtual drive that can connect to this virtual machine. Creating a virtual disk in this scaffold will also add it to the Virtual Disks scaffold. The name field is an arbitrary string used to identify the interface. This string is used for identification purposes only. The Size field specifies the number of gigabytes of drive space that should be allocated from the host to the virtual machine. The emulation field allows for the specification of the emulation type. Virtio-blk is recommended in most cases.
Virtual Switches
The Virtual Switches scaffold enables the creation, modification, and deletion of virtual switches.
The Name field is an arbitrary string used to identify the host. This string is used for identification purposes only.
The Host dropdown allows you to specify the host for the virtual switch creation.
The Switch Type dropdown allows a switch type to be specified. Standard is recommended for most cases.
The Interface dropdown provides a list of available physical interfaces from the host machine. Selecting an interface from this dropdown will assign it to this virtual switch as an uplink. Each physical interface can only be assigned to one virtual switch.
The Virtual Interfaces field provides a list of available virtual interfaces that can be assigned to this switch. Selecting an interface from this dropdown will assign it to this virtual switch and unassign it from any other switch.
Virtual Disks
The Virtual Disks scaffold enables the creation, modification, and deletion of virtual disks.
The Name field is an arbitrary string used to identify the host. This string is used for identification purposes only.
The Virtual Machine dropdown specifies with which virtual machine this disk should be associated.
The Size (GB) field specifies the number of gigabytes of drive space that should be allocated from the host to the virtual machine.
The emulation field allows for the specification of the emulation type. Virtio-blk is recommended in most cases.
Virtual Interfaces
The Virtual Interfaces scaffold enables the creation, modification, and deletion of virtual interfaces.
The Name field is an arbitrary string used to identify the host. This string is used for identification purposes only.
The Virtual Machine dropdown allows you to select with which virtual machine the interface you are creating will be assigned.
The Virtual Switch dropdown allows you to select with which switch the interface you are creating will be assigned. A virtual switch enables interfaces to communicate with each other or with an associated uplink.
The Emulation field allows for the specification of the emulation type. Virtio-net is recommended in most cases.
The MAC field allows the assignment of a custom MAC address to the interface. Leaving this field blank will result in a MAC address being automatically created.
Virtualization Design Guide
Note: We recommend that a single machine with a single instance of rXg be limited to 1500 DPL, 8 CPU cores, and 16 GB of RAM.
No HA Required
- Single rXg Host Internal Dataplane Virtualization
HA Required
- 2-way Symmetric rXg Cluster
- 3-way Symmetric rXg Cluster
- 3-way Asymmetric rXg Cluster
- 4-way Asymmetric rXg Cluster
- 8-way Asymmetric rXg Cluster
Single rXg Host Internal Dataplane Virtualization
- Install rXg on bare metal machine
- Configure bare metal rXg as CC
- Also use the bare metal rXg as virtualization host
- Install (6) vDPs
- Configure bare metal rXg as CC
Example:
- Server with AMD 64-core CPU / 256 GB of RAM
- 6-way IDV (8 cores / 16 GB each)
- 16 cores and 64GB RAM for CC
- 6000 DPL in full operation
2-way Symmetric rXg Cluster
- Install rXg on both bare metal machines.
- Configure bare metal rXgs as symmetric rXg cluster with (2) CCs
- Also use the bare metal rXgs as virtualization hosts
- Install (2) vDPs per node
- Use cluster teaming to facilitate deterministic failover
- Configure bare metal rXgs as symmetric rXg cluster with (2) CCs
Example:
- 2 x servers with AMD 24-core CPU / 64 GB of RAM
- 2-way IDV (8 cores / 16 GB each) on each server
- 8 cores and 32GB RAM for CC
- 4000 DPL in full operation (2000 DPL if one fails)
3-way Symmetric rXg Cluster
- Install rXg on all 3 bare metal machines.
- Configure bare metal rXgs as symmetric rXg cluster with (3) CCs
- Also use the bare metal rXgs as virtualization hosts
- Install (4) vDPs per node
- Use cluster teaming to facilitate deterministic failover
- Configure bare metal rXgs as symmetric rXg cluster with (3) CCs
Example:
- 3 x servers with AMD 48-core CPU / 128 GB of RAM
- 4-way IDV on each server
- 16 cores and 64 GB RAM for CC
- 12000 DPL in full operation (8000 DPL if one fails)
3-way Asymmetric rXg Cluster
- Install rXg on all 3 bare metal machines.
- Configure bare metal rXgs as asymmetric rXg cluster with (1) CC and (2) DPs
- Use the bare metal DP nodes as virtualization hosts
- Install (4) vDPs per DP node
- Configure bare metal rXgs as asymmetric rXg cluster with (1) CC and (2) DPs
Example:
- 3 x servers with AMD 32-core CPU / 64 GB of RAM
- rXg CC runs on bare metal
- 4-way IDV on bare metal rXg DPs
- 16 cores and 40 GB RAM for CC
- 16 cores and 24 GB RAM for VMs - 8000 DPL in full operation (4000 DPL if one fails)
6-way Asymmetric rXg Cluster
- Install rXg on all 4 bare metal machines.
- Configure bare metal rXgs as asymmetric rXg cluster with (2) CCs and (2) DPs
- Use the bare metal DP nodes as virtualization hosts
- Install (4) vDPs per DP node
- Use cluster teaming to facilitate deterministic failover
- Configure bare metal rXgs as asymmetric rXg cluster with (2) CCs and (2) DPs
Example:
- 6 x servers with AMD 32-core CPU / 64 GB of RAM
- 4-way IDV (8 cores / 16 GB each) on each vDP
- Full capacity of bare metal for master and standby CC
- 16000 DPL in full operation (12000 DPL if one CP or DP or both fails)
8-way Asymmetric rXg Cluster
- Install rXg on all 8 bare metal machines.
- Configure bare metal rXgs as asymmetric rXg cluster with (2) CCs and (6) DPs
- Use the bare metal DP nodes as virtualization hosts
- Install (16) vDPs per DP node
- Use cluster teaming to facilitate deterministic failover
- Configure bare metal rXgs as asymmetric rXg cluster with (2) CCs and (6) DPs
Example:
- 8 x servers with 2x AMD 64-core CPU / 512 GB of RAM
- 16-way IDV (8 cores / 16 GB each) on each vDP
- Full capacity of bare metal for master and standby CC
- 96,000 DPL in full operation with room to grow!
LLM
The LLM view enables the operator to configure a cutting-edge retrieval augmented generation (RAG) large language model (LLM) artificially intelligent (AI) feature designed to empower network operators to harness the power of advanced language models within their private networks. By leveraging this innovative technology, operators can revolutionize network operations, enhance customer experiences, and unlock new revenue streams.
LLM Options
The LLM Options scaffold configures the end-user behavior of the LLM feature. It may be useful to think of each LLM Option as a unique chatbot. In a scenario where there are multiple end-user and operator portals, multiple LLM Option records may be created to drive each portal to a unique chatbot experience.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The default checkbox, if checked specifies this LLM Option will be used for all portals without an explicit LLM option defined.
The temperature field is a number between 0 and 1 (0.8 default). Increasing the temperature value will make the model answer more creatively.
The chatbot name field is used to set the name of the chatbot, default is Romeo George.
The chatbot avatar field allows the operator to upload a custom image to be as the chatbots avatar in chatbox window.
The apply guardrails checkbox applies guardrails against harmful, unethical, racist, sexist, toxic, etc. conversations. This is applied after any custom instructions and is enabled by default.
The custom instructions field allows the operator to provide the LLM with a full set of custom system instructions.
The initial greeting field allows the operator to specify a specific greeting the chatbox will use to introduce itself when a user initiates a new chat.
The default llm model drop down is used to specify the default LLM modem this LLM will use.
The llm models field allows the operator to select all the models that can be used with this LLM Option.
The admin roles field sets the admin roles that will use this LLM option, selecting any roles here will remove them from being selected in another LLM option.
The operator portal field selects which Operator Portals are assigned to this LLM Option. Note that an admin role match is prioritized over an operator portal match. Associating a record removes it from other options.
The landing portals field sets which splash/landing portals use this LLM option. Associating a record removes it from the other options.
The alow anonymous chats field, if checked allows users to chat via the portal without being logged in with an account.
LLM Workers
The LLM Workers scaffold configures an LLM back-end service that will be used by the chatbots defined by LLM Options. LLM Workers may leverage both local as well as remote GPU resources. The remote GPU resource configuration is intended to be used with a Fleet Manager. An organization might wish to install one or more GPUs into the Fleet Manager and thus have a centralized pool of GPU resources that are shared amongst of a fleet in order to meet cost, power, and cooling budgets at the edge. It is also possible to create LLM Workers that leverage cloud AI systems. We highly recommend that operators deploy their own GPUs to maximize ROI and information security. Tying an LLM Worker to a cloud system is primarily included for the purpose of demonstration.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The adapter field specifies the adapter to be used, Ollama is selected by default.
The run locally checkbox tells the system to run a local server for the specfied backend (adapter) and optionally can be made available to specific WAN targets and or policies.
The host field is used to specify the IP or FQDN of the host providing the API interface for the designated backend.
The port field specifies the port to be used for communication.
The timeout field sets the amount of time the system should wait for the LLM worker to respond.
The online checkbox, if checked indicates that the LLM worker is online and ready to process reqquests, unchecking this field will make the LLM worker unavailable.
The llm model drop down specifies which LLM Model this worker will use by default.
The llm models field specfies which LLM Models this worker is allowed to use.
The use for embeddings field if checked, designates the worker that will be used to generate embeddings for context lookup. Enabling will deactive embedding for other workers.
LLM Models
The LLM Models scaffold displays the models that are available to the LLM Worker. Use the import models action link on the LLM Worker to bring in the available models and populate this scaffold. This scaffold is primarily for informational purposes. We recommend pulling llama3.1:latest for most purposes, or llama3.1:70b if you have more than 40 GB of VRAM. We recommend pulling nomic-embed-text (or mxbai-embed-large if you have a powerful machine) for embeddings.
The name field is the name of the model as recognized by the LLM Workers running it. This name needs to match the model name this field is not arbitrary.
The url NEED Clarification here, does it pull the model to the system and the URL is where that model can be downloaded from.
The formatter specifies which LLM model to use to format the requests that are sent to the LLM Worker Needs clarification
The context window sets the size of the set of information that is relevant for answering questions. Setting a larger context window can allow for more detailed and comprehensive answers. What limits this
The embedding dimensions field sets the scope for how many different features/variables are being considered, different models require varying amounts of data.
The quantization level field is used to set how many bits are being used per word when encoding text data. The higher this value the more detail can be gained from the information/data.
LLM Sources
The LLM Sources scaffold allows operators to upload data sources that are used by the retrieval augmented generation (RAG) system. Documents uploaded to this scaffold are indexed using an embeddings model. Vector similarity search is performed upon the chatbot input to acquire relevant fragments of LLM Sources to provide context to the LLM when generating a chatbot response.
The intended method of use is for the operator to upload a large number of files from their existing dataset. For example, the operator might upload all of the menus for all of the restaurants at a large public venue. Another common use case would be an upload of all of the recommended nearby activities for a hospitality venue. The LLM Sources are unique to each edge. Synchronization of LLM Sources between edges is accomplished using a Fleet Manager.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The llm_remote_data_source if selected, marks this LLM Source as remote, meaning that the rXg is expected to fetch the source data from a remote host.
The frequency selector allows the operator to choose whether to make the llm source get called live, or periodically. If it is called periodically, it will not have access to a specific user's specific query, the way it will if being called live. If this LLM Option is periodic, the remote source will be called periodically and the result will be stored in the LLM Option's source attachment, and a button to manually refresh it will be made available. If this is a Live LLM Source, the query will be accessible from within the parameterization's ERB context as the query variable.
The source field lets you choose the file to upload that will be used as an embeded source.
The visibilty field sets which users can access this information, if set to admins only, the source will only be referenced if you are logged in as an admin. Admins and Users allows both admins and client users to receieve information from this source, and setting it to anonymous allows any user interacting with the LLM to recieve this information regardless of being logged in or not. The anonymous setting should only be used if the client would be interacting with the chatbot without a login sessions, ie from the splash portal.
The request properties are merged with the request properties of the remote llm data source when this data is retreived.
These request properties can use ERB, and if they do, the user's query will be available in that ERB context as the query
variable. Other variables such as client_ip
, client_mac
, current_account_id
, anonymous_user_id
, connected_ap_id
, current_admin_id
will be available if possible.
The path attribute is merged with the base url of the LLM Remote Data Source to determine the URI that will be called. This allows the operator to configure different paths with different query parameters off of one LLM Remote Data Source.
The timeout attribute determines how long the rXg will wait for a response when it tries to query the remote data source.
The frequency field choice determines how often a periodic remote data source is redownloaded.
The cache duration field determines how long an on-demand response is cached for. This works in conjunction with the cache duration unit field.
LLM Remote Data Sources
LLM Remote Data Sources Represent "base" configuration for getting data from remote web servers to use in LLM generated responses. LLM Remote Data Sources contain properties that are used when requesting data from that remote llm source.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The base url field will be combined with the path attribute of a correlated LLM Source. This is intended to give operators significant flexibility when using LLM Remote Data Sources.
The request properties will be merged with the LLM Source's request properties when making the request.
These request properties can use ERB, and if they do, the user's query will be available in that ERB context as the query
variable. Other variables such as client_ip
, client_mac
, current_account_id
, anonymous_user_id
, connected_ap_id
, current_admin_id
will be available if possible.
The basic auth username and basic auth password will be included as basic auth if they are present.
LLM Embeddings
The LLM Embeddings scaffold displays all of the indexes that have been created by the embeddings model for the various LLM Sources. This scaffold is intended for informational purposes only.
An entry in the embedding scaffold represents data the LLM can pull from to answer client questions. The source shows where the data is from, updated reflects the last time this information was updated, the llm model used and the dimensionality.
LLM Prompts
This scaffold is a list of all the prompts sent to the LLM from the clients.
LLM Requests
This scaffold is a list of all the prompts sent to the LLM from the clients, it will list which llm model was used, the LLM worker, when the task was started, when it completed, and how long it took to complete the response.
Chats
The chats scaffold is a history of the chats that have been initiated on the system.
LLM Setup Example
In this example the hardware is a pc with a 3090 graphics card, WAN + certificate is configured, no other configuration has been done.
Navigate to Services::LLM
Create a new LLM Worker.
Give the record a name, in this case since it will be running locally on the system using Ollama I will use the name Local Ollama.
The adapter field should be set to Ollama, and the run locally checkbox should be checked.
The default port value of 11434 should be used, and timeout can be left at 30 seconds. It may be necessary to increase the timeout to 120 seconds to support larger models such as the 70b variant of llama.
Add any WAN targets that should be allowed to communicate on this port and/or any polcies that should be allowed. Being that there is no other configuration currently on this system I will select the default policy, if this were a live deployment I would need to add any client policies that will have access to the chatbot.
Leave the online checkbox, checked.
We do not have any llm models yet so we will leave those fields blank. In this demo we will also be using this worker for the embedding so the use for embeddings checkbox should be checked.
Click Create.
To pull a new model click the pull model link and enter the name of the model to be fetched.
Here we will pull the latest llama3 model, then click submit. This process can take a long time to complete as it must download and process the model file which an be quite large. If the model does not automatically appear in the model scaffold after pulling, wait a bit longer, and click the Import models link in the scaffold.
Repeat for each desired model.
Edit the LLM Worker created previously and now we can select the default model to use with this worker as well as specify other models the worker can use.
After selecting the default LLM model and any additional models click create.
Next we will enable embedding generation. Embeddings are numerical representations of text or other data, which can be compared against each other in order to detect similarity between different data. If enabled, embeddings will be created for the Retrieval Augmented Generation (RAG) sources, as well as the admin manual and the Active Record Models that make up the database. There must be a worker designated for creating embeddings as well as a model designated for embeddings. For this we will use the nomic-embed-text:latest model. Edit the nomic LLM worker.
The embedding dimensions field is required when using a model for embedding. This field is typically populated automatically when importing models from a worker. Valid values are as follows: 512, 768, 1024. Default is 768 and will be used if the field is blank. Check the use for embeddings checkbox and click update. NOTE It will not start generating LLM embeddings until we create the LLM Option which brings us to the next step.
Create a new LLM Option.
Give the record a name, since this will be the default LLM Option I will call it default, and check the default box below the name field. If desired you can enter a name for the chatbot, and upload a custom avatar.
Be default apply guardrails is checked, for the purpose of this demo it will remain checked.
I will not be changing the custom instructions or the the initial greeting at this time.
Select the default LLM model, for this we will be using llama3:latest, I will select the other models as well.
In the Provisioning section select which admin roles that will use this option set. If there are any operator portals or splash/landing portals that should use this LLM option they can be selected at this time as well. If the goal is to allow anyone to access the chatbot without a login session check allow anonymous chats. Primarily this would be checked if you intend to have the chatbot on the splash portal before authentication.
Click create.
This will then start generating the LLM Embeddings to be used as resources for chat responses. The time it will take to generate the embeddings depends on hardware.
The Chat is now available for use in the admin gui.
LLM Remote Sources Example
Using the LLM Remote Data Source feature allows the system to pull in realtime data via API calls. In this example we will create a remote data source that pulls information from Aviationstack.com. In this example we are using the paid service, however I believe a free account allows 100 API calls per month.
Before we begin we should determine which API endpoints we will use. We can see a list of available API calls for Aviationstack here aviationstack.com/documentation. For this example we will using the following endpoints.
dep_iata which allows us to narrow the scope of our searches to a specific airport.
flight_date which allows us to specify a time for our queries.
flight_number which allows us to inquire about specific flights.
Lastly access_key which is required and will pass our API access key.
To begin using Remote Data Sources navigate to Services::LLM and create a new LLM Remote Data Source.
Give the record a name. Enter the base URL, which for aviationstack is https://api.aviationstack.com/. Next we need to configure a Request property. Kind should be set to Query Parameter, key set to access_key from the endpoint above, and the value is the API key provided by aviationstack. Click Create.
Next create a new LLM Source.
Give the record a name. Set the Visibility field to Admins and users, if we leave it at the defult Admins, then only admins will be able to access this source, we want clients on the network that have logged in to be able to access this. Setting it to anonymous then a client would be able to access the source regardless of login status.
The path here needs to be set to v1/flights for aviationstack. Select the LLM Remote Data Source that we created previously in the LLM remote data source field.
The Remote Data Description field is important and we must provide a value here. This is what the system will look at to determine if this source has information relevant to the inquery.
Next we need to create the Request Properties to use for this source. We will be using dep_iata to narrow the scope to a specific airport in this example DEN (Denver), flight_date which allows to search for a specific dates/times, and finally flight_number which allows us to retrieve information based on the specific flight numbers.
Click Create.
Now we should see a new LLM Embedding for this source, if not, click the Regenerate Embeddings link above the LLM Embeddings.
Now we are ready to start asking questions.
GPUs
Nvidia datacenter and workstation GPUs are preferred. The RTX 4000 is the preferred GPU for space and power constrained scenarios. The RTX 4000 consumes a single PCI-e slot and contains 16 GB to 20 GB of VRAM which is enough to run most typical models. Production servers from major manufacturers are usually ordered with the Nvidia L40S GPU which comes with 48 GB of VRAM.
It is possible to use desktop GPUs which are often available a lower prices, especially in the second-hand market, which is useful for demonstation and development purposes. The Nvidia 3090 GPU is known to work and available at reasonable prices. The 24 GB of RAM present onboard the 3090 is to run most models. The 3090 GPU is also available in two-slot configurations. Later generation Nvidia GPUs such as the 4090 typically require three slots and provide similar amounts of VRAM.
It is possible to put two (or more) GPUs in the same machine. For example, two 3090s with 24 GB of VRAM, or three A4000s with 16 GB of VRAM each, would be enough to run Llama 3.1 70b which requires 40 GB of VRAM.
DHCP
The DHCP view presents the scaffolds associated with configuring the DHCP server and DHCP relay features of the rXg.
The rXg integrates a fully featured DHCP server capable of meeting the needs of nearly any imaginable environment. By default, the rXg DHCP server responds to all DHCP requests on the LAN with a temporary address assignment from within a pool. This behavior may be modified and augmented via the scaffolds presented on this view to deliver a broad spectrum of possible responses.
To enable the rXg integrated DHCP server, the operator must create a DHCP pool that falls within the CIDR of an address that is on the LAN of the rXg. An address is considered to be on the LAN of the rXg if the address is associated with an Ethernet interface , VLAN or is the destination in a static route.
The CIDR of the address from which the pool draws IP addresses from automatically determines the DHCP server listening interface as well as the subnet mask and default route that is presented to the client.
For example, given an rXg that has the following addresses :
- Ethernet Interface en1: 192.168.5.1 / 24
- VLAN 3800: 172.16.16.1 / 22 If a DHCP pool for with a range of 192.168.5.100 to 192.168.5.200 is created, the rXg integrated DHCP server will listen on en1 for DHCP requests in the native VLAN and respond with:
- IP address in range 192.168.5.100 to 192.168.5.200
- subnet mask 255.255.255.0
- default gateway 192.168.5.1 Similarly, if a pool with a range of 172.16.23.1 to 172.16.28.255 is created, then DHCP requests present on VLAN 3800 will see a response of:
- IP address in range 172.16.23.1 to 172.16.28.255
- subnet mask 255.255.240.0
- default gateway 172.16.16.1
Many networks combine DHCP assigned addresses with manually assigned static addresses. Use the pools scaffold to control the range of addresses issued by the rXg. It is extremely important to ensure that network administrators manually configure statically assigned addresses correctly to prevent overlap. It is also suggested that VLANs be used for L2 segregation of machines with statically assigned addresses from those pulling from DHCP in order to prevent IP address collisions. Alternatively, the network operator may choose to use DHCP fixed hosts in lieu of statically assigned addresses to achieve the same goal.
In most networks, there are some devices which should obtain the same IP address every time a request is made. A common occurrence of this is when a Static IP has been configured for a device that is using DHCP. To ensure connectivity, the BiNAT'ed device must have a static IP address or must be established as a fixed host. It is important to make sure that fixed hosts are assigned IP addresses that are outside of the ranges specified by the pools
Two, non-overlapping pools may also be configured for the same Ethernet interface or VLAN. Given the example rXg network address configuration above, 172.16.23.1 to 172.16.28.1 and 172.16.20.1 to 172.16.22.255 may both be configured as pools simultaneously. By default, requests originating from VLAN 3800 will draw addresses from both pools. This behavior is usually modified through the use of classes and match rules.
Match rules may be used to differentiate between requests originating from the same physical or logical media. For example, match rules may be used to associate devices presenting DHCP client identifiers containing a specific prefix with a class. Another common use of match rules is to place all devices presenting a MAC address from a specific vendor into a class.
A class may be used to determine the pool from which the requesting device acquires an address. This is useful for IP-based policy management as certain devices may be placed into specific ranges of IP addresses which can have different policies associated with them. In addition, different pools may have different DHCP options. For example, pools may have different maximum lease times, DNS servers, default routes, etc.
If there is a LAN CIDR block configured on the rXg for which there is no pool , the rXg may also be configured as a DHCP relay server. This feature enables a DHCP proxy server on the rXg that forwards DHCP requests originating from the associated Ethernet interface or VLAN to an external DHCP server.
Pools
An entry in the DHCP Pools scaffold configures a pool of IP addresses that are to be offered to end-user devices requesting an IP address.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The start IP and end IP fields define the range of addresses to be offered by this pool. The pool of offered addresses must fall within the range of an IP network configured on an interface and must not include the address(es) consumed by the rXg or the broadcast address. For example, if the 192.168.5.1/24 IP network is configured on the LAN, the maximum allowable range is from the start IP of 192.168.5.2 to the end IP of 192.168.5.254.
It is critically important to be very precise when entering these values to prevent IP address conflicts. Some of the many things to keep in mind include:
- Devices with statically assigned IP addresses must not use addresses within the DHCP pool range.
- IP address reservations (specified in the fixed hosts scaffold) must not be in the pool.
- The pool ranges must be large enough to accommodate the end-user population.
The Reserved options let you specify addresses you wish to reserve either at the begining of each subnet in the pool via the First field or at the end of the subnet via the Last field. For example a network address consisting of 32 /24 subnets (x.x.0.1/24 - x.x.31.1/24 (32)) setting the First field to 4 would reserve x.x.0.2 - x.x.0.5 in the first subnet and .2 - .5 in each subsequent subnet. Setting the Last field to 4 would reserve x.x.0.251 - x.x.0.254 in the first subnet and 251 - 254 in each subsequent subnet. The Router field can change the gateway IP in each subnet. Incremented from the network address, where 1 is the first usable IP address (e.g. x.x.x.1/24). Decremented from the last usable address, where -1 means the last host address (e.g. x.x.x.254/24).
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The option group and class fields link this DHCP pool with options and configuration rules. For example, the WINS server DHCP option can be transmitted to only those end-users running Window through the use of the option group and class fields.
Fixed Hosts
An entry in the Fixed Hosts scaffold reserves an IP address for a particular device. When a device with the MAC address specified in this record requests network configuration via DHCP, the specified IP address is offered. This mechanism is often used as an alternative to manually assigning static IP addresses to devices.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The IP field contains the IP address to be reserved for this device. It is critically important that the reserved IP be outside of any pools specified in the pools scaffold.
The MAC field contains the MAC address of the device that this reservation is being held for.
The hostname field is an optional parameter that, if specified, will cause the DHCP server to deliver a client identifier to the device via a DHCP option.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The option group links this reservation with a set of DHCP options that control additional information that may be delivered to the device beyond IP address, hostname, subnet mask and gateway. For example, an option group may be used to specify alternative DNS servers for the device specified in this reservation.
Option Groups
An entry in the option groups scaffold links one or more options to devices that are offered addresses from a pool or set of fixed hosts. When an option is linked, the specified payload will be delivered as part of the DHCP response offered to a requesting device. The use of option groups to link options to pools and fixed hosts maximizes the flexible reuse of configuration options.
The global check box links the associated options with all DHCP responses. Only a single option group can have the global field checked. Furthermore, the global checkbox should be used in exclusion to linking any specific pools and fixed hosts and vice versa.
The authoritative check box indicates whether or not the DHCP server should be authoritative for the network(s) its attached to. An authoritative DHCP server will assume that the configuration information about a given network segment is known to be correct and authoritative, and thus will send DHCPNAK messages to misconfigured clients. Operators setting up DHCP servers for their networks should usually have this checked to indicate that the DHCP server should send DHCPNAK messages to misconfigured clients. If this is not done, clients will be unable to get a correct IP address after changing subnets until their old lease has expired, which could take quite a long time. For certain cluster deployment configurations it is necessary to put the server in non authoritative mode. For example, when two or more cluster nodes are performing the role of the DHCP server on the same network. This is so that the nodes do not NAK each others lease assignments.
The BOOTP check box allows or denies address assignment from the related pool(s) for BOOTP clients.
The options field specifies the members of the options scaffold that will be linked to the targets specified in this option groups record.
The pools and fixed hosts fields specify targets for receiving the DHCP configuration options specified by the options fields.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Options
An entry in the options scaffold establishes a key-value pair that can be appended to any DHCP response via an option group.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The standard option field specifies the DHCP option that is to be defined by this record. The purpose of the vast majority of the DHCP options is easily derived by the name. The set of all available standard DHCP options is defined by IETF RFC 2132. The custom option field enables the operator to deploy DHCP options that are not part of IETF RFC 2132.
The name makes the purpose of the option self evident in many cases. Here are some common required use cases:
routersWhen the rXg integrated DHCP server is responding to requests originating from a network that is L2 connected to the rXg, the DHCP server automatically populates the response with a next hop router specified as the rXg. However, if the rXg integrated DHCP server is responding to requests on a network that is L3 connected behind a router, the routers option must be specified. In general, it is not possible to automatically determine the IP address of the next hop router that faces the clients being served DHCP, hence the requirement for manual specification.tftp-server-nameCertain forms of customer premises equipment require BOOTP or TFTP provisioning (e.g., DOCSIS cable modems or WiMAX subscriber terminals). To accommodate this, the rXg incorporates a TFTP server and supports the delivery of DHCP responses with the requisite options. The value of the tftp-server-name option should be the IP address of the rXg that is closest to the end-user.
The value is the value that will be used when the key-value pair is appended to the DHCP request. For example, if max-lease-time
is chosen as the option name for a record, the option value should be set to the maximum number of seconds that a DHCP lease can be used by a end-user device.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The option group field determines which DHCP responses will contain the key-value option pair configured in this record.
The following DHCP client options are currently supported:
Code | Option | Name | Description |
---|---|---|---|
1 | subnet-mask | Subnet Mask | Subnet Mask Value |
2 | time-offset | Time Offset | Time Offset in Seconds from UTC (note: deprecated by 100 and 101) |
3 | routers | Router | N/4 Router addresses |
4 | time-servers | Time Server | N/4 Timeserver addresses |
5 | ien116-name-servers | Name Server | N/4 IEN-116 Server addresses |
6 | domain-name-servers | Domain Server | N/4 DNS Server addresses |
7 | log-servers | Log Server | N/4 Logging Server addresses |
8 | cookie-servers | Quotes Server | N/4 Quotes Server addresses |
9 | lpr-servers | LPR Server | N/4 Printer Server addresses |
10 | impress-servers | Impress Server | N/4 Impress Server addresses |
11 | resource-location-servers | RLP Server | N/4 RLP Server addresses |
12 | host-name | Hostname | Hostname string |
13 | boot-size | Boot File Size | Size of boot file in 512 byte chunks |
14 | merit-dump | Merit Dump File | Client to dump and name the file to dump it to |
15 | domain-name | Domain Name | The DNS domain name of the client |
16 | swap-server | Swap Server | Swap Server address |
17 | root-path | Root Path | Path name for root disk |
19 | ip-forwarding | Forward On/Off | Enable/Disable IP Forwarding |
20 | non-local-source-routing | SrcRte On/Off | Enable/Disable Source Routing |
21 | policy-filter | Policy Filter | Routing Policy Filters |
22 | max-dgram-reassembly | Max DG Assembly | Max Datagram Reassembly Size |
23 | default-ip-ttl | Default IP TTL | Default IP Time to Live |
24 | path-mtu-aging-timeout | MTU Timeout | Path MTU Aging Timeout |
25 | path-mtu-plateau-table | MTU Plateau | Path MTU Plateau Table |
26 | interface-mtu | MTU Interface | Interface MTU Size |
27 | all-subnets-local | MTU Subnet | All Subnets are Local |
28 | broadcast-address | Broadcast Address | Broadcast Address |
29 | perform-mask-discovery | Mask Discovery | Perform Mask Discovery |
30 | mask-supplier | Mask Supplier | Provide Mask to Others |
31 | router-discovery | Router Discovery | Perform Router Discovery |
32 | router-solicitation-address | Router Request | Router Solicitation Address |
33 | static-routes | Static Route | Static Routing Table |
34 | trailer-encapsulation | Trailers | Trailer Encapsulation |
35 | arp-cache-timeout | ARP Timeout | ARP Cache Timeout |
36 | ieee802-3-encapsulation | Ethernet | Ethernet Encapsulation |
37 | default-tcp-ttl | Default TCP TTL | Default TCP Time to Live |
38 | tcp-keepalive-interval | Keepalive Time | TCP Keepalive Interval |
39 | tcp-keepalive-garbage | Keepalive Data | TCP Keepalive Garbage |
40 | nis-domain | NIS Domain | NIS Domain Name |
41 | nis-servers | NIS Servers | NIS Server Addresses |
42 | ntp-servers | NTP Servers | NTP Server Addresses |
44 | netbios-name-servers | NETBIOS Name Srv | NETBIOS Name Servers |
45 | netbios-dd-server | NETBIOS Dist Srv | NETBIOS Datagram Distribution |
46 | netbios-node-type | NETBIOS Node Type | NETBIOS Node Type |
47 | netbios-scope | NETBIOS Scope | NETBIOS Scope |
48 | font-servers | X Window Font | X Window Font Server |
49 | x-display-manager | X Window Manager | X Window Display Manager |
54 | dhcp-server-identifier | DHCP Server Id | DHCP Server Identification |
61 | dhcp-client-identifier | Client Id | Client Identifier |
64 | nisplus-domain | NIS-Domain-Name | NIS+ v3 Client Domain Name |
65 | nisplus-servers | NIS-Server-Addr | NIS+ v3 Server Addresses |
66 | tftp-server-name | Server-Name | TFTP Server Name |
67 | bootfile-name | Bootfile-Name | Boot File Name |
68 | mobile-ip-home-agent | Home-Agent-Addrs | Home Agent Addresses |
69 | smtp-server | SMTP-Server | Simple Mail Server Addresses |
70 | pop-server | POP3-Server | Post Office Server Addresses |
71 | nntp-server | NNTP-Server | Network News Server Addresses |
72 | www-server | WWW-Server | WWW Server Addresses |
73 | finger-server | Finger-Server | Finger Server Addresses |
74 | irc-server | IRC-Server | Chat Server Addresses |
75 | streettalk-server | StreetTalk-Server | StreetTalk Server Addresses |
114 | captive-portal-api | Captive Portal API | Captive Portal API URL |
The following DHCP server options are currently supported:
Option | Description |
---|---|
abandon-lease-time | Maximum amount of time (in seconds) that an abandoned lease remains unavailable for assignment to a client |
adaptive-lease-time-threshold | Specify the % of active leases before the server hands out only short min_lease_time leases |
always-broadcast | Always broadcast responses to clients, regardless of the broadcast bit in the request header |
always-reply-rfc1048 | Always respond with RFC1048-style responses |
default-lease-time | length in seconds that will be assigned to a lease if the client does not ask for a specific expiration time |
dynamic-bootp-lease-length | length in seconds of leases dynamically assigned to BOOTP clients |
filename | Name of the initial boot file which is to be loaded by a client |
get-lease-hostnames | Perform reverse lookup of IP to determine hostname |
infinite-is-reserved | |
one-lease-per-client | Automatically free any other leases the client holds when responding to a request |
ping-check | Ping the IP to ensure it is free before assigning to a client |
ping-timeout | Timeout in seconds to wait for the ping-check to complete |
server-name | Inform the client of the name of the server from which it is booting |
site-option-space | Determine from what option space site-local options will be taken |
stash-agent-options | Record the relay agent information options sent during the initial request message and behave as if those options are included in all subsequent renewal requests |
update-conflict-detection | |
max-lease-time | Maximum length in seconds that will be assigned to a lease |
min-lease-time | Minimum length in seconds that will be assigned to a lease |
min-secs | Minimum number of seconds since a client began trying to acquire a new lease before the DHCP server will respond to its request |
next-server | Address of the server from which the initial boot file is to be loaded |
use-host-decl-names | Supply the scope's host declaration name to the client as its hostname |
Custom DHCP Options
The vast majority of client devices require only basic DHCP in order to achieve network connectivity. Some operators may choose to use standard DHCP options that are defined in IETF RFC 2132 to deliver specific additional configuration. Standard DHCP options may be configured via the DHCP Options scaffold. Between basic DHCP and standard options almost all client devices will get everything they need. Infrastructure devices are a different story.
In some cases certain kinds of devices may require configuration to be delivered via non-standard DHCP options. This usually applies to thin, headless infrastructure devices that depend on a central controller or server such as VoIP handsets, VoD set top boxes, wireless access points, etc. Specialized infrastructure devices. Custom DHCP Options are usually used to deliver bootstrap configuration information such as the IP address and filestore location of initial bootstrap configuration.
The Custom DHCP Options scaffold enables operators to configure the rXg to deliver DHCP options that are not defined byIETF RFC 2132. Each record in the Custom DHCP Option scaffold adds an option to the custom option drop down list in the DHCP Options scaffold. The payload ( value ) to be delivered to the device is configured in the DHCP Options scaffold.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The type , array and code fields enable the operator to define the headers in the DHCP option that is to being defined. When the array checkbox is enabled, the option will be defined as an array of the type designated. The values of the corresponding DHCP Options should be entered in comma separated format. DHCP vendor-specific option 43 as well as DHCP site-specific option codes between 128 to 254 may be configured to be delivered by the rXg. The exception to this is option 121, classless-static-routes. Static routes may be provided to clients by creating a custom DHCP option and specifying the type as an array of unsigned integer 8, and a code of 121. The value of the corresponding DHCP Option record may be 24,192,168,99,10,10,10,1, 24,172,16,32,10,10,10,2. This would provide a route to 192.168.99.0/24 via 10.10.10.1 and a route to 172.16.32.0/24 via 10.10.10.2. Refer to IETF RFC 3442 for more information.
If the operator desires to deliver payloads via vendor-specific DHCP option 43 then the type should be set to vendor-specific. In this case the code field should be configured to be the DHCP option sub-code that is desired. The settings of the type to vendor-specific implicitly defines the format of the payload to be hex. The payload that is configured by the value field in associated the DHCP Option will be automatically converted to hex from ASCII before being encoded into the option packet.
If the operator sets the type to anything other than vendor-specific then the code represents the site-specific DHCP option that must be between 128 and 254. This limitation is due to the fact that IETF RFC 2132 has already defined DHCP option codes from 0 to 127. The exception to this is the classless-static-routes option, code 121.
The payload of the Custom DHCP Option is defined in the option field of the DHCP Options scaffold and must fall within the range of acceptable possibilities for the given type.
Classes
An entry in the classes scaffold links one or more match rules to devices that are offered addresses from pools. When a match rule is linked, the specifications in the match rule are used to determine membership of the class.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Classes are used to differentiate groups of clients based on matching a substring transmitted as part of the DHCP request or the MAC address of the requesting device. If two pools are created within the network address range associated with a single interface (e.g., 192.168.5.100-150 and 192.168.5.151-200), classes can then be used to populate devices into one of the two ranges based on the request. For example, all requesting devices presenting a dhcp-client-identifier
with a well known predefined prefix can be put into the first pool while all others into the second pool. This alleviates the need to collect and enter the MAC addresses of all devices in a group as fixed hosts in order to place them into a pool.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The pools fields specifies the pool to place devices into that meet the criteria of the match rules specified by this class.
The match rules field links this class with the match rules that will determine membership.
Match Rules
An entry in the match rules scaffold creates a criteria for selecting DHCP requests to be a member of a class.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The negate field configure the way the match rule specified by this record behaves. If negate is checked, a DHCP request is considered to be part of a class if it does not meet criteria specified by this match rule.
The logic field controls the way multiple match rules belonging to the same class behave. A setting of and
requires that all criteria be met. Conversely, a setting of or
allows a request to become part of a class if only one of the match rule criteria is met.
The option substring , substring offset and substring length fields control the matching criteria specified in the option value field. If option substring is unchecked, the data in the option value field must exactly match the payload of the DHCP option in the request in order for the request to be considered a match by this match rule. Inversely, if option substring is checked, the substring offset and substring length fields can be used to make a request considered a match if only a portion of the data in option value matches what is presented in the DHCP request. The values that are matched in the option substring are inclusive of the specified boundaries.
The option name and option value are the criteria that determine whether or not a request is a match for this rule. If a DHCP request contains a DHCP option name-value pair matching the data entered into option name and option value , then the DHCP request is considered a match for this rule.
For example, let us consider the case where the RGN distribution infrastructure is DOCSIS cable and composed of Motorola SURFboard cable modems with MAC prefix 00:0A:28, In order to simplify administration, the operator wishes to give all of the cable modems addresses in the 192.168.10.0/24 block and serve 172.16.16.0/24 to the end-users. To accomplish this, the operator would need to configure both DHCP pools and then associate the 172.16.16.0/24 pool with a class that has a match rule configured with:
- option substring - checked
- substring offset - 1
- substring length - 3
- option name - hardware
- option value - 000A28 At first glance, this would seem to be incorrect because we want to match the zeroth through the second byte of the MAC address inclusive. However, the hardware field has the Ethernet prepended onto the MAC address as the zeroth byte. Therefore the actual MAC address is the first to the seventh of the _hardware_field.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The class field specifies the class for which this matching rule should be used to determine membership.
Relay Servers
An entry in the Relay Servers scaffold enables the DHCP relay feature for the specified interface. DHCP relay allows an rXg to proxy DHCP requests to an upstream DHCP server rather than managing a DHCP pool locally. DHCP relay cannot be used in conjunction with the DHCP server (pools and fixed hosts).
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The server IP field configures the IP address of the upstream DHCP server that will respond to the proxy DHCP requests.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The interfaces and VLANs fields specify the local physical and logical interfaces to proxy DHCP requests to the server specified by server IP.
DNS
The DNS view contains the scaffolds to configure the rXg core services related to the domain name system.
The rXg integrates a dynamic DNS client that supports all of the major third party dynamic DNS services. Dynamic DNS is an essential part of deploying an rXg in an environment where the uplink address is dynamically assigned and may change.
Many of the rXg services (most notably, the forced browser redirect), require DNS resolution of a domain name to the IP address of the WAN uplink. If the IP address of the WAN uplink is configured via DHCP, it is critically important to reconfigure the DNS whenever the assigned IP address changes. The simplest way to accomplish this is to use the rXg dynamic DNS client.
The rXg also incorporates a fully featured DNS server. The operator can configure the rXg to be a primary, secondary or tertiary domain name server for any domain. Before using the DNS server features of the rXg, it is highly recommended that the administrative staff be familiar with the deployment and operation of the domain name system. Incorrect configuration may render the rXg inoperable. An excellent reference on the domain name system is DNS and BIND (ISBN 0596100574) by Cricket Lui and Paul Albitz.
To configure the rXg as a primary domain name server, the DNS glue records for the domain name must contain the IP address of an rXg uplink. To configure the rXg as a secondary name server, create a DNS zone specifying the primary name server in the master hostname field.
When using the rXg as a primary domain name server, proper DNS glue records must be in place. Most DNS registrars have a web application that enables glue record changes. Updates to glue records sometimes take days to propagate so it important to use a manually assigned static IP address for the rXg uplink.
With the DNS glue records in place, a new entry must be added to the DNS zone scaffold. Set the master hostname to the host name of the rXg and the hostmaster email to something appropriate. At a minimum, two entries must be added to the DNS records scaffold (the nameserver and address records for the rXg itself). Additional resource records may be added so that the rXg provides resolution of desired hostnames.
Dynamic DNS Clients
An entry in the Dynamic DNS scaffold enables the rXg to update third-party dynamic DNS services with the latest WAN IP address configuration. In most cases, a DNS record must be created on the third party dynamic DNS service before updates can be made by the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The protocol field determines the communication protocol that will be used to perform dynamic DNS updates. Most of the popular dynamic DNS services have developed their own proprietary protocols. In most cases, the protocol is synonymous with the service, making the choice obvious.
The login and password fields are the authentication credentials that are supplied to the dynamic DNS service when sending updates. These credentials must match those of the account at the third party service in order for updates to be authenticated and accepted.
The hosts field is a comma-delimited list specifying the DNS name(s) that are to be updated. Typically this will be the same DNS name that is specified in the domain name field of the device options scaffold.
The static and wildcard checkboxes modify the payload of the update message sent to the dynamic DNS service. Some services permit automated update of statically configured IP addresses. Usually there is a stipulation that the update frequency must be much lower than that of a dynamic IP. In addition, some services permit the use of wildcard DNS names so that a single entry can cover several hosts. If either kind of record is established on the third party dynamic DNS service, the appropriate checkbox must be set.
The protocol server field is an optional parameter that can be used to specify an alternate destination for dynamic DNS update messages. Since most dynamic DNS services use their own proprietary protocol, selecting a protocol usually determines the destination for the messages. This field enables the operator to override the default destination.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The IP address sent to the dynamic DNS service in an update message is the uplink IP address of the default rXg route. In single uplink scenarios, this is the network address that is statically associated with the uplink or the dynamic address acquired by the uplink via DHCP. In multiple uplink scenarios, the choice of the default route is controlled by the priority setting of the uplink.
DNS Zones
An entry in the DNS zones scaffold defines a new domain that the rXg integrated DNS server will respond to.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The domain name field configures the domain that this record will enable responses to.
The master hostname must be set to the fully qualified domain name of the primary master nameserver for this domain. If the rXg is to be the primary master nameserver for the domain, an address record must be configured in the DNS records scaffold.
The hostmaster email field specifies the administrative email address that is reported by the DNS server.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
DNS Records
An entry in the DNS records scaffold creates a new record in a zone specified in the DNS zones scaffold.
The host is the host name for this record. The host name is the parameter that is matched when a DNS query is made.
The type field determines the DNS resource record type. The list of dns record types and their function is defined by a series of RFCs published by the IETF.
The dynamic data and data fields define the payload for the DNS resource record. The use of dynamic data and data are mutually exclusive. If a dynamic data field is chosen from the drop down, the response to a query matching the host specified in this record will be the IP address of the uplink specified by the drop down. If data is populated and no dynamic data field is specified, then the response will contain the static payload configured in the data field.
The zone field specifies the DNS zone that this record will be attached to. If "DNS Override" is selected, the rXg will resolve this specific record to the data listed, but all other requests for the same domain will be forwarded on for normal DNS lookup via upstream providers. This avoids having to maintain all records for a domain when attempting to override a single A record.
Domains may be "black-holed" by creating two CNAME DNS Override records, one for domain.com and one for *.domain.com, and setting the data field for both records to "." (no quotes).
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
A complete reference of DNS resource records is found in BIND 9 DNS Administration Reference Book (ISBN 0979034213) by Jeremy Reed.
DNS Server
Entries in the DNS Server scaffold define configuration profiles for the rXg integrated DNS server.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
A properly configured DNS server takes part in a hierarchy of servers starting with the operator of the next hop network all the way to the root DNS servers. By default, the rXg is properly configured to forward requests to the next hop DNS servers. Clearing the request forwarding check box will force the rXg DNS server to make requests directly to the root. Avoid this configuration when possible.
The request forwarding order drop down menu determines the which DNS servers the rXg will query as the next hop. Dynamic servers are those that have been provided via WAN DHCP configuration. Static servers are those that have been manually configured by the operator using the DNS Servers scaffold of the WAN view of the rXg console. Choosing the dynamic,static option tells the rXg to query the dynamically assigned servers first and then the statically assigned servers. Choosing the static or dynamic options tells the rXg to limit queries to the selected set of servers. When multiple uplink control is deployed, the set of dynamic DNS servers is limited to those that are presented by the DHCP server of each pipe. Furthermore, the set of statically configured servers must be accessible via all pipes. This drop down has no effect unless request forwarding is enabled.
The originate queries from port 53 check box configures the DNS server so that upstream UDP queries originate from port 53. This setting may be required if a strict firewall is positioned between the rXg and the upstream DNS server(s).
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Example: Setup CloudFlare Dynamic DNS
Before we begin we must obtain an API Key from CloudFlare. Navigate to their site and login with your credentials. Click on the person icon in the upper right-hand corner.
Click on "My Profile".
Click on "API Tokens".
Click "View" on the "Global API key".
Enter your CloudFlare password when prompted.
Copy your API Key.
In the rXg navigate to Services::DNS and create a new Dynamic DNS Client.
Give the record a Name. Change the Protocol field to CloudFlare. Enter your email address into the Login field. Enter your API key into the Password field. The Host field is the FQDN to be updated in CloudFlare, and the Zone field is the root domain of the FQDN. Click Create.
When setup the scaffold will update when there is a change.
VPN
The VPN view presents the scaffolds associated with configuring the IPsec and OpenVPN services integrated into the rXg.
OpenVPN Servers
Entries in the OpenVPN Servers scaffold define configuration profiles for the rXg integrated SSL(TLS) VPN.
OpenVPN is an industry standard, open-source software application that the rXg leverages to implement virtual private network (VPN) techniques to create secure point-to-point connections in a routed configuration. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. The OpenVPN functionality allows peers to authenticate each other using certificates and/or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signatures and certificate authority. It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features.
https://community.openvpn.net/openvpn/wiki
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Each server represents a virtual network interface on a subnet specified by a related Network Address. A separate VPN instance exists for each configured server. A Network Address that is assigned to an OpenVPN interface cannot be configured on a traditional ethernet Interface or VLAN. All servers/networks operate in OpenVPN's TUN (tunnel) mode, which transports only layer 3 IP packets.
If the default gateway field is checked the client will use the VPN interface's IP as its default gateway and DNS server, and route everything over the VPN. An OpenVPN server's Network Address behaves similarly to any other routed subnet behind an ethernet interface or VLAN, in that IP clients behind it are subject to Policy enforcement. For example, creating an IP Group and Landing Portal Policy without a subnet filter for the VPN network would permit the client to access all networks. Conversley, a portal-enabled Policy could be deployed for the VPN client's network. If gateway redirect is not enabled on the server, then it will push routes for all other local networks to a VPN client, which allows it to route through the normal Internet whilst also having knowledge of networks behind the VPN. Note that like any other traditionally-attached subnet, or when the VPN is the default gateway, the routes pushed to the client do not necessarilly ensure firewall access to all networks. In general, an OpenVPN client can also manipulate its routing table independently on a per-client basis.
Authentication from a client may be multi or single-factor via certificates ( require certificate ) and/or username/password ( require login ). If certificates are required, clients must have a unique certificate installed to authenticate. The certificate must be signed by the same CA as the OpenVPN Server's certificate. If multiple devices need to use the same client certificate, the allow duplicate certificates field must be checked, otherwise only one connection per certificate Common Name is permitted. Requiring a unique certificate per client is more secure, but requires each client to have a unique configuration.
If client-to-client behavior is enabled, then clients on the same virtual network can route to each other as if the firewall was disabled. This does not include L2 traffic. Otherwise, if this behavior is disabled, all traffic is forced to route through the rXg and is thus filtered according to Policy enforcement. This should only be enabled when_everyone_ connecting to the same OpenVPN Server should be allowed to communicate.
Configuring the Admin Roles or Account Groups fields permit corresponding Admins and/or Accounts access to the VPN via login. If client certificates are required, the login is only half the authentication process. If client login is not required then these selections are ignored. It is recommended that operators (Admins) and end-users (Accounts) connect to separate OpenVPN Servers. In the case where an OpenVPN Server has Admins and Accounts allowed, an Admin having the same login as an Account always takes precedence for login and instrumentation purposes.
The port and protocol fields define how a client initially connects to the VPN server. A TCP and UDP server may be configured to run on the same port. There are advantages and disadvantages to either protocol (OpenVPN tcp vs udp).
An OpenVPN Server must have a Certificate configured. This identifies the server's certificate and private key in additon to the Certificate Authority (CA) that establishes the PKI used to trust clients. The selected Certificate must be associated with and created from a local Certificate Authority. The certificate must be marked for server usage, meaning it was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. This can be done when creating the Certificate Signing Request (CSR). This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server.
The cipher and digest options affect the strength of the underlying encryption, where a longer key length increases security and reduces throughput performance. Data compression is enabled by default and is very efficient when LZ4 is employed, which reduces the bandwidth requirements of the VPN at the expense of additional overhead on the client and server.
The TLS-auth option adds an additional layer of HMAC authentication on top of TLS to mitigate DoS and other attacks againist the TLS layer. This is accomplished by including a unique key that resides on top of TLS. The key is generated behind the scenes when an OpenVPN Server is created, and included in the client config output. If a client is configured manually and this is enabled, then the operator must obtain the key from the record via scaffold show action.
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Clicking the Download Config link will generate an OpenVPN config (.ovpn) file containing the necessary client connection parameters based on the server's configuration, including the Server certificate. Currently, if a client certificate is required, it must be generated manually via the local CA and installed in the client along with the config file.
IPsec VPN
IPsec is an industry standard mechanism that enables secure communication between two nodes or networks that are connected by a potentially insecure IP transit. The rXg supports bidirectional site-to-site IPsec VPNs between rXgs and between rXgs and other kinds of routers. In addition, the rXg may be configured to be a concatenator for host-to-site VPNs originating from nearly any operating system.
Site-to-site VPNs are typically used to enable secure bidirectional communication between two private IP blocks that are behind different routers that are located in geospatially distinct locations. For example, if a WISP has three distinct fixed wireless broadband coverage areas, all three could be linked together via site-to-site VPNs. This could be used as part of a revenue generation strategy such as allowing business customers to access their systems from home for an additional fee.
Site-to-site VPNs are very useful in geospatially diverse deployments that are connected via a central cluster controller. Establishing site-to-site VPNs between the rXgs and the cluster controller enables the operator to easily access all nodes at any part of the network. It is important to keep in mind that the private LAN addresses blocks behind the various rXgs be kept distinct as having the same private LAN block behind two rXgs would cause routing confusion.
Host-to-site VPNs are often used by operators for remote administration. An operator that is on the WAN side of a rXg may use host-to-site IPsec VPNs to directly access machines that are connected to a private address range. In a typical deployment, LAN equipment is assigned IP addresses from private ranges that cannot be reached from the WAN. An operator who is on the WAN side on the rXg (e.g., away on business) that wishes to have complete and direct access to the LAN equipment private address range would setup a host-to-site IPsec VPN using the rXg as the concatenator.
Host-to-site VPNs are also used as a revenue generation mechanism as they are typically sold as a premium service or as a value-added extra part of business class service. End-users originating traffic from the LAN side of the rXg may create a host-to-site VPN using the rXg as a concatenator to protect their traffic from sniffers present in the distribution network. Of course, end-users may also be sold host-to-site VPNs as a mechanism for remote connectivity to nodes addressed on a private LAN.
The rXg uses an industry standard reference implementation of the IPsec suite. Site-to-site VPNs are easily established between an rXg and nearly any other router that supports IPsec VPNs. In addition, site-to-site and site-to-host VPNs may be established between the rXg and almost any operating system released since 2005. Most operating systems have a built-in IPsec stack that is meant to be configured by a trained and certified specialist. However, VPN client software (e.g., Greenbow for Windows and IPsecuritas for Mac OS X) simplify the process to the extent that anybody with a working knowledge of basic TCP/IP can accomplish the task.
IPsec Tunnels
An entry in the IPsec tunnels scaffold is used to configure a site-to-site IPsec VPN.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The specification field selects the credential and encryption settings for this IPsec tunnel. It is critically important to ensure that the settings in the chosen IPsec specification matches those of the node at the other end of the site-to-site VPN created by this IPsec tunnel.
The Pre-Shared key and Certificates fields are used to configure the certificates or pre-shared key that will be used for authenticating IPsec tunnels that use this IPsec specification. The operator may choose to use one or more certificates or a pre-shared key but not both. If one or more certificates are chosen, then the node at the other end of the IPsec tunnel must have the matching private key. If a pre-shared key is chosen, then the node at the other end of the IPsec tunnel must have the exact same pre-shared key programmed.
The addresses and static routes checkboxes specify which LAN address blocks will be forwarded to the remote node of this site-to-site VPN.
The remote gateway field specifies the IP address of the node at the other end of this site-to-site IPsec VPN.
The remote networks field specifies the IP address blocks at the other end of this site-to-site VPN that will be routable once the VPN is established.
Conflicts between addresses or static routes and remote networks will cause severe routing problems. In situations where multiple site-to-site VPNs will be deployed, it is critically important to carefully plan the addressing across all current and potential future networks.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
IPsec Specifications
An entry in the IPsec specifications scaffold defines an IPsec policy that can be used for bidirectional site-to-site VPN tunnels as well as host-to-site VPN concatenation.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The IKE Version field allows the operator to select which IKE(Internet Key Exhange) version to use for the tunnel. IKEv1 and IKEv2 are supported.
The phase 1 and phase 2 groups are used to configure the encryption specifications for the initialization and operational phases of a IPsec tunnel. The chosen encryption , authentication , Diffie-Hellman group , exchange mode and proposal check must exactly match the settings on the node at the other end of the IPsec tunnel.
The encryption field specifies the algorithm that will be used for bulk encryption of the packet data that will transit the VPN connection. The DES option is included for reference only and should be avoided as it is trivially broken given contemporary computing power. The 3DES and AES options are the most compatible and generally accepted to be strong enough for most purposes. AES is preferable as it is the new government standard encryption protocol. Blowfish and CAST are less known protocols but widely believed to be as strong if not stronger than AES but not as well supported.
The authentication field specifies the algorithm that will be used for generating cryptographic hashes to authenticate data passing through the VPN connection. The MD5 option is included for reference only and should be avoided as researchers have discovered methods to break it. The SHA1 option is the most compatible option as it is broadly supported. If possible, the SHA256, SHA384 or SHA512 options as researchers have found a handful of minor vulnerabilities in SHA1 to date.
The Diffie-Hellman group and PFS group fields configure the strength of the encryption keys that will be used to protect the session keys used by the encryption algorithm. The stronger the key, the less likely that it will be broken. However, the stronger the key, the more CPU utilization and entropy it will consume and less compatible it will be. The Group 1 / 768 bit key length option should be avoided unless the other end of the VPN cannot support any other option. The Group 2 / 1024 bit key length is the absolute minimum key strength that should be used for a production environment. The longer key lengths are recommended if the other end of the VPN connection supports it.
The lifetime field configures the length of time in seconds of the security association. A shorter lifetime causes the system to rotate keys more often (potentially increasing security). As a result, shorter lifetimes will increase CPU utilization and entropy consumption.
The nonce field configures the size of the "number used once" for IPsec initialization. A longer nonce helps prevent replay attacks, but trades off CPU utilization and entropy consumption. A longer nonce is also less compatible with other IPsec implementations.
IPsec Server
Entries in the IPsec Server scaffold define configuration profiles for the rXg integrated IPsec server.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Pre-Shared key and Certificates fields are used to configure the certificates or pre-shared key that will be used for authenticating IPsec tunnels that use this IPsec specification. The operator may choose to use one or more certificates or a pre-shared key but not both. If one or more certificates are chosen, then the node at the other end of the IPsec tunnel must have the matching private key. If a pre-shared key is chosen, then the node at the other end of the IPsec tunnel must have the exact same pre-shared key programmed.
The anonymous specification field selects the credential and encryption settings for anonymous IPsec connections (i.e., where the client's originating IP address is unknown). Pre-shared-key authentication may not be used for anonymous connections. An anonymous IPsec client must authenticate using a certificate. The certificates to be used by the anonymous clients should be configured in the IPsec Specifications scaffold for the selected anonymous specification. It is critically important to ensure that the settings in the chosen anonymous specification match those of the IPsec client.
The certificate field specifies an alternate certificate to configure the IPsec server with.
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Site-to-site IPsec VPN Configuration
Site-to-site IP-sec VPNs enable devices that are behind VPN concatenators to communicate with each other securely without any configuration changes to the end-user devices. In most cases, site-to-site IPsec VPNs are deployed with privately addressed end-user devices behind the VPN concatenators. Without a site-to-site IPsec VPN, the privately addressed devices would not be able to initiate communication with each other due to the one-way nature of network address translation. Consider the following network diagram:
In this example, we have two rXgs and we desire to create a site-to-site IPsec VPN to enable two way communication for devices that are on private addresses behind the rXgs. We will call the rXg on the left with WAN IP 66.67.68.2 east and the rXg on the right with WAN IP 55.45.35.2 west. The network dashboard of the_east_ rXg is shown below:
The rXg IPsec VPN feature is compatible with a broad spectrum of IPsec implementations. It is not necessary for a site-to-site VPN to be established between two rXgs. We have used two rXgs in this example so that we can best illustrate the appropriate configuration for either end of the site-to-site VPN. The network dashboard of the_west_ rXg is shown below:
Notice that both rXgs have a single private LAN block associated with them. The east rXg has 192.168.6.0/24 behind it and the west rXg has 192.168.7.0/24 behind it. When configuring IPsec VPNs, it is critically important to ensure that the networks behind the various endpoints of the IPsec VPN do not intersect. This is because IPsec depends on a valid L3 (routing layer) configuration in order to operate.
Establishing a site-to-site VPN is simply a matter of creating a single record in the IPsec Tunnel scaffold on both ends of the connection. The remote gateway field must be set to the IP address of the concatenator on the other end of the site-to-site VPN. The remote networks field must contain the CIDR of the block present on the other end of the site-to-site VPN.
Following our example, the IPsec tunnel record on east(which has WAN IP address 66.67.68.2, LAN address 192.168.6.1 / 24) must have the following settings:
- remote gateway - 55.45.35.2
- remote networks - 192.168.7.0/24 Below is a screenshot of the configuration that is present on east:
Similarly, west (which has WAN IP address 55.45.35.2, LAN address 192.168.7.1 / 24) must have the following settings in the IPsec tunnel record:
- remote gateway - 66.68.67.2
- remote networks - 192.168.6.0/24 Below is a screenshot on configuration that is present on west:
Notice that the IPsec Tunnel records depend on the existence of an IPsec Specification record in order to configure the encryption protocol and keys for the tunnel. In the configuration screenshots shown above, we seen that the specification is referenced as PSK for S2S. A screen shot of the configuration for_PSK for S2S_ that is present on both east and _west_is shown below:
Since we are configuring a site-to-site VPN, we are assuming that both ends of the connection are controlled by trusted parties. Thus we will use a pre-shared key to secure the connection. To accomplish this, we will create a new record in the IPsec Specifications scaffold on both the east and west rXgs. To get a site-to-site IPsec VPN up and running, the individual choices for the encryption protocol and credentials are not as important as the simple fact that they must be exactly the same on both machines. Using a strong pre-shared key is obviously a prerequisite to maintaining the confidentiality and integrity of the VPN.
Several templates are provided as examples for strong, medium and minimum security configurations. The minimum security configuration is the least secure against brute force attacks but is the most compatible. The template for the most secure setting will only function with KAME derived IPsec stacks such as the ones present in OpenBSD and FreeBSD. For more information on the precise meaning behind each of the settings, we recommend reading information that may acquired via a search on IPsec. When configuring a site-to-site VPN, keep in mind that even the slightest difference in a single setting will prevent the site-to-site IPsec VPN from initializing.
For your reference, the complete IPsec configuration for both_east_ and west is shown below:
Once we have this configuration in place on both east and_west_, devices on the 192.168.6.0 / 24 private network behind_east_ may directly contact devices on the 192.168.7.0 / 24 private network behind west and vice versa. Note that absolutely no configuration changes needs to be made on the end-user devices whatsoever. All of the encryption, decryption and routing between the private networks is handled by the IPsec VPN endpoints, which in this case are the east and west rXgs.
For example, let us assume there is a Windows XP laptop behind_east_. The XP machine will acquire a DHCP address in the 192.168.6.0 / 24 CIDR. Similarly, let us assume there is a Windows 2003 server behind west that is on the 192.168.7.0 / 24 CIDR. Given the site-to-site VPN configuration that we have created on the rXgs, the XP laptop will be able to directly communicate with the Win2k3 server without any configuration changes to the clients.
The screenshot below shows the desktop of the Windows XP laptop that is behind east. It has acquired address 198.168.6.100 / 24 from the east rXg. Notice that it can ping the private address 192.168.7.100 directly. The 192.168.7.100 address is configured on the Windows 2003 Server that is behind the _west_rXg.
No configuration changes were made to the Windows XP laptop whatsoever. The Windows XP laptop has no knowledge that the 192.168.7.100 is behind the west rXg. The 192.168.7.100 could be on the other side of the world and the XP laptop would not know any better. Furthermore, the XP laptop does not do any encryption or decryption of traffic. It merely sends traffic to the east rXg which does all of the work in encrypting and forwarding the traffic to the west router for delivery to 192.168.7.100.
The screenshot below shows the desktop of the Windows 2003 Server that is behind east. It has an address of 198.168.7.100 / 24 which is behind the west rXg. Notice that it can ping the private address 192.168.6.100 directly. As depicted in the previous screenshot, the 192.168.6.100 address belongs to the Windows XP laptop behind the east rXg.
The Windows 2003 Server has no knowledge about the site-to-site IPsec VPN. The Win2k3 server simply forwards packets to the_west_ rXg which does all of the work involved in the encryption and routing of packets to 192.168.6.100 via east.
The site-to-site IPsec VPN enables routing between private networks to occur over the public Internet that is otherwise not possible. Once established, any network application may be used. In the screenshots below, the Windows XP client on 192.168.6.100 behind east_is shown initiating and utilization a remote desktop connection to manage the Windows 2003 Server on 192.168.7.100 behind _west.
Site-to-site IPsec VPNs enable RGN operators to have secure remote access to all of their various networks. Any devices that is on a private network behind an rXg may be accessed as if it is a local device at the other end of the site-to-site VPN without any configuration changes to the devices themselves. The possibilities of what site-to-site IPsec VPNs may be used for is limitless. Many RGN operators deploy site-to-site VPNs for remote access as demonstrated above. Another frequent use of site-to-site VPNs is for monitoring. For example, site-to-site VPNs may be used to enable a central site to have a single network monitoring system (NMS) or element monitoring system (EMS) to monitor multiple remote networks.
Host-to-site IPsec VPN Configuration
Host-to-site VPNs are used with the rXg to securely route data between a specific end-user device and the rXg. Host-to-site VPNs may be initiated to the rXg from the WAN or the LAN. The process and technical steps of creating either a WAN to rXg or LAN to rXg host-to-site VPN are identical. However, the use case and business reasons for using the two topologies are radically different.
If the end-user device is on the WAN-side of the rXg, a host-to-site VPNs is usually deployed for the purpose of remote access to local privately addressed machines similar to a site-to-site VPN. However, a host-to-site VPN obviates the need to deploy and configure a VPN concatenator on the end-user network.
A WAN host-to-site VPN is the appropriate methodology to use with a mobile client used by a network administrator that requires access to privately addressed resources when the mobile client must connect to networks which the administrator does not control. For example, if the mobile client uses a wireless WAN connection (e.g., cellular 3G), it would be more difficult to install a VPN concatenator for site-to-site VPN than it would be to configure the device for host-to-site VPN. The use of host-to-site VPNs is ubiquitous in enterprise networks to the extent that even mobile phones operating systems such as Symbian, Windows Mobile and Apple iPhone OS are capable of initiating host-to-site VPNs.
Host-to-site VPNs originating from the LAN-side of the rXg are typically deployed as a facet of revenue generation for the operator. Popular media has helped educate most end-users to understand that there are many security issues present when computer networks are used. This effect may be exploited by RGN operators for the purpose of generating additional revenue by offering security related premium services.
For example, if the LAN distribution mechanism is wireless, a host-to-site IPsec VPN upgrade may be offered to end-users to provide confidentiality and integrity to the traffic over the wireless portion of the Internet link. Enabling the anonymous IPsec VPN capability and integrating the generation of a client certificate into the rXg captive portal allows operators to enjoy zero operator intervention provisioning of host-to-site VPNs.
Host-to-site IPsec VPNs typically use public key cryptography in order to authenticate the initiating hosts. Each initiating host must have a unique keypair in order to ensure the confidentiality and integrity of the IPsec VPN connection. In addition, the IPsec VPN concatenator must identify itself with a keypair to the initiating client. The rXg uses X.509 certificates and private keys for the purposes of authenticating both ends of a host-to-site IPsec VPN.
The rXg expects that the operator has stored certificates for each of the hosts that will be initiating a host-to-site IPsec VPN in the certificates scaffold on the certificates view. When a host-to-site IPsec VPN connection is initialized, the rXg expects that the initiating client will authenticate by using the matching private key to sign an authentication credential. Similarly, the rXg must be configured with a private key and certificate for authenticating the site. The initiating client is assumed to have a copy of the rXg certificate and the rXg will sign an authentication credential with the matching private key.
The certificates view of the rXg administrative console may also be used to create keypairs that may be used for authenticating host-to-site IPsec VPNs. To accomplish this, use the certificate authorities scaffold to create a new authority that can be used to sign certificate signing requests to fully populate certificates. For more information, please see the documentation on the certificates view.
In order to instantiate a host-to-site IPsec VPN, configuration changes must be executed on both the rXg and the end-user device. However, the same process is used to configure the end-user device and the rXg to enable a host-to-site IPsec VPN concatenator regardless of whether the VPN will be initiated from the WAN or LAN. Let us consider the east rXg that was discussed earlier. The configuration and network diagram for the east rXg is shown below:
The rXg must be configured to allow anonymous connections to enable the host-to-site IPsec VPN capability. To accomplish this, an entry in the IPsec servers scaffold must be created that specifies the site authentication certificate. The IPsec server record must be linked to a IPsec specification record that defines the encryption protocol as well as the client certificates that will be accepted for connection initiation.
The configuration steps of the end-user device needed to setup a host-to-site VPN follow the same pattern regardless of the operating system of the end-user device. At a bare minimum, the following items need to be configured in order for a host-to-site IPsec VPN to be established:
- host certificate
- host private key
- IP address of VPN router
- remote network CIDR
- encryption protocol and associated parameters The precise steps that are needed depend on both the operating system as well as the VPN client software. Many popular operating systems have "bare metal" VPN clients built into them that are suited for operation by IT professionals. However, in almost all cases, user friendly VPN client GUIs are available from both free and commercial sources.
The IPsec capabilities of all recent versions of Microsoft Windows is configured using the Microsoft Management Console. Depending on the specific of Windows, the MMC snap-in will be called something like "IP Security Policy Management" or "Windows Firewall with Advanced Security." Search the web for Microsoft'sstep by step guide to deploying Windows firewall and IPsec policies and review pages 15-17 as well as 89-91 for specific instructions. For those who are less technically inclined, we have that the Greenbow VPN client greatly simplifies the creation of host-to-site IPsec VPNs on Windows.
The MacOS X operating system incorporates numerous open source components into its IPsec VPN stack. This makes the MacOS X IPsec VPN one of the most compatible of the commonly available commercial offerings. However, the command line configuration is needed to setup the IPsec stack for the vast majority of use cases. For this reason, we recommend that users download and install the IPsecuritas freeware GUI to configure host-to-site IPsec VPNs between MacOS X clients and rXgs.
Example OpenVPN Configuration
- Create certificate
- Create Networking
- Configure OpenVPN in rXg Navigate to System-->Certificates. If there are no Certificate Authorities we will need to create one to self sign our OpenVPN certificate. Click Create New on the Certificate Authorities scaffold.
Name is arbitrary and be set to anything. Days by default will be 825. Common Name does not need to resolve for the purposes of using OpenVPN. Fill out the remaining fields with the appropriate information for your location. Click Create.
Next create a new Certificate.
For the certificate only the name needs to be entered at this step. Verify CA is set to Local CA. Click Create.
Next create a new Certificate Signing Request.
Verify that the Certificate field is set to the correct certificate. Sign mode should be set to Generate CSR and sign with linked local Certificate Authority. Common Name should match the Common Name in the Certificate Authority. Fill out the remaining fields with the appropriate information if applicable. Click Create.
Next we need to create the networking that will be used for devices connecting to the OpenVPN. Navigate to Network-->LAN, and create a new Network Address.
Enter a name. Make sure that Interface is set to -select- for each box. The IP field will be the addresses available to devices connecting via OpenVPN and should be entered in CIDR notaton. Autoincrement and Span should be left set to 1, do not check Create DHCP Pool. Click Create.
Navigate to Services-->VPN and create a new OpenVPN Server.
Enter a name, or use the default. Under Client Configuration Network should be set to the Network Addresses we created earlier. If you want traffic to route through the remote system check the Default gateway option. Require login is checked by default and this prevents access except for Admin Roles we have selected in this example. Server Options will be left at their default values for this example. WAN Targets can be selected to further restrict access if desired. Click Create.
Now the config can be downloaded from the rXg and imported into a VPN client of choice.
Notifications
The notifications view presents the scaffolds associated with configuring templates for email, SMS, webhooks, and event health notices in response to events.
The notification actions scaffold enables clear communication to the RG end-user population, operators and administrators, as well as other systems.
Email is one of several end-user communication methods that are used to create a complete revenue generating network strategy. Email is an important part of the feedback loop when end-users purchase services. Event-based email notifications bring confidence to the end-user by offering a "receipt" when billing events occur. In addition, email can be used for marketing and administrative communication conveyance.
The rXg also uses email as a mechanism to communicate events to administrators. Events may be end-user related such as the service purchase case discussed before, or they may be system generated. Examples of system generated events include, but are not limited to, output from daily, weekly and monthly recurring system maintenance tasks, changes to uplink and monitored node status as well as detection of internal system problems.
The rXg sends emails to administrators and end-users when certain events occur (e.g., account creation, plan selection, etc.). These event-based email notifications draw from templates defined in the custom messages template. The templates may be customized for content, look and feel as well to change the language to match the locale.
custom message templates also be used by the administrator initiated bulk email jobs. For example, the administrator may wish to send some or all end-users an email indicating a maintenance window, a reduced price service special or a paid advertisement from a partner.
The rXg email mechanism also helps operators generate revenue by enabling bulk email marketing. For example, if an operator becomes an affiliate marketing program subscriber, the operator will receive email notifications of special offers. In many cases, affiliate marketing program subscribers are given the opportunity to offer exclusive discount codes to their market base as a purchasing incentive. When an operator receives such a notification, a new email template incorporating affiliate program linkage and incentive information may be formulated and a job created broadcast to the end-user population. The operator is then issued a credit For end-users who take advantage of the opportunity described in the bulk email.
Significant operational cost reduction may also be achieved through the use of the rXg bulk email mechanism. Notification of maintenance windows, end-user surveys, promotions and well-checks may all be accomplished via the bulk email mechanism. Using the bulk email mechanism minimizes the hours utilized by support staff to communicate system and network administration events. In addition, keeping end-users informed often and ahead of time helps reduce support load in maintenance situations.
Below is an example Custom Message that reports to the recipients the amount of revenue generated in the previous 24 hour period:
<p>Good Morning,</p>
<%
rev = ArTransaction.where(['created_at > ?', 24.hours.ago]).sum(:credit)
%>
<p>Your network generated $
<b><tt><%= sprintf("%.2f", rev) %></tt></b>
yesterday. Have a nice day.
</p>
The Ruby script embedded inside the Custom Message above performs a calculation on the ArTransactions to generate a report for the recipients. Ruby scripts may also perform write operations on the database. For example, below is a Custom Message that is configured to be sent to a guest services representative on a daily basis.
<p>Good Morning,</p>
<%
todays_credential = sprintf("%x%d", rand(255), rand(9999))
scg = SharedCredentialGroup.find_by_name('Guests')
scg.credential = todays_credential
scg.save
%>
<p>Today's shared credential for guest access is:</p>
<p><b><tt><%= todays_credential %></tt></b></p>
<p>Thank you.</p>
The Ruby script embedded inside the Custom Message changes the designated Shared Credential Group to a randomly generated value and notifies the associated administators.
Adding Graphs to Custom Messages
Network, System, and Accounting graphs may be added to your custom messages in order to provide enhanced reporting emails to operators and administrators. By selecting associated Graph records in the custom messages's configuration, the system will automatically generate and attach PNG images of those graphs to the email as attachments.
Additionally, graph images may be inserted into the body of an email by calling the insert_attached_graphs method inside the body. The method takes an optional argument specifying the resolution of the image, such as_1000px*600px_ (the default). The resulting images will be stored on the rXg in a publicly accessible directory such that they may be retrieved by email clients.
For example, below is a Custom Message that inserts all associated graphs into the body of the email, separated by a line-break (<br>).
<h2>Weekly Report</h2>
<h3><%= Date.today.strftime("%a, %B %d, %Y") %></h3>
<br>
<%= insert_attached_graphs('1200px*700px') %>
If you wish to exercise greater control over the structure of your HTML email, you may provide a block to the method. The block will yield an array of hashes in the format of { graph_object => image_tag_string }. The array may be iterated over to insert each image tag into your desired HTML structure. For example:
<h2>Weekly Report</h2>
<h3><%= Date.today.strftime("%a, %B %d, %Y") %></h3>
<br>
<table>
<% insert_attached_graphs('600px*500px') do |graph_tags| %>
<% graph_tags.each do |graph, image_tag| %>
<tr> <td align="center" style="font-size:34px"><%= graph.title %></td> </tr>
<tr> <td align="center" style="font-size:14px"><%= graph.subtitle %></td> </tr>
<tr> <td><%= image_tag %></td> </tr>
<% end %>
<% end %>
</table>
Webhooks, and Webhook Targets
The webhooks and webhook targets scaffolds enable an operator to integrate other systems with the rXg. Webhooks user defined HTTP callbacks which are triggered by specific events. The events are configured in the notification actions scaffold. When the triggered event occurs, a webhook gathers the required data (headers, and body), and sends it to the configured URL.
An entry in the webhook targets scaffold defines a set of 'global' parameters that all webhooks configured for the target will use. These include the Base URL, body formatting, error code response, as well as any global HTTP headers, or query parameters an operator may need to configure. This enables the flexibility to configure multiple unique webhooks, utilizing a common target, and eliminates the need for repeating common elements such as API-keys, or content-types on each configured webhooks
An entry in the webhooks scaffold defines the parameters for a single webhook. A webhook must have an associated webhook target, containing the base URL. The specific endpoint path is defined in the webhook scaffold entry. The path will be appended to the webhooks configured target base URL. An operator can override the base URL by starting the webook path with a /
. The HTTP request method, as well as the body or data is also configured within the webhook scaffold. Any additional HTTP headers, or query parameters that are unique to the configured webhook can be added.
Notification Actions
An entry in the notification actions scaffold defines an event of which the rXg should complete the selected action(s). Events can include database changes, time and/or location based triggers, and more.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The event type field selects what kind of events should trigger a configured action. Depending on the selection, additional options may be rendered for operator configuration. For database changes, an operator can select Watch Scaffold
, choose the appropriate modifiers (create, update, and/or delete).
The messages field configures a custom message to be sent when the criteria of the event is met. The message recievers are configured in the custom messages scaffold entry.
The webhooks field defines configured webhooks to be triggerd when the criteria of the event is met.
The health notice field defines whether the system should send a health notice. Choosing default
will result in the default behavior of a configured event. For instance, "Certbot Failure" is configured to send a health notice on failure. If the event does not have a default health notice action, nothing is changed, and no health notice is sent. Choosing Disabled
, will override the configured default health notice the event type, and not send it. For instance, with "Certbot Failure", choosing disabled will disable a health notice from being sent. Choosing Custom
allows the operator to configure or override an existing health notice. For instance, "Watch Scaffold :: Administrators" wouldn't trigger a health notice by default. Choosing custom would allow an operator to configure a health notice for this event type.
Custom Messages
An entry in the custom messages scaffold creates a template that can be used for email notifications and bulk emails originating from the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The event drop down associates this template with an event which will trigger an email notification to an end-user. If no event is chosen, the template is assumed to be used in only an email campaign.
The from field defines the address from which emails sent using this template will originate. This email address should lead to an account that is regularly monitored because end-users who receive emails based on this template are likely to reply with questions.
The account and admin roles check boxes enables automatic sending of emails using this custom message for event notification. If the account check box is checked, then the custom message template will be populated with the appropriate data and transmitted to the end-user when the selected event occurs. Similarly, when one or more admin roles check boxes are checked, the custom message template will be populated with the appropriate data and send to the administrators who are linked of the to the checked admin role.
The subject and body fields define the payload of the email template. Place the desired content for the subject and message into the appropriate field. Placeholders for variable substitutions begin and end with the percent sign and must refer to fields from the usage plans or accounts scaffolds. For example, %account.first_name% %account.last_name%
will be substituted for the full name of the end-user being targeted by the email. See the full manual page for more information about the values available for substitution.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Email Campaigns
An entry in the email campaigns scaffold defines a bulk email job. Once the job is complete (i.e., all emails are queued for transmission), the entry in email campaigns is automatically deleted.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The custom message field selects the template that will be used for this bulk email job. The template payload is defined in the custom messages scaffold.
The account groups field configures the set of end-users who will be sent the email template selected by the custom message via this job. The members of the groups are controlled by the account groups scaffold on the accounts view of the identifies subsystem.
The start at field defines the starting time and date for this job. If the value of the start at field is before the current date and time, the job will be started immediately. If the start at is set to the future, the job will start at the specified future date and time.
A job is automatically deleted after it is finished. The optional frequency field determines if this job is run more than once, and how often. The optional end at field defines when a repeat job is finished. A job with a set frequency and a blank end at field will repeat indefinitely at the configured frequency. A periodic job with a configured end at field is deleted when the time of the next iteration exceeds the end at date/time.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
SMS Gateways
The SMS Gateways scaffold enables the creation of an SMS Gateway service which will be utilized for verifying a user's mobile number for the purpose of new account signups and/or password resets.
The name field identifies this SMS Gateway in the system.
The provider field specifies which provider this SMS Gateway relates to. Select a supported provider from the list.
The from field specifies the phone number, shortcode, or Alphanumeric Sender ID (not supported in all countries) to be used when sending SMS messages through this gateway. This value must correspond to a number purchased from or ported to the provider.
The Account SID and Auth Token fields specify the API credentials used to access the provider's REST API, and may be obtained from your dashboard within the provider's website.
The Usage Plans selections determine which usage plans are configured to utilize this SMS Gateway. The usage plan must also specify a validation method which includes SMS in order for messages to be sent via SMS.
The Splash Portals selections determine which splash portals are configured to utilize this SMS Gateway for the purposes of performing password resets. Accounts with a valid mobile phone number may request a password reset token via SMS or Email, depending on the password reset method specified in the splash portal.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
For more information, see the SMS Integration manual entry.
Webhook Targets
An entry in the webhook targets scaffold defines a remote endpoint the rXg should send configured webhooks to.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The base url field should be configured with the top-level/base URL of the remote API endpoint. This allows for flexibility to have multiple webhooks configured to use the same target.
The persistent connection checkbox configures the rXg to send 'keep-alive' headers and persist the connection state.
The resend on failure checkbox configures the rXg to attempt resending if the initial connection fails.
The error status codes field defines a list of codes that should be considered error responses. The use of wildcard 'x' is available to the operator. Examples include: (400, 401, 4xx, 500, 5xx, 50x).
The body format selector defines the formatting of the body of webhooks configured to use this target. Selecting JSON
automatically addsapplication/json
to the HTTP Header content-type. SelectingProtobuf
requires the operator to define a protobuf schema.
The body encoding selector defines an optional encoding scheme. Options include RAW (no encoding), Base64, and Base64 w/newline every 60 characters.
The webhook properties fields allow the operator to define additional HTTP Headers, or Query Parameters to send globally with all webooks configured to use this target.
Webhooks
An entry in the webhooks scaffold defines the body, target, method, and additional HTTP Headers and/or Query Parameters for a configured webhook.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The notification actions field displays what actions this webhook is configured for.
The webhook target dropdown configures the webhook target this webhook will use.
The path field is appended to the base url of the webhook target. This allows multiple webhooks to use the same webhook target, and be configured for unique endpoints.
The body field contains the body of the webhook.
The buffer field configures a time period (in minutes) before sending the webhook. "0" will disable buffering.
The webhook properties selector defines an optional encoding scheme. Options include RAW (no encoding), Base64, and Base64 w/newline every 60 characters.
The webhook properties fields allow the operator to define additional HTTP Headers, or Query Parameters to send only with this individual webhook.
Substitution
Payload fields may contain special keywords surrounded by % signs that will be substituted with relevant values. This enables the operator to deliver values stored in the database as part of the payload.
List of objects available:
Account Create | Usage Plan Purchase | Transaction: success/failure |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
ip_group | login_session | login_session |
login_session | usage_plan | merchant |
usage_plan | account | payment_method |
account | merchant_transaction | |
usage_plan | ||
account |
Credit Card Expiring | Coupon Redemption | Account Charge: success/failure/no response |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | coupon | login_session |
payment_method | login_session | payment_method |
usage_plan | usage_plan | response |
account | account | usage_plan |
account |
Trigger: Connections | Trigger: Quota | Trigger: DPI |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | login_session | login_session |
max_connections_trigger | quota_trigger | snort_trigger |
transient_group_membership | transient_group_membership | transient_group_membership |
account | account | account |
Trigger: Time | Trigger: Log Hits | Health Notice: create |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | login_session | health_notice |
time_trigger | log_hits_trigger | |
transient_group_membership | transient_group_membership | |
account | account |
Health Notice: cured |
---|
cluster_node |
custom_email |
device_option |
health_notice |
List of objects available for all associated record types:
Aged AR Penalty |
---|
cluster_node |
custom_email |
device_option |
aged_ar_penalty |
login_session |
payment_method |
usage_plan |
account |
List of attributes available for each object:
account | usage_plan | merchant |
---|---|---|
id | id | id |
type | account_group_id | name |
login | name | gateway |
crypted_password | description | login |
salt | currency | password |
state | recurring_method | test |
first_name | recurring_day | note |
last_name | variable_recurring_day | created_at |
automatic_login | updated_at | |
usage_plan_id | note | created_by |
usage_minutes | created_at | updated_by |
unlimited_usage_minutes | updated_at | signature |
usage_expiration | created_by | partner |
no_usage_expiration | updated_by | invoice_prefix |
automatic_login | time_plan_id | integration |
note | quota_plan_id | store_payment_methods |
logged_in_at | usage_lifetime_time | live_url |
created_at | absolute_usage_lifetime | pem |
updated_at | unlimited_usage_lifetime | scratch |
created_by | no_usage_lifetime | dup_timeout_seconds |
updated_by | recurring_retry_grace_minutes | |
mb_up | recurring_fail_limit | |
mb_down | prorate_credit | |
pkts_up | permit_unpaid_ar | |
pkts_down | pms_server_id | |
usage_mb_up | lock_devices | |
usage_mb_down | scratch | |
unlimited_usage_mb_up | max_sessions | |
unlimited_usage_mb_down | max_devices | |
company | unlimited_devices | |
address1 | unlimited_sessions | |
address2 | usage_lifetime_time_unit | |
city | max_dedicated_ips | |
region | pms_guest_match_operator | |
zip | recurring_lifetime_time | |
country | recurring_lifetime_time_unit | |
phone | unlimited_recurring_lifetime | |
bill_at | sms_gateway_id | |
lock_version | validation_method | |
charge_attempted_at | validation_grace_minutes | |
lock_devices | max_party_devices | |
relative_usage_lifetime | unlimited_party_devices | |
scratch | upnp_enabled | |
portal_message | automatic_provision | |
max_devices | conference_id | |
unlimited_devices | ips_are_static | |
max_sessions | base_price | |
unlimited_sessions | vtas_are_static | |
max_dedicated_ips | manual_ar | |
account_group_id | ||
email2 | ||
pre_shared_key | ||
phone_validation_code | ||
email_validation_code | ||
phone_validated | ||
email_validated | ||
phone_validation_code_expires_at | ||
email_validation_code_expires_at | ||
max_party_devices | ||
unlimited_party_devices | ||
nt_password | ||
upnp_enabled | ||
automatic_provision | ||
ips_are_static | ||
guid | ||
vtas_are_static | ||
account_id | ||
max_sub_accounts | ||
unlimited_sub_accounts | ||
approved_by | ||
approved_at | ||
pending_admin_approval | ||
wispr_data | ||
hide_from_operator |
payment_method | merchant_transaction | coupon |
---|---|---|
id | id | id |
account_id | account_id | usage_plan_id |
active | payment_method_id | code |
company | merchant_id | credit |
address1 | usage_plan_id | expires_at |
address2 | amount | note |
city | currency | created_by |
state | test | updated_by |
zip | ip | created_at |
country | mac | updated_at |
phone | customer | batch |
note | scratch | |
created_at | merchant_string | max_redemptions |
updated_at | description | unlimited_redemptions |
created_by | success | |
updated_by | response_yaml | |
scratch | created_at | |
customer_id | updated_at | |
card_id | created_by | |
nickname | updated_by | |
encrypted_cc_number | message | |
encrypted_cc_number_iv | authorization | |
encrypted_cc_expiration_month | hostname | |
encrypted_cc_expiration_month_iv | http_user_agent_id | |
encrypted_cc_expiration_year | account_group_id | |
encrypted_cc_expiration_year_iv | subscription_id | |
encrypted_first_name | ||
encrypted_first_name_iv | ||
encrypted_middle_name | ||
encrypted_middle_name_iv | ||
encrypted_last_name | ||
encrypted_last_name_iv | ||
cc_number | ||
cc_expiration_month | ||
cc_expiration_year | ||
first_name | ||
middle_name | ||
last_name |
login_session | ip_group | device_option |
---|---|---|
id | id | id |
account_id | policy_id | name |
radius_realm_id | name | active |
login | priority | device_location |
ip | note | domain_name |
mac | created_at | ntp_server |
expires_at | updated_at | time_zone |
online | created_by | smtp_address |
radius_acct_session_id | updated_by | rails_env |
radius_response | scratch | note |
radius_class_attribute | created_at | |
created_at | updated_at | |
updated_at | created_by | |
created_by | updated_by | |
updated_by | smtp_port | |
bytes_up | smtp_domain | |
bytes_down | smtp_username | |
pkts_up | smtp_password | |
pkts_down | cluster_node_id | |
usage_bytes_up | scratch | |
usage_bytes_down | log_rotate_hour | |
ldap_domain_id | log_rotate_count | |
radius_realm_server_id | ssh_port | |
ldap_domain_server_id | country_code | |
cluster_node_id | disable_hyperthreading | |
shared_credential_group_id | developer_mode | |
ip_group_id | sync_builtin_admins | |
account_group_id | delayed_job_workers | |
usage_plan_id | log_level | |
lock_version | max_forked_processes | |
hostname | soap_port | |
total_bytes_up | reboot_timestamp | |
total_bytes_down | reboot_time_zone | |
total_pkts_up | limit_sshd_start | |
total_pkts_down | limit_sshd_rate | |
radius_server_id | limit_sshd_full | |
radius_request | use_puma_threads | |
backend_login_at | ||
http_user_agent_id | ||
backend_login_seconds | ||
portal_login_at | ||
omniauth_profile_id | ||
encrypted_password | ||
encrypted_password_iv | ||
conference_id | ||
password |
custom_email | transient_group_membership | time_trigger |
---|---|---|
id | id | id |
name | ip_group_id | account_group_id |
from | mac_group_id | name |
subject | account_group_id | mon |
body | account_id | tues |
event | ip | wed |
note | mac | thurs |
created_by | reason | fri |
updated_by | expires_at | sat |
created_at | created_by | sun |
updated_at | updated_by | start |
send_to_account | created_at | end |
scratch | updated_at | note |
email_recipient | cluster_node_id | created_by |
include_custom_reports_in_body | max_connections_trigger_id | updated_by |
attachment_format | quota_trigger_id | created_at |
custom_event | time_trigger_id | updated_at |
delivery_method | snort_trigger_id | ip_group_id |
sms_gateway_id | hostname | mac_group_id |
reply_to | radius_group_id | scratch |
ldap_group_id | flush_states | |
login_session_id | flush_dhcp | |
log_hits_trigger_id | flush_arp | |
flush_states | flush_vtas | |
flush_dhcp | infrastructure_area_id | |
flush_arp | previous_infrastructure_area_id | |
flush_vtas | duration | |
vulner_assess_trigger_id | current_dwell | |
previous_dwell |
log_hits_trigger | snort_trigger | max_connections_trigger |
---|---|---|
id | id | id |
ip_group_id | ip_group_id | ip_group_id |
mac_group_id | name | name |
name | duration | max_connections |
note | note | duration |
log_file | created_by | note |
duration | updated_by | created_by |
max_hits | created_at | updated_by |
window | updated_at | created_at |
scratch | scratch | updated_at |
created_by | mac_group_id | scratch |
updated_by | flush_states | mac_group_id |
created_at | flush_dhcp | flush_states |
updated_at | flush_arp | flush_dhcp |
flush_states | flush_vtas | flush_arp |
flush_dhcp | flush_vtas | |
flush_arp | max_duration | |
flush_vtas | max_mb | |
period | ||
active_or_expired | ||
max_duration_logic | ||
max_mb_logic |
quota_trigger | health_notice | cluster_node |
---|---|---|
id | id | id |
account_group_id | cluster_node_id | name |
name | name | iui |
usage_mb_down | short_message | database_password |
usage_mb_down_unit | long_message | note |
usage_mb_up | cured_short_message | created_by |
usage_mb_up_unit | cured_long_message | updated_by |
up_down_logic_operator | severity | created_at |
note | cured_at | updated_at |
created_by | created_at | ip |
updated_by | updated_at | ssh_public_key |
created_at | created_by | scratch |
updated_at | updated_by | heartbeat_at |
radius_group_id | fleet_node_id | data_plane_ha_timeout_seconds |
ldap_group_id | node_mode | |
period | cluster_node_team_id | |
unlimited_period | wal_receiver_pid | |
duration | wal_receiver_status | |
unlimited_duration | wal_receiver_receive_start_lsn | |
scratch | wal_receiver_receive_start_tli | |
ip_group_id | wal_receiver_received_lsn | |
mac_group_id | wal_receiver_received_tli | |
flush_states | wal_receiver_latest_end_lsn | |
flush_dhcp | wal_receiver_slot_name | |
flush_arp | wal_receiver_sender_host | |
flush_vtas | wal_receiver_sender_port | |
wal_receiver_last_msg_send_time | ||
wal_receiver_last_msg_receipt_time | ||
wal_receiver_latest_end_time | ||
op_cluster_node_id | ||
priority | ||
auto_registration | ||
permit_new_nodes | ||
auto_approve_new_nodes | ||
pending_auto_registration | ||
pending_approval | ||
control_plane_ha_backoff_seconds | ||
data_plane_ha_enabled | ||
upgrading | ||
enable_radius_proxy |
aged_ar_penalty |
---|
id |
name |
amount |
days |
suspend_account |
note |
created_at |
updated_at |
created_by |
updated_by |
custom_email_id |
scratch |
record_type |
days_type |
Use Cases
Slack Integration: Notification when an admin is created or deleted
Procedure:
- Use Slack guide to create a new app, and configure incoming webhooks.
Navigate to Services-->Notifications and create a new webhook target Insert the webhook address from your slack app as the base URL.
Create a webhook for created admins. An example body is:
{ "attachments": [ { "fallback": "Admin Created on <%= DeviceOption.active.domain_name %>.", "color": "#36a64f", "pretext": "A New Administrator has been created", "author_name": "FQDN: <%= DeviceOption.active.domain_name %>", "author_link": "https://<%= DeviceOption.active.domain_name %>/admin/", "title": "Created Admin: <%= admin.login %>", "text": "*Created by:* <%= admin.created_by %>", "fields": [ { "title": "Priority", "value": "Medium", "short": false } ], "footer": "Slack API" } ] }
Create a webhook for deleted admins An example body is: (notice the use of <%= admin_hash %> because the record has been deleted.)
{
"attachments": [
{
"fallback": Admin Deleted on <%= DeviceOption.active.domain_name %>.",
"color": "#FF0000",
"pretext": "An Administrator has been deleted",
"author_name": "FQDN: <%= DeviceOption.find_by(active: 'true').domain_name %>",
"author_link": "https://<%= DeviceOption.find_by(active: 'true').domain_name %>/admin/",
"title": "Deleted Admin: <%= admin_hash[:login] %>",
"text": "*Deleted by:* <%= admin_hash[:updated_by] %>",
"fields": [
{
"title": "Priority",
"value": "High",
"short": false
}
],
"footer": "Slack API"
}
]
}
- Create a notification action for created admins.
- Choose Event Type: Watch Scaffold
- Choose Watched Model: Administrators
- Select: Watch Create
- Choose the Admin Created Webhook under actions
- Create a notification action for deleted admins.
- Choose Event Type: Watch Scaffold
- Choose Watched Model: Administrators
- Select: Watch Delete
- Choose the Admin Deleted Webhook under actions
- Navigate to System-->Admins, and create a new admin. Then delete the new admin. The channel configured in your Slack app will have messages posted via the rXg Notification Actions subsystem.
Location Based Crowding Notifications
Procedure:
- Navigate to Network :: Location
Create or edit existing location areas.
Edit individual areas and set crowd event thresholds. Thresholds can be set at region, floor, and site levels.
Navigate to Services :: Notifications
Create a notification action and select desired messages, webhooks and/or health notices to trigger.
Push Account To Remote rXg On Create
Procedure:
- Navigate to Services :: Notifications
Create a new Notification Action
- Event Type set to Watch Scaffold
- Watched Model set to Accounts
- Check the Watch Create checkbox
- Click Create.
Create a new Webhook Target
- Input a Name
- The base url will be https://FQDN\_of\_remote\_system/admins/scaffolds/
- Select body format, JSON in this case, and Body Encoding as RAW
- Add Webhook Property, Kind = Query Paramater, Key = api_key, the value will be the API key of an admin on remote system
- Click Create
Create a new Webhook
- Input a name
- Select Notification action created in step 1
- Select the webhook target created above
- Set path to accounts/create.json
- Set Method to POST
- Enter code into body (example below), click create.
<%
# get remote usage plan hash
result = HTTParty.post('https://FQDN_of_remote_system/admin/scaffolds/usage_plans/index.xml',
body: {:api_key=>"REMOTE_ADMIN_API_KEY",
:search=>account.usage_plan.try(:name)})
up = result["usage_plans"].try(:first)
# get remote account group hash
result = HTTParty.post('https://FQDN_of_remote_system/admin/scaffolds/account_groups/index.xml',
body: {:api_key=>"REMOTE_ADMIN_API_KEY",
:search=>account.account_group.try(:name)})
ag = result["account_groups"].try(:first)
# varible for device creation
count = 1
acct_hash = account.attributes
# remove attrs we dont want to push
acct_hash.delete("id")
acct_hash.delete("usage_plan_id")
acct_hash.delete("account_group_id")
acct_hash.delete("type")
acct_hash.delete("created_at")
acct_hash.delete("updated_at")
acct_hash.delete("created_by")
acct_hash.delete("updated_by")
acct_hash.delete("mb_up")
acct_hash.delete("mb_down")
acct_hash.delete("crypted_password")
acct_hash.delete("salt")
# make temporary password
acct_hash["password"] = acct_hash["password_confirmation"] = acct_hash["pre_shared_key"]
# add usage plan and do_apply_plan to hash if found on remote system
if up
acct_hash["usage_plan"] = up["id"]
acct_hash["do_apply_usage_plan"] = 1
end
# add account group to hash if found on remote system
if ag
acct_hash["account_group"] = ag["id"]
end
# add all devices to account hash
acct_hash["devices"] = {}
account.devices.each do |device|
acct_hash["devices"]["device#{count.to_s}"] = {
"name" => device.name,
"mac" => device.mac
}
count += 1
end
%>
{
"record": <%= acct_hash.to_json %>
}
CRM Integration
This example will explore integrating the rXg with the community edition of vTiger CRM. This case demonstrates using an API requiring a multistep login process, and use of a disposable session key rather than static credentials.
Procedure:
- The community edition of vTiger uses a combination of a challenge token, username, and access key to generate an expiring session key to be used with API calls. Create a custom data key under System :: Portals as a place to store the key.
- The only necessary field to populate is the name.
- Create a notification action to periodically get the session key, and perform a log in to the CRM.
- Set the event type to periodic.
- Choose a time within the session key expiration (the webhook will contain logic to determine if a refresh is necessary).
- Create a webhook target for the CRM.
- Add an HTTP header of "Content-Type": "application/x-www-form-urlencoded"
- Create a webhook that uses embedded ruby to store the current session key in the previously defined custom data key. This example looks at the age of the current key to see if a new key is necessary before executing.
- Choose the previously created notification action.
- Choose the CRM webhook target.
- Example Body:
<%
api_key = CustomDataKey.find_by(name: 'api_key')
if api_key.value_string.blank? || 30.minutes.since > api_key.updated_at
query = {
operation: "getchallenge",
username: "username",
}
resp = HTTParty.get(webhook_target.base_url, query: query)
token = JSON.parse(resp.body)['result']['token']
access_key = Digest::MD5.hexdigest(token + 'access_key_from_GUI')
body = {
operation: "login",
username: "username",
accessKey: access_key,
}
login = HTTParty.post(webhook_target.base_url, body: body)
session_id = JSON.parse(login.body)['result']['sessionName']
api_key.value_string = session_id
api_key.save!
end
raise DoNotSendError
%>
- Create a notfication action to trigger when a new account is created.
- Choose the event type: Watch Scaffold
- Choose the watched model: Accounts
- Check: Watch Create
- Create a webhook to create the account on the CRM.
- Select the previously created notification action.
- Choose the CRM webhook target.
- Set the method to POST
- Example Body:
<%=
{
operation: "create",
sessionName: CustomDataKey.find_by(name: 'api_key').value_string,
elementType: "Contacts",
element: {
firstname: record_hash["first_name"],
lastname: record_hash["last_name"],
assigned_user_id: "20x4",
}.to_json
}.to_query
%>
- Because vTiger CRM expects the body of the HTTP POST to be url-encoded the body is enclosed in ERB tags "<%= ... %>" so certain methods can be used to make formatting easier. ## Webhook to retrieve System Info
In this example will show how to setup a Webhook to push System Info on a periodic interval.
Procedure:
- Create a new Notification Action
- Populate the name field with the desired name.
- Set the Event Type field to Periodic.
- Specify how often the action should run using the Period field. Default is 5 minutes.
- Click Create. 2. Create a new Webhook Target
- Populate the name field with the desired name.
- Specify the URL of the target using the Base URL field.
Click Create.
- Create a new Webhook
Populate the name field with the desired name.
Use the Notification Actions field to select the notification action created in step 1.
Select the webhook target created in step 2 in the Webhook Target field.
Set the path in the Path field.
The Body field is where we will put our payload.
<%= SystemInfo.first.attributes.to_json %> - Click Create. This will pass the following information.
{
"id": 1048577,
"cluster_node_id": null,
"baseboard_asset_tag": "Not Specified",
"baseboard_manufacturer": "Intel Corporation",
"baseboard_product_name": "440BX Desktop Reference Platform",
"baseboard_serial_number": "None",
"baseboard_version": "None",
"bios_vendor": "Phoenix Technologies LTD",
"bios_version": "6.00",
"chassis_asset_tag": "No Asset Tag",
"chassis_manufacturer": "No Enclosure",
"chassis_serial_number": "None",
"chassis_type": "Other",
"chassis_version": "N/A",
"disk_device": "NECVMWar VMware SATA CD00 1.00",
"hostname": "rxg.example.com",
"os_arch": "amd64",
"os_branch": "RELEASE",
"os_kernel": "FreeBSD 12.2-RELEASE-p9 #16 476551a338d",
"os_name": "FreeBSD",
"os_release": "12.2-RELEASE-p9 #16",
"os_version": "12.2",
"processor_family": "Unknown",
"processor_frequency": "2300 MHz",
"processor_manufacturer": "GenuineIntel",
"processor_version": "Intel(R) Xeon(R) D-2146NT CPU @ 2.30GHz",
"rxg_build": "12.999",
"system_manufacturer": "VMware, Inc.",
"system_product_name": "VMware Virtual Platform",
"system_serial_number": "VMware-56 4d fd 29 e4 1a c1 4e-a2 60 81 57 54 ff dd 51",
"system_uuid": "29fd4d56-1ae4-4ec1-a260-815754ffdd51",
"system_version": "None",
"disk_total_gb": 111,
"memory_free_mb": 3874,
"memory_total_mb": 8192,
"memory_used_mb": 4317,
"processor_count": 4,
"uptime": 85371,
"load_avg_15m": "0.78",
"load_avg_1m": "1.09",
"load_avg_5m": "0.84",
"processor_temp": "0.0",
"bios_release_date": "2018-12-12",
"booted_at": "2021-08-30T08:37:23.000-07:00",
"created_by": "rxgd(InstrumentVitals)",
"updated_by": "rxgd(InstrumentVitals)",
"created_at": "2021-08-11T08:38:58.800-07:00",
"updated_at": "2021-08-31T08:20:14.808-07:00",
"rxg_iui": "4 2290 8192 111 ZKORHJVPDUQUZUNIBEWLHDFQ GZQQJUTGUDOIFDNTDUFQSKTW NLDQYHFARJWE",
"system_family": "Not Specified",
"fleet_node_id": null
}
Backend Scripts
The backend script allows the operator to write custom ruby scripts that can be used for things like interacting with mobile applications or performing a configuration change on a regular schedule. From the Notification Actions scaffold you can choose a trigger for the script from the drop down list. Some examples included manual, periodic, errors, and thresholds.
Big Red Button Mobile Application
This example will show how to setup a backend script that can be triggered by an API call executed by a mobile application which is available in the Apple and Google Play app stores.
This example assumes that you have an existing WLAN created under the WLANs scaffold with a record name of arena.
Procedure:
1) Browse to Services >> Notifications >> Backend Scripts 2) Click Create New 3) Name the backend script toggle_ssid. 4) Paste the following script into the body and click create.
def toggle_ssid wlan = Wlan.find_by(name: 'arena') ssid = wlan.ssid
if ssid == 'basketball_arena' wlan.ssid = 'hockey_arena' else wlan.ssid = 'basketball_arena' end
wlan.save! end
toggle_ssid
puts 'ssid toggled successfully'
5) Browse to Services >> Notifications >> Notification Actions 6) Click Create New 7) Name the notification action toggle_ssid. 8) Set the event type field to Manual. 9) Select toggle_ssid from the available scripts in the list.
Install the rXg Action Button Mobile App
Apple: https://apps.apple.com/us/app/rxg-action-button/id1483547358 Android: https://play.google.com/store/apps/details?id=net.lok.aidan.rxg_action_button
1) On the rXg browse to System >> Admins 2) Next to your admin account, click on the API Keys link. 3) Click Create New 4) Provide the API Key a name and click Create.
5) You will be presented with several QR codes. Make sure to leave this screen up.
6) From the mobile app, click Scan QR Code.
7) Scan the QR code labeled JSON. 8) Click Login With Saved Credentials
9) Set the action to toggle_ssid 10) Click on the slider to enable the button.
Now, simply press the red action button to toggle the SSID from basketball_arena to hockey_arena. These changes will be pushed to the wireless controller via config sync.
This is a very simple example of what can be done using a combination of a mobile application and the rXg backend scripts.
Conference Tool
Conference Tool Prerequisites
- Infastructure devices must be in sync.
- Any switches that contain switch ports that are tied to location areas need to be in sync.
- The wireless controller must also be in sync so the system can create SSID's that will be broadcast in the conference areas.
- Create VLAN interfaces and Network addresses.
- Create IP groups for each Network address that was created.
- Create Conference Options.
- Create Location Areas and assign switch ports/AP's.
- Switches and WLAN controllers must be in sync to fully work with the Conference Tool. To make sure they are in sync, navigate to Network::Wired and Network::Wireless to check the status of the devices. The "Config sync status" field should be green. See below images.
- Create VLAN interfaces and Network addresses. This step creates the networking that will be used for conferences. There are two types of networks that can be created. Per-user networks which will put each device in it's own VLAN (or a smaller group of devices in each VLAN if there are not enough VLANs for each device), or we can create a network that is contained in a single VLAN so that devices may communicate with each other. In either case navigate to Network::LAN.
To create a Per-user network first create a new VLAN Interface. Give it a name, select the Physical interface. Set the VLAN ID, which will be the starting VLAN. For this example we will set the Ratio to 4, this means that we will put 4 subnets we create in the next step into each VLAN. Click create.
Next create a new Network Address. Give it a name, select the VLAN from the previous step in the VLAN field. Specify the IP address using CIDR notation in the IP field. In this example there are going to be 128 /30 addresses created. When creating the networking, the operator should take care to create network address space that is large enough to contain enough addresses for the number of devices that are expected to connect to any given conference. For these addresses it is not necessary to check the Create DHCP Pool box, as the system will create the DHCP pool when the conference is active. Create New should be selected in the IP Group, which will take care of Step 3 as well. Click Create.
For non Per-User networks, create a new VLAN Interface, give it a name, select the Physical interface. Set the VLAN ID, which will be the starting VLAN. For non Per-User networks the Autoincrement field should be set to none, and the ratio left at 1. Click create.
Next create a new Network Address. Give it a name, select the VLAN from the previous step in the VLAN field. Specify the IP address using CIDR notation in the IP field. In this example we are creating a single /24 network that will be on VLAN 3500 which was created in the previous step, so make sure Autoincrement is set to 1. When creating the networking, the operator should take care to create network address space that is large enough to contain enough addresses for the number of devices that are expected to connect to any given conference. For these addresses it is not necessary to check the Create DHCP Pool box, as the system will create the DHCP pool when the conference is active. For this example we will not select Create New for the IP Group and will manually create the IP group. Click Create.
- Create IP groups for each Network address that was created. In the previous step one network was created with the create new IP group option selected and one was not. To manually create the IP group for the 2nd network in this example navigate to Identities::Groups and create a new IP Group. Give it a name, and select the Address in the Addresses field from the previous step. Leave everything else default and click create. Note a policy should not be selected when creating the IP Group as the system will create and assign a policy to the group as needed.
- Create Conference Options. Navigate to Services::Conference Tool and create a new Conference Option. Give it a name, and select the admin roles that are allowed to access the conference tool. Select the VLANs that the Conference Tool has access to. Leave any other settings as the defaults and click Create.
- Create Location Areas and assign switch ports/AP's. For this step a location area should be created for each conference space and the switch ports and AP's that are located in that physical space should be added. Create a new Location Area, give it a name, and select the AP's in this space in the Conference APs field and any switch ports in the Conference Ports field. Click Create. Repeat for each area. Lastly edit the Conference Option created in the previous step and select the Location Areas that have been created.
The Conference Tool is now ready to be used after completing these steps.
IoT Hubs
An entry in the IoT Hubs scaffold defines a device capable of controlling IoT devices. The rXg supports two controllers currently, RUCKUS IoT and RG Nets Piglet. The RUCKUS IoT (RIoT) controller is a virtualized software application that connects to RUCKUS IoT-enabled access points to provide support for BLE and ZigBee devices. One RIoT application per 500 IoT devices is the typical deployment model. RG Nets Piglet runs on a Raspberry Pi 4 and supports multiple protocols. One Piglet per account is the typical deployment model.
IotHubs
The online field when green, this indicates that the Iot Websocket Client is running and subscribed to streaming changes from this device. If red, the websocket client is not subscribed to streaming changes, so the state of iot entities may not accurately reflect the actual, current state.
The OS field indicates the version of the piglet software running on the IotHub.
The HA version indicates the version of home_assistant running on the IotHub.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Host field is the IP address of the Iot Hub.
The Port field is used to change ssh port, default is 22.
The Api Port field sets the API port for the Pi, default is 8123.
The Username field is used to set the username for the IotHub.
The Password field is used to set the password for the IotHub.
The Monitor state changes box if checked idndicates the websocket client should subscribe to streaming changes from this IotHub.
The Iot hub profile field is currently reserved for future use.
The Pms property field is optional, used to select the PMS property that the IotHub is associated with.
The Pms room field is optional, used to select the PMS room that the IotHub is associted with.
IotHubProfiles
Reserved for future use.
IotGroups
IotGroups are used to logically group IotHubs, IotEntities, and nested IotGroups. In addition, admin role access is granted at the IotGroup level. At a minimum, you will need to define an IotGroup that consists of the IotHubs you will want to control and assign the appropriate admin role access. Otherwise, IotHubs will not be populated on the iot hub dashboard in the operator portal due to lack of privileges.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Description field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The Group type field is reserved for future use.
The Admin roles field allows the operator to select which admin roles should have access to the group.
The Iot hubs field allows the operator to select the IotHubs included in the group.
The Iot entities field allows the operator to select which IotEntities are included in the group.
The Iot groups field is the nested IotGroups for the group.
IotEntities
IotEntities are the devices that are controlled and/or monitored by an IotHub. They can be lights, switches, sensors, or any supported IoT device. These are typically Z-Wave or Zigbee devices, but there are many different types of IoT control. These entities will be populated during an Import Entities for each hub. If you add devices after the initial import, you will want to run the import entities again.
The Iot type field is used to specify the type of entity, light, sensor, binary_sensor, etc.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Description field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The Is property controlled field is reserved for future use.
The State field is the last recored state of this entity, for example 'on' for a light.
The Iot actions field is reserved for future use.
The Iot hub field indicates the IotHub that this entity is associated with.
vRIoT Integration
The following section will outline the process of attaching RUCKUS vRIoT as an IoT hub in rXg and setup the MQTT service.
Add vRIoT as IoT Hub
- Browse to Services >> IoT Hubs
- In the IoT Hubs scaffold, click Create New
- Name the controller
- Set the Model dropdown to RUCKUS IoT Controller
- Add the IP address of the vRIoT server to the host field
- Provide a username and password to access the vRIoT server
- Press Create
- In the IoT Hubs scaffold, click Create New
- Click Import Entities link to complete the process.
Setup MQTT on the vRIoT Server
- On the vRIoT server, Browse to Admin >> Plugins
- From the dropdown, select Controller Data Stream
- Press the Activate button
- Configure the controller data stream as follows:
MQTT Broker IP: 127.0.0.1
MQTT Broker Port: 1883
MQTT Publish Topic: /events
Device Reporting: Yes
Device Reporting Topic: /events
- To confirm the MQTT service is working, SSH to the rXg and type
tail -f /var/log/mqtt_subscriber_iot.log
to check for activity.
RADIUS
The RADIUS view presents the scaffolds associated with configuring the rXg integrated RADIUS server.
Centralized Infrastructure Device AAA Server
The rXg identity database may be used as a credential store for rXg units or other third party devices via the RADIUS protocol. One common use of the rXg RADIUS server is to serve as a central credential database for administrative access to infrastructure equipment. For example, most VLAN "smart" switches and "enterprise" wireless access points may be configured to look to a RADIUS server for authenticating administrative access. Using the integrated rXg RADIUS server as a central credential store for infrastructure is a simple and effective way to reduce the complexity that is usually associated with networks that have a large number of devices.
Configuring rXg For Centralized Infrastructure Device AAA Server
Procedure: 1. Create an Account Group that will be tied to Administrator Account(s) 2. Create a policy for Administrator Account(s) Account Group
Check the AAA Account Group in the Account group section.3. Create a WAN Target that contains the public IP the radius request will come from. 4. Edit Radius Server Options add WAN target previously created. 5. Create a RADIUS realm and attach the policy created from the Administrator Account(s). 6. Create a new Account that will contain the credentials.
Attach account to the policy for Administrator Account(s)7. Point remote device to the rXg RADIUS server.
- Navigate to Identities-->Groups and create a new Account Group.
- Navigate to Policies-->Captive Portal and create a new Policy. Enter a name for the new policy and check the Account Group created in the previous step.
- Create a new WAN Target or edit existing WAN Target by navigating to Identities-->Definitions. Enter the IP(s) that should be allowed access to the Radius Server.
- Edit the RADIUS Server Options by navigating to Services-->RADIUS and check the WAN Target. Click Update.
- Create a new RADIUS Server Realm and select the policy that was created for the Administator account(s). Click Create.
- Create a new Account by navigating to Identities-->Accounts, Enter the Login name and password. Under Provision set the Group to the Account Group created previously. A First and Last name will also need to be provided along with an email address.
- Point the device to use the RADIUS server running on the rXg, set the primary IP address of the rXg as the AAA server, and adjust the ports if necessary. The key can be copied from the Radius Server Options on the rXg.
Subscriber Roaming
Another common use of the integrated rXg RADIUS server is to share a single centrally located end-user database amongst a set of geographically diverse RADIUS NAS capable devices. For example, "smart" access points, DSLAMs and even modem banks may be configured to use RADIUS to use an rXg with the RADIUS server enabled as a credential store. Using a single unified credential store across devices that controls access to multiple media helps control operational costs.
In many cases, the RADIUS NAS may also be configured for forced browser redirect of unauthenticated end-users to the rXg captive portal. This enables end-user self-provisioning and further reduces operational overhead. Since the rXg billing mechanisms are fully integrated into with the RADIUS server enabling operators to easily bill end-users for access to a diverse set of media.
The rXg integrated RADIUS server may also be used as a mechanism to loosely federate multiple rXg units. RG Nets recommends the deployment of the rXg clustering mechanism with an rXg cluster controller for unified and simplified clustering of multiple rXg units. However, for certain special cases, it may be more appropriate to use the RADIUS server of an rXg node or an rXg cluster controller along with the RADIUS NAS of multiple other rXgs to create a federation of rXg devices that share a single database.
One rXg unit is then dedicated to being the federation master. The captive portal web application server and end-user database are centrally stored on the federation master. The federation nodes are configured to authenticate using the RADIUS NAS clients and the rXg federation master is configured to be a RADIUS server.
Enterprise NAC
The rXg integrated RADIUS Server can be used to as a centralized AAA server for enterprise wired and wireless networks. Edge infrastructure devices are configured as access servers with port control enabled. Both username/password tuples and MAC address authentication credentials are supported. The rXg can proxy authentication to an external LDAP or RADIUS server (discussed later in this manual page) and/or check the local database.
If the local database is used then the operator may choose to create accounts for each employee and set a password. Alternatively, the administrator can use MAC address device authentication. To accomplish this, the operator will need to populate an account with desired MAC addresses. In either case, the account(s)should be associated with an account group. The account group also needs to be associated to a policy that is selected under a RADIUS Server Realm's matching options. By associating VLAN(s) to the RADIUS Server Realm , an operator can control what network(s) enterprise owned devices are assigned.
For example, in the packet exchange below, the Calling-Station-ID
attribute contains the MAC Address of the requesting device. The highest-priority policy will be used to determine which RADIUS Server Realm the device matches. The Tunnel-Private-Group-ID
attribute in the Access-Accept packet shows the VLAN assigned to this device.
14:38:33.381021 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 206)
10.103.254.4.56792 > 10.103.254.1.1812: [udp sum ok] RADIUS, length: 178
Access-Request (1), id: 0xe5, Authenticator: 2b9a4726041df0639dcc5f8574c30f5a
User-Name Attribute (1), length: 14, Value: 449160ece7fa
0x0000: 3434 3931 3630 6563 6537 6661
User-Password Attribute (2), length: 18, Value:
0x0000: a0e8 7cc3 4eb8 c07f 2322 714c a2e7 416e**Calling-Station-Id Attribute (31), length: 19, Value: 44-91-60-EC-E7-FA** 0x0000: 3434 2d39 312d 3630 2d45 432d 4537 2d46
0x0010: 41
NAS-IP-Address Attribute (4), length: 6, Value: 10.103.254.4
0x0000: 0a67 fe04
Called-Station-Id Attribute (30), length: 32, Value: D4-68-4D-2A-39-F0:SomeSSID
0x0000: 4434 2d36 382d 3444 2d32 412d 3339 2d46
0x0010: 303a 4b61 7272 6963 6b48 6f75 7365
Service-Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
0x0000: 0000 0013
NAS-Identifier Attribute (32), length: 19, Value: D4-68-4D-2A-39-F8
0x0000: 4434 2d36 382d 3444 2d32 412d 3339 2d46
0x0010: 38
Vendor-Specific Attribute (26), length: 20, Value: Vendor: Unknown (25053)
Vendor Attribute: 3, Length: 12, Value: KarrickHouse
0x0000: 0000 61dd 030e 4b61 7272 6963 6b48 6f75
0x0010: 7365
Message-Authenticator Attribute (80), length: 18, Value: .,H..-..S@.)..X.
0x0000: 842c 481d 8a2d 8c03 5340 0c29 deeb 5881
14:38:33.414314 IP (tos 0x0, ttl 64, id 6773, offset 0, flags [none], proto UDP (17), length 74)
10.103.254.1.1812 > 10.103.254.4.56792: [bad udp cksum 0x111c -> 0x598a!] RADIUS, length: 46
Access-Accept (2), id: 0xe5, Authenticator: d6f41b864e670829842982228b59649e
Class Attribute (25), length: 8, Value: Family
0x0000: 4661 6d69 6c79
Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
0x0000: 0000 0006**Tunnel-Private-Group-ID Attribute (81), length: 6, Value: 2002**0x0000: 3230 3032
Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] VLAN
0x0000: 0000 000d
The enterprise NAC functionality can be used to augment other functions of the rXg. For instance, some WLAN controllers proxy RADIUS access-requests through the controller for client authentication, while others send the requests directly from each AP. Because the rXg utilizes ACLs to limit access to the RADIUS server function, the operator should utilize RADIUS MAC authentication on switchports to automate servicing access-requests from many APs.
Procedure:
- Create AP managment VLANs
- Create an IP group for AP Managment VLANs
- Create a policy for AP Management IP group
- Add AP Management policy to RADIUS Server Options scaffold
- Create a MAC group containing a wildcard of the OUIs of Access Points
- Attach MAC group to a policy
- Create a RADIUS realm for the AP MAC group policy
- Attach AP Management VLANs
- Enable RADIUS MAC authentication bypass on switch ports
DVLAN for Large Public Venues
The rXg incorporates intelligent VLAN assignment in the RADIUS Server. A RADIUS Server Realm with the per-device setting is used for guest, quarantine and onboarding networks where true device isolation is desired. This mechanism is often used a large public venues so that event attendees can be split across operator chosen VLANs. Optionally each device can be assigned a /30 network. To accomplish this, the operator will need to create a RADIUS Server Realm matching a policy, or attribute pattern, and select per-account or per-device in the Dynamic VLANs sharing menu. To enable microsegmented L3s or L2s for attendees, VLANs with proper auto-increment, and ratio settings should be implemented. VLAN re-use can be used in LPVs, where capacity exceeds available VLANs. This allows for high-density deployments, with minimal broadcast domains.
For example, in the packet exchange below, theCalled-Station-ID
attribute contains the AP Radio MAC Address, and SSID the client device requested. By using a attribute pattern match, the operator can have all devices requesting this WLAN match this RADIUS Realm. The rXg has a variety of built in attributes, and allows the operator to define custom attributes to match
14:38:33.381021 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 206)
10.103.254.4.56792 > 10.103.254.1.1812: [udp sum ok] RADIUS, length: 178
Access-Request (1), id: 0xe5, Authenticator: 2b9a4726041df0639dcc5f8574c30f5a
User-Name Attribute (1), length: 14, Value: 449160ece7fa
0x0000: 3434 3931 3630 6563 6537 6661
User-Password Attribute (2), length: 18, Value:
0x0000: a0e8 7cc3 4eb8 c07f 2322 714c a2e7 416e
Calling-Station-Id Attribute (31), length: 19, Value: 44-91-60-EC-E7-FA
0x0000: 3434 2d39 312d 3630 2d45 432d 4537 2d46
0x0010: 41
NAS-IP-Address Attribute (4), length: 6, Value: 10.103.254.4
0x0000: 0a67 fe04**Called-Station-Id Attribute (30), length: 32, Value: D4-68-4D-2A-39-F0:EventSSID**0x0000: 4434 2d36 382d 3444 2d32 412d 3339 2d46
0x0010: 303a 4b61 7272 6963 6b48 6f75 7365
Service-Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
0x0000: 0000 0013
NAS-Identifier Attribute (32), length: 19, Value: D4-68-4D-2A-39-F8
0x0000: 4434 2d36 382d 3444 2d32 412d 3339 2d46
0x0010: 38
Vendor-Specific Attribute (26), length: 20, Value: Vendor: Unknown (25053)
Vendor Attribute: 3, Length: 12, Value: KarrickHouse
0x0000: 0000 61dd 030e 4b61 7272 6963 6b48 6f75
0x0010: 7365
Message-Authenticator Attribute (80), length: 18, Value: .,H..-..S@.)..X.
0x0000: 842c 481d 8a2d 8c03 5340 0c29 deeb 5881
14:38:33.414314 IP (tos 0x0, ttl 64, id 6773, offset 0, flags [none], proto UDP (17), length 74)
10.103.254.1.1812 > 10.103.254.4.56792: [bad udp cksum 0x111c -> 0x598a!] RADIUS, length: 46
Access-Accept (2), id: 0xe5, Authenticator: d6f41b864e670829842982228b59649e
Class Attribute (25), length: 8, Value: Family
0x0000: 4661 6d69 6c79
Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
0x0000: 0000 0006
Tunnel-Private-Group-ID Attribute (81), length: 6, Value: 2002
0x0000: 3230 3032
Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] VLAN
0x0000: 0000 000d
DVLAN Microsegmentation for Multi-Tenant and Hospitality
By configuring a RADIUS Server Realm in the rXg to use per-room, or per-guest VLANs, users can be dynamically assigned a microsegmented network. This enables users to have private LANs on a shared infrastructure, enabling property wide coverage of their personal network. Unique features such as screencasting, printing, etc., can happen via standard L2 protocols. To accomplish this, the operator will need to create a RADIUS Server Realm matching a policy associated to the desired account group , and select per-room in the Dynamic VLANs sharing menu.
For example, a hotel client would integrate the rXg with their existing PMS, and assign per-room VLANs to segment guests. This enables the guests to use services like screencasting in their rooms without the need to download an app. A shared office space environment would implement per-guest VLANs, and segment traffic from other guests, while making tasks like printing and file-sharing seamless.
An operator can associate a Bi-NAT pool to a policy, and utilize the per-room DVLAN mechanism to provide a "virtual Residential Gateway" or vRG. This enables end-users to manage their own port forwards for web-hosting, and gaming. In MDU or Dorm environments, this enables zero-operator intervention, and instant provisioning of typically complex configurations.
RADIUS Proxying
RADIUS Proxy Servers can be used in a variety of ways. By defining a RADIUS Proxy Server an operator can choose to proxy authentication, accounting, or all RADIUS packets to a remote RADIUS Server, LDAP Server, or PMS Server. By proxying authentication requests to a remote server, an operator can enable centralized credential management in distributed rXg deployments.
For example, the rXg can proxy ONLY RADIUS Accounting packets to an upstream device. This is useful in routed scenarios, where the rXg is not the head-end. This enables the operator to send user-name and IP/session information to upstream devices such as content filters, or firewalls.
An operator may also choose to proxy authentication requests against a configured LDAP Server. This enables 802.1x authentication directly against an LDAP server such as Microsoft Active Directory, without the use of Microsoft Network Policy Server (NPS).
RADIUS Proxy with RadSec
RadSec is a a protocol for transporting RADIUS datagrams over TCP and TLS. Standard RADIUS communications depend upon the unreliable transport protocol UDP, and lack security for large parts of the packet payload. RadSec provides a means to secure the communication between a RADIUS NAS and Server by utilizing Transport Layer Security (TLS). By utilizing RadSec, an operator can proxy incoming RADIUS requests securely to a centralized credential store.
To learn more about RADIUS, there are numerous web pages that provide background information on the RADIUS protocol. In addition, the O'Relly RADIUS (ISBN 0596003226) book provides a basic overview of the protocol. A good reference for how to use RADIUS in more complex environments is AAA and Network Security for Mobile Access: Radius, Diameter, EAP, PKI and IP Mobility (ISBN 0470011947).
Multiple PSK with Adtran vWLAN
AdTran supports multiple sets of tagged Tunnel-* RADIUS attributes where each set represents a 'guess' of what the end user may have entered into her device as the PSK. When a set of Tunnel-* attributes tagged with :1 are configured in the rXg, the rXg will automatically create additional sets of Tunnel-* attributes that represent additional possible Accounts the device may belong to. The rXg will create up to 24 total attribute sets. The AP will determine which set contains the correct PSK, and if it finds one, will allow the device to connect and start tagging the device traffic with the VLAN from the set that contained the correct PSK. Assuming 'Automatic Provisioning' is enabled in the account, the rXg will then automatically add the new device to the Account that corresponds to the VLAN from the attribute set.
Prerequisites
- Have Onboarding VLANs, associated to policy with a splash portal
- Have usage plan available for selection on splash portal
- Make sure the "Automatic Provision" checkbox is selected
- Have VLAN(s) available for registered accounts
- Have account group(s) for registered accounts associated to a policy with a landing portal
Configuration
- 1. Deploy vWLAN OVA
- vWLAN Appliance gets DHCP by default
- Login to vWLAN and add AP Licensing
- Either set Static IP on vWLAN, or add fixed-host address in DHCP
- Create "domain-name" DHCP Option , and attach to Global DHCP Option Group (Ex. Domain-Name = local)
- Create DNS Entry for apdiscovery.local to point to vWLAN controller (replace local with your domain name)
- Add vWLAN Controller to rXg wireless Infrastructure Devices
- Create an "Onboarding" RADIUS Realm and use an Attribute Pattern match since these devices would be unknown.
- Select your Onboarding VLANs, to ensure that users are presented the splash portal
- Create a Radius Realm for the policy of registered accounts
- - Select your Account VLANs
- Enable config sync on the vWLAN infrastructure device on the rXg
- Create a new WLAN choosing the following options
- Encryption: WPA2
- Authentication: Multiple PSK
- VLANs (Any associated with both realms)
- New RADIUS Server Attributes will be automatically created
- Create new RADIUS Server Attribute for onboarding
- Name: Tunnel-Password:1
- Value: onboarding (or whatever you want the onboarding PSK to be)
- Edit your Onboarding RADIUS Realm to respond with these attributes (notice the :1)
- Tunnel-Private-Group-Id:1 : %vlan_tag_assignment.tag%
- Tunnel-Type:1 : VLAN
- Tunnel-Medium-Type:1 : IEEE-802
- Tunnel-Password:1 : onboarding
- Edit your registered account RADIUS Realm to respond with these attributes (notice NO :1)
- Tunnel-Private-Group-Id : %vlan_tag_assignment.tag%
- Tunnel-Type : VLAN
- Tunnel-Medium-Type : IEEE-802
- Tunnel-Password : %account.pre_shared_key%
Dynamic PSK with RUCKUS virtual SmartZone (vSZ)
RUCKUS eDPSK enables an external AAA server to manage multiple PSKs associated with a single SSID. the rXg leverages eDPSK in conjunction with internal and external account management to deleiver person area networks (PANs) and virtual residential gateway (vRG) for MDUs.
Prerequisites
- Have Onboarding VLANs, associated to policy with a splash portal
- Have usage plan available for selection on splash portal
- Make sure the "Automatic Provision" checkbox is selected
- Have VLAN(s) available for registered accounts
- Have account group(s) for registered accounts associated to a policy with a landing portal
Configuration
- Deploy vSZ OVA, configure the following in the VM console:
- Configure vSZ in Essentials mode
- Set Static IP Address, or set DHCP Reservation
- Continue the vSZ deployment at web GUI -
https://{vSZ IP}:8443
- Add vSZ to rXg wireless Infrastructure Devices
- Create an "Onboarding" RADIUS Realm and use an Attribute Pattern match since these devices would be unknown.
- Select your Onboarding VLANs, to ensure that users are presented the splash portal
- Create a Radius Realm for the policy of registered accounts
- - Select your Account VLANs
- Enable config sync on the vWLAN infrastructure device on the rXg
- Create a new WLAN choosing the following options
- Encryption: WPA2
- Authentication: Multiple PSK
- VLANs (Any associated with both realms)
- Create new RADIUS Server Attribute for onboarding
- Name: Ruckus-DPSK
- Value: onboarding (or whatever you want the onboarding PSK to be)
- Edit your Onboarding RADIUS Realm to respond with these attributes
- Tunnel-Private-Group-Id : %vlan_tag_assignment.tag%
- Tunnel-Type : VLAN
- Tunnel-Medium-Type : IEEE-802
- Ruckus-DPSK : onboarding
- Edit your registered account RADIUS Realm to respond with these attributes
- Tunnel-Private-Group-Id : %vlan_tag_assignment.tag%
- Tunnel-Type : VLAN
- Tunnel-Medium-Type : IEEE-802
- Tunnel-Password : %account.pre_shared_key%
RADIUS Server Realms
An entry in the radius server realms scaffold creates a response realm that enables the rXg to respond to RADIUS requests.
One or more radius server realms are required in order to link RADIUS requests with attributes. Only one radius server realm is required if the network design requires that the same set of RADIUS attributes to be transmitted to all RADIUS requests.
Multiple radius server realms may be created in order to allow the rXg integrated RADIUS Server to respond with different RADIUS attributes depending upon the request. The most common usage scenario that requires the creation of two or more radius server realms is a network design that requires different VLANs or sets of VLANs to be assigned based on information present in the incoming RADIUS request. A RADIUS Access-Request will match at most a single RADIUS Server Realm
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The rank of a RADIUS server realm, allows the operator to designate multiple RADIUS realms with the same policy selection. If a RADIUS request matches multiple RADIUS realms, the highest ranking realm is used. This is typically used to override RADIUS realms when specific criteria is met, such as a user of a given policy connecting to a special SSID.
The policies field enables the operator to restrict this response realm to one or more sets of Identities. RADIUS Access-Request messages usually contain the MAC address of the end-user device. Thus a radius server realm may be restricted to answer RADIUS Access-Requests originating from end-user devices whose MAC addresses are present within MAC Groups and Account Groups. If no policies are enabled then the rXg will not restrict this response realm based on Identities but may still be restricted by other parameters such as attribute patterns.
The attribute patterns subsection enables the operator to restrict this response realm to RADIUS Access-Requests that contain the specified RADIUS attributes. One common use for this is mechanism is to restrict a response realm to only respond to RADIUS Access-Requests originating from end-user devices that are attaching to a specific SSID. This capability enables the operator associate respond with different RADIUS attributes depending upon the data in RADIUS Access-Request.
The dynamic VLANs section determines which VLANs will be passed from the rXg to the RADIUS NAS when a RADIUS Access-Accept message is sent. VLAN assignments are typically passed through RADIUS Attributes.
VLAN assignments are made either per-Device, per-Account, per-Guest, or per-Room. Using the per-Device setting tells the rXg to assign each MAC address that it sees a unique VLAN. The per-Device selection maximizes broadcast domain separation. The per-Account selection puts MAC addresses that belong to the same Account within the same VLAN. The per-Room and per-Guest selections puts MAC addresses that are associated with the same PMS Room or Guest name within the same VLAN.
One or more VLAN records must be configured and selected in order for the dynamic VLAN mechanism to be enabled. In most cases each RADIUS Server Realm will be associated with only a single VLAN record.
VLANs will be assigned to devices / accounts / PMS-Rooms per the above described selection until all available VLANs in the selected record are exhausted. If the Reuse VLANs checkbox is enabled then the VLANs configured in the VLAN will be reused if the VLANs in the record are exhausted. This setting is most often used in conjunction with the per-Device VLAN assignment setting as the number of devices will sometimes exceed the number of available VLANs.
The infrastructure devices setting enables the operator to tie this RADIUS Server Realm with an infrastruture device for the purpose of sending vendor specific instructions when VLANs change. This configuration is an absolute requirement when the dynamic VLAN capability is used with most wireless LAN controllers and wired switches.
The Proxy Servers field enables the operator to proxy incoming RADIUS packets to configured RADIUS Proxy Servers , LDAP Domains , or PMS Servers.
The Proxy Options enable an operator to choose what type of RADIUS packets to proxy, Accounting, Authentication, or both. By default, the rXg integrated RADIUS Server will only proxy 802.1x authentications. The Proxy MAC Auth selection enables the operator to also proxy MAC based authentications. The Replace username selection will override the "User-Name" attribute with the associated accounts login. If the Proxy Server is being used for authentication, the Create Account selection will create a local account on the rXg, and optionally apply a Usage Plan.
The attributes field defines one or more RADIUS attributes that will be appended to all RADIUS responses. Use this mechanism to send vendor specific attributes to the devices making RADIUS requests.
The Assume MAC auth option specifies that when an Account is located during RADIUS lookup and the request looks like a MAC auth request (i.e., the username looks like a MAC address) that we should treat the request as a MAC auth request and use the MAC address as the cleartext password instead of setting the NT-Password.
The Always perform Account lookup option ensures that an Account lookup occurs for the request while checking this realm, assuming it has not been performed already by a higher ranked realm. This is in contrast to the normal behavior where Account lookup is skipped unless there are Account Group-based Policies attached to the realm (or a higher ranked realm). This is necessary if performing MSCHAP authentication and the realm is being selected based on a RADIUS Attribute match pattern, rather than group membership. In this case the lookup is still necessary in order to set the NT-Password for the MSCHAP module.
RADIUS Proxy Servers
An entry in the RADIUS proxy servers scaffold defines a server that may be used to proxy requests to other remote RADIUS servers.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The RADIUS server realms field determines which logical partitions of the RADIUS Server will proxy requests to THIS server.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The priority field is used when multiple RADIUS proxy servers are associated with a RADIUS realm. The RADIUS proxy server with the highest priority is queried first. If the RADIUS proxy server with the highest priority does not respond within the window defined by the tries and timeout fields, the next highest priority server is queried. If no RADIUS proxy servers respond, the end-user is denied access.
The IP field specifies the IP address of the RADIUS server to be queried for credential validation.
The port field specifies the UDP port to use when sending the RADIUS request for credential validation. Similarly the accounting port field specifies the UDP port to use when sending the RADIUS accounting start, stop and intermediate updates. Leave these fields blank to use the defaults.
The secret field is the RADIUS shared secret. It is used to encode and decode messages being sent to and from the RADIUS server. This setting must match that of the RADIUS server in order for credential validation to operate.
If a server does not respond to a request within the timeout time, the server marks the request as timed out. After the configured number of tries , the server is marked as being "zombie", and the zombie period starts. The default timeout window is large because responses may be slow, especially when proxying across the Internet.
A server that is marked "zombie" will be used for proxying as a low priority. If there are live servers, they will always be preferred to a zombie. Requests will be proxied to a zombie server ONLY when there are no live servers. Any request that is proxied to a server will continue to be sent to that server until the server is marked dead. At that point, it will fail over to another server, if a live server is available. If the server does not respond to ANY packets during the zombie period , it will considered to be dead.
If status check is something other than "none", then the server will start sending status checks at the start of the zombie period. It will continue sending status checks until the server is marked "alive". These status packets are sent ONLY if the server is believed to be dead. They are NOT sent if the server is believed to be alive. They are NOT sent if this server is not proxying packets. If the server responds to the status check packet, then it is marked alive again, and is returned to use.
The check interval field configures the number of status checks in a row that the server needs to respond to before it is marked alive. If you want to mark a server as alive after a short time period of being responsive, it is best to use a small check interval , and a large value for answers to alive. Using a long check interval and a small number for answers to alive increases the probability of spurious fail-over and fallback attempts.
RADIUS layer "status checks" are used to see if a server is alive when status check is set to "Status-Server".
Some servers do not support status checks via the Status-Server packet. Others may not have a "test" user configured that can be used to query the server, to see if it is alive. For those servers, there is NO WAY of knowing when it becomes alive again. In this case, after the server has been marked dead, the revival interval must elapse before it is marked alive again, in the hope that it has come back to life. If it has NOT come back to life, the zombie period must elapse before marking it dead again. During the zombie period , all authentications will fail, because the server is still dead. There is nothing that can be done about this, other than to enable the status checks. e.g. if zombie period is 40 seconds, and revive interval is 300 seconds, then for 40 seconds out of every 340, or about 10% of the time, all authentications will fail. If the zombie period and revive interval configurations are set smaller, then it is possible for up to 50% of authentications to fail. We recommend enabling status check , and we do NOT recommend relying on revive interval. The revive interval is used ONLY if status check is set to "none".
If the server does not support Status-Server packets, then the proxying server can still send Access-Request or Accounting-Request packets with a pre-defined username. This behavior is enabled by setting status check to "Access-Request". This practice is NOT recommended, as it may potentially let users gain network access by using these "test" accounts. If it is used, we recommend that the server ALWAYS respond to these Access-Request status checks with Access-Reject. The status check just needs an answer, it does not need an Access-Accept. For Accounting-Request status checks, only the username needs to be set. The rest of the accounting attribute are set to default values. The server that receives these accounting packets SHOULD NOT treat them like normal user accounting packets.
RADIUS Server
The rXg internal credential database of users and tokens may be remotely accessed via the RADIUS protocol. Records in the RADIUS Server scaffold configure the behavior of the rXg RADIUS server.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The secret field defines the RADIUS shared secret. This shared credential must be identical to one configured on the RADIUS NAS devices that will access this RADIUS server.
The auth port and acct port fields configure the ports that the RADIUS server will listen for requests on. In most cases, the RFC defined ports of 1812 and 1813 should be used as many RADIUS NAS devices are only able to connect to those ports.
The debug field configures the RADIUS server to log the contents of all request and response packets to the log file.
The certificate field specifies an alternate certificate chain to configure the RADIUS server with.
The WAN targets and policies fields determine the set of devices that are allowed to have access to the rXg integrated RADIUS server. By default the rXg has packet filtering rules in place that prevent access to the integrated RADIUS server. This ensures that no devices of any kind may access the RADIUS server unless the operator takes specific action to enable access.
Access to the rXg integrated RADIUS server for RADIUS NAS devices that are on the WAN is enabled by creating one or more WAN targets for the RADIUS NAS devices and then enabling the appropriate check boxes. RADIUS NAS devices on the LAN may be granted access by placing the IPs of the RADIUS NAS devices into an IP Group and then linking the IP Group into a Policy which may be selected here.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RADIUS Server Attributes
The rXg integrated RADIUS server responds to RADIUS requests with RFC defined attributes. The operator may define additional attributes to be present in RADIUS responses by creating RADIUS Server Attribute records. Each record defines one additional attribute that will be presnet
The name configures the name of the RADIUS attribute that will be sent to the RADIUS NAS. The name must be agreed upon and configured identically on both the RADIUS server and the RADIUS NAS.
The value configures the value of the payload of the RADIUS attribute that will be sent to the RADIUS NAS in RADIUS server response. The value may be static (e.g., 'IEEE-802' for the 'Tunnel-Medium-Type' when configuring dynamic VLANs). Alternatively the value may be a dynamic value configured through substitution variables.
The RADIUS Server Realms field determines which RADIUS requests will contain the RADIUS Server Attribute defined by this record. More than one RADIUS Server Realm may be selected and thus the RADIUS Server Attribute defined by this record will be present in the responses to each of the defined realms.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Most dynamic VLAN configurations require the following three attributes to be configured:
| Tunnel-Medium-Type
| 802
|
| Tunnel-Private-Group-ID
| %vlan_tag_assignment.tag%
|
| Tunnel-Type
| VLAN
|
Substitution
Payload fields may contain special keywords surrounded by % signs that will be substituted with relevant values. This enables the operator to deliver values stored in the database as part of the payload.
List of objects available:
Account Create | Usage Plan Purchase | Transaction: success/failure |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
ip_group | login_session | login_session |
login_session | usage_plan | merchant |
usage_plan | account | payment_method |
account | merchant_transaction | |
usage_plan | ||
account |
Credit Card Expiring | Coupon Redemption | Account Charge: success/failure/no response |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | coupon | login_session |
payment_method | login_session | payment_method |
usage_plan | usage_plan | response |
account | account | usage_plan |
account |
Trigger: Connections | Trigger: Quota | Trigger: DPI |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | login_session | login_session |
max_connections_trigger | quota_trigger | snort_trigger |
transient_group_membership | transient_group_membership | transient_group_membership |
account | account | account |
Trigger: Time | Trigger: Log Hits | Health Notice: create |
---|---|---|
cluster_node | cluster_node | cluster_node |
custom_email | custom_email | custom_email |
device_option | device_option | device_option |
login_session | login_session | health_notice |
time_trigger | log_hits_trigger | |
transient_group_membership | transient_group_membership | |
account | account |
Health Notice: cured |
---|
cluster_node |
custom_email |
device_option |
health_notice |
List of objects available for all associated record types:
Aged AR Penalty |
---|
cluster_node |
custom_email |
device_option |
aged_ar_penalty |
login_session |
payment_method |
usage_plan |
account |
List of attributes available for each object:
account | usage_plan | merchant |
---|---|---|
id | id | id |
type | account_group_id | name |
login | name | gateway |
crypted_password | description | login |
salt | currency | password |
state | recurring_method | test |
first_name | recurring_day | note |
last_name | variable_recurring_day | created_at |
automatic_login | updated_at | |
usage_plan_id | note | created_by |
usage_minutes | created_at | updated_by |
unlimited_usage_minutes | updated_at | signature |
usage_expiration | created_by | partner |
no_usage_expiration | updated_by | invoice_prefix |
automatic_login | time_plan_id | integration |
note | quota_plan_id | store_payment_methods |
logged_in_at | usage_lifetime_time | live_url |
created_at | absolute_usage_lifetime | pem |
updated_at | unlimited_usage_lifetime | scratch |
created_by | no_usage_lifetime | dup_timeout_seconds |
updated_by | recurring_retry_grace_minutes | |
mb_up | recurring_fail_limit | |
mb_down | prorate_credit | |
pkts_up | permit_unpaid_ar | |
pkts_down | pms_server_id | |
usage_mb_up | lock_devices | |
usage_mb_down | scratch | |
unlimited_usage_mb_up | max_sessions | |
unlimited_usage_mb_down | max_devices | |
company | unlimited_devices | |
address1 | unlimited_sessions | |
address2 | usage_lifetime_time_unit | |
city | max_dedicated_ips | |
region | pms_guest_match_operator | |
zip | recurring_lifetime_time | |
country | recurring_lifetime_time_unit | |
phone | unlimited_recurring_lifetime | |
bill_at | sms_gateway_id | |
lock_version | validation_method | |
charge_attempted_at | validation_grace_minutes | |
lock_devices | max_party_devices | |
relative_usage_lifetime | unlimited_party_devices | |
scratch | upnp_enabled | |
portal_message | automatic_provision | |
max_devices | conference_id | |
unlimited_devices | ips_are_static | |
max_sessions | base_price | |
unlimited_sessions | vtas_are_static | |
max_dedicated_ips | manual_ar | |
account_group_id | ||
email2 | ||
pre_shared_key | ||
phone_validation_code | ||
email_validation_code | ||
phone_validated | ||
email_validated | ||
phone_validation_code_expires_at | ||
email_validation_code_expires_at | ||
max_party_devices | ||
unlimited_party_devices | ||
nt_password | ||
upnp_enabled | ||
automatic_provision | ||
ips_are_static | ||
guid | ||
vtas_are_static | ||
account_id | ||
max_sub_accounts | ||
unlimited_sub_accounts | ||
approved_by | ||
approved_at | ||
pending_admin_approval | ||
wispr_data | ||
hide_from_operator |
payment_method | merchant_transaction | coupon |
---|---|---|
id | id | id |
account_id | account_id | usage_plan_id |
active | payment_method_id | code |
company | merchant_id | credit |
address1 | usage_plan_id | expires_at |
address2 | amount | note |
city | currency | created_by |
state | test | updated_by |
zip | ip | created_at |
country | mac | updated_at |
phone | customer | batch |
note | scratch | |
created_at | merchant_string | max_redemptions |
updated_at | description | unlimited_redemptions |
created_by | success | |
updated_by | response_yaml | |
scratch | created_at | |
customer_id | updated_at | |
card_id | created_by | |
nickname | updated_by | |
encrypted_cc_number | message | |
encrypted_cc_number_iv | authorization | |
encrypted_cc_expiration_month | hostname | |
encrypted_cc_expiration_month_iv | http_user_agent_id | |
encrypted_cc_expiration_year | account_group_id | |
encrypted_cc_expiration_year_iv | subscription_id | |
encrypted_first_name | ||
encrypted_first_name_iv | ||
encrypted_middle_name | ||
encrypted_middle_name_iv | ||
encrypted_last_name | ||
encrypted_last_name_iv | ||
cc_number | ||
cc_expiration_month | ||
cc_expiration_year | ||
first_name | ||
middle_name | ||
last_name |
login_session | ip_group | device_option |
---|---|---|
id | id | id |
account_id | policy_id | name |
radius_realm_id | name | active |
login | priority | device_location |
ip | note | domain_name |
mac | created_at | ntp_server |
expires_at | updated_at | time_zone |
online | created_by | smtp_address |
radius_acct_session_id | updated_by | rails_env |
radius_response | scratch | note |
radius_class_attribute | created_at | |
created_at | updated_at | |
updated_at | created_by | |
created_by | updated_by | |
updated_by | smtp_port | |
bytes_up | smtp_domain | |
bytes_down | smtp_username | |
pkts_up | smtp_password | |
pkts_down | cluster_node_id | |
usage_bytes_up | scratch | |
usage_bytes_down | log_rotate_hour | |
ldap_domain_id | log_rotate_count | |
radius_realm_server_id | ssh_port | |
ldap_domain_server_id | country_code | |
cluster_node_id | disable_hyperthreading | |
shared_credential_group_id | developer_mode | |
ip_group_id | sync_builtin_admins | |
account_group_id | delayed_job_workers | |
usage_plan_id | log_level | |
lock_version | max_forked_processes | |
hostname | soap_port | |
total_bytes_up | reboot_timestamp | |
total_bytes_down | reboot_time_zone | |
total_pkts_up | limit_sshd_start | |
total_pkts_down | limit_sshd_rate | |
radius_server_id | limit_sshd_full | |
radius_request | use_puma_threads | |
backend_login_at | ||
http_user_agent_id | ||
backend_login_seconds | ||
portal_login_at | ||
omniauth_profile_id | ||
encrypted_password | ||
encrypted_password_iv | ||
conference_id | ||
password |
custom_email | transient_group_membership | time_trigger |
---|---|---|
id | id | id |
name | ip_group_id | account_group_id |
from | mac_group_id | name |
subject | account_group_id | mon |
body | account_id | tues |
event | ip | wed |
note | mac | thurs |
created_by | reason | fri |
updated_by | expires_at | sat |
created_at | created_by | sun |
updated_at | updated_by | start |
send_to_account | created_at | end |
scratch | updated_at | note |
email_recipient | cluster_node_id | created_by |
include_custom_reports_in_body | max_connections_trigger_id | updated_by |
attachment_format | quota_trigger_id | created_at |
custom_event | time_trigger_id | updated_at |
delivery_method | snort_trigger_id | ip_group_id |
sms_gateway_id | hostname | mac_group_id |
reply_to | radius_group_id | scratch |
ldap_group_id | flush_states | |
login_session_id | flush_dhcp | |
log_hits_trigger_id | flush_arp | |
flush_states | flush_vtas | |
flush_dhcp | infrastructure_area_id | |
flush_arp | previous_infrastructure_area_id | |
flush_vtas | duration | |
vulner_assess_trigger_id | current_dwell | |
previous_dwell |
log_hits_trigger | snort_trigger | max_connections_trigger |
---|---|---|
id | id | id |
ip_group_id | ip_group_id | ip_group_id |
mac_group_id | name | name |
name | duration | max_connections |
note | note | duration |
log_file | created_by | note |
duration | updated_by | created_by |
max_hits | created_at | updated_by |
window | updated_at | created_at |
scratch | scratch | updated_at |
created_by | mac_group_id | scratch |
updated_by | flush_states | mac_group_id |
created_at | flush_dhcp | flush_states |
updated_at | flush_arp | flush_dhcp |
flush_states | flush_vtas | flush_arp |
flush_dhcp | flush_vtas | |
flush_arp | max_duration | |
flush_vtas | max_mb | |
period | ||
active_or_expired | ||
max_duration_logic | ||
max_mb_logic |
quota_trigger | health_notice | cluster_node |
---|---|---|
id | id | id |
account_group_id | cluster_node_id | name |
name | name | iui |
usage_mb_down | short_message | database_password |
usage_mb_down_unit | long_message | note |
usage_mb_up | cured_short_message | created_by |
usage_mb_up_unit | cured_long_message | updated_by |
up_down_logic_operator | severity | created_at |
note | cured_at | updated_at |
created_by | created_at | ip |
updated_by | updated_at | ssh_public_key |
created_at | created_by | scratch |
updated_at | updated_by | heartbeat_at |
radius_group_id | fleet_node_id | data_plane_ha_timeout_seconds |
ldap_group_id | node_mode | |
period | cluster_node_team_id | |
unlimited_period | wal_receiver_pid | |
duration | wal_receiver_status | |
unlimited_duration | wal_receiver_receive_start_lsn | |
scratch | wal_receiver_receive_start_tli | |
ip_group_id | wal_receiver_received_lsn | |
mac_group_id | wal_receiver_received_tli | |
flush_states | wal_receiver_latest_end_lsn | |
flush_dhcp | wal_receiver_slot_name | |
flush_arp | wal_receiver_sender_host | |
flush_vtas | wal_receiver_sender_port | |
wal_receiver_last_msg_send_time | ||
wal_receiver_last_msg_receipt_time | ||
wal_receiver_latest_end_time | ||
op_cluster_node_id | ||
priority | ||
auto_registration | ||
permit_new_nodes | ||
auto_approve_new_nodes | ||
pending_auto_registration | ||
pending_approval | ||
control_plane_ha_backoff_seconds | ||
data_plane_ha_enabled | ||
upgrading | ||
enable_radius_proxy |
aged_ar_penalty |
---|
id |
name |
amount |
days |
suspend_account |
note |
created_at |
updated_at |
created_by |
updated_by |
custom_email_id |
scratch |
record_type |
days_type |
Rotator
The rXg rotator service enables operators to simply and easily integrate content rotation into the captive portal web application. The system is designed to deliver zero-intervention advertising rotation via the captive portal web application to provide dynamic pre-authentication, post-authentication and interstitial advertising. In addition, the system can be used for a broad spectrum of other communication purposes other than advertising. For example, an operator may choose to use the rotator service to communicate late breaking news, integrate with third party messaging transport mechanisms or photographic galleries and real-time web cameras.
The rotator service may be directly accessed via an HTTP request to the rXg with a suffix of rotator
. The URN parameter must be specified to identify a particular rotator set that is to be accessed. Since the rotator service is accessible via a URL, it can be integrated into any third party display mechanism capable of making HTTP requests. For example, using a web browser connected to the LAN side of a newly installed rXg, open the URL:
https://rxg.local/rotator/?urn=postauth
.
The postauth
URN is a demonstration rotator that is part of the default rXg installation. It contains a series of advertisements that are displayed on the post-authentication landing page of the default portal. Reloading the web browser window will result in the rotation of the advertisements that are present in the chosen rotator.
The rotator service is implemented as a Ruby on Rails controller so that it may be easily integrated into the captive portal web application. Each time the captive portal page is loaded, the rotator displays a different payload.
To add a rotator to a captive portal page, edit the page and insert the following embedded ruby code where you would like the rotatee payload to be inserted:
<%= render partial: 'rotator', locals: { urn: ' **urn**' } %>
The urn
parameter in the example must be replaced with a string corresponding to a rotator scaffold entry. Incorrect specification of a rotator with a matching urn field will result in an error message being embedded into the portal page.
The rotator service is one of the many ways that the rXg enables operators to quickly and easily generate revenue from an end-user population. To maximize revenue, we strongly suggest that you partner with numerous affiliate programs that are appropriate to your end-user population. A good introductory text on affiliate programs is Make a Fortune Promoting Other People's Stuff Online: How Affiliate Marketing Can Make You Rich (ISBN 0071478132) by Rosalind Gardner. An excellent affiliate marketing recipe and ideas reference book is A Practical Guide to Affiliate Marketing: Quick Reference for Affiliate Managers & Merchants (ISBN 0979192706) by Evgenii Prussakov.
Rotators
An entry in the rotators scaffold creates a rotation group that can be integrated into the captive portal web application.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The URN field configures the uniform resource name that uniquely identifies this rotator. The URN is the parameter that is used to choose a specific rotator when incorporating the rotator service into a captive portal page.
The rotatees list enables the operator to select rotatees from the set of all rotatees to associate with this rotator. The rotator will choose one rotatee to display from among the associated rotatees.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Rotatees
An entry in the rotatees scaffold creates a member of a rotator group and specifies the payload that should be displayed.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The rotator field defines one or more rotators for this rotatee to be associated with.
The payload field defines the data that will be presented when a rotator service associated with this rotatee is accessed. In a typical scenario, this field is populated with an HTML fragment that contains a block of text or a reference to an image that is part of an advertising campaign.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Display and track advertisements
Navigate to Services::Ad Rotator.
The default portal by default looks for a Rotator with a URN of default to display the Rotatees. Create a new Rotator. The Name field is arrbitrary. Since the default portal looks for the URN of default set the URN field to default. Click Create.
Now that the Rotator has been configured, Rotatees can now be created that will contain the payload for the advertisement. In this example we will create Rotatees that will display on the main page of the default portal. Create a new Rotatee. The Name field is arrbitrary. In the Rotators field check the default box. The Payload field contains the url to the advertisement. The Target URL field contains the URL the user should be taken to if the click on the advertisement. The Price field is where the price paid for the advertisement can be entered and will be used in reports to calculate the price per impression/conversion. Do note that if the Payload is hosted outside the then it must be whitelisted on the splash portal in order for the content to be displayed. Click Create.
Repeat creating a Rotatee for each advertisement. In this example each advertisement is an image of fruit, and clicking on the advertisement image will link to wikipedia, but this could be the products homepage.
Rotator Logs will record an entry each time an Rotatee is loaded, it will display the IP of the device the advertisement was served to, along with the MAC address, Hostname, and Browser the device was using. The Rotator Logs will also show you if the advertisement was clicked.
The operator of the rXg can create reports showing detailed information about the number of clicks and conversions related to each Rotatee. To create a custom report navigate to Archives::Reports::Custom Reports.
There are two reports specific to the Ad Rotators. The first one is the Rotatee Metrics Custom Report. Create a new Custom Report. The Name field is arbitrary. Under Report set the Type field to Rotatee Metrics. Set the Time field to the desired time. Everyting else can be left to the defaults. Click Create.
The report can be viewed by clicking the view option on the left side of the scaffold. The Rotatee field shows the name of the Rotatee. The Impressions column displays the number of times the Rotatee was loaded and displayed. The Conversions column displays the number of times the Rotatee was clicked. The Conversion Ratio column displays the ratio of times Rotatee was loaded and clicked (Conversions divided by the number of Impressoins). The*Conversion Time(s)* section of the report gives you the average, minimum, and maximum number of conversions. Lastly the Cost section of the report displays the Price paid, the per impression cost (Price divided by the number of impressions), and the per conversion price (Price divided by the number of conversions).
The second report is the Rotator Impressions report. Create a new Custom Report. The Name field is arbitrary. Under Report set the Trype field to Rotator Impressions , and set the desired time for the report using the Time field. Click Create.
The report can be viewed by clicking the view option on the left side of the scaffold. The Impression column shows the date and time the Rotatee was displayed. The Rotator/Rotatee column shows which Rotatee the entry is for. The URL column shows the URL the device was trying to access when it was presented with the Rotatee. The IP field lists the IP of the device. The MAC field displays the MAC address of the device. The Hostname field will display the hostname of the device if available. The OS field displays the OS running on the device. The Browser field displays the browser the device is using along with the Version. The Login field displays the Policy the device is a member of. Lastly the Conversion Time(s) field displays the time between when the Rotatee was loaded and the user click on the Rotatee if applicable.
Display videos in captive portal based on location
In this example the rXg will be configured to display an advertisement video and static image in the captive portal based on the portal the device is accociated and the location of the device when it connects, using a prebuilt portal.
- Create Custom Portal.
- Create Splash and Landing portal to associate custom portal to.
- Create Shared Credential to activate ad rotator and allow access after advertisement.
- Create Rotators , this is what is used to determine which set of advertisements to display.
Create Rotatees , this is the advertisement content that will be displayed.
Create custom portal.
Navigate to System::Portals and create a new Custom Portal.
The Name field is arbitrary, for this example it will be named "videotest". The Controller name field is what is displayed in the URL when accessing the portal, for this example it will be "videotest". Set the Portal source field to Duplicate Local and the Duplicate field to default as the default portal will be used here. Click Create.
- Create Splash and Landing portal to associate custom portal to.
Navigate to Policies::Captive Portal and create a new Splash Portal.
The Name field is arbitrary, for this example it will be named "Splash". The rXg Portal field should be set to the portal created in step 1 which is "videotest". Select the policy associated unknown devices(devices connecting to the network for the first time), for the purpose of this example the "Onboarding Policy" will be selected. Click Create.
Create a new Landing Portal.
The Name field is arbitrary, for this example it will be named "Landing". The rXg Portal field should be set to the portal created in step 1 which is "videotest". Select the policy associated with devices that have authenticated for the purpose of this example the "Free Policy" will be selected. Click Create.
- Create Shared Credential to activate ad rotator and allow access after advertisement.
Navigate to Identities::Shared Credentials , and create a new Shared Credential Group.
The Name field is arbitrary, for this example it will be named "videotest". Remove the characters from the Credential field , the code is looking for a blank credential to activate the advertisements. The Policy field is used to select which policy the end user will become a member of after watching/viewing the advertisement, for this example the "Free" policy will be used. The Time field is used to set the amount of time the end user will be granted after authenicating, this will be set to 1 hour in this example. Both the Download quota and the Upload quota fields will be set to unlimited. By default a shared credential is valid for one week, this can be extended by changing the date in the Expires field, this will be set to the year 2099. Makes sure that the "Splash" portal is selected in the Splash Portals field. We can limit the number of simultaneous users by setting a value in the Simultaneous Users field, here it will be set to unlimited. If desired the Intersession field can be used to set a period of time that must pass before the same device can use the credential, this will be left at 0 for this example. Finally if we want to end user to be presented with the portal again if they leave the network and return we can uncheck the Automatic login checkbox. Click Create
- Create Rotators , this is what is used to determine which set of advertisements to display.
Navigate to Services::Ad Rotator. To determine which advertisements to display a Rotator must be created for each entity we want to match againts, a fallback can be created that will display advertisesments if there are no other matches. The URN for the fallback is the value "video", the rXg has the ability to match against the specific portal an end user is presented with, this can be further enhanced by adding a location as well. To start the fallback will be created first. Create a new Rotator.
Because this is the fallback enter "Fallback" in the Name field and the URN field value will be "video". Click Create.
The next Rotator will match against the portal created in Step 1. Create a new Rotator , for this example the value of the Name field will be "videotest" which matches the portal created earlier. Note: this name can be anything and does not need to match the portal name. The URN field will need to match the portal name as this Rotator will be used to match against the portal created in Step 1, the value for the URN field will be "videotest_video". Click Create.
This system is configured with Location Areas that consist of a Floor and two Regions we can match against. The floor is named "building1" and then there are two regions name "room1" and "room2" that can be used to match against. If the match is against "building1" then any device connected to an AP located within the regions attached to "building1" will display advertisements assigned to the Rotator. "Building1" contains the regions "room1" and "room2".
To match against "building1" create a new Rotator , the Name field is arbitrary for this the value will be set to Videotest_building1, and the URN value is "videotest_building1_video". Click Create.
To make the match specific to a region we can use the region name instead of "building1", create a new Rotator , the value for the Name field is arbitrary and will be set to "Videotest_room1" in this example. The URN field will be the portal we want to display this on followed by the region and then video, which results in "videotest_room1_video". Click Create.
- Create Rotatees , this is the advertisement content that will be displayed.
The final step is creating the entries that the rXg can draw from to display content. If more than one Rotatee is created per Rotator then the rXg will randomly pick a matching Rotatee. The default portal contains 3 images and 5 videos we can use to display for this example. To display one of the examples videos to an end user connected in room1 create a new Rotatee.
The Name field is arbitrary and its value will be set to "Video1" for this example. Select the "Videotest_room1" checkbox in the Rotators field to display this content to an end user connected in room1. For this example we will display a video of clouds in this Rotatee using the following Payload"<video class="w-100 mb-3" src="/static/portal/videotest/clouds_1.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;">". Click Create This step can be repeated for each advertisement that should be displayed.
For the last example a Rotatee that contains a static image will be created to be displayed to end users as a fallback in the event they do not match aginst the portal or a location area. Create a new Rotatee. Provide a name and select the "Fallback" checkbox in the Rotators field. For this example we will use the payload "<img src="/static/portal/videotest/ad_one.png" width="80%" class="d-block mx-auto my-3">". Click Create. Note: for a list of images and videos provided in the default portal please scroll down.
The above examples were all locally hosted files within the /static directory of the captive portal. To use content that is stored remotely, a WAN target must be configued containing the domains and or IP addresses of where the content resides and it must be applied as a whitelist to the Splash portal. To create a WAN target navigate to Identities::Definitions and create a new WAN Target.
The Name field is arbitrary, value here will be "Ad Whitelist". In the Targets field enter the domains and or IP addresses that will contain content then click Create.
Once the WAN Target has been created, it must be set as a whitelist on the captive portal. Navigate to Policies::Captive Portal and edit the Splash portal.
Type the name of the WAN target into the Whitelist field and it will bring up any matching results, click on each one to add it to the whitelist. Click Update.
Now we can pull content from the domain(s) that are in the Whitelist. For example to pull content from rxg-lab.tech which is included in the Whitelist that was created. Create a new Rotatee give it a name, and the Payload will be <img src="https://rxg-lab.tech/images/ad\_two.png" width="80%" class="d-block mx-auto my-3">. Include the Rotators the content should be associated with and click Create. Note: to include external content it is important that you define a WAN target that contains all the domains and IP addresses content will be pulled from and this needs to be assigned to the Whitelist of the portal where the content will be displayed.
Static Image examples included in default portal.
- ad_one.png <img src="/static/portal/videotest/ad_one.png" width="80%" class="d-block mx-auto my-3">
- ad_two.png <img src="/static/portal/videotest/ad_two.png" width="80%" class="d-block mx-auto my-3">
- ad_three.png <img src="/static/portal/videotest/ad_three.png" width="80%" class="d-block mx-auto my-3">
Video examples included in default portal. 1. Big_Buck_Bunny_360_10s_1MB.mp4 <video class="w-100 mb-3" src="/static/portal/videotest/Big_Buck_Bunny_360_10s_1MB.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;"> 2. clouds_1.mp4 <video class="w-100 mb-3" src="/static/portal/videotest/clouds_1.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;"> 3. control_vid.mp4 <video class="w-100 mb-3" src="/static/portal/videotest/control_vid.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;"> 4. money.mp4 <video class="w-100 mb-3" src="/static/portal/videotest/money.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;"> 5. mountains_2.mp4 <video class="w-100 mb-3" src="/static/portal/videotest/mountains_2.mp4" preload="none" muted webkit-playsinline playsinline style="display: none;">
Note: The links provided above are linked to the custom portal created for the example, if you use these you may need to change the "videotest" portion of the link to match the name of the custom portal you created.
Advanced Servers
The servers view of the services menu displays scaffolds that allow the operator to customize the behavior of various services integrated into the rXg.
Remote Database Access
The local database of an rXg may be configured for read-only access by third-party software tools When an rXg is configured with local server database storage. The local server database storage methodology configures the rXg to utilize PostgreSQL as the on board database. PostgreSQL is an advanced open source relational database with a wide variety of access options supported by both community-based open source projects as well as proprietary commercial offerings. A quick search for PostgreSQL GUIreveals numerous possibilities.
Many of the tools that integrate with PostgreSQL have GUIs for exploration. In addition, the vast majority allow for arbitrary execution of SQL queries.
Remote access to the on board rXg database is used to accomplish a broad spectrum of tasks. Advanced and highly customized reporting is one common use case. Below is an example of a report generated by the pgAdmin PostgreSQL GUI tool for the login log.
Another common use for remote database access is for integration with a third-party accounting system. Below is a report generated by pgAdmin from the credit card transactions log. A third-party accounting package could be configured to retrieve all of the transactions recorded in a particular time for automatic posting and reconciliation.
The remote database access feature is also a very convenient way to take periodic backups of the rXg database. This may be accomplished via GUI tools, but is also very easy to script. For example, thepg_dump
utility may be run as a scheduled task on Windows or a cron job on a UNIX-based system to automate periodic backups of the rXg.
Remote database access is governed by the Database scaffold as discussed below. The default PostgreSQL port is used and the default database name is config
. The name of the database being used by the rXg may be changed via the Cluster view of the administrative console. It is strongly advised that the default database name be used.
Remote database access is a powerful tool for operators who wish to integrate the rXg with third-party devices, systems and software. Nearly any form of read-only integration may be achieved. To obtain read-write access to the database, the rXg API key mechanism (discussed in the Adminis view) must be used.
Database
Entries in the database scaffold define the remote access policy and credentials for the local database on an rXg. This scaffold is only accessible on an rXg that is configured to use a local server database storage type.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The username and password fields contain the credentials for accessing the database. These credentials are generated by the rXg and are immutable.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
NTP Server
Entries in the NTP Server scaffold define configuration profiles for the rXg integrated NTP server. Precise and accurate local time keeping is a critical aspect of a functioning and error free billing system. The rXg uses the network time protocol to synchronize the local clock with established servers. In addition, both local and remote devices may be configured to use the rXg as a NTP server.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
SNMP Server
Entries in the SNMP Server scaffold define configuration profiles for the rXg integrated SNMP server. Many of the instruments that may be accessed via the rXg administrative console are also available via SNMP. This allows the rXg to be probed by a SNMP network or element management system and enables the operator to use to integrate the rXg as part of a large scale heterogeneous network.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The community is the read only (r/o) string that is used to gain access to this rXg via SNMP. Remote access to SNMP is disabled by default.
The port field specifies which port the SNMP server should listen for SNMP probes.
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
The Receive Traps option enables the SNMP Trap listener on the rXg. Access to the server is restricted by the visibility and WAN Target selections. SNMP agents may use the community string specified here or the community string of an Infrastructure Device.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
SNMP MIBs
Integrating any network device with an SNMP monitoring solution usually requires MIBs. The following is list of MIBs that are available to download to assist with SNMP integration to the rXg:
TFTP Server
Entries in the TFTP Server scaffold define configuration profiles for the rXg integrated TFTP server. May third-party networking devices are configured by loading files over TFTP. The intended use of the rXg integrated TFTP server is to simplify the process of configuring and configuring provisioning of third-party devices.
The TFTP server delivers files out of /space/tftpboot
. It is assumed that the operator will use SFTP to transfer files to the rXg that will be served by the rXg integrated TFTP server. In addition, the rXg captive portal may be customized to generate files into this directory for zero operator intervention provisioning scenarios. For example, the captive portal may be customized to generate files for provisioning VoIP ATAs and telephones for end-users who have purchased a usage plan that incorporates a VoIP package.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The WAN targets and policies fields specify which sets of hosts should be allowed access to the rXg integrated TFTP server. TFTP does not include any authentication. Thus, by default, no access is allowed to the rXg integrated TFTP server. The operator must specifically enable access to hosts on the WAN by creating WAN targets and enabling the appropriate check boxes. Hosts on the LAN may be granted access by placing the hosts into a group and then linking them into a policy which is selected here.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Iperf Server
Entries in the Iperf Server scaffold define configuration profiles for the rXg integrated Iperf server. Iperf is the de-fato standard mechanism for measuring the available network bandwidth. To use this feature of the rXg, the operator must have an Iperf client installed on one or more external devices.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The port field configures the port that the Iperf server will be listening for connections on. The default port is 5201.
The WAN targets and policies fields specify which sets of hosts should be allowed access to the rXg integrated Iperf server. Iperf does not include any authentication. Thus, by default, no access is allowed to the rXg integrated Iperf server. The operator must specifically enable access to hosts on the WAN by creating WAN targets and enabling the appropriate check boxes. Hosts on the LAN may be granted access by placing the hosts into a group and then linking them into a policy which is selected here.
The rXg integrated Iperf server is most often used with devices on the LAN to instrument the maximum bandwidth between an end-user device and the rXg. The maximum speed reported by Iperf will be determined by the physical media speed and the bandwidth queue that is associated with the client device. Note that if the end-user has been associated with a usage quota, the use of Iperf will be counted into the quota.
Iperf may also be used from the WAN side to instrument the maximum bandwidth available on WAN uplinks. In order to acquire correct data, the Iperf client should be placed immediately adjacent to the rXg on the WAN. Using a Iperf client that is multiple hops away from the rXg will usually provide nonsensical results because it is impossible to guarantee that the intermediate hops will have sufficient bandwidth for the test.
The use of Iperf is highly preferred to web-based online bandwidth meters such as speedtest.net. This is because the Iperf server enables the operator to independently test the LAN distribution network and the WAN uplinks. A web-based online bandwidth meter can only perform a complete end-to-end test that does not provide any information as to where the potential problem is. Also, the results from an web-based online bandwidth meter test may be skewed by proxies, including the rXg integrated transparent web proxy.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
MQTT Server
Entries in the MQTT Server scaffold define configuration profiles for the rXg integrated MQTT server.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The WAN targets and policies fields specify which sets of hosts should be allowed access to the rXg integrated MQTT server. MQTT does not include any authentication. Thus, by default, no access is allowed to the rXg integrated MQTT server. The operator must specifically enable access to hosts on the WAN by creating WAN targets and enabling the appropriate check boxes. Hosts on the LAN may be granted access by placing the hosts into a group and then linking them into a policy which is selected here.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Virtualization
- Virtualization Deployment Guide
- Virtualization Design Guide
The virtualization view presents the scaffolds associated with configuring a virtual environment, including hosts, guests, and networking.
Virtualization Deployment Guide
The most common use case of virtualization within the rXg is to cluster multiple rXgs together on the same bare metal machine to maximize the use of available resources. The following steps will guide you through building a virtual infrastructure capable of clustering.
Note: If rXg virtualization host is itself installed onto a virtual machine running on ESXi, ensure that hardware virtualization is enabled in the VM options.
Create a Virtualization Host
From the Virtualization Hosts scaffold, click Create New
A host can be created on any bare metal node you wish to use as a virtualization environment. Assign the host a name and select the node that will be used for virtualization. The Autostart delay can be left at the default of 5 seconds. You will notice that a virtual switch has already been added for each physical interface on the host. Keep this configuration as is; at the bottom, you can click create.
Note: It is necessary to have the physical interface for the cluster network in an active state, even if there is no plan to egress traffic from that interface.
Load the ISO onto the Host
Once the host is created, you can click Disk Images to load the ISO file that will be used as the operating system for your virtual machines.
Next, click Create New.
The Filename field is required. This will be used to reference the associated .iso file. The rXg provides two methods to load the .iso file onto the system. You can provide a URL that points to the .iso file, and the rXg will download it directly, or you can use the File Upload method to select an .iso from your local machine to upload to the system.
Once the upload/download is complete, you will see the file in the list.
Create a Virtual Machine
From the Virtualization Machines scaffold, click Create New
Assign the virtual machine a name and select the host that it should be built on.
Cluster Node Auto Provision
If this VM is to be part of a cluster, and the Virtualization Host is the CC, you can use the Cluster Node dropdown to automate the clustering configuration. The rXg will combine the data collected from this form with available information from the CC, create a configuration template, and automatically apply it after the software installation is complete. This process allows the VM to join the cluster automatically.
Note: The host CC record (System >> Cluster) will need to be configured for Automatic Registration.
The Cluster Node dropdown will allow you to select an existing cluster node record or create a new one. If you choose an existing record, you need to check the Auto Provision option to activate this feature. All other required information is collected from the current configuration. If you choose Create New, providing the Node Mode and Node IP address will also be necessary.
Create New
Existing Record
The bootloader can stay at the default setting for the rXg installation. Other operating systems, such as Windows, may require a different bootloader. Set the memory and CPU count as necessary to support the VM that you are creating. It is recommended to enable Autostart so that if the host is power cycled, the guest VM will automatically start back up. Add virtual interfaces as needed and assign them to a virtual switch. In this example, I have created a virtual interface for the WAN, CIN, and LAN and matched them to the physical ports I plan to use on the host. Add a virtual disk to the VM of the appropriate size to support the rXg that you are installing. Adding an additional 20 GB of space is necessary to allow for overhead here. Click Create.
Begin the OS Installation
With the VM created, you can click the Install link to select a disk image for installation.
Select the desired image and click Install.
Console Access
The console can be reached via an SSH session to the host node and then switching to the root user.
Type vm console your_vm_name
.
Press Enter
To exit the console session, assuming you were SSH'd to the host, type "~~."
You may need to press enter before the first ~ if it doesn't work the first time. (needs to be entered on its own input line)
After installation, the node can be configured from the primary CC.
Virtualization Hosts
The Virtualization Hosts scaffold enables creation, modification, and deletion of a host. The first step to creating a virtual machine in rXg is creating a virtualization host.
The Name field is an arbitrary string used to identify the host. This string is used for identification purposes only.
A virtualization host can be created on any of the bare metal machines in a cluster. The Node dropdown allows you to select the intended target for this configuration.
The Autostart Delay field defines the number of seconds to wait between starting each virtual machine with autostart enabled.
The Virtual Switches field allows for the creation of vswitches that virtual ports can later be attached to. One virtual switch per host interface will automatically be created when you create a new host.
The Virtual Machines field displays all virtual machines that are either unassigned (unchecked) or assigned (checked) to this host.
The Disk Images link, when selected, will allow the operator to manage the .iso files stored for virtual machine creation. Create New will provide the operator with options to either upload or download a new .iso file. The Filename field is required and will be used to reference the associated .iso file. The rXg can directly download a .iso file from a remote destination specified in the URL field. Alternatively, you can select Choose File and select a .iso file from your local machine for upload.
Virtual Machines
The Virtual Machines scaffold enables creation, modification, and deletion of virtual machines.
The Name field is an arbitrary string used to identify the host. This string is used for identification purposes only.
The Host dropdown allows you to specify the host for the virtual machine creation.
If this VM is to be part of a cluster, and the Virtualization Host is the CC, you can use the Cluster Node dropdown to automate the clustering configuration. The rXg will combine the data collected from this form with available information from the CC, create a configuration template, and automatically apply it after the software installation is complete. This process allows the VM to join the cluster automatically. The cluster node dropdown will allow you to select an existing cluster node record or create a new one. If you choose an existing record, you need to check the Auto Provision option to activate this feature. All other required information is collected from the current configuration. If you choose Create New , providing the Node Mode and Node IP address will also be necessary.
The Bootloader field allows for selecting a specific set of booting instructions that is most appropriate for your virtual machine. Use Bhyveload for rXg.
The Memory field allows the number of gigabytes of memory that should be allocated from the host to the virtual machine to be specified.
The Cores field allows the number of CPU cores that should be allocated from the host to the virtual machine to be specified.
The Autostart checkbox, if checked, will automatically start the virtual machine when the host starts. A delay between virtual machine starts can be configured in the host scaffold.
The Enable Graphics field, if selected, will start a VNC server to provide GUI access to the VM.
The Virtual interfaces section allows for the creation of virtual interfaces that can connect the virtual machine to the virtual switch. Creating a virtual interface in this scaffold will also add it to the Virtual Interfaces scaffold. The name field is an arbitrary string used to identify the interface. This string is used for identification purposes only. The emulation field allows for the specification of the emulation type. Virtio-net is recommended in most cases. The virtual switch dropdown allows you to select with which switch the interface you are creating will be assigned. A virtual switch enables interfaces to communicate with each other or with an associated uplink. The MAC field allows the assignment of a custom MAC address to the interface. Leaving this field blank will result in a MAC address being automatically created.
The Virtual disks section allows for creating a virtual drive that can connect to this virtual machine. Creating a virtual disk in this scaffold will also add it to the Virtual Disks scaffold. The name field is an arbitrary string used to identify the interface. This string is used for identification purposes only. The Size field specifies the number of gigabytes of drive space that should be allocated from the host to the virtual machine. The emulation field allows for the specification of the emulation type. Virtio-blk is recommended in most cases.
Virtual Switches
The Virtual Switches scaffold enables the creation, modification, and deletion of virtual switches.
The Name field is an arbitrary string used to identify the host. This string is used for identification purposes only.
The Host dropdown allows you to specify the host for the virtual switch creation.
The Switch Type dropdown allows a switch type to be specified. Standard is recommended for most cases.
The Interface dropdown provides a list of available physical interfaces from the host machine. Selecting an interface from this dropdown will assign it to this virtual switch as an uplink. Each physical interface can only be assigned to one virtual switch.
The Virtual Interfaces field provides a list of available virtual interfaces that can be assigned to this switch. Selecting an interface from this dropdown will assign it to this virtual switch and unassign it from any other switch.
Virtual Disks
The Virtual Disks scaffold enables the creation, modification, and deletion of virtual disks.
The Name field is an arbitrary string used to identify the host. This string is used for identification purposes only.
The Virtual Machine dropdown specifies with which virtual machine this disk should be associated.
The Size (GB) field specifies the number of gigabytes of drive space that should be allocated from the host to the virtual machine.
The emulation field allows for the specification of the emulation type. Virtio-blk is recommended in most cases.
Virtual Interfaces
The Virtual Interfaces scaffold enables the creation, modification, and deletion of virtual interfaces.
The Name field is an arbitrary string used to identify the host. This string is used for identification purposes only.
The Virtual Machine dropdown allows you to select with which virtual machine the interface you are creating will be assigned.
The Virtual Switch dropdown allows you to select with which switch the interface you are creating will be assigned. A virtual switch enables interfaces to communicate with each other or with an associated uplink.
The Emulation field allows for the specification of the emulation type. Virtio-net is recommended in most cases.
The MAC field allows the assignment of a custom MAC address to the interface. Leaving this field blank will result in a MAC address being automatically created.
Virtualization Design Guide
Note: We recommend that a single machine with a single instance of rXg be limited to 1500 DPL, 8 CPU cores, and 16 GB of RAM.
No HA Required
- Single rXg Host Internal Dataplane Virtualization
HA Required
- 2-way Symmetric rXg Cluster
- 3-way Symmetric rXg Cluster
- 3-way Asymmetric rXg Cluster
- 4-way Asymmetric rXg Cluster
- 8-way Asymmetric rXg Cluster
Single rXg Host Internal Dataplane Virtualization
- Install rXg on bare metal machine
- Configure bare metal rXg as CC
- Also use the bare metal rXg as virtualization host
- Install (6) vDPs
- Configure bare metal rXg as CC
Example:
- Server with AMD 64-core CPU / 256 GB of RAM
- 6-way IDV (8 cores / 16 GB each)
- 16 cores and 64GB RAM for CC
- 6000 DPL in full operation
2-way Symmetric rXg Cluster
- Install rXg on both bare metal machines.
- Configure bare metal rXgs as symmetric rXg cluster with (2) CCs
- Also use the bare metal rXgs as virtualization hosts
- Install (2) vDPs per node
- Use cluster teaming to facilitate deterministic failover
- Configure bare metal rXgs as symmetric rXg cluster with (2) CCs
Example:
- 2 x servers with AMD 24-core CPU / 64 GB of RAM
- 2-way IDV (8 cores / 16 GB each) on each server
- 8 cores and 32GB RAM for CC
- 4000 DPL in full operation (2000 DPL if one fails)
3-way Symmetric rXg Cluster
- Install rXg on all 3 bare metal machines.
- Configure bare metal rXgs as symmetric rXg cluster with (3) CCs
- Also use the bare metal rXgs as virtualization hosts
- Install (4) vDPs per node
- Use cluster teaming to facilitate deterministic failover
- Configure bare metal rXgs as symmetric rXg cluster with (3) CCs
Example:
- 3 x servers with AMD 48-core CPU / 128 GB of RAM
- 4-way IDV on each server
- 16 cores and 64 GB RAM for CC
- 12000 DPL in full operation (8000 DPL if one fails)
3-way Asymmetric rXg Cluster
- Install rXg on all 3 bare metal machines.
- Configure bare metal rXgs as asymmetric rXg cluster with (1) CC and (2) DPs
- Use the bare metal DP nodes as virtualization hosts
- Install (4) vDPs per DP node
- Configure bare metal rXgs as asymmetric rXg cluster with (1) CC and (2) DPs
Example:
- 3 x servers with AMD 32-core CPU / 64 GB of RAM
- rXg CC runs on bare metal
- 4-way IDV on bare metal rXg DPs
- 16 cores and 40 GB RAM for CC
- 16 cores and 24 GB RAM for VMs - 8000 DPL in full operation (4000 DPL if one fails)
6-way Asymmetric rXg Cluster
- Install rXg on all 4 bare metal machines.
- Configure bare metal rXgs as asymmetric rXg cluster with (2) CCs and (2) DPs
- Use the bare metal DP nodes as virtualization hosts
- Install (4) vDPs per DP node
- Use cluster teaming to facilitate deterministic failover
- Configure bare metal rXgs as asymmetric rXg cluster with (2) CCs and (2) DPs
Example:
- 6 x servers with AMD 32-core CPU / 64 GB of RAM
- 4-way IDV (8 cores / 16 GB each) on each vDP
- Full capacity of bare metal for master and standby CC
- 16000 DPL in full operation (12000 DPL if one CP or DP or both fails)
8-way Asymmetric rXg Cluster
- Install rXg on all 8 bare metal machines.
- Configure bare metal rXgs as asymmetric rXg cluster with (2) CCs and (6) DPs
- Use the bare metal DP nodes as virtualization hosts
- Install (16) vDPs per DP node
- Use cluster teaming to facilitate deterministic failover
- Configure bare metal rXgs as asymmetric rXg cluster with (2) CCs and (6) DPs
Example:
- 8 x servers with 2x AMD 64-core CPU / 512 GB of RAM
- 16-way IDV (8 cores / 16 GB each) on each vDP
- Full capacity of bare metal for master and standby CC
- 96,000 DPL in full operation with room to grow!
LLM
The LLM view enables the operator to configure a cutting-edge retrieval augmented generation (RAG) large language model (LLM) artificially intelligent (AI) feature designed to empower network operators to harness the power of advanced language models within their private networks. By leveraging this innovative technology, operators can revolutionize network operations, enhance customer experiences, and unlock new revenue streams.
LLM Options
The LLM Options scaffold configures the end-user behavior of the LLM feature. It may be useful to think of each LLM Option as a unique chatbot. In a scenario where there are multiple end-user and operator portals, multiple LLM Option records may be created to drive each portal to a unique chatbot experience.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The default checkbox, if checked specifies this LLM Option will be used for all portals without an explicit LLM option defined.
The temperature field is a number between 0 and 1 (0.8 default). Increasing the temperature value will make the model answer more creatively.
The chatbot name field is used to set the name of the chatbot, default is Romeo George.
The chatbot avatar field allows the operator to upload a custom image to be as the chatbots avatar in chatbox window.
The apply guardrails checkbox applies guardrails against harmful, unethical, racist, sexist, toxic, etc. conversations. This is applied after any custom instructions and is enabled by default.
The custom instructions field allows the operator to provide the LLM with a full set of custom system instructions.
The initial greeting field allows the operator to specify a specific greeting the chatbox will use to introduce itself when a user initiates a new chat.
The default llm model drop down is used to specify the default LLM modem this LLM will use.
The llm models field allows the operator to select all the models that can be used with this LLM Option.
The admin roles field sets the admin roles that will use this LLM option, selecting any roles here will remove them from being selected in another LLM option.
The operator portal field selects which Operator Portals are assigned to this LLM Option. Note that an admin role match is prioritized over an operator portal match. Associating a record removes it from other options.
The landing portals field sets which splash/landing portals use this LLM option. Associating a record removes it from the other options.
The alow anonymous chats field, if checked allows users to chat via the portal without being logged in with an account.
LLM Workers
The LLM Workers scaffold configures an LLM back-end service that will be used by the chatbots defined by LLM Options. LLM Workers may leverage both local as well as remote GPU resources. The remote GPU resource configuration is intended to be used with a Fleet Manager. An organization might wish to install one or more GPUs into the Fleet Manager and thus have a centralized pool of GPU resources that are shared amongst of a fleet in order to meet cost, power, and cooling budgets at the edge. It is also possible to create LLM Workers that leverage cloud AI systems. We highly recommend that operators deploy their own GPUs to maximize ROI and information security. Tying an LLM Worker to a cloud system is primarily included for the purpose of demonstration.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The adapter field specifies the adapter to be used, Ollama is selected by default.
The run locally checkbox tells the system to run a local server for the specfied backend (adapter) and optionally can be made available to specific WAN targets and or policies.
The host field is used to specify the IP or FQDN of the host providing the API interface for the designated backend.
The port field specifies the port to be used for communication.
The timeout field sets the amount of time the system should wait for the LLM worker to respond.
The online checkbox, if checked indicates that the LLM worker is online and ready to process reqquests, unchecking this field will make the LLM worker unavailable.
The llm model drop down specifies which LLM Model this worker will use by default.
The llm models field specfies which LLM Models this worker is allowed to use.
The use for embeddings field if checked, designates the worker that will be used to generate embeddings for context lookup. Enabling will deactive embedding for other workers.
LLM Models
The LLM Models scaffold displays the models that are available to the LLM Worker. Use the import models action link on the LLM Worker to bring in the available models and populate this scaffold. This scaffold is primarily for informational purposes. We recommend pulling llama3.1:latest for most purposes, or llama3.1:70b if you have more than 40 GB of VRAM. We recommend pulling nomic-embed-text (or mxbai-embed-large if you have a powerful machine) for embeddings.
The name field is the name of the model as recognized by the LLM Workers running it. This name needs to match the model name this field is not arbitrary.
The url NEED Clarification here, does it pull the model to the system and the URL is where that model can be downloaded from.
The formatter specifies which LLM model to use to format the requests that are sent to the LLM Worker Needs clarification
The context window sets the size of the set of information that is relevant for answering questions. Setting a larger context window can allow for more detailed and comprehensive answers. What limits this
The embedding dimensions field sets the scope for how many different features/variables are being considered, different models require varying amounts of data.
The quantization level field is used to set how many bits are being used per word when encoding text data. The higher this value the more detail can be gained from the information/data.
LLM Sources
The LLM Sources scaffold allows operators to upload data sources that are used by the retrieval augmented generation (RAG) system. Documents uploaded to this scaffold are indexed using an embeddings model. Vector similarity search is performed upon the chatbot input to acquire relevant fragments of LLM Sources to provide context to the LLM when generating a chatbot response.
The intended method of use is for the operator to upload a large number of files from their existing dataset. For example, the operator might upload all of the menus for all of the restaurants at a large public venue. Another common use case would be an upload of all of the recommended nearby activities for a hospitality venue. The LLM Sources are unique to each edge. Synchronization of LLM Sources between edges is accomplished using a Fleet Manager.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The llm_remote_data_source if selected, marks this LLM Source as remote, meaning that the rXg is expected to fetch the source data from a remote host.
The frequency selector allows the operator to choose whether to make the llm source get called live, or periodically. If it is called periodically, it will not have access to a specific user's specific query, the way it will if being called live. If this LLM Option is periodic, the remote source will be called periodically and the result will be stored in the LLM Option's source attachment, and a button to manually refresh it will be made available. If this is a Live LLM Source, the query will be accessible from within the parameterization's ERB context as the query variable.
The source field lets you choose the file to upload that will be used as an embeded source.
The visibilty field sets which users can access this information, if set to admins only, the source will only be referenced if you are logged in as an admin. Admins and Users allows both admins and client users to receieve information from this source, and setting it to anonymous allows any user interacting with the LLM to recieve this information regardless of being logged in or not. The anonymous setting should only be used if the client would be interacting with the chatbot without a login sessions, ie from the splash portal.
The request properties are merged with the request properties of the remote llm data source when this data is retreived.
These request properties can use ERB, and if they do, the user's query will be available in that ERB context as the query
variable. Other variables such as client_ip
, client_mac
, current_account_id
, anonymous_user_id
, connected_ap_id
, current_admin_id
will be available if possible.
The path attribute is merged with the base url of the LLM Remote Data Source to determine the URI that will be called. This allows the operator to configure different paths with different query parameters off of one LLM Remote Data Source.
The timeout attribute determines how long the rXg will wait for a response when it tries to query the remote data source.
The frequency field choice determines how often a periodic remote data source is redownloaded.
The cache duration field determines how long an on-demand response is cached for. This works in conjunction with the cache duration unit field.
LLM Remote Data Sources
LLM Remote Data Sources Represent "base" configuration for getting data from remote web servers to use in LLM generated responses. LLM Remote Data Sources contain properties that are used when requesting data from that remote llm source.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The base url field will be combined with the path attribute of a correlated LLM Source. This is intended to give operators significant flexibility when using LLM Remote Data Sources.
The request properties will be merged with the LLM Source's request properties when making the request.
These request properties can use ERB, and if they do, the user's query will be available in that ERB context as the query
variable. Other variables such as client_ip
, client_mac
, current_account_id
, anonymous_user_id
, connected_ap_id
, current_admin_id
will be available if possible.
The basic auth username and basic auth password will be included as basic auth if they are present.
LLM Embeddings
The LLM Embeddings scaffold displays all of the indexes that have been created by the embeddings model for the various LLM Sources. This scaffold is intended for informational purposes only.
An entry in the embedding scaffold represents data the LLM can pull from to answer client questions. The source shows where the data is from, updated reflects the last time this information was updated, the llm model used and the dimensionality.
LLM Prompts
This scaffold is a list of all the prompts sent to the LLM from the clients.
LLM Requests
This scaffold is a list of all the prompts sent to the LLM from the clients, it will list which llm model was used, the LLM worker, when the task was started, when it completed, and how long it took to complete the response.
Chats
The chats scaffold is a history of the chats that have been initiated on the system.
LLM Setup Example
In this example the hardware is a pc with a 3090 graphics card, WAN + certificate is configured, no other configuration has been done.
Navigate to Services::LLM
Create a new LLM Worker.
Give the record a name, in this case since it will be running locally on the system using Ollama I will use the name Local Ollama.
The adapter field should be set to Ollama, and the run locally checkbox should be checked.
The default port value of 11434 should be used, and timeout can be left at 30 seconds. It may be necessary to increase the timeout to 120 seconds to support larger models such as the 70b variant of llama.
Add any WAN targets that should be allowed to communicate on this port and/or any polcies that should be allowed. Being that there is no other configuration currently on this system I will select the default policy, if this were a live deployment I would need to add any client policies that will have access to the chatbot.
Leave the online checkbox, checked.
We do not have any llm models yet so we will leave those fields blank. In this demo we will also be using this worker for the embedding so the use for embeddings checkbox should be checked.
Click Create.
To pull a new model click the pull model link and enter the name of the model to be fetched.
Here we will pull the latest llama3 model, then click submit. This process can take a long time to complete as it must download and process the model file which an be quite large. If the model does not automatically appear in the model scaffold after pulling, wait a bit longer, and click the Import models link in the scaffold.
Repeat for each desired model.
Edit the LLM Worker created previously and now we can select the default model to use with this worker as well as specify other models the worker can use.
After selecting the default LLM model and any additional models click create.
Next we will enable embedding generation. Embeddings are numerical representations of text or other data, which can be compared against each other in order to detect similarity between different data. If enabled, embeddings will be created for the Retrieval Augmented Generation (RAG) sources, as well as the admin manual and the Active Record Models that make up the database. There must be a worker designated for creating embeddings as well as a model designated for embeddings. For this we will use the nomic-embed-text:latest model. Edit the nomic LLM worker.
The embedding dimensions field is required when using a model for embedding. This field is typically populated automatically when importing models from a worker. Valid values are as follows: 512, 768, 1024. Default is 768 and will be used if the field is blank. Check the use for embeddings checkbox and click update. NOTE It will not start generating LLM embeddings until we create the LLM Option which brings us to the next step.
Create a new LLM Option.
Give the record a name, since this will be the default LLM Option I will call it default, and check the default box below the name field. If desired you can enter a name for the chatbot, and upload a custom avatar.
Be default apply guardrails is checked, for the purpose of this demo it will remain checked.
I will not be changing the custom instructions or the the initial greeting at this time.
Select the default LLM model, for this we will be using llama3:latest, I will select the other models as well.
In the Provisioning section select which admin roles that will use this option set. If there are any operator portals or splash/landing portals that should use this LLM option they can be selected at this time as well. If the goal is to allow anyone to access the chatbot without a login session check allow anonymous chats. Primarily this would be checked if you intend to have the chatbot on the splash portal before authentication.
Click create.
This will then start generating the LLM Embeddings to be used as resources for chat responses. The time it will take to generate the embeddings depends on hardware.
The Chat is now available for use in the admin gui.
LLM Remote Sources Example
Using the LLM Remote Data Source feature allows the system to pull in realtime data via API calls. In this example we will create a remote data source that pulls information from Aviationstack.com. In this example we are using the paid service, however I believe a free account allows 100 API calls per month.
Before we begin we should determine which API endpoints we will use. We can see a list of available API calls for Aviationstack here aviationstack.com/documentation. For this example we will using the following endpoints.
dep_iata which allows us to narrow the scope of our searches to a specific airport.
flight_date which allows us to specify a time for our queries.
flight_number which allows us to inquire about specific flights.
Lastly access_key which is required and will pass our API access key.
To begin using Remote Data Sources navigate to Services::LLM and create a new LLM Remote Data Source.
Give the record a name. Enter the base URL, which for aviationstack is https://api.aviationstack.com/. Next we need to configure a Request property. Kind should be set to Query Parameter, key set to access_key from the endpoint above, and the value is the API key provided by aviationstack. Click Create.
Next create a new LLM Source.
Give the record a name. Set the Visibility field to Admins and users, if we leave it at the defult Admins, then only admins will be able to access this source, we want clients on the network that have logged in to be able to access this. Setting it to anonymous then a client would be able to access the source regardless of login status.
The path here needs to be set to v1/flights for aviationstack. Select the LLM Remote Data Source that we created previously in the LLM remote data source field.
The Remote Data Description field is important and we must provide a value here. This is what the system will look at to determine if this source has information relevant to the inquery.
Next we need to create the Request Properties to use for this source. We will be using dep_iata to narrow the scope to a specific airport in this example DEN (Denver), flight_date which allows to search for a specific dates/times, and finally flight_number which allows us to retrieve information based on the specific flight numbers.
Click Create.
Now we should see a new LLM Embedding for this source, if not, click the Regenerate Embeddings link above the LLM Embeddings.
Now we are ready to start asking questions.
GPUs
Nvidia datacenter and workstation GPUs are preferred. The RTX 4000 is the preferred GPU for space and power constrained scenarios. The RTX 4000 consumes a single PCI-e slot and contains 16 GB to 20 GB of VRAM which is enough to run most typical models. Production servers from major manufacturers are usually ordered with the Nvidia L40S GPU which comes with 48 GB of VRAM.
It is possible to use desktop GPUs which are often available a lower prices, especially in the second-hand market, which is useful for demonstation and development purposes. The Nvidia 3090 GPU is known to work and available at reasonable prices. The 24 GB of RAM present onboard the 3090 is to run most models. The 3090 GPU is also available in two-slot configurations. Later generation Nvidia GPUs such as the 4090 typically require three slots and provide similar amounts of VRAM.
It is possible to put two (or more) GPUs in the same machine. For example, two 3090s with 24 GB of VRAM, or three A4000s with 16 GB of VRAM each, would be enough to run Llama 3.1 70b which requires 40 GB of VRAM.
Identities
Identity management is a critical prerequisite to achieving complete control, clear communication and total cognizance over an end-user population. The rXg must understand the who an end-user is before it can determine policy enforcement and properly instrument usage.
The rXg utilizes a two layer approach to identity management. End-users are first individually identified through one of several authentication mechanisms such as credentials passed into the captive portal or operator predefined MAC addresses or IP ranges. Identified end-users are then placed into one or more groups.
Policy enforcement is determined by the policy object that is associated with the group that the individual identity resolves to. Resolution of an identity when multiple group memberships exist determined by the priority field that is present in every group object.
The default rXg captive portal web application supports numerous authentication mechanisms. Operators may choose to authenticate end-users against one or more of the following on board credential stores:
- login user name and password
- single and multiple use tokens
- shared secrets Operators may also choose to use the default captive portal web application to authenticate end-users against external credential stores that support the following protocols:
- RADIUS
- LDAP The operator may also choose to identify end-users without the use of a captive portal. To accomplish this, the operator may specify group membership by one or more of the following:
- Individual MAC address
- Individual IP address
- CIDR range of IP addresses
Identities Dashboard
The identities dashboard presents an overview of the current status and configured settings for the various authentication mechanisms integrated into the rXg.
The top dialog in the left column presents a summary of the account groups on the rXg.
Account groups are listed next to the policy they are enforcing along with the current number of members and the billing plan that sends new end-users into the group.
The center and lower dialogs in the left column present summaries of the rXg external authentication mechanisms.
The top dialog displays a summary of the RADIUS NAS client that is integrated into the rXg captive portal web application. Each RADIUS group is displayed along with the policy that will be enforced upon the members of the group. In addition, the RADIUS Class attribute that will determine group membership (if any) and the policy that is enforced upon the members of the group is displayed.
The bottom dialog displays a summary of the LDAP client that is integrated into the rXg captive portal web application. Each LDAP group is displayed along with the policy that is enforced upon members of the group as well as which LDAP domains are queried during a credential challenge.
In the center column, there are three dialogs that present a summary of the currently configured IP groups, MAC groups, and shared credential groups.
The top dialog presents a list of the IP groups that are currently configured on the rXg. Each IP group is displayed along with the policy that is being enforced upon members of the group. In addition, the number of CIDR blocks assigned to each group is listed at the right. Similar dialogs are found at the bottom of the center column presenting a summary of the MAC and shared credential groups.
The rightmost column presents additional summary dialogs.
The dialog in the right column presents the 10 most recent end-user signups. Here, the login name, selected usage plan and elapsed time since the signup event are presented.
The bottom dialog in the right column presents the average number of devices per account.
Accounts
Accounts and Tokens
The accounts identities view presents the scaffolds associated with manipulating the rXg integrated credentials database.
Identifying devices and end-users is the first step in applying policy enforcement. The rXg integrated credential database consists of several modules that are used to identify and authenticate devices and end-users via the captive portal.
In most cases, end-users will be authenticated through the captive portal web application via account (identified by a username and password combination) or a token (identified by an alphanumeric code). Both accounts and tokens become members of account groups.
Both accounts and tokens are authentication mechanisms that work with the captive portal web application. When the captive portal is enabled, the end-user must provide credentials in order to gain access to the WAN. Providing a valid login / password tuple or a valid code for a token are two of the kinds of credentials that the portal will accept.
Each account and token record contains fields that store usage minutes, transfer quotas, expiration dates and other usage restrictions. In a typical scenario, the usage restrictions in the account record are initialized by the usage plan that the end-user has selected through the captive portal web application. The usage restrictions in a token record are setup when a batch of tokens is created.
A device or end-user may be a member of more than one group. For example, a transient end-user arrives at a hotspot and connects to an rXg controlled wireless network. The end-user's laptop acquires the IP address 192.168.5.42 and attempts to surf to the Internet. A WLAN IP group is configured on the rXg with a CIDR member of 192.168.5.0/24 and a policy that has the captive portal enabled. The end-user is redirected to the captive portal then provides a token to access the Internet. The end-user is now part of a account group that the token is associated with. Thus the end-user is now part of both an IP group and a account group.
Accounts
Each record in the accounts scaffold is an end-user account that can be used for authentication via the captive portal web application. Accounts are typically created by the end-user during the captive portal sign-up process. Alternatively, the operator may choose to manually create records using the scaffold.
The group field configures group membership for this account record. A account may be a member of only one account group at a time.
The login field determines the username that the end-user will supply to the captive portal web application as part of the credential for authentication.
The password field determines the second part of the credential tuple that is supplied by the end-user to authenticate via the captive portal. To change the password, the password and password confirmation must match.
The first name and last name fields are for informational and display purposes only.
The email and email2 fields configure the destination(s) for email notifications. The email2 field is optional.
The MAC field is the last recorded MAC address of the end-user. This field is used to identify the end-user if automatic login is enabled.
Automatic login enables an operator to use the captive portal for end-user self-signup and zero intervention provisioning while retaining the appearance of unfettered WAN access. If this box is checked, the next time the same MAC address and/or browser cookie is seen on the LAN, it will automatically be logged in without a forced browser redirect.
The lock checkbox enables MAC locking. When a MAC address is locked, the device associated with the MAC address may only be used to purchase usage plans when the end-user operating the device logs in with the corresponding account. This mechanism is used in fixed wireless broadband environments to prevent end-users from avoiding disconnect, reconnect and late fees by creating a new account. This feature is incompatible with high transient (hotspot, hotzone, etc.) environments where the portal automatically creates a new account for each transaction.
The status allows the operator to manually disable this account without changing any of the usage restrictions. This is useful for a temporary administrative override (e.g., disabling an abusive end-user until their behavior is discontinued).
The time field determines the amount of online time that this account has left. This field is typically populated when the end-user selects a plan. If the end-user should have not have any online time limits (e.g., if the end-user is manually billed), check the box next to the unlimited heading.
The download quota and upload quota fields determine the amount of data that the end-user can transfer between the LAN and the WAN. These fields are typically populated when the end-user selects a usage plan. If the end-user should not have any transfer restrictions (e.g., if the end-user has purchased a premium unmetered offering), check the appropriate boxes next to the unlimited fields.
The expiration field configures a date and time when the end-user will no longer be able to connect to the WAN. This field is typically populated when the end-user selects a usage plan. The rXg automatically ensures that the maximum allowable online time never exceeds the configured expiration. When the current time is beyond that of the configured expiration , the account will no longer be able to login.
The usage plan field displays the last usage plan that the end-user selected. This field also controls the recurring billing mechanism. This account will take part in a recurring billing schedule if the usage plan chosen here has recurring billing enabled.
The bill at field stores the next date and time at which the end-user will be billed. This field is only used when the end-user is associated with a usage plan that has recurring billing enabled. This field is automatically populated based on the interval field in the usage plan.
Checking the apply plan checkbox provisions the selected usage plan to the account as if the end-user had purchased the plan through the captive portal application. This overrides any usage options or group selections entered manually. The end-user is not billed.
Checking the charge and apply plan checkbox tries to bill the end-user for the selected usage plan by charging her active payment method. If the charge is successful, the usage plan is provisioned to the account as if she had purchased the plan through the captive portal application. This overrides any usage options or group selections entered manually.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Account Journal
Each user record has an accounting journal associated with it that may be displayed by clicking the Journal link.
The account journal keeps a record of all events that affect the end-user's balance. Such events include the selection of a usage plan, the redemption of a coupon, the charging of a credit card through a merchant, etc. The operator may also manually add entries to the journal through the nested scaffold.
Tokens
Each record in the tokens scaffold is a credential that can be used for authentication via the captive portal web application. Tokens can be thought of as "anonymous users." They have all of the usage restriction features present in accounts and are capable of being associated an account group in a similar fashion.
Tokens are typically created in batches by the administrator through the administrative console. The administrator can then export the tokens and integrate them into a wide variety of end-user delivery mechanisms (e.g., doing a mail merge into a word processor and printing onto labels or perforated business card printing sheets).
Alternatively, the operator may choose to use the captive portal web application to automatically create tokens. This mechanism is typically used to implement a simple "one-click free access" RGN offering. Since the end-users are authenticated as tokens , full policy management and service level differentiation is possible. This is useful if the operator wishes to have a time and transfer limited advertising supported offering side-by-side with a paid offering that has a superior experience.
The copies field enables the operator to generate multiple tokens at once. This is to facilitate generation of tokens in batches which is the typical usage scenario. This field is only accessible during the creation of tokens.
The characters and length fields control the complexity of the credential codes for the tokens being generated. An operator may choose from several different character classes and lengths. For security reasons, it is recommended that simpler character classes be used with longer lengths. For example, it is recommended that the "numbers only" class is always used with the length of 16. This field is only accessible during the creation of tokens.
The prefix and suffix fields allow the operator to specify a hardcoded prefix and suffix for the codes that are being generated. The specified prefix and suffix will be the same for all generated codes. This feature allows the operator to generate codes whose purpose that may be easily identified (e.g., 1DAY 1G2H 3J4K). The prefix and suffix may only contain simple characters (letters and numbers) and must be 4 characters long or completely omitted.
The batch field is an automatically assigned value to each set of tokens generated by the administrator. The purpose of the field is to allow the administrator to quickly locate all of the tokens that were generated at the same time. This field is not editable and is for informational purposes only, it does not affect policy management or any other end-user experience related functionality.
The group field configures group membership for this token record. A token may be a member of only one account group at a time.
The time field determines the amount of online time that this account has left. This field is typically populated when the end-user selects a usage plan. If the end-user should not have any online time limits (e.g., if the end-user is manually billed), check the box next to the unlimited heading.
The download quota and upload quota fields determine the amount of data that the end-user can transfer between the LAN and the WAN. These fields are typically populated when the end-user selects a usage plan. If the end-user should not have any transfer restrictions (e.g., if the end-user has purchased a premium unmetered offering), check the appropriate boxes next to the unlimited fields.
If the automatic login box is checked, the next time the same MAC address and/or browser cookie is seen on the LAN, it will automatically be logged in without a forced browser redirect.
The MAC field is the last recorded MAC address of the end-user.
The expiration field configures a date and time when the end-user will no longer be able to connect to the WAN. This field is typically populated when the end-user selects a usage plan. The rXg automatically ensures that the maximum allowable online time never exceeds the configured expiration. When the current time is beyond that of the configured expiration , the user will no longer be able to login. Setting the no expiration field causes the token to never expire, unless the relative lifetime field is also configured.
The relative lifetime field configures the token's usage expiration time to be dynamically set relative to the first login event, which supersedes the configured expiration field or no expiration field. This enables creating a batch of tokens with a finite and absolute shelf-life that also changes for an individual token upon its first use. This field is optional, and if left out, only the expiration field or no expiration field affect the token's lifetime.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Sub-Accounts
Enabling Sub-Accounts allows the creation of child accounts that share the same pool of resources and enforcements as the primary account. For example, if the primary account has a time or quota plan, child accounts will draw down on the remaining balance of that plan. Enable Sub-Accounts within the account record by indicating the number of Sub-Accounts allowed. Once enabled, add Sub-Accounts through the end-user portal or the admin UI.
Enable Sub-Accounts by setting the number allowed within the account record.
Sub-Accounts can also be added as a plan addon. Browse to Billing >> Plans >> Plan Addons.
Creating a Sub-Account from the End-User portal
Once logged into the end-user portal, select Profile.
Scroll to the bottom of the screen, and select Create Sub-Account.
Fill in the Sub-Account details and then select Create.
Creating a Sub-Account from the Admin UI
Browse to Identities >> Accounts and select Sub-Accounts.
Select Create New.
Complete the fields indicated below. All other information will be populated based on the primary account configuration.
Devices
An entry in the devices scaffold defines a device by MAC address and associates it to an account.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The MAC field should be populated with the device MAC address in the format xx:xx:xx:xx:xx:xx.
In the Account field you will select the account in which the device should be associated.
Static IP
An entry in the Static IP field creates a one-to-one mapping between an IP address within a span associated with an uplink and a device on the LAN. This feature is typically used to give public access to a resource that is configured on a private IP address such as a web server.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Public IP field specifies the IP address within a span of addresses associated with an uplink that will be translated to the Device.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Checking the BiNAT checkbox will give public access to the device as long as the associated account has a Max BiNAT value of 1 or greater and there is an available address in the BiNAT pool. This would typically be used for devices such as a web server or a gaming device which requires open incoming firewall ports for proper operation.
Checking the Hide from portal checkbox will hide the device from the manage devices view in the captive portal.
Fixed Hosts
An entry in the Fixed Hosts field reserves an IP address for a particular device. When a device with the MAC address specified in this record requests network configuration via DHCP, the specified IP address is offered. This mechanism is often used as an alternative to manually assigning static IP addresses to devices.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The IP field contains the IP address to be reserved for this device. It is critically important that the reserved IP be outside of any pools specified in the pools scaffold.
The MAC field contains the MAC address of the device that this reservation is being held for.
The hostname field is an optional parameter that, if specified, will cause the DHCP server to deliver a client identifier to the device via a DHCP option.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The option group links this reservation with a set of DHCP options that control additional information that may be delivered to the device beyond IP address, hostname, subnet mask and gateway. For example, an option group may be used to specify alternative DNS servers for the device specified in this reservation.
Groups
The group identities view presents the scaffolds associated with manipulating the rXg internal credential database and integrated authentication mechanisms.
Policy enforcement on the rXg begins with groups. The rXg group objects ( IP groups , MAC groups and account groups ) may all be associated with a policy object. The policy object is then associated with any of the various end-user communication and control features of the rXg.
Devices may be directly authenticated by operator specified IP address and/or MAC address. This is accomplished by adding IP and MAC members to IP group and MAC group records. When the captive portal disabled, direct authentication through groups is required for policy enforcement.
All group objects have a priority field to to disambiguate the choice of a policy when an end-user or device is a member of more than one group. By default, IP groups have a lower priority than MAC groups which have a lower priority than account groups. This default is designed around the concept of creating a default policy via IP groups (typically portal enabled, no access to the WAN) with exceptions specified via MAC groups and account groups.
IP Groups
An entry in the IP groups scaffold defines a group object that contains IP blocks as members.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, IP groups have the lowest possible priority.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The addresses and static routes fields are easy ways to add an entire subnet to the IP group. For example, selecting an address configured with 192.168.5.1/24 is equivalent to entering 192.168.5.0/24 in the IPs sub form. Similarly, selecting a static route with a destination of 10.1.0.0/24 is equivalent to entering 10.1.0.0/24 in the IPs sub form.
The IPs sub form enables specification of IP ranges that are to be assigned to the IP group. To specify a single IP address as a member of a group, enter the IP address followed by a suffix of /32
(e.g., 192.168.8.168/32
).
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
In a typical scenario, each and every address range on the LAN of the rXg will be a member of an IP group. This is used to set the default policy for all devices on the rXg managed network. The default policy for IP groups typically incorporates a policy that specifies denial of all routing or redirection of all traffic to the portal.
Multiple IP groups are configured in scenarios when the rXg managed LAN has well understood IP boundaries with differing policy enforcement requirements. For example, location-based services that require displaying a different captive portal is one common reason why numerous IP groups are created. Deploying a DMZ for servers which require direct access to the WAN is another common scenario where multiple IP groups are needed.
MAC Groups
An entry in the MAC groups scaffold defines a group object that contains MAC addresses as members.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, MAC groups have a priority of 2, placing them higher than the default priority of IP groups.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The MACs sub form enables specification of MAC addresses that are to be assigned to the MAC group. MAC addresses must be specified in hexadecimal in any of the typical MAC address formats. MACs will be scrubbed and normalized to a colon-separated tuple format (e.g., 01:23:45:67:89:ab) before being stored in the database.
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
MAC groups are typically used to identify specific end-user devices that require a different policy from the default policy for the IP range specified by an IP group. MAC groups are also the only way that headless and browser-less devices may be identified.
For example, MAC groups are typically used to identify infrastructure equipment (switches, access points, power controllers, etc.) and handheld devices used by administrators. The higher default priority is typically used to enable access to the WAN as the IP groups are usually set to deny all access.
Account Groups
An entry in the account groups scaffold defines a group object that contains accounts members.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, account groups have a priority of 3, placing them higher than the default priority of both IP groups and MAC groups.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
By checking the box next to a usage plans , end-users will be automatically added to this account group when they select the specified usage plan. This is the primary mechanism that enables zero operator intervention self-provisioning of end-users. By associating plans with groups and groups with policies, end-users are delivered operator specified RGN offerings in a completely automated fashion.
Unlike other group objects, membership in a account group is controlled exclusively within the account record. This is because production rXg units will have hundreds of accounts in a account group making a membership UI in the account group to be ineffective.
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
account groups are typically the most specific (and hence by default have the highest priority) identification mechanism. An end-user may be a member of more than one account group so long as none of the account groups have the same priority. This is a scenario which is typical of an end-user who has selected a plan that enables a basic level of access but then later upgrades to a different plan that has enhanced access. Careful configuration of the group priority is a critical facet of delivering a deterministic and reliable RGN product to the end-user population.
Shared Credentials
The shared credentials view of the identities menu displays scaffolds that allow the operator to configure the shared credential access features of the rXg.
There are many situations when an operator wishes to allow access to a network without requiring each end-user to supply unique credentials. For example, the operator may wish to provide a "free access" service at certain locations for marketing purposes. Many rural WISPs and telcos are able to obtain subsidies from local governments for provided limited or advertising supported free access.
Another common use case for this capability is a "shared password" scenario. For example, if a hotel wishes to allow several end-users who have booked a conference room to use a single, shared password, to gain access. Conference centers also use this functionality to provide groups who purchase Internet access as an additional feature of booth space.
The rXg enables the operator to provide such services while applying the rich functionality of the rXg to each individual end-user. shared credential groups are linked to policies in the same manner as the all of the other group objects in the rXg. The user experience of end-users whe are members of shared credential groups may be controlled by the broad spectrum of capabilities that the rXg offers.
The "free access" service may utilize the interstitial redirects and HTML injection mechanisms to generate revenue from advertising. Similarly, per-device bandwidth queues may be configured to restrict the utilization of of end-users of a "free access" or "shared password" group to an acceptable rate and priority given the amount of revenue generated (or lack thereof).
The rXg also has an integrated end-user survey mechanism. This mechanism allows the operator to quickly and easily build a survey for end-users to fill out before they are allowed to gain access. It is possible to use this mechanism with any of the login methods, but it is most often used with the "free access" paradigm to capture marketing data. The results of the survey are collated in the surveys view of the archives menu.
The easiest way to integrate survey questions into a login form is to render the survey_question_fields
partial with the following Ruby code:
<%= render :partial => 'survey_questions_fields' %>
It is also very easy to manually generate the survey questions. To require responses for some of all survey questions, simply add the appropriate data format checks to Javascript.
Shared Credential Groups
The shared credential groups scaffold configures the rXg "free access" and "shared password access" captive portal credential mechanisms.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the effective group when an end-user or device is a member of more than one group.
The credential field configures the shared password that will be supplied by end-users to the captive portal in order to gain membership into this shared credential group. In order to configure a "free access" group, the credential that is configured here should be passed as an HTML hidden input field in the login form.
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The time , download quota and upload quota fields configure the maximum amount of usage that an end-user may consume before membership to a shared credential group is canceled and the intersession (if specified) takes effect. The usage fields are enforced on a per-device basis and logical disjunction between all three fields is used to determine if usage has been exhausted.
The state field allows the operator to enable or disable logins for the credential.
The effective and expires fields configure the window of time this credential is valid. Logins are permitted during the window.
The days fields restrict the credential to particular days of the week. Logins are permitted on days that are checked.
The recurring option allows the effective and expires times to be adjusted on a recurring interval basis. When recurring is enabled by a setting other than "none", after the expires time has past, the effective time will be adjusted based on the recurring setting. For example, a recurring of "daily" will cause the effective time to be bumped up to the same time of the following day. Recurring behavior stops after the recurring end time (if configured).
The splash portals fields define which captive portals this credential may be logged in from. Use these fields to limit the availability of certain shared credentials to specific portals which in turn are displayed based on geographic location, network subnet, the expected class of end-users, etc.
The simultaneous sessions field specifies the maximum number of sessions that may exist at any given time for the shared credential group being created. Choosing unlimited disables this restriction and allows an unlimited number of simultaneous sessions to be created as a result of an end-user passing the matching credential. Specifying a number enables this feature and restricts the number of simultaneous sessions to the number specified. This feature is useful in a enterprise or hospitality guest access setting where Internet is purchased for a group with a size that is known ahead of time.
The intersession field specifies the amount of time that an end-user must wait they can login again. This field is used to enforce a policy such as one that only allows one hour of free access per day. The intersession takes effect based on the time shared credential group login. If an end-user has a 24 hour intersession logs in at 9:00 AM, then they will be able to login again at 9:00 AM the next day.
If the automatic login box is checked, the rXg will attempt to automatically login a returning end-user after the first successful authentication, assuming the user has the same MAC address and/or browser cookie. Credential, access and session restrictions are still enforced on subsequent automatic login attempts.
Survey Questions
The survey questions scaffold enables the operator to easily build a form that collects data before allowing an end-user to login.
The position field determines the order the questions appear in the form. A question with a lower position number is displayed before a question with a higher position number. If a record is updated or created and its position conflicts with another record, the conflicting record and all records with a higher position are incremented by one.
The question field specifies the question that will appear in the form.
The question type drop-down specifies what type of input will be used in the survey form. Radio Group s, Select Menu s, and Number Field s will utilize associated Survey Question Options in order to build the appropriate form elements.
The required checkbox determines whether user input will be required for this survey question. If required is enabled, the input will use the HTML5 'required' attribute to validate input, which may not be enforced by all browsers.
When creating a Radio Group or Select Menu , Survey Question Options should be specified to provide the user a list of options to choose from. The Display Text field will be shown in the drop-down menu or next to the radio button as a label, and the value field will be stored in the database as the Survey Answer.
When creating a Number Field , Survey Question Options may be used to specify options that will be provided to the number field input. The option's display name should be one of the following:
- min
- max
- in
- within
- step
The value should be the desired limit for the option.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
LDAP Client
The LDAP client view presents the scaffolds associated with manipulating the external LDAP server identity management integration mechanisms built into the rXg captive portal web application.
When an external LDAP server is used as the credential store, the captive portal must be enabled. The end-user web browser is then redirected to the rXg captive portal web application. At this point, the end-user must present credentials to the external authentication client that is integrated into the portal. The end-user supplied credentials are then sent to an external LDAP server. The response is then interpreted by the rXg integrated external authentication client and access to the WAN is manipulated appropriately.
Group membership is determined by the creation of the LDAP groups records and the association of those records with LDAP domains. In addition, LDAP groups are associated with policies in a manner similar to local groups ( MAC groups , IP groups and account groups ).
Several LDAP domain records may be configured to support multiple simultaneous logical partitions. For example, an operator may choose to have separate LDAP domain records for students and faculty in a campus setting as those two sets of identities may be either stored on different LDAP servers or as cousins in a large LDAP hierarchy of a single server.
Access to LDAP servers is defined by the associated records in the LDAP servers scaffold. Following the above example, if students and faculty are stored as cousins within the same LDAP hierarchy, two LDAP domains would be associated with a single LDAP server. Of course, if the two end-user pools are stored in different trees, then distinct LDAP server records must be created for the server hosting each tree. Multiple LDAP server records may be associated with a single LDAP domain to enable server failover.
The rXg LDAP client is fully compatible with Microsoft Active Directory (MSAD). To integrate with an MSAD, the LDAP domain must be designated as such via the AD binding field and the associated LDAP server records must point to MSAD domain controllers. Using both standard LDAP and MSAD servers in the same LDAP domain is not supported.
LDAP Groups
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
An entry in the LDAP groups scaffold defines a group object that can be used as a membership destination for end-users that have been authenticated via the LDAP protocol.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, LDAP groups have a priority of 4, which puts them ahead of the default priority of all group objects configured by internal identities.
The LDAP domains field determines which logical partitions of the LDAP client will send end-users to become members of this LDAP group (and hence, take part in the enforcement defined by the policy ).
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
LDAP Servers
An entry in the LDAP servers scaffold defines a server that may be queried for end-user credential validation using the LDAP protocol.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field is used when multiple LDAP servers are associated with a LDAP domain. The LDAP server with the highest priority is queried first.
The IP field specifies the IP address of the LDAP server to be queried for credential validation.
The port field specifies the TCP port to use when sending the LDAP query for credential validation. Leave this field blank to use the default.
The tries and timeout fields govern the retry and failure detection behavior of the LDAP client. Increase these values when communicating with servers that are heavily loaded or connected via congested networks.
The LDAP domains field determines which logical partitions of the LDAP client will use the server specified in this record for queries. LDAP trees are designed to support several different organizations and organizational units through a unified hierarchical structure. The same LDAP server may be associated with several different LDAP domains to provide access to different facets of the hierarchy.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
LDAP Domains
An entry in the LDAP domains scaffold defines a logical partition for the LDAP client that is integrated into a captive portal web application.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
If the Create Account box is checked, the rXg will create or update an Account object after successful user authentication against the LDAP server. Creating an Account for the user enables the user to take advantage of the manage devices, usage reporting, and DMZ and port forwarding functionality. This behavior is mutually exclusive to specifying an LDAP Group and session attributes.
Associating one or more Usage Plans to the LDAP Domain instructs the rXg to perform a search against the LDAP server to determine group membership. The names of the user's groups are compared against names of the associated Usage Plans to attempt to find a matching plan. If there is a singular match, the Usage Plan is applied automatically. If there are no matches or multiple matches, the Account will be created with no usage plan and the user must select or purchase a usage plan via the captive portal before gaining access to the Internet.
The LDAP group field specifies the membership destination for end-users that have presented valid credentials.
The session minutes field specifies the length of the login session for end-users that have presented valid credentials.
If the automatic login box is checked, the rXg will attempt to automatically login a returning end-user after the first successful authentication, assuming the user has the same MAC address and/or browser cookie. This requires storing the end-user's password in the rXg's database in encrypted format.
If the logical partition of the LDAP client defined by this record is to be used with Microsoft Active Directory, check the box next to AD binding and enter the MSAD domain into the AD domain field.
The Users context field specifies the base DN to be used when searching for LDAP users or when building a user's DN for authentication against a non-Active Directory LDAP server. User records must reside below the specified DN in order to be located via LDAP searches for usage plan matching when Account creation behavior is enabled.
The Username field specifies the LDAP attribute that will be used to build a user's DN when using non-AD binding, as well as for performing searches against LDAP when account creation behavior is enabled. The value should be the name of an attribute identifies the the user's username, such as samaccountname when utilizing Active Directory.
The Bind username and Bind password fields specify the credentials that will be used to perform searches against the LDAP database when Account creation behavior is enabled.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RADIUS NAS
The RADIUS NAS view presents the scaffolds associated with manipulating the external RADIUS server identity management integration mechanisms built into the rXg captive portal web application.
When an external RADIUS server is used as the credential store, the captive portal must be enabled. The end-user web browser is then redirected to the rXg captive portal web application. At this point, the end-user must present credentials to the external authentication client that is integrated into the portal. The end-user supplied credentials are then sent to an external RADIUS server. The response is then interpreted by the rXg integrated external authentication client and access to the WAN is manipulated appropriately.
Group membership is determined by the creation of the RADIUS groups records and the association of those records with RADIUS realms. In addition, RADIUS groups are associated with policies in a manner similar to local groups ( MAC groups , IP groups and account groups ). Membership of end-users into particular RADIUS groups may also be specified by the RADIUS server through the Class attribute that passed back in Access-Accept messages.
Several RADIUS realms may be configured to support multiple simultaneous logical partitions. For example, many operators wish to setup agreements with as many wireless account aggregators (e.g., iPass, Boingo, T-mobile, etc.) as possible. Each of the aggregators has their own servers that require specific RADIUS attributes to be transmitted with Access-Request messages. Thus, each aggregator must be configured as an independent RADIUS realm record.
Credential database servers are defined by the associated records in the server scaffolds of the associated protocol. For example, the RADIUS servers that will be queried are defined by the RADIUS servers scaffold. Several RADIUS servers may be associated with a single RADIUS realm for failover purposes.
RADIUS Groups
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
An entry in the RADIUS groups scaffold defines a group object that can be used as a membership destination for end-users that have been authenticated via the RADIUS protocol in a partition defined by a RADIUS realm.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, RADIUS groups have a priority of 4, which puts them ahead of the default priority of all group objects configured by internal identities.
The Class attribute field is used when RADIUS realms are configured to read group from Class. When configured in this manner, a single RADIUS realm can make end-users members of several different RADIUS groups. The RADIUS Access-Accept message is parsed for a Class attribute. If found, the value of the Class attribute is compared to the Class attribute field of all RADIUS groups. If a match is found, the matching RADIUS group becomes the destination for the end-user.
The RADIUS realms field determines which logical partitions of the RADIUS NAS will send end-users to become members of this RADIUS group (and hence, take part in the enforcement defined by the policy ).
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RADIUS Servers
An entry in the RADIUS servers scaffold defines a server that may be queried for end-user credential validity using the RADIUS protocol.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field is used when multiple RADIUS servers are associated with a RADIUS realm. The RADIUS server with the highest priority is queried first. If the RADIUS server with the highest priority does not respond within the window defined by the tries and timeout fields, the next highest priority server is queried. If no RADIUS servers respond, the end-user is denied access.
The IP field specifies the IP address of the RADIUS server to be queried for credential validation.
The port field specifies the UDP port to use when sending the RADIUS request for credential validation. Similarly the accounting port field specifies the UDP port to use when sending the RADIUS accounting start, stop and intermediate updates. Leave these fields blank to use the defaults.
The tries and timeout fields govern the retry and failure detection behavior of the RADIUS NAS. Increase these values when communicating with servers that are heavily loaded or connected via congested networks.
The secret field is the RADIUS shared secret. It is used to encode and decode messages being sent to and from the RADIUS server. This setting must match that of the RADIUS server in order for credential validation to operate.
The RADIUS realms field determines which logical partitions of the RADIUS NAS will use the server specified in this record for queries. There are several reasons a given RADIUS server will be shared across multiple RADIUS realms. One very common scenario is when an account aggregator outsources the operation of their OSS to a well established third-party. Another is when a single corporate RADIUS server is used for authenticating several different classes of devices or end-users.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RADIUS Realms
An entry in the RADIUS realms scaffold defines a logical partition for the RADIUS NAS that is integrated into the captive portal web application.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
If read group from Class is checked, the RADIUS NAS will look for the RADIUS Class attribute in Access-Accept messages. If the RADIUS Class attribute is found, the value is decoded and compared with the values of the class attribute field of the RADIUS groups that are configured. If a match is found, the authenticated end-user is made a member of the RADIUS group with the matching class attribute. If no match is found, the RADIUS group setting of the RADIUS realm is used to determine group membership.
The RADIUS group field specifies the default RADIUS group record that authenticated end-users will be made members of. If the read group from class field is not checked, the authenticated end-users are always made members of the RADIUS group specified here.
The accounting checkbox enables the transmission of start and stop RADIUS accounting messages. Accounting messages are sent to the same RADIUS server as authentication messages but on a different port as specified in the RADIUS Server configuration.
The encoding field specifies the password encoding used when sending RADIUS Access-Request messages. This setting must match what is accepted by the RADIUS server.
The use Session-Timeout and session minutes fields control the length of the user session for authenticated end-users. If use Session-Timeout is checked, the RADIUS NAS will look for the RADIUS Session-Timeout attribute in all Access-Accept messages. The session length of the end-user is set to the decoded value If a reasonable value is found. If no reasonable value is found, the session minutes field is used to set the end-user session length. If the use Session-Timeout field is not checked, the end-user session length is always set to session minutes.
If the automatic login box is checked, the rXg will attempt to automatically login a returning end-user after the first successful authentication, assuming the user has the same MAC address and/or browser cookie. This requires storing the end-user's password in the rXg's database in encrypted format.
The servers field associates the logical partition defined by this RADIUS realm record with one or more RADIUS server records that define which RADIUS servers to send Access-Request messages.
The RADIUS NAS can send optional RADIUS attributes to the RADIUS server in Access-Accept messages. The supported optional RADIUS attributes are NAS-IP-Address, Called-Station-Id, NAS-Identifier, NAS-Port and NAS-Port-Type. Many RADIUS servers and third-party account aggregation services have very specific requirements for the attributes and values present in RADIUS Access-Request messages. Incorrect configuration of optional attributes usually results in universal rejection of all Access-Accept messages.
Each of these optional attributes has a set of synonymous configuration fields. A checkbox is provided to enable the sending of the optional attribute (e.g., send NAS-IP-Address ). Optional attributes will not be sent unless the appropriate box is checked. The values to be sent in the optional attribute is also configurable. All optional attributes may be transmitted with an arbitrary static value that is specified in a text-field. In addition, different dynamic values are available for the the optional attributes. For example, a common value for the NAS-Identifier attribute is the domain name of the RADIUS NAS and this is enabled by checking the box next to the use domain name field.
The IP and/or MAC address of the rXg may be sent to the RADIUS server in all Access-Request messages by checking the boxes next to the send requesting node IP and send requesting node MAC fields. The RADIUS attribute that will contain the address is configured via the requesting node IP attribute and requesting node MAC attribute. Many RADIUS servers and third-party account aggregation services have specific requirements regarding these fields. In addition, some third-party account aggregators require pre-registration of the MAC and/or IP address of the RADIUS NAS (i.e., the rXg) before credential validation will operate.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
WISPr Prefixes
WISPr (Wireless Internet Service Provider roaming) is a mechanism that allows software clients installed on devices to authenticate end-users without the end-user experiencing a forced browser redirect. Each entry in the WISPr prefixes scaffold defines a prefix that is used by all software clients from the same account aggregator and associates that prefix with a RADIUS realm. Enabling WISPr support on the rXg requires documentation and cooperation of the account aggregator providing the software clients to end-users.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The prefix field stores the string that is defined by the account aggregators and needs to match the value sent in the software clients.
The RADIUS realm field associates a RADIUS realm record that defines the logical partition of the RADIUS NAS with the prefix that will be transmitted by software clients.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Definitions
The definitions view presents the scaffolds associated with configuring mechanisms to identify applications and WAN targets.
The rXg identifies applications by traffic characteristics and WAN targets by IP address or domain name. Identified applications and WAN targets are used in many facts of the policy enforcement engine.
For example, when used with bandwidth queues, application identification is useful for reducing the priority of bulk transfer of data over FTP and NNTP and increasing the priority of interactive applications such as web surfing. WAN targets may be used with bandwidth queues to restrict the utilization of social networking websites and/or guarantee the bandwidth to video on demand servers.
WAN targets are in many other facets of the policy enforcement engine. For example, WAN targets are used as whitelists to enabled unfettered access to certain websites when forced browser redirection to a captive portal is enabled. In addition, WAN targets are used to select destinations for link affinity when an rXg is deployed in a link control scenario.
Applications
An entry in the applications scaffold defines a set of ports that are considered by the rXg to be a singular logical group for policy enforcement.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The protocol field configures this application definition to match to a particular class of transport. In most cases, a given application will only transport over only one TCP, UDP or ICMP, not
The destination ports and source ports fields specify the ports that are used to identify the application defined by this record. Multiple ports and ranges of ports are specified by using these operators:
!=x
All ports not equal to the specified value. For example,!=80
matches all ports other than 80.<x
and<=x
All ports less then and less than or equal to the specified value. For example,<1024
matches all ports less than 1024 (i.e., 1 to 1023 inclusive) and<=1024
matches all ports less or equal to 1024 (i.e., 1 to 1024 inclusive).>x
and>=x
All ports greater than and greater than or equal to the specified value. For example,>40000
matches all ports greater than 40000 (i.e., 40001 to 65535 inclusive) and<=40000
matches all ports greater than or equal to 40000 (i.e., 40000 to 65535 inclusive).x-y
andx:y
All ports within the range specified by the numbers on either side of the operator including boundaries. For example,5900-5909
and5900:5909
are two ways to specify ports 5900 to 5909 inclusive.x><y
All ports within the range specified by the numbers on either side of the operator excluding boundaries. For example1025><1030
specifies ports 1026 to 1029 inclusive.x<>y
All ports except those specified by the numbers on either side of the operator.x,y
Multiple port specifications may be included in a single field by separating them with commas. For example, `8080-8090, 9080-9090,=9300`
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
WAN Targets
WAN targets define WAN IP addresses and DNS entries that are to be considered as a single logical group for the purposes of policy enforcement.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The targets field configures the list of WAN IPs and/or DNS entries that are members of this WAN target. Any combination of dotted quad IP addresses and DNS names is valid. It is recommended that each WAN target contain either all IP addresses or all DNS names for clarity.
Using DNS names reduces the performance of the system due to the need to perform DNS lookup. Use IP addresses whe possible.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
DPI Signatures
An entry in the DPI Signatures scaffold specifies a set of deep packet inspection rules that are used to identify and classify of end-user traffic.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The rules field contains the deep packet inspection specifications that are used to identify the end-user traffic. Rules are specified using the Snort rule format. The rXg is designed to be compatible with most Snort rulesets that are commonly available for download. For example, the Sourcefire Vulnerability Research Team publishes a list of Snort rules that identify common attacks.
The rXg requires that rules follow a few additional specifications in addition to the Snort grammar:
The
alert
action must be specified. Thelog
andpass
actions will not have any affect when used with the rXg. In other words, any rule that does not begin with thealert
idiom will be ignored when used with the rXg.The
sid
idiom (Snort rule ID) is required for each and every rule. Furthermore no two rules may have the samesid
. Ensure that rules abide by the Snortsid
conventions to preventsid
conflict. Values ofsid
less than one million are reserved for "official" rules. Bleeding Snort publishes rules starting atsid
two million. Entirely new custom rules should start atsid
nine million.
The msg
idiom is used by the rXg for logging. For example, when DPI signatures are used with triggers, the string specified by the msg
idiom is used to populate the reason
field.
Here is a simple example rule that checks to see if a node transmits 10 emails (via port 25) in the past 60 seconds:
alert tcp $HOME_NET any -> any 25 (msg:"possible spammer"; content:"rcpt to\:"; nocase; flow:to_server, established; threshold:type both, track by_src, count 10, seconds 60; sid:9000000; rev:1;)
Here is a another example rule that checks to see if a node opens more than 10 SSH connections (via port 25) in the past 60 seconds:
alert tcp any any -> any 22 (msg:SSH incoming; flow:stateless; flags:S+; threshold:type both, track by_src, count 10, seconds 60; sid:9000001; rev:1;)
Nodes that exhibit such behavior are likely to be zombies that are transmitting spam. The above rule is intended to be used in a DPI signature linked to a policy that is associated with throttling via bandwidth queues or quarantine via captive portal to prevent upstream spamming.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Remote DPI Signatures
An entry in the Remote DPI Signatures scaffold configures the rXg for automatic download of deep packet inspection signatures that are used to identify and classify of end-user traffic from a third-party website.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The categories field allows the operator to choose from one or more groups of predefined signatures present on the third-party server. This field is only useful when the URL of this remote DPI signature refers to a gzipped tarball archive. The signatures present in the archive are presumed to be organized by file name. Each file should contain signatures that are relevant to the name of the file.
The SID whitelist field enables the operator to exclude specific rules from being used. This feature is typically used to exclude overly aggressive rules and thus reduce the possibility of false positives. Consider the following rule from the Snort emerging threats list:
emerging-p2p.rules:alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:3;)
The example rule shown above is known to occasionally trip false positives with Skype file sharing. Listing 2003310
into the SID whitelist field causes the rule to be ignored. Multiple SIDs may be listed in the SID whitelist to tell the DPI engine to ignore more than one rule in the remote set.
When a remote DPI signature record is first created, the categories field will be empty. Once the signatures have been downloaded and extracted for the first time, the names of the files will then appear in this field. After creating a remote DPI signature it is necessary to edit the record and select the desired categories in order for proper operation. Initial download time (and hence, population of the categories field depends upon the size of the archive file as well as the speed of the network connection between the server addressed by the URL.
The URL field contains the URL of the file that the rXg will download. The target file is expected to be in one of two formats: .tar.gz archive or a .txt plain text file. If the file is a gzipped tarball archive (.tar.gz), it is expected to extract multiple files named by category, each of which contains DPI signatures. If the file is plain-text, it is expected that the file is simply a file of the the DPI signatures. The rXg supports DPI signatures formatted for Snort 2.9. Well known remote DPI signature repositories include the official Snort rules and the Snort emerging threats list.
The frequency field specifies the download interval. Some sites have terms of use that specify appropriate download intervals. Please check the remote site terms and conditions carefully before using.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Content Filter Lists
Entries in the content filter lists scaffold are used to define sets of domain names and URLs that are to be blocked or passed by the rXg content filter. Each content filter list record should store a list of domains, wildcards, or URLs that are similar in nature for organizational purposes. Multiple content filter lists may be used simultaneously in a single content filter enforcement.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The category field is used to store a short phrase that is meant to help the end-user understand the reason why the URL is being blocked. The text in this field is presented on the access denied page on the captive portal. For example, if the list includes domains and URLs that refer to online casinos, the phrase "gambling" would be appropriate for the category.
The list field contains the set of entries that comprise this content filter list. When this content filter list is associated with a content filter enforcement, HTTP requests that match entries in this list will be denied. Valid entries include domain names (e.g., somedomain.com) as well as URL fragments (e.g., somedomain.com/somepath/).
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Remote Content Filter Lists
Entries in the remote content filter lists scaffold are used to configure the parameters needed to periodically download third party maintained lists. The de facto standard list format is a compressed archive (.tar.gz) file that extracts into a series of subdirectories named by blocking category. Each entry in this scaffold configures the periodic download of a compressed archive (.tar.gz) file. Multiple archive files may be used in a single content filter policy enforcement.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The categories field allows the operator to choose from one or more groups of URLs and/or domains to include in this remote content filter list definition. This field is only useful when the URL of this remote content filter list refers to a gzipped tarball archive. The names of subdirectories present in the archive are presumed to be the names of blocking categories and show up in this field.
When a remote content filter list is created, this field will be empty. Once the list is downloaded and extracted for the first time, the subdirectories will then appear in this field. After creating a remote content filter list it is necessary to edit the record and select the desired categories in order for proper operation. Initial download time (and hence, population of the categories field depends upon the size of the archive file as well as the speed of the network connection between the server addressed by the URL.
When Custom is selected in the Provider field it allows the operator to specify a custom URL to a list maintained by the operator or another source.
The URL field contains the URL of the file that the rXg will download. The target file is expected to be in one of two formats: .tar.gz archive or a .txt plain text file. If the file is a gzipped tarball archive (.tar.gz), it is expected to extract multiple subdirectories named by category, each of which contains a "urls" file containing a list of specific URLs to list, and/or a "domains" file containing a list of domains (i.e., entire sites) to list. If the file is plain-text, it is expected that the file is a list of domains and URLs to list. The rXg supports lists formatted for ufdbGuard,DansGuardian and SquidGuard. Well known providers include URLfilterDB, Shalla Listand Squidblacklist.org.
The frequency defines the periodicity with which the rXg will download the list archive file from the URL specified. The request to download a new remote content filter list occurs immediately after the create button is clicked. The periodicity of subsequent downloads are determined by the value of specified in this field. The downloading of subsequent updates will always occur between 4 and 5 AM local time.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Accounts
Accounts and Tokens
The accounts identities view presents the scaffolds associated with manipulating the rXg integrated credentials database.
Identifying devices and end-users is the first step in applying policy enforcement. The rXg integrated credential database consists of several modules that are used to identify and authenticate devices and end-users via the captive portal.
In most cases, end-users will be authenticated through the captive portal web application via account (identified by a username and password combination) or a token (identified by an alphanumeric code). Both accounts and tokens become members of account groups.
Both accounts and tokens are authentication mechanisms that work with the captive portal web application. When the captive portal is enabled, the end-user must provide credentials in order to gain access to the WAN. Providing a valid login / password tuple or a valid code for a token are two of the kinds of credentials that the portal will accept.
Each account and token record contains fields that store usage minutes, transfer quotas, expiration dates and other usage restrictions. In a typical scenario, the usage restrictions in the account record are initialized by the usage plan that the end-user has selected through the captive portal web application. The usage restrictions in a token record are setup when a batch of tokens is created.
A device or end-user may be a member of more than one group. For example, a transient end-user arrives at a hotspot and connects to an rXg controlled wireless network. The end-user's laptop acquires the IP address 192.168.5.42 and attempts to surf to the Internet. A WLAN IP group is configured on the rXg with a CIDR member of 192.168.5.0/24 and a policy that has the captive portal enabled. The end-user is redirected to the captive portal then provides a token to access the Internet. The end-user is now part of a account group that the token is associated with. Thus the end-user is now part of both an IP group and a account group.
Accounts
Each record in the accounts scaffold is an end-user account that can be used for authentication via the captive portal web application. Accounts are typically created by the end-user during the captive portal sign-up process. Alternatively, the operator may choose to manually create records using the scaffold.
The group field configures group membership for this account record. A account may be a member of only one account group at a time.
The login field determines the username that the end-user will supply to the captive portal web application as part of the credential for authentication.
The password field determines the second part of the credential tuple that is supplied by the end-user to authenticate via the captive portal. To change the password, the password and password confirmation must match.
The first name and last name fields are for informational and display purposes only.
The email and email2 fields configure the destination(s) for email notifications. The email2 field is optional.
The MAC field is the last recorded MAC address of the end-user. This field is used to identify the end-user if automatic login is enabled.
Automatic login enables an operator to use the captive portal for end-user self-signup and zero intervention provisioning while retaining the appearance of unfettered WAN access. If this box is checked, the next time the same MAC address and/or browser cookie is seen on the LAN, it will automatically be logged in without a forced browser redirect.
The lock checkbox enables MAC locking. When a MAC address is locked, the device associated with the MAC address may only be used to purchase usage plans when the end-user operating the device logs in with the corresponding account. This mechanism is used in fixed wireless broadband environments to prevent end-users from avoiding disconnect, reconnect and late fees by creating a new account. This feature is incompatible with high transient (hotspot, hotzone, etc.) environments where the portal automatically creates a new account for each transaction.
The status allows the operator to manually disable this account without changing any of the usage restrictions. This is useful for a temporary administrative override (e.g., disabling an abusive end-user until their behavior is discontinued).
The time field determines the amount of online time that this account has left. This field is typically populated when the end-user selects a plan. If the end-user should have not have any online time limits (e.g., if the end-user is manually billed), check the box next to the unlimited heading.
The download quota and upload quota fields determine the amount of data that the end-user can transfer between the LAN and the WAN. These fields are typically populated when the end-user selects a usage plan. If the end-user should not have any transfer restrictions (e.g., if the end-user has purchased a premium unmetered offering), check the appropriate boxes next to the unlimited fields.
The expiration field configures a date and time when the end-user will no longer be able to connect to the WAN. This field is typically populated when the end-user selects a usage plan. The rXg automatically ensures that the maximum allowable online time never exceeds the configured expiration. When the current time is beyond that of the configured expiration , the account will no longer be able to login.
The usage plan field displays the last usage plan that the end-user selected. This field also controls the recurring billing mechanism. This account will take part in a recurring billing schedule if the usage plan chosen here has recurring billing enabled.
The bill at field stores the next date and time at which the end-user will be billed. This field is only used when the end-user is associated with a usage plan that has recurring billing enabled. This field is automatically populated based on the interval field in the usage plan.
Checking the apply plan checkbox provisions the selected usage plan to the account as if the end-user had purchased the plan through the captive portal application. This overrides any usage options or group selections entered manually. The end-user is not billed.
Checking the charge and apply plan checkbox tries to bill the end-user for the selected usage plan by charging her active payment method. If the charge is successful, the usage plan is provisioned to the account as if she had purchased the plan through the captive portal application. This overrides any usage options or group selections entered manually.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Account Journal
Each user record has an accounting journal associated with it that may be displayed by clicking the Journal link.
The account journal keeps a record of all events that affect the end-user's balance. Such events include the selection of a usage plan, the redemption of a coupon, the charging of a credit card through a merchant, etc. The operator may also manually add entries to the journal through the nested scaffold.
Tokens
Each record in the tokens scaffold is a credential that can be used for authentication via the captive portal web application. Tokens can be thought of as "anonymous users." They have all of the usage restriction features present in accounts and are capable of being associated an account group in a similar fashion.
Tokens are typically created in batches by the administrator through the administrative console. The administrator can then export the tokens and integrate them into a wide variety of end-user delivery mechanisms (e.g., doing a mail merge into a word processor and printing onto labels or perforated business card printing sheets).
Alternatively, the operator may choose to use the captive portal web application to automatically create tokens. This mechanism is typically used to implement a simple "one-click free access" RGN offering. Since the end-users are authenticated as tokens , full policy management and service level differentiation is possible. This is useful if the operator wishes to have a time and transfer limited advertising supported offering side-by-side with a paid offering that has a superior experience.
The copies field enables the operator to generate multiple tokens at once. This is to facilitate generation of tokens in batches which is the typical usage scenario. This field is only accessible during the creation of tokens.
The characters and length fields control the complexity of the credential codes for the tokens being generated. An operator may choose from several different character classes and lengths. For security reasons, it is recommended that simpler character classes be used with longer lengths. For example, it is recommended that the "numbers only" class is always used with the length of 16. This field is only accessible during the creation of tokens.
The prefix and suffix fields allow the operator to specify a hardcoded prefix and suffix for the codes that are being generated. The specified prefix and suffix will be the same for all generated codes. This feature allows the operator to generate codes whose purpose that may be easily identified (e.g., 1DAY 1G2H 3J4K). The prefix and suffix may only contain simple characters (letters and numbers) and must be 4 characters long or completely omitted.
The batch field is an automatically assigned value to each set of tokens generated by the administrator. The purpose of the field is to allow the administrator to quickly locate all of the tokens that were generated at the same time. This field is not editable and is for informational purposes only, it does not affect policy management or any other end-user experience related functionality.
The group field configures group membership for this token record. A token may be a member of only one account group at a time.
The time field determines the amount of online time that this account has left. This field is typically populated when the end-user selects a usage plan. If the end-user should not have any online time limits (e.g., if the end-user is manually billed), check the box next to the unlimited heading.
The download quota and upload quota fields determine the amount of data that the end-user can transfer between the LAN and the WAN. These fields are typically populated when the end-user selects a usage plan. If the end-user should not have any transfer restrictions (e.g., if the end-user has purchased a premium unmetered offering), check the appropriate boxes next to the unlimited fields.
If the automatic login box is checked, the next time the same MAC address and/or browser cookie is seen on the LAN, it will automatically be logged in without a forced browser redirect.
The MAC field is the last recorded MAC address of the end-user.
The expiration field configures a date and time when the end-user will no longer be able to connect to the WAN. This field is typically populated when the end-user selects a usage plan. The rXg automatically ensures that the maximum allowable online time never exceeds the configured expiration. When the current time is beyond that of the configured expiration , the user will no longer be able to login. Setting the no expiration field causes the token to never expire, unless the relative lifetime field is also configured.
The relative lifetime field configures the token's usage expiration time to be dynamically set relative to the first login event, which supersedes the configured expiration field or no expiration field. This enables creating a batch of tokens with a finite and absolute shelf-life that also changes for an individual token upon its first use. This field is optional, and if left out, only the expiration field or no expiration field affect the token's lifetime.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Sub-Accounts
Enabling Sub-Accounts allows the creation of child accounts that share the same pool of resources and enforcements as the primary account. For example, if the primary account has a time or quota plan, child accounts will draw down on the remaining balance of that plan. Enable Sub-Accounts within the account record by indicating the number of Sub-Accounts allowed. Once enabled, add Sub-Accounts through the end-user portal or the admin UI.
Enable Sub-Accounts by setting the number allowed within the account record.
Sub-Accounts can also be added as a plan addon. Browse to Billing >> Plans >> Plan Addons.
Creating a Sub-Account from the End-User portal
Once logged into the end-user portal, select Profile.
Scroll to the bottom of the screen, and select Create Sub-Account.
Fill in the Sub-Account details and then select Create.
Creating a Sub-Account from the Admin UI
Browse to Identities >> Accounts and select Sub-Accounts.
Select Create New.
Complete the fields indicated below. All other information will be populated based on the primary account configuration.
Devices
An entry in the devices scaffold defines a device by MAC address and associates it to an account.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The MAC field should be populated with the device MAC address in the format xx:xx:xx:xx:xx:xx.
In the Account field you will select the account in which the device should be associated.
Static IP
An entry in the Static IP field creates a one-to-one mapping between an IP address within a span associated with an uplink and a device on the LAN. This feature is typically used to give public access to a resource that is configured on a private IP address such as a web server.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Public IP field specifies the IP address within a span of addresses associated with an uplink that will be translated to the Device.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Checking the BiNAT checkbox will give public access to the device as long as the associated account has a Max BiNAT value of 1 or greater and there is an available address in the BiNAT pool. This would typically be used for devices such as a web server or a gaming device which requires open incoming firewall ports for proper operation.
Checking the Hide from portal checkbox will hide the device from the manage devices view in the captive portal.
Fixed Hosts
An entry in the Fixed Hosts field reserves an IP address for a particular device. When a device with the MAC address specified in this record requests network configuration via DHCP, the specified IP address is offered. This mechanism is often used as an alternative to manually assigning static IP addresses to devices.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The IP field contains the IP address to be reserved for this device. It is critically important that the reserved IP be outside of any pools specified in the pools scaffold.
The MAC field contains the MAC address of the device that this reservation is being held for.
The hostname field is an optional parameter that, if specified, will cause the DHCP server to deliver a client identifier to the device via a DHCP option.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The option group links this reservation with a set of DHCP options that control additional information that may be delivered to the device beyond IP address, hostname, subnet mask and gateway. For example, an option group may be used to specify alternative DNS servers for the device specified in this reservation.
Groups
The group identities view presents the scaffolds associated with manipulating the rXg internal credential database and integrated authentication mechanisms.
Policy enforcement on the rXg begins with groups. The rXg group objects ( IP groups , MAC groups and account groups ) may all be associated with a policy object. The policy object is then associated with any of the various end-user communication and control features of the rXg.
Devices may be directly authenticated by operator specified IP address and/or MAC address. This is accomplished by adding IP and MAC members to IP group and MAC group records. When the captive portal disabled, direct authentication through groups is required for policy enforcement.
All group objects have a priority field to to disambiguate the choice of a policy when an end-user or device is a member of more than one group. By default, IP groups have a lower priority than MAC groups which have a lower priority than account groups. This default is designed around the concept of creating a default policy via IP groups (typically portal enabled, no access to the WAN) with exceptions specified via MAC groups and account groups.
IP Groups
An entry in the IP groups scaffold defines a group object that contains IP blocks as members.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, IP groups have the lowest possible priority.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The addresses and static routes fields are easy ways to add an entire subnet to the IP group. For example, selecting an address configured with 192.168.5.1/24 is equivalent to entering 192.168.5.0/24 in the IPs sub form. Similarly, selecting a static route with a destination of 10.1.0.0/24 is equivalent to entering 10.1.0.0/24 in the IPs sub form.
The IPs sub form enables specification of IP ranges that are to be assigned to the IP group. To specify a single IP address as a member of a group, enter the IP address followed by a suffix of /32
(e.g., 192.168.8.168/32
).
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
In a typical scenario, each and every address range on the LAN of the rXg will be a member of an IP group. This is used to set the default policy for all devices on the rXg managed network. The default policy for IP groups typically incorporates a policy that specifies denial of all routing or redirection of all traffic to the portal.
Multiple IP groups are configured in scenarios when the rXg managed LAN has well understood IP boundaries with differing policy enforcement requirements. For example, location-based services that require displaying a different captive portal is one common reason why numerous IP groups are created. Deploying a DMZ for servers which require direct access to the WAN is another common scenario where multiple IP groups are needed.
MAC Groups
An entry in the MAC groups scaffold defines a group object that contains MAC addresses as members.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, MAC groups have a priority of 2, placing them higher than the default priority of IP groups.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The MACs sub form enables specification of MAC addresses that are to be assigned to the MAC group. MAC addresses must be specified in hexadecimal in any of the typical MAC address formats. MACs will be scrubbed and normalized to a colon-separated tuple format (e.g., 01:23:45:67:89:ab) before being stored in the database.
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
MAC groups are typically used to identify specific end-user devices that require a different policy from the default policy for the IP range specified by an IP group. MAC groups are also the only way that headless and browser-less devices may be identified.
For example, MAC groups are typically used to identify infrastructure equipment (switches, access points, power controllers, etc.) and handheld devices used by administrators. The higher default priority is typically used to enable access to the WAN as the IP groups are usually set to deny all access.
Account Groups
An entry in the account groups scaffold defines a group object that contains accounts members.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, account groups have a priority of 3, placing them higher than the default priority of both IP groups and MAC groups.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
By checking the box next to a usage plans , end-users will be automatically added to this account group when they select the specified usage plan. This is the primary mechanism that enables zero operator intervention self-provisioning of end-users. By associating plans with groups and groups with policies, end-users are delivered operator specified RGN offerings in a completely automated fashion.
Unlike other group objects, membership in a account group is controlled exclusively within the account record. This is because production rXg units will have hundreds of accounts in a account group making a membership UI in the account group to be ineffective.
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
account groups are typically the most specific (and hence by default have the highest priority) identification mechanism. An end-user may be a member of more than one account group so long as none of the account groups have the same priority. This is a scenario which is typical of an end-user who has selected a plan that enables a basic level of access but then later upgrades to a different plan that has enhanced access. Careful configuration of the group priority is a critical facet of delivering a deterministic and reliable RGN product to the end-user population.
Shared Credentials
The shared credentials view of the identities menu displays scaffolds that allow the operator to configure the shared credential access features of the rXg.
There are many situations when an operator wishes to allow access to a network without requiring each end-user to supply unique credentials. For example, the operator may wish to provide a "free access" service at certain locations for marketing purposes. Many rural WISPs and telcos are able to obtain subsidies from local governments for provided limited or advertising supported free access.
Another common use case for this capability is a "shared password" scenario. For example, if a hotel wishes to allow several end-users who have booked a conference room to use a single, shared password, to gain access. Conference centers also use this functionality to provide groups who purchase Internet access as an additional feature of booth space.
The rXg enables the operator to provide such services while applying the rich functionality of the rXg to each individual end-user. shared credential groups are linked to policies in the same manner as the all of the other group objects in the rXg. The user experience of end-users whe are members of shared credential groups may be controlled by the broad spectrum of capabilities that the rXg offers.
The "free access" service may utilize the interstitial redirects and HTML injection mechanisms to generate revenue from advertising. Similarly, per-device bandwidth queues may be configured to restrict the utilization of of end-users of a "free access" or "shared password" group to an acceptable rate and priority given the amount of revenue generated (or lack thereof).
The rXg also has an integrated end-user survey mechanism. This mechanism allows the operator to quickly and easily build a survey for end-users to fill out before they are allowed to gain access. It is possible to use this mechanism with any of the login methods, but it is most often used with the "free access" paradigm to capture marketing data. The results of the survey are collated in the surveys view of the archives menu.
The easiest way to integrate survey questions into a login form is to render the survey_question_fields
partial with the following Ruby code:
<%= render :partial => 'survey_questions_fields' %>
It is also very easy to manually generate the survey questions. To require responses for some of all survey questions, simply add the appropriate data format checks to Javascript.
Shared Credential Groups
The shared credential groups scaffold configures the rXg "free access" and "shared password access" captive portal credential mechanisms.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the effective group when an end-user or device is a member of more than one group.
The credential field configures the shared password that will be supplied by end-users to the captive portal in order to gain membership into this shared credential group. In order to configure a "free access" group, the credential that is configured here should be passed as an HTML hidden input field in the login form.
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The time , download quota and upload quota fields configure the maximum amount of usage that an end-user may consume before membership to a shared credential group is canceled and the intersession (if specified) takes effect. The usage fields are enforced on a per-device basis and logical disjunction between all three fields is used to determine if usage has been exhausted.
The state field allows the operator to enable or disable logins for the credential.
The effective and expires fields configure the window of time this credential is valid. Logins are permitted during the window.
The days fields restrict the credential to particular days of the week. Logins are permitted on days that are checked.
The recurring option allows the effective and expires times to be adjusted on a recurring interval basis. When recurring is enabled by a setting other than "none", after the expires time has past, the effective time will be adjusted based on the recurring setting. For example, a recurring of "daily" will cause the effective time to be bumped up to the same time of the following day. Recurring behavior stops after the recurring end time (if configured).
The splash portals fields define which captive portals this credential may be logged in from. Use these fields to limit the availability of certain shared credentials to specific portals which in turn are displayed based on geographic location, network subnet, the expected class of end-users, etc.
The simultaneous sessions field specifies the maximum number of sessions that may exist at any given time for the shared credential group being created. Choosing unlimited disables this restriction and allows an unlimited number of simultaneous sessions to be created as a result of an end-user passing the matching credential. Specifying a number enables this feature and restricts the number of simultaneous sessions to the number specified. This feature is useful in a enterprise or hospitality guest access setting where Internet is purchased for a group with a size that is known ahead of time.
The intersession field specifies the amount of time that an end-user must wait they can login again. This field is used to enforce a policy such as one that only allows one hour of free access per day. The intersession takes effect based on the time shared credential group login. If an end-user has a 24 hour intersession logs in at 9:00 AM, then they will be able to login again at 9:00 AM the next day.
If the automatic login box is checked, the rXg will attempt to automatically login a returning end-user after the first successful authentication, assuming the user has the same MAC address and/or browser cookie. Credential, access and session restrictions are still enforced on subsequent automatic login attempts.
Survey Questions
The survey questions scaffold enables the operator to easily build a form that collects data before allowing an end-user to login.
The position field determines the order the questions appear in the form. A question with a lower position number is displayed before a question with a higher position number. If a record is updated or created and its position conflicts with another record, the conflicting record and all records with a higher position are incremented by one.
The question field specifies the question that will appear in the form.
The question type drop-down specifies what type of input will be used in the survey form. Radio Group s, Select Menu s, and Number Field s will utilize associated Survey Question Options in order to build the appropriate form elements.
The required checkbox determines whether user input will be required for this survey question. If required is enabled, the input will use the HTML5 'required' attribute to validate input, which may not be enforced by all browsers.
When creating a Radio Group or Select Menu , Survey Question Options should be specified to provide the user a list of options to choose from. The Display Text field will be shown in the drop-down menu or next to the radio button as a label, and the value field will be stored in the database as the Survey Answer.
When creating a Number Field , Survey Question Options may be used to specify options that will be provided to the number field input. The option's display name should be one of the following:
- min
- max
- in
- within
- step
The value should be the desired limit for the option.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
LDAP Client
The LDAP client view presents the scaffolds associated with manipulating the external LDAP server identity management integration mechanisms built into the rXg captive portal web application.
When an external LDAP server is used as the credential store, the captive portal must be enabled. The end-user web browser is then redirected to the rXg captive portal web application. At this point, the end-user must present credentials to the external authentication client that is integrated into the portal. The end-user supplied credentials are then sent to an external LDAP server. The response is then interpreted by the rXg integrated external authentication client and access to the WAN is manipulated appropriately.
Group membership is determined by the creation of the LDAP groups records and the association of those records with LDAP domains. In addition, LDAP groups are associated with policies in a manner similar to local groups ( MAC groups , IP groups and account groups ).
Several LDAP domain records may be configured to support multiple simultaneous logical partitions. For example, an operator may choose to have separate LDAP domain records for students and faculty in a campus setting as those two sets of identities may be either stored on different LDAP servers or as cousins in a large LDAP hierarchy of a single server.
Access to LDAP servers is defined by the associated records in the LDAP servers scaffold. Following the above example, if students and faculty are stored as cousins within the same LDAP hierarchy, two LDAP domains would be associated with a single LDAP server. Of course, if the two end-user pools are stored in different trees, then distinct LDAP server records must be created for the server hosting each tree. Multiple LDAP server records may be associated with a single LDAP domain to enable server failover.
The rXg LDAP client is fully compatible with Microsoft Active Directory (MSAD). To integrate with an MSAD, the LDAP domain must be designated as such via the AD binding field and the associated LDAP server records must point to MSAD domain controllers. Using both standard LDAP and MSAD servers in the same LDAP domain is not supported.
LDAP Groups
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
An entry in the LDAP groups scaffold defines a group object that can be used as a membership destination for end-users that have been authenticated via the LDAP protocol.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, LDAP groups have a priority of 4, which puts them ahead of the default priority of all group objects configured by internal identities.
The LDAP domains field determines which logical partitions of the LDAP client will send end-users to become members of this LDAP group (and hence, take part in the enforcement defined by the policy ).
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
LDAP Servers
An entry in the LDAP servers scaffold defines a server that may be queried for end-user credential validation using the LDAP protocol.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field is used when multiple LDAP servers are associated with a LDAP domain. The LDAP server with the highest priority is queried first.
The IP field specifies the IP address of the LDAP server to be queried for credential validation.
The port field specifies the TCP port to use when sending the LDAP query for credential validation. Leave this field blank to use the default.
The tries and timeout fields govern the retry and failure detection behavior of the LDAP client. Increase these values when communicating with servers that are heavily loaded or connected via congested networks.
The LDAP domains field determines which logical partitions of the LDAP client will use the server specified in this record for queries. LDAP trees are designed to support several different organizations and organizational units through a unified hierarchical structure. The same LDAP server may be associated with several different LDAP domains to provide access to different facets of the hierarchy.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
LDAP Domains
An entry in the LDAP domains scaffold defines a logical partition for the LDAP client that is integrated into a captive portal web application.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
If the Create Account box is checked, the rXg will create or update an Account object after successful user authentication against the LDAP server. Creating an Account for the user enables the user to take advantage of the manage devices, usage reporting, and DMZ and port forwarding functionality. This behavior is mutually exclusive to specifying an LDAP Group and session attributes.
Associating one or more Usage Plans to the LDAP Domain instructs the rXg to perform a search against the LDAP server to determine group membership. The names of the user's groups are compared against names of the associated Usage Plans to attempt to find a matching plan. If there is a singular match, the Usage Plan is applied automatically. If there are no matches or multiple matches, the Account will be created with no usage plan and the user must select or purchase a usage plan via the captive portal before gaining access to the Internet.
The LDAP group field specifies the membership destination for end-users that have presented valid credentials.
The session minutes field specifies the length of the login session for end-users that have presented valid credentials.
If the automatic login box is checked, the rXg will attempt to automatically login a returning end-user after the first successful authentication, assuming the user has the same MAC address and/or browser cookie. This requires storing the end-user's password in the rXg's database in encrypted format.
If the logical partition of the LDAP client defined by this record is to be used with Microsoft Active Directory, check the box next to AD binding and enter the MSAD domain into the AD domain field.
The Users context field specifies the base DN to be used when searching for LDAP users or when building a user's DN for authentication against a non-Active Directory LDAP server. User records must reside below the specified DN in order to be located via LDAP searches for usage plan matching when Account creation behavior is enabled.
The Username field specifies the LDAP attribute that will be used to build a user's DN when using non-AD binding, as well as for performing searches against LDAP when account creation behavior is enabled. The value should be the name of an attribute identifies the the user's username, such as samaccountname when utilizing Active Directory.
The Bind username and Bind password fields specify the credentials that will be used to perform searches against the LDAP database when Account creation behavior is enabled.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RADIUS NAS
The RADIUS NAS view presents the scaffolds associated with manipulating the external RADIUS server identity management integration mechanisms built into the rXg captive portal web application.
When an external RADIUS server is used as the credential store, the captive portal must be enabled. The end-user web browser is then redirected to the rXg captive portal web application. At this point, the end-user must present credentials to the external authentication client that is integrated into the portal. The end-user supplied credentials are then sent to an external RADIUS server. The response is then interpreted by the rXg integrated external authentication client and access to the WAN is manipulated appropriately.
Group membership is determined by the creation of the RADIUS groups records and the association of those records with RADIUS realms. In addition, RADIUS groups are associated with policies in a manner similar to local groups ( MAC groups , IP groups and account groups ). Membership of end-users into particular RADIUS groups may also be specified by the RADIUS server through the Class attribute that passed back in Access-Accept messages.
Several RADIUS realms may be configured to support multiple simultaneous logical partitions. For example, many operators wish to setup agreements with as many wireless account aggregators (e.g., iPass, Boingo, T-mobile, etc.) as possible. Each of the aggregators has their own servers that require specific RADIUS attributes to be transmitted with Access-Request messages. Thus, each aggregator must be configured as an independent RADIUS realm record.
Credential database servers are defined by the associated records in the server scaffolds of the associated protocol. For example, the RADIUS servers that will be queried are defined by the RADIUS servers scaffold. Several RADIUS servers may be associated with a single RADIUS realm for failover purposes.
RADIUS Groups
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
An entry in the RADIUS groups scaffold defines a group object that can be used as a membership destination for end-users that have been authenticated via the RADIUS protocol in a partition defined by a RADIUS realm.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, RADIUS groups have a priority of 4, which puts them ahead of the default priority of all group objects configured by internal identities.
The Class attribute field is used when RADIUS realms are configured to read group from Class. When configured in this manner, a single RADIUS realm can make end-users members of several different RADIUS groups. The RADIUS Access-Accept message is parsed for a Class attribute. If found, the value of the Class attribute is compared to the Class attribute field of all RADIUS groups. If a match is found, the matching RADIUS group becomes the destination for the end-user.
The RADIUS realms field determines which logical partitions of the RADIUS NAS will send end-users to become members of this RADIUS group (and hence, take part in the enforcement defined by the policy ).
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RADIUS Servers
An entry in the RADIUS servers scaffold defines a server that may be queried for end-user credential validity using the RADIUS protocol.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field is used when multiple RADIUS servers are associated with a RADIUS realm. The RADIUS server with the highest priority is queried first. If the RADIUS server with the highest priority does not respond within the window defined by the tries and timeout fields, the next highest priority server is queried. If no RADIUS servers respond, the end-user is denied access.
The IP field specifies the IP address of the RADIUS server to be queried for credential validation.
The port field specifies the UDP port to use when sending the RADIUS request for credential validation. Similarly the accounting port field specifies the UDP port to use when sending the RADIUS accounting start, stop and intermediate updates. Leave these fields blank to use the defaults.
The tries and timeout fields govern the retry and failure detection behavior of the RADIUS NAS. Increase these values when communicating with servers that are heavily loaded or connected via congested networks.
The secret field is the RADIUS shared secret. It is used to encode and decode messages being sent to and from the RADIUS server. This setting must match that of the RADIUS server in order for credential validation to operate.
The RADIUS realms field determines which logical partitions of the RADIUS NAS will use the server specified in this record for queries. There are several reasons a given RADIUS server will be shared across multiple RADIUS realms. One very common scenario is when an account aggregator outsources the operation of their OSS to a well established third-party. Another is when a single corporate RADIUS server is used for authenticating several different classes of devices or end-users.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RADIUS Realms
An entry in the RADIUS realms scaffold defines a logical partition for the RADIUS NAS that is integrated into the captive portal web application.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
If read group from Class is checked, the RADIUS NAS will look for the RADIUS Class attribute in Access-Accept messages. If the RADIUS Class attribute is found, the value is decoded and compared with the values of the class attribute field of the RADIUS groups that are configured. If a match is found, the authenticated end-user is made a member of the RADIUS group with the matching class attribute. If no match is found, the RADIUS group setting of the RADIUS realm is used to determine group membership.
The RADIUS group field specifies the default RADIUS group record that authenticated end-users will be made members of. If the read group from class field is not checked, the authenticated end-users are always made members of the RADIUS group specified here.
The accounting checkbox enables the transmission of start and stop RADIUS accounting messages. Accounting messages are sent to the same RADIUS server as authentication messages but on a different port as specified in the RADIUS Server configuration.
The encoding field specifies the password encoding used when sending RADIUS Access-Request messages. This setting must match what is accepted by the RADIUS server.
The use Session-Timeout and session minutes fields control the length of the user session for authenticated end-users. If use Session-Timeout is checked, the RADIUS NAS will look for the RADIUS Session-Timeout attribute in all Access-Accept messages. The session length of the end-user is set to the decoded value If a reasonable value is found. If no reasonable value is found, the session minutes field is used to set the end-user session length. If the use Session-Timeout field is not checked, the end-user session length is always set to session minutes.
If the automatic login box is checked, the rXg will attempt to automatically login a returning end-user after the first successful authentication, assuming the user has the same MAC address and/or browser cookie. This requires storing the end-user's password in the rXg's database in encrypted format.
The servers field associates the logical partition defined by this RADIUS realm record with one or more RADIUS server records that define which RADIUS servers to send Access-Request messages.
The RADIUS NAS can send optional RADIUS attributes to the RADIUS server in Access-Accept messages. The supported optional RADIUS attributes are NAS-IP-Address, Called-Station-Id, NAS-Identifier, NAS-Port and NAS-Port-Type. Many RADIUS servers and third-party account aggregation services have very specific requirements for the attributes and values present in RADIUS Access-Request messages. Incorrect configuration of optional attributes usually results in universal rejection of all Access-Accept messages.
Each of these optional attributes has a set of synonymous configuration fields. A checkbox is provided to enable the sending of the optional attribute (e.g., send NAS-IP-Address ). Optional attributes will not be sent unless the appropriate box is checked. The values to be sent in the optional attribute is also configurable. All optional attributes may be transmitted with an arbitrary static value that is specified in a text-field. In addition, different dynamic values are available for the the optional attributes. For example, a common value for the NAS-Identifier attribute is the domain name of the RADIUS NAS and this is enabled by checking the box next to the use domain name field.
The IP and/or MAC address of the rXg may be sent to the RADIUS server in all Access-Request messages by checking the boxes next to the send requesting node IP and send requesting node MAC fields. The RADIUS attribute that will contain the address is configured via the requesting node IP attribute and requesting node MAC attribute. Many RADIUS servers and third-party account aggregation services have specific requirements regarding these fields. In addition, some third-party account aggregators require pre-registration of the MAC and/or IP address of the RADIUS NAS (i.e., the rXg) before credential validation will operate.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
WISPr Prefixes
WISPr (Wireless Internet Service Provider roaming) is a mechanism that allows software clients installed on devices to authenticate end-users without the end-user experiencing a forced browser redirect. Each entry in the WISPr prefixes scaffold defines a prefix that is used by all software clients from the same account aggregator and associates that prefix with a RADIUS realm. Enabling WISPr support on the rXg requires documentation and cooperation of the account aggregator providing the software clients to end-users.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The prefix field stores the string that is defined by the account aggregators and needs to match the value sent in the software clients.
The RADIUS realm field associates a RADIUS realm record that defines the logical partition of the RADIUS NAS with the prefix that will be transmitted by software clients.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Definitions
The definitions view presents the scaffolds associated with configuring mechanisms to identify applications and WAN targets.
The rXg identifies applications by traffic characteristics and WAN targets by IP address or domain name. Identified applications and WAN targets are used in many facts of the policy enforcement engine.
For example, when used with bandwidth queues, application identification is useful for reducing the priority of bulk transfer of data over FTP and NNTP and increasing the priority of interactive applications such as web surfing. WAN targets may be used with bandwidth queues to restrict the utilization of social networking websites and/or guarantee the bandwidth to video on demand servers.
WAN targets are in many other facets of the policy enforcement engine. For example, WAN targets are used as whitelists to enabled unfettered access to certain websites when forced browser redirection to a captive portal is enabled. In addition, WAN targets are used to select destinations for link affinity when an rXg is deployed in a link control scenario.
Applications
An entry in the applications scaffold defines a set of ports that are considered by the rXg to be a singular logical group for policy enforcement.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The protocol field configures this application definition to match to a particular class of transport. In most cases, a given application will only transport over only one TCP, UDP or ICMP, not
The destination ports and source ports fields specify the ports that are used to identify the application defined by this record. Multiple ports and ranges of ports are specified by using these operators:
!=x
All ports not equal to the specified value. For example,!=80
matches all ports other than 80.<x
and<=x
All ports less then and less than or equal to the specified value. For example,<1024
matches all ports less than 1024 (i.e., 1 to 1023 inclusive) and<=1024
matches all ports less or equal to 1024 (i.e., 1 to 1024 inclusive).>x
and>=x
All ports greater than and greater than or equal to the specified value. For example,>40000
matches all ports greater than 40000 (i.e., 40001 to 65535 inclusive) and<=40000
matches all ports greater than or equal to 40000 (i.e., 40000 to 65535 inclusive).x-y
andx:y
All ports within the range specified by the numbers on either side of the operator including boundaries. For example,5900-5909
and5900:5909
are two ways to specify ports 5900 to 5909 inclusive.x><y
All ports within the range specified by the numbers on either side of the operator excluding boundaries. For example1025><1030
specifies ports 1026 to 1029 inclusive.x<>y
All ports except those specified by the numbers on either side of the operator.x,y
Multiple port specifications may be included in a single field by separating them with commas. For example, `8080-8090, 9080-9090,=9300`
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
WAN Targets
WAN targets define WAN IP addresses and DNS entries that are to be considered as a single logical group for the purposes of policy enforcement.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The targets field configures the list of WAN IPs and/or DNS entries that are members of this WAN target. Any combination of dotted quad IP addresses and DNS names is valid. It is recommended that each WAN target contain either all IP addresses or all DNS names for clarity.
Using DNS names reduces the performance of the system due to the need to perform DNS lookup. Use IP addresses whe possible.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
DPI Signatures
An entry in the DPI Signatures scaffold specifies a set of deep packet inspection rules that are used to identify and classify of end-user traffic.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The rules field contains the deep packet inspection specifications that are used to identify the end-user traffic. Rules are specified using the Snort rule format. The rXg is designed to be compatible with most Snort rulesets that are commonly available for download. For example, the Sourcefire Vulnerability Research Team publishes a list of Snort rules that identify common attacks.
The rXg requires that rules follow a few additional specifications in addition to the Snort grammar:
The
alert
action must be specified. Thelog
andpass
actions will not have any affect when used with the rXg. In other words, any rule that does not begin with thealert
idiom will be ignored when used with the rXg.The
sid
idiom (Snort rule ID) is required for each and every rule. Furthermore no two rules may have the samesid
. Ensure that rules abide by the Snortsid
conventions to preventsid
conflict. Values ofsid
less than one million are reserved for "official" rules. Bleeding Snort publishes rules starting atsid
two million. Entirely new custom rules should start atsid
nine million.
The msg
idiom is used by the rXg for logging. For example, when DPI signatures are used with triggers, the string specified by the msg
idiom is used to populate the reason
field.
Here is a simple example rule that checks to see if a node transmits 10 emails (via port 25) in the past 60 seconds:
alert tcp $HOME_NET any -> any 25 (msg:"possible spammer"; content:"rcpt to\:"; nocase; flow:to_server, established; threshold:type both, track by_src, count 10, seconds 60; sid:9000000; rev:1;)
Here is a another example rule that checks to see if a node opens more than 10 SSH connections (via port 25) in the past 60 seconds:
alert tcp any any -> any 22 (msg:SSH incoming; flow:stateless; flags:S+; threshold:type both, track by_src, count 10, seconds 60; sid:9000001; rev:1;)
Nodes that exhibit such behavior are likely to be zombies that are transmitting spam. The above rule is intended to be used in a DPI signature linked to a policy that is associated with throttling via bandwidth queues or quarantine via captive portal to prevent upstream spamming.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Remote DPI Signatures
An entry in the Remote DPI Signatures scaffold configures the rXg for automatic download of deep packet inspection signatures that are used to identify and classify of end-user traffic from a third-party website.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The categories field allows the operator to choose from one or more groups of predefined signatures present on the third-party server. This field is only useful when the URL of this remote DPI signature refers to a gzipped tarball archive. The signatures present in the archive are presumed to be organized by file name. Each file should contain signatures that are relevant to the name of the file.
The SID whitelist field enables the operator to exclude specific rules from being used. This feature is typically used to exclude overly aggressive rules and thus reduce the possibility of false positives. Consider the following rule from the Snort emerging threats list:
emerging-p2p.rules:alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:3;)
The example rule shown above is known to occasionally trip false positives with Skype file sharing. Listing 2003310
into the SID whitelist field causes the rule to be ignored. Multiple SIDs may be listed in the SID whitelist to tell the DPI engine to ignore more than one rule in the remote set.
When a remote DPI signature record is first created, the categories field will be empty. Once the signatures have been downloaded and extracted for the first time, the names of the files will then appear in this field. After creating a remote DPI signature it is necessary to edit the record and select the desired categories in order for proper operation. Initial download time (and hence, population of the categories field depends upon the size of the archive file as well as the speed of the network connection between the server addressed by the URL.
The URL field contains the URL of the file that the rXg will download. The target file is expected to be in one of two formats: .tar.gz archive or a .txt plain text file. If the file is a gzipped tarball archive (.tar.gz), it is expected to extract multiple files named by category, each of which contains DPI signatures. If the file is plain-text, it is expected that the file is simply a file of the the DPI signatures. The rXg supports DPI signatures formatted for Snort 2.9. Well known remote DPI signature repositories include the official Snort rules and the Snort emerging threats list.
The frequency field specifies the download interval. Some sites have terms of use that specify appropriate download intervals. Please check the remote site terms and conditions carefully before using.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Content Filter Lists
Entries in the content filter lists scaffold are used to define sets of domain names and URLs that are to be blocked or passed by the rXg content filter. Each content filter list record should store a list of domains, wildcards, or URLs that are similar in nature for organizational purposes. Multiple content filter lists may be used simultaneously in a single content filter enforcement.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The category field is used to store a short phrase that is meant to help the end-user understand the reason why the URL is being blocked. The text in this field is presented on the access denied page on the captive portal. For example, if the list includes domains and URLs that refer to online casinos, the phrase "gambling" would be appropriate for the category.
The list field contains the set of entries that comprise this content filter list. When this content filter list is associated with a content filter enforcement, HTTP requests that match entries in this list will be denied. Valid entries include domain names (e.g., somedomain.com) as well as URL fragments (e.g., somedomain.com/somepath/).
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Remote Content Filter Lists
Entries in the remote content filter lists scaffold are used to configure the parameters needed to periodically download third party maintained lists. The de facto standard list format is a compressed archive (.tar.gz) file that extracts into a series of subdirectories named by blocking category. Each entry in this scaffold configures the periodic download of a compressed archive (.tar.gz) file. Multiple archive files may be used in a single content filter policy enforcement.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The categories field allows the operator to choose from one or more groups of URLs and/or domains to include in this remote content filter list definition. This field is only useful when the URL of this remote content filter list refers to a gzipped tarball archive. The names of subdirectories present in the archive are presumed to be the names of blocking categories and show up in this field.
When a remote content filter list is created, this field will be empty. Once the list is downloaded and extracted for the first time, the subdirectories will then appear in this field. After creating a remote content filter list it is necessary to edit the record and select the desired categories in order for proper operation. Initial download time (and hence, population of the categories field depends upon the size of the archive file as well as the speed of the network connection between the server addressed by the URL.
When Custom is selected in the Provider field it allows the operator to specify a custom URL to a list maintained by the operator or another source.
The URL field contains the URL of the file that the rXg will download. The target file is expected to be in one of two formats: .tar.gz archive or a .txt plain text file. If the file is a gzipped tarball archive (.tar.gz), it is expected to extract multiple subdirectories named by category, each of which contains a "urls" file containing a list of specific URLs to list, and/or a "domains" file containing a list of domains (i.e., entire sites) to list. If the file is plain-text, it is expected that the file is a list of domains and URLs to list. The rXg supports lists formatted for ufdbGuard,DansGuardian and SquidGuard. Well known providers include URLfilterDB, Shalla Listand Squidblacklist.org.
The frequency defines the periodicity with which the rXg will download the list archive file from the URL specified. The request to download a new remote content filter list occurs immediately after the create button is clicked. The periodicity of subsequent downloads are determined by the value of specified in this field. The downloading of subsequent updates will always occur between 4 and 5 AM local time.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Policies
The rXg policy enforcement engine is configured via three classes of objects: group records, enforcement records and policy records. Group records (e.g, account groups , MAC groups , LDAP groups , etc.) identify and classify end-users and devices into roles. Enforcement records (e.g., splash portals , application forwards , bandwidth queues ) define and configure behaviors that are to be applied to some or all end-users and devices managed by the rXg. Policy records associate the group records to the enforcement records and define who receives what treatment.
Policies link groups that identify end-users and devices with the enforcement capabilities of the rXg. In the example configuration depicted above, the groups are in the left column and the enforcement records are in the right column. The policies are in the center column and link the groups to the enforcement records. It is these links that define the network experience of the end-user.
If you are familiar with SQL and relational database management systems, then you may recognize the organization of the identity :: group :: policy :: enforcement mechanism. From a DBMS / ERD perspective, the policies should be thought of as rows in a join table that has columns to hold the foreign keys for tables that define kind of group and enforcement configuration.
The network experience for each end-user is determined by the policy. Each and every end-user is identified through one or more mechanisms (e.g., portal credentials, IP address, MAC address, etc.) and assigned to one or more groups. The effective group for a given end-user is resolved through the priority field present in all group objects. The rXg will apply the enforcement capabilities that are connected by the policy that is associated with the effective group.
The identity :: group :: policy :: enforcement mechanism is the method by which all network experience related features are delivered to the end-user. This mechanism determines everything including but not limited to the portal (which one is presented, what usage plans may be selected, etc.), the advertising experience (interstitial and injection), traffic shaping (rate limits and guarantees) and much more.
Consider the following example simple network configuration in conjunction with the policy shown above:
Assume that an end-user opens a laptop and connects to a wireless access point that is bridged into the switch on the LAN side of the rXg. The rXg serves the laptop a DHCP address of 192.168.5.254. Since the rXg is not aware of any identity for the end-user other than the IP address which falls into the IP group called_LAN IPs_, the end-user experiences the splash portal that is associated with the pre-auth policy.
Now let us say that the end-user navigates the splash portal, signs up for an account, selects and then purchases a usage plan. Let us also say that the usage plan that the end-user purchases is linked to the Hotspot group. The end-user now has two independent identities on the rXg (IP 192.168.5.254 and their user account). The IP places the end-user into the IP group called LAN IPs and the account places the end-user into the account group called hotspot.
When a single identity is present in more than one group, the group priority is used to disambiguate the membership. This concept is discussed in more detail in the identities portion of the operator's manual. Notice that the hotspot account group has a priority of 3 while the LAN IPs IP group has a priority of 2. Thus the end-user will now experience the enforcement options associated with the policy named hotspot.
To expand on this example and concept, let us assume that the operator has decided enable Internet access for the smartphones that technicians and administrators carry with them. The flexible nature of the rXg enables the operator to choose amongst many ways that this could be accomplished. Let us assume that the operator wishes to use a MAC address access control list as the authentication mechanisms for the smartphone fleet.
Notice that the Admin SmartPhones MAC group is associated with the T1 policy. Also notice that the priority of the Admin SmartPhones MAC group is 5. When a field technician or system administrator uses the Wi-Fi capability of their smartphone to connect an access point bridged to the LAN side of the rXg, they are issued a DHCP address in the 192.168.5.0/24 block. This makes the smartphone a member of the LAN IPs IP group. Since the priority of the_LAN IPs_ IP group is 2 and the priority of the_Admin SmartPhones_ MAC group is 5, the effective group is the Admin SmartPhones MAC group. Thus the smartphones experience the T1 policy that assigns a 1544 kbps symmetric amount of bandwidth without any forced browser redirection.
Now let us expand on this example. Consider an expanded as depicted by the network diagram shown below. In this example RGN, the operator has setup VLANs that are bridged to geospatially distinct locations.
End-users that connect to access points deployed at a local hotel are bridged into VLAN 2801. Similarly end-users that connect to access points deployed at a local gated community are bridged into VLAN 2808. Thus end-users that are at the hotel are assigned addresses in the 10.0.10.0/24 CIDR and end-users that are at the gated community are assigned addresses in the 172.16.16.0/24 CIDR.
The operator wishes to display distinct captive portals to the end-users at the hotel and the gated community. To accomplish this, two new policy objects are created along with two new splash portal objects. The actual captive portal that is displayed to each end-user is determined by the fields in the splash portal object. Several other aspects of the captive portal (e.g., which usage plans are displayed on the portal) are also determined by the configuration fields in the splash portal object.
In addition, IP group objects that contain the CIDRs for each geospatial location are created so that the non-authenticated end-users are associated with the appropriate policy that displays the desired captive portal. Following the network diagram depicted previously, the appalachian hotel IP group would need to have an IP CIDR member of 10.0.10.0/24 and the black creek sanctuary IP group would have an IP CIDR member of 172.16.16.0/24.
Policies Dashboard
The policies dashboard presents an overview of the current status and configured settings of the rXg policy enforcement engine.
At the top of the policies dashboard is a node-edge graph that depicts the current configured state of the rXg policy enforcement engine.
Groups are presented in a single column on the left. Enforcement records are presented in a single column on the right. Policy objects link groups and enforcement records and are in the middle of the group.
A graph that is isolated to a single policy may be generated by clicking on a policy or group object in the graph.
In addition, the operator may enter an identity (IP address, MAC address, username, token, etc...) into the search field at the top right of the dashboard. The result is an isolate graph (similar to the one shown above) of the groups, policies and enforcement records that are related to the data that is entered. This mechanism is useful for troubleshooting the operation of an rXg. The vast majority of perceived enforcement errors are a result of incorrect configuration that results in the application of a policy other than what is desired.
The views for each policy enforcement feature include a subset of the policies scaffold with the fields that are relevant to each specific enforcement capability. In this scaffold, all of the available enforcement features are presented. This enables the operator to quickly reconfigure what enforcement capabilities are linked to a policy.
At the very bottom of the policy dashboard are graphs that displays the number of sessions and the amount of data transferred for each policy over the course of the past 24 hours.
Captive Portals
The captive portal view presents the scaffolds that configure the behavior of the rXg forced browser redirect mechanism.
The initial forced browser redirect is configured via the splash portals scaffold. Once a device has acquired an IP address via DHCP or via static assignment, the rXg enforces policy based on the group membership. In a typical scenario, most devices will initially be members of an IP group that spans the entire subnet from which the IP address of the device is assigned. To enable the forced browser redirect, the IP group must be configured with a policy that is associated with a splash portal record.
Once redirected to the captive portal specified in the splash portal record, the end-user must present credentials to access the WAN. The supplied credentials determine the new group that the device will be a member of. In a typical scenario, the end-user will supply a username / password pair or a token code that is associated with a account group. If external identification is used, the device will be associated with a RADIUS group or LDAP group.
To complete the captive portal configuration, the new group must be associated with a policy that is linked to a landing portal. In addition, the new group be of a higher priority than the first group. In a typical scenario, the new group is associated with a policy that is linked to several other enforcement mechanisms (e.g., bandwidth queues, multiple uplink controls, web experience manipulation, etc.).
Splash Portals
Splash portals define the pre-authentication settings that are used when forced browser redirect is in effect.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The portal field determines the local captive portal that will be used for pre-authentication. The default RG Nets portal is always available as a choice from this list. Additional choices for the portal field are determined by the custom portals scaffold on the portals view of the system module.
Setting the remote checkbox specifying a remote URL enables forced browser redirect to a captive portal web application that is stored on a remote host. Using a remote host for the pre-authentication pages is not recommended for typical deployment scenarios due to increased latency and complexity. In most clustering and multi-unit central management scenarios, a customized local pre-authentication portal contains hyperlinks to a centrally served portal for unified end-user credential management.
The following substitutions are available for the remote URL :
- %url% - the original URL (desired URL) that the end-user surfed to
- %rxg% - the name of the rXg that executed the redirection
- %ip% - the IP address of the end-user
- %mac% - the MAC address of the end-user
- %wan_ip% - the WAN NAT IP address of the end-user
- %wan_mac% - the MAC address of the interface for the Uplink the user is assigned to
- %wan_mac_last6% - The last 6 characters of the WAN MAC, excluding colons
- %hostname% - the DHCP client hostname of the end-user
- %group% - the name of the group that the end-user was a member of during redirection
- %policy% - the name of policy that the end-user experienced during redirection
- %landing_portal% - the name of the splash portal that the end-user was presented
- %portal_controller% - the name of the custom portal controller that the end-user was presented
- %logged_in% - true or false depending on whether or not the end-user is logged in
- %random_number% - a random eight digit integer
- %error% - an error string
- %notice% - a notice string
- %exception% - an exception string
- %action% the custom portal action that the end-user was redirected to
- %redirect_action% - the custom portal action/view that the end-user was redirected to after processing the request
- %vlan% - client VLAN tag, if any
- %ap_mac% - MAC address of the AP to which the client is currently connected
An example of a remote URL that utilizes substitution is:http://central.srvr/port_app/?orig_url=%url%&subcriber_ip=%ip%
The whitelist field enables the operator to choose one or more wan targets that list IP addresses and/or DNS entries of websites that are to be exempt from the forced browser redirection policy configured by this splash portal record. There are many common uses for the whitelist. When credit card payment gateways are used, the payment gateway servers may need to be whitelisted in order for payments to be processed. If pay-per-click advertising is placed on the pre-authentication portal, the advertising destinations must be in the whitelist to enable proper click through and tracking. Cluster configurations require the cluster controller to be in the whitelist to enable unified user management. In addition, many operators use the whitelist to enable unfettered access to a handful of websites of their choosing.
The configuration options in the automatic login section defines how the rXg captive portal behaves when a account with automatic login enabled joins the network and does not have an existing session. Enabling background mode and/or the portal mode allows accounts with automatic login enabled to connect without having to enter credentials at the captive portal.
If background mode is set to MAC , then the rXg will continually poll the ARP table and/or DHCP leases (as defined by the MAC to IP mapping setting in the device options). The rXg will then automatically create sessions for accounts with automatic login enabled, thus obviating the need for the account to login via the captive portal. If a login session is created by the rXg via the background mode then the end-user will never experience forced browser redirection. Enabling background mode is sufficient for handling most cases of automatic login. However, if the rXg becomes heavily loaded, then the polling nature of background mode automatic login may result in some end-users browsers experiencing forced browser redirect. Thus automatic login is also implemented in the captive portal and enabled via the portal mode option. Disabling the background mode may be necessary to operate in extremely high load environments. Disabling background mode may also be necessary when deploying the rXg in conjunction with certain wireless infrastructures that spoof MAC addresses.
If portal mode is set to anything other than disabled , then the rXg will attempt to create a session and/or login to the portal for accounts with automatic login enabled when a device with a matching MAC address hits the portal. The MAC (create session only) option creates a login session for the account but does not log the account into portal. Thus the end-user web browser is denied access to the profile information stored in the account. This option is most appropriate for high transient environments such as hotspots, hotzones, hotels, conference centers, etc. The MAC (create session, login to portal) creates a login session for the account and also logs them into the portal. This option is most appropriate for fixed wireless broadband environments where the end-user population is mostly static. The MAC AND cookie option is similar to the MAC (create session, login to portal) in that a session is created for the account and the web browser is granted access to the portal. However, in addition to checking for the MAC address, the browser is checked to make sure that a cookie matching one stored by the rXg during previous portal activity is present. This is the most secure method of enabling automatic login but it requires that the end-user bring up the same web browser that they used the last time they interacted with the rXg captive portal. The MAC OR cookie option is similar to MAC AND cookie , except the user's MAC address can have changed as long as there is still a matching cookie in the user's browser. This is useful for situations where a user switches between a wired and wireless connection, thereby changing MAC address. The MAC mode checks only the MAC address. The cookie mode checks only the browser cookie.
The WISPr settings are arbitrary strings that pass meta-data to WISPr client software. Consult the documentation that is provided by wireless service aggregrators for the proper settings for these fields.
The TOS checkbox enables a terms of service requirement for the pre-authentication captive portal.
The policy field relates this record to a set of groups through a policy record.
The shared credential groups field determines which shared credential logins are to be accepted by this portal.
The usage plans field determines which usage plans are to be displayed and accepted by this portal.
Landing Portals
Landing portals define the post-authentication settings that are used when forced browser redirect is in effect.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The portal field determines the local captive portal that will be used for post-authentication. The default RG Nets portal is always available as a choice from this list. Additional choices for the portal field are determined by the custom portals scaffold on the portals view of the system module.
Setting the remote checkbox and specifying a remote URL enables post-login browser redirect to a captive portal web application that is stored on a remote host.
The following substitutions are available for the remote URL :
- %url% - the original URL (desired URL) that the end-user surfed to
- %rxg% - the name of the rXg that executed the redirection
- %ip% - the IP address of the end-user
- %mac% - the MAC address of the end-user
- %wan_ip% - the WAN NAT IP address of the end-user
- %wan_mac% - the MAC address of the interface for the Uplink the user is assigned to
- %wan_mac_last6% - The last 6 characters of the WAN MAC, excluding colons
- %hostname% - the DHCP client hostname of the end-user
- %group% - the name of the group that the end-user was a member of during redirection
- %policy% - the name of policy that the end-user experienced during redirection
- %landing_portal% - the name of the splash portal that the end-user was presented
- %portal_controller% - the name of the custom portal controller that the end-user was presented
- %logged_in% - true or false depending on whether or not the end-user is logged in
- %random_number% - a random eight digit integer
- %error% - an error string
- %notice% - a notice string
- %exception% - an exception string
- %action% the custom portal action that the end-user was redirected to
- %redirect_action% - the custom portal action/view that the end-user was redirected to after processing the request
- %vlan% - client VLAN tag, if any
- %ap_mac% - MAC address of the AP to which the client is currently connected
An example of a remote URL that utilizes substitution is:http://central.srvr/port_app/?logged_in=%logged_in%&subcriber_ip=%ip%
The blacklist field enables the operator to choose one or more wan targets that list IP addresses and/or DNS entries of websites that are always to be redirected to the captive portal web application selected in this landing portal record. In a clustering scenario, it may be useful to redirect certain web accessible cluster resources back to the post authentication portal for load balancing. In an advertising scenario, it may be useful to redirect access for particular websites to the local captive portal web application so that focused local content is delivered over generic content.
The session restrictions settings control the length of the end-user session as well as the automatic logout mechanism. The settings here may be overridden by various other configuration settings of the rXg. For example, if external RADIUS authentication is being utilized, the RADIUS Class attribute may be consulted to configure the session length. Another example is if the account has automatic login enabled. In that case, the portal will not be displayed again until the user no longer has any usage minutes.
Set the amount of time that an end-user is allowed to be logged on before they need to login again using the restriction field. If unlimited login time is desired, check the unrestricted box.
Check the no idle timeout box to disable the automatic logout upon idle feature of the captive portal web application. Account usage minutes will continue to be depleted regardless of traffic when the automatic logout feature is disabled. Alternatively, set a idle timeout to enable the automatic logout feature.
The grace time field enables the captive portal web application to allow end-users to be logged in for a short amount of time to complete the selection and purchase of a usage plan.
The redirect URL field enables the operator to redirect the end-user to a configurable URL after successful login. Check the original box to redirect the user to the URL she requested before being redirected by the captive portal. Leave both fields blank to display the post login success page of the landing portal.
The policy field relates this record to a set of groups through a policy record.
The usage plans field determines which usage plans are to be displayed and accepted by this portal.
Portal Mods
Portal Mods allow the operator of the rXg to modify an existing portal, content can be modified by selecting the view and adding HTML content that will replace the view. Images can also be replaced as well. This allows the operator to easily change images and specify the login options for example.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The Custom field allows the operator to select the custom portal the Portal Modification record applies to.
The Splash and Landing fields allow the operator to select which Splash and Landing portals the record will apply to. This allows the operator to use the same portal but have different changes to either the Splash or Landing side of the portal(s).
The Splash field allows the operator to specify the Splash portal(s) the Portal Modification will apply to.
The Landing field allows the operator to specify the Splash portal(s) the Portal Modification will apply to.
The View field selects the view in the portal that will be modified.
The HTML(ERB) field, contains the code that will modify the selected view.
The Image field, is used to upload an image to replace an existing image in the portal, or can be used to upload an image to be used in the HTML(ERB) field.
The Image to Replace field combined with the Image field allows the operator to replace and existing image on the portal with a custom image.
For examples of how to use Portal Mods see the Portal Customization::Portal Modifications section of the manual.
WiFi Profiles
The Name field is arbitrary and can be set to anything.
The SSID field is used to set the SSID that will be contained in the profile that the client device will connect to after downloading the profile.
The Default checkbox, if checked specifies that this WiFi Profile will apply to all landing portals.
The Server Certificate field allows the operator to specify the SSL certificate that will be included with the profile.
The Landing Portals field allows the operator to specify which landing portal(s) will present the WiFi Profile when the client device successfully connects.
WiFi Profiles allow the operator of the rXg to configure the profiles that will be downloaded to the client device when it succesfully connects to the network. The profile contains the information to connect to the network and installs the certifcate on the device.
Content Filtering
Content filtering enables the operator to deny the transit of web pages that contain textual media that matches filters specified by the operator.
The content filtering mechanism allows the operator to specify independent content filtering policies for different groups. The intention is to allow the operator to generate direct revenue from the application of filtering or for enabling unfettered Internet access.
For example, residential customers may be offered a porn blocking premium service while business customers receive unfettered access. The converse may also be useful where advertising supported hotspot access is restricted from accessing all known objectionable content and a paid upgrade enables unfettered access to the Internet.
In order for content filtering to operate, the rXg must have access to the web page that the end-user requests. This is accomplished by enabling the transparency web proxy which intercepts end-user HTTP requests. If locally cached copies of the content are expired or out of date, a new copy is requested from the server. The rXg content filtering mechanism then operates on the local copy of the end-user requested web page. If the requested web page does not match the profile configured by the operator, an HTTP response containing the requested page is then transferred to the end-user.
Content Not Permitted
When an end-user attempts to access prohibited content, they are redirected to /content_filter
view of the captive portal. By default, this view displays a denied graphic along with the desired URL, the reason for the denial and the categories that were matched. This view of the portal may be customized to any format that the operator desires.
The /content_filter
view of the portal is an integral part of revenue generation through content filtering. For example, if the content filter is being applied to limit access for to end-users in an advertising supported group, the /content_filter
view should be customized to advertise the availability of unfettered access for a fee. If the content filter is enabled as part of a threat management package, affiliate program links to security software downloads (e.g., McAfee, Norton, etc.) would be appropriate.
Content Filters
The content filters scaffold presents the fields necessary to configure the rXg policy enforcement engine to deny access to HTTP responses containing operator specified classes of content.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The filtering section configures the global behavior and filtering sources for this content filter.
The lists and remote lists fields specify the lists of URLs and domains that will be pass or denied in this content filter. The lists and remote lists are configured using the scaffolds below.
The blanket block checkbox is used to place the content filter into whitelist mode. All web pages except those specified in the whitelists are denied when this mode is enabled.
The denied portal action specifies the action on the captive portal that will be called when prohibited content is requested.
The WAN targets field limits the effect of the content filtering settings defined by this record to traffic that is destined to the IP addresses or DNS names listed in the selected WAN targets. By default, a content filter record affects all HTTP traffic matched by the policy regardless of WAN origin / destination. Setting a WAN target causes the breadth of the content filter to be limited to the specified hosts in the manner specified by the WAN target mode.
The content filter only manipulates HTTP traffic by default. Setting the intercept SSL/TLS checkbox enables the content filter to manipulate encrypted HTTPS traffic in the same manner as if it were regular HTTP traffic.
The safesearch checkbox causes the content filter to always enable safe-search mode in search engines. This feature requires the intercept SSL/TLS feature to be enabled because almost all search engines run over HTTPS.
The YouTube EDU ID field configures the content filter to add the specified data to all traffic to/from YouTube. This mechanism enables server-side content filtering for YouTube. Use of this feature requires educational facility registration with Google / YouTube.
The tunnel detection field configures the content filter to look for IP tunneling over HTTPS. The detection may be configured in real-time (higher overhead) or background (higher performance). The operator may also choose to log the presence of HTTPS tunneling rather than denying this behavior outright.
The enhanced HTTPS security checkbox configures the content filter to block access to HTTPS sites that fail to present a SSL certificate that is signed by a trusted third-party.
The policy field relates this record to a set of groups through a policy record.
Remote Content Filter Lists
Entries in the remote content filter lists scaffold are used to configure the parameters needed to periodically download third party maintained lists. The de facto standard list format is a compressed archive (.tar.gz) file that extracts into a series of subdirectories named by blocking category. Each entry in this scaffold configures the periodic download of a compressed archive (.tar.gz) file. Multiple archive files may be used in a single content filter policy enforcement.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The categories field allows the operator to choose from one or more groups of URLs and/or domains to include in this remote content filter list definition. This field is only useful when the URL of this remote content filter list refers to a gzipped tarball archive. The names of subdirectories present in the archive are presumed to be the names of blocking categories and show up in this field.
When a remote content filter list is created, this field will be empty. Once the list is downloaded and extracted for the first time, the subdirectories will then appear in this field. After creating a remote content filter list it is necessary to edit the record and select the desired categories in order for proper operation. Initial download time (and hence, population of the categories field depends upon the size of the archive file as well as the speed of the network connection between the server addressed by the URL.
When Custom is selected in the Provider field it allows the operator to specify a custom URL to a list maintained by the operator or another source.
The URL field contains the URL of the file that the rXg will download. The target file is expected to be in one of two formats: .tar.gz archive or a .txt plain text file. If the file is a gzipped tarball archive (.tar.gz), it is expected to extract multiple subdirectories named by category, each of which contains a "urls" file containing a list of specific URLs to list, and/or a "domains" file containing a list of domains (i.e., entire sites) to list. If the file is plain-text, it is expected that the file is a list of domains and URLs to list. The rXg supports lists formatted for ufdbGuard,DansGuardian and SquidGuard. Well known providers include URLfilterDB, Shalla Listand Squidblacklist.org.
The frequency defines the periodicity with which the rXg will download the list archive file from the URL specified. The request to download a new remote content filter list occurs immediately after the create button is clicked. The periodicity of subsequent downloads are determined by the value of specified in this field. The downloading of subsequent updates will always occur between 4 and 5 AM local time.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Example Content Filter Configuration
In this example we will configure content filter that will block adult content. Navigate to Policies::Content Filtering and create a new Remote Content Filter List.
Give it a name, type should be set to Blacklist. For this example we will use the UT1 Provider. Set the Frequency for often it downloads the list, for UT1 we do not need a username/password, click create.
The system will download the remote list, after waiting about a minute we can edit the Remote Content Filter List we created. The Categories section should now list the categories that can be filtered. For this example adult, dating, and lingerie is selected. Click update.
Next create a new Content Filter.
Give it a name, leave Filter DNS checked, we can change how it lookup response behaves by changing the response, for this example I will leave it on Block w/ NXDOMAIN (return name does not exist). Under Content Lists verify that the Remote list created in the previous step is checked. Lastly select the polices the filter should apply to, and click create.
A custom Content Filter list can be hosted on any accessible web server. The rXg can be configured to use this Custom Content Filter (plain-text or tar/gzip) file by creating a new Remote content Filter List and selecting Custom for the Provider and populating the URL with the direct link to the file. The content filter can be set to synchronize as a daily, weekly, or monthly recurrence.
To host the Custom Content Filter on a rXg device, the filter list can be uploaded to the /space/rxg/console/public folder on the host.
A content filter list is contained within a tar.gz file. The root of the file contains a set of directories which serve as categories for the filter list. The categories are used to select specific types of content to filter from the broader list. Inside each folder there are one or more extensionless text files which contain lists of domains and URLs. The file domains consists of fully qualified domain names for entire websites to be used in a content filter list. The file urls consists of full paths to pages which will be used in the content filter list.
File Structure:
Domain List:
URL List
Event Triggers
The event triggers view displays the scaffolds that configure the events that define transient group membership policy.
The transient group membership mechanism temporarily changes the group membership of an end-user. Since group membership determines which policies are enforced, event triggers are a simple way to temporarily change the end-user experience.
The possibilities of what can be accomplished through transient group memberships are endless. For example, when max connections triggers can be configured to establish transient IP group membership for abusive behavior. The transient IP group may then be associated with a splash portal policy to quarantine the user, a packet filter policy to blackhole the user or a bandwidth queue policy to throttle the user for some specified period of time.
The space-time triggers and quota triggers are typically used for end-user communication and upselling of premium services. A simple way to utilize this is to create a quota trigger that triggers on high utilization and places these end-users into a group. This transient group can then be associated with a policy that is linked to interstitial redirection to a page that communicates with the end-user about their high utilization and offers them the opportunity to buy more. In addition, the interstitial page might offer the end-user the ability to switch to a plan that has higher bandwidth rates.
The DPI triggers enable the operator to apply transient group memberships to subsets of the end-user population that match any profile that may be described in the form of a deep-packet inspection rule. This may be used to detect specific kinds of applications (e.g., BitTorrent, VoIP, etc.) or specific usage patterns (e.g., the presence of a streaming media center or a NAT router). The remote DPI signatures capability enables the operator to deploy DPI triggers as a malware egress filtering mechanism.
All triggers are configured to enforce upon policy and send matches to transient group memberships. End-users are sourced from the policies associated with trigger record. End-users that match the trigger enforcement are then destined for the configured transient group memberships.
Connections Triggers
Records in the connections triggers scaffold define the configuration of the rXg behavioral intrusion protection system.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The max connections field specifies the number of simultaneous connections that an end-user or device can utilize before the behavioral IPS is triggered. The number of connections is determined by counting the number of TCP and UDP streams that transit to the WAN through the rXg. Currently observed active connections, recently attempted connections (regardless of whether or not they actually connected) as well as recently closed connections are all counted. How long recent connection attempts and recently closed connections are counted is determined by the setting the state timeout in the network options.
The operator should tune value for the max connections to a value that best fits the nature of the end-users on the LAN. Many applications utilize multiple TCP and/or UDP streams in parallel. For example many web browsers will open several connections to a web server in order to download multiple assets referenced by a web page at the same time. Cloud computing applications tend to have software hooks that keep several background connections active at all times. Thus a value too small will trip a very large number of false positives.
Setting the max connections field to a value that is overly large prevents the behavioral IPS from detecting malicious software that is designed to avoid attracting attention. Worms that rapidly proliferate by opening as many connections per second as the infected CPU will support have given way to worms that attempt to proliferate under the radar. Many P2P software systems have a setting that configures the maximum number of simultaneous connections whose purpose is to help prevent the software from being detected. Thus it is important to tune the max connections field that is small enough to allow the kinds of applications present on the network while detecting malicious activity.
The behavioral IPS should always be enabled for all networks. If the operator is unwilling to cope with even a single false positive then the max connections should simply be set large enough to put the most egregious offenders into a transient group membership for instant remediation. The transietn group membership is typically associated with a policy that blocks all traffic (e.g., via a splash portal) or slows all traffic down (e.g., via a traffic shaping queue) and notifies the end-user of the violation (e.g., via an interstitial redirect or injection).
The duration determines the length of time that an end-user or device that has triggered the IPS will remain a member of the transient group. Once the duration is reached the transient group membership expires and the end-user or device will be returned to their original policy. If the number of connections being utilized exceeds the configured max connections the trigger will be fired again and the end-user or device will be placed into a new transient group membership for the specified duration.
If an end-user or device triggers the behavioral IPS, they will become a transient member of the IP group specified by the IP group field. connections triggers affect all devices that are associated with the record through the policy regardless of authentication method.
Quota Triggers
Records in the quota triggers scaffold define rules that will change the effective policy of end-users based on the data transfer utilization over a specified period of time.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Quota triggers operate on calculated aggregate traffic transfer over an operator specified period of time. Thus operators configure the quota in multiples of bytes (e.g., megabytes, gigabytes, etc.). Furthermore the operator specifies the quota trigger time period to be since the last recharge or a rolling window of time. The values are mathematically to the traffic shaping system which is deals with instantaneous transfer rates configured in multiples of bits per second (e.g., kilobits per second, megabits per second, etc.) but the use cases are usually very different.
The download , download unit , upload and upload unit fields configure the aggregate amount of data transfer that must be recorded before a triggering a transient group membership. The download and upload fields specify the value representing the utilization level that needs to be met while the download unit and upload unit fields specify the type of the value fields.
When the download unit and/or upload unit is set to % , the download and/or upload value is taken to mean a percentage of the quota stored in the usage plan record associated with the end-user record. For example, if the download quota in the usage plan record is 500 MB and the download field is configured to be 25 with a download unit of % , when the end-user utilization reaches 125 MB, the transient group membership will be triggered.
When the download unit and/or upload unit is set to MB or GB , the download and/or upload value is taken to mean an absolute value in megabytes or gigabytes respectively. The utilization stored in the end-user record must exceed the value configured in the record in order for the transient group membership to be triggered.
The logic field configures whether one or both of the utilization levels specified in the upload and download fields must be met before this record triggers a transient group membership. A setting of and requires both the upload and download utilization levels be met before a transient group membership is triggered. When set to or , satisfying either upload or download utilization level is sufficient to trigger a transient group membership.
The window field specifies the amount of time over which the the quota trigger will measure usage. The window is specified as the time in the past for the beginning of the measurement period. The measurement period always ends at the present. For example if a window of 2 days is specified then the usage will be measured starting from two days ago until the present.
Rolling window based quotas are most often used to control end-user behavior in a manner similar to the rate limiting mechanisms found in the traffic shaper. A rolling window-based quota enables the operator enforce a lower effective transfer rate. For example, a rolling quota of 5 GB per month that is popular with WWAN data providers is comes to an average rate that is only 15 kbps. A relatively loose rolling quota of 10 GB per week comes to only 277 kbps.
This mode is used to apply control over transient or fixed end-user populations regardless of whether or not quota is being explicitly sold to the population. The destination transient group membership is typically associated with a lower maximum instantaneous rate queue along with some kind of end-user notification (e.g., an interstitial that informs the end-user of their overage condition).
If no window is specified then the quota trigger will measure usage since the last quota recharge. This mode is most used in scenarios with a fixed end-user population where the operator wants to upsell additional quota to end-users when their consumption is approaching their purchased limit. The destination transient group membership is typically associated with a notification mechanism (e.g., an injection with copy informing of the overage condition and a link to the portal to purchase an upgrade).
The duration field specifies the amount of time that an end-user will remain a member of the transient group after exceeding the defined transfer quotas. By default the transient group membership is in effect for as long as the quota trigger condition is met.
The account group field configures the destination where end-user matching the utilization values specified in this record will be sent. If an end-user's utilization meets the criteria defined in this quota trigger , they will become a transient member of the account group specified by the account group field.
Space-Time Triggers
Records in the space-time triggers scaffold define rules that will change the effective policy of end-users based on the time of day, day of the week, and physical location.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The start and end fields configure the range of time that the time trigger is active. The start time must precede the end. The trigger is active for the time period between start and end. To specify an entire day, use a start of 00:00:00 and an end of 23:59:59. To specify more than one time period during a single day, multiple time trigger records must be created.
The days field specifies the days of the week that this time trigger is active. A checked box indicates that the the time trigger is active during the day that is labeled. The parameters specified by the days field as well as the the start and end fields must both be satisfied (logical and) in order for the trigger to be active.
The logic field configures whether one or both of the utilization levels specified in the upload and download fields must be met before this record triggers a transient group membership. A setting of and requires both the upload and download utilization levels be met before a transient group membership is triggered. When set to or , satisfying either upload or download utilization level is sufficient to trigger a transient group membership.
The IP group , MAC group and account group fields configure the destination for the IPs, MACs and users associated with this trigger through the selected policy when the trigger is active. Only one of the three possible destinations should be selected for any given record. The account group destination is only effective when the policy is associated with a user group as no login session is created for IP groups and MAC groups.
DPI Triggers
Records in the DPI triggers scaffold define rules that will change the effective policy of end-users based on a DPI signature.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The DPI signatures field links the DPI trigger to one or more DPI signatures specified on the definitions view. The DPI signatures are what are used to determine the firing of the trigger and the temporary IP group membership.
The duration field specifies the amount of time that an end-user will remain a member of the transient group after matching a DPI signature. For example, if a DPI signature specifies a virus and the target transient group is linked to quarantine policy, the duration represents the length of time that the end-user would remain quarantined after the virus is initially detected.
The IP group field configures the destination where end-user matching the DPI signature specified in this record will be sent. DPI triggers affect all devices that are associated with the record through the policy regardless of authentication method.
Remote DPI Signatures
An entry in the Remote DPI Signatures scaffold configures the rXg for automatic download of deep packet inspection signatures that are used to identify and classify of end-user traffic from a third-party website.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The categories field allows the operator to choose from one or more groups of predefined signatures present on the third-party server. This field is only useful when the URL of this remote DPI signature refers to a gzipped tarball archive. The signatures present in the archive are presumed to be organized by file name. Each file should contain signatures that are relevant to the name of the file.
The SID whitelist field enables the operator to exclude specific rules from being used. This feature is typically used to exclude overly aggressive rules and thus reduce the possibility of false positives. Consider the following rule from the Snort emerging threats list:
emerging-p2p.rules:alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:3;)
The example rule shown above is known to occasionally trip false positives with Skype file sharing. Listing 2003310
into the SID whitelist field causes the rule to be ignored. Multiple SIDs may be listed in the SID whitelist to tell the DPI engine to ignore more than one rule in the remote set.
When a remote DPI signature record is first created, the categories field will be empty. Once the signatures have been downloaded and extracted for the first time, the names of the files will then appear in this field. After creating a remote DPI signature it is necessary to edit the record and select the desired categories in order for proper operation. Initial download time (and hence, population of the categories field depends upon the size of the archive file as well as the speed of the network connection between the server addressed by the URL.
The URL field contains the URL of the file that the rXg will download. The target file is expected to be in one of two formats: .tar.gz archive or a .txt plain text file. If the file is a gzipped tarball archive (.tar.gz), it is expected to extract multiple files named by category, each of which contains DPI signatures. If the file is plain-text, it is expected that the file is simply a file of the the DPI signatures. The rXg supports DPI signatures formatted for Snort 2.9. Well known remote DPI signature repositories include the official Snort rules and the Snort emerging threats list.
The frequency field specifies the download interval. Some sites have terms of use that specify appropriate download intervals. Please check the remote site terms and conditions carefully before using.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Log Hits Trigger
Records in the log Hits Triggers scaffolds defines rules that will dynamic blacklisting with transient WAN membership based on log hits.
The*name*field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The*policyfield relates this record to a set of groups through apolicy*record.
The log field allows the operator to select which log will be monitored for predetermined behaviors.
The max hits field specifies the number of log hits for a specified service by a device on the LAN or WAN before the behavior IPS is triggered.
The window field specifies the the amount of time over which the log hits trigger will measure usage. The window is specified as the time in the past for the beginning of the measurement period. The measurement period always ends at the present. For example if a window of 5 minutes is specified then the connection will measure starting from 5 mins ago until the present.
The duration field specifies the amount of time that a connection that an end-user or IP has triggered the IPS will remain a member of the transient group. The the duration is reached the transient group membership expires and the end-user or IP will be removed. If the number of connection being utilized exceeds the configured max hits the trigger will be fired again and the end-user or IP will be placed into a new transient group membership for the specified duration.
The MAC group and IP group fields configure the identity for the IPs, MACs, and users associated with this trigger through the selected policy when the trigger is active. The WAN Target field selects the destination for violating IPs originating from the WAN. This list of IPs can be used in other areas of the rXg configuration. Only one of the three possible destinations should be selected for any given record.
The flush connection states allows an operator to clear some or all of the active session data. Flushing DHCP leases erases IP address assigned. Flushing MAC entries erases the saved MAC addresses from the devices table. Flushing VLAN assignments clears the the VLAN association from the device MAC.
In the notifications section, the message fields allows you to specify which custom email will be sent when an event is triggered.
Interstitial Redirection
Interstitial redirection is the periodic application of forced browser redirection to end-users for the purposes of generating impressions to an operator specified web page.
Interstitial redirection is a mechanism that enables operators to deploy advertising or other messaging on broadband networks in a manner that is similar to TV commercials. End-users and devices that been selected to take part in interstitial redirection are periodically redirected to a target of the operator's choosing. Furthermore, the rXg may require that the end-user experience the chosen target for a specified amount of time before they are able to continue on to their original destination.
Specific criteria must be met in order of a HTTP request to be redirected so that only "normal browsing" WWW sessions are interrupted. This enables web applications such as web-based email to continue to operate correctly even with interstitial redirection is enabled. In addition, interstitial redirection does not modify the content of transit pages in any way. The rXg goes to great lengths to ensure that interstitial redirection does not adversely affect the end-user in any way.
In most cases, the interstitial redirection is a specialized view of the captive portal web application. This enables the operator to have complete control over the content. In a typical deployment, the interstitial view of the captive portal displays a "continue to original request" link as well as several rotated advertisements or other messages. The /interstitial
view of the default portal is provided as an example of how an interstitial redirect target should be formatted.
The choice of content for the target of the interstitial redirects is entirely up to the operator. Any combination of static or dynamic images, JavaScript generated text or just about anything else imaginable can be placed on the redirection target. The most common application of interstitial redirection is to generate impressions of advertiser supplied videos. Forced viewing of video advertisements generate dramatically higher revenue per impression than image or text based advertisements (except for affiliate program conversions).
Interstitial Redirects
The interstitial redirects scaffold configures the periodic forced browser redirection of connected end-users to web content specified by the operator.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The initial minutes , minutes and duration fields control the timing behavior of the interstitial redirect mechanism. Using the broadcast television commercial analogy, the end-users experience a commercial that is duration seconds long with a periodicity specified by minutes. The initial minutes field specifies the amount of time before the first redirect. If the initial minutes is set to 0 then the end-user will experience redirect immediately upon login.
The URL field specifies the target for the forced browser redirect that occurs during an interstitial redirect. In most cases, the specified URL wll be a view of the onboard captive portal web application. The interstitial.erb
in the default captive portal provides an example of an interstitial redirect target with advertising integration. An external web server may also be used as an interstitial redirection target.
Several substitution variables are available for dynamic URL assembly.
%url%The original URL that the browser requested when the interstitial redirection took affect. When the interstitial redirection workflow is complete, the end-user should be directed to this URL.%rxg%The domain name of the rXg as configured in Options view of the System menu.%ip%The IP address of the end-user device that has been subjected to the interstitial redirect.%mac%The MAC address of the end-user device that has been subjected to the interstitial redirect.%hostname%The DHCP client hostname of the end-user device that has been subjected to the interstitial redirect.%group%The effective group of the end-user when the interstitial redirect was initiated. %policy%The effective policy of the end-user when the interstitial redirect was initiated. %landing_portal%The landing portal associated with the effective policy of the end-user when the interstitial redirect was initiated. If no landing portal enforcement record exists, then the value of this variable will be 'default'.%portal_controller%The custom portal controller name associated with the effective policy of the end-user when the interstitial redirect was initiated. If no landing portal enforcement record exists, then the value of this variable will be 'default'.%random_number%A random eight digit integer.
An example of a URL that utilizes substitution variables is:
https://%rxg%/portal/%portal_controller%/interstitial?desired_url=%url%
The WAN targets field limits the effect of the interstitial redirect settings defined by this record to traffic that is originating from or destined to the IP addresses or DNS names listed in the selected WAN targets. By default, an interstitial redirect record affects all HTTP traffic matched by the policy regardless of WAN origin / destination. Setting a WAN target causes the breadth of the interstitial redirect to be limited to the specified hosts in the manner specified by the WAN target mode.
The WAN target mode field determines the effect of choosing WAN targets. When set to ignore, all HTTP requests originating from end-users and devices selected by the associated policy will take part in the interstitial redirect except for the requests that are headed to the IP addresses and DNS names in the chosen WAN targets.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
URL Replacements
The URL replacements scaffold enables fine grain configuration of the rXg HTTP URL request rewriting mechanism. URL replacements enable arbitrary modifications to the URL in an HTTP request. Thus an end-user retrieves a web page that is different from what they originally requested. The URL replacements mechanism uses the same underlying technology as the interstitial redirection feature. The key difference between the two is that the URL replacements mechanism allows for fine grain control. The interstitial redirection mechanism replaces the entire URL whereas the URL replacements mechanism only replaces a portion of the URL.
URL replacements must be associated with a interstitial redirection in order to function. The timing of the URL replacement is defined in the interstitial redirection. Only the first HTTP request in the periodicity defined in the interstitial redirection will be rewritten. All subsequent HTTP requests will pass unchanged.
The match and replacement fields configure the search and replace parameters used to rewrite the URL. For example if a match of microsoft
is configured with a replacement of apple
then an end-user HTTP request forwww.microsoft.com
would be rewritten to www.apple.com
. The match and replacement fields may also be used to modify the parameters passed in a HTTP GET. For example, a match of ?query=hello
and a replacement of?query=goodbye
would result in payload of the variablequery
being changed from hello
to goodbye
. Thus an end-user that enters the string hello
into an HTML form with an input of query
that is submitted via a HTTP GET would end up being rewritten into submitting the stringgoodbye
.
Packet Filters
The packet filters view presents the scaffolds that configure settings to modify the rXg per-packet filtering engine.
The packet filtering is most often configured to deny certain end-users and/or devices access to certain kinds of applications. For example, some revenue generating network operators choose to deny access to P2P file sharing applications in order to conserve bandwidth. The rXg application filters scaffold is used to accomplish this.
Selection of end-users and/or devices is accomplished by associating a policy and applications are selected by associating application definitions to an application filter record. Since account group membership is usually determined by end-user self-provisioning via the captive portal web application, it is possible to enforce different application filters based on the usage plan selected by the end-user (and hence, revenue generated). This enables revenue generating network operators to limit access to certain applications (e.g., P2P file sharing and VoIP) to plans that are premium offerings.
Application Filters
An entry in the application filters scaffold creates a firewall rule that prohibits a particular application from reaching and/or being reached by specified WAN targets
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Rules for a given policy are checked in a top-down order, and the LAST rule to match a packet is the one which will be applied. Care should be given to order the rules appropriately to achieve the desired behavior and avoid being overly restrictive or permissive. More specific rules should be placed below more general rules.
The Action field allows the operator to set the mode to either Block or Pass the traffic as defined in the WAN Targets and Applications fields.
The direction field limits the prohibition of traffic to packets transiting the rXg in a particular direction. The outbound setting configures the firewall rule to drop packets originating from the LAN and destined for the WAN. Conversely, the inbound setting configures the firewall rule to drop packets originating from the WAN and destined for the LAN. The both setting drops all matching packets regardless of the direction of travel.
The WAN targets field limits the effect of the application filter rule defined by this record to traffic that is originating from or destined to the IP addresses or DNS names listed in the selected WAN targets. By default, an application filter denies all traffic matched by the policy regardless of WAN origin / destination. Setting a WAN target causes the breadth of the application filter to be limited to the specified hosts.
By default the WAN Target acts as a blacklist, however by checking the*Invert(!) WAN Targets* box, it will reverse the rule and make it a whitelist so instead of blocking access to what is defined in the WAN target it, it will only allow access to what is defined in the WAN target.
The applications field configures the kinds of applications that will be blocked by the application filter defined by this rule. Selecting multiple application groups applies this rule to all of the selected applications (logical or). By default, all types of packets that match the chosen policy , WAN targets , and applications are blocked.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Filtering rules are applied in a top down order, with the last rule that matches being the one the takes effect, thus rule ordering is important. The Application Filters scaffold also has links to "Move Up" or "Move Down" an entry. More general rules should be at the top of the list and and as the rules get more specific they should be moved down. For example if there are two rules created, one that blocks all traffic and another that passes traffic to a set of WAN targets, the rule blocking all traffic should be moved up to the top, and the rule passing traffic to the set of WAN targets should be below it. This will block all traffic except for sites defined in the WAN target. If the rule order were reversed, where the pass rule is positioned at the top of the list and the rule blocking all traffic is below it, all traffic would be blocked including what is defined in the pass rule because the last rule that matched is the block rule.
Subnet Filters
The subnets filter scaffold configures the rXg packet filtering to enable or disable reachability between LAN subnets. By default, with no subnet filters configured, the rXg permits routing between subnets.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The policies field configures which clients will not be able to access hosts on LAN subnets other than their own. The filtering is unidirectional; clients affiliated with a policy that does not have a subnets filter configured can still access other subnets.
The WAN targets field configures a list of destination hosts that are exempt from the filtering. Clients of the selected policies will still be able to access these hosts, even if they are on a different subnet.
Example filter configurations.
Multi Tenant Example
In this example users will be blocked from communicating across subnets but will have access to a shared resource. First we need to define the resources we want to share by creating a WAN Target by navigating to Identities::Definitions. Create a new WAN Target , the Name field is arbitrary. Enter the IP address or FQDN of resources to be shared. Click Create.
Next navigate to Policies::Packet Filters , edit the existing Subnet Filter or create a new one. The Name field is arbitrary. Select the Shared Printer in the WAN Target field. Lastly use the Policies field to select the policies that should be included for this Subnet Filter. Click Create or Update.
With this configurations tenants will not be allowed to communicate with anything outside of their subnet with the exception of the Shared Printer.
Content Filter Example
In this example an Application Filter will be created that will block streaming services. By default the rXg comes with Applications that includes both Destination Ports and WAN Targets for popular streaming services. Create a new Application Filter , the Name field is arbitrary. Specify if inbound/outbound or both should be blocked using the Direction field. Leave the WAN Target field blank as the WAN Targets are attached to the Applications already in the included applications. In the Applications field, select the Applications to block. Lastly using the Policies field select the policies that this filter should be applied to. Click Create.
Block all traffic except what is whitelisted.
In this example the packet filter will be configured to block all traffic except for what is defined in the selected Wan Targets.
First define the site or sites we wish to allow access to by creating a WAN Target. Navigate to Identities::Definitions. Create or edit and existing WAN Target. For this example Social Media will be allowed but everything else will be blocked.
Next navigate to Policies::Packet Filters and create a new Application. The Name field is arbitrary. Protocol field should be set to tcp udp. For the Destination ports field enter >0, this will include all ports greater than 0. Click Create.
Next create a new Application Filter , the Name field is arbitrary. Set the Direction field to both. Use the WAN Targets field to select the desired WAN targets. To make the WAN targets a whitellist instead of a blacklist check the*Invert (!) WAN Targets* checkbox. In the Applications field select the Application created earlier that contains all ports. Lastly use the Policies field to select the policies to apply the filter to.
This configuration will only allow members of the Bronze policy access to social media sites and not allow them to access other sites.
Pass/Block Filter Example
In this example a rule will be created that blocks ICMP to the 8.8.8.0/24 subnet, and another rule will be created to pass ICMP traffic to 8.8.8.8.
First create the WAN target that contains the IP's to be blocked and another that contains the IP's to allow. Navigate to Identities::Definitions. Create a new WAN Target. Give the WAN target a name, and for the target enter 8.8.8.0/24. Click Create.
Create another WAN Target , this time the target will be the address to allow, in this case 8.8.8.8, click Create.
Next navigate to Policies::Packet Filters and create a new Application Filter. Give the application filter a name, Action should be set to block , Direction set to both. In the WAN Target field select the WAN target that contains the 8.8.8.0/24 subnet. In the Applications field select the ICMP application. Select the policies this rule should apply to, and click Create.
Create another Application Filter , give it a name. The Action field should be set to pass , and the Direction Field set to both. In the WAN Targets field select the WAN target contaning the addresses that are to be allowed. Select the ICMP application in the Applications field. Select the polcies the filter should apply to and click Create.
Now members of the Bronze and Silver policies can ping 8.8.8.8 but cannot ping other addresses in the 8.8.8.0/24 subnet. NOTE: the order of the rules are important, for this to work the PASS rule must be below the block rule in the scaffold. The order can be changed by clicking the Enable Drag & Drop link above the scaffold, or using the Move Up/Move Down links for an individual rule.
Packet Forwards
The packet forwards view presents the scaffolds that configure settings to modify the per-packet forwarding configuration.
The rXg packet forwarding engine enables the revenue generating network operator to reroute traffic according to predefined rules. There are classes of forwarding rules that the operator may specify. The operator may choose to create rXg forwards that reroute traffic that is originally destined for the rXg. In addition, the operator may choose to create transit traffic forwards that reroute traffic that originates from the LAN and is transitting the rXg ot the WAN.
rXg forwards enable the operator to deploy publicly accessible services on hosts that are on private IP addresses and using NAT to access the WAN. In a typical scenario, rXg forwards are used to enable remote access to infrastructure management mechanisms, public web servers, etc. When deployed generically, this concept is called port forwarding.
The rXg packet forwarding mechanism builds upon the generic port forwarding concept by enabling the same port to be forwarded to different hosts depending on the originating (WAN) host. In addition, the application forward is limited in effect via policy. This enables the revenue generating network operator to use application forwarding to sell a premium service in a similar manner to application filters.
Transit traffic forwards enable the operator to reroute end-user traffic to operator specified destinations. In a typical scenario, transit traffic forwards are used to require end-users to use operator specified proxies. For example, transit traffic forwards are particularly useful for rerouting all outbound email tranmissions through an operator specified SMTP relay. Another example would be to forward all Jabber IM requests to a Jabber proxy that injects advertising.
The operator specifies which end-users are affected by transit traffic forwards through policies. This fits naturally with the rXg zero operator intervention provisioning methodology and enables operators to deploy transit traffic forwarding as a premium service. For example, hotspot operators may desire to charge a premium for SMTP relay.
rXg Forwards
An entry in the rXg forwards scaffold creates a packet forwarding rule that reroutes traffic originally destined for the specified applications on the rXg to a destination specified by one or more IP groups associated with the selected policy.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The applications field configures the class(es) of packets that will be forwarded by the rules generated as a result of this record. Selecting multiple application groups applies this rule to all of the selected applications (logical or).
The source WAN targets field limits the effect of the inbound application forward rule defined by this record to traffic that is originating from the IP addresses or DNS names listed in the selected source WAN targets. By default, an rXg forward rule acts as a generic port forwarder that redirects all traffic matching the configured applications. Setting a source WAN target causes the rXg forward to limit the breadth of the rule to packets originating from the specified host(s).
The destination port override field specifies an alternative port to send the forward traffic. If left unspecified, the original destination port specified by the application is used as the destination port. If specified, all traffic is redirected to the selected port. For example, if the application is configured to be SMTP (destination port 25) and the destination port override is configured to be 587, all port 25 traffic will be forwarded to port 587 on hosts contained in the destination policies.
The policy field relates this record to a set of groups through a policy record.
The policy mode field configures the forwarding behavior when the linked policy contains multiple groups or multiple members in a group. The first member only option causes all traffic coming in from the WAN to the port specified by the application to be forwarded to the first member of the first group. The round-robin option causes inbound traffic on the port specified by application to be load balanced between all members linked to the policy. If only a single group with a single member is linked to the enforcement record, the behavior will be identical to first member only. This option is useful for having inbound requests load balanced to a farm of servers. The autoincrement option causes the enforcement record to create a many to many mapping between ports and group members. For example, if the application specifies a port of 5000, and the policy links to a group with members 10.0.1.100, 10.0.1.101 and 10.0.1.102, then port 5000 will forward to 10.0.1.100, port 5001 will forward to 10.0.1.101, port 5002 will forward to 10.0.1.102, etc. The autoincrement option is useful for easily configuring remote monitoring of a large number of LAN devices when site-to-site VPN is not possible.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Transit Traffic Forwards
An entry in the transit traffic forwards scaffold creates a forwarding rule that reroutes traffic originating from the LAN to the destination specified on the WAN. The rXg transit traffic forwarding mechanism supports generic (universal) port forwarding as well as policy specific forwarding.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The applications field configures the class(es) of packets that will be forwarded by firewall rules generated as a result of this record. Selecting multiple application groups applies this rule to all of the selected applications (logical or).
The policy field relates this record to a set of groups through a policy record.
The policy mode field for outbound forwards is always set to round-robin. If only a single WAN target is specified, then all traffic will always be redirect to the specified WAN target. If multiple WAN targets are specified, outbound traffic is load balanced amongst the specified WAN targets /.
The destination WAN targets field specifies the destination of the traffic for the transit traffic forward. If multiple hosts are defined by the specified WAN targets, the destinations are forwarded connections on a round-robin basis.
The destination port override field specifies an alternative port to send the forward traffic. If left unspecified, the original destination port specified by the application is used as the destination port. If specified, all traffic is redirected to the selected port. For example, if the application is configured to be SMTP (destination port 25) and the destination port override is configured to be 587, all port 25 traffic will be forwarded to port 587 on hosts contained in the destination WAN targets.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Payload Rewriting
The payload rewriting feature of the rXg allows operators to dynamically modify the content of any or all HTML pages that transit the rXg. Payload rewriting is embodied by two key features: HTML injection and HTML rewriting. HTML injection enables operators to easily add content to transit web pages. HTML rewriting enables operators to arbitrarily modify the HTML of transit web pages.
Enabling the payload rewriting feature of the rXg is accomplished by add the desired rewriting configurations into a HTML Payload Rewrites record which is related to a Policy. The effect of the rewrite is controlled by configuring the HTML Injections and HTML Rewrites scaffolds.
HTML Payload Rewrites
The HTML payload rewrites scaffold configures the replacement of web content in web pages that transit the rXg. It is used to link the definitions of desired rewriting configured in the HTML Injections and HTML Rewrites scaffolds to a Policy.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The WAN targets field limits the effect of the HTML payload rewrite settings defined by this record to traffic that is originating from or destined to the IP addresses or DNS names listed in the selected WAN targets. By default, an HTML payload rewrite record affects all HTTP traffic matched by the policy regardless of WAN origin / destination. Setting a WAN target causes the breadth of the HTML payload rewrite to be limited to the specified hosts in the manner specified by the WAN target mode.
The WAN target mode field determines the effect of choosing WAN targets. When set to ignore, all HTTP requests originating from end-users and devices selected by the associated policy will take part in the HTML payload rewrite except for the requests that are headed to the IP addresses and DNS names in the chosen WAN targets.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
HTML Injections
The HTML injections scaffold configures the insertion of operator specified web content into web pages that transit the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The position field specifies the location where the operator specified web content will be inserted into every web page that transits the rXg.
The recipe field configures which methodology the rXg will use to inject HTML content into web pages. Setting this field to virtual frames will result in HTML content being injected as a header, footer or sidebar (depending on the setting of the position ). Setting this field to floating overlay results in the injected HTML payload being delivered in a stylized HTML div element that floats over existing web content. The ad element overlay option is a specialized recipe designed to work with the rXg integrated advertising rotation mechanism to deliver advertising overlay.
The CSS and HTML fields specify the web content that will be inserted into every web page that transits the rXg.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
HTML injection is a unique capability of the rXg that enables operators to insert snippets of HTML into any transit web page. When enabled, the response from upstream web servers (or local stores if the persistent cache is enabled) are buffered into the RAM of the rXg. The payload is then analyzed for compatibility with injection.
Compatible payloads are rewritten according to the operator selected recipe. The virtual frames recipe converts the original web page into one that uses CSS to emulate frames. The original web content appears at the center of the frame emulated page with operator specified content around the four edges.
The floating overlay recipe enables operators to insert contant that they desire in a stylized HTML div that is present on all web pages. A small red button is present so that the end-user may close the overlay in case critical content is residing behind the div.
The ad element overlay recipe specifically targets well known advertising delivery mechanisms for HTML injection. This recipe demonstrates the ability of the rXg to seemlessly deliver advertising impressions by overlaying existing publisher-controlled advertisments with operator-controlled advertising inventory.
The ad element overlay recipe works in conjunction with the rXg integrated advertising delivery mechanism. This recipe expects that rotators named "160x600," "180x150", "300x250" and "728x90" exist. Rotatees associated with the appropriate rotator should contain the operator-controlled advertising inventory that will be overlaid on top of publisher-controlled advertising content that is present on web pages. Furthermore, the advertising overlay script must be executed by injecting:
<script type='text/javascript'>
adRotatorOverlay();
</script>
HTML injection is typically deployed for three purposes: messaging, up-selling and advertising.
One common application of HTML injection is operators to broadcast messages to the end-user population. Operators are most often going to communicate service messages such as notification of a scheduled system outage. Some operators choose to make use of HTML injection messaging as part of a larger emergency notification system strategy. Sometimes it is possible for operators to leverage this capability to partially fund their networks using federal emergency management grants.
Operators may also use the HTML injection mechanism to up-sell premium services. For example, injection may be used to bring parts of the captive portal into the view to allow an end-user to easily purchase more quota, higher rate limits, etc. In a typical deployment, a quota trigger is configured to place end-users with high percentage or absolute value of quota utilization into a transient group that is associated with a policy that has injection enabled. The injection payload is then configured to notify the end-user of their high utilization and offer them the option of clicking through to purchase more quota and/or upgrade to a higher bandwidth plan.
Many operators choose to use the HTML injection mechanism to deliver advertising. By incorporating operator specified content into potentially every single web page that transits the rXg, a tremendous number of advertising impressions may be generated. In a typical deployment, HTML injection used to generate advertising impressions is associated with a policy that contains "free" end-users while paid end-users do not experience any advertisements.
HTML Replacements
The HTML replacements scaffold configures the generic search-and-replace engine for web pages that transit the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The match field the string that the engine will use to search for. The entirety of the match field will be replaced with the contents of the replacement field. Parenthesis may be used to store all or part of the contents in the match field for use in the replacement field.
The replacement field is the string that will be used by the engine to replace the match string. The replacement field may contain text or substitution variables such as $1, $2, etc. The number after the $ represents the contents of the parenthesis specified in the match.
The replacement field may also contain a server-side include substitution variable of the form %ssi%FILENAME%. For example, %ssi%/space/portals/your_portal/static/abc.html% will substitute tag with the contents of the file abc.html.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
HTML rewriting enables operators to perform "search and replace" on the web pages that transit the web page. The operator configures a string to match and a string to replace. The rXg loads each transit web page in memory and looks for the match string. If found, the match string is removed and the replacement is inserted in its place.
Consider the following example:
<html>
<head>
<title> A Simple Page</title>
</head>
<body>
<h1> Simple Web Page </h1>
This is the simplest web page possible.
Here is an image:
<img src="/some_photo.jpg"/>
</body>
</html>
If a HTML rewriting record is created with the match field set to simplest
and the replacement field set to most complicated
, the resulting web page that the end-user sees would be:
<html>
<head>
<title> A Simple Page</title>
</head>
<body>
<h1> Simple Web Page </h1>
This is the simplest web page possible.
Here is an image:
<img src="/some_photo.jpg"/>
</body>
</html>
HTML rewriting records apply to every part of the HTML present in the web page. This allows the operator to effect dramatic changes to the look and feel as well as the structure of the web page. For example, it is possible to create a match rule to replace the stylesheet referenced by a page or add a CSS class to every instance of a particular element. The generic nature of the HTML rewriting engine opens up a broad spectrum of possible applications.
Persistent Caching
Persistent caching is a feature of the rXg that benefits the both end-users and operators with both a perceived and actual increase in performance and as well as a decrease in uplink utilization. When enabled, the local persistent store is consulted before any request is sent to the original web server destination. The request is serviced using a local copy if one exists. If not, the request is serviced by originating a HTTP request from the rXg and transmitting the response to the original end-user or device that made the request.
The HTTP headers of the response are checked for cache control options. If the content is cacheable, it is placed into the persistent store. To keep the cached content up to date, the proxy will transmit a request to the original web server to check to see if content has modified based on an expiration timetable configured by the operator. Enabling the persistent cache is a simple way to dramatically improve the performance and reduce the WAN uplink utilization of most revenue generating networks.
Web Caches
Records in the web caches scaffold enable the rXg integrated transparent web cache. The transparent web cache utilizes persistent storage to store HTML pages and assets that transit the rXg. Enabling the web cache reduces WAN uplink utilization as commonly accessed files will be served from the rXg persistent store.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The Intercept SSL/TLS checkbox enables the rXg integrated HTTPS proxy. Enabling this feature tells the rXg to intercept all HTTPS traffic, determine the destination and generate an SSL certificate matching the destinaion on-the-fly. Client software will report an SSL certificate error unless the rXg SSL certificate which is used to sign all of the on-the-fly generated certificates is installed on the client device.
The WAN targets field limits the effect of the web cache settings defined by this record to traffic that is originating from or destined to the IP addresses or DNS names listed in the selected WAN targets. By default, a web cache record affects all HTTP traffic matched by the policy regardless of WAN origin / destination. Setting a WAN target causes the breadth of the web cache to be limited to the specified hosts in the manner specified by the WAN target mode.
The WAN target mode field determines the effect of choosing WAN targets. When set to ignore, all HTTP requests originating from end-users and devices selected by the associated policy will take part in the web cache except for the requests that are headed to the IP addresses and DNS names in the chosen WAN targets. Conversely, when set to cache, only the HTTP requests headed to the chosen WAN targets originating from end-users selected via the policy will be cached and all other requests will not be cached.
The policy field relates this record to a set of groups through a policy record.
Web Proxy Servers
Entries in the Web Proxy Servers scaffold define configuration profiles for the rXg integrated web proxy and cache.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The mode field affects how and when objects are cached.
The memory (diskless) option utilizes an in-memory cache that is faster than storing cached objects to disk, but sacrifices caching larger files. This mode utilizes a heap GDSF algorithm which optimizes object hit rate by keeping smaller popular objects in the cache so a request has a better chance of getting a hit. It achieves a lower byte hit rate by evicting larger (possibly popular) objects.
The disk + memory option utilizes both an in-memory cache and a disk cache, which facilitates caching larger objects, and more content in general, which optimizes uplink bandwidth utilization at the expense of performance compared to the memory-only mode. The disk cache utilizes a heap LFUDA algorithm which keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached.
The disabled (proxy-only) mode disables all object caching and is useful in conjunction with the content filtering and/or payload rewriting proxies, when caching is not desired or performance is of higher priority than optimizing uplink utilization.
The disk cache size field limits the amount of disk space to use for the disk cache when the mode field includes the disk method. This field is automatically calculated based on the size of the system's disk and cannot be set higher. Setting it lower may be desired to affect cache behavior.
The disk file size field limits the maximum size of an object cached to disk. This field may be changed to affect the byte versus object hit rate of the disk cache.
The memory file size field limits the maximum size of an object cached to memory. This field may be changed to affect the byte versus object hit rate of the memory cache.
The prefetch limit field sets an upper limit on how far (number of bytes) into the file a Range request may be to cause the web cache to prefetch the whole file. If beyond this limit, the proxy forwards the Range request as it is and the result is NOT cached. This is to stop a far ahead range request (lets say start at 17MB) from making the web proxy fetch the whole object up to that point before sending anything to the client. A size of 0 causes the web proxy to never fetch more than the client requested.
The clear cache field forces the disk cache to be flushed. It is necessary to check this field when making changes to some of the above options.
The Certificate Authority and Certificate fields are used to specify the rXg certifcate that will be used to sign the on-the-fly generated certificates used by the SSL intercept mechanism. The certificate specified here must be installed on client devices that participate an rXg policy with SSL interception enabled in order to avoid certificate errors. The Certificate Authority and Certificate fields are mutually exclusive (only one may be specified).
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
Traffic Shaping
The rXg traffic shaping mechanism offers five key bandwidth management capabilities: rate limiting, link share equalization, burst rates, bandwidth guarantees and packet prioritization.
All shaping capabilities are configured through bandwidth queue records which are specified to operate on each individual IP, each group or the policy as a whole. Multiple bandwidth queue records may be associated with a single policy to define a hierarchy of shaping controls.
Furthermore, enforcement may be limited to specific applications and/or WAN targets. The rXg applies more specific definitions first when multiple bandwidth queues records are associated with the same policy.
Rate Limiting
Rate limiting is a key capability that enables operators to oversubscribe WAN uplinks. In most usage scenarios, end-users consume little to no bandwidth most of the time interspersed with occasional spikes of heavy utilization. Rate limiting controls the maximum value of the heavy utilization periods. Preventing a handful of end-users from overwhelming the network with heavy utilization enables operators to dramatically oversubscribe WAN uplinks and profit from the results.
Rate limiting is a central aspect to the marketing program of most revenue generating networks. For example, the operator may choose to offer three tiers of service (768k / 256k, 1.5M / 512k, 5M / 1M) at prices that increase appropriately ($19, $39, $99). These tiers of service are configured as rate limits and tied to the billing system through group membership. When an end-user comes to the captive portal, they are given the opportunity to choose from the plans being offered. Once a plan is selected, they will be charged appropriately and then placed into a group automatically which has been associated with the appropriate bandwidth queue. Thus the rXg enables operators to offer multiple tiers of service that are integrated into the billing system and self-provisioned by the end-user with zero operator intervention.
Link Sharing and Flow Equalization
Profitable networks are oversubscribed and heavily oversubscribed networks will have periods where uplinks will be saturated. Many traffic shaping solutions fail to address the potential for random flow starvation with saturated uplinks that is a result of the nature of packet based network architectures. For example, if the uplink is 10 Mbps and the rate limit is 3 Mbps and there are 10 end-users, then just 4 out of the 10 end-users can fully saturate the uplink at which point some of the end-users will undoubtedly have a very poor experience due to the random nature of packets being dropped.
The rXg automatically enforces heuristic link sharing and per-flow packet rate equalization when traffic shaping is enabled. This feature prevents flow rate reduction from being exacerbated into extremely poor service. The rXg automatically slows down the highest rate flows as uplinks begin to saturate. Given a 10 Mbps uplink and 10 end-users that are all attempting to pull the full 3 Mbps specified in their rate limit, the rXg would automatically enforce link sharing at 1 Mbps to each end-user.
Burst Rates
Highly profitable revenue generating networks depend on creative service offerings that entice end-users to purchase premium services. Burst rate limiting enables operators to make service offerings that have a higher initial rate. The burst rate is typically much higher than the sustained rate limit in order to maximize marketing potential. For example, an operator may wish to offer a basic service that has a 3 Mbps sustained rate limit and a premium service that has a 5 Mbps sustained rate limit. The premium service could be enhanced with a 20 Mbps burst rate without dramatically affecting the oversubscription ratio. A premium service of 20 Mbps burst with 5 Mbps sustained is dramatically more attractive than the 5 Mbps sustained without the burst rate.
The rXg enforces burst rate limiting when the queue for an end-user is empty. The end-user will be delivered the burst rate at best effort for the configured burst time. Once the burst time has expired then the sustained rate limit will be delivered at best effort. The burst rate may be delivered to the end-user again if the end-user queue empties. It is important to note that the burst rate is delivered with best effort. It is unlikely that burst rates will ever be delivered when a link is saturated as the rXg will enforce linkshare equalization on highly oversaturated links.
Bandwidth Guarantees
Bandwidth guarantees enables operators to offer service level agreements that specify a minimum committed rate. In a typical deployment scenario, bandwidth guarantees are packaged as a premium service offering to end-users. For example, a "business class" offering may include a committed symmetric rate of 1.544 Mbps as a T-1 equivalent. Another common offering is a 128 Kbps committed symmetric rate for VoIP.
Bandwidth guarantees may not compose more than a fraction of the total available bandwidth on a WAN uplink. A good rule of thumb is that no more than 25% of the total available bandwidth should be allocated as a guarantee. Furthermore, bandwidth guarantees are only relevant within traffic shaping definitions that have the same priority.
The automatic link sharing and flow equalization feature of the rXg traffic shaping mechanism obviates the need to explicitly specify a rate guarantee for "best effort" service delivery. Guarantees should deployed carefully and always in conjunction with a premium service offerings to maximize revenue potential. In most cases, it is appropriate to think of the bandwidth guarantee as a mechanism to override linkshare equalization and give a small population of end-users an unequal share of the bandwidth.
Packet Prioritization
Packet prioritization enables operators to enforce hard priority on different classes of traffic. This enables the operator to ensure that certain end-users or devices are always serviced before other end-users or devices.
In a typical usage scenario a very high priority is assigned for VoIP and infrastructure management traffic. This ensures proper voice quality and the ability to manage the devices that power the infrastructure. In addition, "free" and pre-authenticated end-user traffic is typically given a very low priority.
Hierarchachal Enforcement
The rXg enables the operator to specify the traffic shaping enforcement at three different levels. Shaping by IP address is the finest grain enforcement support of the rXg and is at the bottom of a shaping hierarchy. Enforcement of shaping by group and policy enables operators to configure aggregate queuing and build up two more levels of a traffic shaping hieararchy.
The operator may specify up to three hierarchachal levels of enforcement for a given set of applications and WAN targets. Levels of the heirarchy that are omitted default to 100% of the parent. The implied parent of all policies is the uplink.
Shaping by IP address treats the configured bandwidth queue as a template to be replicated to each and every associated IP address. Every IP in the CIDR range that is associated with a linked bandwidth queue is assigned independent rate limits, bursts and guarantees when shaping by IP enforcement is enabled for policies associated with IP groups. Similarly, when shaping by IP enforcement is enabled for other types of groups (e.g., MAC groups, Account groups, RADIUS groups, etc.), each resolved IP address that is a member of associated groups is assigned an independent rate limit, burst and guarantee.
Shaping by group treats the configured bandwidth queue as a template to be replicated for each group linked to the bandwidth queue. This shaping mode is useful for applying the same rate limits to a set of groups linked through a single policy. Consider a network where VLANs are being used to identify end-users. Unique IP groups could be created for each VLAN and then the IP groups could all be associated through one or more policies associated with a single bandwidth queue.
Shaping by policy creates a single aggregate queue for each policy associated with the bandwidth queue. This shaping mode is less granular than shaping by group. All IP groups , MAC groups , etc., associated with a single policy will be assigned to the same aggregate queue. However if multiple policies are associated with the bandwidth queue then each policy will each be shaped independently.
The rXg generates a diagram of the configured hierarchy to help operators visualize the enforcement. The lowest level of the hierarchy (shaping by IP) is on the left. Packets are first shaped by IP, then by group and then by policy moving from the left to the right of the diagram.
The first example (shown above) depicts the simplest case of traffic shaping where an aggregate queue over all entities within a policy is desired. Since only the policy level of the hierarchy is defined the other levels default to 100%.
Alternatively the operator might desire to only configure shaping by IP without any aggregate queueing. This scenario is depicted in the example shown above. The diagram gets more interesting when more levels of the traffic shaping heirarchy are configured.
In the example given above, all three levels of the heirarchy are explicity specified. Thus an individual IP address is limited to 1 Mbps / 512 Kbps (with a 2 Mbps / 1 Mbps burst), while the group that the IP belongs (which in this case represents a corporate account) to is limited to 2 / 1 Mbps (with a 3 / 2 burst) and finally the set of all corporate accounts that fall within this structure are limited to 5 / 3 Mbps.
Bandwidth Queues
Bandwidth queues define traffic shaping policies.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the relative priority of the traffic that is assigned to this bandwidth queue. All packets waiting in a queue with higher priority are forwarded before packets waiting queues in lower priorities are serviced. The priority is completely independent from the rate limits and guarantees of a queue.
The absolute value of the priority field has no meaning as the enforcement of the packet priority policy is based on the relative values of each queue. The priority of 0 is the lowest and used to designate queues that are filled with packets that are least important or the least sensitive to delay. For example, bulk web traffic might be assigned a priority of 1 while VoIP traffic might be assigned a priority of 5.
The download rate limit and upload rate limit fields configure the absolute maximum steady-state transfer rate for this queue. These values are often described as being delivered with "best effort" in oversubscribed networks. This is because the actual maximum transfer rate is determined by numerous factors such as the size of the WAN uplink and the amount of traffic being generated by other end-users.
In heavily oversubscribed scenarios, the actual achievable maximum transfer rate experienced by the end-user will likely be much lower than the rates specified. In lightly used networks or networks with lower oversubscription ratios the data transfer rate may come be equal to but will never exceed the rate specified by these values unless a burst setting is configured.
The download rate burst and upload rate burst determine the initial maximum traffic rates for the specified burst time. These optional values allow the operator to offer end-users an initial burst of higher speed for a short period of time. These values are similar to the download rate limit and upload rate limit fields in that the specified rates are delivered with "best effort" and the actual maximum rate is determined by the amount of traffic being generated by the end-user population.
The download rate guarantee and upload rate guarantee are optional fields that configure the desired of amount of bandwidth that is dedicated to the queue. This value must be set carefully as it is a true dedicated guarantee and may not be oversubscribed. The operator should never guarantee more than 25% of the available bandwidth at any given time as doing so will likely result in an unstable network. It is particularly important to be very judicious with the use guarantees when configuring per-device Bandwidth Queues scenarios because the actual bandwidth guaranteed is determined by the specified value multiplied by the number of end-user devices. The bandwidth required to configure the guarantee may quickly become unmanageably large if an unexpectedly large number of end-users joins the network.
The WAN targets field limits traffic admitted to the queue defined by this record to traffic that is originating from the IP addresses or DNS names listed in the selected WAN targets. By default, a bandwidth queue will admit all traffic that is originating from and destined for the end-users and devices linked through the associated policies. Setting a WAN target causes the bandwidth queue to limit the breadth of admission to traffic destined for and originating from the designated hosts.
The applications field configures the kinds of packets that will be admitted to the bandwidth queue defined by this record. Selecting multiple application groups admits the packets from all of the selected applications (logical or). By default, all types of packets that match the chosen policy and WAN targets are admitted. Selecting one or more applications reduces the breadth of the queue admission configured by this record to the packets classified as being part of the chosen applications.
The shaping field configures the granularity of the traffic shaping enforcement. Setting this field to policy , group account or IP results in the configured settings being used as a template that is replicated for each associated policy , group or IP respectively. See the full traffic shaping help page for details.
The disable auto-IP queues field (a.k.a. LPV-mode) can be enabled only for queues configured for group or account sharing. This option disables the generation of the auto-IP queues for each IP member of an IP group, unless there is an explicit device sharing queue that also applies to the device. This drastically reduces the number of queues and firewall rules, thereby enhancing packet processing performance in scenarios where there is no portal and no device-specific rules. The trade-off to this is that there are no longer per-IP queue counters to instrument, meaning some visibility into device traffic rates is lost. This mode is not enabled if the policy has multiple link controls, since it would cause all traffic within the group to use a single uplink, or if there is a Captive Portal, since device-specific rules are required to pass traffic after authentication.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Uplink Control
The uplink control view presents the scaffolds that configure the multiple uplink control mechanism of the rXg.
The multiple uplink control mechanism of the rXg enables operators to leverage the capacity and diversity of multiple WAN uplinks without the complexity, operational difficulty and support burden associated with traditional multihoming techniques (e.g., ARIN ASNs, upstream network cooperation and reconfiguration, etc. ). Multiple uplink control provides the operator with four distinct capabilities: bandwidth aggregation, uplink failover, carrier diversity and application affinity.
Bandwidth Aggregation
The rXg multiple uplink control mechanism utilizes multiple WAN uplinks as a team. This allows the operator to treat several uplinks as if they were a single high bandwidth uplink. Significant operational cost savings may be achieved through proper employment of this feature. For example, a turn-key rXg can be deployed with multiple uplink control to aggregate seven standard 7.1 Mbps x 768 Kbps ADSLs resulting in a virtual link that is nearly 50 x 5.5 Mbps. The MRCs associated with seven ADSLs is approximately $300, a fraction of the $5000 or more that would be incurred for a 45 Mbps T3.
Aggregating numerous WAN uplinks is also an effective way to scale uplink bandwidth with the end-user population. Since MRCs tend to scale with uplink bandwidth and revenue tends to scale with end-user population, multiple uplink control enables proportional scaling of cost with revenue. In addition, most high-bandwidth leased lines have long deployment lead times. Multiple uplink control enables operators to quickly deploy RGNs with one or two commonly available WAN uplinks (e.g., cable modems and DSLs). The operator may then dynamically increase total available bandwidth by simply adding more WAN uplinks from any ISP of the operator's choosing.
Uplink Failover
The multiple uplink control mechanism enables operators to easily increase the fault tolerance of the network and decrease the dependence of operator on WAN uplink providers. When several WAN uplinks are configured for aggregation, the rXg automatically monitors the health of the WAN uplinks and removes uplinks that have failed from the active pool. If a failed uplink returns to proper operation, the rXg automatically adds the WAN uplink to the active pool.
In addition, the rXg supports explicit configuration of backup WAN uplinks. This is useful for situations where a backup uplink that has different characteristics from the one or more primary uplinks. For example, satellite WAN uplink may be designated as an explicit backup uplink that is never used unless all members of a pool of primary DSLs have failed.
Carrier Diversity
The rXg multiple uplink control mechanism operates independently of the upstream carriers. The upstream carriers do not need to make any configuration changes or cooperate with the operator in any way. The multiple uplink control mechanism is so transparent that in most cases upstream carriers do not even know that their link is taking part in a connection pool. The rXg supports multiple uplink control over any number of carriers that are supplying an arbitrary set of uplinks.
With third-party ping targets configured, the rXg multiple uplink control mechanism can determine the health of the uplink carrier's upstream connectivity. This capability combined with WAN uplinks that are being supplied provided by different upstream carriers enables the rXg to provide carrier diversity and failover. Uplinks that are associated with carriers that are having peering difficulty are removed from the active pool.
Application Affinity
The rXg multiple uplink control mechanism can affine specific outgoing traffic to particular WAN uplinks. This capability enables operators to maximize the utilization and capabilities available through a diverse set of WAN uplinks. In a typical configuration, most traffic is sent across one set of WAN uplinks while traffic with special needs are sent through a different set of WAN uplinks.
For example, an operator that has a single T-1 and three ADSLs may choose to affine all VoIP traffic to the T-1. This allows the VoIP to be delivered at a lower latency that will make a noticeable difference in call quality. Link affinity may also be used in conjunction with application forwards and DNS mappings to reserve certain WAN uplinks for public facing services.
Link Controls
The records in the link controls scaffold defines the configuration of the multiple rXg uplink control mechanism.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The uplinks field determines which WAN uplinks will take part in the multiple uplink control policy configured by this record. When more than one uplink is set, the rXg will automatically load balance the links. The distribution of load across the selected uplinks is determined by the weight field of the WAN uplink records.
The backup checkbox configures the link control group configured by this record to remain inactive unless all other links associated with a link control record that is not designated as a backup have failed. At least two link control records (one designated as backup and that is not) must be associated with the same policy in order for this field to have any effect.
The WAN targets field limits the effect of the link control defined by this record to traffic that is originating from or destined to the IP addresses or DNS names listed in the selected WAN targets. By default, a link control affects all traffic originating from and destined to the members of all groups associated through the linked policies. Setting a WAN target causes the link control to limit the breadth of the rule to the specified hosts.
The applications field configures the kinds of packets that will be link controlled as a result of this record. Selecting multiple application groups applies this rule to all of the selected applications (logical or). By default, all types of packets that match the chosen policy and WAN targets are link controlled. Selecting one or more applications reduces the breadth of the rule configured by this record to the packets classified as being part of the chosen applications.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Uplinks
This scaffold brings visibility to the columns of the uplinks scaffold that are relevant for multiple uplink control. Since uplinks are defined via the uplinks scaffold in the WAN view of the Network subsystem, this scaffold is limited to editing settings relevant to multiple uplink control.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the order of precedence during failover in a link control scenario. When only one uplink is configured, this field has no effect as there is no uplink to failover to. When multiple uplinks are configured and connection aggregation is enabled, a failure of a link will cause another member of the pool to forward all traffic. If aggregation is not enabled, or all uplinks within a pool have failed, then the uplink with the highest priority amongst all of the remaining uplinks will be used to forward the traffic.
The weight field is used to determine how load is distributed across a set of uplinks that have been grouped together into a single link control. If all upinks in the link control have the same weight, the end-users will be assigned to the uplinks in an simple round-robin (uniformly distributed) fashion. If the uplinks have different weights, end-users are assigned to uplinks in a distribution that uses the uplink weight as a ratio with respect to the sum total of the weights. For example, if a link control has two uplinks associated with it and the weights of the uplinks are 2 and 5, 28% (2/7) of the end-users will be will be assigned to the first link and 72% (5/7) of the end-users will be assigned to the second link.
The ping targets field associates ping targets with this uplink. Ping targets are used to determine the health of the uplink. When all of the associated ping targets are not reachable via an ICMP ping, the uplink is marked as down until at least one of the ping targets responds.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Ping Targets
The ping targets scaffold configures the third-party ping targets that are used to determine uplink availability. Each uplink should have more than one ping target associated with it in order to properly determine uplink health.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The target is the IP address of the device that is to be sent an ICMP ping.
The timeout is the number of seconds that the rXg will wait for a response from the target to an ICMP ping request.
The attempts is the number of times an ICMP ping will be tried before the ping target is considered to be down.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Simple Example Configurations
A minimum of two Uplinks must be configured to enable multiple uplink control functionality. Physically connect two distinct Internet connections to the rXg. Use the Network :: WAN view to create the appropriate Network Address objects as well as the associated Uplink objects. Ensure that reasonable Ping Targets are associated with each Uplink object.
Link Control is defined by Policy. The operator must identify the people and/or devices through to which they wish to apply Link Control. For the purposes of demonstration the creation of a single IP Group to cover the management Network Address is sufficient. Most production environments will have Account Groups representing tiers of service. In either case, Policy objects connected to Uplink Control object(s) determine the behavior.
Link Aggregation and Failover
Link aggregation is configured by associating a single Uplink Control enforcement to a Policy. The Uplink Control enforcement must have multiple Uplinks selected to enable aggregation. If a single link in the aggregation pool fails all traffic will be automatically moved over to the remaining operational uplink(s).
Link Failover Only
Link failover without aggregation is configured by associating at least two Uplink Control enforcements to a Policy. The Uplink Control enforcement for the primary uplink must have the Backup checkbox cleared and the appropriate Uplink associated. The Uplink Control enforcement for the failover uplink must have the Backup checkbox enabled and the appropriate Uplink associated. All traffic will flow over the primary Uplink until there is a failiure. No traffic will pass over the secondary Uplink until primary uplink failure occurs.
Application Affinity
Link affinity is configured by associating at least two Uplink Control enforcements to a Policy. The Uplink Control enforcement for the primary Uplink should have the appropriate Uplink associated. The Uplink Control enforcement for the specific traffic designed to over over the secondary uplink should have the appropriate Application and/or WAN Target configured as well as the appropriate Uplink associated.
Captive Portals
The captive portal view presents the scaffolds that configure the behavior of the rXg forced browser redirect mechanism.
The initial forced browser redirect is configured via the splash portals scaffold. Once a device has acquired an IP address via DHCP or via static assignment, the rXg enforces policy based on the group membership. In a typical scenario, most devices will initially be members of an IP group that spans the entire subnet from which the IP address of the device is assigned. To enable the forced browser redirect, the IP group must be configured with a policy that is associated with a splash portal record.
Once redirected to the captive portal specified in the splash portal record, the end-user must present credentials to access the WAN. The supplied credentials determine the new group that the device will be a member of. In a typical scenario, the end-user will supply a username / password pair or a token code that is associated with a account group. If external identification is used, the device will be associated with a RADIUS group or LDAP group.
To complete the captive portal configuration, the new group must be associated with a policy that is linked to a landing portal. In addition, the new group be of a higher priority than the first group. In a typical scenario, the new group is associated with a policy that is linked to several other enforcement mechanisms (e.g., bandwidth queues, multiple uplink controls, web experience manipulation, etc.).
Splash Portals
Splash portals define the pre-authentication settings that are used when forced browser redirect is in effect.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The portal field determines the local captive portal that will be used for pre-authentication. The default RG Nets portal is always available as a choice from this list. Additional choices for the portal field are determined by the custom portals scaffold on the portals view of the system module.
Setting the remote checkbox specifying a remote URL enables forced browser redirect to a captive portal web application that is stored on a remote host. Using a remote host for the pre-authentication pages is not recommended for typical deployment scenarios due to increased latency and complexity. In most clustering and multi-unit central management scenarios, a customized local pre-authentication portal contains hyperlinks to a centrally served portal for unified end-user credential management.
The following substitutions are available for the remote URL :
- %url% - the original URL (desired URL) that the end-user surfed to
- %rxg% - the name of the rXg that executed the redirection
- %ip% - the IP address of the end-user
- %mac% - the MAC address of the end-user
- %wan_ip% - the WAN NAT IP address of the end-user
- %wan_mac% - the MAC address of the interface for the Uplink the user is assigned to
- %wan_mac_last6% - The last 6 characters of the WAN MAC, excluding colons
- %hostname% - the DHCP client hostname of the end-user
- %group% - the name of the group that the end-user was a member of during redirection
- %policy% - the name of policy that the end-user experienced during redirection
- %landing_portal% - the name of the splash portal that the end-user was presented
- %portal_controller% - the name of the custom portal controller that the end-user was presented
- %logged_in% - true or false depending on whether or not the end-user is logged in
- %random_number% - a random eight digit integer
- %error% - an error string
- %notice% - a notice string
- %exception% - an exception string
- %action% the custom portal action that the end-user was redirected to
- %redirect_action% - the custom portal action/view that the end-user was redirected to after processing the request
- %vlan% - client VLAN tag, if any
- %ap_mac% - MAC address of the AP to which the client is currently connected
An example of a remote URL that utilizes substitution is:http://central.srvr/port_app/?orig_url=%url%&subcriber_ip=%ip%
The whitelist field enables the operator to choose one or more wan targets that list IP addresses and/or DNS entries of websites that are to be exempt from the forced browser redirection policy configured by this splash portal record. There are many common uses for the whitelist. When credit card payment gateways are used, the payment gateway servers may need to be whitelisted in order for payments to be processed. If pay-per-click advertising is placed on the pre-authentication portal, the advertising destinations must be in the whitelist to enable proper click through and tracking. Cluster configurations require the cluster controller to be in the whitelist to enable unified user management. In addition, many operators use the whitelist to enable unfettered access to a handful of websites of their choosing.
The configuration options in the automatic login section defines how the rXg captive portal behaves when a account with automatic login enabled joins the network and does not have an existing session. Enabling background mode and/or the portal mode allows accounts with automatic login enabled to connect without having to enter credentials at the captive portal.
If background mode is set to MAC , then the rXg will continually poll the ARP table and/or DHCP leases (as defined by the MAC to IP mapping setting in the device options). The rXg will then automatically create sessions for accounts with automatic login enabled, thus obviating the need for the account to login via the captive portal. If a login session is created by the rXg via the background mode then the end-user will never experience forced browser redirection. Enabling background mode is sufficient for handling most cases of automatic login. However, if the rXg becomes heavily loaded, then the polling nature of background mode automatic login may result in some end-users browsers experiencing forced browser redirect. Thus automatic login is also implemented in the captive portal and enabled via the portal mode option. Disabling the background mode may be necessary to operate in extremely high load environments. Disabling background mode may also be necessary when deploying the rXg in conjunction with certain wireless infrastructures that spoof MAC addresses.
If portal mode is set to anything other than disabled , then the rXg will attempt to create a session and/or login to the portal for accounts with automatic login enabled when a device with a matching MAC address hits the portal. The MAC (create session only) option creates a login session for the account but does not log the account into portal. Thus the end-user web browser is denied access to the profile information stored in the account. This option is most appropriate for high transient environments such as hotspots, hotzones, hotels, conference centers, etc. The MAC (create session, login to portal) creates a login session for the account and also logs them into the portal. This option is most appropriate for fixed wireless broadband environments where the end-user population is mostly static. The MAC AND cookie option is similar to the MAC (create session, login to portal) in that a session is created for the account and the web browser is granted access to the portal. However, in addition to checking for the MAC address, the browser is checked to make sure that a cookie matching one stored by the rXg during previous portal activity is present. This is the most secure method of enabling automatic login but it requires that the end-user bring up the same web browser that they used the last time they interacted with the rXg captive portal. The MAC OR cookie option is similar to MAC AND cookie , except the user's MAC address can have changed as long as there is still a matching cookie in the user's browser. This is useful for situations where a user switches between a wired and wireless connection, thereby changing MAC address. The MAC mode checks only the MAC address. The cookie mode checks only the browser cookie.
The WISPr settings are arbitrary strings that pass meta-data to WISPr client software. Consult the documentation that is provided by wireless service aggregrators for the proper settings for these fields.
The TOS checkbox enables a terms of service requirement for the pre-authentication captive portal.
The policy field relates this record to a set of groups through a policy record.
The shared credential groups field determines which shared credential logins are to be accepted by this portal.
The usage plans field determines which usage plans are to be displayed and accepted by this portal.
Landing Portals
Landing portals define the post-authentication settings that are used when forced browser redirect is in effect.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The portal field determines the local captive portal that will be used for post-authentication. The default RG Nets portal is always available as a choice from this list. Additional choices for the portal field are determined by the custom portals scaffold on the portals view of the system module.
Setting the remote checkbox and specifying a remote URL enables post-login browser redirect to a captive portal web application that is stored on a remote host.
The following substitutions are available for the remote URL :
- %url% - the original URL (desired URL) that the end-user surfed to
- %rxg% - the name of the rXg that executed the redirection
- %ip% - the IP address of the end-user
- %mac% - the MAC address of the end-user
- %wan_ip% - the WAN NAT IP address of the end-user
- %wan_mac% - the MAC address of the interface for the Uplink the user is assigned to
- %wan_mac_last6% - The last 6 characters of the WAN MAC, excluding colons
- %hostname% - the DHCP client hostname of the end-user
- %group% - the name of the group that the end-user was a member of during redirection
- %policy% - the name of policy that the end-user experienced during redirection
- %landing_portal% - the name of the splash portal that the end-user was presented
- %portal_controller% - the name of the custom portal controller that the end-user was presented
- %logged_in% - true or false depending on whether or not the end-user is logged in
- %random_number% - a random eight digit integer
- %error% - an error string
- %notice% - a notice string
- %exception% - an exception string
- %action% the custom portal action that the end-user was redirected to
- %redirect_action% - the custom portal action/view that the end-user was redirected to after processing the request
- %vlan% - client VLAN tag, if any
- %ap_mac% - MAC address of the AP to which the client is currently connected
An example of a remote URL that utilizes substitution is:http://central.srvr/port_app/?logged_in=%logged_in%&subcriber_ip=%ip%
The blacklist field enables the operator to choose one or more wan targets that list IP addresses and/or DNS entries of websites that are always to be redirected to the captive portal web application selected in this landing portal record. In a clustering scenario, it may be useful to redirect certain web accessible cluster resources back to the post authentication portal for load balancing. In an advertising scenario, it may be useful to redirect access for particular websites to the local captive portal web application so that focused local content is delivered over generic content.
The session restrictions settings control the length of the end-user session as well as the automatic logout mechanism. The settings here may be overridden by various other configuration settings of the rXg. For example, if external RADIUS authentication is being utilized, the RADIUS Class attribute may be consulted to configure the session length. Another example is if the account has automatic login enabled. In that case, the portal will not be displayed again until the user no longer has any usage minutes.
Set the amount of time that an end-user is allowed to be logged on before they need to login again using the restriction field. If unlimited login time is desired, check the unrestricted box.
Check the no idle timeout box to disable the automatic logout upon idle feature of the captive portal web application. Account usage minutes will continue to be depleted regardless of traffic when the automatic logout feature is disabled. Alternatively, set a idle timeout to enable the automatic logout feature.
The grace time field enables the captive portal web application to allow end-users to be logged in for a short amount of time to complete the selection and purchase of a usage plan.
The redirect URL field enables the operator to redirect the end-user to a configurable URL after successful login. Check the original box to redirect the user to the URL she requested before being redirected by the captive portal. Leave both fields blank to display the post login success page of the landing portal.
The policy field relates this record to a set of groups through a policy record.
The usage plans field determines which usage plans are to be displayed and accepted by this portal.
Portal Mods
Portal Mods allow the operator of the rXg to modify an existing portal, content can be modified by selecting the view and adding HTML content that will replace the view. Images can also be replaced as well. This allows the operator to easily change images and specify the login options for example.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The Custom field allows the operator to select the custom portal the Portal Modification record applies to.
The Splash and Landing fields allow the operator to select which Splash and Landing portals the record will apply to. This allows the operator to use the same portal but have different changes to either the Splash or Landing side of the portal(s).
The Splash field allows the operator to specify the Splash portal(s) the Portal Modification will apply to.
The Landing field allows the operator to specify the Splash portal(s) the Portal Modification will apply to.
The View field selects the view in the portal that will be modified.
The HTML(ERB) field, contains the code that will modify the selected view.
The Image field, is used to upload an image to replace an existing image in the portal, or can be used to upload an image to be used in the HTML(ERB) field.
The Image to Replace field combined with the Image field allows the operator to replace and existing image on the portal with a custom image.
For examples of how to use Portal Mods see the Portal Customization::Portal Modifications section of the manual.
WiFi Profiles
The Name field is arbitrary and can be set to anything.
The SSID field is used to set the SSID that will be contained in the profile that the client device will connect to after downloading the profile.
The Default checkbox, if checked specifies that this WiFi Profile will apply to all landing portals.
The Server Certificate field allows the operator to specify the SSL certificate that will be included with the profile.
The Landing Portals field allows the operator to specify which landing portal(s) will present the WiFi Profile when the client device successfully connects.
WiFi Profiles allow the operator of the rXg to configure the profiles that will be downloaded to the client device when it succesfully connects to the network. The profile contains the information to connect to the network and installs the certifcate on the device.
Content Filtering
Content filtering enables the operator to deny the transit of web pages that contain textual media that matches filters specified by the operator.
The content filtering mechanism allows the operator to specify independent content filtering policies for different groups. The intention is to allow the operator to generate direct revenue from the application of filtering or for enabling unfettered Internet access.
For example, residential customers may be offered a porn blocking premium service while business customers receive unfettered access. The converse may also be useful where advertising supported hotspot access is restricted from accessing all known objectionable content and a paid upgrade enables unfettered access to the Internet.
In order for content filtering to operate, the rXg must have access to the web page that the end-user requests. This is accomplished by enabling the transparency web proxy which intercepts end-user HTTP requests. If locally cached copies of the content are expired or out of date, a new copy is requested from the server. The rXg content filtering mechanism then operates on the local copy of the end-user requested web page. If the requested web page does not match the profile configured by the operator, an HTTP response containing the requested page is then transferred to the end-user.
Content Not Permitted
When an end-user attempts to access prohibited content, they are redirected to /content_filter
view of the captive portal. By default, this view displays a denied graphic along with the desired URL, the reason for the denial and the categories that were matched. This view of the portal may be customized to any format that the operator desires.
The /content_filter
view of the portal is an integral part of revenue generation through content filtering. For example, if the content filter is being applied to limit access for to end-users in an advertising supported group, the /content_filter
view should be customized to advertise the availability of unfettered access for a fee. If the content filter is enabled as part of a threat management package, affiliate program links to security software downloads (e.g., McAfee, Norton, etc.) would be appropriate.
Content Filters
The content filters scaffold presents the fields necessary to configure the rXg policy enforcement engine to deny access to HTTP responses containing operator specified classes of content.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The filtering section configures the global behavior and filtering sources for this content filter.
The lists and remote lists fields specify the lists of URLs and domains that will be pass or denied in this content filter. The lists and remote lists are configured using the scaffolds below.
The blanket block checkbox is used to place the content filter into whitelist mode. All web pages except those specified in the whitelists are denied when this mode is enabled.
The denied portal action specifies the action on the captive portal that will be called when prohibited content is requested.
The WAN targets field limits the effect of the content filtering settings defined by this record to traffic that is destined to the IP addresses or DNS names listed in the selected WAN targets. By default, a content filter record affects all HTTP traffic matched by the policy regardless of WAN origin / destination. Setting a WAN target causes the breadth of the content filter to be limited to the specified hosts in the manner specified by the WAN target mode.
The content filter only manipulates HTTP traffic by default. Setting the intercept SSL/TLS checkbox enables the content filter to manipulate encrypted HTTPS traffic in the same manner as if it were regular HTTP traffic.
The safesearch checkbox causes the content filter to always enable safe-search mode in search engines. This feature requires the intercept SSL/TLS feature to be enabled because almost all search engines run over HTTPS.
The YouTube EDU ID field configures the content filter to add the specified data to all traffic to/from YouTube. This mechanism enables server-side content filtering for YouTube. Use of this feature requires educational facility registration with Google / YouTube.
The tunnel detection field configures the content filter to look for IP tunneling over HTTPS. The detection may be configured in real-time (higher overhead) or background (higher performance). The operator may also choose to log the presence of HTTPS tunneling rather than denying this behavior outright.
The enhanced HTTPS security checkbox configures the content filter to block access to HTTPS sites that fail to present a SSL certificate that is signed by a trusted third-party.
The policy field relates this record to a set of groups through a policy record.
Remote Content Filter Lists
Entries in the remote content filter lists scaffold are used to configure the parameters needed to periodically download third party maintained lists. The de facto standard list format is a compressed archive (.tar.gz) file that extracts into a series of subdirectories named by blocking category. Each entry in this scaffold configures the periodic download of a compressed archive (.tar.gz) file. Multiple archive files may be used in a single content filter policy enforcement.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The categories field allows the operator to choose from one or more groups of URLs and/or domains to include in this remote content filter list definition. This field is only useful when the URL of this remote content filter list refers to a gzipped tarball archive. The names of subdirectories present in the archive are presumed to be the names of blocking categories and show up in this field.
When a remote content filter list is created, this field will be empty. Once the list is downloaded and extracted for the first time, the subdirectories will then appear in this field. After creating a remote content filter list it is necessary to edit the record and select the desired categories in order for proper operation. Initial download time (and hence, population of the categories field depends upon the size of the archive file as well as the speed of the network connection between the server addressed by the URL.
When Custom is selected in the Provider field it allows the operator to specify a custom URL to a list maintained by the operator or another source.
The URL field contains the URL of the file that the rXg will download. The target file is expected to be in one of two formats: .tar.gz archive or a .txt plain text file. If the file is a gzipped tarball archive (.tar.gz), it is expected to extract multiple subdirectories named by category, each of which contains a "urls" file containing a list of specific URLs to list, and/or a "domains" file containing a list of domains (i.e., entire sites) to list. If the file is plain-text, it is expected that the file is a list of domains and URLs to list. The rXg supports lists formatted for ufdbGuard,DansGuardian and SquidGuard. Well known providers include URLfilterDB, Shalla Listand Squidblacklist.org.
The frequency defines the periodicity with which the rXg will download the list archive file from the URL specified. The request to download a new remote content filter list occurs immediately after the create button is clicked. The periodicity of subsequent downloads are determined by the value of specified in this field. The downloading of subsequent updates will always occur between 4 and 5 AM local time.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Example Content Filter Configuration
In this example we will configure content filter that will block adult content. Navigate to Policies::Content Filtering and create a new Remote Content Filter List.
Give it a name, type should be set to Blacklist. For this example we will use the UT1 Provider. Set the Frequency for often it downloads the list, for UT1 we do not need a username/password, click create.
The system will download the remote list, after waiting about a minute we can edit the Remote Content Filter List we created. The Categories section should now list the categories that can be filtered. For this example adult, dating, and lingerie is selected. Click update.
Next create a new Content Filter.
Give it a name, leave Filter DNS checked, we can change how it lookup response behaves by changing the response, for this example I will leave it on Block w/ NXDOMAIN (return name does not exist). Under Content Lists verify that the Remote list created in the previous step is checked. Lastly select the polices the filter should apply to, and click create.
A custom Content Filter list can be hosted on any accessible web server. The rXg can be configured to use this Custom Content Filter (plain-text or tar/gzip) file by creating a new Remote content Filter List and selecting Custom for the Provider and populating the URL with the direct link to the file. The content filter can be set to synchronize as a daily, weekly, or monthly recurrence.
To host the Custom Content Filter on a rXg device, the filter list can be uploaded to the /space/rxg/console/public folder on the host.
A content filter list is contained within a tar.gz file. The root of the file contains a set of directories which serve as categories for the filter list. The categories are used to select specific types of content to filter from the broader list. Inside each folder there are one or more extensionless text files which contain lists of domains and URLs. The file domains consists of fully qualified domain names for entire websites to be used in a content filter list. The file urls consists of full paths to pages which will be used in the content filter list.
File Structure:
Domain List:
URL List
Event Triggers
The event triggers view displays the scaffolds that configure the events that define transient group membership policy.
The transient group membership mechanism temporarily changes the group membership of an end-user. Since group membership determines which policies are enforced, event triggers are a simple way to temporarily change the end-user experience.
The possibilities of what can be accomplished through transient group memberships are endless. For example, when max connections triggers can be configured to establish transient IP group membership for abusive behavior. The transient IP group may then be associated with a splash portal policy to quarantine the user, a packet filter policy to blackhole the user or a bandwidth queue policy to throttle the user for some specified period of time.
The space-time triggers and quota triggers are typically used for end-user communication and upselling of premium services. A simple way to utilize this is to create a quota trigger that triggers on high utilization and places these end-users into a group. This transient group can then be associated with a policy that is linked to interstitial redirection to a page that communicates with the end-user about their high utilization and offers them the opportunity to buy more. In addition, the interstitial page might offer the end-user the ability to switch to a plan that has higher bandwidth rates.
The DPI triggers enable the operator to apply transient group memberships to subsets of the end-user population that match any profile that may be described in the form of a deep-packet inspection rule. This may be used to detect specific kinds of applications (e.g., BitTorrent, VoIP, etc.) or specific usage patterns (e.g., the presence of a streaming media center or a NAT router). The remote DPI signatures capability enables the operator to deploy DPI triggers as a malware egress filtering mechanism.
All triggers are configured to enforce upon policy and send matches to transient group memberships. End-users are sourced from the policies associated with trigger record. End-users that match the trigger enforcement are then destined for the configured transient group memberships.
Connections Triggers
Records in the connections triggers scaffold define the configuration of the rXg behavioral intrusion protection system.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The max connections field specifies the number of simultaneous connections that an end-user or device can utilize before the behavioral IPS is triggered. The number of connections is determined by counting the number of TCP and UDP streams that transit to the WAN through the rXg. Currently observed active connections, recently attempted connections (regardless of whether or not they actually connected) as well as recently closed connections are all counted. How long recent connection attempts and recently closed connections are counted is determined by the setting the state timeout in the network options.
The operator should tune value for the max connections to a value that best fits the nature of the end-users on the LAN. Many applications utilize multiple TCP and/or UDP streams in parallel. For example many web browsers will open several connections to a web server in order to download multiple assets referenced by a web page at the same time. Cloud computing applications tend to have software hooks that keep several background connections active at all times. Thus a value too small will trip a very large number of false positives.
Setting the max connections field to a value that is overly large prevents the behavioral IPS from detecting malicious software that is designed to avoid attracting attention. Worms that rapidly proliferate by opening as many connections per second as the infected CPU will support have given way to worms that attempt to proliferate under the radar. Many P2P software systems have a setting that configures the maximum number of simultaneous connections whose purpose is to help prevent the software from being detected. Thus it is important to tune the max connections field that is small enough to allow the kinds of applications present on the network while detecting malicious activity.
The behavioral IPS should always be enabled for all networks. If the operator is unwilling to cope with even a single false positive then the max connections should simply be set large enough to put the most egregious offenders into a transient group membership for instant remediation. The transietn group membership is typically associated with a policy that blocks all traffic (e.g., via a splash portal) or slows all traffic down (e.g., via a traffic shaping queue) and notifies the end-user of the violation (e.g., via an interstitial redirect or injection).
The duration determines the length of time that an end-user or device that has triggered the IPS will remain a member of the transient group. Once the duration is reached the transient group membership expires and the end-user or device will be returned to their original policy. If the number of connections being utilized exceeds the configured max connections the trigger will be fired again and the end-user or device will be placed into a new transient group membership for the specified duration.
If an end-user or device triggers the behavioral IPS, they will become a transient member of the IP group specified by the IP group field. connections triggers affect all devices that are associated with the record through the policy regardless of authentication method.
Quota Triggers
Records in the quota triggers scaffold define rules that will change the effective policy of end-users based on the data transfer utilization over a specified period of time.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Quota triggers operate on calculated aggregate traffic transfer over an operator specified period of time. Thus operators configure the quota in multiples of bytes (e.g., megabytes, gigabytes, etc.). Furthermore the operator specifies the quota trigger time period to be since the last recharge or a rolling window of time. The values are mathematically to the traffic shaping system which is deals with instantaneous transfer rates configured in multiples of bits per second (e.g., kilobits per second, megabits per second, etc.) but the use cases are usually very different.
The download , download unit , upload and upload unit fields configure the aggregate amount of data transfer that must be recorded before a triggering a transient group membership. The download and upload fields specify the value representing the utilization level that needs to be met while the download unit and upload unit fields specify the type of the value fields.
When the download unit and/or upload unit is set to % , the download and/or upload value is taken to mean a percentage of the quota stored in the usage plan record associated with the end-user record. For example, if the download quota in the usage plan record is 500 MB and the download field is configured to be 25 with a download unit of % , when the end-user utilization reaches 125 MB, the transient group membership will be triggered.
When the download unit and/or upload unit is set to MB or GB , the download and/or upload value is taken to mean an absolute value in megabytes or gigabytes respectively. The utilization stored in the end-user record must exceed the value configured in the record in order for the transient group membership to be triggered.
The logic field configures whether one or both of the utilization levels specified in the upload and download fields must be met before this record triggers a transient group membership. A setting of and requires both the upload and download utilization levels be met before a transient group membership is triggered. When set to or , satisfying either upload or download utilization level is sufficient to trigger a transient group membership.
The window field specifies the amount of time over which the the quota trigger will measure usage. The window is specified as the time in the past for the beginning of the measurement period. The measurement period always ends at the present. For example if a window of 2 days is specified then the usage will be measured starting from two days ago until the present.
Rolling window based quotas are most often used to control end-user behavior in a manner similar to the rate limiting mechanisms found in the traffic shaper. A rolling window-based quota enables the operator enforce a lower effective transfer rate. For example, a rolling quota of 5 GB per month that is popular with WWAN data providers is comes to an average rate that is only 15 kbps. A relatively loose rolling quota of 10 GB per week comes to only 277 kbps.
This mode is used to apply control over transient or fixed end-user populations regardless of whether or not quota is being explicitly sold to the population. The destination transient group membership is typically associated with a lower maximum instantaneous rate queue along with some kind of end-user notification (e.g., an interstitial that informs the end-user of their overage condition).
If no window is specified then the quota trigger will measure usage since the last quota recharge. This mode is most used in scenarios with a fixed end-user population where the operator wants to upsell additional quota to end-users when their consumption is approaching their purchased limit. The destination transient group membership is typically associated with a notification mechanism (e.g., an injection with copy informing of the overage condition and a link to the portal to purchase an upgrade).
The duration field specifies the amount of time that an end-user will remain a member of the transient group after exceeding the defined transfer quotas. By default the transient group membership is in effect for as long as the quota trigger condition is met.
The account group field configures the destination where end-user matching the utilization values specified in this record will be sent. If an end-user's utilization meets the criteria defined in this quota trigger , they will become a transient member of the account group specified by the account group field.
Space-Time Triggers
Records in the space-time triggers scaffold define rules that will change the effective policy of end-users based on the time of day, day of the week, and physical location.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The start and end fields configure the range of time that the time trigger is active. The start time must precede the end. The trigger is active for the time period between start and end. To specify an entire day, use a start of 00:00:00 and an end of 23:59:59. To specify more than one time period during a single day, multiple time trigger records must be created.
The days field specifies the days of the week that this time trigger is active. A checked box indicates that the the time trigger is active during the day that is labeled. The parameters specified by the days field as well as the the start and end fields must both be satisfied (logical and) in order for the trigger to be active.
The logic field configures whether one or both of the utilization levels specified in the upload and download fields must be met before this record triggers a transient group membership. A setting of and requires both the upload and download utilization levels be met before a transient group membership is triggered. When set to or , satisfying either upload or download utilization level is sufficient to trigger a transient group membership.
The IP group , MAC group and account group fields configure the destination for the IPs, MACs and users associated with this trigger through the selected policy when the trigger is active. Only one of the three possible destinations should be selected for any given record. The account group destination is only effective when the policy is associated with a user group as no login session is created for IP groups and MAC groups.
DPI Triggers
Records in the DPI triggers scaffold define rules that will change the effective policy of end-users based on a DPI signature.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The DPI signatures field links the DPI trigger to one or more DPI signatures specified on the definitions view. The DPI signatures are what are used to determine the firing of the trigger and the temporary IP group membership.
The duration field specifies the amount of time that an end-user will remain a member of the transient group after matching a DPI signature. For example, if a DPI signature specifies a virus and the target transient group is linked to quarantine policy, the duration represents the length of time that the end-user would remain quarantined after the virus is initially detected.
The IP group field configures the destination where end-user matching the DPI signature specified in this record will be sent. DPI triggers affect all devices that are associated with the record through the policy regardless of authentication method.
Remote DPI Signatures
An entry in the Remote DPI Signatures scaffold configures the rXg for automatic download of deep packet inspection signatures that are used to identify and classify of end-user traffic from a third-party website.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The categories field allows the operator to choose from one or more groups of predefined signatures present on the third-party server. This field is only useful when the URL of this remote DPI signature refers to a gzipped tarball archive. The signatures present in the archive are presumed to be organized by file name. Each file should contain signatures that are relevant to the name of the file.
The SID whitelist field enables the operator to exclude specific rules from being used. This feature is typically used to exclude overly aggressive rules and thus reduce the possibility of false positives. Consider the following rule from the Snort emerging threats list:
emerging-p2p.rules:alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:3;)
The example rule shown above is known to occasionally trip false positives with Skype file sharing. Listing 2003310
into the SID whitelist field causes the rule to be ignored. Multiple SIDs may be listed in the SID whitelist to tell the DPI engine to ignore more than one rule in the remote set.
When a remote DPI signature record is first created, the categories field will be empty. Once the signatures have been downloaded and extracted for the first time, the names of the files will then appear in this field. After creating a remote DPI signature it is necessary to edit the record and select the desired categories in order for proper operation. Initial download time (and hence, population of the categories field depends upon the size of the archive file as well as the speed of the network connection between the server addressed by the URL.
The URL field contains the URL of the file that the rXg will download. The target file is expected to be in one of two formats: .tar.gz archive or a .txt plain text file. If the file is a gzipped tarball archive (.tar.gz), it is expected to extract multiple files named by category, each of which contains DPI signatures. If the file is plain-text, it is expected that the file is simply a file of the the DPI signatures. The rXg supports DPI signatures formatted for Snort 2.9. Well known remote DPI signature repositories include the official Snort rules and the Snort emerging threats list.
The frequency field specifies the download interval. Some sites have terms of use that specify appropriate download intervals. Please check the remote site terms and conditions carefully before using.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Log Hits Trigger
Records in the log Hits Triggers scaffolds defines rules that will dynamic blacklisting with transient WAN membership based on log hits.
The*name*field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The*policyfield relates this record to a set of groups through apolicy*record.
The log field allows the operator to select which log will be monitored for predetermined behaviors.
The max hits field specifies the number of log hits for a specified service by a device on the LAN or WAN before the behavior IPS is triggered.
The window field specifies the the amount of time over which the log hits trigger will measure usage. The window is specified as the time in the past for the beginning of the measurement period. The measurement period always ends at the present. For example if a window of 5 minutes is specified then the connection will measure starting from 5 mins ago until the present.
The duration field specifies the amount of time that a connection that an end-user or IP has triggered the IPS will remain a member of the transient group. The the duration is reached the transient group membership expires and the end-user or IP will be removed. If the number of connection being utilized exceeds the configured max hits the trigger will be fired again and the end-user or IP will be placed into a new transient group membership for the specified duration.
The MAC group and IP group fields configure the identity for the IPs, MACs, and users associated with this trigger through the selected policy when the trigger is active. The WAN Target field selects the destination for violating IPs originating from the WAN. This list of IPs can be used in other areas of the rXg configuration. Only one of the three possible destinations should be selected for any given record.
The flush connection states allows an operator to clear some or all of the active session data. Flushing DHCP leases erases IP address assigned. Flushing MAC entries erases the saved MAC addresses from the devices table. Flushing VLAN assignments clears the the VLAN association from the device MAC.
In the notifications section, the message fields allows you to specify which custom email will be sent when an event is triggered.
Interstitial Redirection
Interstitial redirection is the periodic application of forced browser redirection to end-users for the purposes of generating impressions to an operator specified web page.
Interstitial redirection is a mechanism that enables operators to deploy advertising or other messaging on broadband networks in a manner that is similar to TV commercials. End-users and devices that been selected to take part in interstitial redirection are periodically redirected to a target of the operator's choosing. Furthermore, the rXg may require that the end-user experience the chosen target for a specified amount of time before they are able to continue on to their original destination.
Specific criteria must be met in order of a HTTP request to be redirected so that only "normal browsing" WWW sessions are interrupted. This enables web applications such as web-based email to continue to operate correctly even with interstitial redirection is enabled. In addition, interstitial redirection does not modify the content of transit pages in any way. The rXg goes to great lengths to ensure that interstitial redirection does not adversely affect the end-user in any way.
In most cases, the interstitial redirection is a specialized view of the captive portal web application. This enables the operator to have complete control over the content. In a typical deployment, the interstitial view of the captive portal displays a "continue to original request" link as well as several rotated advertisements or other messages. The /interstitial
view of the default portal is provided as an example of how an interstitial redirect target should be formatted.
The choice of content for the target of the interstitial redirects is entirely up to the operator. Any combination of static or dynamic images, JavaScript generated text or just about anything else imaginable can be placed on the redirection target. The most common application of interstitial redirection is to generate impressions of advertiser supplied videos. Forced viewing of video advertisements generate dramatically higher revenue per impression than image or text based advertisements (except for affiliate program conversions).
Interstitial Redirects
The interstitial redirects scaffold configures the periodic forced browser redirection of connected end-users to web content specified by the operator.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The initial minutes , minutes and duration fields control the timing behavior of the interstitial redirect mechanism. Using the broadcast television commercial analogy, the end-users experience a commercial that is duration seconds long with a periodicity specified by minutes. The initial minutes field specifies the amount of time before the first redirect. If the initial minutes is set to 0 then the end-user will experience redirect immediately upon login.
The URL field specifies the target for the forced browser redirect that occurs during an interstitial redirect. In most cases, the specified URL wll be a view of the onboard captive portal web application. The interstitial.erb
in the default captive portal provides an example of an interstitial redirect target with advertising integration. An external web server may also be used as an interstitial redirection target.
Several substitution variables are available for dynamic URL assembly.
%url%The original URL that the browser requested when the interstitial redirection took affect. When the interstitial redirection workflow is complete, the end-user should be directed to this URL.%rxg%The domain name of the rXg as configured in Options view of the System menu.%ip%The IP address of the end-user device that has been subjected to the interstitial redirect.%mac%The MAC address of the end-user device that has been subjected to the interstitial redirect.%hostname%The DHCP client hostname of the end-user device that has been subjected to the interstitial redirect.%group%The effective group of the end-user when the interstitial redirect was initiated. %policy%The effective policy of the end-user when the interstitial redirect was initiated. %landing_portal%The landing portal associated with the effective policy of the end-user when the interstitial redirect was initiated. If no landing portal enforcement record exists, then the value of this variable will be 'default'.%portal_controller%The custom portal controller name associated with the effective policy of the end-user when the interstitial redirect was initiated. If no landing portal enforcement record exists, then the value of this variable will be 'default'.%random_number%A random eight digit integer.
An example of a URL that utilizes substitution variables is:
https://%rxg%/portal/%portal_controller%/interstitial?desired_url=%url%
The WAN targets field limits the effect of the interstitial redirect settings defined by this record to traffic that is originating from or destined to the IP addresses or DNS names listed in the selected WAN targets. By default, an interstitial redirect record affects all HTTP traffic matched by the policy regardless of WAN origin / destination. Setting a WAN target causes the breadth of the interstitial redirect to be limited to the specified hosts in the manner specified by the WAN target mode.
The WAN target mode field determines the effect of choosing WAN targets. When set to ignore, all HTTP requests originating from end-users and devices selected by the associated policy will take part in the interstitial redirect except for the requests that are headed to the IP addresses and DNS names in the chosen WAN targets.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
URL Replacements
The URL replacements scaffold enables fine grain configuration of the rXg HTTP URL request rewriting mechanism. URL replacements enable arbitrary modifications to the URL in an HTTP request. Thus an end-user retrieves a web page that is different from what they originally requested. The URL replacements mechanism uses the same underlying technology as the interstitial redirection feature. The key difference between the two is that the URL replacements mechanism allows for fine grain control. The interstitial redirection mechanism replaces the entire URL whereas the URL replacements mechanism only replaces a portion of the URL.
URL replacements must be associated with a interstitial redirection in order to function. The timing of the URL replacement is defined in the interstitial redirection. Only the first HTTP request in the periodicity defined in the interstitial redirection will be rewritten. All subsequent HTTP requests will pass unchanged.
The match and replacement fields configure the search and replace parameters used to rewrite the URL. For example if a match of microsoft
is configured with a replacement of apple
then an end-user HTTP request forwww.microsoft.com
would be rewritten to www.apple.com
. The match and replacement fields may also be used to modify the parameters passed in a HTTP GET. For example, a match of ?query=hello
and a replacement of?query=goodbye
would result in payload of the variablequery
being changed from hello
to goodbye
. Thus an end-user that enters the string hello
into an HTML form with an input of query
that is submitted via a HTTP GET would end up being rewritten into submitting the stringgoodbye
.
Packet Filters
The packet filters view presents the scaffolds that configure settings to modify the rXg per-packet filtering engine.
The packet filtering is most often configured to deny certain end-users and/or devices access to certain kinds of applications. For example, some revenue generating network operators choose to deny access to P2P file sharing applications in order to conserve bandwidth. The rXg application filters scaffold is used to accomplish this.
Selection of end-users and/or devices is accomplished by associating a policy and applications are selected by associating application definitions to an application filter record. Since account group membership is usually determined by end-user self-provisioning via the captive portal web application, it is possible to enforce different application filters based on the usage plan selected by the end-user (and hence, revenue generated). This enables revenue generating network operators to limit access to certain applications (e.g., P2P file sharing and VoIP) to plans that are premium offerings.
Application Filters
An entry in the application filters scaffold creates a firewall rule that prohibits a particular application from reaching and/or being reached by specified WAN targets
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Rules for a given policy are checked in a top-down order, and the LAST rule to match a packet is the one which will be applied. Care should be given to order the rules appropriately to achieve the desired behavior and avoid being overly restrictive or permissive. More specific rules should be placed below more general rules.
The Action field allows the operator to set the mode to either Block or Pass the traffic as defined in the WAN Targets and Applications fields.
The direction field limits the prohibition of traffic to packets transiting the rXg in a particular direction. The outbound setting configures the firewall rule to drop packets originating from the LAN and destined for the WAN. Conversely, the inbound setting configures the firewall rule to drop packets originating from the WAN and destined for the LAN. The both setting drops all matching packets regardless of the direction of travel.
The WAN targets field limits the effect of the application filter rule defined by this record to traffic that is originating from or destined to the IP addresses or DNS names listed in the selected WAN targets. By default, an application filter denies all traffic matched by the policy regardless of WAN origin / destination. Setting a WAN target causes the breadth of the application filter to be limited to the specified hosts.
By default the WAN Target acts as a blacklist, however by checking the*Invert(!) WAN Targets* box, it will reverse the rule and make it a whitelist so instead of blocking access to what is defined in the WAN target it, it will only allow access to what is defined in the WAN target.
The applications field configures the kinds of applications that will be blocked by the application filter defined by this rule. Selecting multiple application groups applies this rule to all of the selected applications (logical or). By default, all types of packets that match the chosen policy , WAN targets , and applications are blocked.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Filtering rules are applied in a top down order, with the last rule that matches being the one the takes effect, thus rule ordering is important. The Application Filters scaffold also has links to "Move Up" or "Move Down" an entry. More general rules should be at the top of the list and and as the rules get more specific they should be moved down. For example if there are two rules created, one that blocks all traffic and another that passes traffic to a set of WAN targets, the rule blocking all traffic should be moved up to the top, and the rule passing traffic to the set of WAN targets should be below it. This will block all traffic except for sites defined in the WAN target. If the rule order were reversed, where the pass rule is positioned at the top of the list and the rule blocking all traffic is below it, all traffic would be blocked including what is defined in the pass rule because the last rule that matched is the block rule.
Subnet Filters
The subnets filter scaffold configures the rXg packet filtering to enable or disable reachability between LAN subnets. By default, with no subnet filters configured, the rXg permits routing between subnets.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The policies field configures which clients will not be able to access hosts on LAN subnets other than their own. The filtering is unidirectional; clients affiliated with a policy that does not have a subnets filter configured can still access other subnets.
The WAN targets field configures a list of destination hosts that are exempt from the filtering. Clients of the selected policies will still be able to access these hosts, even if they are on a different subnet.
Example filter configurations.
Multi Tenant Example
In this example users will be blocked from communicating across subnets but will have access to a shared resource. First we need to define the resources we want to share by creating a WAN Target by navigating to Identities::Definitions. Create a new WAN Target , the Name field is arbitrary. Enter the IP address or FQDN of resources to be shared. Click Create.
Next navigate to Policies::Packet Filters , edit the existing Subnet Filter or create a new one. The Name field is arbitrary. Select the Shared Printer in the WAN Target field. Lastly use the Policies field to select the policies that should be included for this Subnet Filter. Click Create or Update.
With this configurations tenants will not be allowed to communicate with anything outside of their subnet with the exception of the Shared Printer.
Content Filter Example
In this example an Application Filter will be created that will block streaming services. By default the rXg comes with Applications that includes both Destination Ports and WAN Targets for popular streaming services. Create a new Application Filter , the Name field is arbitrary. Specify if inbound/outbound or both should be blocked using the Direction field. Leave the WAN Target field blank as the WAN Targets are attached to the Applications already in the included applications. In the Applications field, select the Applications to block. Lastly using the Policies field select the policies that this filter should be applied to. Click Create.
Block all traffic except what is whitelisted.
In this example the packet filter will be configured to block all traffic except for what is defined in the selected Wan Targets.
First define the site or sites we wish to allow access to by creating a WAN Target. Navigate to Identities::Definitions. Create or edit and existing WAN Target. For this example Social Media will be allowed but everything else will be blocked.
Next navigate to Policies::Packet Filters and create a new Application. The Name field is arbitrary. Protocol field should be set to tcp udp. For the Destination ports field enter >0, this will include all ports greater than 0. Click Create.
Next create a new Application Filter , the Name field is arbitrary. Set the Direction field to both. Use the WAN Targets field to select the desired WAN targets. To make the WAN targets a whitellist instead of a blacklist check the*Invert (!) WAN Targets* checkbox. In the Applications field select the Application created earlier that contains all ports. Lastly use the Policies field to select the policies to apply the filter to.
This configuration will only allow members of the Bronze policy access to social media sites and not allow them to access other sites.
Pass/Block Filter Example
In this example a rule will be created that blocks ICMP to the 8.8.8.0/24 subnet, and another rule will be created to pass ICMP traffic to 8.8.8.8.
First create the WAN target that contains the IP's to be blocked and another that contains the IP's to allow. Navigate to Identities::Definitions. Create a new WAN Target. Give the WAN target a name, and for the target enter 8.8.8.0/24. Click Create.
Create another WAN Target , this time the target will be the address to allow, in this case 8.8.8.8, click Create.
Next navigate to Policies::Packet Filters and create a new Application Filter. Give the application filter a name, Action should be set to block , Direction set to both. In the WAN Target field select the WAN target that contains the 8.8.8.0/24 subnet. In the Applications field select the ICMP application. Select the policies this rule should apply to, and click Create.
Create another Application Filter , give it a name. The Action field should be set to pass , and the Direction Field set to both. In the WAN Targets field select the WAN target contaning the addresses that are to be allowed. Select the ICMP application in the Applications field. Select the polcies the filter should apply to and click Create.
Now members of the Bronze and Silver policies can ping 8.8.8.8 but cannot ping other addresses in the 8.8.8.0/24 subnet. NOTE: the order of the rules are important, for this to work the PASS rule must be below the block rule in the scaffold. The order can be changed by clicking the Enable Drag & Drop link above the scaffold, or using the Move Up/Move Down links for an individual rule.
Packet Forwards
The packet forwards view presents the scaffolds that configure settings to modify the per-packet forwarding configuration.
The rXg packet forwarding engine enables the revenue generating network operator to reroute traffic according to predefined rules. There are classes of forwarding rules that the operator may specify. The operator may choose to create rXg forwards that reroute traffic that is originally destined for the rXg. In addition, the operator may choose to create transit traffic forwards that reroute traffic that originates from the LAN and is transitting the rXg ot the WAN.
rXg forwards enable the operator to deploy publicly accessible services on hosts that are on private IP addresses and using NAT to access the WAN. In a typical scenario, rXg forwards are used to enable remote access to infrastructure management mechanisms, public web servers, etc. When deployed generically, this concept is called port forwarding.
The rXg packet forwarding mechanism builds upon the generic port forwarding concept by enabling the same port to be forwarded to different hosts depending on the originating (WAN) host. In addition, the application forward is limited in effect via policy. This enables the revenue generating network operator to use application forwarding to sell a premium service in a similar manner to application filters.
Transit traffic forwards enable the operator to reroute end-user traffic to operator specified destinations. In a typical scenario, transit traffic forwards are used to require end-users to use operator specified proxies. For example, transit traffic forwards are particularly useful for rerouting all outbound email tranmissions through an operator specified SMTP relay. Another example would be to forward all Jabber IM requests to a Jabber proxy that injects advertising.
The operator specifies which end-users are affected by transit traffic forwards through policies. This fits naturally with the rXg zero operator intervention provisioning methodology and enables operators to deploy transit traffic forwarding as a premium service. For example, hotspot operators may desire to charge a premium for SMTP relay.
rXg Forwards
An entry in the rXg forwards scaffold creates a packet forwarding rule that reroutes traffic originally destined for the specified applications on the rXg to a destination specified by one or more IP groups associated with the selected policy.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The applications field configures the class(es) of packets that will be forwarded by the rules generated as a result of this record. Selecting multiple application groups applies this rule to all of the selected applications (logical or).
The source WAN targets field limits the effect of the inbound application forward rule defined by this record to traffic that is originating from the IP addresses or DNS names listed in the selected source WAN targets. By default, an rXg forward rule acts as a generic port forwarder that redirects all traffic matching the configured applications. Setting a source WAN target causes the rXg forward to limit the breadth of the rule to packets originating from the specified host(s).
The destination port override field specifies an alternative port to send the forward traffic. If left unspecified, the original destination port specified by the application is used as the destination port. If specified, all traffic is redirected to the selected port. For example, if the application is configured to be SMTP (destination port 25) and the destination port override is configured to be 587, all port 25 traffic will be forwarded to port 587 on hosts contained in the destination policies.
The policy field relates this record to a set of groups through a policy record.
The policy mode field configures the forwarding behavior when the linked policy contains multiple groups or multiple members in a group. The first member only option causes all traffic coming in from the WAN to the port specified by the application to be forwarded to the first member of the first group. The round-robin option causes inbound traffic on the port specified by application to be load balanced between all members linked to the policy. If only a single group with a single member is linked to the enforcement record, the behavior will be identical to first member only. This option is useful for having inbound requests load balanced to a farm of servers. The autoincrement option causes the enforcement record to create a many to many mapping between ports and group members. For example, if the application specifies a port of 5000, and the policy links to a group with members 10.0.1.100, 10.0.1.101 and 10.0.1.102, then port 5000 will forward to 10.0.1.100, port 5001 will forward to 10.0.1.101, port 5002 will forward to 10.0.1.102, etc. The autoincrement option is useful for easily configuring remote monitoring of a large number of LAN devices when site-to-site VPN is not possible.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Transit Traffic Forwards
An entry in the transit traffic forwards scaffold creates a forwarding rule that reroutes traffic originating from the LAN to the destination specified on the WAN. The rXg transit traffic forwarding mechanism supports generic (universal) port forwarding as well as policy specific forwarding.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The applications field configures the class(es) of packets that will be forwarded by firewall rules generated as a result of this record. Selecting multiple application groups applies this rule to all of the selected applications (logical or).
The policy field relates this record to a set of groups through a policy record.
The policy mode field for outbound forwards is always set to round-robin. If only a single WAN target is specified, then all traffic will always be redirect to the specified WAN target. If multiple WAN targets are specified, outbound traffic is load balanced amongst the specified WAN targets /.
The destination WAN targets field specifies the destination of the traffic for the transit traffic forward. If multiple hosts are defined by the specified WAN targets, the destinations are forwarded connections on a round-robin basis.
The destination port override field specifies an alternative port to send the forward traffic. If left unspecified, the original destination port specified by the application is used as the destination port. If specified, all traffic is redirected to the selected port. For example, if the application is configured to be SMTP (destination port 25) and the destination port override is configured to be 587, all port 25 traffic will be forwarded to port 587 on hosts contained in the destination WAN targets.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Payload Rewriting
The payload rewriting feature of the rXg allows operators to dynamically modify the content of any or all HTML pages that transit the rXg. Payload rewriting is embodied by two key features: HTML injection and HTML rewriting. HTML injection enables operators to easily add content to transit web pages. HTML rewriting enables operators to arbitrarily modify the HTML of transit web pages.
Enabling the payload rewriting feature of the rXg is accomplished by add the desired rewriting configurations into a HTML Payload Rewrites record which is related to a Policy. The effect of the rewrite is controlled by configuring the HTML Injections and HTML Rewrites scaffolds.
HTML Payload Rewrites
The HTML payload rewrites scaffold configures the replacement of web content in web pages that transit the rXg. It is used to link the definitions of desired rewriting configured in the HTML Injections and HTML Rewrites scaffolds to a Policy.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The WAN targets field limits the effect of the HTML payload rewrite settings defined by this record to traffic that is originating from or destined to the IP addresses or DNS names listed in the selected WAN targets. By default, an HTML payload rewrite record affects all HTTP traffic matched by the policy regardless of WAN origin / destination. Setting a WAN target causes the breadth of the HTML payload rewrite to be limited to the specified hosts in the manner specified by the WAN target mode.
The WAN target mode field determines the effect of choosing WAN targets. When set to ignore, all HTTP requests originating from end-users and devices selected by the associated policy will take part in the HTML payload rewrite except for the requests that are headed to the IP addresses and DNS names in the chosen WAN targets.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
HTML Injections
The HTML injections scaffold configures the insertion of operator specified web content into web pages that transit the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The position field specifies the location where the operator specified web content will be inserted into every web page that transits the rXg.
The recipe field configures which methodology the rXg will use to inject HTML content into web pages. Setting this field to virtual frames will result in HTML content being injected as a header, footer or sidebar (depending on the setting of the position ). Setting this field to floating overlay results in the injected HTML payload being delivered in a stylized HTML div element that floats over existing web content. The ad element overlay option is a specialized recipe designed to work with the rXg integrated advertising rotation mechanism to deliver advertising overlay.
The CSS and HTML fields specify the web content that will be inserted into every web page that transits the rXg.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
HTML injection is a unique capability of the rXg that enables operators to insert snippets of HTML into any transit web page. When enabled, the response from upstream web servers (or local stores if the persistent cache is enabled) are buffered into the RAM of the rXg. The payload is then analyzed for compatibility with injection.
Compatible payloads are rewritten according to the operator selected recipe. The virtual frames recipe converts the original web page into one that uses CSS to emulate frames. The original web content appears at the center of the frame emulated page with operator specified content around the four edges.
The floating overlay recipe enables operators to insert contant that they desire in a stylized HTML div that is present on all web pages. A small red button is present so that the end-user may close the overlay in case critical content is residing behind the div.
The ad element overlay recipe specifically targets well known advertising delivery mechanisms for HTML injection. This recipe demonstrates the ability of the rXg to seemlessly deliver advertising impressions by overlaying existing publisher-controlled advertisments with operator-controlled advertising inventory.
The ad element overlay recipe works in conjunction with the rXg integrated advertising delivery mechanism. This recipe expects that rotators named "160x600," "180x150", "300x250" and "728x90" exist. Rotatees associated with the appropriate rotator should contain the operator-controlled advertising inventory that will be overlaid on top of publisher-controlled advertising content that is present on web pages. Furthermore, the advertising overlay script must be executed by injecting:
<script type='text/javascript'>
adRotatorOverlay();
</script>
HTML injection is typically deployed for three purposes: messaging, up-selling and advertising.
One common application of HTML injection is operators to broadcast messages to the end-user population. Operators are most often going to communicate service messages such as notification of a scheduled system outage. Some operators choose to make use of HTML injection messaging as part of a larger emergency notification system strategy. Sometimes it is possible for operators to leverage this capability to partially fund their networks using federal emergency management grants.
Operators may also use the HTML injection mechanism to up-sell premium services. For example, injection may be used to bring parts of the captive portal into the view to allow an end-user to easily purchase more quota, higher rate limits, etc. In a typical deployment, a quota trigger is configured to place end-users with high percentage or absolute value of quota utilization into a transient group that is associated with a policy that has injection enabled. The injection payload is then configured to notify the end-user of their high utilization and offer them the option of clicking through to purchase more quota and/or upgrade to a higher bandwidth plan.
Many operators choose to use the HTML injection mechanism to deliver advertising. By incorporating operator specified content into potentially every single web page that transits the rXg, a tremendous number of advertising impressions may be generated. In a typical deployment, HTML injection used to generate advertising impressions is associated with a policy that contains "free" end-users while paid end-users do not experience any advertisements.
HTML Replacements
The HTML replacements scaffold configures the generic search-and-replace engine for web pages that transit the rXg.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The match field the string that the engine will use to search for. The entirety of the match field will be replaced with the contents of the replacement field. Parenthesis may be used to store all or part of the contents in the match field for use in the replacement field.
The replacement field is the string that will be used by the engine to replace the match string. The replacement field may contain text or substitution variables such as $1, $2, etc. The number after the $ represents the contents of the parenthesis specified in the match.
The replacement field may also contain a server-side include substitution variable of the form %ssi%FILENAME%. For example, %ssi%/space/portals/your_portal/static/abc.html% will substitute tag with the contents of the file abc.html.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
HTML rewriting enables operators to perform "search and replace" on the web pages that transit the web page. The operator configures a string to match and a string to replace. The rXg loads each transit web page in memory and looks for the match string. If found, the match string is removed and the replacement is inserted in its place.
Consider the following example:
<html>
<head>
<title> A Simple Page</title>
</head>
<body>
<h1> Simple Web Page </h1>
This is the simplest web page possible.
Here is an image:
<img src="/some_photo.jpg"/>
</body>
</html>
If a HTML rewriting record is created with the match field set to simplest
and the replacement field set to most complicated
, the resulting web page that the end-user sees would be:
<html>
<head>
<title> A Simple Page</title>
</head>
<body>
<h1> Simple Web Page </h1>
This is the simplest web page possible.
Here is an image:
<img src="/some_photo.jpg"/>
</body>
</html>
HTML rewriting records apply to every part of the HTML present in the web page. This allows the operator to effect dramatic changes to the look and feel as well as the structure of the web page. For example, it is possible to create a match rule to replace the stylesheet referenced by a page or add a CSS class to every instance of a particular element. The generic nature of the HTML rewriting engine opens up a broad spectrum of possible applications.
Persistent Caching
Persistent caching is a feature of the rXg that benefits the both end-users and operators with both a perceived and actual increase in performance and as well as a decrease in uplink utilization. When enabled, the local persistent store is consulted before any request is sent to the original web server destination. The request is serviced using a local copy if one exists. If not, the request is serviced by originating a HTTP request from the rXg and transmitting the response to the original end-user or device that made the request.
The HTTP headers of the response are checked for cache control options. If the content is cacheable, it is placed into the persistent store. To keep the cached content up to date, the proxy will transmit a request to the original web server to check to see if content has modified based on an expiration timetable configured by the operator. Enabling the persistent cache is a simple way to dramatically improve the performance and reduce the WAN uplink utilization of most revenue generating networks.
Web Caches
Records in the web caches scaffold enable the rXg integrated transparent web cache. The transparent web cache utilizes persistent storage to store HTML pages and assets that transit the rXg. Enabling the web cache reduces WAN uplink utilization as commonly accessed files will be served from the rXg persistent store.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The Intercept SSL/TLS checkbox enables the rXg integrated HTTPS proxy. Enabling this feature tells the rXg to intercept all HTTPS traffic, determine the destination and generate an SSL certificate matching the destinaion on-the-fly. Client software will report an SSL certificate error unless the rXg SSL certificate which is used to sign all of the on-the-fly generated certificates is installed on the client device.
The WAN targets field limits the effect of the web cache settings defined by this record to traffic that is originating from or destined to the IP addresses or DNS names listed in the selected WAN targets. By default, a web cache record affects all HTTP traffic matched by the policy regardless of WAN origin / destination. Setting a WAN target causes the breadth of the web cache to be limited to the specified hosts in the manner specified by the WAN target mode.
The WAN target mode field determines the effect of choosing WAN targets. When set to ignore, all HTTP requests originating from end-users and devices selected by the associated policy will take part in the web cache except for the requests that are headed to the IP addresses and DNS names in the chosen WAN targets. Conversely, when set to cache, only the HTTP requests headed to the chosen WAN targets originating from end-users selected via the policy will be cached and all other requests will not be cached.
The policy field relates this record to a set of groups through a policy record.
Web Proxy Servers
Entries in the Web Proxy Servers scaffold define configuration profiles for the rXg integrated web proxy and cache.
The active field enables an option set. Exactly one option set may be active at any time. Enabling a particular option set will automatically disable another existing active option set.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The mode field affects how and when objects are cached.
The memory (diskless) option utilizes an in-memory cache that is faster than storing cached objects to disk, but sacrifices caching larger files. This mode utilizes a heap GDSF algorithm which optimizes object hit rate by keeping smaller popular objects in the cache so a request has a better chance of getting a hit. It achieves a lower byte hit rate by evicting larger (possibly popular) objects.
The disk + memory option utilizes both an in-memory cache and a disk cache, which facilitates caching larger objects, and more content in general, which optimizes uplink bandwidth utilization at the expense of performance compared to the memory-only mode. The disk cache utilizes a heap LFUDA algorithm which keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached.
The disabled (proxy-only) mode disables all object caching and is useful in conjunction with the content filtering and/or payload rewriting proxies, when caching is not desired or performance is of higher priority than optimizing uplink utilization.
The disk cache size field limits the amount of disk space to use for the disk cache when the mode field includes the disk method. This field is automatically calculated based on the size of the system's disk and cannot be set higher. Setting it lower may be desired to affect cache behavior.
The disk file size field limits the maximum size of an object cached to disk. This field may be changed to affect the byte versus object hit rate of the disk cache.
The memory file size field limits the maximum size of an object cached to memory. This field may be changed to affect the byte versus object hit rate of the memory cache.
The prefetch limit field sets an upper limit on how far (number of bytes) into the file a Range request may be to cause the web cache to prefetch the whole file. If beyond this limit, the proxy forwards the Range request as it is and the result is NOT cached. This is to stop a far ahead range request (lets say start at 17MB) from making the web proxy fetch the whole object up to that point before sending anything to the client. A size of 0 causes the web proxy to never fetch more than the client requested.
The clear cache field forces the disk cache to be flushed. It is necessary to check this field when making changes to some of the above options.
The Certificate Authority and Certificate fields are used to specify the rXg certifcate that will be used to sign the on-the-fly generated certificates used by the SSL intercept mechanism. The certificate specified here must be installed on client devices that participate an rXg policy with SSL interception enabled in order to avoid certificate errors. The Certificate Authority and Certificate fields are mutually exclusive (only one may be specified).
By default, access to rXg services are either limited to the LAN or disabled entirely. In certain cases, the operator may desire to permit accessibility to services over the WAN and/or LAN. To enable access to rXg services over the WAN, the operator should specify one or more WAN targets containing the list of allowed hosts and then set the visibility appropriately. If no WAN target is specified and WAN visibility is enabled, any node on the WAN may connect to the service. It is highly recommended that this wide-open configuration be avoided to ensure system security. If LAN visibility is included then all authenticated nodes on the LAN may access this service.
Traffic Shaping
The rXg traffic shaping mechanism offers five key bandwidth management capabilities: rate limiting, link share equalization, burst rates, bandwidth guarantees and packet prioritization.
All shaping capabilities are configured through bandwidth queue records which are specified to operate on each individual IP, each group or the policy as a whole. Multiple bandwidth queue records may be associated with a single policy to define a hierarchy of shaping controls.
Furthermore, enforcement may be limited to specific applications and/or WAN targets. The rXg applies more specific definitions first when multiple bandwidth queues records are associated with the same policy.
Rate Limiting
Rate limiting is a key capability that enables operators to oversubscribe WAN uplinks. In most usage scenarios, end-users consume little to no bandwidth most of the time interspersed with occasional spikes of heavy utilization. Rate limiting controls the maximum value of the heavy utilization periods. Preventing a handful of end-users from overwhelming the network with heavy utilization enables operators to dramatically oversubscribe WAN uplinks and profit from the results.
Rate limiting is a central aspect to the marketing program of most revenue generating networks. For example, the operator may choose to offer three tiers of service (768k / 256k, 1.5M / 512k, 5M / 1M) at prices that increase appropriately ($19, $39, $99). These tiers of service are configured as rate limits and tied to the billing system through group membership. When an end-user comes to the captive portal, they are given the opportunity to choose from the plans being offered. Once a plan is selected, they will be charged appropriately and then placed into a group automatically which has been associated with the appropriate bandwidth queue. Thus the rXg enables operators to offer multiple tiers of service that are integrated into the billing system and self-provisioned by the end-user with zero operator intervention.
Link Sharing and Flow Equalization
Profitable networks are oversubscribed and heavily oversubscribed networks will have periods where uplinks will be saturated. Many traffic shaping solutions fail to address the potential for random flow starvation with saturated uplinks that is a result of the nature of packet based network architectures. For example, if the uplink is 10 Mbps and the rate limit is 3 Mbps and there are 10 end-users, then just 4 out of the 10 end-users can fully saturate the uplink at which point some of the end-users will undoubtedly have a very poor experience due to the random nature of packets being dropped.
The rXg automatically enforces heuristic link sharing and per-flow packet rate equalization when traffic shaping is enabled. This feature prevents flow rate reduction from being exacerbated into extremely poor service. The rXg automatically slows down the highest rate flows as uplinks begin to saturate. Given a 10 Mbps uplink and 10 end-users that are all attempting to pull the full 3 Mbps specified in their rate limit, the rXg would automatically enforce link sharing at 1 Mbps to each end-user.
Burst Rates
Highly profitable revenue generating networks depend on creative service offerings that entice end-users to purchase premium services. Burst rate limiting enables operators to make service offerings that have a higher initial rate. The burst rate is typically much higher than the sustained rate limit in order to maximize marketing potential. For example, an operator may wish to offer a basic service that has a 3 Mbps sustained rate limit and a premium service that has a 5 Mbps sustained rate limit. The premium service could be enhanced with a 20 Mbps burst rate without dramatically affecting the oversubscription ratio. A premium service of 20 Mbps burst with 5 Mbps sustained is dramatically more attractive than the 5 Mbps sustained without the burst rate.
The rXg enforces burst rate limiting when the queue for an end-user is empty. The end-user will be delivered the burst rate at best effort for the configured burst time. Once the burst time has expired then the sustained rate limit will be delivered at best effort. The burst rate may be delivered to the end-user again if the end-user queue empties. It is important to note that the burst rate is delivered with best effort. It is unlikely that burst rates will ever be delivered when a link is saturated as the rXg will enforce linkshare equalization on highly oversaturated links.
Bandwidth Guarantees
Bandwidth guarantees enables operators to offer service level agreements that specify a minimum committed rate. In a typical deployment scenario, bandwidth guarantees are packaged as a premium service offering to end-users. For example, a "business class" offering may include a committed symmetric rate of 1.544 Mbps as a T-1 equivalent. Another common offering is a 128 Kbps committed symmetric rate for VoIP.
Bandwidth guarantees may not compose more than a fraction of the total available bandwidth on a WAN uplink. A good rule of thumb is that no more than 25% of the total available bandwidth should be allocated as a guarantee. Furthermore, bandwidth guarantees are only relevant within traffic shaping definitions that have the same priority.
The automatic link sharing and flow equalization feature of the rXg traffic shaping mechanism obviates the need to explicitly specify a rate guarantee for "best effort" service delivery. Guarantees should deployed carefully and always in conjunction with a premium service offerings to maximize revenue potential. In most cases, it is appropriate to think of the bandwidth guarantee as a mechanism to override linkshare equalization and give a small population of end-users an unequal share of the bandwidth.
Packet Prioritization
Packet prioritization enables operators to enforce hard priority on different classes of traffic. This enables the operator to ensure that certain end-users or devices are always serviced before other end-users or devices.
In a typical usage scenario a very high priority is assigned for VoIP and infrastructure management traffic. This ensures proper voice quality and the ability to manage the devices that power the infrastructure. In addition, "free" and pre-authenticated end-user traffic is typically given a very low priority.
Hierarchachal Enforcement
The rXg enables the operator to specify the traffic shaping enforcement at three different levels. Shaping by IP address is the finest grain enforcement support of the rXg and is at the bottom of a shaping hierarchy. Enforcement of shaping by group and policy enables operators to configure aggregate queuing and build up two more levels of a traffic shaping hieararchy.
The operator may specify up to three hierarchachal levels of enforcement for a given set of applications and WAN targets. Levels of the heirarchy that are omitted default to 100% of the parent. The implied parent of all policies is the uplink.
Shaping by IP address treats the configured bandwidth queue as a template to be replicated to each and every associated IP address. Every IP in the CIDR range that is associated with a linked bandwidth queue is assigned independent rate limits, bursts and guarantees when shaping by IP enforcement is enabled for policies associated with IP groups. Similarly, when shaping by IP enforcement is enabled for other types of groups (e.g., MAC groups, Account groups, RADIUS groups, etc.), each resolved IP address that is a member of associated groups is assigned an independent rate limit, burst and guarantee.
Shaping by group treats the configured bandwidth queue as a template to be replicated for each group linked to the bandwidth queue. This shaping mode is useful for applying the same rate limits to a set of groups linked through a single policy. Consider a network where VLANs are being used to identify end-users. Unique IP groups could be created for each VLAN and then the IP groups could all be associated through one or more policies associated with a single bandwidth queue.
Shaping by policy creates a single aggregate queue for each policy associated with the bandwidth queue. This shaping mode is less granular than shaping by group. All IP groups , MAC groups , etc., associated with a single policy will be assigned to the same aggregate queue. However if multiple policies are associated with the bandwidth queue then each policy will each be shaped independently.
The rXg generates a diagram of the configured hierarchy to help operators visualize the enforcement. The lowest level of the hierarchy (shaping by IP) is on the left. Packets are first shaped by IP, then by group and then by policy moving from the left to the right of the diagram.
The first example (shown above) depicts the simplest case of traffic shaping where an aggregate queue over all entities within a policy is desired. Since only the policy level of the hierarchy is defined the other levels default to 100%.
Alternatively the operator might desire to only configure shaping by IP without any aggregate queueing. This scenario is depicted in the example shown above. The diagram gets more interesting when more levels of the traffic shaping heirarchy are configured.
In the example given above, all three levels of the heirarchy are explicity specified. Thus an individual IP address is limited to 1 Mbps / 512 Kbps (with a 2 Mbps / 1 Mbps burst), while the group that the IP belongs (which in this case represents a corporate account) to is limited to 2 / 1 Mbps (with a 3 / 2 burst) and finally the set of all corporate accounts that fall within this structure are limited to 5 / 3 Mbps.
Bandwidth Queues
Bandwidth queues define traffic shaping policies.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the relative priority of the traffic that is assigned to this bandwidth queue. All packets waiting in a queue with higher priority are forwarded before packets waiting queues in lower priorities are serviced. The priority is completely independent from the rate limits and guarantees of a queue.
The absolute value of the priority field has no meaning as the enforcement of the packet priority policy is based on the relative values of each queue. The priority of 0 is the lowest and used to designate queues that are filled with packets that are least important or the least sensitive to delay. For example, bulk web traffic might be assigned a priority of 1 while VoIP traffic might be assigned a priority of 5.
The download rate limit and upload rate limit fields configure the absolute maximum steady-state transfer rate for this queue. These values are often described as being delivered with "best effort" in oversubscribed networks. This is because the actual maximum transfer rate is determined by numerous factors such as the size of the WAN uplink and the amount of traffic being generated by other end-users.
In heavily oversubscribed scenarios, the actual achievable maximum transfer rate experienced by the end-user will likely be much lower than the rates specified. In lightly used networks or networks with lower oversubscription ratios the data transfer rate may come be equal to but will never exceed the rate specified by these values unless a burst setting is configured.
The download rate burst and upload rate burst determine the initial maximum traffic rates for the specified burst time. These optional values allow the operator to offer end-users an initial burst of higher speed for a short period of time. These values are similar to the download rate limit and upload rate limit fields in that the specified rates are delivered with "best effort" and the actual maximum rate is determined by the amount of traffic being generated by the end-user population.
The download rate guarantee and upload rate guarantee are optional fields that configure the desired of amount of bandwidth that is dedicated to the queue. This value must be set carefully as it is a true dedicated guarantee and may not be oversubscribed. The operator should never guarantee more than 25% of the available bandwidth at any given time as doing so will likely result in an unstable network. It is particularly important to be very judicious with the use guarantees when configuring per-device Bandwidth Queues scenarios because the actual bandwidth guaranteed is determined by the specified value multiplied by the number of end-user devices. The bandwidth required to configure the guarantee may quickly become unmanageably large if an unexpectedly large number of end-users joins the network.
The WAN targets field limits traffic admitted to the queue defined by this record to traffic that is originating from the IP addresses or DNS names listed in the selected WAN targets. By default, a bandwidth queue will admit all traffic that is originating from and destined for the end-users and devices linked through the associated policies. Setting a WAN target causes the bandwidth queue to limit the breadth of admission to traffic destined for and originating from the designated hosts.
The applications field configures the kinds of packets that will be admitted to the bandwidth queue defined by this record. Selecting multiple application groups admits the packets from all of the selected applications (logical or). By default, all types of packets that match the chosen policy and WAN targets are admitted. Selecting one or more applications reduces the breadth of the queue admission configured by this record to the packets classified as being part of the chosen applications.
The shaping field configures the granularity of the traffic shaping enforcement. Setting this field to policy , group account or IP results in the configured settings being used as a template that is replicated for each associated policy , group or IP respectively. See the full traffic shaping help page for details.
The disable auto-IP queues field (a.k.a. LPV-mode) can be enabled only for queues configured for group or account sharing. This option disables the generation of the auto-IP queues for each IP member of an IP group, unless there is an explicit device sharing queue that also applies to the device. This drastically reduces the number of queues and firewall rules, thereby enhancing packet processing performance in scenarios where there is no portal and no device-specific rules. The trade-off to this is that there are no longer per-IP queue counters to instrument, meaning some visibility into device traffic rates is lost. This mode is not enabled if the policy has multiple link controls, since it would cause all traffic within the group to use a single uplink, or if there is a Captive Portal, since device-specific rules are required to pass traffic after authentication.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Uplink Control
The uplink control view presents the scaffolds that configure the multiple uplink control mechanism of the rXg.
The multiple uplink control mechanism of the rXg enables operators to leverage the capacity and diversity of multiple WAN uplinks without the complexity, operational difficulty and support burden associated with traditional multihoming techniques (e.g., ARIN ASNs, upstream network cooperation and reconfiguration, etc. ). Multiple uplink control provides the operator with four distinct capabilities: bandwidth aggregation, uplink failover, carrier diversity and application affinity.
Bandwidth Aggregation
The rXg multiple uplink control mechanism utilizes multiple WAN uplinks as a team. This allows the operator to treat several uplinks as if they were a single high bandwidth uplink. Significant operational cost savings may be achieved through proper employment of this feature. For example, a turn-key rXg can be deployed with multiple uplink control to aggregate seven standard 7.1 Mbps x 768 Kbps ADSLs resulting in a virtual link that is nearly 50 x 5.5 Mbps. The MRCs associated with seven ADSLs is approximately $300, a fraction of the $5000 or more that would be incurred for a 45 Mbps T3.
Aggregating numerous WAN uplinks is also an effective way to scale uplink bandwidth with the end-user population. Since MRCs tend to scale with uplink bandwidth and revenue tends to scale with end-user population, multiple uplink control enables proportional scaling of cost with revenue. In addition, most high-bandwidth leased lines have long deployment lead times. Multiple uplink control enables operators to quickly deploy RGNs with one or two commonly available WAN uplinks (e.g., cable modems and DSLs). The operator may then dynamically increase total available bandwidth by simply adding more WAN uplinks from any ISP of the operator's choosing.
Uplink Failover
The multiple uplink control mechanism enables operators to easily increase the fault tolerance of the network and decrease the dependence of operator on WAN uplink providers. When several WAN uplinks are configured for aggregation, the rXg automatically monitors the health of the WAN uplinks and removes uplinks that have failed from the active pool. If a failed uplink returns to proper operation, the rXg automatically adds the WAN uplink to the active pool.
In addition, the rXg supports explicit configuration of backup WAN uplinks. This is useful for situations where a backup uplink that has different characteristics from the one or more primary uplinks. For example, satellite WAN uplink may be designated as an explicit backup uplink that is never used unless all members of a pool of primary DSLs have failed.
Carrier Diversity
The rXg multiple uplink control mechanism operates independently of the upstream carriers. The upstream carriers do not need to make any configuration changes or cooperate with the operator in any way. The multiple uplink control mechanism is so transparent that in most cases upstream carriers do not even know that their link is taking part in a connection pool. The rXg supports multiple uplink control over any number of carriers that are supplying an arbitrary set of uplinks.
With third-party ping targets configured, the rXg multiple uplink control mechanism can determine the health of the uplink carrier's upstream connectivity. This capability combined with WAN uplinks that are being supplied provided by different upstream carriers enables the rXg to provide carrier diversity and failover. Uplinks that are associated with carriers that are having peering difficulty are removed from the active pool.
Application Affinity
The rXg multiple uplink control mechanism can affine specific outgoing traffic to particular WAN uplinks. This capability enables operators to maximize the utilization and capabilities available through a diverse set of WAN uplinks. In a typical configuration, most traffic is sent across one set of WAN uplinks while traffic with special needs are sent through a different set of WAN uplinks.
For example, an operator that has a single T-1 and three ADSLs may choose to affine all VoIP traffic to the T-1. This allows the VoIP to be delivered at a lower latency that will make a noticeable difference in call quality. Link affinity may also be used in conjunction with application forwards and DNS mappings to reserve certain WAN uplinks for public facing services.
Link Controls
The records in the link controls scaffold defines the configuration of the multiple rXg uplink control mechanism.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The uplinks field determines which WAN uplinks will take part in the multiple uplink control policy configured by this record. When more than one uplink is set, the rXg will automatically load balance the links. The distribution of load across the selected uplinks is determined by the weight field of the WAN uplink records.
The backup checkbox configures the link control group configured by this record to remain inactive unless all other links associated with a link control record that is not designated as a backup have failed. At least two link control records (one designated as backup and that is not) must be associated with the same policy in order for this field to have any effect.
The WAN targets field limits the effect of the link control defined by this record to traffic that is originating from or destined to the IP addresses or DNS names listed in the selected WAN targets. By default, a link control affects all traffic originating from and destined to the members of all groups associated through the linked policies. Setting a WAN target causes the link control to limit the breadth of the rule to the specified hosts.
The applications field configures the kinds of packets that will be link controlled as a result of this record. Selecting multiple application groups applies this rule to all of the selected applications (logical or). By default, all types of packets that match the chosen policy and WAN targets are link controlled. Selecting one or more applications reduces the breadth of the rule configured by this record to the packets classified as being part of the chosen applications.
The policy field relates this record to a set of groups through a policy record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Uplinks
This scaffold brings visibility to the columns of the uplinks scaffold that are relevant for multiple uplink control. Since uplinks are defined via the uplinks scaffold in the WAN view of the Network subsystem, this scaffold is limited to editing settings relevant to multiple uplink control.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field determines the order of precedence during failover in a link control scenario. When only one uplink is configured, this field has no effect as there is no uplink to failover to. When multiple uplinks are configured and connection aggregation is enabled, a failure of a link will cause another member of the pool to forward all traffic. If aggregation is not enabled, or all uplinks within a pool have failed, then the uplink with the highest priority amongst all of the remaining uplinks will be used to forward the traffic.
The weight field is used to determine how load is distributed across a set of uplinks that have been grouped together into a single link control. If all upinks in the link control have the same weight, the end-users will be assigned to the uplinks in an simple round-robin (uniformly distributed) fashion. If the uplinks have different weights, end-users are assigned to uplinks in a distribution that uses the uplink weight as a ratio with respect to the sum total of the weights. For example, if a link control has two uplinks associated with it and the weights of the uplinks are 2 and 5, 28% (2/7) of the end-users will be will be assigned to the first link and 72% (5/7) of the end-users will be assigned to the second link.
The ping targets field associates ping targets with this uplink. Ping targets are used to determine the health of the uplink. When all of the associated ping targets are not reachable via an ICMP ping, the uplink is marked as down until at least one of the ping targets responds.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Ping Targets
The ping targets scaffold configures the third-party ping targets that are used to determine uplink availability. Each uplink should have more than one ping target associated with it in order to properly determine uplink health.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The target is the IP address of the device that is to be sent an ICMP ping.
The timeout is the number of seconds that the rXg will wait for a response from the target to an ICMP ping request.
The attempts is the number of times an ICMP ping will be tried before the ping target is considered to be down.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Simple Example Configurations
A minimum of two Uplinks must be configured to enable multiple uplink control functionality. Physically connect two distinct Internet connections to the rXg. Use the Network :: WAN view to create the appropriate Network Address objects as well as the associated Uplink objects. Ensure that reasonable Ping Targets are associated with each Uplink object.
Link Control is defined by Policy. The operator must identify the people and/or devices through to which they wish to apply Link Control. For the purposes of demonstration the creation of a single IP Group to cover the management Network Address is sufficient. Most production environments will have Account Groups representing tiers of service. In either case, Policy objects connected to Uplink Control object(s) determine the behavior.
Link Aggregation and Failover
Link aggregation is configured by associating a single Uplink Control enforcement to a Policy. The Uplink Control enforcement must have multiple Uplinks selected to enable aggregation. If a single link in the aggregation pool fails all traffic will be automatically moved over to the remaining operational uplink(s).
Link Failover Only
Link failover without aggregation is configured by associating at least two Uplink Control enforcements to a Policy. The Uplink Control enforcement for the primary uplink must have the Backup checkbox cleared and the appropriate Uplink associated. The Uplink Control enforcement for the failover uplink must have the Backup checkbox enabled and the appropriate Uplink associated. All traffic will flow over the primary Uplink until there is a failiure. No traffic will pass over the secondary Uplink until primary uplink failure occurs.
Application Affinity
Link affinity is configured by associating at least two Uplink Control enforcements to a Policy. The Uplink Control enforcement for the primary Uplink should have the appropriate Uplink associated. The Uplink Control enforcement for the specific traffic designed to over over the secondary uplink should have the appropriate Application and/or WAN Target configured as well as the appropriate Uplink associated.
Billing
Zero operator intervention provisioning is a key benefit of using an rXg as the head-end for revenue generating networks. Automated subscriber provisioning reduces costs and increases reliability for the operator while simultaneously providing subscribers with instantaneous changes to their network experience. rXg automated provisioning enables the operator to deploy a broad spectrum of product offerings with unparalleled agility through a combination of internal and external integrations.
The rXg incorporates hundreds of capabilities that are typically deployed using individual point solutions resulting in a the rack of equipment and a jumble of virtual machines. Dozens of third-party integrations with the distribution infrastructure equipment enable operators to create unprecedented mash-ups with rXg internal capabilities. The breadth of capabilities enabled by the rXg combined with the in-depth control of each individual feature enables operators to generate profits through entirely new business models that leverage automation, microtransactions and subscriptions.
Automated billing is a key component of zero operator intervention provisioning. The rXg billing engine allows operators to define a set of billable items and tie these to deliverables. The full spectrum of rXg features may be tied through deliverables. Examples of possible deliverables with fully automated and instanteous subscriber provisioning may include, but are not limited to:
Layer | Example Deliverables |
---|---|
Layer 1 | Enable Ethernet switch port(s), custom SSID name |
Layer 2 | Admission to a particular VLAN, enable temporary group VLAN |
Layer 3 | cgNAT vs dedicated public IP, multiple public IPs, choice of a particular uplink |
Layer 4 | throughput rate limits and guarantees, usage quotas |
Layer 5 | time online, VPN |
Layer 7 | Content filtering, deep packet inspection |
Subscriptions are typically established using the rXg integrated captive portal. End-users typically arrive at the portal through forced browser redirection at which point they are asked to select and pay for a usage plan. Once payment has cleared, the rXg automatically provisions the policy defined by the end-user. During the course of normal RGN operation where end-users are signing up and selecting services, the RGN operator is a passive recipient of notifications. For many RG Nets customers, once the rXg is installed and configured, they can sit back and simply watch as the money flows into their bank accounts.
The billing menu enables the operator to access the views associated with configuring the rXg billing system. The operator uses the billing menu to configure usage plans, credit card merchant gateways as well as promotional coupons. The billing menu also enables operators to access historical billing information.
Billing Dashboard
The billing dashboard presents an overview of recent end-user signups, transactions and the plans that are currently being offered.
The dialog along the top of the billing dashboard presents a summary of recent revenue and activity.
In the center of the billing dashboard are graphs that presents a summary of revenue and transaction trends.
The amount charged, plan selected and merchant used are displayed of recent transactions are displayed. Click on the details link to navigate to the complete transaction log.
Below the billing dashboard are dialogs that presents a summary of the recent transactions.
The account, name and group association of the plans are displayed in the dialog. Click on the details link to navigate to the plan configuration page.
Plans
The plans view presents the scaffolds that configure usage plans that are offered to end-users for purchase.
Usage Plans
Each record in the usage plans scaffold represents a service offering that the end-user may select.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The optional description field will be displayed to users in the captive portal if you want to add further detail. The data in this field has no bearing on the provisioning or billing of the service offering represented by this record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Provisioning
The account group field specifies the group that the end-user will be placed in upon selecting this usage plan. This field enables zero operator intervention provisioning. The end-user experience is determined by the policies that are associated with a group. By automatically putting an end-user into group based, end-users are instantly provisioned into defined of service offering upon plan selection.
The splash portals and landing portals fields define which captive portals that this plan may be purchased from. Use these fields to limit the availability of certain plans to specific portals which in turn are displayed based on geographic location, the expected class end-users, etc.
The social login strategies field defines which Social Login Strategies may use this plan. If an account has logged in via social login, they will only see usage plans that include their strategy in the list of available usage plans.
The PMS guest matches field defines which users will see this plan in the portal. PMS guest match rules are configured in the Billing::Gateways page of the admin console.
The automatic login field configures end-users that selects this plan with a flag that causes the rXg to log the end-user in without displaying the captive portal. When combined with recurring billing, this feature enables operators to use the captive portal as a zero operator intervention end-user self-service provisioning system for long term recurring subscriptions.
The automatic provision field configures the rXg to automatically add devices in the same subnet to an end-users account. This is useful when deploying dynamic pre-shared keys. This enables an end user to input their pre-shared key to gain access to their VLAN, and automatically register the new device to their account, without requiring captive portal input.
The lock MAC field sets the corresponding field in the account record when the usage plan is purchased. Devices with locked MAC addresses may only purchase usage plans when they are logged in as the account with the corresponding MAC. This feature is most often used in fixed wireless broadband environments to prevent end-users from avoiding disconnect, reconnect and late fees. This feature is incompatible with quick purchase and other transient specific portal methodologies where accounts are created automatically. Attempting to user this feature in portal workflows that involve automatic account creation will result in the denial of subsequent transactions initiated by the same end-user using the same piece of equipment because a new user account cannot be created for the same MAC address.
Lifetime
The fields in the lifetime section allows the operator to configure how the utilization defined by the time and quota portions of the usage plan will expire.
The relative lifetime configures how long the utilization will remain usable relative to the time that the end-user selects the usage plan. The absolute lifetime configures a specific date and time in the future when the utilization will expire. If both a relative lifetime and an absolute lifetime is configured, the shorter of the two defines the actual lifetime of the utilization. If the unlimited lifetime check box is set, the utilization defined by the associated quota and time never expires.
If the do not set lifetime check box is set, then the utilization lifetime present in the account record is carried forward unmodified. If there is no utilization lifetime present in the account record, then the behavior specified by the absolute lifetime , relative lifetime and unlimited lifetime fields is then configured.
Included Plan Features
This section defines the plan attributes that will be provisioned if the user does not select any Plan Addons.
The Quota selection specifies the Quota Plan that will be applied if the user does not select an alternate Quota Plan from the Optional Quota Plans section.
The Time selection specifies the Time Plan that will be applied if the user does not select an alternate Time Plan from the Optional Time Plans section.
The max sessions field specifies the maximum number of simultaneously logged in devices for the account.
The max devices field specifies the maximum number of devices that may be stored in the account. When more devices exist in an account than its max sessions value, subsequent login attempts require logging out another device before logging in.
The max party devices field specifies the maximum number of devices that may be joined to LAN parties for the account in order to allow guest devices from another account to join a temporary shared VLAN to have direct access to one another while the LAN party is active.
The max dedicated IPs field specifies the maximum number of dynamic WAN IP addresses that the account may use for port forwarding and DMZ purposes. The IPs may change between sessions, unless the Dedicated IPs are static option is enabled.
The Dedicated IPs are static option specifies that the number of public IPs specified in the max dedicated IPs field will be assigned to the account and remain constant for the lifetime of the account. This is useful when accounts wish to host servers and require consistent IPs.
The UPnP permitted option allows the user to enable UPnP (Universal Plug-N-Play) so that devices may negotiate port forward requirements with the Rxg automatically. This is required for some games as well as some applications.
Available Plan Addons
The Plan Addons selection makes Plan Addon packages available to the user in the portal so that they may customize the usage plan's contents. Plan addons that have the included with plan option selected will be included in this plan automatically and will not be displayed to the user in the portal.
The optional Quota Plans selection makes additional Quota Plans other than the one specified in the included Quota Plan available to the user as options in the portal. The user's selection will override the included Quota Plan.
The optional Time Plans selection makes additional Time Plans other than the one specified in the included Time Plan available to the user as options in the portal. The user's selection will override the included Time Plan.
Billing
The fields in the billing section allows the operator to configure fully automated end-user billing. For example, if the operator wishes to automatically charge credit cards, these fields configure where the charges will be sent.
The merchant field relates this usage plan to a payment gateway defined by an entry in the merchant scaffold. Each usage plan is related a merchant independently from all other plans. Thus it is possible for an operator to use different merchants for different classes of service to facilitate separation of revenue by account.
The currency field specifies the localized currency that will be used to whenever the aforementioned merchant is contacted to execute a transaction. The currency must be supported by the payment gateway specified by the merchant merchant in order for the transaction to be processed.
If the prorate credit check box is set, then the account is refunded for unused usage time when purchasing a different plan. The refund is given in the form of credit and is automatically deducted from the price of the purchase. Any remaining credit is stored in the user's account. Additional credit may be given to a account manually by the operator via the users scaffold, or the account may redeem a coupon to obtain credit.
The manual billing check box dictates that transactions must be approved by an admin before applying the usage to the account. This billing method assumes that the user physically exchanges money with an operator (reseller) who then approves the user's transaction via the AR Transactions scaffold or FOM Operator Portal to complete the login process.
The fields in the recurrence section contains fields that allow an operator to configure this usage plan to repeatedly bill the end-user on a specified schedule. These fields enable the operator to offer recurring services (e.g., monthly billed IP-data similar to DSL and cable modem).
The interval field defines the recurring billing interval. By default, the interval field is set to none which indicates that the usage plan will only be billed when the end-user selects it. Choosing any other interval will enable recurring billing. Note that off site merchants such as PayPal Website Payments Standard do not support recurring billing.
The recurring day field configures the number of days into the interval during which the end-user will be billed. If the relative checkbox is set, then the recurring day will be configured relative to the day that the end-user first selected the plan. For example, if the interval is set to monthly, the recurring day is set to 5 and the relative checkbox is unset, then the end-user will be billed on the 5th day of every month regardless of when they first selected the usage plan. Given the same scenario with the relative checkbox set would result in the end-user being billed 5 days after the day that they first selected the usage plan.
The charge retry grace time specifies the interval between billing attempts if a billing transaction failure occurs. When an end-user selects a plan that has a recurring method other than none, the end-user is billed automatically according to the predefined interval. If the transaction fails for any reason, the rXg will retry the transaction repeatedly according to the rate specified by the recurring retry grace time until the number of retries is exhausted. The number of retries is defined by the max charge attempts field.
The permit unpaid A/R checkbox allows the operator to offer a usage plan on A/R terms. If this checkbox is set, then the policy associated with a usage plan will continue to be provisioned to an end-user even in the event of billing transaction failure. If this happens, a receivable will be posted to the end-user's journal.
The aged A/R penalties field associates the usage plan with one or more records in the aged A/R penalties scaffold. Each of these associations triggers the posting of a receivable given the conditions set in the associated record. Associated records may also disable the account. The use of aged A/R penalties requires the setting of the permit unpaid A/R checkbox.
Account Validation
A usage plan may be configured to require that the end user validate either their Email address or mobile phone number or both prior to the usage plan being applied to the account.
The validation method field specifies which forms of validation must take place before applying the plan.
The validation grace minutes field allows the plan to be applied to the account for a limited amount of time, allowing the end user time to access their Email and retrieve the validation code. This value will be set to 0 if the validation method does not include Email.
The SMS Gateway field specifies the SMS Gateway that will be utilized when sending validation codes via SMS.
Time Plans
Usage plans consist of three elements. This is the time element. This is where you configure how long the customer will have access.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Price entered will make up a part of the total usage plan price a customer will see when signing up for a plan.
The optional Description will be displayed to users in the captive portal if you want to add further detail.
The Time and Time unit make up the actual amount of time provisioned to an associated account. Check the Unlimited checkbox if you want to allow unlimited online time.
The Rollover checkbox will allow an associated account to keep any unused time when purchasing a new plan from a captive portal.
Check the Usage Plans that this time configuration should be a part of. This is usually configured in the usage plans configuration section.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Quota Plans
Usage plans consist of three elements. This is the quota element. This is where you configure how much data the user can transfer over the period of the usage plan.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Price entered will make up a part of the total usage plan price a customer will see when signing up for a plan.
The optional Description will be displayed to users in the captive portal if you want to add further detail.
The Upload and Upload unit make up the upload portion of the quota provisioned to an associated account. Check the Unlimited U/L checkbox if you want to allow an unlimited amount of upload.
The Download and Download unit make up the download portion of the quota provisioned to an associated account. Check the Unlimited D/L checkbox if you want to allow an unlimited amount of download.
The Rollover checkbox will allow an associated account to keep any unused quota when purchasing a new plan from a captive portal.
Check the Usage Plans that this quota configuration should be a part of. This is usually configured in the usage plans configuration section.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Aged A/R Penalties
Each record in the Aged A/R Penalty scaffold defines an action to take given certain A/R conditions. This scaffold is used to define late fees and reconnect fees. It is also used to automatically disconnect delinquent users.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The days field specifies the number of days that the A/R must be aged in order for the penalty specifies in this record to take effect.
The amount field specifies a monetary amount to post to the end-user's journal when the conditions are met. For example, if a late fee or reconnect fee is to be imposed, field should be populated with the amount of the fee that should be collected from the end-user.
Setting the suspend user checkbox will cause an end-user to be suspended if the conditions in this record are met.
Selecting a custom message will email the end-user when the conditions in this record are met.
The usage plans field associates the penalty defined by this record with one or more usage plans. An aged A/R penalty must be associated with a usage plan that has the permit unpaid A/R checkbox set to have any effect.
Gateways
The gateways view presents the scaffolds that configure the third-party automatic charge posting mechanisms that are built into the rXg.
The rXg has a fully integrated double-entry accounting system that keeps an accounting journal for each Account. The rXg may be configured to automatically post credits to the journals associated with each Account through a number of manual and automated mechanisms. The operator may choose to manually issue credit based on manual payment processing. Alternatively, the operator may sell or issue coupons that are automatically redeemed for credits in the captive portal.
The mechanism that achieves the most benefit when deployed in conjunction with zero operator intervention is fully automatic payment processing. To accomplish this, the rXg integrates with third party billing gateways through well understood and published APIs. The rXg sends messages to the configured gateways when billing events occur. The rXg then expects replies from the third party billing gateways in the format specified by their API. When properly configured, absolutely no operator intervention needs to occur to process payments and provision customers.
Merchants
In order to accept payment via credit card, or other mechanism such as PayPal, you need to configure a merchant record that contains the information necessary to contact the external payment gateway. Each merchant record requires an account that must be setup with the external payment gateway before any charges may be posted. For example, having a valid PayPal account is a prerequisite to creating a working merchant record that posts to PayPal.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Some merchants support Test or sandbox mode. Checking this checkbox will alert the merchant that you are operating in a testing mode and will not charge the accounts used while testing is enabled. Refer to your merchant's documentation for more information, as some merchants (e.g., Paypal) require you to create special test accounts to use sandbox mode.
The Login, Password, Signature, and Partner fields will be provided by the merchant you are using. Not all merchants use all four pieces of information.
When performing a charge to direct merchant gateways (e.g., Authorize.Net), the id of the Merchant Transaction record stored on the rXg is passed along to the merchant as the invoice and order_id fields. The optional invoice prefix field is prepended to the invoice and order_id. For offsite merchant gateways (e.g., PayPal Website Payments Standard), the invoice and order_id fields are determined by the merchant.
You will also need to check the Usage Plans that you want to be purchasable through this merchant. Please note that this can also be done from the usage plan configuration section.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Direct Gateways
The rXg supports the following direct payment gateways.
name | supported countries |
---|---|
1stPayGateway.Net | US |
Adyen | AT, AU, BE, BG, BR, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GI, GR, HK, HU, IE, IS, IT, LI, LT, LU, LV, MC, MT, MX, NL, NO, PL, PT, RO, SE, SG, SK, SI, US |
Allied Wallet | US |
Authorize.Net | AU, CA, US |
Axcess MS | AD, AT, BE, BG, BR, CA, CH, CY, CZ, DE, DK, EE, ES, FI, FO, FR, GB, GI, GR, HR, HU, IE, IL, IM, IS, IT, LI, LT, LU, LV, MC, MT, MX, NL, NO, PL, PT, RO, RU, SE, SI, SK, TR, US, VA |
Bambora Asia-Pacific | AU, NZ |
Bank Frick | LI, US |
Banwire | MX |
Barclaycard Smartpay | AL, AD, AM, AT, AZ, BY, BE, BA, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IS, IE, IT, KZ, LV, LI, LT, LU, MK, MT, MD, MC, ME, NL, NO, PL, PT, RO, RU, SM, RS, SK, SI, ES, SE, CH, TR, UA, GB, VA |
Barclays ePDQ Extra Plus | GB |
BBS Netaxept | NO, DK, SE, FI |
Be2Bill | FR |
Beanstream.com | CA, US |
BluePay | US, CA |
BlueSnap | US, CA, GB, AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE, AR, BO, BR, BZ, CL, CO, CR, DO, EC, GF, GP, GT, HN, HT, MF, MQ, MX, NI, PA, PE, PR, PY, SV, UY, VE |
Bogus | |
Borgun | IS, GB, HU, CZ, DE, DK, SE |
BPoint | AU |
Braintree | US, CA, AD, AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, GI, DE, GR, GG, HU, IS, IM, IE, IT, JE, LV, LI, LT, LU, MT, MC, NL, NO, PL, PT, RO, SM, SK, SI, ES, SE, CH, TR, GB, SG, HK, MY, AU, NZ |
Braintree (Blue Platform) | US, CA, AD, AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, GI, DE, GR, GG, HU, IS, IM, IE, IT, JE, LV, LI, LT, LU, MT, MC, NL, NO, PL, PT, RO, SM, SK, SI, ES, SE, CH, TR, GB, SG, HK, MY, AU, NZ |
Braintree (Orange Platform) | US |
BridgePay | CA, US |
CAMS: Central Account Management System | US |
Card Connect | US |
Cardknox | US, CA, GB |
CardProcess VR-Pay | BE, BG, CZ, DK, DE, EE, IE, ES, FR, HR, IT, CY, LV, LT, LU, MT, HU, NL, AT, PL, PT, RO, SI, SK, FI, SE, GB, IS, LI, NO, CH, ME, MK, AL, RS, TR, BA |
CardSave | GB |
CardStream | GB, US, CH, SE, SG, NO, JP, IS, HK, NL, CZ, CA, AU |
CC5 | |
Cecabank | ES |
CenPOS | AD, AI, AG, AR, AU, AT, BS, BB, BE, BZ, BM, BR, BN, BG, CA, HR, CY, CZ, DK, DM, EE, FI, FR, DE, GR, GD, GY, HK, HU, IS, IL, IT, JP, LV, LI, LT, LU, MY, MT, MX, MC, MS, NL, PA, PL, PT, KN, LC, MF, VC, SM, SG, SK, SI, ZA, ES, SR, SE, CH, TR, GB, US, UY |
Checkout.com | AD, AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FO, FI, FR, GB, GI, GL, GR, HR, HU, IE, IS, IL, IT, LI, LT, LU, LV, MC, MT, NL, NO, PL, PT, RO, SE, SI, SM, SK, SJ, TR, VA |
Checkout.com Unified Payments | AD, AE, AR, AT, AU, BE, BG, BH, BR, CH, CL, CN, CO, CY, CZ, DE, DK, EE, EG, ES, FI, FR, GB, GR, HK, HR, HU, IE, IS, IT, JO, JP, KW, LI, LT, LU, LV, MC, MT, MX, MY, NL, NO, NZ, OM, PE, PL, PT, QA, RO, SA, SE, SG, SI, SK, SM, TR, US |
Citrus Pay | AR, AU, BR, FR, DE, HK, MX, NZ, SG, GB, US |
Clearhaus | DK, NO, SE, FI, DE, CH, NL, AD, AT, BE, BG, HR, CY, CZ, FO, GL, EE, FR, GR, HU, IS, IE, IT, LV, LI, LT, LU, MT, PL, PT, RO, SK, SI, ES, GB |
CommerceGate | AD, AT, AX, BE, BG, CH, CY, CZ, DE, DK, ES, FI, FR, GB, GG, GI, GR, HR, HU, IE, IM, IS, IT, JE, LI, LT, LU, LV, MC, MT, NL, NO, PL, PT, RO, SE, SI, SK, VA |
Conekta Gateway | MX |
Creditcall | US |
Credorax Gateway | AD, AT, BE, BG, HR, CY, CZ, DK, EE, FR, DE, GI, GR, GG, HU, IS, IE, IM, IT, JE, LV, LI, LT, LU, MT, MC, NO, PL, PT, RO, SM, SK, ES, SE, CH, GB |
CT Payment | US, CA |
Culqi | PE |
CyberSource | US, AE, BR, CA, CN, DK, FI, FR, DE, IN, JP, MX, NO, SE, GB, SG, LB, PK |
DataCash | GB |
Decidir | AR |
DIBS | US, FI, NO, SE, GB |
Digitzs | US |
dLocal | AR, BR, CL, CO, MX, PE, UY, TR |
E-xact | CA, US |
EBANX | BR, MX, CO, CL, AR, PE |
Efsnet | US |
Elavon MyVirtualMerchant | US, CA, PR, DE, IE, NO, PL, LU, BE, NL, MX |
Element | US |
ePay | DK, SE, NO |
EVO Canada | CA |
eWAY | AU |
eWay Managed Payments | AU |
eWAY Rapid 3.1 | AU, NZ, GB, SG, MY, HK |
Ezic | AU, CA, CN, FR, DE, GI, IL, MT, MU, MX, NL, NZ, PA, PH, RU, SG, KR, ES, KN, GB, US |
Fat Zebra | AU |
Federated Canada | CA |
Finansbank WebPOS | US, TR |
FirstData Global Gateway e4 | CA, US |
FirstData Global Gateway e4 v27 | CA, US |
Flo2Cash | NZ |
Flo2Cash Simple | |
Forte | US |
Garanti Sanal POS | US, TR |
Global Transport | CA, PR, US |
GlobalCollect | AD, AE, AG, AI, AL, AM, AO, AR, AS, AT, AU, AW, AX, AZ, BA, BB, BD, BE, BF, BG, BH, BI, BJ, BL, BM, BN, BO, BQ, BR, BS, BT, BW, BY, BZ, CA, CC, CD, CF, CH, CI, CK, CL, CM, CN, CO, CR, CU, CV, CW, CX, CY, CZ, DE, DJ, DK, DM, DO, DZ, EC, EE, EG, ER, ES, ET, FI, FJ, FK, FM, FO, FR, GA, GB, GD, GE, GF, GH, GI, GL, GM, GN, GP, GQ, GR, GS, GT, GU, GW, GY, HK, HN, HR, HT, HU, ID, IE, IL, IM, IN, IS, IT, JM, JO, JP, KE, KG, KH, KI, KM, KN, KR, KW, KY, KZ, LA, LB, LC, LI, LK, LR, LS, LT, LU, LV, MA, MC, MD, ME, MF, MG, MH, MK, MM, MN, MO, MP, MQ, MR, MS, MT, MU, MV, MW, MX, MY, MZ, NA, NC, NE, NG, NI, NL, NO, NP, NR, NU, NZ, OM, PA, PE, PF, PG, PH, PL, PN, PS, PT, PW, QA, RE, RO, RS, RU, RW, SA, SB, SC, SE, SG, SH, SI, SJ, SK, SL, SM, SN, SR, ST, SV, SZ, TC, TD, TG, TH, TJ, TL, TM, TN, TO, TR, TT, TV, TW, TZ, UA, UG, US, UY, UZ, VC, VE, VG, VI, VN, WF, WS, ZA, ZM, ZW |
HDFC | IN |
Heartland Payment Systems | US |
iATS Payments | AU, BR, CA, CH, DE, DK, ES, FI, FR, GR, HK, IE, IT, NL, NO, PT, SE, SG, TR, GB, US, TH, ID, PH, BE |
Inspire Commerce | US |
InstaPay | US |
IPP | AU |
Iridium | GB, ES |
iTransact | US |
iVeri | US, ZA, GB |
Ixopay | AO, AQ, AR, AS, AT, AU, AW, AX, AZ, BA, BB, BD, BE, BF, BG, BH, BI, BJ, BL, BM, BN, BO, BQ, BQ, BR, BS, BT, BV, BW, BY, BZ, CA, CC, CD, CF, CG, CH, CI, CK, CL, CM, CN, CO, CR, CU, CV, CW, CX, CY, CZ, DE, DJ, DK, DM, DO, DZ, EC, EE, EG, EH, ER, ES, ET, FI, FJ, FK, FM, FO, FR, GA, GB, GD, GE, GF, GG, GH, GI, GL, GM, GN, GP, GQ, GR, GS, GT, GU, GW, GY, HK, HM, HN, HR, HT, HU, ID, IE, IL, IM, IN, IO, IQ, IR, IS, IT, JE, JM, JO, JP, KE, KG, KH, KI, KM, KN, KP, KR, KW, KY, KZ, LA, LB, LC, LI, LK, LR, LS, LT, LU, LV, LY, MA, MC, MD, ME, MF, MG, MH, MK, ML, MM, MN, MO, MP, MQ, MR, MS, MT, MU, MV, MW, MX, MY, MZ, NA, NC, NE, NF, NG, NI, NL, NO, NP, NR, NU, NZ, OM, PA, PE, PF, PG, PH, PK, PL, PM, PN, PR, PS, PT, PW, PY, QA, RE, RO, RS, RU, RW, SA, SB, SC, SD, SE, SG, SH, SI, SJ, SK, SL, SM, SN, SO, SR, SS, ST, SV, SX, SY, SZ, TC, TD, TF, TG, TH, TJ, TK, TL, TM, TN, TO, TR, TT, TV, TW, TZ, UA, UG, UM, US, UY, UZ, VA, VC, VE, VG, VI, VN, VU, WF, WS, YE, YT, ZA, ZM, ZW |
JetPay | US, CA |
JetPay | US, CA |
Komoju | JP |
Kushki | CL, CO, EC, MX, PE |
Latitude19 Gateway | US, CA |
LinkPoint | US |
MasterCard Internet Gateway Service (MiGS) | AU, AE, BD, BN, EG, HK, ID, JO, KW, LB, LK, MU, MV, MY, NZ, OM, PH, QA, SA, SG, TT, VN |
maxiPago! | BR |
Mercado Pago | AR, BR, CL, CO, MX, PE, UY |
Merchant e-Solutions | US |
Merchant One Gateway | US |
Merchant Partners | US |
Merchant Warrior | AU |
MerchantWARE | US |
Metrics Global | US |
micropayment | DE |
Modern Payments | US |
Monei | AD, AT, BE, BG, CA, CH, CY, CZ, DE, DK, EE, ES, FI, FO, FR, GB, GI, GR, HU, IE, IL, IS, IT, LI, LT, LU, LV, MT, NL, NO, PL, PT, RO, SE, SI, SK, TR, US, VA |
Moneris | CA |
MoneyMovers | US |
Mundipagg | US |
NAB Transact | AU |
NCR Secure Pay | US |
NELiX TransaX | US |
Netbanx by PaySafe | AF, AX, AL, DZ, AS, AD, AO, AI, AQ, AG, AR, AM, AW, AU, AT, AZ, BS, BH, BD, BB, BY, BE, BZ, BJ, BM, BT, BO, BQ, BA, BW, BV, BR, IO, BN, BG, BF, BI, KH, CM, CA, CV, KY, CF, TD, CL, CN, CX, CC, CO, KM, CG, CD, CK, CR, CI, HR, CU, CW, CY, CZ, DK, DJ, DM, DO, EC, EG, SV, GQ, ER, EE, ET, FK, FO, FJ, FI, FR, GF, PF, TF, GA, GM, GE, DE, GH, GI, GR, GL, GD, GP, GU, GT, GG, GN, GW, GY, HT, HM, HN, HK, HU, IS, IN, ID, IR, IQ, IE, IM, IL, IT, JM, JP, JE, JO, KZ, KE, KI, KP, KR, KW, KG, LA, LV, LB, LS, LR, LY, LI, LT, LU, MO, MK, MG, MW, MY, MV, ML, MT, MH, MQ, MR, MU, YT, MX, FM, MD, MC, MN, ME, MS, MA, MZ, MM, NA, NR, NP, NC, NZ, NI, NE, NG, NU, NF, MP, NO, OM, PK, PW, PS, PA, PG, PY, PE, PH, PN, PL, PT, PR, QA, RE, RO, RU, RW, BL, SH, KN, LC, MF, VC, WS, SM, ST, SA, SN, RS, SC, SL, SG, SX, SK, SI, SB, SO, ZA, GS, SS, ES, LK, PM, SD, SR, SJ, SZ, SE, CH, SY, TW, TJ, TZ, TH, NL, TL, TG, TK, TO, TT, TN, TR, TM, TC, TV, UG, UA, AE, GB, US, UM, UY, UZ, VU, VA, VE, VN, VG, VI, WF, EH, YE, ZM, ZW |
NETbilling | US |
NETPAY Gateway | MX |
NetRegistry | AU |
Network Merchants (NMI) | US |
NMI | US |
Ogone | BE, DE, FR, NL, AT, CH |
Omise | TH, JP |
Open Payment Platform | AD, AI, AG, AR, AU, AT, BS, BB, BE, BZ, BM, BR, BN, BG, CA, HR, CY, CZ, DK, DM, EE, FI, FR, DE, GR, GD, GY, HK, HU, IS, IN, IL, IT, JP, LV, LI, LT, LU, MY, MT, MX, MC, MS, NL, PA, PL, PT, KN, LC, MF, VC, SM, SG, SK, SI, ZA, ES, SR, SE, CH, TR, GB, US, UY |
Openpay | CO, MX |
Optimal Payments | CA, US, GB, AU, AT, BE, BG, HR, CY, CZ, DK, EE, FI, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, NO, PL, PT, RO, SK, SI, ES, SE, CH |
Orbital Paymentech | US, CA |
Pagar.me | BR |
PagoFacil | MX |
Pay Way | AU |
Paybox Direct | FR |
PayConex | US, CA |
Payeezy | US, CA |
Payex | DK, FI, NO, SE |
PayGate PayXML | US, ZA |
PayHub | US |
PayJunction | US |
PayJunction | US |
Paymentez | MX, EC, CO, BR, CL, PE |
PAYMILL | AD, AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FO, FR, GB, GI, GR, HR, HU, IE, IL, IM, IS, IT, LI, LT, LU, LV, MC, MT, NL, NO, PL, PT, RO, SE, SI, SK, TR, VA |
PayPal Express Checkout | |
PayPal Payflow Pro | US, CA, NZ, AU |
PayPal Payments Pro (UK) | GB |
PayPal Payments Pro (US) | CA, NZ, GB, US |
PayPal Website Payments Pro (CA) | CA |
Payscout | US |
PaySecure | AU |
Paystation | NZ |
PayU India | IN |
PayU Latam | AR, BR, CL, CO, MX, PA, PE |
Pin Payments | AU |
Plug'n Pay | US |
ProPay | US, CA |
Psigate | CA |
PSL Payment Solutions | GB |
Quantum Gateway | US |
QuickBooks Merchant Services | US |
QuickBooks Payments | US |
Quickpay | |
Qvalent | AU |
Raven | US |
Realex | IE, GB, FR, BE, NL, LU, IT, US, CA, ES |
Redsys | ES |
S5 | DK |
SafeCharge | AT, BE, BG, CY, CZ, DE, DK, EE, GR, ES, FI, FR, GI, HK, HR, HU, IE, IS, IT, LI, LT, LU, LV, MT, MX, NL, NO, PL, PT, RO, SE, SG, SI, SK, GB, US |
SagePay | GB, IE |
Sallie Mae | US |
SecureNet | US |
SecurePay | US, CA, GB, AU |
SecurePay (AU) | AU |
SecurePayTech | NZ |
SecurionPay | AD, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FO, FR, GI, GL, GR, GS, GT, HR, HU, IE, IS, IT, LI, LR, LT, LU, LV, MC, MT, MU, MV, MW, NL, NO, PL, RO, SE, SI |
SkipJack | US, CA |
SoEasyPay | US, CA, AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE, GB, IS, NO, CH |
Spreedly | AD, AE, AT, AU, BD, BE, BG, BN, CA, CH, CY, CZ, DE, DK, EE, EG, ES, FI, FR, GB, GI, GR, HK, HU, ID, IE, IL, IM, IN, IS, IT, JO, KW, LB, LI, LK, LT, LU, LV, MC, MT, MU, MV, MX, MY, NL, NO, NZ, OM, PH, PL, PT, QA, RO, SA, SE, SG, SI, SK, SM, TR, TT, UM, US, VA, VN, ZA |
Stripe (Legacy) | AT, AU, BE, BG, BR, CA, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HK, IE, IT, JP, LT, LU, LV, MT, MX, NL, NO, NZ, PL, PT, RO, SE, SG, SI, SK, US |
Stripe Payment Intents | AT, AU, BE, BG, BR, CA, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HK, IE, IT, JP, LT, LU, LV, MT, MX, NL, NO, NZ, PL, PT, RO, SE, SG, SI, SK, US |
Swipe Checkout | NZ, CA |
Telr | AE, IN, SA |
TNS | AR, AU, BR, FR, DE, HK, MX, NZ, SG, GB, US |
Transact Pro | US |
TransFirst | US |
TransFirst Transaction Express | US |
Transnational | US |
Trexle | AD, AE, AT, AU, BD, BE, BG, BN, CA, CH, CY, CZ, DE, DK, EE, EG, ES, FI, FR, GB, GI, GR, HK, HU, ID, IE, IL, IM, IN, IS, IT, JO, KW, LB, LI, LK, LT, LU, LV, MC, MT, MU, MV, MX, MY, NL, NO, NZ, OM, PH, PL, PT, QA, RO, SA, SE, SG, SI, SK, SM, TR, TT, UM, US, VA, VN, ZA |
TrustCommerce | US |
USA ePay | US |
USA ePay Advanced SOAP Interface | US |
UsaEpay | |
Vanco Payment Solutions | US |
Verifi | US |
ViaKLIX | US |
VisaNet Peru Gateway | US, PE |
WebPay | JP |
WePay | US, CA |
Windcave (formerly PaymentExpress) | AU, FJ, GB, HK, IE, MY, NZ, PG, SG, US |
Wirecard | AD, CY, GI, IM, MT, RO, CH, AT, DK, GR, IT, MC, SM, TR, BE, EE, HU, LV, NL, SK, GB, BG, FI, IS, LI, NO, SI, VA, FR, IL, LT, PL, ES, CZ, DE, IE, LU, PT, SE |
WorldNet | IE, GB, US |
Worldpay Global | HK, GB, AU, AD, AR, BE, BR, CA, CH, CN, CO, CR, CY, CZ, DE, DK, ES, FI, FR, GI, GR, HU, IE, IN, IT, JP, LI, LU, MC, MT, MY, MX, NL, NO, NZ, PA, PE, PL, PT, SE, SG, SI, SM, TR, UM, VA |
Worldpay Online Payments | HK, US, GB, BE, CH, CZ, DE, DK, ES, FI, FR, GR, HU, IE, IT, LU, MT, NL, NO, PL, PT, SE, SG, TR |
Worldpay US | US |
Offsite Gateways
The rXg supports the following offsite payment gateways.
Example Configuration for Gateways
- Card Connect (Direct Gateway)
- Authorize.net (Direct Gateway)
- PayPal (Offsite Gateway) ## PMS Servers
The PMS servers scaffold configures the rXg property management system interface mechanism. The rXg property management system interface operates in a manner that is nearly identical to that of credit card processing gateways. However, rather than sending credit card information to the third-party server for processing, the PMS interface sends credentials such as a room number and guest name or number for charge posting. Successful charge posts result in a credit being applied to the Account journal.
Once a PMS server record is created, the rXg will immediately begin communication with the PMS and synchronize the guest database. Thus it is absolutely necessary that the PMS be setup and ready to receive interface communication from the rXg before a PMS server record is created.
Use the Guests action link on the right side of each PMS server record to view list of all guests that the rXg believes to be currently checked in and valid for charge posting. The Guests sub scaffold is particularly useful when a hospitality guest reports that they cannot login with their credentials. Searching the Guests sub scaffold is the easiest way to find what credentials the rXg is expecting for a given guest.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The interface field configures the API that the rXg will use to communicate with the property management system. The property management system must be configured accept communication using the same protocol that is specified here.
The usage plans field enables the operator to choose plans that are allowed to be billed to the property management system. Usage plans may only be associated with one external billing gateway such as a merchant or a property management system. Thus any usage plan that is being directly billed to a credit card may not be used in conjunction with a pms server record.
The account sharing field configures how accounts are shared between multiple registered guests in a room's folio. per-Device: an Account is created for every device (old behavior). per-Guest: an Account is created for each unique guest name checked into a room and shared by all devices that supplied the same name and room. per-Room: an Account is created for each set of guest names checked into a room at the same time and shared between all devices.
The host field must contain the IP address or domain name of the property management system interface server. It is assumed that the property management system interface server will use TCP/IP for third-party integration.
The port field must contain the port on which the property management system is listening for connections. The rXg will initiate the connection from a random high port. It is expected that traffic originating from any port on the rXg be allowed to access the property management server on this port.
The timeout field specifies the number of seconds that the rXg will wait for a response from the property management system. If the property management system fails to respond by the configured timeout , the transaction will be considered a failure by the rXg.
The UDF Behaviors define patterns that will be used to determine deployment specific behavior for particular cases of updates to the PMS. For instance, in the Infor REST integration, this is used to define patterns that will be considered for detecting when the guest has been assigned a one time access (OTA) email from a travel platform like Expedient, Agoda or similar. This is only implemented for Infor REST currently.
The dialed digits (DD) field is used by the rXg to communicate the MAC address of the end-user device that executed the charge posting. This allows the operator to understand how many individual devices are being used by a hospitality guest to access the Internet. The DD format field configures how the end-user's MAC address is formatted before sending it to the property management system as the DD field. The rXg sends the MAC address in decimal format by default because the FIAS standard specifies that the DD field be numeric. However, in practice many operators find that sending the MAC in hex is the easiest way to ensure that the posts for hospitality guests is accurate.
The subsequent transaction fields configure the PMS gateway to change the amount billed for subsequent transactions that originate from the same PMS guest. This feature allows the operator to charge less (or charge nothing) for a specified number of additional devices beyond the primary registered device. A follow-on transaction will only be marked subsequent (and thus discounted), if it satisfies both the subsequent transaction max count restriction as well as the subsequent transaction lifetime restriction.
The subsequent transaction max count specifies the maximum number of transactions that will be considered subsequent after a primary (non-subsequent) transaction. Setting the subsequent transaction max count to 0 disables this feature entirely as no transactions will ever be considered subsequent.
The subsequent transaction lifetime (s) field specifies the maximum amount of time (in seconds) that may elapse between a primary (non-subsequent) transaction and a sub-sequent transaction. If the elapsed time between a primary (non-subsequent) transaction and a follow-on transaction exceeds the configured subsequent transaction lifetime (s), the transaction will not be marked as subsequent and will not be discounted.
The subsequent transaction price reduction specifies the reduction in amount to be charged for follow-on transactions marked as subsequent. The value may be specified as an absolute number (e.g., 12.95) or as a percentage (e.g., 75%). If an absolute number is specified, the specified value will be subtracted from the plan price. If the resulting amount is less than zero, a charge of 0.00 will be sent to the PMS. Similarly, if a percentage is specified, the final amount transmitted to the PMS is calculated by discounting the specified percentage of the original usage plan price.
For example, if an operator wishes to allow three devices per day to acquire Internet access based on a PMS charge posting, the appropriate settings are:
| subsequent transaction max count | 2 | | subsequent transaction lifetime | 86400 | | subsequent price reduction | 99999 |
Alternatively, if an operator wishes to allow up to 5 additional devices to acquire Internet at a significant (75%) discount within two days the first full price PMS posting, the appropriate settings are:
| subsequent transaction max count | 5 | | subsequent transaction lifetime | 172800 | | subsequent price reduction | 75% |
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
PMS Guest Matches
The PMS Guest Matches scaffold enables operators to control the availability of the Usage Plans that are associated with the PMS Server to certain PMS Guests. For example, this scaffold may be used to configure the rXg to offer free Internet to PMS Guests who are checked in with a rate code ofINTC
, reduced price Internet to PMS Guests with a block code of ACORP
and special high speed, high priority Internet access with an SLA for PMS Guests staying in suites (identified by room type STE
).
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Guest Field specifies the PMS Guest field that is the location that will be considered for this PMS Guest Match rule. The operator may choose from almost any field present in the PMS Guest record. The most frequently used options for this are the custom0
, custom1
, ... custom9
fields which correspond to the FIAS A0
, A1
, ...A9
fields. Typically, the Ax
FIAS fields are mapped to:
Field Name A0
Rate Code A1
Group Code A2
Block Code A3
Room Type A4
Membership Type A5
Membership Number A6
Source
The Pattern field specifies a string that must match the value of the field specified in the Guest Field parameter in order for this PMS Guest Match to be effective. For example, if the operator desires to have this match rule take effect when the rate code is INTC
, the Guest Field would be set to custom0
and the Pattern would be set toINTC
.
The Min transactions and Max transactions fields restrict this PMS Guest Match rule to only affect a PMS Guest that has completed a certain number of transactions. Only transactions that represent active (non-expired) Usage Plans purchased by the PMS guest are counted. For example, the PMS Guest Match mechanism will not count a transaction made by a PMS Guest that purchases a Usage Plan with two days of usage when the guest comes back to purchase another plan three days later.
One common use of the Min transactions and Max transactions fields is to configure the availability of "free Internet for the first device." To accomplish this the operator would create a PMS Guest Match rule with Min transactions set to 0 and Max transactions to set 1 linked to a Usage Plan that is free. Thus the PMS Guest has access to purchasing the "free plan" when there are no active Usage Plans associated with the account. The PMS Guest Match mechanism determines that there are no active Usage Plans because none have been purchased or because the ones that have been purchased have already expired.
These fields may also be used to configure the converse, for example, "buy one device, get free Internet for three additional devices." To accomplish this the operator would create a PMS Guest Match rule with Min transactions set to 1 and Max transactions set to 4. In this case access to the the "free plan" is only available to PMS Guests that have at least one active (non-expired) Usage Plan which the PMS Guest would have to pay for.
The checkboxes specified by the Usage Plans field are the Usage Plans that will be available to the user that is matched by this PMS Guest Match rule.
To create a "catch all" or "default" rule, create a PMS Guest Match rule with an empty Guest Field and Pattern. The Usage Plans selected by a PMS Guest Match rule configured as a "catch all" will be available to all PMS Guests that do not match any PMS Guest Match rules with an explicitly defined Guest Field and Pattern.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
PMS Guest Match Examples
Example 1: Match "free" in custom 0 field and offer free plan.
In this example we will be looking at Custom field 0 containing a value of "free". If the field contains the word free the guest will have access to the same plan as other guests, but at zero cost. Guests that do not match will in this case pay $10.
When configuring the PMS server the following settings should be set to ensure the guest only sees the plans that match, and not the plan(s) that are available if they don't match anything. These settings are under the Plan Behavior section of the PMS server configuration. The main setting we are interested in here is the Show only matched plans checkbox. With this enabled the guest will only be displayed plans that they have matched against.
At a minimum we need to have two plans configured 1 that will be displayed to guests that match and the other free plan that will be displayed to guests that match our configured guest match. Below we can see that we have two plans configured 1 with a $5 price and the other with a price of free.
Next we will configure the Guest Match. Navigate to Billing::Gateways and create a new Guest Match. The Name field is arbitrary. The Guest Field for this example shoudl be set to custom0. The pattern we are looking for is the word free so we will enter that into the Pattern field. The Min transaction field is the minimum number of transactions the guest has before this plan will be displayed, in this case it should be set to 0 as we want the guest to be presented with this plan immediatly. The Max Transactions field can be used to no longer display a plan to a guest if they exceed the number of transactions, in this case we want the guest to always be presented with the free plan if they match. Lasty the Usage Plans field is used to pick which plans will be displayed to the guest if they match, for this example the Free PMS Plan will be selected. Then click the Create button.
Now we will look at a guest that does not have the word free in the Custom0 field. Below is a screenshot showing that the guest Khan does not the word free in the Custom0 field.
The screenshots below shows the guest entering their credentials and being presented with only the paid plan.
Next we will look at a guest that has the word free in the Custom0 field.
The screenshots below shows the guest entering their credentials and being presented with only the free plan.
Example 2: If room type is a suite offer free 200Mbps plan.
In this example we will configure a room type match against suite. We will leave the plans from above but also include a 200mbps plan that is paid and another that is free. We will also leave the free guest match we created before. This time when we log in with the guest room and name we will be offered the 200Mbps plan for free instead of the free plan.
Next we will create a new Guest Match that will match against the room_type field. The Name field is arbitrary. For Guest Match we will set the Guest Field to room_type , and the Pattern field to suite. Min and Max Transaction fields can be adjusted to change how many transactions the guest must have before it shows up, and determine after a number of transactions when the plan will no longer be offered. In this example we want it to be available to the guest all the time so Min Transactions will be set to 0, and Max Transactions will be set to 99 so that the guest would have to have over 99 transactions before the plan would no longer be presented. Lastly in the Usage Plans field we want to select the plans to be presented when the room type is suite, in this case we will select the 200Mbps Free Plan
Now we will look at a guest that does not have a room_type of "suite". We will use the guest Khan from the first example because we know they will not match.
Now we will find a guest that has "suite" in the room_type field.
The below screenshots show the guest with the room_type set to suite logging in and being presented with the 200Mbps free plan.
Card Connect Setup
When creating a Card Connect account there will be 3 pieces of information needed to setup the merchant in the rXg. Card Connect will provide an API Username & Password, along with a Merchant ID. For this example the API Username & Password will be testing:testing123, and the Merchant ID will be 496160873888.
Create a new Merchant. The Name field is arbitrary. Select the Usage plans that can use this merchant by selecting them in the Usage Plans field. Select Card Connect in the Direct Gateway field. The API Username testing will go into the Login field. The API Password testing123 will go into the Password field. Lastly the Merchant ID 496160873888 will go in the Partner field.
Authorize.net Setup
When creating an Authorize.net account there will be 2 pieces of information needed to setup the merchant in the rXg. Authorize.net will provide an API Login ID, and a Transaction Key. For example the API Login ID will be 63RkqZy7B, and the Transaction Key will be 6HKJywh3634Md83g.
Create a new Merchant. The Name field is arbitrary. Select the Usage plans that can use this merchant by selecting them in the Usage Plans field. Select Authorize.net in the Direct Gateway field. The API Login ID 63RkqZy7B will go into the Login field. The Transaction Key 6HKJywh3634Md83g will go in the Password field.
PayPal Setup
When creating a PayPal merchant you only need to enter in the email address associated to the PayPal account you want the transactions to be delivered to. The PayPal account must have IPN (Instant Payment Notifications) enabled. If IPN is not enabled the rXg will not receive notification that the payment was successful. PayPal must be whitelisted in the Splash Portal otherwise users will not be able to communicate with PayPal and will not be able to complete the transaction.
Create a new Merchant. The Name field is arbitrary. Select the Usage plans that can use this merchant by selecting them in the Usage Plans field. Select Paypal Website Payments Standard from the Offsite Gateway field. Put the email address associated to your Paypal account in the Login field.
PMS Properties
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The code field is a place to put a string that correlates with this property and its rooms.
Transactions
The transactions view presents the list of all credit card transactions that have been processed.
Every credit card transaction record has an ID number that is used to uniquely identify the transaction. The date , time and amount charged are stored in the transaction record along with two boolean flags denoting whether the transaction was a success and whether or not it was a test.
Transaction records are linked to accounts , the payment method (which contains the credit card information), the usage plan selected and the merchant used to clear the transaction. Clicking on any of these fields in the list view of the transaction log displays the linked record.
Coupons
Coupons enable an operator to offer new or existing end-users an operator defined credit.
Coupons are similar to tokens in that the operator generates a batch of codes that are to be distributed to end-users. Whereas tokens may be used as login credentials, coupons require the end-user to have an account. Coupons may be redeemed for credit by an end-user during the sign-up process or through a specific link on the captive portal web application.
There is a diverse set of use cases for coupons. Operators may generate a batch of coupons to enable end-users to "try before they buy" service. By using coupons the operator is able to capture the personal information from potential subscriber and use that for direct marketing. Coupons are also often used as a mechanism to avoid micro-payment transactions fees. Tokens can accomplish the same goal, however, with coupons, the operator maintains an identifiable database of end-users.
Coupons must be assigned a numerical credit or an association to a usage plan , that allows the end user to redeem the coupon to purchase the plan or unlocks the plan for purchase. When assigned a credit , the amount is transferred into the end-user's account upon redemption of the coupon. The end-user may then use the credit to purchase any plan of their choosing. When associated with a usage plan , the coupon enables the end-user to select the associated plan without supplying direct payment via credit card. Alternatively a usage plan may be unlocked and becomes avialable for purchase.
The Code field shows the code that the end user will enter to redeem the coupon on the captive portal.
The Batch field is an automatically assinged value to each set of coupons generated by the administrator. This allows the administrator to quickly locate all of the coupons that were generated at the same time.
The Credit field displays the credit value that will be received by the end user when the coupon is redeemed, if applicable.
The Usage Plan field displays the plan the end user will be granted when redeeming the coupon.
The Expires field displays the date and time the coupon will no longer be valid, if applicable..
Coupons are also assigned an expiration date and time via the expires field. This allows the operator to issue coupons for time-limited promotions or to support event management.
The Usage Plans field displays which usage plans are unlocked for purchase by redeeming the coupon.
The Redeemed coupons field displays how many times the coupon has been redeemed. Coupons that have no remaining redemptions left will be removed from the Coupons list.
When creating a new Coupon , the Copies field will determine the number of coupons that will be created. The operator can specify the number of times a coupon can be redeemed using the Max redemptions field, check the unlimited box to allow unlimited redemptions. The Character code dropdown lets the operator specify which characters will be used when generating the code. The Length field allows the operator to specify the number of characters the code will be in length. The Prefix / Suffix field allows the operator to attach a specific set of characters to the beginning and/or ending of the generated code. The Expires field allows the operator to specify the date and time the coupon will no longer be valid if desired. The Note field is for internal notes and will have no bearing on the generation of the coupon. Under Coupon Effect the Usage Plan dropdown allows the operator to select a specific usage plan that will be granted to the end user when redeemed. The Credit field is used to specify the amount of credit that will be applied when redeemed. The Usage Plans Available for Purchase field allows the operator to specify which usage plans will become available for purchase after redeeming the code. This is used to only allow certain plans to be purchased if the end user has the code to ulock them (Gated Access).
Examples of Coupon Usage
1. MDU - Each lease holder gets a code that unlocks free service, without code only paid plans are available.
For this scenario create a new Coupon. Enter the number of copies of the coupon to be created in the Copies field. For this scenario the Max redemptions field should be left at the default of 1 to prevent the coupon from being given out to those that should not have access. Change the Character code , Length and, Prefix / Suffix field if desired. It is up to the operator if they want to set an expiration using the Expires field. Note that once the coupon is redeemed it will no longer be valid. For this use case the fields under Coupon Effect will not be used. Under Usage Plans Available for Purchase select the plan(s) that this coupon will unlock, in thise case it will be the Gated Plan. Click Create.
In this scenario when an end user is redirected to the portal and signs up for an account if they do not have a code only the Public Plan will be presented.
With Coupon that allows access to the Gated Plan.
2. Dorm Rooms - Each room is issued a code that is good for a number of signups equal to the number of people sharing the room.
For this scenario create a new Coupon. Enter the number of copies of the coupon to be created in the Copies field. In this case the Max redemptions field should be set to the number of people the room is shared with. Change the Character code , Length and, Prefix / Suffix field if desired. It is up to the operator if they want to set an expiration using the Expires field. Note that once the coupon is redeemed it will no longer be valid. For this use case the fields under Coupon Effect will not be used. Under Usage Plans Available for Purchase select the plan(s) that this coupon will unlock, in thise case it will be the Gated Plan. Click Create.
In this scenario when an end user is redirected to the portal and signs up for an account if they do not have a code the will not be able to gain access.
With a Coupon code the user will gain access to the plan(s) the operator has selected.
3. MTU - Leasing office has a unique code for each property.
For this scenario 2 coupons will be created one that allows access to Property 1 and the second coupon will allow access for property 2. For the first coupon enter the number of copies to be created in the Copies field. In this case the Max redemptions field will be set to unlimited. Change the Character code and Length field if desired. In this case the Prefix field will be set to pr1 to denote the property. It is up to the operator if they want to set an expiration using the Expires field. For this use case the fields under Coupon Effect will not be used. Under Usage Plans Available for Purchase select the plan(s) that this coupon will unlock, in thise case it will be the Gated Plan. Click Create.
Repeat the previous steps for the second coupon this time change the Prefix field to represent the 2nd property, and select the appropriate Usage Plan.
Now depending on which code is entered different plans will be presented.
Using the coupon for the second property we are presented with the plan for that location.
Customers
The customers view displays the payment information for the end-users of the network. These records are created and updated by your end-users though an operator can also update these records if necessary.
All credit card information is stored using symmetric encryption to maintain PCI compliance. In addition, CVV2 data is never stored per PCD guidelines. All stored data is exportable and viewable by administrators who have read privilege to the billing section.
The active checkbox signifies which set of billing data is currently being used for a specific users recurring bills. If a customer recharges, this will also be the billing information used by default unless changed.
The CC Number is the credit card number.
The Expiration month and Expiration year make up the expiration for the above credit card.
The First Name , Middle Name or initial, and Last Name need to match the name on the credit card.
Company is an optional field. Some corporate cards require that this field be filled out appropriately.
The Address1, Address2, City, State, Zip, and Country need to match the billing address of the credit card.
The Phone Number should also match the records on file with the credit card company.
The Account is the end-user account that this billing information is associated with.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Plans
The plans view presents the scaffolds that configure usage plans that are offered to end-users for purchase.
Usage Plans
Each record in the usage plans scaffold represents a service offering that the end-user may select.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The optional description field will be displayed to users in the captive portal if you want to add further detail. The data in this field has no bearing on the provisioning or billing of the service offering represented by this record.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Provisioning
The account group field specifies the group that the end-user will be placed in upon selecting this usage plan. This field enables zero operator intervention provisioning. The end-user experience is determined by the policies that are associated with a group. By automatically putting an end-user into group based, end-users are instantly provisioned into defined of service offering upon plan selection.
The splash portals and landing portals fields define which captive portals that this plan may be purchased from. Use these fields to limit the availability of certain plans to specific portals which in turn are displayed based on geographic location, the expected class end-users, etc.
The social login strategies field defines which Social Login Strategies may use this plan. If an account has logged in via social login, they will only see usage plans that include their strategy in the list of available usage plans.
The PMS guest matches field defines which users will see this plan in the portal. PMS guest match rules are configured in the Billing::Gateways page of the admin console.
The automatic login field configures end-users that selects this plan with a flag that causes the rXg to log the end-user in without displaying the captive portal. When combined with recurring billing, this feature enables operators to use the captive portal as a zero operator intervention end-user self-service provisioning system for long term recurring subscriptions.
The automatic provision field configures the rXg to automatically add devices in the same subnet to an end-users account. This is useful when deploying dynamic pre-shared keys. This enables an end user to input their pre-shared key to gain access to their VLAN, and automatically register the new device to their account, without requiring captive portal input.
The lock MAC field sets the corresponding field in the account record when the usage plan is purchased. Devices with locked MAC addresses may only purchase usage plans when they are logged in as the account with the corresponding MAC. This feature is most often used in fixed wireless broadband environments to prevent end-users from avoiding disconnect, reconnect and late fees. This feature is incompatible with quick purchase and other transient specific portal methodologies where accounts are created automatically. Attempting to user this feature in portal workflows that involve automatic account creation will result in the denial of subsequent transactions initiated by the same end-user using the same piece of equipment because a new user account cannot be created for the same MAC address.
Lifetime
The fields in the lifetime section allows the operator to configure how the utilization defined by the time and quota portions of the usage plan will expire.
The relative lifetime configures how long the utilization will remain usable relative to the time that the end-user selects the usage plan. The absolute lifetime configures a specific date and time in the future when the utilization will expire. If both a relative lifetime and an absolute lifetime is configured, the shorter of the two defines the actual lifetime of the utilization. If the unlimited lifetime check box is set, the utilization defined by the associated quota and time never expires.
If the do not set lifetime check box is set, then the utilization lifetime present in the account record is carried forward unmodified. If there is no utilization lifetime present in the account record, then the behavior specified by the absolute lifetime , relative lifetime and unlimited lifetime fields is then configured.
Included Plan Features
This section defines the plan attributes that will be provisioned if the user does not select any Plan Addons.
The Quota selection specifies the Quota Plan that will be applied if the user does not select an alternate Quota Plan from the Optional Quota Plans section.
The Time selection specifies the Time Plan that will be applied if the user does not select an alternate Time Plan from the Optional Time Plans section.
The max sessions field specifies the maximum number of simultaneously logged in devices for the account.
The max devices field specifies the maximum number of devices that may be stored in the account. When more devices exist in an account than its max sessions value, subsequent login attempts require logging out another device before logging in.
The max party devices field specifies the maximum number of devices that may be joined to LAN parties for the account in order to allow guest devices from another account to join a temporary shared VLAN to have direct access to one another while the LAN party is active.
The max dedicated IPs field specifies the maximum number of dynamic WAN IP addresses that the account may use for port forwarding and DMZ purposes. The IPs may change between sessions, unless the Dedicated IPs are static option is enabled.
The Dedicated IPs are static option specifies that the number of public IPs specified in the max dedicated IPs field will be assigned to the account and remain constant for the lifetime of the account. This is useful when accounts wish to host servers and require consistent IPs.
The UPnP permitted option allows the user to enable UPnP (Universal Plug-N-Play) so that devices may negotiate port forward requirements with the Rxg automatically. This is required for some games as well as some applications.
Available Plan Addons
The Plan Addons selection makes Plan Addon packages available to the user in the portal so that they may customize the usage plan's contents. Plan addons that have the included with plan option selected will be included in this plan automatically and will not be displayed to the user in the portal.
The optional Quota Plans selection makes additional Quota Plans other than the one specified in the included Quota Plan available to the user as options in the portal. The user's selection will override the included Quota Plan.
The optional Time Plans selection makes additional Time Plans other than the one specified in the included Time Plan available to the user as options in the portal. The user's selection will override the included Time Plan.
Billing
The fields in the billing section allows the operator to configure fully automated end-user billing. For example, if the operator wishes to automatically charge credit cards, these fields configure where the charges will be sent.
The merchant field relates this usage plan to a payment gateway defined by an entry in the merchant scaffold. Each usage plan is related a merchant independently from all other plans. Thus it is possible for an operator to use different merchants for different classes of service to facilitate separation of revenue by account.
The currency field specifies the localized currency that will be used to whenever the aforementioned merchant is contacted to execute a transaction. The currency must be supported by the payment gateway specified by the merchant merchant in order for the transaction to be processed.
If the prorate credit check box is set, then the account is refunded for unused usage time when purchasing a different plan. The refund is given in the form of credit and is automatically deducted from the price of the purchase. Any remaining credit is stored in the user's account. Additional credit may be given to a account manually by the operator via the users scaffold, or the account may redeem a coupon to obtain credit.
The manual billing check box dictates that transactions must be approved by an admin before applying the usage to the account. This billing method assumes that the user physically exchanges money with an operator (reseller) who then approves the user's transaction via the AR Transactions scaffold or FOM Operator Portal to complete the login process.
The fields in the recurrence section contains fields that allow an operator to configure this usage plan to repeatedly bill the end-user on a specified schedule. These fields enable the operator to offer recurring services (e.g., monthly billed IP-data similar to DSL and cable modem).
The interval field defines the recurring billing interval. By default, the interval field is set to none which indicates that the usage plan will only be billed when the end-user selects it. Choosing any other interval will enable recurring billing. Note that off site merchants such as PayPal Website Payments Standard do not support recurring billing.
The recurring day field configures the number of days into the interval during which the end-user will be billed. If the relative checkbox is set, then the recurring day will be configured relative to the day that the end-user first selected the plan. For example, if the interval is set to monthly, the recurring day is set to 5 and the relative checkbox is unset, then the end-user will be billed on the 5th day of every month regardless of when they first selected the usage plan. Given the same scenario with the relative checkbox set would result in the end-user being billed 5 days after the day that they first selected the usage plan.
The charge retry grace time specifies the interval between billing attempts if a billing transaction failure occurs. When an end-user selects a plan that has a recurring method other than none, the end-user is billed automatically according to the predefined interval. If the transaction fails for any reason, the rXg will retry the transaction repeatedly according to the rate specified by the recurring retry grace time until the number of retries is exhausted. The number of retries is defined by the max charge attempts field.
The permit unpaid A/R checkbox allows the operator to offer a usage plan on A/R terms. If this checkbox is set, then the policy associated with a usage plan will continue to be provisioned to an end-user even in the event of billing transaction failure. If this happens, a receivable will be posted to the end-user's journal.
The aged A/R penalties field associates the usage plan with one or more records in the aged A/R penalties scaffold. Each of these associations triggers the posting of a receivable given the conditions set in the associated record. Associated records may also disable the account. The use of aged A/R penalties requires the setting of the permit unpaid A/R checkbox.
Account Validation
A usage plan may be configured to require that the end user validate either their Email address or mobile phone number or both prior to the usage plan being applied to the account.
The validation method field specifies which forms of validation must take place before applying the plan.
The validation grace minutes field allows the plan to be applied to the account for a limited amount of time, allowing the end user time to access their Email and retrieve the validation code. This value will be set to 0 if the validation method does not include Email.
The SMS Gateway field specifies the SMS Gateway that will be utilized when sending validation codes via SMS.
Time Plans
Usage plans consist of three elements. This is the time element. This is where you configure how long the customer will have access.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Price entered will make up a part of the total usage plan price a customer will see when signing up for a plan.
The optional Description will be displayed to users in the captive portal if you want to add further detail.
The Time and Time unit make up the actual amount of time provisioned to an associated account. Check the Unlimited checkbox if you want to allow unlimited online time.
The Rollover checkbox will allow an associated account to keep any unused time when purchasing a new plan from a captive portal.
Check the Usage Plans that this time configuration should be a part of. This is usually configured in the usage plans configuration section.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Quota Plans
Usage plans consist of three elements. This is the quota element. This is where you configure how much data the user can transfer over the period of the usage plan.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Price entered will make up a part of the total usage plan price a customer will see when signing up for a plan.
The optional Description will be displayed to users in the captive portal if you want to add further detail.
The Upload and Upload unit make up the upload portion of the quota provisioned to an associated account. Check the Unlimited U/L checkbox if you want to allow an unlimited amount of upload.
The Download and Download unit make up the download portion of the quota provisioned to an associated account. Check the Unlimited D/L checkbox if you want to allow an unlimited amount of download.
The Rollover checkbox will allow an associated account to keep any unused quota when purchasing a new plan from a captive portal.
Check the Usage Plans that this quota configuration should be a part of. This is usually configured in the usage plans configuration section.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Aged A/R Penalties
Each record in the Aged A/R Penalty scaffold defines an action to take given certain A/R conditions. This scaffold is used to define late fees and reconnect fees. It is also used to automatically disconnect delinquent users.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The days field specifies the number of days that the A/R must be aged in order for the penalty specifies in this record to take effect.
The amount field specifies a monetary amount to post to the end-user's journal when the conditions are met. For example, if a late fee or reconnect fee is to be imposed, field should be populated with the amount of the fee that should be collected from the end-user.
Setting the suspend user checkbox will cause an end-user to be suspended if the conditions in this record are met.
Selecting a custom message will email the end-user when the conditions in this record are met.
The usage plans field associates the penalty defined by this record with one or more usage plans. An aged A/R penalty must be associated with a usage plan that has the permit unpaid A/R checkbox set to have any effect.
Gateways
The gateways view presents the scaffolds that configure the third-party automatic charge posting mechanisms that are built into the rXg.
The rXg has a fully integrated double-entry accounting system that keeps an accounting journal for each Account. The rXg may be configured to automatically post credits to the journals associated with each Account through a number of manual and automated mechanisms. The operator may choose to manually issue credit based on manual payment processing. Alternatively, the operator may sell or issue coupons that are automatically redeemed for credits in the captive portal.
The mechanism that achieves the most benefit when deployed in conjunction with zero operator intervention is fully automatic payment processing. To accomplish this, the rXg integrates with third party billing gateways through well understood and published APIs. The rXg sends messages to the configured gateways when billing events occur. The rXg then expects replies from the third party billing gateways in the format specified by their API. When properly configured, absolutely no operator intervention needs to occur to process payments and provision customers.
Merchants
In order to accept payment via credit card, or other mechanism such as PayPal, you need to configure a merchant record that contains the information necessary to contact the external payment gateway. Each merchant record requires an account that must be setup with the external payment gateway before any charges may be posted. For example, having a valid PayPal account is a prerequisite to creating a working merchant record that posts to PayPal.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Some merchants support Test or sandbox mode. Checking this checkbox will alert the merchant that you are operating in a testing mode and will not charge the accounts used while testing is enabled. Refer to your merchant's documentation for more information, as some merchants (e.g., Paypal) require you to create special test accounts to use sandbox mode.
The Login, Password, Signature, and Partner fields will be provided by the merchant you are using. Not all merchants use all four pieces of information.
When performing a charge to direct merchant gateways (e.g., Authorize.Net), the id of the Merchant Transaction record stored on the rXg is passed along to the merchant as the invoice and order_id fields. The optional invoice prefix field is prepended to the invoice and order_id. For offsite merchant gateways (e.g., PayPal Website Payments Standard), the invoice and order_id fields are determined by the merchant.
You will also need to check the Usage Plans that you want to be purchasable through this merchant. Please note that this can also be done from the usage plan configuration section.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Direct Gateways
The rXg supports the following direct payment gateways.
name | supported countries |
---|---|
1stPayGateway.Net | US |
Adyen | AT, AU, BE, BG, BR, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GI, GR, HK, HU, IE, IS, IT, LI, LT, LU, LV, MC, MT, MX, NL, NO, PL, PT, RO, SE, SG, SK, SI, US |
Allied Wallet | US |
Authorize.Net | AU, CA, US |
Axcess MS | AD, AT, BE, BG, BR, CA, CH, CY, CZ, DE, DK, EE, ES, FI, FO, FR, GB, GI, GR, HR, HU, IE, IL, IM, IS, IT, LI, LT, LU, LV, MC, MT, MX, NL, NO, PL, PT, RO, RU, SE, SI, SK, TR, US, VA |
Bambora Asia-Pacific | AU, NZ |
Bank Frick | LI, US |
Banwire | MX |
Barclaycard Smartpay | AL, AD, AM, AT, AZ, BY, BE, BA, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IS, IE, IT, KZ, LV, LI, LT, LU, MK, MT, MD, MC, ME, NL, NO, PL, PT, RO, RU, SM, RS, SK, SI, ES, SE, CH, TR, UA, GB, VA |
Barclays ePDQ Extra Plus | GB |
BBS Netaxept | NO, DK, SE, FI |
Be2Bill | FR |
Beanstream.com | CA, US |
BluePay | US, CA |
BlueSnap | US, CA, GB, AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE, AR, BO, BR, BZ, CL, CO, CR, DO, EC, GF, GP, GT, HN, HT, MF, MQ, MX, NI, PA, PE, PR, PY, SV, UY, VE |
Bogus | |
Borgun | IS, GB, HU, CZ, DE, DK, SE |
BPoint | AU |
Braintree | US, CA, AD, AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, GI, DE, GR, GG, HU, IS, IM, IE, IT, JE, LV, LI, LT, LU, MT, MC, NL, NO, PL, PT, RO, SM, SK, SI, ES, SE, CH, TR, GB, SG, HK, MY, AU, NZ |
Braintree (Blue Platform) | US, CA, AD, AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, GI, DE, GR, GG, HU, IS, IM, IE, IT, JE, LV, LI, LT, LU, MT, MC, NL, NO, PL, PT, RO, SM, SK, SI, ES, SE, CH, TR, GB, SG, HK, MY, AU, NZ |
Braintree (Orange Platform) | US |
BridgePay | CA, US |
CAMS: Central Account Management System | US |
Card Connect | US |
Cardknox | US, CA, GB |
CardProcess VR-Pay | BE, BG, CZ, DK, DE, EE, IE, ES, FR, HR, IT, CY, LV, LT, LU, MT, HU, NL, AT, PL, PT, RO, SI, SK, FI, SE, GB, IS, LI, NO, CH, ME, MK, AL, RS, TR, BA |
CardSave | GB |
CardStream | GB, US, CH, SE, SG, NO, JP, IS, HK, NL, CZ, CA, AU |
CC5 | |
Cecabank | ES |
CenPOS | AD, AI, AG, AR, AU, AT, BS, BB, BE, BZ, BM, BR, BN, BG, CA, HR, CY, CZ, DK, DM, EE, FI, FR, DE, GR, GD, GY, HK, HU, IS, IL, IT, JP, LV, LI, LT, LU, MY, MT, MX, MC, MS, NL, PA, PL, PT, KN, LC, MF, VC, SM, SG, SK, SI, ZA, ES, SR, SE, CH, TR, GB, US, UY |
Checkout.com | AD, AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FO, FI, FR, GB, GI, GL, GR, HR, HU, IE, IS, IL, IT, LI, LT, LU, LV, MC, MT, NL, NO, PL, PT, RO, SE, SI, SM, SK, SJ, TR, VA |
Checkout.com Unified Payments | AD, AE, AR, AT, AU, BE, BG, BH, BR, CH, CL, CN, CO, CY, CZ, DE, DK, EE, EG, ES, FI, FR, GB, GR, HK, HR, HU, IE, IS, IT, JO, JP, KW, LI, LT, LU, LV, MC, MT, MX, MY, NL, NO, NZ, OM, PE, PL, PT, QA, RO, SA, SE, SG, SI, SK, SM, TR, US |
Citrus Pay | AR, AU, BR, FR, DE, HK, MX, NZ, SG, GB, US |
Clearhaus | DK, NO, SE, FI, DE, CH, NL, AD, AT, BE, BG, HR, CY, CZ, FO, GL, EE, FR, GR, HU, IS, IE, IT, LV, LI, LT, LU, MT, PL, PT, RO, SK, SI, ES, GB |
CommerceGate | AD, AT, AX, BE, BG, CH, CY, CZ, DE, DK, ES, FI, FR, GB, GG, GI, GR, HR, HU, IE, IM, IS, IT, JE, LI, LT, LU, LV, MC, MT, NL, NO, PL, PT, RO, SE, SI, SK, VA |
Conekta Gateway | MX |
Creditcall | US |
Credorax Gateway | AD, AT, BE, BG, HR, CY, CZ, DK, EE, FR, DE, GI, GR, GG, HU, IS, IE, IM, IT, JE, LV, LI, LT, LU, MT, MC, NO, PL, PT, RO, SM, SK, ES, SE, CH, GB |
CT Payment | US, CA |
Culqi | PE |
CyberSource | US, AE, BR, CA, CN, DK, FI, FR, DE, IN, JP, MX, NO, SE, GB, SG, LB, PK |
DataCash | GB |
Decidir | AR |
DIBS | US, FI, NO, SE, GB |
Digitzs | US |
dLocal | AR, BR, CL, CO, MX, PE, UY, TR |
E-xact | CA, US |
EBANX | BR, MX, CO, CL, AR, PE |
Efsnet | US |
Elavon MyVirtualMerchant | US, CA, PR, DE, IE, NO, PL, LU, BE, NL, MX |
Element | US |
ePay | DK, SE, NO |
EVO Canada | CA |
eWAY | AU |
eWay Managed Payments | AU |
eWAY Rapid 3.1 | AU, NZ, GB, SG, MY, HK |
Ezic | AU, CA, CN, FR, DE, GI, IL, MT, MU, MX, NL, NZ, PA, PH, RU, SG, KR, ES, KN, GB, US |
Fat Zebra | AU |
Federated Canada | CA |
Finansbank WebPOS | US, TR |
FirstData Global Gateway e4 | CA, US |
FirstData Global Gateway e4 v27 | CA, US |
Flo2Cash | NZ |
Flo2Cash Simple | |
Forte | US |
Garanti Sanal POS | US, TR |
Global Transport | CA, PR, US |
GlobalCollect | AD, AE, AG, AI, AL, AM, AO, AR, AS, AT, AU, AW, AX, AZ, BA, BB, BD, BE, BF, BG, BH, BI, BJ, BL, BM, BN, BO, BQ, BR, BS, BT, BW, BY, BZ, CA, CC, CD, CF, CH, CI, CK, CL, CM, CN, CO, CR, CU, CV, CW, CX, CY, CZ, DE, DJ, DK, DM, DO, DZ, EC, EE, EG, ER, ES, ET, FI, FJ, FK, FM, FO, FR, GA, GB, GD, GE, GF, GH, GI, GL, GM, GN, GP, GQ, GR, GS, GT, GU, GW, GY, HK, HN, HR, HT, HU, ID, IE, IL, IM, IN, IS, IT, JM, JO, JP, KE, KG, KH, KI, KM, KN, KR, KW, KY, KZ, LA, LB, LC, LI, LK, LR, LS, LT, LU, LV, MA, MC, MD, ME, MF, MG, MH, MK, MM, MN, MO, MP, MQ, MR, MS, MT, MU, MV, MW, MX, MY, MZ, NA, NC, NE, NG, NI, NL, NO, NP, NR, NU, NZ, OM, PA, PE, PF, PG, PH, PL, PN, PS, PT, PW, QA, RE, RO, RS, RU, RW, SA, SB, SC, SE, SG, SH, SI, SJ, SK, SL, SM, SN, SR, ST, SV, SZ, TC, TD, TG, TH, TJ, TL, TM, TN, TO, TR, TT, TV, TW, TZ, UA, UG, US, UY, UZ, VC, VE, VG, VI, VN, WF, WS, ZA, ZM, ZW |
HDFC | IN |
Heartland Payment Systems | US |
iATS Payments | AU, BR, CA, CH, DE, DK, ES, FI, FR, GR, HK, IE, IT, NL, NO, PT, SE, SG, TR, GB, US, TH, ID, PH, BE |
Inspire Commerce | US |
InstaPay | US |
IPP | AU |
Iridium | GB, ES |
iTransact | US |
iVeri | US, ZA, GB |
Ixopay | AO, AQ, AR, AS, AT, AU, AW, AX, AZ, BA, BB, BD, BE, BF, BG, BH, BI, BJ, BL, BM, BN, BO, BQ, BQ, BR, BS, BT, BV, BW, BY, BZ, CA, CC, CD, CF, CG, CH, CI, CK, CL, CM, CN, CO, CR, CU, CV, CW, CX, CY, CZ, DE, DJ, DK, DM, DO, DZ, EC, EE, EG, EH, ER, ES, ET, FI, FJ, FK, FM, FO, FR, GA, GB, GD, GE, GF, GG, GH, GI, GL, GM, GN, GP, GQ, GR, GS, GT, GU, GW, GY, HK, HM, HN, HR, HT, HU, ID, IE, IL, IM, IN, IO, IQ, IR, IS, IT, JE, JM, JO, JP, KE, KG, KH, KI, KM, KN, KP, KR, KW, KY, KZ, LA, LB, LC, LI, LK, LR, LS, LT, LU, LV, LY, MA, MC, MD, ME, MF, MG, MH, MK, ML, MM, MN, MO, MP, MQ, MR, MS, MT, MU, MV, MW, MX, MY, MZ, NA, NC, NE, NF, NG, NI, NL, NO, NP, NR, NU, NZ, OM, PA, PE, PF, PG, PH, PK, PL, PM, PN, PR, PS, PT, PW, PY, QA, RE, RO, RS, RU, RW, SA, SB, SC, SD, SE, SG, SH, SI, SJ, SK, SL, SM, SN, SO, SR, SS, ST, SV, SX, SY, SZ, TC, TD, TF, TG, TH, TJ, TK, TL, TM, TN, TO, TR, TT, TV, TW, TZ, UA, UG, UM, US, UY, UZ, VA, VC, VE, VG, VI, VN, VU, WF, WS, YE, YT, ZA, ZM, ZW |
JetPay | US, CA |
JetPay | US, CA |
Komoju | JP |
Kushki | CL, CO, EC, MX, PE |
Latitude19 Gateway | US, CA |
LinkPoint | US |
MasterCard Internet Gateway Service (MiGS) | AU, AE, BD, BN, EG, HK, ID, JO, KW, LB, LK, MU, MV, MY, NZ, OM, PH, QA, SA, SG, TT, VN |
maxiPago! | BR |
Mercado Pago | AR, BR, CL, CO, MX, PE, UY |
Merchant e-Solutions | US |
Merchant One Gateway | US |
Merchant Partners | US |
Merchant Warrior | AU |
MerchantWARE | US |
Metrics Global | US |
micropayment | DE |
Modern Payments | US |
Monei | AD, AT, BE, BG, CA, CH, CY, CZ, DE, DK, EE, ES, FI, FO, FR, GB, GI, GR, HU, IE, IL, IS, IT, LI, LT, LU, LV, MT, NL, NO, PL, PT, RO, SE, SI, SK, TR, US, VA |
Moneris | CA |
MoneyMovers | US |
Mundipagg | US |
NAB Transact | AU |
NCR Secure Pay | US |
NELiX TransaX | US |
Netbanx by PaySafe | AF, AX, AL, DZ, AS, AD, AO, AI, AQ, AG, AR, AM, AW, AU, AT, AZ, BS, BH, BD, BB, BY, BE, BZ, BJ, BM, BT, BO, BQ, BA, BW, BV, BR, IO, BN, BG, BF, BI, KH, CM, CA, CV, KY, CF, TD, CL, CN, CX, CC, CO, KM, CG, CD, CK, CR, CI, HR, CU, CW, CY, CZ, DK, DJ, DM, DO, EC, EG, SV, GQ, ER, EE, ET, FK, FO, FJ, FI, FR, GF, PF, TF, GA, GM, GE, DE, GH, GI, GR, GL, GD, GP, GU, GT, GG, GN, GW, GY, HT, HM, HN, HK, HU, IS, IN, ID, IR, IQ, IE, IM, IL, IT, JM, JP, JE, JO, KZ, KE, KI, KP, KR, KW, KG, LA, LV, LB, LS, LR, LY, LI, LT, LU, MO, MK, MG, MW, MY, MV, ML, MT, MH, MQ, MR, MU, YT, MX, FM, MD, MC, MN, ME, MS, MA, MZ, MM, NA, NR, NP, NC, NZ, NI, NE, NG, NU, NF, MP, NO, OM, PK, PW, PS, PA, PG, PY, PE, PH, PN, PL, PT, PR, QA, RE, RO, RU, RW, BL, SH, KN, LC, MF, VC, WS, SM, ST, SA, SN, RS, SC, SL, SG, SX, SK, SI, SB, SO, ZA, GS, SS, ES, LK, PM, SD, SR, SJ, SZ, SE, CH, SY, TW, TJ, TZ, TH, NL, TL, TG, TK, TO, TT, TN, TR, TM, TC, TV, UG, UA, AE, GB, US, UM, UY, UZ, VU, VA, VE, VN, VG, VI, WF, EH, YE, ZM, ZW |
NETbilling | US |
NETPAY Gateway | MX |
NetRegistry | AU |
Network Merchants (NMI) | US |
NMI | US |
Ogone | BE, DE, FR, NL, AT, CH |
Omise | TH, JP |
Open Payment Platform | AD, AI, AG, AR, AU, AT, BS, BB, BE, BZ, BM, BR, BN, BG, CA, HR, CY, CZ, DK, DM, EE, FI, FR, DE, GR, GD, GY, HK, HU, IS, IN, IL, IT, JP, LV, LI, LT, LU, MY, MT, MX, MC, MS, NL, PA, PL, PT, KN, LC, MF, VC, SM, SG, SK, SI, ZA, ES, SR, SE, CH, TR, GB, US, UY |
Openpay | CO, MX |
Optimal Payments | CA, US, GB, AU, AT, BE, BG, HR, CY, CZ, DK, EE, FI, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, NO, PL, PT, RO, SK, SI, ES, SE, CH |
Orbital Paymentech | US, CA |
Pagar.me | BR |
PagoFacil | MX |
Pay Way | AU |
Paybox Direct | FR |
PayConex | US, CA |
Payeezy | US, CA |
Payex | DK, FI, NO, SE |
PayGate PayXML | US, ZA |
PayHub | US |
PayJunction | US |
PayJunction | US |
Paymentez | MX, EC, CO, BR, CL, PE |
PAYMILL | AD, AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FO, FR, GB, GI, GR, HR, HU, IE, IL, IM, IS, IT, LI, LT, LU, LV, MC, MT, NL, NO, PL, PT, RO, SE, SI, SK, TR, VA |
PayPal Express Checkout | |
PayPal Payflow Pro | US, CA, NZ, AU |
PayPal Payments Pro (UK) | GB |
PayPal Payments Pro (US) | CA, NZ, GB, US |
PayPal Website Payments Pro (CA) | CA |
Payscout | US |
PaySecure | AU |
Paystation | NZ |
PayU India | IN |
PayU Latam | AR, BR, CL, CO, MX, PA, PE |
Pin Payments | AU |
Plug'n Pay | US |
ProPay | US, CA |
Psigate | CA |
PSL Payment Solutions | GB |
Quantum Gateway | US |
QuickBooks Merchant Services | US |
QuickBooks Payments | US |
Quickpay | |
Qvalent | AU |
Raven | US |
Realex | IE, GB, FR, BE, NL, LU, IT, US, CA, ES |
Redsys | ES |
S5 | DK |
SafeCharge | AT, BE, BG, CY, CZ, DE, DK, EE, GR, ES, FI, FR, GI, HK, HR, HU, IE, IS, IT, LI, LT, LU, LV, MT, MX, NL, NO, PL, PT, RO, SE, SG, SI, SK, GB, US |
SagePay | GB, IE |
Sallie Mae | US |
SecureNet | US |
SecurePay | US, CA, GB, AU |
SecurePay (AU) | AU |
SecurePayTech | NZ |
SecurionPay | AD, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FO, FR, GI, GL, GR, GS, GT, HR, HU, IE, IS, IT, LI, LR, LT, LU, LV, MC, MT, MU, MV, MW, NL, NO, PL, RO, SE, SI |
SkipJack | US, CA |
SoEasyPay | US, CA, AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE, GB, IS, NO, CH |
Spreedly | AD, AE, AT, AU, BD, BE, BG, BN, CA, CH, CY, CZ, DE, DK, EE, EG, ES, FI, FR, GB, GI, GR, HK, HU, ID, IE, IL, IM, IN, IS, IT, JO, KW, LB, LI, LK, LT, LU, LV, MC, MT, MU, MV, MX, MY, NL, NO, NZ, OM, PH, PL, PT, QA, RO, SA, SE, SG, SI, SK, SM, TR, TT, UM, US, VA, VN, ZA |
Stripe (Legacy) | AT, AU, BE, BG, BR, CA, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HK, IE, IT, JP, LT, LU, LV, MT, MX, NL, NO, NZ, PL, PT, RO, SE, SG, SI, SK, US |
Stripe Payment Intents | AT, AU, BE, BG, BR, CA, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HK, IE, IT, JP, LT, LU, LV, MT, MX, NL, NO, NZ, PL, PT, RO, SE, SG, SI, SK, US |
Swipe Checkout | NZ, CA |
Telr | AE, IN, SA |
TNS | AR, AU, BR, FR, DE, HK, MX, NZ, SG, GB, US |
Transact Pro | US |
TransFirst | US |
TransFirst Transaction Express | US |
Transnational | US |
Trexle | AD, AE, AT, AU, BD, BE, BG, BN, CA, CH, CY, CZ, DE, DK, EE, EG, ES, FI, FR, GB, GI, GR, HK, HU, ID, IE, IL, IM, IN, IS, IT, JO, KW, LB, LI, LK, LT, LU, LV, MC, MT, MU, MV, MX, MY, NL, NO, NZ, OM, PH, PL, PT, QA, RO, SA, SE, SG, SI, SK, SM, TR, TT, UM, US, VA, VN, ZA |
TrustCommerce | US |
USA ePay | US |
USA ePay Advanced SOAP Interface | US |
UsaEpay | |
Vanco Payment Solutions | US |
Verifi | US |
ViaKLIX | US |
VisaNet Peru Gateway | US, PE |
WebPay | JP |
WePay | US, CA |
Windcave (formerly PaymentExpress) | AU, FJ, GB, HK, IE, MY, NZ, PG, SG, US |
Wirecard | AD, CY, GI, IM, MT, RO, CH, AT, DK, GR, IT, MC, SM, TR, BE, EE, HU, LV, NL, SK, GB, BG, FI, IS, LI, NO, SI, VA, FR, IL, LT, PL, ES, CZ, DE, IE, LU, PT, SE |
WorldNet | IE, GB, US |
Worldpay Global | HK, GB, AU, AD, AR, BE, BR, CA, CH, CN, CO, CR, CY, CZ, DE, DK, ES, FI, FR, GI, GR, HU, IE, IN, IT, JP, LI, LU, MC, MT, MY, MX, NL, NO, NZ, PA, PE, PL, PT, SE, SG, SI, SM, TR, UM, VA |
Worldpay Online Payments | HK, US, GB, BE, CH, CZ, DE, DK, ES, FI, FR, GR, HU, IE, IT, LU, MT, NL, NO, PL, PT, SE, SG, TR |
Worldpay US | US |
Offsite Gateways
The rXg supports the following offsite payment gateways.
Example Configuration for Gateways
- Card Connect (Direct Gateway)
- Authorize.net (Direct Gateway)
- PayPal (Offsite Gateway) ## PMS Servers
The PMS servers scaffold configures the rXg property management system interface mechanism. The rXg property management system interface operates in a manner that is nearly identical to that of credit card processing gateways. However, rather than sending credit card information to the third-party server for processing, the PMS interface sends credentials such as a room number and guest name or number for charge posting. Successful charge posts result in a credit being applied to the Account journal.
Once a PMS server record is created, the rXg will immediately begin communication with the PMS and synchronize the guest database. Thus it is absolutely necessary that the PMS be setup and ready to receive interface communication from the rXg before a PMS server record is created.
Use the Guests action link on the right side of each PMS server record to view list of all guests that the rXg believes to be currently checked in and valid for charge posting. The Guests sub scaffold is particularly useful when a hospitality guest reports that they cannot login with their credentials. Searching the Guests sub scaffold is the easiest way to find what credentials the rXg is expecting for a given guest.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The interface field configures the API that the rXg will use to communicate with the property management system. The property management system must be configured accept communication using the same protocol that is specified here.
The usage plans field enables the operator to choose plans that are allowed to be billed to the property management system. Usage plans may only be associated with one external billing gateway such as a merchant or a property management system. Thus any usage plan that is being directly billed to a credit card may not be used in conjunction with a pms server record.
The account sharing field configures how accounts are shared between multiple registered guests in a room's folio. per-Device: an Account is created for every device (old behavior). per-Guest: an Account is created for each unique guest name checked into a room and shared by all devices that supplied the same name and room. per-Room: an Account is created for each set of guest names checked into a room at the same time and shared between all devices.
The host field must contain the IP address or domain name of the property management system interface server. It is assumed that the property management system interface server will use TCP/IP for third-party integration.
The port field must contain the port on which the property management system is listening for connections. The rXg will initiate the connection from a random high port. It is expected that traffic originating from any port on the rXg be allowed to access the property management server on this port.
The timeout field specifies the number of seconds that the rXg will wait for a response from the property management system. If the property management system fails to respond by the configured timeout , the transaction will be considered a failure by the rXg.
The UDF Behaviors define patterns that will be used to determine deployment specific behavior for particular cases of updates to the PMS. For instance, in the Infor REST integration, this is used to define patterns that will be considered for detecting when the guest has been assigned a one time access (OTA) email from a travel platform like Expedient, Agoda or similar. This is only implemented for Infor REST currently.
The dialed digits (DD) field is used by the rXg to communicate the MAC address of the end-user device that executed the charge posting. This allows the operator to understand how many individual devices are being used by a hospitality guest to access the Internet. The DD format field configures how the end-user's MAC address is formatted before sending it to the property management system as the DD field. The rXg sends the MAC address in decimal format by default because the FIAS standard specifies that the DD field be numeric. However, in practice many operators find that sending the MAC in hex is the easiest way to ensure that the posts for hospitality guests is accurate.
The subsequent transaction fields configure the PMS gateway to change the amount billed for subsequent transactions that originate from the same PMS guest. This feature allows the operator to charge less (or charge nothing) for a specified number of additional devices beyond the primary registered device. A follow-on transaction will only be marked subsequent (and thus discounted), if it satisfies both the subsequent transaction max count restriction as well as the subsequent transaction lifetime restriction.
The subsequent transaction max count specifies the maximum number of transactions that will be considered subsequent after a primary (non-subsequent) transaction. Setting the subsequent transaction max count to 0 disables this feature entirely as no transactions will ever be considered subsequent.
The subsequent transaction lifetime (s) field specifies the maximum amount of time (in seconds) that may elapse between a primary (non-subsequent) transaction and a sub-sequent transaction. If the elapsed time between a primary (non-subsequent) transaction and a follow-on transaction exceeds the configured subsequent transaction lifetime (s), the transaction will not be marked as subsequent and will not be discounted.
The subsequent transaction price reduction specifies the reduction in amount to be charged for follow-on transactions marked as subsequent. The value may be specified as an absolute number (e.g., 12.95) or as a percentage (e.g., 75%). If an absolute number is specified, the specified value will be subtracted from the plan price. If the resulting amount is less than zero, a charge of 0.00 will be sent to the PMS. Similarly, if a percentage is specified, the final amount transmitted to the PMS is calculated by discounting the specified percentage of the original usage plan price.
For example, if an operator wishes to allow three devices per day to acquire Internet access based on a PMS charge posting, the appropriate settings are:
| subsequent transaction max count | 2 | | subsequent transaction lifetime | 86400 | | subsequent price reduction | 99999 |
Alternatively, if an operator wishes to allow up to 5 additional devices to acquire Internet at a significant (75%) discount within two days the first full price PMS posting, the appropriate settings are:
| subsequent transaction max count | 5 | | subsequent transaction lifetime | 172800 | | subsequent price reduction | 75% |
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
PMS Guest Matches
The PMS Guest Matches scaffold enables operators to control the availability of the Usage Plans that are associated with the PMS Server to certain PMS Guests. For example, this scaffold may be used to configure the rXg to offer free Internet to PMS Guests who are checked in with a rate code ofINTC
, reduced price Internet to PMS Guests with a block code of ACORP
and special high speed, high priority Internet access with an SLA for PMS Guests staying in suites (identified by room type STE
).
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The Guest Field specifies the PMS Guest field that is the location that will be considered for this PMS Guest Match rule. The operator may choose from almost any field present in the PMS Guest record. The most frequently used options for this are the custom0
, custom1
, ... custom9
fields which correspond to the FIAS A0
, A1
, ...A9
fields. Typically, the Ax
FIAS fields are mapped to:
Field Name A0
Rate Code A1
Group Code A2
Block Code A3
Room Type A4
Membership Type A5
Membership Number A6
Source
The Pattern field specifies a string that must match the value of the field specified in the Guest Field parameter in order for this PMS Guest Match to be effective. For example, if the operator desires to have this match rule take effect when the rate code is INTC
, the Guest Field would be set to custom0
and the Pattern would be set toINTC
.
The Min transactions and Max transactions fields restrict this PMS Guest Match rule to only affect a PMS Guest that has completed a certain number of transactions. Only transactions that represent active (non-expired) Usage Plans purchased by the PMS guest are counted. For example, the PMS Guest Match mechanism will not count a transaction made by a PMS Guest that purchases a Usage Plan with two days of usage when the guest comes back to purchase another plan three days later.
One common use of the Min transactions and Max transactions fields is to configure the availability of "free Internet for the first device." To accomplish this the operator would create a PMS Guest Match rule with Min transactions set to 0 and Max transactions to set 1 linked to a Usage Plan that is free. Thus the PMS Guest has access to purchasing the "free plan" when there are no active Usage Plans associated with the account. The PMS Guest Match mechanism determines that there are no active Usage Plans because none have been purchased or because the ones that have been purchased have already expired.
These fields may also be used to configure the converse, for example, "buy one device, get free Internet for three additional devices." To accomplish this the operator would create a PMS Guest Match rule with Min transactions set to 1 and Max transactions set to 4. In this case access to the the "free plan" is only available to PMS Guests that have at least one active (non-expired) Usage Plan which the PMS Guest would have to pay for.
The checkboxes specified by the Usage Plans field are the Usage Plans that will be available to the user that is matched by this PMS Guest Match rule.
To create a "catch all" or "default" rule, create a PMS Guest Match rule with an empty Guest Field and Pattern. The Usage Plans selected by a PMS Guest Match rule configured as a "catch all" will be available to all PMS Guests that do not match any PMS Guest Match rules with an explicitly defined Guest Field and Pattern.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
PMS Guest Match Examples
Example 1: Match "free" in custom 0 field and offer free plan.
In this example we will be looking at Custom field 0 containing a value of "free". If the field contains the word free the guest will have access to the same plan as other guests, but at zero cost. Guests that do not match will in this case pay $10.
When configuring the PMS server the following settings should be set to ensure the guest only sees the plans that match, and not the plan(s) that are available if they don't match anything. These settings are under the Plan Behavior section of the PMS server configuration. The main setting we are interested in here is the Show only matched plans checkbox. With this enabled the guest will only be displayed plans that they have matched against.
At a minimum we need to have two plans configured 1 that will be displayed to guests that match and the other free plan that will be displayed to guests that match our configured guest match. Below we can see that we have two plans configured 1 with a $5 price and the other with a price of free.
Next we will configure the Guest Match. Navigate to Billing::Gateways and create a new Guest Match. The Name field is arbitrary. The Guest Field for this example shoudl be set to custom0. The pattern we are looking for is the word free so we will enter that into the Pattern field. The Min transaction field is the minimum number of transactions the guest has before this plan will be displayed, in this case it should be set to 0 as we want the guest to be presented with this plan immediatly. The Max Transactions field can be used to no longer display a plan to a guest if they exceed the number of transactions, in this case we want the guest to always be presented with the free plan if they match. Lasty the Usage Plans field is used to pick which plans will be displayed to the guest if they match, for this example the Free PMS Plan will be selected. Then click the Create button.
Now we will look at a guest that does not have the word free in the Custom0 field. Below is a screenshot showing that the guest Khan does not the word free in the Custom0 field.
The screenshots below shows the guest entering their credentials and being presented with only the paid plan.
Next we will look at a guest that has the word free in the Custom0 field.
The screenshots below shows the guest entering their credentials and being presented with only the free plan.
Example 2: If room type is a suite offer free 200Mbps plan.
In this example we will configure a room type match against suite. We will leave the plans from above but also include a 200mbps plan that is paid and another that is free. We will also leave the free guest match we created before. This time when we log in with the guest room and name we will be offered the 200Mbps plan for free instead of the free plan.
Next we will create a new Guest Match that will match against the room_type field. The Name field is arbitrary. For Guest Match we will set the Guest Field to room_type , and the Pattern field to suite. Min and Max Transaction fields can be adjusted to change how many transactions the guest must have before it shows up, and determine after a number of transactions when the plan will no longer be offered. In this example we want it to be available to the guest all the time so Min Transactions will be set to 0, and Max Transactions will be set to 99 so that the guest would have to have over 99 transactions before the plan would no longer be presented. Lastly in the Usage Plans field we want to select the plans to be presented when the room type is suite, in this case we will select the 200Mbps Free Plan
Now we will look at a guest that does not have a room_type of "suite". We will use the guest Khan from the first example because we know they will not match.
Now we will find a guest that has "suite" in the room_type field.
The below screenshots show the guest with the room_type set to suite logging in and being presented with the 200Mbps free plan.
Card Connect Setup
When creating a Card Connect account there will be 3 pieces of information needed to setup the merchant in the rXg. Card Connect will provide an API Username & Password, along with a Merchant ID. For this example the API Username & Password will be testing:testing123, and the Merchant ID will be 496160873888.
Create a new Merchant. The Name field is arbitrary. Select the Usage plans that can use this merchant by selecting them in the Usage Plans field. Select Card Connect in the Direct Gateway field. The API Username testing will go into the Login field. The API Password testing123 will go into the Password field. Lastly the Merchant ID 496160873888 will go in the Partner field.
Authorize.net Setup
When creating an Authorize.net account there will be 2 pieces of information needed to setup the merchant in the rXg. Authorize.net will provide an API Login ID, and a Transaction Key. For example the API Login ID will be 63RkqZy7B, and the Transaction Key will be 6HKJywh3634Md83g.
Create a new Merchant. The Name field is arbitrary. Select the Usage plans that can use this merchant by selecting them in the Usage Plans field. Select Authorize.net in the Direct Gateway field. The API Login ID 63RkqZy7B will go into the Login field. The Transaction Key 6HKJywh3634Md83g will go in the Password field.
PayPal Setup
When creating a PayPal merchant you only need to enter in the email address associated to the PayPal account you want the transactions to be delivered to. The PayPal account must have IPN (Instant Payment Notifications) enabled. If IPN is not enabled the rXg will not receive notification that the payment was successful. PayPal must be whitelisted in the Splash Portal otherwise users will not be able to communicate with PayPal and will not be able to complete the transaction.
Create a new Merchant. The Name field is arbitrary. Select the Usage plans that can use this merchant by selecting them in the Usage Plans field. Select Paypal Website Payments Standard from the Offsite Gateway field. Put the email address associated to your Paypal account in the Login field.
PMS Properties
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
The code field is a place to put a string that correlates with this property and its rooms.
Transactions
The transactions view presents the list of all credit card transactions that have been processed.
Every credit card transaction record has an ID number that is used to uniquely identify the transaction. The date , time and amount charged are stored in the transaction record along with two boolean flags denoting whether the transaction was a success and whether or not it was a test.
Transaction records are linked to accounts , the payment method (which contains the credit card information), the usage plan selected and the merchant used to clear the transaction. Clicking on any of these fields in the list view of the transaction log displays the linked record.
Coupons
Coupons enable an operator to offer new or existing end-users an operator defined credit.
Coupons are similar to tokens in that the operator generates a batch of codes that are to be distributed to end-users. Whereas tokens may be used as login credentials, coupons require the end-user to have an account. Coupons may be redeemed for credit by an end-user during the sign-up process or through a specific link on the captive portal web application.
There is a diverse set of use cases for coupons. Operators may generate a batch of coupons to enable end-users to "try before they buy" service. By using coupons the operator is able to capture the personal information from potential subscriber and use that for direct marketing. Coupons are also often used as a mechanism to avoid micro-payment transactions fees. Tokens can accomplish the same goal, however, with coupons, the operator maintains an identifiable database of end-users.
Coupons must be assigned a numerical credit or an association to a usage plan , that allows the end user to redeem the coupon to purchase the plan or unlocks the plan for purchase. When assigned a credit , the amount is transferred into the end-user's account upon redemption of the coupon. The end-user may then use the credit to purchase any plan of their choosing. When associated with a usage plan , the coupon enables the end-user to select the associated plan without supplying direct payment via credit card. Alternatively a usage plan may be unlocked and becomes avialable for purchase.
The Code field shows the code that the end user will enter to redeem the coupon on the captive portal.
The Batch field is an automatically assinged value to each set of coupons generated by the administrator. This allows the administrator to quickly locate all of the coupons that were generated at the same time.
The Credit field displays the credit value that will be received by the end user when the coupon is redeemed, if applicable.
The Usage Plan field displays the plan the end user will be granted when redeeming the coupon.
The Expires field displays the date and time the coupon will no longer be valid, if applicable..
Coupons are also assigned an expiration date and time via the expires field. This allows the operator to issue coupons for time-limited promotions or to support event management.
The Usage Plans field displays which usage plans are unlocked for purchase by redeeming the coupon.
The Redeemed coupons field displays how many times the coupon has been redeemed. Coupons that have no remaining redemptions left will be removed from the Coupons list.
When creating a new Coupon , the Copies field will determine the number of coupons that will be created. The operator can specify the number of times a coupon can be redeemed using the Max redemptions field, check the unlimited box to allow unlimited redemptions. The Character code dropdown lets the operator specify which characters will be used when generating the code. The Length field allows the operator to specify the number of characters the code will be in length. The Prefix / Suffix field allows the operator to attach a specific set of characters to the beginning and/or ending of the generated code. The Expires field allows the operator to specify the date and time the coupon will no longer be valid if desired. The Note field is for internal notes and will have no bearing on the generation of the coupon. Under Coupon Effect the Usage Plan dropdown allows the operator to select a specific usage plan that will be granted to the end user when redeemed. The Credit field is used to specify the amount of credit that will be applied when redeemed. The Usage Plans Available for Purchase field allows the operator to specify which usage plans will become available for purchase after redeeming the code. This is used to only allow certain plans to be purchased if the end user has the code to ulock them (Gated Access).
Examples of Coupon Usage
1. MDU - Each lease holder gets a code that unlocks free service, without code only paid plans are available.
For this scenario create a new Coupon. Enter the number of copies of the coupon to be created in the Copies field. For this scenario the Max redemptions field should be left at the default of 1 to prevent the coupon from being given out to those that should not have access. Change the Character code , Length and, Prefix / Suffix field if desired. It is up to the operator if they want to set an expiration using the Expires field. Note that once the coupon is redeemed it will no longer be valid. For this use case the fields under Coupon Effect will not be used. Under Usage Plans Available for Purchase select the plan(s) that this coupon will unlock, in thise case it will be the Gated Plan. Click Create.
In this scenario when an end user is redirected to the portal and signs up for an account if they do not have a code only the Public Plan will be presented.
With Coupon that allows access to the Gated Plan.
2. Dorm Rooms - Each room is issued a code that is good for a number of signups equal to the number of people sharing the room.
For this scenario create a new Coupon. Enter the number of copies of the coupon to be created in the Copies field. In this case the Max redemptions field should be set to the number of people the room is shared with. Change the Character code , Length and, Prefix / Suffix field if desired. It is up to the operator if they want to set an expiration using the Expires field. Note that once the coupon is redeemed it will no longer be valid. For this use case the fields under Coupon Effect will not be used. Under Usage Plans Available for Purchase select the plan(s) that this coupon will unlock, in thise case it will be the Gated Plan. Click Create.
In this scenario when an end user is redirected to the portal and signs up for an account if they do not have a code the will not be able to gain access.
With a Coupon code the user will gain access to the plan(s) the operator has selected.
3. MTU - Leasing office has a unique code for each property.
For this scenario 2 coupons will be created one that allows access to Property 1 and the second coupon will allow access for property 2. For the first coupon enter the number of copies to be created in the Copies field. In this case the Max redemptions field will be set to unlimited. Change the Character code and Length field if desired. In this case the Prefix field will be set to pr1 to denote the property. It is up to the operator if they want to set an expiration using the Expires field. For this use case the fields under Coupon Effect will not be used. Under Usage Plans Available for Purchase select the plan(s) that this coupon will unlock, in thise case it will be the Gated Plan. Click Create.
Repeat the previous steps for the second coupon this time change the Prefix field to represent the 2nd property, and select the appropriate Usage Plan.
Now depending on which code is entered different plans will be presented.
Using the coupon for the second property we are presented with the plan for that location.
Customers
The customers view displays the payment information for the end-users of the network. These records are created and updated by your end-users though an operator can also update these records if necessary.
All credit card information is stored using symmetric encryption to maintain PCI compliance. In addition, CVV2 data is never stored per PCD guidelines. All stored data is exportable and viewable by administrators who have read privilege to the billing section.
The active checkbox signifies which set of billing data is currently being used for a specific users recurring bills. If a customer recharges, this will also be the billing information used by default unless changed.
The CC Number is the credit card number.
The Expiration month and Expiration year make up the expiration for the above credit card.
The First Name , Middle Name or initial, and Last Name need to match the name on the credit card.
Company is an optional field. Some corporate cards require that this field be filled out appropriately.
The Address1, Address2, City, State, Zip, and Country need to match the billing address of the credit card.
The Phone Number should also match the records on file with the credit card company.
The Account is the end-user account that this billing information is associated with.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Archives
The rXg stores long term archives of data instrumented from end-users as well as from the rXg system itself. The archives are most often used to diagnose network problems as well as resolve billing problems.
Archives Dashboard
The archives dashboard presents several dialogs containing the most recent entries in several logs files.
Clicking on each of the dialogs brings up the detailed view of the log where the complete contents of the log file may be viewed.
The set of logs and length of each log that is displayed on the archives dashboard is controlled by the form at the bottom of the detailed view of each log.
Notification Logs
The rXg incorporates a comprehensive system and network monitoring mechanism. Every critical aspect of the rXg system health is continuously monitored for potential problems.
Standalone rXgs maintain their own individual health notices logs and engage in independent reporting. Clustered rXg nodes report all health notices back to the cluster controller for centralized logging and reporting. The network devices may be also be monitored by the health notices mechanism through the creation of ping targets.
Notification Events
When a Notification Action is triggered a Notification Event will be logged by the rXg. It will list the ID of the event, the timestamp when it was Created , the Event Type , along with the Related object (Account, LoginSession, etc). The Resolved checkbox allows the operator to resolve any health notices generated from the event, editing the event and checking the resolved box will cure any health notices generated from the event. The Processed box indecates that the any responses to the event were completed.
Capacity Planning
The primary purpose of the rXg health notice mechanism is to allow the operator to perform capacity planning using true data. To meet this need, the rXg traps and reports the following subsystems for near limit and over-utilization conditions:
- DHCP pools
- DHCP shared networks
- Filesystem
- Identities
- IP addresses
- Load average
- Login sessions
- Memory
- Connections Warnings are issued when the subsystem begins to exceed 80% of the maximum capacity. Critical failure messages are issued when the limits are reached.
When any of these health notices are issued by the rXg, the operator should take immediate action to correct the issue. An rXg that is operating in a condition where these health notices are triggered will not perform properly. Perceived and actual end-user performance will eventually degrade until traffic cannot be passed unless corrective action is taken.
Configuration Errors
The rXg administrative console integrates validation at every step of data entry. When individual records are created, updated and/or deleted, the change is validated before being committed to the database. However, the broad spectrum of features contained within the rXg means that it sometimes is possible for the operator to create a configuration that is partially or completely illegal despite the fact that the individual configuration records are valid.
The rXg creates warning health notices when the following configuration errors are encountered.
- the data in one or more WAN targets is invalid (e.g., bad DNS entry)
- failure to resolve a domain (e.g., a WAN target)
- one or more bandwidth queue definitions are overlapping
- the sum of all configured real-time guarantees exceeds the configured available bandwidth
- configured upload real-time guarantee exceeds capability to deliver
- configured download real-time guarantee exceeds capability to deliver
The rXg creates error health notices when the following configuration errors are encountered.
- missing physical interface for defined Ethernet interface
- email transmission failure
- remote content filter list extraction failure
- PMS server connection failure
- PMS server invalid request
- PMS server socket exception
- PPPoE DNS configuration error
- recurring biller malfunction
- session management malfunction
The rXg creates fatal error health notices when the following configuration errors are encountered.
- invalid time zone
- unable to ping
- primary uplink undefined
- unable to set default route
- failure during PMS demultiplexor initialization
Fatal errors are more severe than errors which are more severe than warnings. However, notification of any of the conditions discussed above requires immediately attention.
System and Network Element Monitoring
The rXg monitors itself for a broad spectrum of error conditions including but not limited to:
- DHCP server failure
- IP address conflict between the rXg and a neighbor node
- IP address conflict between two neighboring nodes
- ARP problems pertaining to critical hosts
- License failure
- Packet filter failure
- Ping target (operator specified) not responding When any of these events occur, a critical failure message is issued. ## DHCP Server Failure
The rXg issues a DHCP server failure heath notice when the DHCP server cannot be started. This failure is usually the result of an error in the operator specified configuration found in the Services :: DHCP view.
Due to the broad spectrum of possible DHCP server configurations, an operator may inadvertently configure the DHCP server into an invalid state. It is strongly recommended that at least two administrators review a complete understanding of a new DHCP configuration before any changes are made.
DHCP server changes should made in single steps. A map of all proposed DHCP server changes should be created and each step executed with a several second delay between steps. By following this simple protocol, the operator is enabling the rXg to restart the DHCP server between steps. If the DHCP server restart fails, then the rXg will issue a DHCP server failed health message. By staging DHCP configuration changes and waiting between steps, the cause of a failed DHCP server restart is isolated to the last change.
Additional information may be found by looking at the DHCP server log. The DHCP server log may be accessed by navigating to the Archives :: Logs view and then clicking on the DHCP sub menu option.
IP address conflicts
The IP address and MAC address of each and every device that communicates with the rXg is stored temporarily. This mechanism enables the rXg to detect when two or more nodes with different MAC addresses attempt to communicate with the rXg using the same IP. It also allows the rXg to detect when any node tries to use an IP configured on the rXg to communicate with the rXg itself.
It is extremely important for the rectify the situation that is causing the production of IP address conflict health notices. An IP address conflict between two end-user nodes often indicates that there is a loop in a network adjacent to the rXg. Furthermore, the rXg will not be able to communicate with all nodes on any adjacent network when a conflict between the IP address of the rXg and a node exists.
Packet Filter Failure
The rXg issues a packet filter failure health notice when the rXg cannot load the packet filter rule set that is generated from the policy enforcement configuration. This situation usually occurs due to operator error when configuring the policy to be enforced.
Policy enforcement changes should made in single steps. A map of all proposed policy enforcement changes should be created and each step executed with a several second delay between steps. By following this simple protocol, the operator is enabling the rXg to reload the packet filter rules between steps. If the packet filter rules fail to load, then the rXg will issue a packet filter failure health message. By staging policy enforcement configuration changes and waiting between steps, the cause of a packet filter failure is isolated to the last change.
Ping Target Not Responding
The rXg issues a ping target not responding health notice when an operator specified ping target does not respond to an ICMP ping message. Operator specified ping targets are configured on the Instruments :: Pings view.
The issuance of a ping target not responding health notice generally does not in any way reflect the health of the rXg itself. Instead, it can reflect the status of the node being targeted or the transit network.
When a ping target not responding message is issued, the operator should check on the status of the target node. If the target node is operational, then the failure notice is most likely due to a problem on the transit network. If the ping target is on the WAN (for example, if the ping target are public DNS servers), then the issuance of a ping target not responding message is an indication of a faulty uplink. Similarly, if the ping target is on the LAN, then the issuance of a ping target not responding health notice is an indication that there is a problem with the LAN distribution network.
Uplink Next Hop Router Not Responding
The rXg constantly monitors the status of the next hop router on all designated uplinks by sending ICMP ping requests. When the next hop router does not respond, the rXg assumes that the link is down. In a single uplink deployment scenario, this would mean that the entire network is down. In a multiple uplink scenario, the uplink associated with the router that does not respond will be removed from the pool of viable uplinks. The precise action that will be taken by the rXg is defined by the multiple uplink control records that have been configured.
The issuance of a uplink next hop router not responding health notice is an extremely critical issue that needs to be addressed by the operator immediately. Even if the uplink appears to come back on its own, a thorough investigation is warranted. Uplinks that periodically drop packets are faulty and will cause performance and reliability problems.
Reports
The network graphs, system graphs, radio metric graphs and accounting graphs views allow the operator to view and configure the rXg graphing mechanisms.
The rXg includes a fully feature graphing package that allows operators to generate graphs for a wide variety data that is collected and stored on the rXg persistent storage. The graphs are divided amongst four views: network graphs, system graphs, radio metric graphs and accounting graphs.
- Network graphs - Interface rates, packet counts, etc.
- System graphs - Global operating system and service data such as the number of simultaneous logins and the number of entries in the ARP table at any given time
- Radio metric graphs - Graphs built from telemetry information ingested from the wireless infrastructure
The network graphs view contains the graphs of interface rates, packet counts, etc. The system graphs view contains the graphs of global operating system and service data such as the number of simultaneous logins and the number of entries in the ARP table at any given time.
Network Graphs
The network graphs scaffold tells the rXg to generate a graph of the specified network statistics.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Four kinds of data are counted and saved for each network interface: traffic, packets, errors and discards. The unit field tells the graphing system which dataset which of these four to place on the graph.
The bits and bytes options both specify graphing of the traffic dataset with the respective unit. The packets option graphs the count of packets that transited the interface. It is important to use both traffic and packet counts for troubleshooting. Relying on a graph of the traffic or packets alone is an ineffective diagnostic strategy as Ethernet ports are just as easily overrun by a large number of small packets as they are by a small number of large packets.
The errors and discards options count the number of packets that were not processed. Packets that are dropped because of errors arrived at the Ethernet interface in an illegal state. The most common reason is a bad checksum due to a malformed packet. This indicates that there is a physical problem with the connection or a logical issue with the device at the other end of the connection. Well-formed packets that are dropped because of a problem on the rXg are logged as discards. A typical scenario where discards are recorded is when the buffer for the Ethernet interface is overflowing. Errors and discards are only valid for interfaces as this information is not stored for other entities.
The interfaces , PPPoEs , VLANs , queues , policies and accounts fields enable the operator to specify which entities for which to graph data stored data.
The function field tells the graphing system what to do when the pixel resolution is less than the data resolution. A choice of average will cause the graphing system to take the average of the data and plot the result. A choice of max will cause the graphing system to plot the maximum value amongst the data points.
The aggregate check box, when checked, tells the graphing system to add up multiple sources into a single line instead of a line for each source.
The time and image fields link this graph specification to a record in the time range and image configuration scaffolds respectively. The time range controls the span of the x-axis while the image configuration controls the drawing specifications.
When the dashboard check box is enabled, the graph specified by this record will be used in the instruments dashboard. Only one graph may be configured to be the instruments dashboard graph at any given time.
System Graphs
The system graphs scaffold tells the rXg to generate a graph of the specified network statistics.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The instrument field specifies the dataset to graph.
The function field tells the graphing system what to do when the pixel resolution is less than the data resolution. A choice of average will cause the graphing system to take the average of the data and plot the result. A choice of max will cause the graphing system to plot the maximum value amongst the data points.
The aggregate check box, when checked, tells the graphing system to add up multiple sources into a single line instead of a line for each source.
The time and image fields link this graph specification to a record in the time range and image configuration scaffolds respectively. The time range controls the span of the x-axis while the image configuration controls the drawing specifications.
When the dashboard check box is enabled, the graph specified by this record will be used in the instruments dashboard. Only one graph may be configured to be the instruments dashboard graph at any given time.
Radio Metric Graphs
The radio metric graphs view allows the operator to generate graphs based on telemetry information ingested from the wireless infrastructure. This data can be ingested using either GRPC streaming or MQTT. Telemetry is configured on a WLAN Controller. Radio metric graphs provide the operator with granular customizable views of data ingested directly from the network hardware over a specified period of time, empowering them to configure the network to be optimal for any use case.
- Optimize the network - see network throughput and latency to see where your network is struggling
- Grade the network - see real data about what users of the network are experiencing in a given time and location
- Prove the network is meeting requirements - provide documented proof that the network is or is not performing to standards set by SLAs and other agreements
Configuration
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold. The graph time determines what time period the graph will represent. There are default options available and custom time frames can be selected in the time ranges scaffold located directly below the radio metric graphs scaffold. The grouped by option selects what time interval the graph will be divided into, with the smaller the time resulting in more detailed graphs. The metric type and target fields tells the graphing system which set of collected data to use for generating the graph:
- Channel - What channel the radio was operating on for the selected frequency
- Client count - The number of clients connected
- Latency - The latency of the infrastructure
- Rate - The data rate on the network
- RRM - Channel utilization and noise floor statistics
- RSSI - Received signal strength statistics
- SNR - Signal to noise ratio average
- Transfer - The amount of data transferred over the network
The sources tell the graphing system which devices to pull data from to generate the graph. Sources can be individual access point radios, individual access points, or location areas.
Sample Configurations
To begin creating a radio metric graph click the Create New button above the scaffold.
Client Count Graph
This client count graph builds a graph showing the number of clients connected to each of a group of individually selected access points. The information will be presented from information from the last 24 hours and the data will be broken down by the second.
Channel Utilization Graph
This channel utilization graph will show the amount of time a channel is utilized in all of the access points in the location area Lab Access Points over the last 24 hours with the data broken down into one minute samples.
Time Ranges
Entries in the time ranges scaffold define spans of time for creating network graphs and system graphs. Graphs are linked to entries in this scaffold to determine the span of time that will be graphed on the x-axis.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Custom Reports
In addition to the graphs available in the reporting section, Custom Reports allows for the creation of text reports that may be exported to the Excel , CSV , or XML formats.
Entries in the time ranges scaffold define spans of time for creating network graphs and system graphs. Graphs are linked to entries in this scaffold to determine the span of time that will be graphed on the x-axis.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The type field specifies the template used to generate the report. Templates are instances of the CustomReport ruby class, and new ones may be added, as well as the existing of the x-axis while the image configuration controls the drawing specifications.
The time field links this graph specification to a record in the time range scaffold. The time range controls the span of time used to filter the data.
Admin Logs
The admin logs scaffold provides a detailed history of operator changes to the rXg. By utilizing unique administrator usernames for each operator, non-repudiation is achieved. The length of history can be adjusted in the System::Options scaffold.
Admin Logs
The time column displays the time the associated action took place.
The entry column displays a brief description of the action.
The admin column displays the login of the administrator that performed the action.
The IP column displays the IP associated with the administrative login session.
The scaffold column displays which scaffold in the administrative GUI was modified.
The action column describes what type of action was taken.
The record label column displays a specific entry in a scaffold that was created, modified, or destroyed.
Connection Logs
The connection logs scaffold provides a historical log of every connection that crosses between the LAN and the WAN. All Connections, including but not limited to, every HTTP(S) transaction, every SSH session, every video stream, etc., is recorded in the connection logs. The connection log is a powerful resource from which the rXg acquires complete cognizance over the end-user population. Data within the connection logs is tied to connection triggers, enabling total control.
Connection Logs
The expired column shows a timestamp of the end of the associated connection.
The initiated column shows a timestamp of the start of the associated connection.
The duration column shows the length of time the associated connection was open.
The source , port , and MAC columns display the originating source IP address, MAC address, and TCP/UDP port of the associated connection.
The login , session , and account columns displays layer 5+ source identification of the associated connection.
The destination , and port columns display the destination IP address, and TCP/UDP ports of the associated connection.
The NAT , and port columns display the WAN IP address and translated port used for the associated connection.
The proto column displays layer 4 protocol information for the associated connection.
The application column displays operator definable application information for the associated connection.
The download , upload , pkts down , and pkts up columns display the amount of data transferred in both bytes, and packets for the associated connection.
DHCP and DNS Logs
The DHCP and DNS Logs view is an archive of all expired leases that have been issued by the rXg integrated DHCP server.
DHCP leases are issued by the rXg integrated DHCP server based on the configuration specified by the network operator. End-users that make DHCP requests are issued IPs from pools that intersect the subnet ranges of configured addresses that are associated with the interfaces from which the end-user is connected to. Once an IP is issued to an edn-user, the DHCP server records that there is a lease on that IP. When the lease expires, the an entry is made into the expired DHCP leases scaffold and the IP address is ready to be leased to an end-user again.
Expired DHCP Leases
The issued field is the timestamp recorded when the DHCP lease was originally issued.
The expired field is the timestamp recorded when the DHCP lease expired and the IP has been reclaimed.
The IP field stores the IP address that was leased to the end-user.
The MAC and Hostname fields are the data items recorded that identify the end-user.
The pool field relates this record to the DHCP pool from which the IP was drawn when the lease was issued.
Portal Archives
The portal archives view presents scaffolds that display database records that are created when certain captive portal end-user events occur.
Login Sessions
The login sessions scaffold enables the operator to view a log of all the login sessions that have expired.
The login and logout fields contain the timestamps for when the login session was initiated and when it expired.
The username field stores the login of the user that initiated the login session.
The IP and MAC fields store the IP address and MAC address of the machine from which the end-user logged in.
The online , U/L and D/L fields stores the utilization of the end-user during this login session. Note that these values only account for what is used during this single login session. In environments where accounts are created and automatic login is enabled, end-users may create more than one login sessions over the period of time during which they have Internet access.
The reason field stores information regarding the cause of login session termination. This field helps the operator understand why a login session ends. The following reasons are considered normal termination of login sessions in a zero operator intervention environment:
User-RequestThe end-user clicked on the logout or end session link in their browser when surfing the rXg captive portal.Session-TimeoutThe session reached the maximum allowed time. For example, if the end-user purchased a 3 day plan, the 3 days have elapsed and thus the rXg automatically deleted the end-user session. Another example would be where the end-user is logged in via shared credential group that sets a 1 hour session time limit and 1 hour has elapsed.Quota-ExceededThe end-user device has consumed all of the available quota in the session. For example, if the end-user purchased a 5 GB quota plan and more than 5 GB have been transferred. Another example, the end-user is logged in via a shared credential group that sets a 256 MB maximum transfer and the end-user device transfers more than 256 MB of data.Sessions-ExceededThe end-user exceeded the configured maximum number of login sessions.Recurring-BillThe account has recurring billing enabled and the recurrence interval has been met. For example, if the account is set to monthly recurring billing and 1 month has elapsed since the account was first used. Idle-TimeoutThe end-user device has been idle (no traffic to or from the IP) for at least the amount of time that is configured in the idle timeout setting of the corresponding landing portal.Account-IP-Changed/Device-IP-ChangedThe account or device has come onto the network with a different IP address. This may happen if the DHCP lease for the end-user device has expired and the DHCP server issues a new lease with a different IP address.IP-ReclaimedA different end-user has come onto the network with the IP address associated with this login session and end-user. This may happen if the end-user device leaves the network and the rXg DHCP server assigns the IP address to a different end-user device. The following reasons may be encountered in the login session log during normal rXg operation and are a result of direct operator action: Admin-ResetThe operator manually deleted the login session using the Instruments :: Sessions view.Account-SuspendedThe operator manually deactivated the account by editing the account record. The following reasons are generally indicative of a misconfiguration or of malicious activity on the network: MAC-MismatchThe MAC address of a logged in session changed. This may occur if an end-user or other party deliberately attempts to steal a login session using a second device. For example, if the end-user logs in via a laptop, then shuts down their laptop and statically configures their phone to use the same IP address in an attempt to obtain Internet access for their phone without buying a plan. MAC-Mismatches may also result if the MAC <=> IP mapping network option is set incorrectly or if there is a conflict between the DHCP lease table and the ARP table when both the DHCP lease table and ARP table are both being considered for the MAC <=> IP mapping.
Survey Results
The rXg captive portal includes an end-user survey capability that allows operators to collect arbitrary data from end-users. The results from the end-user surveys are collected and stored in the rXg database. The operator accesses the collected survey data through the survey results scaffold.
The submitted field stores the time stamp of when the survey was collected. This is typically concurrent with the a login event.
The account , shared credential , RADIUS and LDAP fields store the login information that was provided when the survey was submitted. Exactly one of these fields should be populated as it is not possible to login with two sets of credentials.
The session field stores a reference to the IP session that was created when the login was processed.
The answers field stores the questions and answers that the were part of the survey taken and submitted by the end-user. Clicking on the list of answers opens a nested scaffold that displays questions and answers in a tabular format.
Redeemed Coupons
The redeemed coupons scaffold is an archive of all coupons that have been redeemed by end-users.
Coupons are redeemed via the captive portal web application. A successful coupon redemption results in the account being given the credit or access to the usage plan specified in the coupon. In addition, the redeemed coupon is removed from the pool of available coupons and an entry made into the redeemed coupons scaffold.
The redeemed field is the timestamp recorded when the coupon redemption.
The code , batch , credit , usage plan and expires fields contain copies of the data from the coupon that was redeemed.
The account field stores the login of the end-user that redeemed the coupon.
The same coupon code made be present multiple times in the redeemed coupon archive. Once a coupon is redeemed, the code is available and may be chosen by the coupon generator. Thus the same code may be allocated to different coupons at different times. The only stipulation is that the same code is never used for two active coupons at the same time.
The list in redeemed coupons combined with the list of coupons does not represent the set of all coupons that were ever present on the rXg. Coupons that are manually deleted by administrators as well as those that are automatically deleted by the rXg coupon expiration mechanism are not tracked.
Queue Logs
The queue logs scaffold provides a historical log of the bandwith queuing mechanism built in to the rXg.
Queue Logs
The sampled column shows a timestamp of the start of the associated connection.
The bytes , pkts , and direction columns display the amount of data transfered, and whether it was uploaded or downloaded, for the associated connection.
The IP , and MAC columns display layer 2 and 3 source information for the associated connection.
The login , session , account , IP group , account group , MAC Group , shared credential group , RADIUS group , and LDAP group columns display the layer 5+ source information for the associated connection.
The policy column displays the policy matched to the associated connection.
The bandwidth queue column displays the name of the operator-defined queue used for the associated connection.
The uplink column displays the uplink record that was utilized for the associated connection.
The interface , and VLAN columns display the originating LAN for the associated connection.
RADIUS Server Logs
The RADIUS server logs view presents an archive of all RADIUS requests that have been made to the rXg integrated RADIUS server.
The rXg integrated RADIUS server enables operators to expose the local user database for use with RADIUS NAS devices. An entry is made into the RADIUS server logs scaffold whenever a RADIUS NAS makes a successful RADIUS accounting request to the rXg integrated RADIUS server.
RADIUS Server Logs
The received field is the timestamp marking when the RADIUS accounting request was received by the RADIUS server.
The account field relates this accounting request to a account record in the accounts scaffold.
The Acct-Session-Id , Acct-Session-Time , Acct-Session-Id , Acct-Status-Type , Event-Timestamp , and other attributes beginning with Acct- are RADIUS accounting attributes. The possible values and meaning of these attributes are defined by RADIUS Accounting RFC 2139 and RADIUS Extensions RFC 2869.
The class , Framed-IP-Address , NAS-Identifier , NAS-IP-Address , NAS-Port , NAS-Port-Type and other key/value pairs listed are RADIUS attributes. The possible values are meaning of these attributes are defined by RADIUS RFC 2865. When the requesting RADIUS NAS is an rXg, the class attribute is used to pass the group and policy association information which enables differentiated service.
The raw attributes field contains a dump of the unprocessed RADIUS accounting request. This field is useful when troubleshooting problematic RADIUS server to RADIUS NAS connectivity, and may contain key/value pairs for some attributes not listed above.
Triggered Events
The triggered events scaffold stores a log of every event trigger that occurred on the rXg.
Triggered Event Logs
The triggered field stores the time stamp of when the event was triggered.
The IP , MAC , account fields store the identity of the end-user that triggered the event.
The trigger type and trigger name fields store the kind and identifier of the event trigger that occurred.
The reason field specifies a description of why the event trigger fired.
Web Proxy Requests
The web proxy requests view displays data collected by the rXg integrated transparent web proxy. Each and every web request that transits the rXg is logged into the rXg database. This enables the operator to have complete cognizance over the end-user population.
The rXg transparent web proxy must be enabled in order for the web proxy requests to be logged. The rXg transparent web proxy is configured through the persistent caching view of the policies menu. The operator may choose to enable the transparent web cache for only the subset of the end-user population for which deep cognizance is desired.
At the top of the web proxy requests view is a summary report.
Direct access to data is available through a scaffold at the bottom of the view.
The operator may also generate reports for activity by account , IP address or MAC address by using the action links found at the right side of the various scaffolds throughout the administrative console.
In the example above, the operator has accessed a web proxy requests report through the ARP view of the instruments menu. Similar reports may be generated through the scaffolds on the policies , accounts , sessions and DHCP views.
Logs
The logs view enables the operator to delve into the log files generated by the daemons that underly the rXg.
Numerous software modules are utilized to implement many of the features present in the rXg. During the course of normal operations, the software modules generate information which is stored in log files unique to the software module. The logs view enables the operator to browser through the log files for diagnostic purposes.
Log files tend to contain a large amount of data and become unwieldy after a while. The rXg rotates the log files periodically to mitigate size issue. As a result, the logs view contains several navigation mechanisms that assist the operator with browsing the available log files.
The menu near the top lists the names of the software modules. When a module name is clicked, the logs for the named module are brought into focus in the main dialog below. The name that is highlighted in red indicates the current module that is in focus.
The following logs are available:
Admin ConsoleA log of all actions that have been executed on the rXg administrative console along with the name of the administrator that executed the action and the IP address from which the request originated.Proxy HitsThe web proxy logs all request hits here. Proxy ServerThe web proxy logs global information and errors here. DHCP ClientInformation regarding the WAN links that obtain configuration via DHCP is logged here.DHCP ServerThe DHCP server logs global information and errors here. DNS ServerThe DNS server logs global information and errors here. DPI EngineThe deep packet inspection engine logs global information and errors here. Display MessagesOperating system kernel display messages are logged here.Dynamic DNSInformation regarding dynamic DNS servers via DHCP is logged here.HTTP (SSL)The web multiplexer that accepts HTTPS requests for the portal and console writes an entry for all requests in this log.HTTP (dev)The rails servers log here when in development mode. HTTP (prod)The rails servers log here when in production mode. IPsecThe IPsec engine logs connection information and errors here. HTML RewriteThe HTML payload rewriting engine logs information here.PPP(oE)Information about WAN uplinks that are configured for PPPoE is logged here.RADIUS ServerThe RADIUS server logs global information and errors information here.SNMP ServerThe SNMP server logs global information and errors information here.Signature MatchesThe deep packet inspection engine logs matches to configured rules here. System LogThe operating system logs errors and diagnostic information here.rXgThe rXg backend daemon logs diagnostic information and errors here.
At the top of the main dialog is a series of numbers that follow the file label. These numbers represent the various log files that are present on the filesystem for the module chosen in the menu above. The file number 1 represents the current log file that the software module is writing to. The largest number represents the oldest log file that is still present on the rXg filesystem. The number in bold is the log file that is currently in focus.
The rXg periodically rotates the files and deletes the oldest one. The rotation policy depends on the software module. Most logs are rotated daily though some are rotated based on the size of the file. The rXg keeps at least a few rotations worth of log files on the filesystem at any given time to aid in troubleshooting.
Many log files are thousands of lines long to it would be impractical to load entire log files into the browser. The main dialog displays on a slice of the log file chosen above. A series of numbers that follow the page label appear at the bottom of the main dialog that enables the operator to change the focus to a difference slice within the file. Smaller numbers represent slices at the top of the file while large numbers represent slices closer to the bottom. The number in bold represents the current slice of the log file.
At the bottom of the dialog there is a small textfield that allows the operator to enter the number of lines of this log that are desired for the archives dashboard. If the value is zero, then this log will be omitted from the dashboard. It is recommended that no more than five logs with five rows each be placed on the archives dashboard.
Notification Logs
The rXg incorporates a comprehensive system and network monitoring mechanism. Every critical aspect of the rXg system health is continuously monitored for potential problems.
Standalone rXgs maintain their own individual health notices logs and engage in independent reporting. Clustered rXg nodes report all health notices back to the cluster controller for centralized logging and reporting. The network devices may be also be monitored by the health notices mechanism through the creation of ping targets.
Notification Events
When a Notification Action is triggered a Notification Event will be logged by the rXg. It will list the ID of the event, the timestamp when it was Created , the Event Type , along with the Related object (Account, LoginSession, etc). The Resolved checkbox allows the operator to resolve any health notices generated from the event, editing the event and checking the resolved box will cure any health notices generated from the event. The Processed box indecates that the any responses to the event were completed.
Capacity Planning
The primary purpose of the rXg health notice mechanism is to allow the operator to perform capacity planning using true data. To meet this need, the rXg traps and reports the following subsystems for near limit and over-utilization conditions:
- DHCP pools
- DHCP shared networks
- Filesystem
- Identities
- IP addresses
- Load average
- Login sessions
- Memory
- Connections Warnings are issued when the subsystem begins to exceed 80% of the maximum capacity. Critical failure messages are issued when the limits are reached.
When any of these health notices are issued by the rXg, the operator should take immediate action to correct the issue. An rXg that is operating in a condition where these health notices are triggered will not perform properly. Perceived and actual end-user performance will eventually degrade until traffic cannot be passed unless corrective action is taken.
Configuration Errors
The rXg administrative console integrates validation at every step of data entry. When individual records are created, updated and/or deleted, the change is validated before being committed to the database. However, the broad spectrum of features contained within the rXg means that it sometimes is possible for the operator to create a configuration that is partially or completely illegal despite the fact that the individual configuration records are valid.
The rXg creates warning health notices when the following configuration errors are encountered.
- the data in one or more WAN targets is invalid (e.g., bad DNS entry)
- failure to resolve a domain (e.g., a WAN target)
- one or more bandwidth queue definitions are overlapping
- the sum of all configured real-time guarantees exceeds the configured available bandwidth
- configured upload real-time guarantee exceeds capability to deliver
- configured download real-time guarantee exceeds capability to deliver
The rXg creates error health notices when the following configuration errors are encountered.
- missing physical interface for defined Ethernet interface
- email transmission failure
- remote content filter list extraction failure
- PMS server connection failure
- PMS server invalid request
- PMS server socket exception
- PPPoE DNS configuration error
- recurring biller malfunction
- session management malfunction
The rXg creates fatal error health notices when the following configuration errors are encountered.
- invalid time zone
- unable to ping
- primary uplink undefined
- unable to set default route
- failure during PMS demultiplexor initialization
Fatal errors are more severe than errors which are more severe than warnings. However, notification of any of the conditions discussed above requires immediately attention.
System and Network Element Monitoring
The rXg monitors itself for a broad spectrum of error conditions including but not limited to:
- DHCP server failure
- IP address conflict between the rXg and a neighbor node
- IP address conflict between two neighboring nodes
- ARP problems pertaining to critical hosts
- License failure
- Packet filter failure
- Ping target (operator specified) not responding When any of these events occur, a critical failure message is issued. ## DHCP Server Failure
The rXg issues a DHCP server failure heath notice when the DHCP server cannot be started. This failure is usually the result of an error in the operator specified configuration found in the Services :: DHCP view.
Due to the broad spectrum of possible DHCP server configurations, an operator may inadvertently configure the DHCP server into an invalid state. It is strongly recommended that at least two administrators review a complete understanding of a new DHCP configuration before any changes are made.
DHCP server changes should made in single steps. A map of all proposed DHCP server changes should be created and each step executed with a several second delay between steps. By following this simple protocol, the operator is enabling the rXg to restart the DHCP server between steps. If the DHCP server restart fails, then the rXg will issue a DHCP server failed health message. By staging DHCP configuration changes and waiting between steps, the cause of a failed DHCP server restart is isolated to the last change.
Additional information may be found by looking at the DHCP server log. The DHCP server log may be accessed by navigating to the Archives :: Logs view and then clicking on the DHCP sub menu option.
IP address conflicts
The IP address and MAC address of each and every device that communicates with the rXg is stored temporarily. This mechanism enables the rXg to detect when two or more nodes with different MAC addresses attempt to communicate with the rXg using the same IP. It also allows the rXg to detect when any node tries to use an IP configured on the rXg to communicate with the rXg itself.
It is extremely important for the rectify the situation that is causing the production of IP address conflict health notices. An IP address conflict between two end-user nodes often indicates that there is a loop in a network adjacent to the rXg. Furthermore, the rXg will not be able to communicate with all nodes on any adjacent network when a conflict between the IP address of the rXg and a node exists.
Packet Filter Failure
The rXg issues a packet filter failure health notice when the rXg cannot load the packet filter rule set that is generated from the policy enforcement configuration. This situation usually occurs due to operator error when configuring the policy to be enforced.
Policy enforcement changes should made in single steps. A map of all proposed policy enforcement changes should be created and each step executed with a several second delay between steps. By following this simple protocol, the operator is enabling the rXg to reload the packet filter rules between steps. If the packet filter rules fail to load, then the rXg will issue a packet filter failure health message. By staging policy enforcement configuration changes and waiting between steps, the cause of a packet filter failure is isolated to the last change.
Ping Target Not Responding
The rXg issues a ping target not responding health notice when an operator specified ping target does not respond to an ICMP ping message. Operator specified ping targets are configured on the Instruments :: Pings view.
The issuance of a ping target not responding health notice generally does not in any way reflect the health of the rXg itself. Instead, it can reflect the status of the node being targeted or the transit network.
When a ping target not responding message is issued, the operator should check on the status of the target node. If the target node is operational, then the failure notice is most likely due to a problem on the transit network. If the ping target is on the WAN (for example, if the ping target are public DNS servers), then the issuance of a ping target not responding message is an indication of a faulty uplink. Similarly, if the ping target is on the LAN, then the issuance of a ping target not responding health notice is an indication that there is a problem with the LAN distribution network.
Uplink Next Hop Router Not Responding
The rXg constantly monitors the status of the next hop router on all designated uplinks by sending ICMP ping requests. When the next hop router does not respond, the rXg assumes that the link is down. In a single uplink deployment scenario, this would mean that the entire network is down. In a multiple uplink scenario, the uplink associated with the router that does not respond will be removed from the pool of viable uplinks. The precise action that will be taken by the rXg is defined by the multiple uplink control records that have been configured.
The issuance of a uplink next hop router not responding health notice is an extremely critical issue that needs to be addressed by the operator immediately. Even if the uplink appears to come back on its own, a thorough investigation is warranted. Uplinks that periodically drop packets are faulty and will cause performance and reliability problems.
Reports
The network graphs, system graphs, radio metric graphs and accounting graphs views allow the operator to view and configure the rXg graphing mechanisms.
The rXg includes a fully feature graphing package that allows operators to generate graphs for a wide variety data that is collected and stored on the rXg persistent storage. The graphs are divided amongst four views: network graphs, system graphs, radio metric graphs and accounting graphs.
- Network graphs - Interface rates, packet counts, etc.
- System graphs - Global operating system and service data such as the number of simultaneous logins and the number of entries in the ARP table at any given time
- Radio metric graphs - Graphs built from telemetry information ingested from the wireless infrastructure
The network graphs view contains the graphs of interface rates, packet counts, etc. The system graphs view contains the graphs of global operating system and service data such as the number of simultaneous logins and the number of entries in the ARP table at any given time.
Network Graphs
The network graphs scaffold tells the rXg to generate a graph of the specified network statistics.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Four kinds of data are counted and saved for each network interface: traffic, packets, errors and discards. The unit field tells the graphing system which dataset which of these four to place on the graph.
The bits and bytes options both specify graphing of the traffic dataset with the respective unit. The packets option graphs the count of packets that transited the interface. It is important to use both traffic and packet counts for troubleshooting. Relying on a graph of the traffic or packets alone is an ineffective diagnostic strategy as Ethernet ports are just as easily overrun by a large number of small packets as they are by a small number of large packets.
The errors and discards options count the number of packets that were not processed. Packets that are dropped because of errors arrived at the Ethernet interface in an illegal state. The most common reason is a bad checksum due to a malformed packet. This indicates that there is a physical problem with the connection or a logical issue with the device at the other end of the connection. Well-formed packets that are dropped because of a problem on the rXg are logged as discards. A typical scenario where discards are recorded is when the buffer for the Ethernet interface is overflowing. Errors and discards are only valid for interfaces as this information is not stored for other entities.
The interfaces , PPPoEs , VLANs , queues , policies and accounts fields enable the operator to specify which entities for which to graph data stored data.
The function field tells the graphing system what to do when the pixel resolution is less than the data resolution. A choice of average will cause the graphing system to take the average of the data and plot the result. A choice of max will cause the graphing system to plot the maximum value amongst the data points.
The aggregate check box, when checked, tells the graphing system to add up multiple sources into a single line instead of a line for each source.
The time and image fields link this graph specification to a record in the time range and image configuration scaffolds respectively. The time range controls the span of the x-axis while the image configuration controls the drawing specifications.
When the dashboard check box is enabled, the graph specified by this record will be used in the instruments dashboard. Only one graph may be configured to be the instruments dashboard graph at any given time.
System Graphs
The system graphs scaffold tells the rXg to generate a graph of the specified network statistics.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The instrument field specifies the dataset to graph.
The function field tells the graphing system what to do when the pixel resolution is less than the data resolution. A choice of average will cause the graphing system to take the average of the data and plot the result. A choice of max will cause the graphing system to plot the maximum value amongst the data points.
The aggregate check box, when checked, tells the graphing system to add up multiple sources into a single line instead of a line for each source.
The time and image fields link this graph specification to a record in the time range and image configuration scaffolds respectively. The time range controls the span of the x-axis while the image configuration controls the drawing specifications.
When the dashboard check box is enabled, the graph specified by this record will be used in the instruments dashboard. Only one graph may be configured to be the instruments dashboard graph at any given time.
Radio Metric Graphs
The radio metric graphs view allows the operator to generate graphs based on telemetry information ingested from the wireless infrastructure. This data can be ingested using either GRPC streaming or MQTT. Telemetry is configured on a WLAN Controller. Radio metric graphs provide the operator with granular customizable views of data ingested directly from the network hardware over a specified period of time, empowering them to configure the network to be optimal for any use case.
- Optimize the network - see network throughput and latency to see where your network is struggling
- Grade the network - see real data about what users of the network are experiencing in a given time and location
- Prove the network is meeting requirements - provide documented proof that the network is or is not performing to standards set by SLAs and other agreements
Configuration
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold. The graph time determines what time period the graph will represent. There are default options available and custom time frames can be selected in the time ranges scaffold located directly below the radio metric graphs scaffold. The grouped by option selects what time interval the graph will be divided into, with the smaller the time resulting in more detailed graphs. The metric type and target fields tells the graphing system which set of collected data to use for generating the graph:
- Channel - What channel the radio was operating on for the selected frequency
- Client count - The number of clients connected
- Latency - The latency of the infrastructure
- Rate - The data rate on the network
- RRM - Channel utilization and noise floor statistics
- RSSI - Received signal strength statistics
- SNR - Signal to noise ratio average
- Transfer - The amount of data transferred over the network
The sources tell the graphing system which devices to pull data from to generate the graph. Sources can be individual access point radios, individual access points, or location areas.
Sample Configurations
To begin creating a radio metric graph click the Create New button above the scaffold.
Client Count Graph
This client count graph builds a graph showing the number of clients connected to each of a group of individually selected access points. The information will be presented from information from the last 24 hours and the data will be broken down by the second.
Channel Utilization Graph
This channel utilization graph will show the amount of time a channel is utilized in all of the access points in the location area Lab Access Points over the last 24 hours with the data broken down into one minute samples.
Time Ranges
Entries in the time ranges scaffold define spans of time for creating network graphs and system graphs. Graphs are linked to entries in this scaffold to determine the span of time that will be graphed on the x-axis.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
Custom Reports
In addition to the graphs available in the reporting section, Custom Reports allows for the creation of text reports that may be exported to the Excel , CSV , or XML formats.
Entries in the time ranges scaffold define spans of time for creating network graphs and system graphs. Graphs are linked to entries in this scaffold to determine the span of time that will be graphed on the x-axis.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The type field specifies the template used to generate the report. Templates are instances of the CustomReport ruby class, and new ones may be added, as well as the existing of the x-axis while the image configuration controls the drawing specifications.
The time field links this graph specification to a record in the time range scaffold. The time range controls the span of time used to filter the data.
Admin Logs
The admin logs scaffold provides a detailed history of operator changes to the rXg. By utilizing unique administrator usernames for each operator, non-repudiation is achieved. The length of history can be adjusted in the System::Options scaffold.
Admin Logs
The time column displays the time the associated action took place.
The entry column displays a brief description of the action.
The admin column displays the login of the administrator that performed the action.
The IP column displays the IP associated with the administrative login session.
The scaffold column displays which scaffold in the administrative GUI was modified.
The action column describes what type of action was taken.
The record label column displays a specific entry in a scaffold that was created, modified, or destroyed.
Connection Logs
The connection logs scaffold provides a historical log of every connection that crosses between the LAN and the WAN. All Connections, including but not limited to, every HTTP(S) transaction, every SSH session, every video stream, etc., is recorded in the connection logs. The connection log is a powerful resource from which the rXg acquires complete cognizance over the end-user population. Data within the connection logs is tied to connection triggers, enabling total control.
Connection Logs
The expired column shows a timestamp of the end of the associated connection.
The initiated column shows a timestamp of the start of the associated connection.
The duration column shows the length of time the associated connection was open.
The source , port , and MAC columns display the originating source IP address, MAC address, and TCP/UDP port of the associated connection.
The login , session , and account columns displays layer 5+ source identification of the associated connection.
The destination , and port columns display the destination IP address, and TCP/UDP ports of the associated connection.
The NAT , and port columns display the WAN IP address and translated port used for the associated connection.
The proto column displays layer 4 protocol information for the associated connection.
The application column displays operator definable application information for the associated connection.
The download , upload , pkts down , and pkts up columns display the amount of data transferred in both bytes, and packets for the associated connection.
DHCP and DNS Logs
The DHCP and DNS Logs view is an archive of all expired leases that have been issued by the rXg integrated DHCP server.
DHCP leases are issued by the rXg integrated DHCP server based on the configuration specified by the network operator. End-users that make DHCP requests are issued IPs from pools that intersect the subnet ranges of configured addresses that are associated with the interfaces from which the end-user is connected to. Once an IP is issued to an edn-user, the DHCP server records that there is a lease on that IP. When the lease expires, the an entry is made into the expired DHCP leases scaffold and the IP address is ready to be leased to an end-user again.
Expired DHCP Leases
The issued field is the timestamp recorded when the DHCP lease was originally issued.
The expired field is the timestamp recorded when the DHCP lease expired and the IP has been reclaimed.
The IP field stores the IP address that was leased to the end-user.
The MAC and Hostname fields are the data items recorded that identify the end-user.
The pool field relates this record to the DHCP pool from which the IP was drawn when the lease was issued.
Portal Archives
The portal archives view presents scaffolds that display database records that are created when certain captive portal end-user events occur.
Login Sessions
The login sessions scaffold enables the operator to view a log of all the login sessions that have expired.
The login and logout fields contain the timestamps for when the login session was initiated and when it expired.
The username field stores the login of the user that initiated the login session.
The IP and MAC fields store the IP address and MAC address of the machine from which the end-user logged in.
The online , U/L and D/L fields stores the utilization of the end-user during this login session. Note that these values only account for what is used during this single login session. In environments where accounts are created and automatic login is enabled, end-users may create more than one login sessions over the period of time during which they have Internet access.
The reason field stores information regarding the cause of login session termination. This field helps the operator understand why a login session ends. The following reasons are considered normal termination of login sessions in a zero operator intervention environment:
User-RequestThe end-user clicked on the logout or end session link in their browser when surfing the rXg captive portal.Session-TimeoutThe session reached the maximum allowed time. For example, if the end-user purchased a 3 day plan, the 3 days have elapsed and thus the rXg automatically deleted the end-user session. Another example would be where the end-user is logged in via shared credential group that sets a 1 hour session time limit and 1 hour has elapsed.Quota-ExceededThe end-user device has consumed all of the available quota in the session. For example, if the end-user purchased a 5 GB quota plan and more than 5 GB have been transferred. Another example, the end-user is logged in via a shared credential group that sets a 256 MB maximum transfer and the end-user device transfers more than 256 MB of data.Sessions-ExceededThe end-user exceeded the configured maximum number of login sessions.Recurring-BillThe account has recurring billing enabled and the recurrence interval has been met. For example, if the account is set to monthly recurring billing and 1 month has elapsed since the account was first used. Idle-TimeoutThe end-user device has been idle (no traffic to or from the IP) for at least the amount of time that is configured in the idle timeout setting of the corresponding landing portal.Account-IP-Changed/Device-IP-ChangedThe account or device has come onto the network with a different IP address. This may happen if the DHCP lease for the end-user device has expired and the DHCP server issues a new lease with a different IP address.IP-ReclaimedA different end-user has come onto the network with the IP address associated with this login session and end-user. This may happen if the end-user device leaves the network and the rXg DHCP server assigns the IP address to a different end-user device. The following reasons may be encountered in the login session log during normal rXg operation and are a result of direct operator action: Admin-ResetThe operator manually deleted the login session using the Instruments :: Sessions view.Account-SuspendedThe operator manually deactivated the account by editing the account record. The following reasons are generally indicative of a misconfiguration or of malicious activity on the network: MAC-MismatchThe MAC address of a logged in session changed. This may occur if an end-user or other party deliberately attempts to steal a login session using a second device. For example, if the end-user logs in via a laptop, then shuts down their laptop and statically configures their phone to use the same IP address in an attempt to obtain Internet access for their phone without buying a plan. MAC-Mismatches may also result if the MAC <=> IP mapping network option is set incorrectly or if there is a conflict between the DHCP lease table and the ARP table when both the DHCP lease table and ARP table are both being considered for the MAC <=> IP mapping.
Survey Results
The rXg captive portal includes an end-user survey capability that allows operators to collect arbitrary data from end-users. The results from the end-user surveys are collected and stored in the rXg database. The operator accesses the collected survey data through the survey results scaffold.
The submitted field stores the time stamp of when the survey was collected. This is typically concurrent with the a login event.
The account , shared credential , RADIUS and LDAP fields store the login information that was provided when the survey was submitted. Exactly one of these fields should be populated as it is not possible to login with two sets of credentials.
The session field stores a reference to the IP session that was created when the login was processed.
The answers field stores the questions and answers that the were part of the survey taken and submitted by the end-user. Clicking on the list of answers opens a nested scaffold that displays questions and answers in a tabular format.
Redeemed Coupons
The redeemed coupons scaffold is an archive of all coupons that have been redeemed by end-users.
Coupons are redeemed via the captive portal web application. A successful coupon redemption results in the account being given the credit or access to the usage plan specified in the coupon. In addition, the redeemed coupon is removed from the pool of available coupons and an entry made into the redeemed coupons scaffold.
The redeemed field is the timestamp recorded when the coupon redemption.
The code , batch , credit , usage plan and expires fields contain copies of the data from the coupon that was redeemed.
The account field stores the login of the end-user that redeemed the coupon.
The same coupon code made be present multiple times in the redeemed coupon archive. Once a coupon is redeemed, the code is available and may be chosen by the coupon generator. Thus the same code may be allocated to different coupons at different times. The only stipulation is that the same code is never used for two active coupons at the same time.
The list in redeemed coupons combined with the list of coupons does not represent the set of all coupons that were ever present on the rXg. Coupons that are manually deleted by administrators as well as those that are automatically deleted by the rXg coupon expiration mechanism are not tracked.
Queue Logs
The queue logs scaffold provides a historical log of the bandwith queuing mechanism built in to the rXg.
Queue Logs
The sampled column shows a timestamp of the start of the associated connection.
The bytes , pkts , and direction columns display the amount of data transfered, and whether it was uploaded or downloaded, for the associated connection.
The IP , and MAC columns display layer 2 and 3 source information for the associated connection.
The login , session , account , IP group , account group , MAC Group , shared credential group , RADIUS group , and LDAP group columns display the layer 5+ source information for the associated connection.
The policy column displays the policy matched to the associated connection.
The bandwidth queue column displays the name of the operator-defined queue used for the associated connection.
The uplink column displays the uplink record that was utilized for the associated connection.
The interface , and VLAN columns display the originating LAN for the associated connection.
RADIUS Server Logs
The RADIUS server logs view presents an archive of all RADIUS requests that have been made to the rXg integrated RADIUS server.
The rXg integrated RADIUS server enables operators to expose the local user database for use with RADIUS NAS devices. An entry is made into the RADIUS server logs scaffold whenever a RADIUS NAS makes a successful RADIUS accounting request to the rXg integrated RADIUS server.
RADIUS Server Logs
The received field is the timestamp marking when the RADIUS accounting request was received by the RADIUS server.
The account field relates this accounting request to a account record in the accounts scaffold.
The Acct-Session-Id , Acct-Session-Time , Acct-Session-Id , Acct-Status-Type , Event-Timestamp , and other attributes beginning with Acct- are RADIUS accounting attributes. The possible values and meaning of these attributes are defined by RADIUS Accounting RFC 2139 and RADIUS Extensions RFC 2869.
The class , Framed-IP-Address , NAS-Identifier , NAS-IP-Address , NAS-Port , NAS-Port-Type and other key/value pairs listed are RADIUS attributes. The possible values are meaning of these attributes are defined by RADIUS RFC 2865. When the requesting RADIUS NAS is an rXg, the class attribute is used to pass the group and policy association information which enables differentiated service.
The raw attributes field contains a dump of the unprocessed RADIUS accounting request. This field is useful when troubleshooting problematic RADIUS server to RADIUS NAS connectivity, and may contain key/value pairs for some attributes not listed above.
Triggered Events
The triggered events scaffold stores a log of every event trigger that occurred on the rXg.
Triggered Event Logs
The triggered field stores the time stamp of when the event was triggered.
The IP , MAC , account fields store the identity of the end-user that triggered the event.
The trigger type and trigger name fields store the kind and identifier of the event trigger that occurred.
The reason field specifies a description of why the event trigger fired.
Web Proxy Requests
The web proxy requests view displays data collected by the rXg integrated transparent web proxy. Each and every web request that transits the rXg is logged into the rXg database. This enables the operator to have complete cognizance over the end-user population.
The rXg transparent web proxy must be enabled in order for the web proxy requests to be logged. The rXg transparent web proxy is configured through the persistent caching view of the policies menu. The operator may choose to enable the transparent web cache for only the subset of the end-user population for which deep cognizance is desired.
At the top of the web proxy requests view is a summary report.
Direct access to data is available through a scaffold at the bottom of the view.
The operator may also generate reports for activity by account , IP address or MAC address by using the action links found at the right side of the various scaffolds throughout the administrative console.
In the example above, the operator has accessed a web proxy requests report through the ARP view of the instruments menu. Similar reports may be generated through the scaffolds on the policies , accounts , sessions and DHCP views.
Logs
The logs view enables the operator to delve into the log files generated by the daemons that underly the rXg.
Numerous software modules are utilized to implement many of the features present in the rXg. During the course of normal operations, the software modules generate information which is stored in log files unique to the software module. The logs view enables the operator to browser through the log files for diagnostic purposes.
Log files tend to contain a large amount of data and become unwieldy after a while. The rXg rotates the log files periodically to mitigate size issue. As a result, the logs view contains several navigation mechanisms that assist the operator with browsing the available log files.
The menu near the top lists the names of the software modules. When a module name is clicked, the logs for the named module are brought into focus in the main dialog below. The name that is highlighted in red indicates the current module that is in focus.
The following logs are available:
Admin ConsoleA log of all actions that have been executed on the rXg administrative console along with the name of the administrator that executed the action and the IP address from which the request originated.Proxy HitsThe web proxy logs all request hits here. Proxy ServerThe web proxy logs global information and errors here. DHCP ClientInformation regarding the WAN links that obtain configuration via DHCP is logged here.DHCP ServerThe DHCP server logs global information and errors here. DNS ServerThe DNS server logs global information and errors here. DPI EngineThe deep packet inspection engine logs global information and errors here. Display MessagesOperating system kernel display messages are logged here.Dynamic DNSInformation regarding dynamic DNS servers via DHCP is logged here.HTTP (SSL)The web multiplexer that accepts HTTPS requests for the portal and console writes an entry for all requests in this log.HTTP (dev)The rails servers log here when in development mode. HTTP (prod)The rails servers log here when in production mode. IPsecThe IPsec engine logs connection information and errors here. HTML RewriteThe HTML payload rewriting engine logs information here.PPP(oE)Information about WAN uplinks that are configured for PPPoE is logged here.RADIUS ServerThe RADIUS server logs global information and errors information here.SNMP ServerThe SNMP server logs global information and errors information here.Signature MatchesThe deep packet inspection engine logs matches to configured rules here. System LogThe operating system logs errors and diagnostic information here.rXgThe rXg backend daemon logs diagnostic information and errors here.
At the top of the main dialog is a series of numbers that follow the file label. These numbers represent the various log files that are present on the filesystem for the module chosen in the menu above. The file number 1 represents the current log file that the software module is writing to. The largest number represents the oldest log file that is still present on the rXg filesystem. The number in bold is the log file that is currently in focus.
The rXg periodically rotates the files and deletes the oldest one. The rotation policy depends on the software module. Most logs are rotated daily though some are rotated based on the size of the file. The rXg keeps at least a few rotations worth of log files on the filesystem at any given time to aid in troubleshooting.
Many log files are thousands of lines long to it would be impractical to load entire log files into the browser. The main dialog displays on a slice of the log file chosen above. A series of numbers that follow the page label appear at the bottom of the main dialog that enables the operator to change the focus to a difference slice within the file. Smaller numbers represent slices at the top of the file while large numbers represent slices closer to the bottom. The number in bold represents the current slice of the log file.
At the bottom of the dialog there is a small textfield that allows the operator to enter the number of lines of this log that are desired for the archives dashboard. If the value is zero, then this log will be omitted from the dashboard. It is recommended that no more than five logs with five rows each be placed on the archives dashboard.
Instruments
Instruments provides the operator of the rXg with real time data, such as DHCP, Device sessions, throughput etc.
Instruments Dashboard
The Instruments Dashboard provides the operator with information relating to the current throughput of the WAN, Top Connection and Data Consumers, as well as current number of sessions. It also provides the operator with information about the current status of DHCP pools and vlans.
MAC DHCP DNS
The MAC-DHCP-DNS scaffold allows the operator of the rXg to quickly find/search information about the current MAC Entries, DHCP Leases, and DNS Cache Records. It also provides the operator the status of the DHCP shared Network Stats, and the satus of the configured DHCP Pools.
MAC Entries
MAC Entires displays the IP address, MAC address, and Vendor of devices connected to the rXg. It also provides information regarding when the entry will expire, as well as the Ethernet or VLAN the entry is tied to.
DHCP Leases
DHCP Leases provides the operator of the rXg device a list of the current DHCP leases that have been assigned to client devices. Provides when the lease was issued, when the lease will expire, the IP that was assigned, the MAC address, Vendor, and Hostname of the device. It also includes the Network the DHCP lease belongs to, as well as the Pool, Ethernet or VLAN. Fixed Host provides the operator the ability to quickly create a fixed host for the device. It should be noted that any address assigned to a fixed host should fall outside the range of any configured DHCP pool.
DNS Cache Records
The DNS Cache Records provides the operator with the current entries in the DNS Cache Records.
DHCP Shared Network Stats
DHCP Shared Network Stats shows the stats for each network which includes the Max clients , the number of Used clients , Free clients remaining, and which interface/VLAN the network is on.
DHCP Pool Stats
The DHCP Pool Stats provides the operator of the rXg with the current stats of each DHCP Pool, such as Max Leases , the current number of Used leases , and the nunber of Free leases remaining in each pool.
Connection States
Connection States
The Connection States table provides the operator with a list of the current connection states on the rXg.
Device Sessions
Login Sessions
The Login Sessions table displays the current login sessions. Login displays the username/credential that was provided at login. Account displays the account that username/credential is associated with. IP displays the IP address of the device. MAC displays the MAC address of the device. Hostname will display the hostname of the device if known. Agent will show the agent that was used to login if known. Expires displays when the login session will expire. Online displays how long the device has been online since the login sessions was created. Download and Upload displays the amount of data the device has download and uploaded since the login session was created. Social Profile will display the social profile used to login, for example if Facebook was used to authenticate the login session. Radius Realm displays the RADIUS Realm if any that was used to authorize the device access. LDAP Domain displays the LDAP Domain used if any to authorize the device. Shared Credential Group displays the shared credential group the device belongs to if a shared credential was used as the login mechanism. RADIUS Server Realm displays the RADIUS server realm if any that the device matched during the login process. The Backend field displays the time in seconds it took for the rXg to create the login session.
IP Sessions
The IP Sessions table displays the current IP sessions of devices currently connected to the rXg. The IP field displays the IP address of the session. Created displays the timestamp of when the sessions was created. The Updated field displays the timestamp of the last update on the IP session. Online displays the total lifetime of the session. The Idle field displays the amount of time the IP session has been idle if any.
Interface Assignments
VLAN Tag Assignments
The VLAN Tag Assignments table lists information about each VLAN tag that has been assigned. Assigned field displays when the VLAN Tag Assignment was created. Last seen is the timestamp from when the device was last seen on the network. MAC lists the MAC address of the device. VLAN displays the name of the VLAN or VLAN pool the assignment is from. #VTAs/Tag is the number of devices that have been assigned to that Tag. I-SID shows the I-SID of the vlan if applicable. The Account field displays the account the VLAN Tag Assignment is assigned to. Group displays the group the device belongs to. Party displays the Lan Party the vlan tag belongs to. Room displays the room the VTA is associated with if applicable. Guest displays the name of the guest if applicable. Realm displays the Radius realm that assigned the VLAN Tag Assignment. Called-Station MAC will display the MAC of the AP if used to match the device in the Radius Realm. #Tags/CS displays the number of vlan tags that have been assigned to the AP or switch. Switch Port displays the specific switch port the VTA is assigned to if applicable. Access Point displays the the access point the VTA is specifically assigned to if applicable. Static displays if the VTA has been statically assigned or if it is dynamic, checked being statically assigned.
Uplink Assignments
The Uplink Assignments table displays information that shows the uplink assignment of devices connected to the network if a Link Control has been configured. The IP field displays the IP address of the device. MAC displays the MAC address of the device. Hostname displays the hostname of the device if available. Session displays the current login session of the device. Account displays the account the device belongs to if applicable. Uplink displays the name of the uplink the device has been assigned to. Link Control displays the link control rule that assigned the devices uplink assignment. Policy displays the policy the device belongs to.
NAT Assignments
NAT Assignments
The NAT Assignments table lists the NAT IP address assiged to each device. Assigned is when the NAT assignment was created. IP is the LAN address of the device. NAT IP is the public NAT IP address. MAC is the MAC address of the device. Hostname is the hostname of the device if available. Session is the login session of the device. Account is the account the device belongs to. Network is the LAN network the device is on. Route will list any routes assigned to the device if applicable. Uplink lists the uplink the NAT IP belongs to. If the BiNAT box is checked a BiNAT IP address has been assinged specifically to the device. Pool will list which BiNAT pool the NAT IP belongs to if applicable. Static lists if the device has been assiged a specific NAT IP address. Seen lists the last time the device was seen on the network. Expires is the time the NAT assignment will expire if applicable.
The NAT Pool Stats table lists the current state of the configured NAT Pools. Uplink displays the name of the uplink the pool belongs to. Usable shows the number of IP addresses available for CGNAT. Assigned lists the number of devices assigned to the pool
The BiNAT Pool Stats table lists the current state of any configured BiNAT pools. Uplink lists the uplink the IP addresses of the BiNAT pool belong to. Pool displays the name of the BiNAT pool. Usable lists the number of usable IP addresses in the pool. Assigned displays the number of addresses that have been assigned in the pool. Available displays the remaining number of IP's that are available to be assigned for BiNAT.
Network Monitor
The Network Monitor scaffold displays information regarding the status of AP's, along with channel information for both 2.4ghz and 5ghz. The operator is also able to see that status of any Ping Targets configured, SNMP Trap messages, along with Health Notices.
The above pie chart displays information on the % of AP's that are online/offline, the channels used for 2.4ghz/5ghz and what percentage of AP's are on each channel.
Wireless Clients
The Wireless Clients scaffold displays the current devices connected to the wireless network. The IP field displays the client devices IP address. The MAC field displays the MAC address of the client device. The Hostname field displays the hostname of the device if known. The Login Session field displays the current login session for the device which is the account name followed by the devices IP address. The Account field displays the account the client device is attached to. The Device OS field will dispaly the OS of the client device if known. The VLAN field displays the VLAN pool the VTA assigned to the device comes from, if applicable. The Tag field displays the VLAN that is assigned to the client device. The TX rate and RX rate fields displays the transmist and recieve rate for the client device. The Channel field displays the wireless channel of the AP the client device is connected to. The Access Point field displays the AP the client device is connected to. The WLAN field displays the SSID the client device is connected to. The Controller field displays the wireless infrastructure device that is managing the AP the client device is connected to. The Status field displays the status of the client device. The SNR is the difference between the received wireless signal and the noise floor. The RSSI field is a measurement of how well the device can hear a signal from the AP, closer to 0 being better. The Download and Upload fields display the ammount of data that the client device has download/uploaded during the current login session.
Wired Clients
The Wired Clients scaffold displays the current devices connected on the wired infrastructure. The IP field displays the client devices IP address. The MAC field displays the MAC address of the client device. The Hostname field displays the hostname of the device if known. The Login Session field displays the current login session for the device which is the account name followed by the devices IP address. The Account field displays the account the client device is attached to. The VLAN field displays the VLAN pool the VTA assigned to the device comes from, if applicable. The Tag field displays the VLAN that is assigned to the client device. the Port field displays the phisical port the device the device is connected to, while the Switch scaffold displays the name of the switch as configured in the Network::Wired infrastucture device. The Link Speed field displays the speed the link has.
Ping Targets
The ping targets scaffold configures the third-party ping targets that are used to determine uplink availability. Each uplink should have more than one ping target associated with it in order to properly determine uplink health.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The target is the IP address of the device that is to be sent an ICMP ping.
The timeout is the number of seconds that the rXg will wait for a response from the target to an ICMP ping request.
The attempts is the number of times an ICMP ping will be tried before the ping target is considered to be down.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Speed Tests
Speed Tests allow the operator to setup period speedtest to monitor the speed of a specific uplink, as well as speedtests from different points of the network, via an internet based speedtest and also using iperf3 to monitor the local network infrastructure. The Name field displays the name of the speedtest. The Type field displays the type of speedtest being run, speedtest.net or iperf3. The Passing field displays if the test was a success or failure. The Last result field will display the last test that was run, if it passed and the speeds of the test. The Thresholds field displays the conditions that need to be met in order the test to be deemed a success. The Schedule field displays how often the test is performed. The Last Checked field displays the date and time of the last check, while the Next check field displays the date and time of the next check. The Uplinks field displays the uplinks that the test was run against. The Location Areas field displays any location areas that were selected to run the test from.
Speed Test Results
The Speed Test Results scaffold gives the operator a history of speed tests results. The Initiated field displays the date and time the test was performed. The Passed field displays if the test passed or failed. The Type field displays the type of test performed. The Source field displays the IP address that was used at the time the test ran. The Destination field shows the server that the test ran against. The Download and Upload fields display the results of the test. The Speed Test field displays the name of the Speed Test that was run. The Uplink field will display the uplink that was used for the test if applicable. The Source Device field will display the device that was used for the test if applicable. The Access Point field displays the AP used for the test if applicable.
SNMP Traps
The SNMP Trap table will display information relating to SNMP messages captured by the rXg.
MAC DHCP DNS
The MAC-DHCP-DNS scaffold allows the operator of the rXg to quickly find/search information about the current MAC Entries, DHCP Leases, and DNS Cache Records. It also provides the operator the status of the DHCP shared Network Stats, and the satus of the configured DHCP Pools.
MAC Entries
MAC Entires displays the IP address, MAC address, and Vendor of devices connected to the rXg. It also provides information regarding when the entry will expire, as well as the Ethernet or VLAN the entry is tied to.
DHCP Leases
DHCP Leases provides the operator of the rXg device a list of the current DHCP leases that have been assigned to client devices. Provides when the lease was issued, when the lease will expire, the IP that was assigned, the MAC address, Vendor, and Hostname of the device. It also includes the Network the DHCP lease belongs to, as well as the Pool, Ethernet or VLAN. Fixed Host provides the operator the ability to quickly create a fixed host for the device. It should be noted that any address assigned to a fixed host should fall outside the range of any configured DHCP pool.
DNS Cache Records
The DNS Cache Records provides the operator with the current entries in the DNS Cache Records.
DHCP Shared Network Stats
DHCP Shared Network Stats shows the stats for each network which includes the Max clients , the number of Used clients , Free clients remaining, and which interface/VLAN the network is on.
DHCP Pool Stats
The DHCP Pool Stats provides the operator of the rXg with the current stats of each DHCP Pool, such as Max Leases , the current number of Used leases , and the nunber of Free leases remaining in each pool.
Connection States
Connection States
The Connection States table provides the operator with a list of the current connection states on the rXg.
Device Sessions
Login Sessions
The Login Sessions table displays the current login sessions. Login displays the username/credential that was provided at login. Account displays the account that username/credential is associated with. IP displays the IP address of the device. MAC displays the MAC address of the device. Hostname will display the hostname of the device if known. Agent will show the agent that was used to login if known. Expires displays when the login session will expire. Online displays how long the device has been online since the login sessions was created. Download and Upload displays the amount of data the device has download and uploaded since the login session was created. Social Profile will display the social profile used to login, for example if Facebook was used to authenticate the login session. Radius Realm displays the RADIUS Realm if any that was used to authorize the device access. LDAP Domain displays the LDAP Domain used if any to authorize the device. Shared Credential Group displays the shared credential group the device belongs to if a shared credential was used as the login mechanism. RADIUS Server Realm displays the RADIUS server realm if any that the device matched during the login process. The Backend field displays the time in seconds it took for the rXg to create the login session.
IP Sessions
The IP Sessions table displays the current IP sessions of devices currently connected to the rXg. The IP field displays the IP address of the session. Created displays the timestamp of when the sessions was created. The Updated field displays the timestamp of the last update on the IP session. Online displays the total lifetime of the session. The Idle field displays the amount of time the IP session has been idle if any.
Interface Assignments
VLAN Tag Assignments
The VLAN Tag Assignments table lists information about each VLAN tag that has been assigned. Assigned field displays when the VLAN Tag Assignment was created. Last seen is the timestamp from when the device was last seen on the network. MAC lists the MAC address of the device. VLAN displays the name of the VLAN or VLAN pool the assignment is from. #VTAs/Tag is the number of devices that have been assigned to that Tag. I-SID shows the I-SID of the vlan if applicable. The Account field displays the account the VLAN Tag Assignment is assigned to. Group displays the group the device belongs to. Party displays the Lan Party the vlan tag belongs to. Room displays the room the VTA is associated with if applicable. Guest displays the name of the guest if applicable. Realm displays the Radius realm that assigned the VLAN Tag Assignment. Called-Station MAC will display the MAC of the AP if used to match the device in the Radius Realm. #Tags/CS displays the number of vlan tags that have been assigned to the AP or switch. Switch Port displays the specific switch port the VTA is assigned to if applicable. Access Point displays the the access point the VTA is specifically assigned to if applicable. Static displays if the VTA has been statically assigned or if it is dynamic, checked being statically assigned.
Uplink Assignments
The Uplink Assignments table displays information that shows the uplink assignment of devices connected to the network if a Link Control has been configured. The IP field displays the IP address of the device. MAC displays the MAC address of the device. Hostname displays the hostname of the device if available. Session displays the current login session of the device. Account displays the account the device belongs to if applicable. Uplink displays the name of the uplink the device has been assigned to. Link Control displays the link control rule that assigned the devices uplink assignment. Policy displays the policy the device belongs to.
NAT Assignments
NAT Assignments
The NAT Assignments table lists the NAT IP address assiged to each device. Assigned is when the NAT assignment was created. IP is the LAN address of the device. NAT IP is the public NAT IP address. MAC is the MAC address of the device. Hostname is the hostname of the device if available. Session is the login session of the device. Account is the account the device belongs to. Network is the LAN network the device is on. Route will list any routes assigned to the device if applicable. Uplink lists the uplink the NAT IP belongs to. If the BiNAT box is checked a BiNAT IP address has been assinged specifically to the device. Pool will list which BiNAT pool the NAT IP belongs to if applicable. Static lists if the device has been assiged a specific NAT IP address. Seen lists the last time the device was seen on the network. Expires is the time the NAT assignment will expire if applicable.
The NAT Pool Stats table lists the current state of the configured NAT Pools. Uplink displays the name of the uplink the pool belongs to. Usable shows the number of IP addresses available for CGNAT. Assigned lists the number of devices assigned to the pool
The BiNAT Pool Stats table lists the current state of any configured BiNAT pools. Uplink lists the uplink the IP addresses of the BiNAT pool belong to. Pool displays the name of the BiNAT pool. Usable lists the number of usable IP addresses in the pool. Assigned displays the number of addresses that have been assigned in the pool. Available displays the remaining number of IP's that are available to be assigned for BiNAT.
Network Monitor
The Network Monitor scaffold displays information regarding the status of AP's, along with channel information for both 2.4ghz and 5ghz. The operator is also able to see that status of any Ping Targets configured, SNMP Trap messages, along with Health Notices.
The above pie chart displays information on the % of AP's that are online/offline, the channels used for 2.4ghz/5ghz and what percentage of AP's are on each channel.
Wireless Clients
The Wireless Clients scaffold displays the current devices connected to the wireless network. The IP field displays the client devices IP address. The MAC field displays the MAC address of the client device. The Hostname field displays the hostname of the device if known. The Login Session field displays the current login session for the device which is the account name followed by the devices IP address. The Account field displays the account the client device is attached to. The Device OS field will dispaly the OS of the client device if known. The VLAN field displays the VLAN pool the VTA assigned to the device comes from, if applicable. The Tag field displays the VLAN that is assigned to the client device. The TX rate and RX rate fields displays the transmist and recieve rate for the client device. The Channel field displays the wireless channel of the AP the client device is connected to. The Access Point field displays the AP the client device is connected to. The WLAN field displays the SSID the client device is connected to. The Controller field displays the wireless infrastructure device that is managing the AP the client device is connected to. The Status field displays the status of the client device. The SNR is the difference between the received wireless signal and the noise floor. The RSSI field is a measurement of how well the device can hear a signal from the AP, closer to 0 being better. The Download and Upload fields display the ammount of data that the client device has download/uploaded during the current login session.
Wired Clients
The Wired Clients scaffold displays the current devices connected on the wired infrastructure. The IP field displays the client devices IP address. The MAC field displays the MAC address of the client device. The Hostname field displays the hostname of the device if known. The Login Session field displays the current login session for the device which is the account name followed by the devices IP address. The Account field displays the account the client device is attached to. The VLAN field displays the VLAN pool the VTA assigned to the device comes from, if applicable. The Tag field displays the VLAN that is assigned to the client device. the Port field displays the phisical port the device the device is connected to, while the Switch scaffold displays the name of the switch as configured in the Network::Wired infrastucture device. The Link Speed field displays the speed the link has.
Ping Targets
The ping targets scaffold configures the third-party ping targets that are used to determine uplink availability. Each uplink should have more than one ping target associated with it in order to properly determine uplink health.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The target is the IP address of the device that is to be sent an ICMP ping.
The timeout is the number of seconds that the rXg will wait for a response from the target to an ICMP ping request.
The attempts is the number of times an ICMP ping will be tried before the ping target is considered to be down.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Speed Tests
Speed Tests allow the operator to setup period speedtest to monitor the speed of a specific uplink, as well as speedtests from different points of the network, via an internet based speedtest and also using iperf3 to monitor the local network infrastructure. The Name field displays the name of the speedtest. The Type field displays the type of speedtest being run, speedtest.net or iperf3. The Passing field displays if the test was a success or failure. The Last result field will display the last test that was run, if it passed and the speeds of the test. The Thresholds field displays the conditions that need to be met in order the test to be deemed a success. The Schedule field displays how often the test is performed. The Last Checked field displays the date and time of the last check, while the Next check field displays the date and time of the next check. The Uplinks field displays the uplinks that the test was run against. The Location Areas field displays any location areas that were selected to run the test from.
Speed Test Results
The Speed Test Results scaffold gives the operator a history of speed tests results. The Initiated field displays the date and time the test was performed. The Passed field displays if the test passed or failed. The Type field displays the type of test performed. The Source field displays the IP address that was used at the time the test ran. The Destination field shows the server that the test ran against. The Download and Upload fields display the results of the test. The Speed Test field displays the name of the Speed Test that was run. The Uplink field will display the uplink that was used for the test if applicable. The Source Device field will display the device that was used for the test if applicable. The Access Point field displays the AP used for the test if applicable.
SNMP Traps
The SNMP Trap table will display information relating to SNMP messages captured by the rXg.
Installation
The rXg may be installed on bare metal or in virutalization platforms including, but not limited to, VMware ESXi, Microsoft Hyper-V and Linux QEMU.
Installation on VMware ESXi
Step 1: Set up switches
The rXg is a router, and thus it requires separate network segments for the WAN and LAN. A default VMware ESXI installation includes a single virtual switch. Youll need to edit the existing switch as well as create a second virtual switch.
Navigate to the networking settings and edit the default switch.
Click Actions >> Edit Settings and enable all the options under the security setting. This allows DHCP to pass.
Create a second virtual switch and enable all the options under the security setting as you did before.
It is also possible to use the command line to easily create an arbitrary number of virtual switches. This is typically done to create a large number of isolated L2 segments within a single hypervisor. The command to create a single virtual switch on the ESXi CLI is:
esxcli network vswitch standard add -v VS_NAME
Here is a script that you can run on ESXi to create an arbitrary number of virtual switches:
if ["$#" -ne 1]; then max=8; else max=$1; fi
for i in `seq 0 $max`
do
n=`printf "%02d\n" $i`
esxcli network vswitch standard add -v isol_$n
done
Step 2: Create port groups
You need to create port groups for the LAN and WAN. Navigate to the port groups tab and create the WAN port group.
Attach the WAN port group to your desired switch attached to the interface. Repeat this for the LAN, attaching it to the other switch. You must set the VLAN ID of this port group to 4095 in order to enable it as a trunk port.
It is also possible to use the command line to easily create an arbitrary number of virtual switches. This is typically done to create a large number of isolated L2 segments within a single hypervisor. The command to create a single virtual switch on the ESXi CLI is:
esxcli network vswitch standard portgroup add -v VS_NAME -p VS_NAME_trunk
esxcli network vswitch standard portgroup set -p VS_NAME_trunk --vlan-id 4095
Here is a script that you can run on ESXi to create an arbitrary number of port groups:
if ["$#" -ne 1]; then max=8; else max=$1; fi
for i in `seq 0 $max`
do
n=`printf "%02d\n" $i`
esxcli network vswitch standard portgroup add -v isol_$n -p isol_$n_tnk
esxcli network vswitch standard portgroup set -p isol_$n_tnk --vlan-id 4095
done
Step 3: Prepare the storage subsystem
Navigate to the storage settings and select New datastore.
Format your new datastore as VMFS.
Name your datastore and click through to Finish.
Step 4: Upload the rXg ISO to the ESXI datastore using the browser.
Click on the name of the datastore and Datastore browser.
Find Upload
This may take a few minutes to complete. Select the uploaded file and close.
Step 5: Create the rXg virtual machine.
Select Virtual Machines from the menu on the left, and then Create / Register VM.
The guide will pop up on the screen. Select Next to move to Step 2: Select a name and guest OS. Choose Other as the Guest OS family and FreeBSD 13 (64-bit) for the Guest OS Version.
Click on Next two times.
In Step 4: Customize Settings, youll need to configure the CPU, RAM and disk settings based on the values required for this installation.
Add at least one more network adapter. In this example we have added three additional network adapters.
We use the VMX net 3 adapter type. Be careful to attach the network adapters to the appropriate port groups.
Finally, attach the rXg ISO file to the CDROM.
Click Next and Finish.
Select your newly created virtual machine and power on to start the installation.
Installation will begin. Hit enter to proceed past the prompt.
The installation will take a few minutes to complete. Once the installation is complete, power down the virtual machine.
Step 6: Edit the settings of the virtual machine
Click on Edit and use the VM options tab.
Select Advanced and Edit Configuration. Search for Ethernet.
Youll need to enter a reasonable sequence for the slot numbers to ensure that the Network Adapters line up with the virtual interfaces. In this example we use 1184, 2208, 3232, and 4256. These are known good values. If you need more we know that 5280, 6304 and 7328 work for the next few interfaces.
Save these settings and power on the virtual machine.
The rXg virtual machine will go through the initialization process. This will take several minutes. Once this is complete you may now proceed with accessing the web GUI.
Installation on VMware ESXi
Step 1: Set up switches
The rXg is a router, and thus it requires separate network segments for the WAN and LAN. A default VMware ESXI installation includes a single virtual switch. Youll need to edit the existing switch as well as create a second virtual switch.
Navigate to the networking settings and edit the default switch.
Click Actions >> Edit Settings and enable all the options under the security setting. This allows DHCP to pass.
Create a second virtual switch and enable all the options under the security setting as you did before.
It is also possible to use the command line to easily create an arbitrary number of virtual switches. This is typically done to create a large number of isolated L2 segments within a single hypervisor. The command to create a single virtual switch on the ESXi CLI is:
esxcli network vswitch standard add -v VS_NAME
Here is a script that you can run on ESXi to create an arbitrary number of virtual switches:
if ["$#" -ne 1]; then max=8; else max=$1; fi
for i in `seq 0 $max`
do
n=`printf "%02d\n" $i`
esxcli network vswitch standard add -v isol_$n
done
Step 2: Create port groups
You need to create port groups for the LAN and WAN. Navigate to the port groups tab and create the WAN port group.
Attach the WAN port group to your desired switch attached to the interface. Repeat this for the LAN, attaching it to the other switch. You must set the VLAN ID of this port group to 4095 in order to enable it as a trunk port.
It is also possible to use the command line to easily create an arbitrary number of virtual switches. This is typically done to create a large number of isolated L2 segments within a single hypervisor. The command to create a single virtual switch on the ESXi CLI is:
esxcli network vswitch standard portgroup add -v VS_NAME -p VS_NAME_trunk
esxcli network vswitch standard portgroup set -p VS_NAME_trunk --vlan-id 4095
Here is a script that you can run on ESXi to create an arbitrary number of port groups:
if ["$#" -ne 1]; then max=8; else max=$1; fi
for i in `seq 0 $max`
do
n=`printf "%02d\n" $i`
esxcli network vswitch standard portgroup add -v isol_$n -p isol_$n_tnk
esxcli network vswitch standard portgroup set -p isol_$n_tnk --vlan-id 4095
done
Step 3: Prepare the storage subsystem
Navigate to the storage settings and select New datastore.
Format your new datastore as VMFS.
Name your datastore and click through to Finish.
Step 4: Upload the rXg ISO to the ESXI datastore using the browser.
Click on the name of the datastore and Datastore browser.
Find Upload
This may take a few minutes to complete. Select the uploaded file and close.
Step 5: Create the rXg virtual machine.
Select Virtual Machines from the menu on the left, and then Create / Register VM.
The guide will pop up on the screen. Select Next to move to Step 2: Select a name and guest OS. Choose Other as the Guest OS family and FreeBSD 13 (64-bit) for the Guest OS Version.
Click on Next two times.
In Step 4: Customize Settings, youll need to configure the CPU, RAM and disk settings based on the values required for this installation.
Add at least one more network adapter. In this example we have added three additional network adapters.
We use the VMX net 3 adapter type. Be careful to attach the network adapters to the appropriate port groups.
Finally, attach the rXg ISO file to the CDROM.
Click Next and Finish.
Select your newly created virtual machine and power on to start the installation.
Installation will begin. Hit enter to proceed past the prompt.
The installation will take a few minutes to complete. Once the installation is complete, power down the virtual machine.
Step 6: Edit the settings of the virtual machine
Click on Edit and use the VM options tab.
Select Advanced and Edit Configuration. Search for Ethernet.
Youll need to enter a reasonable sequence for the slot numbers to ensure that the Network Adapters line up with the virtual interfaces. In this example we use 1184, 2208, 3232, and 4256. These are known good values. If you need more we know that 5280, 6304 and 7328 work for the next few interfaces.
Save these settings and power on the virtual machine.
The rXg virtual machine will go through the initialization process. This will take several minutes. Once this is complete you may now proceed with accessing the web GUI.
Lab Manual
The Lab Manual contains instructions for many common configurations.
Bootstrap License
Access the rXg Admin interface
After installing the ISO and viewing the CLI, find the IP address and use a browser to navigate to https://%lt;ip.address%gt;/admin and you will be presented with the create first admin GUI.
You may choose to access the rXg from the LAN or the WAN. For the purposes of this lab, use your management computer to connect to the LAN side of the rXg via the wireless network that has been created for your lab (lab0X SSID).
When configuring a single physical rXg, this will be the_highest_ numbered port. Usually this is EM3 or IGB3. For a virtual installation, you must connect to the same vSwitch portgroup as the last virtual interface of the guest VM.
The LAN interface runs a DHCP server, handing out addresses in consecutive /30 subnets starting at 192.168.5.0/30. Check your computers network configuration to find the default gateway you were assigned (usually will be 192.168.5.1 ). This is the IP you will use to access the rXg from the LAN.
Alternatively, the lowest numbered port (EM0 or IGB0) will act as the default WAN port, and will function by default as a DHCP_client_. If you have a DHCP server connected to the WAN side, you can see the IP address that the rXg receives by checking the DHCP servers logs or by looking at the physical or virtual console:
In a web browser, access the url https://<ip.of.rxg>/admin. For example:
Surf to https://192.168.5.1/admin/
Accept the self-signed certificate warning.
Create the first Administrator
When creating the first administrator credentials, strong passwords are required. Passwords should include lower case, upper case, numbers and symbols. If you have a private/public key pair that you will use for SSH/ SCP access to the rXg, include the public key in your admin record. Note: When creating the first administrator you will see a QR Code and a long string of alpha numeric characters. You will need to copy these characters to license your copy of the rXg.
Click Create New in the Administrators scaffold.
Enter a login and a secure password. Passwords that do not meet complexity requirements will not be accepted. Good passwords are long, and contain characters from multiple classes (lower case, upper case, numbers and symbols). If you have a private/public key pair that you wish to use for SSH/SCP access to the rXg, you may enter your public key in your admin record.
Click Create when finished.
Access License Portal
When you signed up for your Free version of the rXg or made your purchase, an asset was assigned to your unique credentials on the store. Login to https://store.rgnets.com with those same credentials to obtain your license.
The rXg will not route traffic until it is licensed. Connect to a network with Internet access ( RGNets Training SSID).
Visit https://store.rgnets.com and log in with your RG Nets support credentials. Click on Asset Manager on the top of the page.
Update DNS name
Within the Asset Manager at https://store.rgnets.com navigate to "Asset Manager" in the main navigation. Find the asset assigned in the table below, if this is your first installation or the Free Version of the rXg you will only have one asset to update the FQDN and IUI. In the space provided, type or paste the fully qualified domain name (can be subdomained) associated with this installation (example shown here for lab04-cc1.netlab.ninja).
Enter fully qualified domain name and press the rename button. Press the Set FQDN button when complete.
Update the IUI
From the initial "Create First Administrator" screen, copy and paste the Installation Unique Identifier (IUI) in the field provided in the Asset Manager table.
The IUI uniquely identifies the rXg installation, and is tied to the hardware in the system. Any hardware changes after the IUI has been entered into the licensing portal requires re-licensing with RG Nets.
Enter the IUI obtained from the first new admin view of the rXg admin console and press the Set IUI button. On the next screen press Set IUI button again.
Obtain License
Once you have set the FQDN and IUI, click the Get License button. In the popup, the Asset Manager will provide a unique license key. Press the Copy to Clipboard button to copy the license.
Navigate to System :: Licenses
Edit the License Key
Click Edit in the license keys scaffold.
Paste the license from license portal
Click Update when complete.
After updating the license, the rXg will take a moment to restart its background processes to open up access to the rest of the admin console.
Bootstrap WAN
After licensing the system, we will configure the WAN uplink.
Navigate to Network :: WAN
Edit Uplink
Lower Priority to 5
The Priority field determines the order of precedence during failover in a link control scenario. When only one uplink is configured, this field has no effect as there is no uplink to failover to. When multiple uplinks are configured and connection aggregation is enabled, a failure of a link will cause another member of the pool to forward all traffic. If aggregation is not enabled, or all uplinks within a pool have failed, then the uplink with the highest priority amongst all of the remaining uplinks will be used to forward the traffic. The Uplink with the highest priority becomes the default route for the rXg.
Create New em1 Ethernet Interface
Click Create New under Ethernet interfaces. Accept the defaults provided to add the em1 interface.
Create the Charter Cable Uplink
Click Create New under the Uplinks scaffold.
Field | Value |
---|---|
Ethernet | em1 |
Priority | 9 |
DHCP | Unchecked |
Gateway IP | Obtain from Lab Sheet |
Download | 60 Mbps |
Upload | 40 Mbps |
DNS | Google Public DNS servers |
Ping Targets | Google Public DNS servers |
Create the Charter Cable Network Address
Click Create New under the Network Addresses scaffold.
Field | Value |
---|---|
Name | Charter Cable |
IP | Obtain from lab sheet |
Subnet | Obtain from lab sheet |
Autoincrement | 1 |
Span | 1 |
Autoincrement tells the rXg to automatically configure multiple, consecutively addressed, subnets on a single native or logical (VLAN) interface. Span tells the rXg to consume one or more consecutive IP addresses on a native or logical (VLAN) interface.
Final result
We now have a higher-priority static uplink, and a lower priority DHCP uplink.
Bootstrap System
Navigate to System :: Options
Enter the FQDN and Timezone
Edit the Default System Options and enter the rXgs fully qualified domain name ( FQDN ). Leave all other defaults. Click Update when done.
System :: Certificates
Create a new Certificate
Click Create New in the Certificates scaffold. The name will be filled in automatically from the system options. The rXg has generated a private key for the certificate already, and nothing else needs to be added yet. The private key will be utilized when the rXg generates a Certificate Signing Request in the next step.
Create a new Certificate Signing Request
Click Create New in the Certificate Signing Requests scaffold.
Complete the form with information to identify yourself to your 3rd party signing authority.
The Common Name (CN) must match the FQDN that will be used to access this rXg. If you will be purchasing a wildcard certificate from your certificate vendor, the CN should be *.domain.com
The email address will be tied to the certificate, so do not use your personal email address.
Copy the CSR
Copy the entire textblock of the CSR column of the newly created record, including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----
The CSR will be provided to your certificate vendor, which they will use to generate the intermediate and server certificates used in the next steps.
Submit CSR to 3rd party Certificate Authority
Submit the CSR obtained above and provide it to the certificate authority for them to generate and sign your certificate. When downloading the certificates, you should request apache format.
Once you have the intermediate certificates and the server certificates from your CA, proceed with the next step.
Update the Certificate Chain
Open the downloaded intermediate and server certificates in a text editor. For the purposes of this lab, intermediate and server certificates will be provided to you by the instructor.
Click Edit on the Certificate we created previously and supply the entire text of the intermediate and server certificates. Ensure that the Active checkbox is enabled. Click Update when complete. The webserver will restart while the new certificate is activated.
Bootstrap LAN
We will now configure the LAN side of the rXg.
Review Network Dashboard
The network dashboard shows a dynamic overview of the current network topology as well as utilization info.
Network :: LAN
Edit the Management LAN Network Address
Change the subnet mask to be 255.255.255.0 (changing from a /30 to a /24).
Set autoincrement to 1
Create an Infrastructure Device
Create an Infrastructure Device for your labs wireless controller. In this case, it is a RUCKUS virtual SmartZone (vSZ).
Field | Value |
---|---|
Device | RUCKUS SmartZone |
IP | 192.168.5.2 |
Protocol | SSH |
Port | 22 |
Username | admin |
Password | lab01admin! *note: substitute lab number for 01 |
Enable Password | lab01admin! *note: substitute lab number for 01 |
Creation of an Infrastructure Device allows the rXg to notify the RADIUS NAS (either the wireless controller or the wired switch) that a VLAN change has taken place, and that the connected device should be disconnected and immediately reconnected in order to re-initiate the RADIUS authentication process and be assigned the new VLAN tag assignment. Infrastructure Devices are also utilized by the conference tool to allow configuration changes such as the creation of WLANs for the duration of a conference.
Create a new em3 Ethernet Interface
This interface will be the source of the VLAN-tagged traffic coming from our wireless infrastructure.
Create a new Customer VLAN
Click Create New in the VLANs scaffold.
Name it Customer VLAN 1100. Select our newly created em3 interface. Enter 1100 for the VLAN ID. Do not check auto increment.
Create a new Customer Network Address
Click Create New in the Network Addresses scaffold.
Make sure Ethernet does not have a selection. Select our newly created VLAN (Customer VLAN 1100).
Field | Value |
---|---|
Ethernet | - Select - *make sure this has no option selected |
VLAN | Customer VLAN 1100 |
IP | 10.0.0.1 |
Subnet | 255.255.255.0 |
Autoincrement | 1 |
Span | 1 |
DHCP pool | checked |
Final result
Navigate to System :: Portals
Create a new HTTP Virtual Host
An HTTP Virtual Host proxies web access to devices on the LAN based on the hostname of the request.
Click Create New in the HTTP Virtual Host scaffold.
Enter the FQDN of your wireless controller, as listed on your lab sheet.
Field | Value |
---|---|
Hostname | Obtain from lab sheet |
IP | 192.168.5.2 |
Local server HTTP(s) Port | 8443 |
HTTPS | checked |
ENABLE AUTOINCREMENTED VLANs
Edit the Customer LAN Network Address
Click Edit on the Customer LAN Network Address.
Change the Subnet to 255.255.255.252 (/30) and change Autoincrement to 64.
The rXg will automatically configure 64 contiguous /30 subnets to replace the single /24 subnet we created previously.
Note: Because 64 /30 subnets fit exactly into a single /24 subnet, we are still consuming the same overall network address space, and therefore do not need to edit our DHCP pools. If we had chosen a smaller or larger autoincrement number, the DHCP pool that was created automatically when this Network Address was created would now be invalid, raising a health notice and requiring manual intervention.
Edit the Customer VLAN
Click Edit on the Customer VLAN 1100 record in the VLANs scaffold.
Enable the Autoincrement checkbox.
Set the Autoincrement Ratio to 8.
Click Update.
If the autoincrement ratio were set to 1, the rXg would automatically create one VLAN interface for each autoincremented subnet in the associated Network Address (64 unique VLAN interfaces). Because we have set a ratio of 8, the rXg will create one VLAN interface for every 8 subnets. (64 subnets / 8 = 8 unique VLAN interfaces).
Final Result
Dynamic VLANs
Navigate to Identities :: Groups
Notice that there is already an IP Group for the vSZ. It was created automatically when we created the infrastructure device.
Create a Management IP Group
Click Create New in the IP Groups scaffold.
Field | Value |
---|---|
Name | Management |
Priority | 8 |
Addresses | Management LAN |
Navigate to Policies :: Captive Portals
Create the Management Policy
Notice there is already a Lab vSZ policy, which was created when the infrastructure device was created.
Click Create New in the Policies scaffold. This policy will be added to the RADIUS server ACL in the next step.
Field | Value |
---|---|
Name | Management |
IP Groups | Management |
Navigate to Services :: RADIUS
Edit the Default RADIUS Server Options
Click Edit in the Default record of the RADIUS Server Options scaffold.
Enable the Management policy. Notice that the Lab vSZ Policy was added automatically at creation.
Click Update.
Create a New RADIUS Server Realm
Click Create New in the RADIUS Server Realm scaffold.
Field | Value |
---|---|
Name | Customer Assignment |
Policies | None selected |
Attribute Patterns | |
Priority | 0 |
Attribute | Called-Station-ID |
Pattern | lab01-customer |
Sharing | Per-Device |
VLANs | Customer VLAN 1100 |
Reuse | Checked |
Infrastructure Devices | Lab vSZ |
Respone Attributes | Tunnel-Type: VLAN |
Tunnel-Medium-Type: IEEE-802 Tunnel-Private-Group-ID: %vlan_tag_assignment.tag% |
Final result
CONFIGURE CONTROLLER FOR DVLAN
Create AAA Server
Ruckus Switch
Navigate to Network::Wired
Create New Switch
Click on Create New in the switches scaffold. Use the table below, substituting your lab number for 01
Field | Value |
---|---|
Name | lab01-switch |
Type | RUCKUS ICX |
Host | 172.16.0.4 |
Subnet Mask | 255.255.255.0 |
Gateway IP | 172.16.0.1 |
Username | super |
Password | lab01admin! |
Bootstrap Switch Config
A new record will appear in the switches scaffold. The switch is currently offline. Click on Sync not enabled to generate a bootstrap configuration.
Enter the current device password, and click on Download Bootstrap Configuration
A plaintext file will be downloaded that should resemble:
! PHASE 1 - Increase max VLANs (requires a reboot)
enable
config terminal
system-max vlan 4095
write mem
exit
reload
y
! PHASE 2 (after reboot) - Configure remaining settings
enable
config terminal
skip-page-display
crypto key generate rsa modulus 2048
ip ssh key-exchange-method dh-group14-sha1
aaa authentication web-server default local
aaa authentication login default local
aaa authentication dot1x default radius
lldp run
snmp-server community public ro
username super password lab01admin!
aaa authentication login default local
vlan 1
ip address 172.16.0.4 255.255.255.0
management-vlan
default-gateway 172.16.0.1 1
exit
ntp
server 172.16.0.1
exit
write mem
SSH or console into the switch (switch will get DHCP by default). Type the commands from Phase 1 in, one at a time. The switch will reboot. Once it reboots, SSH in again, and copy/paste all of Phase 2.
Enable Config Sync
The switch should now show as "Online" in the switches scaffold. Although the switch is bootstrapped, click on Sync not enabled to start the sync process.
Click on Generate Diff to Enable Sync
The remaining configuration to synchronize the switch is displayed. Click Enable Config Synchronization
Click OK at the warning prompt
Results will be displayed showing "Configuration is now in sync. Running config saved to startup.
i
The sync status will turn green, displaying the last upate timestamp. The switchports can now be configured on the rXg
Adding VLANs to a Switchport
Click Edit on a switchport in order to add VLANs to that port.
Choose the VLANs from the list, and click Update
The rXg will automatically run the necessary commands on the switch to enforce these changes. The timestamp in the "Config Sync Status" will also be updated.
Adtran vWLAN
Deploy vWLAN controller in VMware.
On windows machine navigate to ESXI host and download the ova file from the datastore. Storage-->Lab Files-->Browse Datastore. Download the vWLAN-X-X-X.ova file.
Create new virtual machine, select "Deploy a virtual machine from an OVF or OVA file".
Give the vm a name, click on "Click to select files or drag/drop" and select the ova file, click next.
Select datastore1 (should be selected by default), click next.
Deployment options network mappings: VM Network change to VM Lan Network, leave the reset default and click next.
Click Finish, and wait for the VM to be deployed.
In ESXi click on the adtran wlc VM to get IP address it received via DHCP from the rXg.
Access the vWLAN, use system on the mgmt lan, OR create virtual host for initial access remotely. Default username/password for Adtran WLC is [email protected]/blueblue. Set a static IP address to 172.16.0.5 by navigating to Configuration-->Network Interfaces-->Public. Uncheck DHCP and change the fields to the correct values, and click update network interface.
Field | Value |
---|---|
Address | 172.16.0.5 |
Netmask | 255.255.255.0 |
Gateway | 172.168.0.1 |
DNS 1 | 172.16.0.1 |
DNS 2 | 8.8.8.8 |
Hostname | vwlan |
Changes will not take effect until you run the Platform Task in the wlc. Click on Platform Tasks in the upper right corner and run the "Must restart network" task by clicking on it.
We will now upgrade the WLC navigate to Administration-->Platform Upgrade (Remember to use the new IP address that was configured in the previous step). Click Choose File and select the vWLAN-X-X-X-xxxxxx.img file, click "Run Task" and wait for it to complete.
Click on Platform Tasks in the upper right corner and run any pending tasks. Apply license to AP by navigating to Configuration-->Wireless-->AP Licenses, click on Upload AP Licenses. Click choose file and select the txt file the license key is saved it, set Domain to default and click Upload licenses.
Create DNS entries for AP discovery in rXg
Create DNS entries so that the AP can find the vWLAN. In the rXg navigate to Services-->DNS and create a new DNS Zone. Name: .local Type: master Domain name: local Master hostname: rxg.local. Hostmaster email: hostmaster@local Click on create.
Field | Value |
---|---|
Name | .local |
Type | master |
Domain name | local |
Master hostname | rxg.local. |
Hostmaster email | hostmaster@local |
Create a new DNS record, Name: apdiscovery.local Type: A Host: apdiscovery remove dynamic data Data: 172.16.0.5 TTL 60 Zone: .local Click create.
Field | Value |
---|---|
Name | apdiscovery.local |
Type | A |
Host | apdiscovery |
Data | 172.16.0.5 |
TTL | 60 |
Zone | .local |
Add Adtran vWLAN controller as infrastructure device.
Add the vWLAN as infrastructure device. Navigate to Network-->Wireless and create a new WLAN Controller. Name: Adtran WLC Type: ADTRAN vWLAN Host: Ip address of vWLAN change username/password accept defaults click create.
Field | Value |
---|---|
Name | Adtran vWLAN |
Type | ADTRAN vWLAN |
Host | IP address of vWLAN |
Reload page and click "Sync not enabled"
Click enable config sync
Create WLAN.
Navigate to Network-->Wireless and create new WLAN. Fill out the name with your lab number, select the Adtran controller, fill out SSID, and click create.
Field | Value |
---|---|
Name | lab0X |
Controller | ADTRAN vWLAN |
SSID | lab0X |
Encryption | none |
Authentication | none |
Ruckus vSZ
Deploy the vSZ Controller in vmware
On windows machine navigate to ESXI host and download the ova file from the datastore. Storage-->Lab Files-->Browse Datastore. Download the vscg-X.X.X.X.XXX.ova file.
Create new virtual machine, select "Deploy a virtual machine from an OVF or OVA file".
Give the vm a name, click on "Click to select files or drag/drop" and select the ova file, click next.
Select datastore1 (should be selected by default), click next.
Agree to the License Agreements by clicking 'I Agree', and then click next.
Deployment options network mappings: VM Network change to VM Lan Network Uncheck 'Power on automatically', and click next.
Click Finish, and wait for the VM to be deployed.
Edit Settings on the VM, and delete network adapters 2 & 3.
It should resemble this:
Power on the VM.
Configure IP Address, and Admin Password
Using the vmware console, login to the vSZ. Default credentials are admin / admin Run the command 'setup' to start the setup wizard
Field | Value |
---|---|
vSZ Profile | Essentials |
IP Version Support | IPv4 Only |
IPv4 configuration | Manual |
IP Address | 172.16.0.5 |
Netmask | 255.255.255.0 |
Gateway | 172.16.0.1 |
Primary DNS | 172.16.0.1 |
Enter 'y' to apply settings Enter 'y' to accept changes
Browse to https://172.16.0.5:8443Fill in cluster name, controller name, and description, leave other defaults
Enter 'lab01admin!' for the admin, and enable passwords.
Click finish.
Wait while the controller initializes.
This screen means you are ready to continue.
Add RUCKUS vSZ Controller as Infrastructure Device
Navigate to Network::Wireless
Click on 'create new' in the WLAN Controllers scaffold. Use the following table to populate the form, and click create.
Field | Value |
---|---|
Name | ruckus vSZ |
Type | RUCKUS SmartZone |
Host | 172.16.0.5 |
Username | admin |
Password | lab01admin! |
After a few seconds the Controller will appear online. Click on Sync not enabled.
Click on 'Enable Config Synchronization'.
The Controller is now managed by the rXg
Create WLAN
Navigate to Network::Wireless and create new WLAN. Fill out the name with your lab number, select the vSZ, fill out SSID, and click create.
Field | Value |
---|---|
Name | lab0X |
Controller | ruckus vSZ |
SSID | lab0X |
Encryption | none |
Authentication | none |
Extreme WiNG
Build VX9000 in vmware
Create a new virtual machine, select 'Create a new virtual machine'. Click next.
Add a name, and choose 'Other' for OS Family, and 'Other (64-bit)' for OS Version. Click next.
Select 'datastore1' for storage (default). Click Next.
Increase Memory to 4GB Increase Hard Disk to 20GB Select 'Thin Provisioned' under Hard Disk options. Scroll down
For 'CD/DVD Media' select 'Datastore ISO file', and choose the VX9000-DEMO-x.x.x.x-xxxR.iso. Click Next
Verify settings, and click finish.
Power on the VM. Using the vmware console press enter/return to start the installation
Accept these defaults by pressing enter/return
The installation is finished when you reach this screen. Go to VM Settings, and change CD/DVD back to 'Host Device'.
Press enter/return to intiate the reboot.
Add VX9000 to Wireless Infrastructure Devices
Navigate to Network::Wireless
Click 'Create New' on the WLAN Controllers scaffold. Populate the form using the following:
Field | Value |
---|---|
Name | VX9000 |
Type | Extreme WiNG VX/NX |
Host | 172.16.0.5 |
Subnet Mask | 255.255.255.0 |
Gateway IP | 172.16.0.1 |
Username | admin |
Password | lab01admin! |
Click on "Sync not enabled" to generate a bootstrap configuration
Apply Bootstrap Configuration and Enable Sync
In vmware console, login to the VX9000 with default credentials admin/admin123 . You will be prompted to change the password. Type 'lab01admin!' substituting your lab number. Then type the commands from the bootstrap configuration.
The VX9000 will become reachable, refreshing the rXg screen. Click 'Enable Config Synchronization'.
The VX9000 is now managed by the rXg
Create WLAN
Navigate to Network::Wireless and create new WLAN. Fill out the name with your lab number, select the VX9000, fill out SSID, and click create.
Field | Value |
---|---|
Name | lab0X |
Controller | VX9000 |
SSID | lab0X |
Encryption | none |
Authentication | none |
Aruba Wireless
Deploy a Mobility Master (MM)
Follow manufacturer guidelines for deployment, and licensing, of Aruba Networks Mobility Master. MPSK is only available with a MM.
Configure Mobility Master
Locate the MAC address of the Mobility Controller by logging into the MC GUI, or running
show switchinfo
at the MC CLIAdd a Mobility Controller (MC) to the Managed Network Section.
Add the IP address of the MC to the controller definition.
Add the MAC from the MC to the controller definition.
Choose the appropriate device type for the controller definition.
Click the "Mobility Master" heirarchy level of the left panel, then Configuration -> Controllers.
Create a new controller IPSec key value. (This will be used in the MC deployment)
Deploy changes
Deploy Mobility Controller (MC)
Follow manufacturer guidelines for deployment of Aruba Networks Mobility Controller. Provide the IP, and IPSec PSK of the MM during setup.
Configure Mobility Controller
Once the MC is added to the Mobility Master, configuration is completed from the MM GUI.
At the heirarchy level of the group created in step 1 above, deploy a WLAN.
Provide an SSID Name, and choose Tunneling
Leave the default VLAN selection.
Set the security to wpa2personal, choose mpsk.
Create a new RADIUS Authentication Server with details with regards to rXg
Leave the default role selections
MAC authentication is enabled with MPSK by defualt. Manually edit the profile in order to associate the WLAN with the correct AAA server group. It does not use the server assigned for MPSK settings.
- From the group hierarchy level go to configuration -> system -> profiles -> Wireless LAN -> AAA -> (wlanname)_aaa_prof -> MAC Authentication Server Group -> set to the (wlanname)_dot1_svg group that got created from the mpsk 802.1x settings
On the Group level, go to Configuration -> Interfaces -> VLANs and create the range of possible VLANs
In the same section, verify the ethernet port you are using is set to "trunk allow all", under the Ports tab
Deploy changes
Configure Aruba Central
- Make sure the correct group is selected that contains the AP(s), you can verify this by looking in the upper left corner.
Click on devices, which will take us to the WLANs section. Click Add SSID
Give the SSID a name. Click next.
In the VLAN section leave defaults and click next.
Change Key Management to MPSK AES.Click the + in the Primary Server field, give the Server a name, and copy the shared secret from the Radius Server Options to the Shared Key and retype Key fields. Set the IP field to the IP Aruba Central will talk to the rxg on, and click OK. The Shared Secret can be obtained by navigating to Services::Radius in the rXg.
Expand advanced settings and enable "Called station ID include SSID" Click next.
For the Access section, click next without making changes.
Verify settings in the Summary view and click Finish. Note that with Aruba MPSK it is required that a devices MAC address be present in an account for the MPSK to work on any given device.
Configure Change of Authorization (CoA)
- At the Group heirarchy level, navigate to Configuration -> Authentication -> Auth Servers -> All Servers
- Create a new server, and provide the rXg IP, and RADIUS shared secret
Edit the AAA Profile and specify the newly created server under RFC3576
At the MC Heirarchy level (NOT the group level), navigate to Configuration -> Authentication -> Advanced
Set the RADIUS Client to the correct interface, and IP of the MC, so that the NAS-IP of RADIUS requests will be the MC (where CoA must be sent), and not the MM.
Configure rXg
Associate a RADIUS Server Attribute "Aruba-MPSK-Passphrase" with the value "%account.pre_shared_key%" to the RADIUS Realm
Cambium Wireless
Deploy cnMaestro On-Premises in vmware
Navigate to ESXI host and create new virtual machine, select "Deply a virtual machine from an OVF or OVA file".
Give the vm a name, click on "Click to select files or drag/drop" and select the ova file, click next.
Select the storage where VM will be created, click next.
Agree to the License Agreements by clicking 'I Agree', and then click next.
Select the appropriate Network mapping for your network, should be connect to the LAN of the rXg. Verify settings, click next.
Click Finish, and wait for the VM to be deployed.
Configure cnMaestro
For On-Premises navigate to IP address of cnMaestro VM and login with admin/admin.
Set Country and Time Zone.
Change the Default "Admin user" Password, and re-authenticate.
Enable API by navigating to Network Services => API Client.
Click the "Add API Client" button.
Enter a name/description (can be anything), click save.
Now there will be a Client Id and Client Secret. The Client Id is the username and the Client Secret is the password.
Enable SNMP. Note: This step should be skipped if not using On-Premises. First navigate to Administration =>
Expand Optional Features and check the Enable SNMP box, click save.
Set SNMPv2c RO Community name, by navigating to Network Services => SNMP Configuration.
Set the SNMPv2c RO Community string and click save.
Point AP to the controller. Access the AP via it's IP address and login using admin/admin.
Select System from the menu and look for cnMaestro under Management. Enter the URL or IP address of the cnMaestro in the cnMaestro URL. Click Save.
Next we need to claim the AP, navigate to the cnMaestro Dashboard and click onboarding under Devices.
Approve the AP by clikcing the Approve button.
Next add AP to Wi-Fi AP Group. Click on Monitor and Manage and find the AP under Networks, click on the 3 dots next to the AP and select edit.
Under Device Configuration, change AP group to Default Enterprise and Apply Configuration.
Add Cambium cnMaestro Controller as Infrastructure Device
Navigate to Network::Wireless.
Create a new WLAN Controller.
Enter a name in the Name field. Select Cambium cnMaestro from the Device Type drop down menu. Enter the IP address on the controller in the Host field. API port field set to 443. Enter the Username and password in respective fields. Click create.
NOTE: If you are using the Cambium Cloud, the Host field will be cloud.cambiumnetworks.com. The username and password fields are the same as a local instance documented above.
After a few seconds the Controller will appear online. Click on Sync not enabled.
Click on 'Enable Config Synchronization'.
The Controller is now managed by the rXg.
TP-Link Omada
Environment
This document was created using the following hardware and software:
rXg: Version: 14.284 Controller Model: tp-link Omada Controller (Windows) Controller Version: 5.6.13 AP Model: EAP610-Outdoor(US) v1.0 AP Version: 1.1.0 Build 20220930 Rel 65326
Deploy tp-link Omada controller on Windows.
Obtain the Omada installation file from tp-link. Double-click to begin the installation. Click "Next" through the typical installation wizard. On the final screen, make sure that "Start Omada Controller after installation is checked"
Allow access through the Windows firewall.
Click "Launch" to open the configuration page at https://localhost:8043
Click "Let's Get Started"
Set your timezone Set your deployment scenario Click "Next"
Click "Skip"
Click "Skip"
Click "Skip"
Configure credentials for the controller and access points. Disable Cloud Access Accept Terms of Use Click "Next"
Click "Finish"
tp-link Omada Controller Configuration for PPSK
Login using the credentials created in the previous step.
You can skip the tutorial here by clicking the X.
Configure AAA
Click the gear icon in the bottom left-hand corner for settings. Browse to Authentication >> RADIUS Profile Click "+ Create New RADIUS Profile"
Before you configure this section, you will need to have the IP address of the rXg, and the RADIUS shared secret. The IP address of the rXg should be reachable from the Omada controller. The shared secret can be obtained from the Admin UI by browsing to Services >> RADIUS
and then scroll down to the RADIUS Server Options
scaffold. Use this password for all password fields in the RADIUS profile below.
Click "Save" once the form is complete.
We now need to configure a RADIUS profile so that the Omada controller can send RADIUS requests to the rXg.
Add Access Points
In this next section, we need to add access points to the Omada controller. On the Omada Admin UI, browse to Devices
on the side menu.
In this section, we need to adopt the access points. The easiest way to do this is by using the batch adopt button under Batch Action.
Then select all of the access points and click "Done".
Once the adoption process is complete, you should see the AP show connected.
Add WLAN
In this section, we will configure a WLAN for unbound PSK.
In the bottom left corner, click "Settings".
Click "Wireless Networks" to expand the menu. Click "WLAN"
Click "+ Create Wireless Network".
Complete the form below as indicated. Be sure to uncheck the 6 GHz band or the SSID will not broadcast. Click "Apply"
You should now see the SSID being broadcast as a secure network.
rXg Configuration
The following configuration assumes that the rXg has been previously configured for an MDU deployment. The steps below demonstrate how to add the tp-link Omada controller to the existing configuration.
Add Omada Controller and WLAN
From the rXg UI, browse to Network >> Wireless
Click "Create New" on the WLAN Controllers
scaffold.
Complete the following fields with the appropriate information as it relates to the Omada controller. Click "Create"
Click "Create New" on the WLANs
scaffold.
Configure the following fields as indicated.
Configure RADIUS
From the rXg UI, browse to Services >> RADIUS
Click "Create New" on the RADIUS Server Attributes
scaffold.
Set the Name of the Attribute to TPLink-EAPOL-Found-PMK
Set the Value of the Attribute to %account.pre_shared_key%
Make sure that your Post-Auth realm is selected. Click "Create"
At this point, you should be able to associate to the ppsk SSID and enter a Pre-Shared Key that was previously configured for an account.
Add Account VLANs
Navigate to Network :: LAN
Create the Account VLANs
Click Create New in the VLAN Interfaces scaffold.
Field | Value |
---|---|
Name | Account VLANs |
Ethernet | em3 |
VLAN IDs | 1108 |
Autoincrement | Checked |
Autoincrement Ratio | 1 |
Addresses | None selected |
Create the Account Network Address
Click Create New in the Network Addresses scaffold.
Field | Value |
---|---|
Name | Account LANs |
Ethernet | None selected |
VLAN | Account VLANs |
IP | 10.0.1.1 |
Subnet | 255.255.255.240 |
Autoincrement | 64 |
Span | 1 |
Create DHCP Pool | Checked |
Review Network Dashboard
Click on the Network menu header to see the updated network diagram.
Navigate to Services :: RADIUS
Create the Account RADIUS Server Realm
Click Create New in the RADIUS Server Realms scaffold.
Field | Value |
---|---|
Name | Account Assignment |
Policies | None selected |
Attribute Patterns | None |
Sharing | Per-Account |
VLANs | Account VLANs |
Reuse | Unchecked |
Infrastructure Devices | Lab vSZ |
Respone Attributes | Tunnel-Type: VLAN |
Tunnel-Medium-Type: IEEE-802 Tunnel-Private-Group-ID: %vlan_tag_assignment.tag% |
Identities
Navigate to Identities :: Groups
Create a new Customer Onboarding IP Group
Click Create New in the IP Groups scaffold.
Field | Value |
---|---|
Name | Customer Onboarding |
Priority | 2 |
Addresses | Customer LAN |
Create Accounts IP Group
Click Create New in the IP Groups scaffold.
Field | Value |
---|---|
Name | Account Networks |
Priority | 2 |
Addresses | Account LANs |
Create Free Account Group
Click Create New in the Account Groups scaffold.
Field | Value |
---|---|
Name | Free |
Priority | 4 |
Policy | None selected |
Create Basic Account Group
Click Create New in the Account Groups scaffold.
Field | Value |
---|---|
Name | Basic |
Priority | 4 |
Policy | None selected |
Create Premium Account Group
Click Create New in the Account Groups scaffold.
Field | Value |
---|---|
Name | Premium |
Priority | 4 |
Policy | None selected |
Create Business Account Group
Click Create New in the Account Groups scaffold.
Field | Value |
---|---|
Name | Business |
Priority | 4 |
Policy | None selected |
Navigate to Identities :: Shared Credentials
Create Free Shared Credential Group
Click Create New in the Shared Credential Groups scaffold.
Field | Value |
---|---|
Name | Free |
Priority | 5 |
Credential | free (note: case sensitive) |
Policy | None Selected |
Time | 1 Hour |
Quota | Unlimited (up and down) |
Recurring | none |
Simultaneous | unlimited |
Intersession | 1 day |
Automatic Login | Unchecked |
Portal Policies
Navigate to Policies :: Captive Portal
Create Default Splash Portal
Click Create New in the Splash Portals scaffold.
Field | Value |
---|---|
Name | Default Splash |
portal | default |
whitelist | paypal |
background mode | MAC |
portal mode | MAC or Cookie |
Policies | Default |
Shared Credential Groups | Free |
Create Default Landing Portal
Click Create New in the Landing Portals scaffold.
Field | Value |
---|---|
Name | Default Landing |
portal | default |
whitelist | paypal |
background mode | MAC |
portal mode | MAC or Cookie |
Session Limit | unrestricted |
Idle Timeout | 20 minutes |
Grace Time | 15 minutes |
Policies | None Selected |
Create a new Survey Question
Click Create New in the Survey Questions scaffold.
Field | Value |
---|---|
Question | Email Address |
Position | 1 |
Type | Email Address |
Required | Checked |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Create Customer Onboarding Policy
Click Create New in the Policies scaffold.
Field | Value |
---|---|
Name | Customer Onboarding |
Splash Portal | Default Splash |
IP Groups | Customer Onboarding |
Create Free Policy
Click Create New in the Policies scaffold.
Field | Value |
---|---|
Name | Free |
Landing Portal | Default Landing |
Account Groups | Free |
Shared Credential Groups | Free |
Create Basic Policy
Click Create New in the Policies scaffold.
Field | Value |
---|---|
Name | Basic |
Landing Portal | Default Landing |
IP Groups | Account Networks |
Account Groups | Basic |
Create Premium Policy
Click Create New in the Policies scaffold.
Field | Value |
---|---|
Name | Premium |
Landing Portal | Default Landing |
Account Groups | Premium |
Create Business Policy
Click Create New in the Policies scaffold.
Field | Value |
---|---|
Name | Business |
Landing Portal | Default Landing |
Account Groups | Business |
Final result
Review Policy Dashboard
Click on the Policies menu link to view the Policy Dashboard. This page gives a graphical representation of the policy enforcement engine. Network devices are categorized into the highest priority group to which they belong, and that groups policy is applied.
In the graph, Groups are listed on the left, Policies in the middle, and Policy Enforcement Elements on the right. Groups may only have 1 associated policy. Devices will typically belong to multiple groups (such as an IP group and an Account Group), but only the highest priority group has an effect on the devices policy. Policy enforcement elements may be shared between multiple policies.
Gateways and Plans
Navigate to developer.authorize.net
Click Sign Up
Sign up for a free account
Collect API Credentials
Navigate to Billing :: Gateways
Create a Merchant
Field | Value |
---|---|
Name | Auth.net Developer |
Direct Gateway | Authorize.net |
Store Credit Cards | checked |
Login | API login ID from authorize.net API credential page |
Password | Transaction key from API credential page |
Test mode | checked |
Create Paypal Offiste Merchant
Click Create New in the Merchants scaffold.
Field | Value |
---|---|
Name | Paypal Standard |
Offsite Gateway | PayPal Website Payments Standard |
Login | your email |
Navigate to Billing :: Plans
Create an Unlimited Time Plan
Create a 5GB/2GB Quota Plan (free)
Create a 15GB/7GB Quota Plan ($10)
Create a 50GB/25GB Quota Plan ($25)
Create an Unlimited Quota Plan ($50)
Create a Business SLA Misc. Plan ($100)
Create a CPE Lease Misc Plan ($5)
Create One Day Free 5GB Usage Plan
Field | Value |
---|---|
Name | One Day Free 5GB |
Account Group | Free |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Time Plan | Unlimited |
Quota Plan | 5GB |
Misc. Plans | none selected |
Relative Lifetime | 1 day |
Automatic Login | checked |
Max Sessions | 3 |
Max Devices | unlimited |
Max BiNATs | 0 |
Lock Devices | checked |
Merchants | none selected |
Interval | None |
Expiration | Never |
Create One Day 15GB Usage Plan
Field | Value |
---|---|
Name | One Day 15GB |
Account Group | Basic |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Time Plan | Unlimited |
Quota Plan | 15GB |
Misc. Plans | none selected |
Relative Lifetime | 1 day |
Automatic Login | checked |
Max Sessions | 3 |
Max Devices | unlimited |
Max BiNATs | 0 |
Lock Devices | checked |
Merchants | Authorize.net Developer, Paypal |
Interval | None |
Expiration | Never |
Create One Month Basic 50GB Usage Plan
Field | Value |
---|---|
Name | One Month Basic 50GB |
Account Group | Basic |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Time Plan | Unlimited |
Quota Plan | 50GB |
Misc. Plans | none selected |
Relative Lifetime | 1 month |
Automatic Login | checked |
Max Sessions | 3 |
Max Devices | unlimited |
Max BiNATs | 0 |
Lock Devices | checked |
Merchants | Authorize.net Developer |
Interval | Monthly |
Expiration | Never |
Create One Month Business Class Usage Plan
Field | Value |
---|---|
Name | One Month Business Class |
Account Group | Business |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Time Plan | Unlimited |
Quota Plan | Unlimited |
Misc. Plans | Business SLA |
Relative Lifetime | 1 month |
Automatic Login | checked |
Max Sessions | unlimited |
Max Devices | unlimited |
Max BiNATs | 0 |
Lock Devices | checked |
Merchants | Authorize.net Developer |
Pro-rate Credit | checked |
Interval | Monthly |
Expiration | Never |
Create On-Demand 50GB Usage Plan
Field | Value |
---|---|
Name | On Demand 50GB |
Account Group | Premium |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Time Plan | Unlimited |
Quota Plan | 50GB |
Misc. Plans | none selected |
Unlimited Lifetime | checked |
Automatic Login | checked |
Max Sessions | unlimited |
Max Devices | unlimited |
Max BiNATs | 0 |
Lock Devices | checked |
Merchants | Authorize.net Developer |
Interval | Monthly |
Expiration | Never |
Content Filter Policies
Navigate to Policies :: Content Filtering
Create a new Remote Content Filter Blacklist
Edit the new Remote Content Filter Blacklist
Select gamble from the multi-select category list. You may select other categories by holding down the command or control key. Click Update when finished.
Create a new Content Filter
The Content Filter is the policy element that gets tied to a specific policy. It may reference Content Filter Blacklists or Remote Content Filter Blacklists , or specify phrase categories that should be filtered. The rXg will inspect the contents of all HTTP traffic to determine if the content is permitted. If not, the user is redirected to the specified page of the captive portal.
Click Create New in the Content Filters scaffold.
Field | Value |
---|---|
Name | Block Gambling |
Policies | Free |
Remote Blacklists | Shalla Blacklist Gambling |
Interstitial Redirection Policies
Navigate to Policies :: Interstitial Redirection
Create a new Interstitial Redirect
An interstitial redirect forces end user browser redirection to a page of your choosing based on a timed interval. You may specify how many minutes the end user may browser before being redirected ( Initial minutes ), how often the user is redirected after the initial redirect ( Minutes ), as well as how long the rXg should force redirection at each redirect interval ( Duration ).
Click Create New in the Interstitial Redirect scaffold.
Field | Value |
---|---|
Name | Test Redirect |
URL | Accept default |
Initial Minutes | 3 |
Minutes | 15 |
Duration | 0 |
Policies | Free |
Create a new URL Replacement
A URL replacement will rewrite the URL of every matching HTTP URL which transits the rXg, allowing the operator to substitute phrases or even entire domains of the users attempted URL.
Click Create New in the Interstitial Redirect scaffold.
Field | Value |
---|---|
Name | rewrite restaurant search |
Interstitial Redirect | Test Redirection |
Match | q=restaurant |
Replacement | q=bjs restaurant |
Packet Filter Policies
Navigate to Policies :: Packet Filters
Create a new Application
Click Create New in the Applications scaffold.
Field | Value |
---|---|
Name | smtp |
protocol | tcp udp |
Destination ports | 25 |
source ports |
Create a new Application Filter
Click Create New in the Application Filter scaffold.
Field | Value |
---|---|
Name | block smtp |
direction | outbound |
Applications | smtp |
Policies | Free |
Update the Subnet Filter
A Subnet Filter instructs the rXg to block all packets that attempt to cross from one subnet to another. Because the rXg is the default route for all devices, any attempt to reach another subnet must pass through the rXg. Any device which is in a policy attached to the subnet filter will not be able to route to any other local subnet, except those defined in an associated WAN target.
Click Edit on the Block Subnets subnet filter (this filter was created by default upon installation).
Include all of the customer facing policies:
Default, Basic, Business, Free, Premium
Packet Forward Policies
Navigate to Policies :: Packet Forwards
Create a new Application
Click Create New in the Application scaffold.
Field | Value |
---|---|
Name | 8443 |
Protocol | tcp udp |
Destination Ports | 8443 |
Source Ports |
Create a new rXg Forward
Click Create New in the rXg Forwards scaffold.
Field | Value |
---|---|
Name | forward 8443 to vSZ |
Applications | 8443 |
Destination Policy | Lab vSZ |
Policy Mode | first member only |
Payload Rewriting Policies
Navigate to Policies :: Payload Rewriting
Create a new HTML Injection
An HTML Injection allows the operator to insert content into the body of the HTTP pages which transit the rXg. The rXg offers several recipes for injecting content into the page. The HTML injection does not become active until it is tied to a HTML Payload Rewrite record.
Virtual Frames: Place an iframe into the page in the position of your choice which contains your custom content.
Floating Overlay: Place a floating div onto the page in the position of your choice which contains your custom content.
Ad Element Overlay (beta): Position a floating element onto the page on top of existing advertisements, as determined by common well-known banner dimensions.
Click Create New in the HTML Injections scaffold.
Field | Value |
---|---|
Name | test injection |
position | top |
Recipe | floating overlay |
HTML | <h1>This is a test</h1> |
Create a new HTML Payload Rewrite
An HTML Payload Rewrite ties an HTML Injection or HTML Replacement record to a policy. Some sites may render incorrectly when an injection or replacement is performed. WAN Targets allow the operator to exclude specific sites from the payload rewrite.
Click Create New in the rXg Forwards scaffold.
Field | Value |
---|---|
Name | test injection |
Injection | test injection |
Policies | Free |
Persistent Caching Policies
Navigate to Policies :: Persistent Caching
Edit the Web Cache
Click Edit on the Cache web cache record. Enable the Free , Basic and Default policies.
Traffic Shaping Policies
Navigate to Policies :: Traffic Shaping
Create a new 3x1 w/ burst Bandwidth Queue
Click Create New in the Bandwidth Queues scaffold.
Field | Value |
---|---|
Name | 3x1 Mbps with burst |
Priority | 0 |
Download Rate Limit | 3 Mbps |
Upload Rate Limit | 1 Mbps |
Download Rate Burst | 10 Mbps |
Upload Rate Burst | 2 Mbps |
Burst time | 5000 |
Guarantee | none |
Create a new 20x2/acct Bandwidth Queue
Click Create New in the Bandwidth Queues scaffold.
Field | Value |
---|---|
Name | 20x2 Mbps per account |
Priority | 0 |
Download Rate Limit | 20 Mbps |
Upload Rate Limit | 2 Mbps |
Burst | none |
Guarantee | none |
Shaping | Account |
Policies | Basic |
Create a new 50x2 w/guarantee Bandwidth Queue
Click Create New in the Bandwidth Queues scaffold.
Field | Value |
---|---|
Name | 50x2 Mbps with guarantee |
Priority | 0 |
Download Rate Limit | 50 Mbps |
Upload Rate Limit | 2 Mbps |
Burst | none |
Download Rate Guarantee | 10 Mbps |
Upload Rate Guarantee | 1 Mbps |
Shaping | Account |
Policies | Business |
Create a new 512x128 Kbps usenet Bandwidth Queue
Click Create New in the Bandwidth Queues scaffold.
Field | Value |
---|---|
Name | 512x128 Kbps usenet |
Priority | 0 |
Download Rate Limit | 512 Kbps |
Upload Rate Limit | 128 Kbps |
Burst | none |
Guarantee | none |
Applications | usenet |
Policies | Basic, Free |
Create a new 50x2/account Bandwidth Queue
Click Create New in the Bandwidth Queues scaffold.
Field | Value |
---|---|
Name | 50x2 Mbps per account |
Priority | 0 |
Download Rate Limit | 50 Mbps |
Upload Rate Limit | 2 Mbps |
Burst | none |
Guarantee | none |
Shaping | Account |
Policies | Premium |
Final Bandwidth Queue Result
Uplink Control Policies
Navigate to Policies :: Uplink Control
Edit the Uplink
Click Edit on the Uplink record of the Uplinks scaffold. Enable the Google Public DNS 1 and Google Public Dns 2 ping targets.
Ping Targets are necessary for the rXg to monitor uplink health and ensure proper link, and you cannot add an Uplink to a Link Control unless it has at least 2 ping targets.
Create a new Load Balance Link Control
Link Controls enable the operator to control which Uplinks the user population utilizes. Policies may be restricted to using one or more uplinks. When multiple Uplinks exist in a policys Link Control, the user devices will be load balanced across those Uplinks in accordance with the weight of the associated uplinks.
The breadth of Link Controls effect can be limited by associating Applications or WAN Targets. When either are selected, there must be a Bandwidth Queue for the same combination of Applications or WAN Targets.
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | Load Balance |
Uplinks | Uplink, Charter Cable |
Policies | Premium, Basic |
Create a Charter Only Link Control
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | Charter only |
Uplinks | Charter Cable |
Policies | Business |
Create an Uplink Only Link Control
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | Uplink only |
Uplinks | Uplink |
Policies | Free |
Create a Backup Link Control
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | uplink backup |
Uplinks | Uplink |
Backup | checked |
Policies | Business |
Create an Application-Specific Bandwidth Queue
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | usenet through uplink |
Uplinks | Uplink |
Applications | usenet |
Policies | Basic |
Event Trigger Policies
Navigate to Identities :: Groups
Create a Quarantine IP Group
We will temporarily place users who violate our DPI and Connection Event Triggers into a Transient IP Group. We will assign the Quarantine Group to the Triggers, and while in this group, users will not have internet access and will be directed to the Splash Portal associated with the Customer Onboarding Policy.
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | Quarantine |
Priority | 7 |
Policy | Customer Onboarding |
Navigate to Policies :: Event Triggers
Create a new Connections Trigger
Click Create New in the Connections Triggers scaffold.
Field | Value |
---|---|
Name | 1000 Connections |
Policies | Basic, Free |
Max Connections | 1000 |
Duration | 15 minutes |
IP Group | Quarantine |
Flush Connection States | checked |
Create a new Quota Trigger
Click Create New in the Connections Triggers scaffold.
Field | Value |
---|---|
Name | Premium Abuser slowdown |
Policies | Premium |
Download | 50 GB |
Upload | 25 GB |
Window | 7 days |
Duration | 1 days |
Account Group | Basic |
Create a new Remote DPI Signature
Click Create New in the Remote DPI Signature scaffold. Accept the defaults, which will pull from emergingthreats.net
Edit the Emerging Threats Remote DPI Signature
Click Edit on the Emerging Threats Remote DPI Signature record. Review the list of categories and select several categories by command or control clicking items in the box.
Create a new DPI Trigger
Click Create New in the DPI Triggers scaffold.
Field | Value |
---|---|
Name | Quarantine Bad Behavior |
Policies | Basic, Free, Premium |
Remote Signatures | Emerging Threats |
IP Group | Quarantine |
Duration | 30 Minutes |
Flush connection states | Checked |
Review Policy Dashboard
Click Policies in the top menu. The Policy Dashboard now illustrates our policy enforcement configuration.
Navigate to Identities :: Groups
Update Basic Account Group Priority
When users trigger the Premium Quota Trigger, they are temporarily placed into the Basic Account Group (a transient group membership). Currently, the groups priority is the same as the Premium Account Group (all account groups are set to 4 by default). We need to increase the priority of the Basic Account Group so that it takes priority over the devices other group memberships.
Click Edit on the Basic Account Group.
Increase the priority to 5
Review Final Policy Dashboard
Logs Hits Trigger
The Log Hits Trigger function automatically adds identified IP addresses to a WAN target for a predefined timeframe when events such as repeated failed SSH login attempts or excessive traffic directed at a web server occur. This function allows for targeted restrictions on specific types of traffic, including blocking SSH, HTTP, or HTTPS access. This functionality works on both the LAN and the WAN. The configuration outlined below is intended for events on the WAN side of the rXg.
Create Blacklisted WAN Target Click on Identity :: Definitions. Create a WAN Target definition.
Add WAN Target to Admin ACL Click on System :: Admins. Modify ACL by adding a defined WAN Target.
Create Log Hits Triggers
Proceed to Policies :: Event Triggers. - Click create. - Name the trigger for identification. - Select the Policy that will be enforced. - Define Enforcement Thresholds. - Specify the Duration of transient membership. - Assign a blacklisted WAN target. - Select an email notification for the Log Hits Trigger Record.
Viewing Event Logs Navigate to Archives :: Trigger Logs for detailed event logs.
Additionally the Trigger Logs button under each listed Log Hits Trigger will display the log as well.
IPs are automatically removed after the expiration of the set threshold time duration.
SAML Admin Authentication
Create a SAML App in Google Admin Console
Log in to your Google Admin Console and navigate to "Apps"
Click on "SAML Apps"
Click "Add a service/App to your domain"
Click "Setup My Own Custom App"
Copy the SSO URL, and click "Next"
Give the Application a Unique Name. Optionally provide a description and custom logo, then Click "Next"
Create a new SSO Strategy in rXg
On the rXg, navigate to System::Admins. Create a new SSO Strategy. Paste the SSO URL Copied Earlier.
After clicking "Create", wait for the webserver to restart. Click "Show" on the SSO Strategy.
Copy the OAuth Redirect URLs (this is needed in the Google Admin Console).
Click on the Oauth Metadata URLs and locate the "entityID" field. (This is also needed in the Google Admin Console)
Finish SAML App in Google Admin Console
Provide the Redirect URL from above as the ACS URL. Also provide the Entity ID, and click "Next".
Create Attribute Mappings for all desired attributes. This example shows first_name
and last_name
. Additional custom attributes will be added, and mapped in later steps. Once complete click "Finish"
The new SAML App will be created disabled by default. Make sure to turn the App on for it to function.
Add Custom Attributes to GSuite Users
Navigate to "Users" in the Google Admin Console, and choose "Manage Custom Attributes" under the More dropdown menu.
Click on "Add a Custom Attribute" and provide a category name. Create a field for each custom attribute you want to provide. In this example an attribute field of admin_role
will be used to assign an Administrative Role on the rXg.
Edit a user to see the new Custom Attributes category, along with the defined fields. Populate the field with the name of an Administrative Role on the rXg.
Return to the SAML Application settings in the Google Admin Console, and add an attribute mapping for any custom attributes that have been added.
Log in Using SAML
You can now see a SAML login option available on the admin login portal.
Alternatively, an app is available in the list of Google Apps, that will immediately take you to the rXg administrative interface, as the user logged in to Google.
Radius Based Location
Navigate to Network :: Locattion
Create a new Location Area
Name is arbitrary. Set Type to Floor. Choose File to use as the Floorplan. Click Create.
Click on the floorplan and create a Region
In the Add a Region section give the Region a name, and select a color if desired. Click Add Region Drag the Region to the upper left corner of the room it represents and drag the corner to expand the Region to cover the room. Click Save in the Region to save the size and placement of the region.
Place the Access Point
In the Place an Access Point / Sensor section click the dropdown and select the Access Point. Click the Drag me button, and drag the Access Point into the Region that was previously created. Click Save on the Access Point box. Click the Green box in the upper right corner to close the Floorplan.
Create a new Location Category
Create a new Location Category. Name is arbitrary. For the Areas field select the Region creatd previously that contains the Access Point. For the Access Point field, click into the box and select the AP that is located within the Region created previously. Click Create.
Example of Location based Space-Time Trigger
In this example we will setup a Space-Time Trigger that looks at the dwell time of a device and sends an email when the dwell time is exceeded. First we will need to create the email to send out when the dwell time is exceeded. Navigate to Services :: Notifications.
Create a new Custom Message. Name is arbitrary. Destination should have the End-user check box selected by default, do not select any Administrative Roles unless you want those admins to also recieve the message. Under Message, set the Subject and fill out the Body with the message you want the end user or admin to receive. Click Create.
Navigate to Policies :: Event Triggers.
Create a new Space-Time Trigger. Name is arbitrary. Select the Policies that the Space-Time Trigger will be enforced on. Under Space Enforcement set the Current Area to area the Access Point is associated with. Set Current dwell to the amount of time that must be met to set off the trigger. Under Transition Behavior uncheck Flush connection states. Under Notifications specify the message that will be sent by clicking in the Messages box and then select the message created previously. Click Create.
This will now send an email to end user if they dwell in the area for more than 10 minutes.
Example of Location based Crowd Event
Navigate to Network :: Location
Edit the Location Area where the crowd event should take place. Click Show for Crowd Event. Set the Threshold to the desired number of devices that should trigger the event. Click Update.
Navigate to Services :: Notifications
Create a new Custom Message. Name is arbitrary. Destination should have the End-user check box unselected. Check the admin roles you want to receive the crowd formed message. Under Message, set the Subject and fill out the Body with the message you want admin to receive. Click Create.
Create a new Notification Action. Name is arbitrary. Set Event Type to Location: Crowd Formed. Click in the Messages box and select the Custom Message created in the previous step. Click Create. Now when a crowd forms a message will be sent to the admin(s) roles selected.
FIAS PMS Simulator
Setup the FIAS simulator to start on boot
Login to the machine via SSH. Elevate to root access.
Create an rc.local.hook
that contains the appropriate commands to generate a fresh guest list and start the PMS simulator upon boot.
cat > /etc/rc.local.hook
#!/bin/sh
/space/rxg/rxgd/debug/gen_fias_guest_list > /space/guest_list.csv
nohup /space/rxg/rxgd/debug/fias_server.py -g /space/guest_list.csv &
CTRL-D
Now make the rc.local.hook
executable.
chmod +x /etc/rc.local.hook
Reboot the rXg to ensure that the FIAS simulator comes up. You may manually start the FIAS simulator without rebooting by executing sh /etc/rc.local.hook
with root privileges. You may check on the status of the FIAS simulator by running ps ax | grep fias
.
Configure rXg to communicate with local PMS simulator
Navigate to Gateways view through the Billing menu. Create a record in the PMS Server scaffold. We call it FIAS simulator. You may call it whatever you wish.
In the Interface Specifications subsection choose the MICROS FIAS for the Internet. Set the Host to be 127.0.0.1
and the Port to be 5010
.
Refresh the page to find the Guests scaffold populated with Guest and Room data from the FIAS simulator. This information should match the entires in the guest_list.csv
file.
Bootable USB
Overview
dd
is a command line utility for FreeBSD that allows the rXg to write to a USB drive. This capability is beneficial if you have out-of-band access to a rXg such as IPMI or iDRAC and wish to reinstall the OS remotely.
As with any remote operation, things can go wrong, so only perform these steps if you are willing to accept the risk. Make sure to have a backup plan, such as deploying somebody to the site if this process fails.
Once this process is complete, make sure that you either remove the USB drive or change the boot order of the system to avoid booting to the USB during a power cycle.
Process
SSH to the rXg and ensure you are root.
Check if the USB is plugged in by typing
geom disk list
. You can also get the drive name here for later in the process. In the image below, you can see a SanDisk Ultra USB is plugged in with a name of 'da0'.
- The next step is to get the source .img file on the rXg. There are many methods that can be used to accomplish this. In this example, the image file will be directly downloaded from the RG Nets build server. Now the rXg will fetch the image using
wget
.
cd /tmp
wget --user your_user_name --ask-password https://build.rgnets.com/build/official/iso/13.1-RELEASE-amd64-rxg-14.065.img
After submitting the above command, you should see the progress of the file download.
- Unmount the media
umount -f /media/
- Finally, use dd to write the file to the USB. Note the drive name 'da0' may be different in your environment. You can use
geom disk list
to check.
dd if=/tmp/13.1-RELEASE-amd64-rxg-14.065.img of=/dev/da0 bs=1m conv=noerror,sync
Once you have issued the dd command, you will have to wait for some time. The amount of time will vary based on the type of USB drive being used. It could be anywhere from 10 minutes to multiple hours. You can open a separate session and type gstat -p
to see if the USB drive is busy.
When the CLI returns, the USB is ready to be used.
Once the installation is complete, make sure that you either remove the USB drive or change the boot order of the system to avoid booting to the USB during a power cycle.
Piglet Sensors
Overview
The Piglet is a powerful network monitoring application developed by RG Nets, specifically designed to be installed on a Raspberry Pi (3 or 4). Commonly referred to as a network sensor, the Piglet is a versatile tool aimed at providing comprehensive insights into network performance.
Deployment and Functionality
The Piglet is strategically deployed within a network south of the rXg. It is capable of running tests over both wired and wireless connections, with the results being sent back to the rXg. These results can either be reviewed directly via the rXg interface or trigger notifications to network administrators for further action.
Testing Capabilities
A Piglet can execute two primary types of tests:
1. Ping Tests
Purpose: Measure latency, jitter, and uptime. Targets: Can be directed towards a specified target over the wired connection of the Piglet or a specified wireless LAN.
2. Speed Tests
- Internet Based Speed Test: Perform a standard internet speed test by setting the destination to speedtest.net.
- iPerf3: Configure the Piglet to run speed tests using iPerf3 to a specified destination. The rXg includes a built-in iPerf server which can be used as a target for these tests, effectively evaluating the LAN infrastructure.
3. Trace Routes
Use Cases
The Piglet is an essential tool for a variety of network monitoring and validation tasks:
- Throughput and Reliability Testing: Assess the performance of downstream network infrastructure.
- Client Network Experience Measurement: Evaluate the actual network experience from any client location within the network.
- Policy and Segmentation Verification: Remotely confirm the effectiveness of network policies, segmentation, and routing. Particularly beneficial if there's a lack of complete trust in the downstream infrastructure.
WLAN-Scoping
The Piglet also supports WLAN-Scoping, which allows all aforementioned tests to be configured over a specified wireless network. This ensures that network administrators have continuous visibility into the performance of all wireless networks within the environment.
Environment
This document was written and tested using the following components from the RG Nets and Respberry Pi ecosystem.
Manufacturer | Component | Version |
---|---|---|
RG Nets | rXg | 13.2 - 15.513-47 |
RG Nets | Piglet | Build #60 |
RG Nets | Boot Loader | |
Raspberry Pi | Compute Module 4 | Rev 1.1 |
Resoberry Pi | 4 Model B 4 GB RAM |
Hardware
Raspberry Pi
Version 1 - Raspberry Pi 4 Compute Module 4
Note: This version can be purchased directly from RG Nets. Product Code: Piglet-HW
- No SD/USB Required
Internal Wireless Adapter: - PCIE to mPCIE adaptor - AX210 WiFi 6E Card
Version 2 - Raspberry Pi (3 or 4)
- Recommended to use a USB instead of SD card.
Samsung Bar Plus (USB 3.1 Flash Drive) 32 GB
- Minimum 8 GB Memory
External Wireless Adapters: - Netgear AC 1200 A6210
Installation
Install Boot Loader Image (CM4)
To flash the eMCC directly you will need to run a provisioner on your local network and provide the boot loader image to the active project.
- To reprovision CM4 connect a USB cable between the provisioning server and the micro USB port of the Raspberry Pi Compute Module 4 IO Board.
- Put a jumper on the CM 4 IO Board.
This will cause the compute module to perform a USB boot, in which case the provisioning server will transfer the files of the utility OS over USB.
After the utility OS has booted, it will contact the provisioning server over Ethernet to receive further instructions, and download additional files (e.g. the OS image to be written to eMMC) as usual.
Install Boot Loader Image (Raspberry Pi 3 or 4)
Piglets rely on a compact boot loader that automates rXg server discovery. This boot loader also enables remote software updates for piglets, eliminating the need for physical intervention. It contains no inherent functionality aside from the ability to deploy images provided by the controller. Currently RG nets provides one full image but you can use the boot loader with any image that is supported by the Piglet hardware.
- Use a program such as Rufus (Windows) or balenaEtcher (MAC) to create a bootable USB or SD card with the boot loader image. It is recommended to use a USB drive.
Add a Piglet Image to the rXg
- Browse to Network >> Wireless >> Device Firmware
- Select "Create New" on the Device Firmware scaffold.
a. Select a name for the record.
b. Select "Choose File" and browse to the piglet image that you wish to upload. Alternatively, you can have the rXg fetch the image by providing a remote URL, username, and password. - If you wish this image to be used as the default, you can check the "Default" field.
- Click "Create"
Note: rXg Device Firmware management can be used for other images that are compatible with Raspberry Pi such as WLAN Pi.
Configure the rXg for Piglet Discovery
- Browse to Network >> Wireless >> WLAN Controllers
- Select "Create New" on the WLAN Controllers scaffold.
a. Select a name for the record.
b. Set the Device Type to "Piglet".
c. Set the host address to "127.0.0.1". - Click "Create"
Approve Piglet and Select Default Image
When the piglet boots, it will automatically pull a DHCP address and discover the rXg.
- Browse to Network >> Wireless >> Access Points
- Edit the record for the newly discovered piglet.
- Select the desired "Device firmware".
- Click "Update".
- Click "Approve" on the appropriate row.
Configuration
Ping Tests
Ping tests can be scheduled to run from any approved piglet on either the wired or wireless connection.
- Browse to Instruments >> Network Monitor >> Ping Targets.
- Click "Create New" on the ping targets scaffold.
a. Select a meaningful name for this target that accurately reflects the purpose.
b. Select the destination address that you would like to have the piglet ping.
c. Select wired to use the wired interface, or select a WLAN to use a wireless interface.
d. Select the piglet and radio that the ping should source from.
Results
There are (2) methods that you can use to see the results being generated by the piglets:
1. Click "Graph" on the Ping Targets record scaffold.
2. Create a System Graph.
- Browse to Archives >> Reports >> System Graphs.
- Click "Create New" on the Systems Graphs scaffold.
a. Select a meaningful name for this target that accurately reflects the purpose.
b. Select which instrument you would like to graph. There are several that applicable to ping targets.
c. Select the period to be used for data visualization.
d. Select the data interval for the results to be grouped by.
e. Select the ping target to be graphed. - Click "Create"
Speed Tests
Speed tests can be scheduled to run from any approved piglet on either the wired or wireless connection.
- Browse to Instruments >> Network Monitor >> Speed Tests.
- Click "Create New" on the speed tests scaffold.
a. Select a meaningful name for this target that accurately reflects the purpose.
b. Select the type of speed test that you would like to run. You can select iperf 3 and then either choose from the following list of public targets or you can specify your own target. Alternatively, you can set the type to Speedtest.net and the rXg will automatically determine the closest server on the WAN and run a speed test against that server.
c. If you selected iPerf3 in the previous step, and left Public iPerf3 target empty, you can designate an iPerf3 server here that exists on the WAN or LAN of the rXg.
d. Select wired to use the wired interface, or select a WLAN to use a wireless interface.
e. Select the piglet and radio that the speed test should source from.
f. Select how frequently you would like the speed test to run. - Click "Create"
Note: An iperf server must exist prior to creating this test if using iPerf3 to the rXg gateway. More Information
Results
There are (2) methods that you can use to see the results being generated by the piglets:
1. Click "History" on the speed test record.
2. Browse to Instruments >> Network Monitor >> Speed Test Results
Trace Routes
Coming Soon...
Frequently Asked Questions
Q: Why would the piglet allow me to adopt it, but then not boot after downloading the piglet image.
Possible Answers:
- Most likely you are running a Raspberry Pi with insufficient memory. You should have a minimum of 8 GB of memory.
- Ensure that you have selected an image in the AP profile to be loaded to the piglet.
Q: How can I remotely reflash a piglet?
A: Change the fimware version in the AP profile for the piglet and then reboot.
Q: Can piglets be installed on remote networks?
A: Yes, by default the Piglet contacts its default gateway as the controller. In case the piglet is on a remote network from the controller you can tell it the IP address of the controller through a custom DHCP option.
Option 43: suboption 1, type text, data: the ip of the rXg controller
Note: The Piglet sends a Vendor Client Identifier (option 60) RG Nets
OpenWiFi
Bhyve Setup
1. Setup Virtualization Hosts
To install the OpenWiFi controller in Bhyve first we must ensure we have a Virtualization Host to install to. Navigate to Services::Virtualization, if a host does not exist create a new Virtualization Host.
Give the Virtualization Host a name, the name field is an arbitrary string used to identify the host here I've set the name as the FQDN. Autostart Delay, and Reserved CPU count will be left at default values. Next name the Virtual Switches to make it easier to identify. Here I name my WAN and LAN connections, we will only need the LAN connection for our OpenWiFi controller. Click Create.
2. Install OpenWiFi Controller as a Virtual Machine
We will use a built in Config Template to automatically download the OpenWiFi controller software. Navigate to System::Backup and find the Config Template named "Example: 06 Download rXg Openwifi Image Config". If you do not see any example config templates click the "Show Examples" link.
We do not need to modify this template, it is going to download the openwifi img file and make it available as a disk image. Click apply to have it download the image.
After clicking apply we should get a Success message.
We can verify that the image was downloaded by navigating to Services::Virtualization and clicking Disk Images on the record for our Virtualization host.
Now that we have confirmed that the image has been downloaded we are ready to create the Virtual Machine. We will utilize another config template to automatically deploy the VM. Navigate to System::Backup, and find the config template named "Example: 07 Deploy Virtual Openwifi Controller Config". Do not click apply, instead click Edit. We will need to modify the template to match our networking.
Adjust the name variable if desired, I will leave the name as "openwifi". Next I am looking for the line with "mapped_switches". I am going to change this line from: "mapped_switches = ["igb0", "igb1", "igb2"]" to; "mapped_switches = ["vmx4 LAN"]
This is NOT the name of the interface but rather the name of the virual switch, I named mine "vmx4 LAN" so I need to make sure that matches. To verify the name navigate to Services::Virtualization and look at the Virtual Switches scaffold and find the name of the switch the OpenWiFi controller will be connected to.
You may also need to adust the IP address asigned to the controller. Look for the cidr, gateway, and nameservers variables, and adjust accordingling. This controller in this setup will be on the 192.168.5.x network.
I have adjusted the variables to match my network below.
Next we need to specify an SSH key pair. For this I will leverage the ssh key tied to my admin account. In the real world it is best to make a new ssh keypair for this so it is not tied to an individual. Now that I have adjusted the config template I can click the update button.
Now we are ready to apply the template. When we click apply this will create a new VM, connected to the interfaces we specified in the template (just vmx4 LAN in this case), we can see that the VM will have 8GB of memory, 8 cpu cores, and a 10GB HDD.
We can confirm that the new VM was created by navigating to Services::Virtualization and review the Virtual Machines scaffold.
In addtion to creating the VM, the template also created a DNS override for "openwifi.wlan.local" this is because in a later step we will need to hit that URL to access the controller and need it to resolve to the IP address of the controller. To verify that the DNS override is setup correctly, navigate to Services::DNS and review the DNS Records scaffold.
What this entry does is overrides any DNS for "openwifi.wlan.local", so that if I am behind this system and point my browser to the FQDN it will resolve to 192.168.5.9 and allow me to access the controller. This is important without this we will not be able to login to the controller as we will see in a future step.
Now we must start the installation process on the VM, navigate to Servcies::Virtualization. The openwifi Virtual Machine has a commands link to the righthand side, select start from the list. This will turn on the machine and begin the installation process.
VM state will change from stopped to Running. Note that installation takes about 2 minutes.
To verify that the controller is up and running click the VNC viewer option and open the console window. Note that we do not need to login or do anything via the console window it can be closed.
3. Create new user on controller
Now that the controller is installed we need to login using the default credentials and create a new user and remove the default user (if desired). To do this navigate to https://openwifi.wlan.local:8443 and login with the default username password.
Username: [email protected] Password: openwifi
At this point if you login and get an invalid credentials message, even though you are using the correct username/password. This is because its trying to hit a different port and will get stopped by the certificate since it is not valid. You can direct your browser to the following URL https://openwifi.wlan.local:16001/api/v1/oauth2?requirements=true and accept the certificate and then login again.
When you login for the first time it will prompt you to change the password.
After changing the password you will be logged in. We will want to create a new user, to do this select users from the menu on the left.
Next click the "+" sign in the upper right corner.
Fill out the email, name fields, and set a password. Toggle force Password Change off otherwise you will be prompted to change the password you just set again upon first logging in. Toggle Email Validation off. Then click the disk icon in the upper right.
Next logout and log back in with new user and delete the default user.
3. Add OpenWiFi as infrastucture Device
Now that we have installed the OpenWifi Controller and we have created a user we can add it as an infrastucture device. Navigate to Network::Wireless and create a new WLAN Controller.
Give the controller a name, change the Type field to OpenWifi. Enter the controllers IP address in the Host field. Change the username field from admin to the email address of the user created in the previous step and enter the password in the password field below. Change the Timeout field from 5 to to 30. Click Create at the bottom of the record.
After creating the WLAN Controller record it will takea few seconds and then the Online field should change from offline to Online.
Next select Import on the far right of the WLAN Controller entry, and click on Import. Enter the CIDR of the network(s) the controller should look at for APs.
Next click on "Sync not enabled".
Click on Generate Diff.
After clicking Generate Diff any changes will show up in the Synchonize field. The first time you join the AP it will have more than what we see here, regardless, the next step is to click Enable Config Synchonization.
After this step the Openwifi controller should be online and in sync.
Notes
If you click on the Generate Diff button and nothing seems to happen this is likely because the AP's are not configured correctly. In the above example I had to login to the tip portal and do an AP transfer. To do this I logged into the portal, and clicked on the Transfers option on the left menu.
Click the Create Transfer Button.
Enter the MAC address in the Serial Number field, the Redirector should be set to openwifi.wlan.local, and then enter a reason for the request. Then click Start Transfer. After completing this process I was then able to generate the diff and click enable sync after factory resetting the AP.
Bootstrap License
Access the rXg Admin interface
After installing the ISO and viewing the CLI, find the IP address and use a browser to navigate to https://%lt;ip.address%gt;/admin and you will be presented with the create first admin GUI.
You may choose to access the rXg from the LAN or the WAN. For the purposes of this lab, use your management computer to connect to the LAN side of the rXg via the wireless network that has been created for your lab (lab0X SSID).
When configuring a single physical rXg, this will be the_highest_ numbered port. Usually this is EM3 or IGB3. For a virtual installation, you must connect to the same vSwitch portgroup as the last virtual interface of the guest VM.
The LAN interface runs a DHCP server, handing out addresses in consecutive /30 subnets starting at 192.168.5.0/30. Check your computers network configuration to find the default gateway you were assigned (usually will be 192.168.5.1 ). This is the IP you will use to access the rXg from the LAN.
Alternatively, the lowest numbered port (EM0 or IGB0) will act as the default WAN port, and will function by default as a DHCP_client_. If you have a DHCP server connected to the WAN side, you can see the IP address that the rXg receives by checking the DHCP servers logs or by looking at the physical or virtual console:
In a web browser, access the url https://<ip.of.rxg>/admin. For example:
Surf to https://192.168.5.1/admin/
Accept the self-signed certificate warning.
Create the first Administrator
When creating the first administrator credentials, strong passwords are required. Passwords should include lower case, upper case, numbers and symbols. If you have a private/public key pair that you will use for SSH/ SCP access to the rXg, include the public key in your admin record. Note: When creating the first administrator you will see a QR Code and a long string of alpha numeric characters. You will need to copy these characters to license your copy of the rXg.
Click Create New in the Administrators scaffold.
Enter a login and a secure password. Passwords that do not meet complexity requirements will not be accepted. Good passwords are long, and contain characters from multiple classes (lower case, upper case, numbers and symbols). If you have a private/public key pair that you wish to use for SSH/SCP access to the rXg, you may enter your public key in your admin record.
Click Create when finished.
Access License Portal
When you signed up for your Free version of the rXg or made your purchase, an asset was assigned to your unique credentials on the store. Login to https://store.rgnets.com with those same credentials to obtain your license.
The rXg will not route traffic until it is licensed. Connect to a network with Internet access ( RGNets Training SSID).
Visit https://store.rgnets.com and log in with your RG Nets support credentials. Click on Asset Manager on the top of the page.
Update DNS name
Within the Asset Manager at https://store.rgnets.com navigate to "Asset Manager" in the main navigation. Find the asset assigned in the table below, if this is your first installation or the Free Version of the rXg you will only have one asset to update the FQDN and IUI. In the space provided, type or paste the fully qualified domain name (can be subdomained) associated with this installation (example shown here for lab04-cc1.netlab.ninja).
Enter fully qualified domain name and press the rename button. Press the Set FQDN button when complete.
Update the IUI
From the initial "Create First Administrator" screen, copy and paste the Installation Unique Identifier (IUI) in the field provided in the Asset Manager table.
The IUI uniquely identifies the rXg installation, and is tied to the hardware in the system. Any hardware changes after the IUI has been entered into the licensing portal requires re-licensing with RG Nets.
Enter the IUI obtained from the first new admin view of the rXg admin console and press the Set IUI button. On the next screen press Set IUI button again.
Obtain License
Once you have set the FQDN and IUI, click the Get License button. In the popup, the Asset Manager will provide a unique license key. Press the Copy to Clipboard button to copy the license.
Navigate to System :: Licenses
Edit the License Key
Click Edit in the license keys scaffold.
Paste the license from license portal
Click Update when complete.
After updating the license, the rXg will take a moment to restart its background processes to open up access to the rest of the admin console.
Bootstrap WAN
After licensing the system, we will configure the WAN uplink.
Navigate to Network :: WAN
Edit Uplink
Lower Priority to 5
The Priority field determines the order of precedence during failover in a link control scenario. When only one uplink is configured, this field has no effect as there is no uplink to failover to. When multiple uplinks are configured and connection aggregation is enabled, a failure of a link will cause another member of the pool to forward all traffic. If aggregation is not enabled, or all uplinks within a pool have failed, then the uplink with the highest priority amongst all of the remaining uplinks will be used to forward the traffic. The Uplink with the highest priority becomes the default route for the rXg.
Create New em1 Ethernet Interface
Click Create New under Ethernet interfaces. Accept the defaults provided to add the em1 interface.
Create the Charter Cable Uplink
Click Create New under the Uplinks scaffold.
Field | Value |
---|---|
Ethernet | em1 |
Priority | 9 |
DHCP | Unchecked |
Gateway IP | Obtain from Lab Sheet |
Download | 60 Mbps |
Upload | 40 Mbps |
DNS | Google Public DNS servers |
Ping Targets | Google Public DNS servers |
Create the Charter Cable Network Address
Click Create New under the Network Addresses scaffold.
Field | Value |
---|---|
Name | Charter Cable |
IP | Obtain from lab sheet |
Subnet | Obtain from lab sheet |
Autoincrement | 1 |
Span | 1 |
Autoincrement tells the rXg to automatically configure multiple, consecutively addressed, subnets on a single native or logical (VLAN) interface. Span tells the rXg to consume one or more consecutive IP addresses on a native or logical (VLAN) interface.
Final result
We now have a higher-priority static uplink, and a lower priority DHCP uplink.
Bootstrap System
Navigate to System :: Options
Enter the FQDN and Timezone
Edit the Default System Options and enter the rXgs fully qualified domain name ( FQDN ). Leave all other defaults. Click Update when done.
System :: Certificates
Create a new Certificate
Click Create New in the Certificates scaffold. The name will be filled in automatically from the system options. The rXg has generated a private key for the certificate already, and nothing else needs to be added yet. The private key will be utilized when the rXg generates a Certificate Signing Request in the next step.
Create a new Certificate Signing Request
Click Create New in the Certificate Signing Requests scaffold.
Complete the form with information to identify yourself to your 3rd party signing authority.
The Common Name (CN) must match the FQDN that will be used to access this rXg. If you will be purchasing a wildcard certificate from your certificate vendor, the CN should be *.domain.com
The email address will be tied to the certificate, so do not use your personal email address.
Copy the CSR
Copy the entire textblock of the CSR column of the newly created record, including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----
The CSR will be provided to your certificate vendor, which they will use to generate the intermediate and server certificates used in the next steps.
Submit CSR to 3rd party Certificate Authority
Submit the CSR obtained above and provide it to the certificate authority for them to generate and sign your certificate. When downloading the certificates, you should request apache format.
Once you have the intermediate certificates and the server certificates from your CA, proceed with the next step.
Update the Certificate Chain
Open the downloaded intermediate and server certificates in a text editor. For the purposes of this lab, intermediate and server certificates will be provided to you by the instructor.
Click Edit on the Certificate we created previously and supply the entire text of the intermediate and server certificates. Ensure that the Active checkbox is enabled. Click Update when complete. The webserver will restart while the new certificate is activated.
Bootstrap LAN
We will now configure the LAN side of the rXg.
Review Network Dashboard
The network dashboard shows a dynamic overview of the current network topology as well as utilization info.
Network :: LAN
Edit the Management LAN Network Address
Change the subnet mask to be 255.255.255.0 (changing from a /30 to a /24).
Set autoincrement to 1
Create an Infrastructure Device
Create an Infrastructure Device for your labs wireless controller. In this case, it is a RUCKUS virtual SmartZone (vSZ).
Field | Value |
---|---|
Device | RUCKUS SmartZone |
IP | 192.168.5.2 |
Protocol | SSH |
Port | 22 |
Username | admin |
Password | lab01admin! *note: substitute lab number for 01 |
Enable Password | lab01admin! *note: substitute lab number for 01 |
Creation of an Infrastructure Device allows the rXg to notify the RADIUS NAS (either the wireless controller or the wired switch) that a VLAN change has taken place, and that the connected device should be disconnected and immediately reconnected in order to re-initiate the RADIUS authentication process and be assigned the new VLAN tag assignment. Infrastructure Devices are also utilized by the conference tool to allow configuration changes such as the creation of WLANs for the duration of a conference.
Create a new em3 Ethernet Interface
This interface will be the source of the VLAN-tagged traffic coming from our wireless infrastructure.
Create a new Customer VLAN
Click Create New in the VLANs scaffold.
Name it Customer VLAN 1100. Select our newly created em3 interface. Enter 1100 for the VLAN ID. Do not check auto increment.
Create a new Customer Network Address
Click Create New in the Network Addresses scaffold.
Make sure Ethernet does not have a selection. Select our newly created VLAN (Customer VLAN 1100).
Field | Value |
---|---|
Ethernet | - Select - *make sure this has no option selected |
VLAN | Customer VLAN 1100 |
IP | 10.0.0.1 |
Subnet | 255.255.255.0 |
Autoincrement | 1 |
Span | 1 |
DHCP pool | checked |
Final result
Navigate to System :: Portals
Create a new HTTP Virtual Host
An HTTP Virtual Host proxies web access to devices on the LAN based on the hostname of the request.
Click Create New in the HTTP Virtual Host scaffold.
Enter the FQDN of your wireless controller, as listed on your lab sheet.
Field | Value |
---|---|
Hostname | Obtain from lab sheet |
IP | 192.168.5.2 |
Local server HTTP(s) Port | 8443 |
HTTPS | checked |
ENABLE AUTOINCREMENTED VLANs
Edit the Customer LAN Network Address
Click Edit on the Customer LAN Network Address.
Change the Subnet to 255.255.255.252 (/30) and change Autoincrement to 64.
The rXg will automatically configure 64 contiguous /30 subnets to replace the single /24 subnet we created previously.
Note: Because 64 /30 subnets fit exactly into a single /24 subnet, we are still consuming the same overall network address space, and therefore do not need to edit our DHCP pools. If we had chosen a smaller or larger autoincrement number, the DHCP pool that was created automatically when this Network Address was created would now be invalid, raising a health notice and requiring manual intervention.
Edit the Customer VLAN
Click Edit on the Customer VLAN 1100 record in the VLANs scaffold.
Enable the Autoincrement checkbox.
Set the Autoincrement Ratio to 8.
Click Update.
If the autoincrement ratio were set to 1, the rXg would automatically create one VLAN interface for each autoincremented subnet in the associated Network Address (64 unique VLAN interfaces). Because we have set a ratio of 8, the rXg will create one VLAN interface for every 8 subnets. (64 subnets / 8 = 8 unique VLAN interfaces).
Final Result
Dynamic VLANs
Navigate to Identities :: Groups
Notice that there is already an IP Group for the vSZ. It was created automatically when we created the infrastructure device.
Create a Management IP Group
Click Create New in the IP Groups scaffold.
Field | Value |
---|---|
Name | Management |
Priority | 8 |
Addresses | Management LAN |
Navigate to Policies :: Captive Portals
Create the Management Policy
Notice there is already a Lab vSZ policy, which was created when the infrastructure device was created.
Click Create New in the Policies scaffold. This policy will be added to the RADIUS server ACL in the next step.
Field | Value |
---|---|
Name | Management |
IP Groups | Management |
Navigate to Services :: RADIUS
Edit the Default RADIUS Server Options
Click Edit in the Default record of the RADIUS Server Options scaffold.
Enable the Management policy. Notice that the Lab vSZ Policy was added automatically at creation.
Click Update.
Create a New RADIUS Server Realm
Click Create New in the RADIUS Server Realm scaffold.
Field | Value |
---|---|
Name | Customer Assignment |
Policies | None selected |
Attribute Patterns | |
Priority | 0 |
Attribute | Called-Station-ID |
Pattern | lab01-customer |
Sharing | Per-Device |
VLANs | Customer VLAN 1100 |
Reuse | Checked |
Infrastructure Devices | Lab vSZ |
Respone Attributes | Tunnel-Type: VLAN |
Tunnel-Medium-Type: IEEE-802 Tunnel-Private-Group-ID: %vlan_tag_assignment.tag% |
Final result
CONFIGURE CONTROLLER FOR DVLAN
Create AAA Server
Ruckus Switch
Navigate to Network::Wired
Create New Switch
Click on Create New in the switches scaffold. Use the table below, substituting your lab number for 01
Field | Value |
---|---|
Name | lab01-switch |
Type | RUCKUS ICX |
Host | 172.16.0.4 |
Subnet Mask | 255.255.255.0 |
Gateway IP | 172.16.0.1 |
Username | super |
Password | lab01admin! |
Bootstrap Switch Config
A new record will appear in the switches scaffold. The switch is currently offline. Click on Sync not enabled to generate a bootstrap configuration.
Enter the current device password, and click on Download Bootstrap Configuration
A plaintext file will be downloaded that should resemble:
! PHASE 1 - Increase max VLANs (requires a reboot)
enable
config terminal
system-max vlan 4095
write mem
exit
reload
y
! PHASE 2 (after reboot) - Configure remaining settings
enable
config terminal
skip-page-display
crypto key generate rsa modulus 2048
ip ssh key-exchange-method dh-group14-sha1
aaa authentication web-server default local
aaa authentication login default local
aaa authentication dot1x default radius
lldp run
snmp-server community public ro
username super password lab01admin!
aaa authentication login default local
vlan 1
ip address 172.16.0.4 255.255.255.0
management-vlan
default-gateway 172.16.0.1 1
exit
ntp
server 172.16.0.1
exit
write mem
SSH or console into the switch (switch will get DHCP by default). Type the commands from Phase 1 in, one at a time. The switch will reboot. Once it reboots, SSH in again, and copy/paste all of Phase 2.
Enable Config Sync
The switch should now show as "Online" in the switches scaffold. Although the switch is bootstrapped, click on Sync not enabled to start the sync process.
Click on Generate Diff to Enable Sync
The remaining configuration to synchronize the switch is displayed. Click Enable Config Synchronization
Click OK at the warning prompt
Results will be displayed showing "Configuration is now in sync. Running config saved to startup.
i
The sync status will turn green, displaying the last upate timestamp. The switchports can now be configured on the rXg
Adding VLANs to a Switchport
Click Edit on a switchport in order to add VLANs to that port.
Choose the VLANs from the list, and click Update
The rXg will automatically run the necessary commands on the switch to enforce these changes. The timestamp in the "Config Sync Status" will also be updated.
Adtran vWLAN
Deploy vWLAN controller in VMware.
On windows machine navigate to ESXI host and download the ova file from the datastore. Storage-->Lab Files-->Browse Datastore. Download the vWLAN-X-X-X.ova file.
Create new virtual machine, select "Deploy a virtual machine from an OVF or OVA file".
Give the vm a name, click on "Click to select files or drag/drop" and select the ova file, click next.
Select datastore1 (should be selected by default), click next.
Deployment options network mappings: VM Network change to VM Lan Network, leave the reset default and click next.
Click Finish, and wait for the VM to be deployed.
In ESXi click on the adtran wlc VM to get IP address it received via DHCP from the rXg.
Access the vWLAN, use system on the mgmt lan, OR create virtual host for initial access remotely. Default username/password for Adtran WLC is [email protected]/blueblue. Set a static IP address to 172.16.0.5 by navigating to Configuration-->Network Interfaces-->Public. Uncheck DHCP and change the fields to the correct values, and click update network interface.
Field | Value |
---|---|
Address | 172.16.0.5 |
Netmask | 255.255.255.0 |
Gateway | 172.168.0.1 |
DNS 1 | 172.16.0.1 |
DNS 2 | 8.8.8.8 |
Hostname | vwlan |
Changes will not take effect until you run the Platform Task in the wlc. Click on Platform Tasks in the upper right corner and run the "Must restart network" task by clicking on it.
We will now upgrade the WLC navigate to Administration-->Platform Upgrade (Remember to use the new IP address that was configured in the previous step). Click Choose File and select the vWLAN-X-X-X-xxxxxx.img file, click "Run Task" and wait for it to complete.
Click on Platform Tasks in the upper right corner and run any pending tasks. Apply license to AP by navigating to Configuration-->Wireless-->AP Licenses, click on Upload AP Licenses. Click choose file and select the txt file the license key is saved it, set Domain to default and click Upload licenses.
Create DNS entries for AP discovery in rXg
Create DNS entries so that the AP can find the vWLAN. In the rXg navigate to Services-->DNS and create a new DNS Zone. Name: .local Type: master Domain name: local Master hostname: rxg.local. Hostmaster email: hostmaster@local Click on create.
Field | Value |
---|---|
Name | .local |
Type | master |
Domain name | local |
Master hostname | rxg.local. |
Hostmaster email | hostmaster@local |
Create a new DNS record, Name: apdiscovery.local Type: A Host: apdiscovery remove dynamic data Data: 172.16.0.5 TTL 60 Zone: .local Click create.
Field | Value |
---|---|
Name | apdiscovery.local |
Type | A |
Host | apdiscovery |
Data | 172.16.0.5 |
TTL | 60 |
Zone | .local |
Add Adtran vWLAN controller as infrastructure device.
Add the vWLAN as infrastructure device. Navigate to Network-->Wireless and create a new WLAN Controller. Name: Adtran WLC Type: ADTRAN vWLAN Host: Ip address of vWLAN change username/password accept defaults click create.
Field | Value |
---|---|
Name | Adtran vWLAN |
Type | ADTRAN vWLAN |
Host | IP address of vWLAN |
Reload page and click "Sync not enabled"
Click enable config sync
Create WLAN.
Navigate to Network-->Wireless and create new WLAN. Fill out the name with your lab number, select the Adtran controller, fill out SSID, and click create.
Field | Value |
---|---|
Name | lab0X |
Controller | ADTRAN vWLAN |
SSID | lab0X |
Encryption | none |
Authentication | none |
Ruckus vSZ
Deploy the vSZ Controller in vmware
On windows machine navigate to ESXI host and download the ova file from the datastore. Storage-->Lab Files-->Browse Datastore. Download the vscg-X.X.X.X.XXX.ova file.
Create new virtual machine, select "Deploy a virtual machine from an OVF or OVA file".
Give the vm a name, click on "Click to select files or drag/drop" and select the ova file, click next.
Select datastore1 (should be selected by default), click next.
Agree to the License Agreements by clicking 'I Agree', and then click next.
Deployment options network mappings: VM Network change to VM Lan Network Uncheck 'Power on automatically', and click next.
Click Finish, and wait for the VM to be deployed.
Edit Settings on the VM, and delete network adapters 2 & 3.
It should resemble this:
Power on the VM.
Configure IP Address, and Admin Password
Using the vmware console, login to the vSZ. Default credentials are admin / admin Run the command 'setup' to start the setup wizard
Field | Value |
---|---|
vSZ Profile | Essentials |
IP Version Support | IPv4 Only |
IPv4 configuration | Manual |
IP Address | 172.16.0.5 |
Netmask | 255.255.255.0 |
Gateway | 172.16.0.1 |
Primary DNS | 172.16.0.1 |
Enter 'y' to apply settings Enter 'y' to accept changes
Browse to https://172.16.0.5:8443Fill in cluster name, controller name, and description, leave other defaults
Enter 'lab01admin!' for the admin, and enable passwords.
Click finish.
Wait while the controller initializes.
This screen means you are ready to continue.
Add RUCKUS vSZ Controller as Infrastructure Device
Navigate to Network::Wireless
Click on 'create new' in the WLAN Controllers scaffold. Use the following table to populate the form, and click create.
Field | Value |
---|---|
Name | ruckus vSZ |
Type | RUCKUS SmartZone |
Host | 172.16.0.5 |
Username | admin |
Password | lab01admin! |
After a few seconds the Controller will appear online. Click on Sync not enabled.
Click on 'Enable Config Synchronization'.
The Controller is now managed by the rXg
Create WLAN
Navigate to Network::Wireless and create new WLAN. Fill out the name with your lab number, select the vSZ, fill out SSID, and click create.
Field | Value |
---|---|
Name | lab0X |
Controller | ruckus vSZ |
SSID | lab0X |
Encryption | none |
Authentication | none |
Extreme WiNG
Build VX9000 in vmware
Create a new virtual machine, select 'Create a new virtual machine'. Click next.
Add a name, and choose 'Other' for OS Family, and 'Other (64-bit)' for OS Version. Click next.
Select 'datastore1' for storage (default). Click Next.
Increase Memory to 4GB Increase Hard Disk to 20GB Select 'Thin Provisioned' under Hard Disk options. Scroll down
For 'CD/DVD Media' select 'Datastore ISO file', and choose the VX9000-DEMO-x.x.x.x-xxxR.iso. Click Next
Verify settings, and click finish.
Power on the VM. Using the vmware console press enter/return to start the installation
Accept these defaults by pressing enter/return
The installation is finished when you reach this screen. Go to VM Settings, and change CD/DVD back to 'Host Device'.
Press enter/return to intiate the reboot.
Add VX9000 to Wireless Infrastructure Devices
Navigate to Network::Wireless
Click 'Create New' on the WLAN Controllers scaffold. Populate the form using the following:
Field | Value |
---|---|
Name | VX9000 |
Type | Extreme WiNG VX/NX |
Host | 172.16.0.5 |
Subnet Mask | 255.255.255.0 |
Gateway IP | 172.16.0.1 |
Username | admin |
Password | lab01admin! |
Click on "Sync not enabled" to generate a bootstrap configuration
Apply Bootstrap Configuration and Enable Sync
In vmware console, login to the VX9000 with default credentials admin/admin123 . You will be prompted to change the password. Type 'lab01admin!' substituting your lab number. Then type the commands from the bootstrap configuration.
The VX9000 will become reachable, refreshing the rXg screen. Click 'Enable Config Synchronization'.
The VX9000 is now managed by the rXg
Create WLAN
Navigate to Network::Wireless and create new WLAN. Fill out the name with your lab number, select the VX9000, fill out SSID, and click create.
Field | Value |
---|---|
Name | lab0X |
Controller | VX9000 |
SSID | lab0X |
Encryption | none |
Authentication | none |
Aruba Wireless
Deploy a Mobility Master (MM)
Follow manufacturer guidelines for deployment, and licensing, of Aruba Networks Mobility Master. MPSK is only available with a MM.
Configure Mobility Master
Locate the MAC address of the Mobility Controller by logging into the MC GUI, or running
show switchinfo
at the MC CLIAdd a Mobility Controller (MC) to the Managed Network Section.
Add the IP address of the MC to the controller definition.
Add the MAC from the MC to the controller definition.
Choose the appropriate device type for the controller definition.
Click the "Mobility Master" heirarchy level of the left panel, then Configuration -> Controllers.
Create a new controller IPSec key value. (This will be used in the MC deployment)
Deploy changes
Deploy Mobility Controller (MC)
Follow manufacturer guidelines for deployment of Aruba Networks Mobility Controller. Provide the IP, and IPSec PSK of the MM during setup.
Configure Mobility Controller
Once the MC is added to the Mobility Master, configuration is completed from the MM GUI.
At the heirarchy level of the group created in step 1 above, deploy a WLAN.
Provide an SSID Name, and choose Tunneling
Leave the default VLAN selection.
Set the security to wpa2personal, choose mpsk.
Create a new RADIUS Authentication Server with details with regards to rXg
Leave the default role selections
MAC authentication is enabled with MPSK by defualt. Manually edit the profile in order to associate the WLAN with the correct AAA server group. It does not use the server assigned for MPSK settings.
- From the group hierarchy level go to configuration -> system -> profiles -> Wireless LAN -> AAA -> (wlanname)_aaa_prof -> MAC Authentication Server Group -> set to the (wlanname)_dot1_svg group that got created from the mpsk 802.1x settings
On the Group level, go to Configuration -> Interfaces -> VLANs and create the range of possible VLANs
In the same section, verify the ethernet port you are using is set to "trunk allow all", under the Ports tab
Deploy changes
Configure Aruba Central
- Make sure the correct group is selected that contains the AP(s), you can verify this by looking in the upper left corner.
Click on devices, which will take us to the WLANs section. Click Add SSID
Give the SSID a name. Click next.
In the VLAN section leave defaults and click next.
Change Key Management to MPSK AES.Click the + in the Primary Server field, give the Server a name, and copy the shared secret from the Radius Server Options to the Shared Key and retype Key fields. Set the IP field to the IP Aruba Central will talk to the rxg on, and click OK. The Shared Secret can be obtained by navigating to Services::Radius in the rXg.
Expand advanced settings and enable "Called station ID include SSID" Click next.
For the Access section, click next without making changes.
Verify settings in the Summary view and click Finish. Note that with Aruba MPSK it is required that a devices MAC address be present in an account for the MPSK to work on any given device.
Configure Change of Authorization (CoA)
- At the Group heirarchy level, navigate to Configuration -> Authentication -> Auth Servers -> All Servers
- Create a new server, and provide the rXg IP, and RADIUS shared secret
Edit the AAA Profile and specify the newly created server under RFC3576
At the MC Heirarchy level (NOT the group level), navigate to Configuration -> Authentication -> Advanced
Set the RADIUS Client to the correct interface, and IP of the MC, so that the NAS-IP of RADIUS requests will be the MC (where CoA must be sent), and not the MM.
Configure rXg
Associate a RADIUS Server Attribute "Aruba-MPSK-Passphrase" with the value "%account.pre_shared_key%" to the RADIUS Realm
Cambium Wireless
Deploy cnMaestro On-Premises in vmware
Navigate to ESXI host and create new virtual machine, select "Deply a virtual machine from an OVF or OVA file".
Give the vm a name, click on "Click to select files or drag/drop" and select the ova file, click next.
Select the storage where VM will be created, click next.
Agree to the License Agreements by clicking 'I Agree', and then click next.
Select the appropriate Network mapping for your network, should be connect to the LAN of the rXg. Verify settings, click next.
Click Finish, and wait for the VM to be deployed.
Configure cnMaestro
For On-Premises navigate to IP address of cnMaestro VM and login with admin/admin.
Set Country and Time Zone.
Change the Default "Admin user" Password, and re-authenticate.
Enable API by navigating to Network Services => API Client.
Click the "Add API Client" button.
Enter a name/description (can be anything), click save.
Now there will be a Client Id and Client Secret. The Client Id is the username and the Client Secret is the password.
Enable SNMP. Note: This step should be skipped if not using On-Premises. First navigate to Administration =>
Expand Optional Features and check the Enable SNMP box, click save.
Set SNMPv2c RO Community name, by navigating to Network Services => SNMP Configuration.
Set the SNMPv2c RO Community string and click save.
Point AP to the controller. Access the AP via it's IP address and login using admin/admin.
Select System from the menu and look for cnMaestro under Management. Enter the URL or IP address of the cnMaestro in the cnMaestro URL. Click Save.
Next we need to claim the AP, navigate to the cnMaestro Dashboard and click onboarding under Devices.
Approve the AP by clikcing the Approve button.
Next add AP to Wi-Fi AP Group. Click on Monitor and Manage and find the AP under Networks, click on the 3 dots next to the AP and select edit.
Under Device Configuration, change AP group to Default Enterprise and Apply Configuration.
Add Cambium cnMaestro Controller as Infrastructure Device
Navigate to Network::Wireless.
Create a new WLAN Controller.
Enter a name in the Name field. Select Cambium cnMaestro from the Device Type drop down menu. Enter the IP address on the controller in the Host field. API port field set to 443. Enter the Username and password in respective fields. Click create.
NOTE: If you are using the Cambium Cloud, the Host field will be cloud.cambiumnetworks.com. The username and password fields are the same as a local instance documented above.
After a few seconds the Controller will appear online. Click on Sync not enabled.
Click on 'Enable Config Synchronization'.
The Controller is now managed by the rXg.
TP-Link Omada
Environment
This document was created using the following hardware and software:
rXg: Version: 14.284 Controller Model: tp-link Omada Controller (Windows) Controller Version: 5.6.13 AP Model: EAP610-Outdoor(US) v1.0 AP Version: 1.1.0 Build 20220930 Rel 65326
Deploy tp-link Omada controller on Windows.
Obtain the Omada installation file from tp-link. Double-click to begin the installation. Click "Next" through the typical installation wizard. On the final screen, make sure that "Start Omada Controller after installation is checked"
Allow access through the Windows firewall.
Click "Launch" to open the configuration page at https://localhost:8043
Click "Let's Get Started"
Set your timezone Set your deployment scenario Click "Next"
Click "Skip"
Click "Skip"
Click "Skip"
Configure credentials for the controller and access points. Disable Cloud Access Accept Terms of Use Click "Next"
Click "Finish"
tp-link Omada Controller Configuration for PPSK
Login using the credentials created in the previous step.
You can skip the tutorial here by clicking the X.
Configure AAA
Click the gear icon in the bottom left-hand corner for settings. Browse to Authentication >> RADIUS Profile Click "+ Create New RADIUS Profile"
Before you configure this section, you will need to have the IP address of the rXg, and the RADIUS shared secret. The IP address of the rXg should be reachable from the Omada controller. The shared secret can be obtained from the Admin UI by browsing to Services >> RADIUS
and then scroll down to the RADIUS Server Options
scaffold. Use this password for all password fields in the RADIUS profile below.
Click "Save" once the form is complete.
We now need to configure a RADIUS profile so that the Omada controller can send RADIUS requests to the rXg.
Add Access Points
In this next section, we need to add access points to the Omada controller. On the Omada Admin UI, browse to Devices
on the side menu.
In this section, we need to adopt the access points. The easiest way to do this is by using the batch adopt button under Batch Action.
Then select all of the access points and click "Done".
Once the adoption process is complete, you should see the AP show connected.
Add WLAN
In this section, we will configure a WLAN for unbound PSK.
In the bottom left corner, click "Settings".
Click "Wireless Networks" to expand the menu. Click "WLAN"
Click "+ Create Wireless Network".
Complete the form below as indicated. Be sure to uncheck the 6 GHz band or the SSID will not broadcast. Click "Apply"
You should now see the SSID being broadcast as a secure network.
rXg Configuration
The following configuration assumes that the rXg has been previously configured for an MDU deployment. The steps below demonstrate how to add the tp-link Omada controller to the existing configuration.
Add Omada Controller and WLAN
From the rXg UI, browse to Network >> Wireless
Click "Create New" on the WLAN Controllers
scaffold.
Complete the following fields with the appropriate information as it relates to the Omada controller. Click "Create"
Click "Create New" on the WLANs
scaffold.
Configure the following fields as indicated.
Configure RADIUS
From the rXg UI, browse to Services >> RADIUS
Click "Create New" on the RADIUS Server Attributes
scaffold.
Set the Name of the Attribute to TPLink-EAPOL-Found-PMK
Set the Value of the Attribute to %account.pre_shared_key%
Make sure that your Post-Auth realm is selected. Click "Create"
At this point, you should be able to associate to the ppsk SSID and enter a Pre-Shared Key that was previously configured for an account.
Add Account VLANs
Navigate to Network :: LAN
Create the Account VLANs
Click Create New in the VLAN Interfaces scaffold.
Field | Value |
---|---|
Name | Account VLANs |
Ethernet | em3 |
VLAN IDs | 1108 |
Autoincrement | Checked |
Autoincrement Ratio | 1 |
Addresses | None selected |
Create the Account Network Address
Click Create New in the Network Addresses scaffold.
Field | Value |
---|---|
Name | Account LANs |
Ethernet | None selected |
VLAN | Account VLANs |
IP | 10.0.1.1 |
Subnet | 255.255.255.240 |
Autoincrement | 64 |
Span | 1 |
Create DHCP Pool | Checked |
Review Network Dashboard
Click on the Network menu header to see the updated network diagram.
Navigate to Services :: RADIUS
Create the Account RADIUS Server Realm
Click Create New in the RADIUS Server Realms scaffold.
Field | Value |
---|---|
Name | Account Assignment |
Policies | None selected |
Attribute Patterns | None |
Sharing | Per-Account |
VLANs | Account VLANs |
Reuse | Unchecked |
Infrastructure Devices | Lab vSZ |
Respone Attributes | Tunnel-Type: VLAN |
Tunnel-Medium-Type: IEEE-802 Tunnel-Private-Group-ID: %vlan_tag_assignment.tag% |
Identities
Navigate to Identities :: Groups
Create a new Customer Onboarding IP Group
Click Create New in the IP Groups scaffold.
Field | Value |
---|---|
Name | Customer Onboarding |
Priority | 2 |
Addresses | Customer LAN |
Create Accounts IP Group
Click Create New in the IP Groups scaffold.
Field | Value |
---|---|
Name | Account Networks |
Priority | 2 |
Addresses | Account LANs |
Create Free Account Group
Click Create New in the Account Groups scaffold.
Field | Value |
---|---|
Name | Free |
Priority | 4 |
Policy | None selected |
Create Basic Account Group
Click Create New in the Account Groups scaffold.
Field | Value |
---|---|
Name | Basic |
Priority | 4 |
Policy | None selected |
Create Premium Account Group
Click Create New in the Account Groups scaffold.
Field | Value |
---|---|
Name | Premium |
Priority | 4 |
Policy | None selected |
Create Business Account Group
Click Create New in the Account Groups scaffold.
Field | Value |
---|---|
Name | Business |
Priority | 4 |
Policy | None selected |
Navigate to Identities :: Shared Credentials
Create Free Shared Credential Group
Click Create New in the Shared Credential Groups scaffold.
Field | Value |
---|---|
Name | Free |
Priority | 5 |
Credential | free (note: case sensitive) |
Policy | None Selected |
Time | 1 Hour |
Quota | Unlimited (up and down) |
Recurring | none |
Simultaneous | unlimited |
Intersession | 1 day |
Automatic Login | Unchecked |
Portal Policies
Navigate to Policies :: Captive Portal
Create Default Splash Portal
Click Create New in the Splash Portals scaffold.
Field | Value |
---|---|
Name | Default Splash |
portal | default |
whitelist | paypal |
background mode | MAC |
portal mode | MAC or Cookie |
Policies | Default |
Shared Credential Groups | Free |
Create Default Landing Portal
Click Create New in the Landing Portals scaffold.
Field | Value |
---|---|
Name | Default Landing |
portal | default |
whitelist | paypal |
background mode | MAC |
portal mode | MAC or Cookie |
Session Limit | unrestricted |
Idle Timeout | 20 minutes |
Grace Time | 15 minutes |
Policies | None Selected |
Create a new Survey Question
Click Create New in the Survey Questions scaffold.
Field | Value |
---|---|
Question | Email Address |
Position | 1 |
Type | Email Address |
Required | Checked |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Create Customer Onboarding Policy
Click Create New in the Policies scaffold.
Field | Value |
---|---|
Name | Customer Onboarding |
Splash Portal | Default Splash |
IP Groups | Customer Onboarding |
Create Free Policy
Click Create New in the Policies scaffold.
Field | Value |
---|---|
Name | Free |
Landing Portal | Default Landing |
Account Groups | Free |
Shared Credential Groups | Free |
Create Basic Policy
Click Create New in the Policies scaffold.
Field | Value |
---|---|
Name | Basic |
Landing Portal | Default Landing |
IP Groups | Account Networks |
Account Groups | Basic |
Create Premium Policy
Click Create New in the Policies scaffold.
Field | Value |
---|---|
Name | Premium |
Landing Portal | Default Landing |
Account Groups | Premium |
Create Business Policy
Click Create New in the Policies scaffold.
Field | Value |
---|---|
Name | Business |
Landing Portal | Default Landing |
Account Groups | Business |
Final result
Review Policy Dashboard
Click on the Policies menu link to view the Policy Dashboard. This page gives a graphical representation of the policy enforcement engine. Network devices are categorized into the highest priority group to which they belong, and that groups policy is applied.
In the graph, Groups are listed on the left, Policies in the middle, and Policy Enforcement Elements on the right. Groups may only have 1 associated policy. Devices will typically belong to multiple groups (such as an IP group and an Account Group), but only the highest priority group has an effect on the devices policy. Policy enforcement elements may be shared between multiple policies.
Gateways and Plans
Navigate to developer.authorize.net
Click Sign Up
Sign up for a free account
Collect API Credentials
Navigate to Billing :: Gateways
Create a Merchant
Field | Value |
---|---|
Name | Auth.net Developer |
Direct Gateway | Authorize.net |
Store Credit Cards | checked |
Login | API login ID from authorize.net API credential page |
Password | Transaction key from API credential page |
Test mode | checked |
Create Paypal Offiste Merchant
Click Create New in the Merchants scaffold.
Field | Value |
---|---|
Name | Paypal Standard |
Offsite Gateway | PayPal Website Payments Standard |
Login | your email |
Navigate to Billing :: Plans
Create an Unlimited Time Plan
Create a 5GB/2GB Quota Plan (free)
Create a 15GB/7GB Quota Plan ($10)
Create a 50GB/25GB Quota Plan ($25)
Create an Unlimited Quota Plan ($50)
Create a Business SLA Misc. Plan ($100)
Create a CPE Lease Misc Plan ($5)
Create One Day Free 5GB Usage Plan
Field | Value |
---|---|
Name | One Day Free 5GB |
Account Group | Free |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Time Plan | Unlimited |
Quota Plan | 5GB |
Misc. Plans | none selected |
Relative Lifetime | 1 day |
Automatic Login | checked |
Max Sessions | 3 |
Max Devices | unlimited |
Max BiNATs | 0 |
Lock Devices | checked |
Merchants | none selected |
Interval | None |
Expiration | Never |
Create One Day 15GB Usage Plan
Field | Value |
---|---|
Name | One Day 15GB |
Account Group | Basic |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Time Plan | Unlimited |
Quota Plan | 15GB |
Misc. Plans | none selected |
Relative Lifetime | 1 day |
Automatic Login | checked |
Max Sessions | 3 |
Max Devices | unlimited |
Max BiNATs | 0 |
Lock Devices | checked |
Merchants | Authorize.net Developer, Paypal |
Interval | None |
Expiration | Never |
Create One Month Basic 50GB Usage Plan
Field | Value |
---|---|
Name | One Month Basic 50GB |
Account Group | Basic |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Time Plan | Unlimited |
Quota Plan | 50GB |
Misc. Plans | none selected |
Relative Lifetime | 1 month |
Automatic Login | checked |
Max Sessions | 3 |
Max Devices | unlimited |
Max BiNATs | 0 |
Lock Devices | checked |
Merchants | Authorize.net Developer |
Interval | Monthly |
Expiration | Never |
Create One Month Business Class Usage Plan
Field | Value |
---|---|
Name | One Month Business Class |
Account Group | Business |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Time Plan | Unlimited |
Quota Plan | Unlimited |
Misc. Plans | Business SLA |
Relative Lifetime | 1 month |
Automatic Login | checked |
Max Sessions | unlimited |
Max Devices | unlimited |
Max BiNATs | 0 |
Lock Devices | checked |
Merchants | Authorize.net Developer |
Pro-rate Credit | checked |
Interval | Monthly |
Expiration | Never |
Create On-Demand 50GB Usage Plan
Field | Value |
---|---|
Name | On Demand 50GB |
Account Group | Premium |
Splash Portals | Default Splash |
Landing Portals | Default Landing |
Time Plan | Unlimited |
Quota Plan | 50GB |
Misc. Plans | none selected |
Unlimited Lifetime | checked |
Automatic Login | checked |
Max Sessions | unlimited |
Max Devices | unlimited |
Max BiNATs | 0 |
Lock Devices | checked |
Merchants | Authorize.net Developer |
Interval | Monthly |
Expiration | Never |
Content Filter Policies
Navigate to Policies :: Content Filtering
Create a new Remote Content Filter Blacklist
Edit the new Remote Content Filter Blacklist
Select gamble from the multi-select category list. You may select other categories by holding down the command or control key. Click Update when finished.
Create a new Content Filter
The Content Filter is the policy element that gets tied to a specific policy. It may reference Content Filter Blacklists or Remote Content Filter Blacklists , or specify phrase categories that should be filtered. The rXg will inspect the contents of all HTTP traffic to determine if the content is permitted. If not, the user is redirected to the specified page of the captive portal.
Click Create New in the Content Filters scaffold.
Field | Value |
---|---|
Name | Block Gambling |
Policies | Free |
Remote Blacklists | Shalla Blacklist Gambling |
Interstitial Redirection Policies
Navigate to Policies :: Interstitial Redirection
Create a new Interstitial Redirect
An interstitial redirect forces end user browser redirection to a page of your choosing based on a timed interval. You may specify how many minutes the end user may browser before being redirected ( Initial minutes ), how often the user is redirected after the initial redirect ( Minutes ), as well as how long the rXg should force redirection at each redirect interval ( Duration ).
Click Create New in the Interstitial Redirect scaffold.
Field | Value |
---|---|
Name | Test Redirect |
URL | Accept default |
Initial Minutes | 3 |
Minutes | 15 |
Duration | 0 |
Policies | Free |
Create a new URL Replacement
A URL replacement will rewrite the URL of every matching HTTP URL which transits the rXg, allowing the operator to substitute phrases or even entire domains of the users attempted URL.
Click Create New in the Interstitial Redirect scaffold.
Field | Value |
---|---|
Name | rewrite restaurant search |
Interstitial Redirect | Test Redirection |
Match | q=restaurant |
Replacement | q=bjs restaurant |
Packet Filter Policies
Navigate to Policies :: Packet Filters
Create a new Application
Click Create New in the Applications scaffold.
Field | Value |
---|---|
Name | smtp |
protocol | tcp udp |
Destination ports | 25 |
source ports |
Create a new Application Filter
Click Create New in the Application Filter scaffold.
Field | Value |
---|---|
Name | block smtp |
direction | outbound |
Applications | smtp |
Policies | Free |
Update the Subnet Filter
A Subnet Filter instructs the rXg to block all packets that attempt to cross from one subnet to another. Because the rXg is the default route for all devices, any attempt to reach another subnet must pass through the rXg. Any device which is in a policy attached to the subnet filter will not be able to route to any other local subnet, except those defined in an associated WAN target.
Click Edit on the Block Subnets subnet filter (this filter was created by default upon installation).
Include all of the customer facing policies:
Default, Basic, Business, Free, Premium
Packet Forward Policies
Navigate to Policies :: Packet Forwards
Create a new Application
Click Create New in the Application scaffold.
Field | Value |
---|---|
Name | 8443 |
Protocol | tcp udp |
Destination Ports | 8443 |
Source Ports |
Create a new rXg Forward
Click Create New in the rXg Forwards scaffold.
Field | Value |
---|---|
Name | forward 8443 to vSZ |
Applications | 8443 |
Destination Policy | Lab vSZ |
Policy Mode | first member only |
Payload Rewriting Policies
Navigate to Policies :: Payload Rewriting
Create a new HTML Injection
An HTML Injection allows the operator to insert content into the body of the HTTP pages which transit the rXg. The rXg offers several recipes for injecting content into the page. The HTML injection does not become active until it is tied to a HTML Payload Rewrite record.
Virtual Frames: Place an iframe into the page in the position of your choice which contains your custom content.
Floating Overlay: Place a floating div onto the page in the position of your choice which contains your custom content.
Ad Element Overlay (beta): Position a floating element onto the page on top of existing advertisements, as determined by common well-known banner dimensions.
Click Create New in the HTML Injections scaffold.
Field | Value |
---|---|
Name | test injection |
position | top |
Recipe | floating overlay |
HTML | <h1>This is a test</h1> |
Create a new HTML Payload Rewrite
An HTML Payload Rewrite ties an HTML Injection or HTML Replacement record to a policy. Some sites may render incorrectly when an injection or replacement is performed. WAN Targets allow the operator to exclude specific sites from the payload rewrite.
Click Create New in the rXg Forwards scaffold.
Field | Value |
---|---|
Name | test injection |
Injection | test injection |
Policies | Free |
Persistent Caching Policies
Navigate to Policies :: Persistent Caching
Edit the Web Cache
Click Edit on the Cache web cache record. Enable the Free , Basic and Default policies.
Traffic Shaping Policies
Navigate to Policies :: Traffic Shaping
Create a new 3x1 w/ burst Bandwidth Queue
Click Create New in the Bandwidth Queues scaffold.
Field | Value |
---|---|
Name | 3x1 Mbps with burst |
Priority | 0 |
Download Rate Limit | 3 Mbps |
Upload Rate Limit | 1 Mbps |
Download Rate Burst | 10 Mbps |
Upload Rate Burst | 2 Mbps |
Burst time | 5000 |
Guarantee | none |
Create a new 20x2/acct Bandwidth Queue
Click Create New in the Bandwidth Queues scaffold.
Field | Value |
---|---|
Name | 20x2 Mbps per account |
Priority | 0 |
Download Rate Limit | 20 Mbps |
Upload Rate Limit | 2 Mbps |
Burst | none |
Guarantee | none |
Shaping | Account |
Policies | Basic |
Create a new 50x2 w/guarantee Bandwidth Queue
Click Create New in the Bandwidth Queues scaffold.
Field | Value |
---|---|
Name | 50x2 Mbps with guarantee |
Priority | 0 |
Download Rate Limit | 50 Mbps |
Upload Rate Limit | 2 Mbps |
Burst | none |
Download Rate Guarantee | 10 Mbps |
Upload Rate Guarantee | 1 Mbps |
Shaping | Account |
Policies | Business |
Create a new 512x128 Kbps usenet Bandwidth Queue
Click Create New in the Bandwidth Queues scaffold.
Field | Value |
---|---|
Name | 512x128 Kbps usenet |
Priority | 0 |
Download Rate Limit | 512 Kbps |
Upload Rate Limit | 128 Kbps |
Burst | none |
Guarantee | none |
Applications | usenet |
Policies | Basic, Free |
Create a new 50x2/account Bandwidth Queue
Click Create New in the Bandwidth Queues scaffold.
Field | Value |
---|---|
Name | 50x2 Mbps per account |
Priority | 0 |
Download Rate Limit | 50 Mbps |
Upload Rate Limit | 2 Mbps |
Burst | none |
Guarantee | none |
Shaping | Account |
Policies | Premium |
Final Bandwidth Queue Result
Uplink Control Policies
Navigate to Policies :: Uplink Control
Edit the Uplink
Click Edit on the Uplink record of the Uplinks scaffold. Enable the Google Public DNS 1 and Google Public Dns 2 ping targets.
Ping Targets are necessary for the rXg to monitor uplink health and ensure proper link, and you cannot add an Uplink to a Link Control unless it has at least 2 ping targets.
Create a new Load Balance Link Control
Link Controls enable the operator to control which Uplinks the user population utilizes. Policies may be restricted to using one or more uplinks. When multiple Uplinks exist in a policys Link Control, the user devices will be load balanced across those Uplinks in accordance with the weight of the associated uplinks.
The breadth of Link Controls effect can be limited by associating Applications or WAN Targets. When either are selected, there must be a Bandwidth Queue for the same combination of Applications or WAN Targets.
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | Load Balance |
Uplinks | Uplink, Charter Cable |
Policies | Premium, Basic |
Create a Charter Only Link Control
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | Charter only |
Uplinks | Charter Cable |
Policies | Business |
Create an Uplink Only Link Control
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | Uplink only |
Uplinks | Uplink |
Policies | Free |
Create a Backup Link Control
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | uplink backup |
Uplinks | Uplink |
Backup | checked |
Policies | Business |
Create an Application-Specific Bandwidth Queue
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | usenet through uplink |
Uplinks | Uplink |
Applications | usenet |
Policies | Basic |
Event Trigger Policies
Navigate to Identities :: Groups
Create a Quarantine IP Group
We will temporarily place users who violate our DPI and Connection Event Triggers into a Transient IP Group. We will assign the Quarantine Group to the Triggers, and while in this group, users will not have internet access and will be directed to the Splash Portal associated with the Customer Onboarding Policy.
Click Create New in the Link Controls scaffold.
Field | Value |
---|---|
Name | Quarantine |
Priority | 7 |
Policy | Customer Onboarding |
Navigate to Policies :: Event Triggers
Create a new Connections Trigger
Click Create New in the Connections Triggers scaffold.
Field | Value |
---|---|
Name | 1000 Connections |
Policies | Basic, Free |
Max Connections | 1000 |
Duration | 15 minutes |
IP Group | Quarantine |
Flush Connection States | checked |
Create a new Quota Trigger
Click Create New in the Connections Triggers scaffold.
Field | Value |
---|---|
Name | Premium Abuser slowdown |
Policies | Premium |
Download | 50 GB |
Upload | 25 GB |
Window | 7 days |
Duration | 1 days |
Account Group | Basic |
Create a new Remote DPI Signature
Click Create New in the Remote DPI Signature scaffold. Accept the defaults, which will pull from emergingthreats.net
Edit the Emerging Threats Remote DPI Signature
Click Edit on the Emerging Threats Remote DPI Signature record. Review the list of categories and select several categories by command or control clicking items in the box.
Create a new DPI Trigger
Click Create New in the DPI Triggers scaffold.
Field | Value |
---|---|
Name | Quarantine Bad Behavior |
Policies | Basic, Free, Premium |
Remote Signatures | Emerging Threats |
IP Group | Quarantine |
Duration | 30 Minutes |
Flush connection states | Checked |
Review Policy Dashboard
Click Policies in the top menu. The Policy Dashboard now illustrates our policy enforcement configuration.
Navigate to Identities :: Groups
Update Basic Account Group Priority
When users trigger the Premium Quota Trigger, they are temporarily placed into the Basic Account Group (a transient group membership). Currently, the groups priority is the same as the Premium Account Group (all account groups are set to 4 by default). We need to increase the priority of the Basic Account Group so that it takes priority over the devices other group memberships.
Click Edit on the Basic Account Group.
Increase the priority to 5
Review Final Policy Dashboard
Logs Hits Trigger
The Log Hits Trigger function automatically adds identified IP addresses to a WAN target for a predefined timeframe when events such as repeated failed SSH login attempts or excessive traffic directed at a web server occur. This function allows for targeted restrictions on specific types of traffic, including blocking SSH, HTTP, or HTTPS access. This functionality works on both the LAN and the WAN. The configuration outlined below is intended for events on the WAN side of the rXg.
Create Blacklisted WAN Target Click on Identity :: Definitions. Create a WAN Target definition.
Add WAN Target to Admin ACL Click on System :: Admins. Modify ACL by adding a defined WAN Target.
Create Log Hits Triggers
Proceed to Policies :: Event Triggers. - Click create. - Name the trigger for identification. - Select the Policy that will be enforced. - Define Enforcement Thresholds. - Specify the Duration of transient membership. - Assign a blacklisted WAN target. - Select an email notification for the Log Hits Trigger Record.
Viewing Event Logs Navigate to Archives :: Trigger Logs for detailed event logs.
Additionally the Trigger Logs button under each listed Log Hits Trigger will display the log as well.
IPs are automatically removed after the expiration of the set threshold time duration.
SAML Admin Authentication
Create a SAML App in Google Admin Console
Log in to your Google Admin Console and navigate to "Apps"
Click on "SAML Apps"
Click "Add a service/App to your domain"
Click "Setup My Own Custom App"
Copy the SSO URL, and click "Next"
Give the Application a Unique Name. Optionally provide a description and custom logo, then Click "Next"
Create a new SSO Strategy in rXg
On the rXg, navigate to System::Admins. Create a new SSO Strategy. Paste the SSO URL Copied Earlier.
After clicking "Create", wait for the webserver to restart. Click "Show" on the SSO Strategy.
Copy the OAuth Redirect URLs (this is needed in the Google Admin Console).
Click on the Oauth Metadata URLs and locate the "entityID" field. (This is also needed in the Google Admin Console)
Finish SAML App in Google Admin Console
Provide the Redirect URL from above as the ACS URL. Also provide the Entity ID, and click "Next".
Create Attribute Mappings for all desired attributes. This example shows first_name
and last_name
. Additional custom attributes will be added, and mapped in later steps. Once complete click "Finish"
The new SAML App will be created disabled by default. Make sure to turn the App on for it to function.
Add Custom Attributes to GSuite Users
Navigate to "Users" in the Google Admin Console, and choose "Manage Custom Attributes" under the More dropdown menu.
Click on "Add a Custom Attribute" and provide a category name. Create a field for each custom attribute you want to provide. In this example an attribute field of admin_role
will be used to assign an Administrative Role on the rXg.
Edit a user to see the new Custom Attributes category, along with the defined fields. Populate the field with the name of an Administrative Role on the rXg.
Return to the SAML Application settings in the Google Admin Console, and add an attribute mapping for any custom attributes that have been added.
Log in Using SAML
You can now see a SAML login option available on the admin login portal.
Alternatively, an app is available in the list of Google Apps, that will immediately take you to the rXg administrative interface, as the user logged in to Google.
Radius Based Location
Navigate to Network :: Locattion
Create a new Location Area
Name is arbitrary. Set Type to Floor. Choose File to use as the Floorplan. Click Create.
Click on the floorplan and create a Region
In the Add a Region section give the Region a name, and select a color if desired. Click Add Region Drag the Region to the upper left corner of the room it represents and drag the corner to expand the Region to cover the room. Click Save in the Region to save the size and placement of the region.
Place the Access Point
In the Place an Access Point / Sensor section click the dropdown and select the Access Point. Click the Drag me button, and drag the Access Point into the Region that was previously created. Click Save on the Access Point box. Click the Green box in the upper right corner to close the Floorplan.
Create a new Location Category
Create a new Location Category. Name is arbitrary. For the Areas field select the Region creatd previously that contains the Access Point. For the Access Point field, click into the box and select the AP that is located within the Region created previously. Click Create.
Example of Location based Space-Time Trigger
In this example we will setup a Space-Time Trigger that looks at the dwell time of a device and sends an email when the dwell time is exceeded. First we will need to create the email to send out when the dwell time is exceeded. Navigate to Services :: Notifications.
Create a new Custom Message. Name is arbitrary. Destination should have the End-user check box selected by default, do not select any Administrative Roles unless you want those admins to also recieve the message. Under Message, set the Subject and fill out the Body with the message you want the end user or admin to receive. Click Create.
Navigate to Policies :: Event Triggers.
Create a new Space-Time Trigger. Name is arbitrary. Select the Policies that the Space-Time Trigger will be enforced on. Under Space Enforcement set the Current Area to area the Access Point is associated with. Set Current dwell to the amount of time that must be met to set off the trigger. Under Transition Behavior uncheck Flush connection states. Under Notifications specify the message that will be sent by clicking in the Messages box and then select the message created previously. Click Create.
This will now send an email to end user if they dwell in the area for more than 10 minutes.
Example of Location based Crowd Event
Navigate to Network :: Location
Edit the Location Area where the crowd event should take place. Click Show for Crowd Event. Set the Threshold to the desired number of devices that should trigger the event. Click Update.
Navigate to Services :: Notifications
Create a new Custom Message. Name is arbitrary. Destination should have the End-user check box unselected. Check the admin roles you want to receive the crowd formed message. Under Message, set the Subject and fill out the Body with the message you want admin to receive. Click Create.
Create a new Notification Action. Name is arbitrary. Set Event Type to Location: Crowd Formed. Click in the Messages box and select the Custom Message created in the previous step. Click Create. Now when a crowd forms a message will be sent to the admin(s) roles selected.
FIAS PMS Simulator
Setup the FIAS simulator to start on boot
Login to the machine via SSH. Elevate to root access.
Create an rc.local.hook
that contains the appropriate commands to generate a fresh guest list and start the PMS simulator upon boot.
cat > /etc/rc.local.hook
#!/bin/sh
/space/rxg/rxgd/debug/gen_fias_guest_list > /space/guest_list.csv
nohup /space/rxg/rxgd/debug/fias_server.py -g /space/guest_list.csv &
CTRL-D
Now make the rc.local.hook
executable.
chmod +x /etc/rc.local.hook
Reboot the rXg to ensure that the FIAS simulator comes up. You may manually start the FIAS simulator without rebooting by executing sh /etc/rc.local.hook
with root privileges. You may check on the status of the FIAS simulator by running ps ax | grep fias
.
Configure rXg to communicate with local PMS simulator
Navigate to Gateways view through the Billing menu. Create a record in the PMS Server scaffold. We call it FIAS simulator. You may call it whatever you wish.
In the Interface Specifications subsection choose the MICROS FIAS for the Internet. Set the Host to be 127.0.0.1
and the Port to be 5010
.
Refresh the page to find the Guests scaffold populated with Guest and Room data from the FIAS simulator. This information should match the entires in the guest_list.csv
file.
Bootable USB
Overview
dd
is a command line utility for FreeBSD that allows the rXg to write to a USB drive. This capability is beneficial if you have out-of-band access to a rXg such as IPMI or iDRAC and wish to reinstall the OS remotely.
As with any remote operation, things can go wrong, so only perform these steps if you are willing to accept the risk. Make sure to have a backup plan, such as deploying somebody to the site if this process fails.
Once this process is complete, make sure that you either remove the USB drive or change the boot order of the system to avoid booting to the USB during a power cycle.
Process
SSH to the rXg and ensure you are root.
Check if the USB is plugged in by typing
geom disk list
. You can also get the drive name here for later in the process. In the image below, you can see a SanDisk Ultra USB is plugged in with a name of 'da0'.
- The next step is to get the source .img file on the rXg. There are many methods that can be used to accomplish this. In this example, the image file will be directly downloaded from the RG Nets build server. Now the rXg will fetch the image using
wget
.
cd /tmp
wget --user your_user_name --ask-password https://build.rgnets.com/build/official/iso/13.1-RELEASE-amd64-rxg-14.065.img
After submitting the above command, you should see the progress of the file download.
- Unmount the media
umount -f /media/
- Finally, use dd to write the file to the USB. Note the drive name 'da0' may be different in your environment. You can use
geom disk list
to check.
dd if=/tmp/13.1-RELEASE-amd64-rxg-14.065.img of=/dev/da0 bs=1m conv=noerror,sync
Once you have issued the dd command, you will have to wait for some time. The amount of time will vary based on the type of USB drive being used. It could be anywhere from 10 minutes to multiple hours. You can open a separate session and type gstat -p
to see if the USB drive is busy.
When the CLI returns, the USB is ready to be used.
Once the installation is complete, make sure that you either remove the USB drive or change the boot order of the system to avoid booting to the USB during a power cycle.
Piglet Sensors
Overview
The Piglet is a powerful network monitoring application developed by RG Nets, specifically designed to be installed on a Raspberry Pi (3 or 4). Commonly referred to as a network sensor, the Piglet is a versatile tool aimed at providing comprehensive insights into network performance.
Deployment and Functionality
The Piglet is strategically deployed within a network south of the rXg. It is capable of running tests over both wired and wireless connections, with the results being sent back to the rXg. These results can either be reviewed directly via the rXg interface or trigger notifications to network administrators for further action.
Testing Capabilities
A Piglet can execute two primary types of tests:
1. Ping Tests
Purpose: Measure latency, jitter, and uptime. Targets: Can be directed towards a specified target over the wired connection of the Piglet or a specified wireless LAN.
2. Speed Tests
- Internet Based Speed Test: Perform a standard internet speed test by setting the destination to speedtest.net.
- iPerf3: Configure the Piglet to run speed tests using iPerf3 to a specified destination. The rXg includes a built-in iPerf server which can be used as a target for these tests, effectively evaluating the LAN infrastructure.
3. Trace Routes
Use Cases
The Piglet is an essential tool for a variety of network monitoring and validation tasks:
- Throughput and Reliability Testing: Assess the performance of downstream network infrastructure.
- Client Network Experience Measurement: Evaluate the actual network experience from any client location within the network.
- Policy and Segmentation Verification: Remotely confirm the effectiveness of network policies, segmentation, and routing. Particularly beneficial if there's a lack of complete trust in the downstream infrastructure.
WLAN-Scoping
The Piglet also supports WLAN-Scoping, which allows all aforementioned tests to be configured over a specified wireless network. This ensures that network administrators have continuous visibility into the performance of all wireless networks within the environment.
Environment
This document was written and tested using the following components from the RG Nets and Respberry Pi ecosystem.
Manufacturer | Component | Version |
---|---|---|
RG Nets | rXg | 13.2 - 15.513-47 |
RG Nets | Piglet | Build #60 |
RG Nets | Boot Loader | |
Raspberry Pi | Compute Module 4 | Rev 1.1 |
Resoberry Pi | 4 Model B 4 GB RAM |
Hardware
Raspberry Pi
Version 1 - Raspberry Pi 4 Compute Module 4
Note: This version can be purchased directly from RG Nets. Product Code: Piglet-HW
- No SD/USB Required
Internal Wireless Adapter: - PCIE to mPCIE adaptor - AX210 WiFi 6E Card
Version 2 - Raspberry Pi (3 or 4)
- Recommended to use a USB instead of SD card.
Samsung Bar Plus (USB 3.1 Flash Drive) 32 GB
- Minimum 8 GB Memory
External Wireless Adapters: - Netgear AC 1200 A6210
Installation
Install Boot Loader Image (CM4)
To flash the eMCC directly you will need to run a provisioner on your local network and provide the boot loader image to the active project.
- To reprovision CM4 connect a USB cable between the provisioning server and the micro USB port of the Raspberry Pi Compute Module 4 IO Board.
- Put a jumper on the CM 4 IO Board.
This will cause the compute module to perform a USB boot, in which case the provisioning server will transfer the files of the utility OS over USB.
After the utility OS has booted, it will contact the provisioning server over Ethernet to receive further instructions, and download additional files (e.g. the OS image to be written to eMMC) as usual.
Install Boot Loader Image (Raspberry Pi 3 or 4)
Piglets rely on a compact boot loader that automates rXg server discovery. This boot loader also enables remote software updates for piglets, eliminating the need for physical intervention. It contains no inherent functionality aside from the ability to deploy images provided by the controller. Currently RG nets provides one full image but you can use the boot loader with any image that is supported by the Piglet hardware.
- Use a program such as Rufus (Windows) or balenaEtcher (MAC) to create a bootable USB or SD card with the boot loader image. It is recommended to use a USB drive.
Add a Piglet Image to the rXg
- Browse to Network >> Wireless >> Device Firmware
- Select "Create New" on the Device Firmware scaffold.
a. Select a name for the record.
b. Select "Choose File" and browse to the piglet image that you wish to upload. Alternatively, you can have the rXg fetch the image by providing a remote URL, username, and password. - If you wish this image to be used as the default, you can check the "Default" field.
- Click "Create"
Note: rXg Device Firmware management can be used for other images that are compatible with Raspberry Pi such as WLAN Pi.
Configure the rXg for Piglet Discovery
- Browse to Network >> Wireless >> WLAN Controllers
- Select "Create New" on the WLAN Controllers scaffold.
a. Select a name for the record.
b. Set the Device Type to "Piglet".
c. Set the host address to "127.0.0.1". - Click "Create"
Approve Piglet and Select Default Image
When the piglet boots, it will automatically pull a DHCP address and discover the rXg.
- Browse to Network >> Wireless >> Access Points
- Edit the record for the newly discovered piglet.
- Select the desired "Device firmware".
- Click "Update".
- Click "Approve" on the appropriate row.
Configuration
Ping Tests
Ping tests can be scheduled to run from any approved piglet on either the wired or wireless connection.
- Browse to Instruments >> Network Monitor >> Ping Targets.
- Click "Create New" on the ping targets scaffold.
a. Select a meaningful name for this target that accurately reflects the purpose.
b. Select the destination address that you would like to have the piglet ping.
c. Select wired to use the wired interface, or select a WLAN to use a wireless interface.
d. Select the piglet and radio that the ping should source from.
Results
There are (2) methods that you can use to see the results being generated by the piglets:
1. Click "Graph" on the Ping Targets record scaffold.
2. Create a System Graph.
- Browse to Archives >> Reports >> System Graphs.
- Click "Create New" on the Systems Graphs scaffold.
a. Select a meaningful name for this target that accurately reflects the purpose.
b. Select which instrument you would like to graph. There are several that applicable to ping targets.
c. Select the period to be used for data visualization.
d. Select the data interval for the results to be grouped by.
e. Select the ping target to be graphed. - Click "Create"
Speed Tests
Speed tests can be scheduled to run from any approved piglet on either the wired or wireless connection.
- Browse to Instruments >> Network Monitor >> Speed Tests.
- Click "Create New" on the speed tests scaffold.
a. Select a meaningful name for this target that accurately reflects the purpose.
b. Select the type of speed test that you would like to run. You can select iperf 3 and then either choose from the following list of public targets or you can specify your own target. Alternatively, you can set the type to Speedtest.net and the rXg will automatically determine the closest server on the WAN and run a speed test against that server.
c. If you selected iPerf3 in the previous step, and left Public iPerf3 target empty, you can designate an iPerf3 server here that exists on the WAN or LAN of the rXg.
d. Select wired to use the wired interface, or select a WLAN to use a wireless interface.
e. Select the piglet and radio that the speed test should source from.
f. Select how frequently you would like the speed test to run. - Click "Create"
Note: An iperf server must exist prior to creating this test if using iPerf3 to the rXg gateway. More Information
Results
There are (2) methods that you can use to see the results being generated by the piglets:
1. Click "History" on the speed test record.
2. Browse to Instruments >> Network Monitor >> Speed Test Results
Trace Routes
Coming Soon...
Frequently Asked Questions
Q: Why would the piglet allow me to adopt it, but then not boot after downloading the piglet image.
Possible Answers:
- Most likely you are running a Raspberry Pi with insufficient memory. You should have a minimum of 8 GB of memory.
- Ensure that you have selected an image in the AP profile to be loaded to the piglet.
Q: How can I remotely reflash a piglet?
A: Change the fimware version in the AP profile for the piglet and then reboot.
Q: Can piglets be installed on remote networks?
A: Yes, by default the Piglet contacts its default gateway as the controller. In case the piglet is on a remote network from the controller you can tell it the IP address of the controller through a custom DHCP option.
Option 43: suboption 1, type text, data: the ip of the rXg controller
Note: The Piglet sends a Vendor Client Identifier (option 60) RG Nets
OpenWiFi
Bhyve Setup
1. Setup Virtualization Hosts
To install the OpenWiFi controller in Bhyve first we must ensure we have a Virtualization Host to install to. Navigate to Services::Virtualization, if a host does not exist create a new Virtualization Host.
Give the Virtualization Host a name, the name field is an arbitrary string used to identify the host here I've set the name as the FQDN. Autostart Delay, and Reserved CPU count will be left at default values. Next name the Virtual Switches to make it easier to identify. Here I name my WAN and LAN connections, we will only need the LAN connection for our OpenWiFi controller. Click Create.
2. Install OpenWiFi Controller as a Virtual Machine
We will use a built in Config Template to automatically download the OpenWiFi controller software. Navigate to System::Backup and find the Config Template named "Example: 06 Download rXg Openwifi Image Config". If you do not see any example config templates click the "Show Examples" link.
We do not need to modify this template, it is going to download the openwifi img file and make it available as a disk image. Click apply to have it download the image.
After clicking apply we should get a Success message.
We can verify that the image was downloaded by navigating to Services::Virtualization and clicking Disk Images on the record for our Virtualization host.
Now that we have confirmed that the image has been downloaded we are ready to create the Virtual Machine. We will utilize another config template to automatically deploy the VM. Navigate to System::Backup, and find the config template named "Example: 07 Deploy Virtual Openwifi Controller Config". Do not click apply, instead click Edit. We will need to modify the template to match our networking.
Adjust the name variable if desired, I will leave the name as "openwifi". Next I am looking for the line with "mapped_switches". I am going to change this line from: "mapped_switches = ["igb0", "igb1", "igb2"]" to; "mapped_switches = ["vmx4 LAN"]
This is NOT the name of the interface but rather the name of the virual switch, I named mine "vmx4 LAN" so I need to make sure that matches. To verify the name navigate to Services::Virtualization and look at the Virtual Switches scaffold and find the name of the switch the OpenWiFi controller will be connected to.
You may also need to adust the IP address asigned to the controller. Look for the cidr, gateway, and nameservers variables, and adjust accordingling. This controller in this setup will be on the 192.168.5.x network.
I have adjusted the variables to match my network below.
Next we need to specify an SSH key pair. For this I will leverage the ssh key tied to my admin account. In the real world it is best to make a new ssh keypair for this so it is not tied to an individual. Now that I have adjusted the config template I can click the update button.
Now we are ready to apply the template. When we click apply this will create a new VM, connected to the interfaces we specified in the template (just vmx4 LAN in this case), we can see that the VM will have 8GB of memory, 8 cpu cores, and a 10GB HDD.
We can confirm that the new VM was created by navigating to Services::Virtualization and review the Virtual Machines scaffold.
In addtion to creating the VM, the template also created a DNS override for "openwifi.wlan.local" this is because in a later step we will need to hit that URL to access the controller and need it to resolve to the IP address of the controller. To verify that the DNS override is setup correctly, navigate to Services::DNS and review the DNS Records scaffold.
What this entry does is overrides any DNS for "openwifi.wlan.local", so that if I am behind this system and point my browser to the FQDN it will resolve to 192.168.5.9 and allow me to access the controller. This is important without this we will not be able to login to the controller as we will see in a future step.
Now we must start the installation process on the VM, navigate to Servcies::Virtualization. The openwifi Virtual Machine has a commands link to the righthand side, select start from the list. This will turn on the machine and begin the installation process.
VM state will change from stopped to Running. Note that installation takes about 2 minutes.
To verify that the controller is up and running click the VNC viewer option and open the console window. Note that we do not need to login or do anything via the console window it can be closed.
3. Create new user on controller
Now that the controller is installed we need to login using the default credentials and create a new user and remove the default user (if desired). To do this navigate to https://openwifi.wlan.local:8443 and login with the default username password.
Username: [email protected] Password: openwifi
At this point if you login and get an invalid credentials message, even though you are using the correct username/password. This is because its trying to hit a different port and will get stopped by the certificate since it is not valid. You can direct your browser to the following URL https://openwifi.wlan.local:16001/api/v1/oauth2?requirements=true and accept the certificate and then login again.
When you login for the first time it will prompt you to change the password.
After changing the password you will be logged in. We will want to create a new user, to do this select users from the menu on the left.
Next click the "+" sign in the upper right corner.
Fill out the email, name fields, and set a password. Toggle force Password Change off otherwise you will be prompted to change the password you just set again upon first logging in. Toggle Email Validation off. Then click the disk icon in the upper right.
Next logout and log back in with new user and delete the default user.
3. Add OpenWiFi as infrastucture Device
Now that we have installed the OpenWifi Controller and we have created a user we can add it as an infrastucture device. Navigate to Network::Wireless and create a new WLAN Controller.
Give the controller a name, change the Type field to OpenWifi. Enter the controllers IP address in the Host field. Change the username field from admin to the email address of the user created in the previous step and enter the password in the password field below. Change the Timeout field from 5 to to 30. Click Create at the bottom of the record.
After creating the WLAN Controller record it will takea few seconds and then the Online field should change from offline to Online.
Next select Import on the far right of the WLAN Controller entry, and click on Import. Enter the CIDR of the network(s) the controller should look at for APs.
Next click on "Sync not enabled".
Click on Generate Diff.
After clicking Generate Diff any changes will show up in the Synchonize field. The first time you join the AP it will have more than what we see here, regardless, the next step is to click Enable Config Synchonization.
After this step the Openwifi controller should be online and in sync.
Notes
If you click on the Generate Diff button and nothing seems to happen this is likely because the AP's are not configured correctly. In the above example I had to login to the tip portal and do an AP transfer. To do this I logged into the portal, and clicked on the Transfers option on the left menu.
Click the Create Transfer Button.
Enter the MAC address in the Serial Number field, the Redirector should be set to openwifi.wlan.local, and then enter a reason for the request. Then click Start Transfer. After completing this process I was then able to generate the diff and click enable sync after factory resetting the AP.
Portal Customization
The predominant forced browser redirection deployment methodology is to use the rXg captive portal as the destination for web requests originating from unauthenticated devices. End-users then navigate and utilize the functionality present in the captive portal web application to obtain transit to the WAN. Thus the rXg captive portal represents the vast majority of the end-user experience and customization of the captive portal is an integral facet of the operator marketing strategy.
The default captive portal web application contains a plethora of functionality that is fully integrated into the packet management capabilities of the rXg. The operator may choose to instantly deploy a fully operational revenue generating network by using the default captive portal as is. Alternatively, the operator may choose to customize the captive portal in a number of ways ranging from changing the artwork and layout to implementing entirely new functionality through the underlying the Ruby on Rails infrastructure.
Modifying the artwork and layout of the default captive portal is easily accomplished. The rXg uses industry standard CSS and HTML to control the presentation of the captive portal. Anybody who is skilled in the art of web publishing is capable of dramatically changing the default look and feel into any of the examples depicted.
Ruby on Rails is the web application infrastructure used to implement the rXg captive portal. When customizing the captive portal, the operator has complete access to the underlying Ruby on Rails infrastructure. Using rails, the operator can modify the default captive portal functionality in nearly any way imaginable.
The rails framework also enables the operator to rapidly create entirely new functionality that is not present on the default rXg. Most operators create new functionality in the portal to benefit the end-user experience in some way. One popular customization is integration of the token and/or coupon generation functionality with an external trigger. For example, this allows an operator to have real-time token or coupon generation linked to a point-of-sale system.
New functionality is not limited to end-user facing capabilities. Full access to the rXg persistent store through the rails-based database abstraction layer enables the operator to implement entirely new administrative capabilities through the portal customization infrastructure. For example, many operators use the captive portal infrastructure to create reporting engines. Some have even integrated their accounting system with the rXg using a custom portal view. Rails can even be used to open network sockets for real-time event-driven integration with external systems.
Setup
There are several prerequisites that must be completed before captive portal customization may begin. First and foremost the web developer must be given access to the rXg filesystem by an administrator. The rXg supports filesystem access via SSH/SFTP as well as SMB/CIFS. SSH/SFTP is the preferred method as it is generally considered to be more secure and is much more reliable when used over the WAN. SMB/CIFS is a less desirable alternative that is suitable for use from developer machines on the LAN as well as over encrypted VPN connections.
SSH / SFTP Access
There are three main steps to granting administrative access to the rXg filesystem over SSH/SFTP. First, The administrator's computer must have an SSH client installed and a key pair must be generated. Next, administrative access to the rXg file system via SSH must be granted by installing the administrator's public key. Finally, the operator must declare that a new customizable portal controller is to be created and specify a name.
SSH and SFTP are the mechanisms used to access the rXg file system and make changes to custom portals. Thus an SSH client must be installed on the computer that will be used by the administrator who will be customizing the portals. OpenSSHis included with MacOS X and most UNIX and Linux distributions. Microsoft does not ship with SSH by default, but there are many third party options for running SSH on Windows.
The rXg requires the use of the public key authentication to gain access to the file system. To accomplish this, a key pair must be generated that is 4096-bit RSA or stronger. For example, togenerate an OpenSSH keypair, use the command linessh-keygen -t rsa -b 4096 -f rxg
. Most of the Windows SSH utilities come with a GUI to generate keys. Make sure that the private key stored in a safe place on the administrators computer. Keep the public key handy (e.g., pasted into a notepad or textedit window) as it needs to be installed onto the rXg in the next step to enable remote access to the file system.
An administrator with SSH access must be established to enable access to the rXg file system. This is accomplished through the Admins view in the System sub-menu. To enable SSH, a change must be made (or the data validated) in at least one record in both scaffolds that are present in this view.
An SSH public key must be added to a record in the administrators scaffold. The operator may choose to edit an existing record or create a new record to grant access to an individual who has never before required administrative access to the rXg. In either case, the public SSH key must be pasted into the text area that is provided. In addition, the role field must be set to an administrative role that has SSH access enabled.
By default, there is a "Web Designer" admin role that will allow members of that role to SSH to the box to edit and save captive portals, as well as view logs and graphs. Of course, custom roles with SSH access may be created if the default ones are not sufficient.
When creating or editing a role that will contain administrators that need to customize captive portals, the check box next to the SSH field should be checked. To disable SSH access for administrators that are assigned a role that has the SSH field is checked, delete the public SSH key from the administrator record.
SMB / CIFS Access
Access to the rXg filesystem via SMB / CIFS is disabled by default. An administrator must create an active record in the SMB Server scaffold found on the Admins view.
SMB / CIFS access must be restricted to the specific IP addresses that will be used by the web developers to access the rXg filesystem. LAN IPs and CIDRs are added to the SMB / CIFS ACL by associating the SMB Server record with a Policy record that is linked to IP and MAC groups. WAN IPs and DNS names are added to the SMB / CIFS ACL by associating the SMB Server record with WAN targets listing devices that should be allowed access.
Only Administrators that are members of Administrative Roles that have SMB access enabled will be able to gain access over SMB / CIFS. By default, no Administrative Roles have SMB / CIFS access enabled. To enable SMB / CIFS access, an administrator must check the SMB checkbox in an administrative role. If no roles have SMB checked, the SMB server will not be started.
Once the SMB Server is properly configured, the web developer uses the Explorer (Windows), Finder.app (Mac OS X) or SMB client (UNIX) to browser to the IP address or DNS name of the rXg. The captive portals are located in a share called portals.
The username and password credentials that are used for web administrative console access are also used to obtain SMB / CIFS access.
Once authenticated, the web developer may access the captive portals stored on the rXg filesystem as a network share. Most operating systems make SMB / CIFS network shares behave like locally stored files.
SMB / CIFS access is designed to facilitate rapid portal development for operators with web development resources. The SMB / CIFS server should only be used on dedicated development rXgs. It is strongly recommended that SMB / CIFS never be used on production rXgs as the overall security of the SMB / CIFS protocol is inferior to the SSH / SFTP protocol. Once a portal has been developed, the SSH / SFTP protocol should be used to move portals onto production rXgs.
Create New Portal
The default rXg captive portal may be not edited directly. To create a custom portal, a copy of the default portal is made and saved to an operator chosen name. This is accomplished using the Portals view of the System menu.
To begin, use the create action in the custom portals scaffold. This will drop down a dialog with two fields that must be completed. The name field is an arbitrary name you choose for this portal and will be used in other areas of the administration console. The controller name field will be the text inserted into the URL when users access this portal. This field should be all lowercase and only one word. If it is left blank, it will be the same as the name field you entered above.
In order for your new captive portal to become usable, you will need to restart the web server. Click on either Production or Development buttons in the Restart Web Server dialog. Production mode is the normal operating mode and is recommended when the rXg is deployed. Development mode will limit access to the administrative console and portals to only one simultaneous user. In addition, server-side page caching is disabled in development mode so changes that are made are reflected immediately.
It is highly recommended that the rXg be left in development mode while captive portals are being developed. This prevents issues from coming about due to the uploaded or edited portals being out of the sync with the version in memory. In addition, it is critically important to click on the Production button even if the web server is running in production mode on when the captive portal is updated on a deployed rXg. Failure to follow this procedure will result in all sorts of bizarre issues ranging from improperly rendered images to browsers intermittently displaying an error 500.
At this point, you should now have a custom captive portal that is a copy of the default portal running on an rXg. You can preview this portal by visiting https://rxg.domain/portal/my_custom_controller
in your browser. rxg.domain
is the domain name or IP address of your rXg. my_custom_controller
is the one-word lowercase name you defined above.
Structure
The default working directory presented to a client when the rXg file system is accessed via SSH is the administrator's home directory. A subdirectory called portals
is present in every administrator's home directory that is linked to the location of where all captive portal as stored. A single persistent storage location is used for all custom captive portals on an rXg and is shared by all administrators.
Within the portals
is a series of subdirectories. Each subdirectory contains a custom captive portal. The name of the subdirectory will be the same as the 'Controller name' as defined when creating the portal. Using SSH, it is possible to login to the rXg and edit the custom portal files directly using the built-in text editor vi. However, in most cases, administrators will want to use a SCP or SFTP client to copy the files from the rXg to a local computer for editing.
If you are using an SSH command line tool such as OpenSSH, a command like the following will copy the contents of the custom portal named by CONTROLLER_NAME into the local current working directory.
scp **ADMIN\_LOGIN** @rxg.domain:~/portals/ **CONTROLLER\_NAME**.
Most GUI SSH clients have enable bulk copying of entire directory trees from a remote file system. Typically, this is accomplished by logging into the remote server and then dragging and dropping the desired folder onto a destination on the local machine.
We recommend that the administrators copy the entire directory tree of a custom portal onto a local workstation, making changes, and then copying the entire directory tree back to the rXg. Although this requires more transfer time between the administrative workstation and the rXg, adhering to this protocol helps prevent numerous classes of common issues that result in strange portal behavior.
The folder structure for a custom captive portal looks like the following:
CONTROLLER_NAME/
images/
javascripts/
static/
stylesheets/
views/
CONTROLLER_NAME.erb
CONTROLLER_NAME.rb
images/ The directory where artwork assets are stored. javascripts/ The directory where the client-side JavaScript code assets are stored. The portal.js.erb
file is the only file that needs to be referenced by the portal. All other files that are present in this directory are automatically assembled into a single URI that is referenced in the layout via the Rails asset pipelining mechanism. static The directory where file resources are stored that can be accessed from the WAN. Downloadable files etc. stylesheets The directory where cascading style sheet assets are stored. Both CSS and Sass/SCSS are supported. Additional stylesheets may be placed into this directory and referenced for asset pipelining. Each file that should be included must be listed at the top of the portal.css.scss.erb
or the portal_mobile.css.scss.erb
file. views/ The directory where HTML files with embedded ruby templates for the views, and partials are stored. Templates for views are named according to the controller action that is requested. For example, when the end-user browser requests /portal/CONTROLLER_NAME/session_info/
, the session_info.erb
file is picked for rendering. Partials being with an underscore character (_
) and are included by file name within the view through one or more render partial
rails statement. CONTROLLER_NAME.erb The desktop portal layout. This file is the foundation of the portal and incorporates the HTML and embedded Ruby that will be present in all rails generated views.CONTROLLER_NAME.rb The controller file for the custom captive portal. Existing actions may be customized and new actions may be created by editing this file. This file may be ignored if only cosmetic changes are desired. The rXg portal is implemented in Ruby on Rails. Becoming versed in rails is a critical aspect of portal customization. Mastery of rails enables the administrator to create entirely new functionality that suit your exact needs. However, it is possible to customize the presentation of a portal without knowing any knowledge or experience with Ruby on Rails. Knowledge of HTML and CSS are all that is required to change the look and feel of the default portal. Dramatic results may be achieved through modification of the CSS alone.
Layout
The CONTROLLER_NAME.erb file is called the layout in Ruby on Rails. This file contains all of the HTML and embedded Ruby that is present in all rails rendered views of a captive portal. Any content that is present in the layout is visible on all the pages of the portal. A simplified version of the default portal layout follows.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Captive Portal</title>
<%= portal_stylesheet_link_tag %>
<%= portal_javascript_include_tag %>
</head>
<body>
<!-- renders view based on the action (e.g., sign up, login, etc.) -->
<%= yield %>
</body>
</html>
There are four bits of ruby in the above example. Three of which are in the <head>
element and include the CSS and javascript into your portal. The fourth is <%= yield %>
. That very simple line of code calls the code for the individual views, as defined in the views folder, and places the result in that location.
We will look at the individual views later, for now we will continue to work on the main layout. While this example is sufficient, it is pretty boring and contains no branding. Lets take the above example and include a company logo and some verbiage. First we need to copy an image into the images folder, simply drag a file, lets call it logo.png into the images folder inside your custom directory. For simplicity, lets only look at the <body>
element.
<body> <%= portal_image_tag('logo.png') %>
<p>Welcome to my captive portal!</p>
<!-- renders the content of the page being viewed (e.g., sign up, login, etc.) -->
<%= yield %>
</body>
With two more lines we now have a portal that is starting to look real. It is branded with your logo and has some text in it. The only line that needs further explanation is the line that contains portal_image_tag. That function creates an <img>
tag that will link to the image specified. In the above example the location just links to the portal currently being viewed and logo.png is the file we placed in the images folder inside our portal.
Assets
All aspects of the rXg captive portal web application may take advantage of assets that are loaded over HTTP. You may add an arbitrary number of static web assets (e.g., HTML pages, images, etc.) to a rXg captive portal. Static HTML assets should be placed within the base portal directory (CONTROLLER_NAME/
). Static image assets should be placed within the CONTROLLER_NAME/images/
directory.
Static HTML assets may be included from within embedded ruby files using the following syntax:
<%= portal_static_path 'YOURFILE.html' %>
Rendering a referenced static HTML asset takes longer than rendering directly from embedded ruby. However, externalized static HTML may make the captive portal more maintainable. For example, an operator may choose to place all portal presentation conditionals within.erb
files and all bare text within .html
files.
For example, if the operator wished to display different messages depending on whether the end-user is logged in, the following might be a part of a embedded ruby file:
<% if logged_in %>
<%= portal_static_path 'logged_in_message.html' %>
<% else %>
<%= portal_static_path 'not_logged_in_message.html' %>
<% end %>
Static image assets may be placed inside embedded ruby files using<%= portal_image_tag 'YOURFILE.jpg' %>
. Static HTML assets may also reference static image assets using the HTML <img />
tag. Operators may also use CSS to incorporate images by setting the background-image
property of any element.
For example, let us assume that the operator wishes to incorporate an image called example.jpg
. The first step is to copy the example.jpg
file into the CONTROLLER_NAME/images/
directory. To incorporate the image directly into an embedded ruby file, the following code would be placed into a layout or view:
<%= portal_image_tag 'example.jpg' %>
Alternatively, the operator may choose to incorporate the image via CSS. To accomplish this, the operator must include a named element into the embedded ruby (or a reference static HTML asset). For example, incorporate the following <div
into the embedded ruby:
<div id=someUniqueName />
Then edit the CONTROLLER_NAME/CONTROLLER_NAME.css.scss.erb
file and add the following:
div#someUniqueName {
width: 320px;
height: 240px;
background-image: url(<%= portal_asset_data_uri 'example.jpg' %>);
}
The result will be an image that appears where the <div>
tag is placed. Images that are referenced from the stylesheets are precompiled and integrated into the stylesheet resulting in a significant performance improvement. Use stylesheet images to when possible in order to maximize portal performance.
Files that the operator wants to make available for download should be placed into the static directory within the portal files. The files can then be accessed via https://fqdn.of.rxg/static/portal/custom/yourfile.ext. Note that fqnd.of.rxg should be changed to the domain name that resolves to your system, and "custom" is the controller name of the custom portal.
For example placing an image file named logo.png into the static directory of a custom portal allows anyone to access that file by going to https://fqdn.of.rxg/static/portal/access/logo.png (in this case the custom portal controller is access).
We can view our image by going to https://fqdn.of.rxg/static/portal/access/logo.png, results in the below image.
Menu
Ruby on Rails uses the link_to
keyword to generate HTML anchor tags with hyper link reference attributes. In a typical portal, a series of link_to
tags are used to create a navigation menu. The code below expands on the simple example used to describe the structure of the captive portal.
<body>
<%= portal_image_tag 'logo.png' %>
<p>Welcome to my captive portal!</p>
<div> <!-- BEGIN MENU -->
<%= link_to 'Home', { :action => :index }, { :class => 'menu' } %>
<% unless @logged_in %>
<%= link_to 'Login', { :action => :login }, { :class => 'menu' } %>
<%= link_to 'Sign Up', { :action => :account_new }, { :class => 'menu' } %>
<% else -%>
<%= link_to 'Logout', { :action => :login_session_destroy, :method => :delete }, { :class => 'menu' } %>
<% end -%>
<%= link_to 'Usage Plans', { :action => :usage_plan_list }, { :class => 'menu' } %>
<%= link_to 'Custom Example', { :action => :custom_example }, { :class => 'menu' } %>
</div> <!-- END MENU -->
<!-- renders the content of the page being viewed, such as sign up, or login -->
<%= yield %>
</body>
The code contained with the <div>
tags delimited by the BEGIN MENU
and END MENU
comments. Each link in the menu has been given a class named 'menu'. A style sheet must be defined the look and feel of the links. The default style sheet comes with a presentation that may be accessed by creating HTML unordered list items with the class menuparent
and is shown below. The presentation may be customized to almost anything imaginable by simply editing the CSS file.
There are several embedded Ruby elements incorporated into the menu example above. Starting from the top, the first Ruby element we see is link_to. The first argument to link_to is the name of the link as you want it displayed. The second argument is the action definition, this definition determines what page should be viewed after clicking the link. The last argument is the optional class argument that will specify the class of your link.
Embedded Ruby conditionals in the code change the HTML that is generated based on whether or not the end-user viewing the portal is logged in. Most end-users will first reach the portal while not logged in and first see the default menu example as shown above.
Once the end-user logs in, the menu will change. We only want to display the 'Login' and 'Sign Up' links if the user is not already logged in. The line <% unless @logged_in %>
executes the lines of code underneath it when @logged_in
variable is not set. The conditional ends with the <% end -%>
element. The HTML and embedded Ruby from the unless
all the way to the end
are subject to the conditional.
The @logged_in
variable is dynamically created based on the current state of the user looking at your captive portal.@logged_in
is only set when the end-user has provided valid credentials to the portal web application. Thus the link_to
embedded Ruby anchor HREF generators for Login and Sign Up links are ignored when the end-user is logged in. The embedded Ruby else
clause causes the Logout link to be displayed in their place.
<%= link_to 'Custom Example', { :action => :custom_example }, { :class => 'menu' } %>
Continuing with the example, the next element demonstrates how to add a custom view to the menu. The link specifies custom_example
as the target. Aside from all of the built-in views for things such as login and usage_plan_list, you can create your own custom view. One has been created for you called custom_example.
You may also want to display static content that is not framed by your portal layout. One example would be a page that is intended for printing that should not be contain the portal menu. You can do this by using normal HTML anchor tags with a little bit of Ruby helper to get the content.
<a href="<%= portal_static_path 'static.html' class="menu">Static Example</a>
This example shows that ruby can even be included in-line into an html tag. Our example says, lets get content from the current portal being viewed. Any content referenced in this manner will come from the 'static' folder. Keep in mind html without any ruby is perfectly acceptable.
To add drop-down sub-menus that appear when the mouse moves over the menu items, add a unordered list (HTML ul
tag) with list items (HTML li
tags) within the context of the menu item. The menu is defined in the PORTAL_CONTROLLER_NAME.erb
file.
For example, given the original menu item:
<li class="menuactive"> <%= link_to 'Home', { :action => :index }, { :class => 'menuactive' } %> <!-- INSERT HERE --> </li>
Add the following code:
<ul>
<li><%= link_to 'Custom Template', { :action => :custom_example }, { :class => 'menuactive' } %></li>
<!-- MORE MENU ITEMS HERE-->
</ul>
The result should look like the following:
<li class="menuactive"> <%= link_to 'Home', { :action => :index }, { :class => 'menuactive' } %>
<ul>
<li><%= link_to 'Custom Template', { :action => :custom_example }, { :class => 'menuactive' } %></li>
<!-- MORE MENU ITEMS HERE-->
</ul>
</li>
By integrating the code above with the layout example shown previously, you have a fully functional portal with menu. Now you can clean it up, add your own design, style, etc. All with just normal HTML, using the example Ruby from above where necessary.
Views
Full pages rendered in the web browser are called views in Ruby on Rails. Views are usually displayed as a result of the end-user clicking on a link that is generated via the link_to
function present in the menu generator. It is also possible to manually specify a URL to go directly to each full view. End-user web browser makes requests of the formhttps://rxg/portal/CONTROLLER_NAME/ACTION
. TheCONTROLLER_NAME
is typically the name of the custom portal and the ACTION
is one of the various web pages of the portal that present the functionality.
In our main page layout example we had the following line of code:<%= link_to 'Home', { :action => :index }, { :class =>
'menu' } %>
. Lets now look closer at the action portion. The { :action => :index }
portion says, I want to link to the full view called index. The corresponding file in your views folder is index.erb
. The index view also happens to be the view displayed if no view is specified. This could also be thought of as the splash view.
Another way to look at it is that the action name, such asindex
above, is determined from its filename. The portion before the .erb
in the filename is the name of the action. For example, if the end-user web browser requests the URLhttps://rxg/portal/CONTROLLER_NAME/session_info
, then the file session_info.erb
will be used to render the presentation.
There are three valid suffixes on the filename that coincides with an action: .tablet.erb
, .mobile.erb
and simply.erb
. This enables the administrator to create different presentations for different kinds of devices and/or browsers. By default, a desktop web browser that requests the URLhttps://rxg/portal/CONTROLLER_NAME/action
, will loadaction.erb
. Similarly, a web browser running on a mobile device (e.g., an iPhone, BlackBerry, etc.) will loadaction.mobile.erb
. If the administrator does not wish to differentiate between the desktop, tablet, or mobile views, a singleaction.erb
file may be created and that will always be used.
All of the views that ship with the default captive portal are functional as-is and require no modification. However if you would like to edit the verbiage or change the layout of a specific view, you can edit it as you see fit. The contents of a view file are HTML and embedded Ruby, similar to that of the layout file. Below is a simple example of a view.
<h2>Login</h2>
<%= portal_image_tag 'login.jpg' %>
<%= render :partial => 'login_form_account' %>
Notice that HTML elements (<h2>) are present side by side with embedded ruby elements (<% ruby code %>). Since the view will be rendered into the layout where the yield
command is, the view file does not contain the HTML that forms the foundation of the page (e.g.,<head>
, <body>
, etc.).
Minimizing redundant HTML and embedded Ruby code is an important part of custom captive portal implementation. Ruby on Rails supports the use of page partials that are reusable within many views. To create a partial, put whatever HTML and/or embedded Ruby code into a file with a name that begins with an underscore (_) character. You may then reference the file name (without the underscore) in any view using the embedded Ruby code
<%= render :partial => 'PARTIAL_FILE_NAME' %>
to have the partial rendered in place.
Custom Data Sets and Keys
The use of Custom Data Sets and Custom data Keys always revolves around doing portal customization. Logic can be added to the portal so that it can pull data from a Custom Data Key, that allows you to deploy the same portal code in many locations and "configure it" with Custom Data Sets and Keys. The below example will show how to use Custom Data Keys to display an address in the footer of a custom portal. This allows the address to be changed at each location by changing the Custom Data Key and not editing the portal directly. For most use cases Portal Modifications may be the better option, Custom Data Sets/Keys can also be combined with Portal Modifications.
For this example we do not need to use a Custom Data Set, we could just use a Custom Data Key by itself, we will configure it both ways. First without using a Custom Data Set. First navigate to System::Portals and create a new Custom Data Key.
Leave the Dataset field set to -select->. Give the record a name, the name will be refereced in the code so the name should reflect the purpose of the record. This will be named address since that is the information we are storing. It should be noted that while Custom Data Set names are unique it is possible to have mutlple Custom Data Key records with the same name. The address will be entered into the Text field. A value of each type can be stored in a single Custom Data Key if desired. Click Create.
To display this data in a portal we can edit the footer view in the portal or we can use a Portal Modification to override the footer view in the portal. For the purpose of this example we will create a Portal Modification. Create a new Portal Modification.
Give the Portal Modification a name, and select which portals the Portal Modification will apply to. In this case we will select both the Splash and Landing portals, if we selected only Splash then the address would only display in the Splash side of the portal and will not be present in the Landing portal after the user authenticates. In the Parital tab start to type footer and select footer from the dropdown menu. In the HTML b> field we can enter the code the will call the address, we can also use HTML here to center the data. To access the data stored in the Custom Data Key use <%= CustomDataKey.find_by(name: 'address').value_text %>. Click Create.
Now if we visit the portal we will see the address displayed in the footer. However it is all on one line.
This can be corrected by editing the Custom Data Key and adding <br> after each line, then updating the record.
Now when the portal is viewed, each line of the address will now be on its own line.
There may be a need to display a different address on another portal, we could create a Custom Data Key, but we would need to change the name of the key which means we cannot use the same code on each portal. However if we tie the Key into a Custom Data Set we can recall the Key from the Set. To configure this for this example create a new Custom Data Set.
Give the Custom Data Set record a name, this will be used in the code to reference the record. For this example we do not need to restrict the Set to specifc policy or group of policies so do not select any. Under Attributes check the address record in the Key field, and click Create.
Next we need to edit the Portal Modification we created earlier.
We need to change the line <%= CustomDataKey.find_by(name: 'address').value_text %> to <%= CustomDataSet.find_by(name: 'location1').get('address') %>. Update the record. When viewing the portal it will display the same information we are just pulling it from the Key via the Data Set instead of directly from the Key itself.
Portal Mods
Portal Mods allow the operator of the rXg to modify an existing portal, content can be modified by selecting the view and adding HTML content that will replace the view. Images can also be replaced as well. This allows the operator to easily change images and specify the login options for example.
Example Portal Mod
In this example Portal Mods will be used to change the greeting on the default portal, the login types and the logo on the splash and landing page. To change the default greeting (Good Morning, Good Aftgernoon, and Good Evening) create a new Portal Mod. The Name field is arbitrary. Select the Splash portal the change should be applied to. In the Partial Override select welcome_message from the drop down. In the HTML field the code for the welcome_message view is displayed, and can be edited.
If the goal is to change the message that is displayed in the afternoon the following code can be changed on lines 31 and 41 "greeting_afternoon = _('Good Afternoon')". If "Good Afternoon" is changed to "Hello, Good Afternoon", then in the afternoon the message displayed will change from "Good Afternoon" to "Hello, Good Afternoon".
This will result in the following change, the first image is the unmodified portal and the 2nd is with the modification.
It is also possible to replace the code entirely. Here is an example where the code has been erased and replaced with custom code to display a static greeting message.
This results in the following to be displayed regardless of time of day.
Using Portal Modifications the operator of the rXg can also change which login options are displayed overriding the default portal that displays login options based on the configuration. The operator may only want to display a click through option and PMS login for example. The below image shows the default portal with the login options displayed dynamically based on what is currently configured on the rXg.
To only display the free options an the PMS room/name login, create a new Portal Modification. The Name field is arbitrary, enter a name for the record, check the Splash portal(s) this modification will apply to. The Mod type field should be set to Partial Override , and the Partial Override field should be set to login_forms_conditional. To display the free option and PMS room/name option on the portal remove or comment out the section of code for the login option that is to be removed.
Now the portal will only display the login options we put in the Portal Modification.
In this last example we will change the logo displayed at the top of the portal page.
To change the logo, create a new Portal Modification , give it a name, select both the Splash and Landing portals the logo will be changed on. Change the Mod type field to Image Override , a URL can be entered load the image from a remote location, for this example we will use the Image field and click the Choose File button and select the file to be used. In the Image To Replace field enter "default_icon.svg". Click Create.
Now the logo displayed at the top is changed. Note: that if this is done on a cluster the configuration will be pushed to the portal on each node, there is no need to create a record for each node in the cluster.
Example: Using template to replace portal logo.
In this example, a template will be used to upload an image to replace the default logo. Below is the template that will be used, the variable data will be populated with the image after it is run through a Base64 Image Encoder, note for the sake of space the data variable has been truncated. For this example https://www.base64-image.de was used to convert the rgnets_logo.png to Base64.
<%
mod_name = 'Replace Logo'
image_to_replace = 'default_icon.svg'
filename = 'rgnets_logo.png'
data = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAawAAABXCAYAAABY6nHCAAAEsmlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGF"
%>
PortalMod:
- name: <%= mod_name %>
image_to_replace: <%= image_to replace %>
image:
data: <%= data %>
filename: <%= filename %>
Navigate to System::Backup and create a new Config Template.
Give the Config Template a name, and enter the code into the Config field. Check the Apply Template box, this will save the template and apply it at the same time. Click Create
Next navigate to Policies::Captive Portal , the template has created a Portal Modification that can be used to replace the default_icon.svg file.
Example: Using Actiontext With Portal Mods
In this example we will create a Portal Modification that will allow us to quickly and easily modify the information found in the footer of portals all from a single location. Operators can use this to change or modify all or a select group of portals all at once. There are two portals that will be modified in this example.
Navigate to Policies::Captive Portal. First we need to create a Portal Modification that will display the custom view we are going to create to display our footer information.
Give it a name and select which portals this Portal Mod will be applied to. In this example we want the information we are including in the footer to display on each page, so we will select both portals under the Custom field. If we only want the information to display on the splash portal then we would select both portals under the Splash field, and the same could be done for Landing as well. Since we are modifying the footer we need to specify that under the Partial field. When you start to type the name of the Partial it will give you a list to choose from, we want to select footer. For this first Portal Mod leave the Content mode set to HTML. Here we are creating a div that will display the view we will create in the next step, this also allows us to give it some formatting like centering the text. See screenshot below, click Create.
Next create a second Portal Modification , this one will contain the information we want to display in the footer. Give it a name and select which portals this content will be added to. For this example I am selecting both portals under the Custom field. In the Partial field we are going to enter in the name of the view we are calling in the previous step, in this example that was footer_content. Change the Content mode to Rich Text , we can now enter in the content for our footer. Images can be included as well by clicking the paperclip icon and selecting an image. Click Create.
Now if we visit the default portal which the Portal modifications haven't been applied to we get the following.
If we visit portalone or portaltwo we will see that the mods we created show up because these were the portals we selected.
We can take this a step further by editing the Portal Modification record that contains the phone number and image and change it so that it only applies to portalone, and we will create another record that applies to only portaltwo. Edit the record and unselect portaltwo.
Now create a new Portal Modification selecting only portaltwo, and change the content. We will move the logo above the other content for this one.
Now if we look at portalone, we get the following result.
And finally looking at portal two we get the following result.
Example: Change Background Image
In this example, we will use Portal Modifications to add a background image to the default portal. Because the default portal's background gradient is defined solely using CSS rules, we will need to add some CSS in order to set a background-image. We will create two portal modifications to accomplish this. The first will serve the purpose of storing the background image, which will be referenced by the second Portal Mod's CSS rules.
Give the portal mod a name, which should reflect the purpose of the modification (this name will be referenced by our second Portal Mod). For this example we will use "Default-bgimage". Since this Portal Mod won't be rendered directly, there is no need to select any portals in the Custom, Splash, or Landing fields so those fields should be left blank. Next, click on the Choose File button and select the image to be used for the background. Click Create. Note: recommended formats are .jpg for reduced size or .svg for better resizing.
Create a Second Portal Mod, which will modify the CSS Partial. Give the portal mod a name, again it should reflect its purpose. Select the Splash and Landing portal to which it will apply. Enter "CSS" in the partial field. Add the following code to the HTML(ERB) field:
<style>
body, body.bg-dark {
background-image: url(<%= rails_blob_url PortalMod.find_by(name: 'Default-bgimage').image %>) !important;
}
</style>
Click Create.
We should have two Portal Modifications now, and when we view the default portal it will have our new background image.
Social Login (OAuth)
The portal supports logging in users against several Oauth providers:
- SAML
When a user logs in with one of these platforms, a local account will be created and the user will be logged in with that account. At that point, the user can proceed to purchase a usage plan from the plans associated with the strategy and the current captive/landing portal. If there is only one plan and it is free, it will be applied for the user automatically. If there are no usage plans associated with the strategy, the usage plans are controlled by the normal captive/landing portal logic. The user may continue to log in via the social provider on return visits, and they will be logged into their existing account.
The information returned from the provider's API will also be stored into a Social Profile record associated with the account, which may be viewed by clicking on the 'Social Logins' submenu item on the 'Archives::Portal Logs' page.
Requirements
Utilizing an Oauth login flow requires first creating an application with the desired provider, and Oauth login must be enabled in the application. The steps required to do this vary by provider, and are subject to change in the future, but a general outline is below.
A WAN Target should be associated with the Captive Portal where you intend to use the strategy which allows the user to access the provider's site for the login process. Twitter, Facebook, and Google WAN Targets are created automatically and should be selected when utilizing these providers.
If you have not done so, you will need to upgrade your personal Facebook account to a developer account.You may do this, as well as register the app for your business at the following link:
- https://developers.facebook.com/docs/apps/register When prompted for choose a platform, select "Website (WWW)".You will need to specify a category for your application before you make make the app live.
Once you have created the app, go to your Facebook developers dashboard, and add the 'Facebook Login' product to your app. In the 'Client OAuth Settings' dialog, ensure that the 'Web OAuth Login' option is set to YES.
After making any other desired changes to the application (image, etc), copy your App ID and App Secret from the Basic Settings page, as they will be used in the configuration on the rXg.
IMPORTANT: In order for Facebook to allow OAuth requests from this rXg, the redirect URIs must be whitelisted in your app's Facebook Login settings. Complete the section below titled Configuration , then click the show link in the Social Login Strategies scaffold next to Facebook strategy you created. Obtain the list of OAuth Redirect URIs which must be entered within the Facebook developer console's Facebook Login settings section. If this step is not completed, users will experience an error when Facebook login is initiated.
Based on the current configuration of this rXg, the following URIs may need to be added to the application:
Before your app can be used by the public, you must make it 'live' by going to the App Review page and taking the app out of development by setting the toggle to 'YES'. By default, the rXg does not ask for any user permissions that require Facebook to review the application before going live.
Visit the Twitter Apps page to create your app:
- https://apps.twitter.com/ Click 'Create New App' and fill out the resulting form.
Give the app a name and description. The website and Callback URL fields must also be filled out. The website can be your business' main website, or the address of the rXg. The Callback URL will be provided by the rXg during authentication, but we must enter any URL here in order for OAuth to be enabled for the app.
Once you've created your application and customized it as desired, go to the 'Keys and Access Tokens' to obtain your API Key and API Secret which will be utilized in the configuration of the rXg.
IMPORTANT: In order for Twitter to allow OAuth requests from this rXg, the redirect URIs must be whitelisted in your app's redirect URI list. Complete the section below titled Configuration , then click the show link in the Social Login Strategies scaffold next to the Twitter strategy you created. Obtain the list of OAuth Redirect URIs which must be entered into the application's Callback URLs field of the application's settings tab. If this step is not completed, users will experience an error when Twitter login is initiated.
Based on the current configuration of this Rxg, the following URIs may need to be added to the application:
- Go to https://console.developers.google.com
- under the 'Select a project' dropdown, select or create a new app.
- Click 'Library' on the left.
- Enable the "Contacts API" and "Google+ API" (optional -- this is not required to provide credential verification functionality).
- Go to 'Credentials' on the left, then select the 'OAuth consent screen' tab on top, and provide an 'EMAIL ADDRESS' and a 'PRODUCT NAME'
- Wait 10 minutes for changes to take effect.
- Click 'Create Credentials' and choose 'OAuth Client ID'
- Choose 'Web Application' and give it a name
- IMPORTANT: Google requires that the complete Redirect URI be entered, rather than just the hostname. Based on the current configuration of this rXg, the following URIs should be added to the application:
- Enter the client ID and client Secret into the social login configuration
Visit the Instagram Developer page to create your app:
- http://instagram.com/developer/ Click 'Register Your Application' and fill out the resulting form to register as a developer if you are not already. Register a new Client ID and fill out name, description, and other mandatory fields.
Once you've created your application and customized it as desired, click 'Manage' to obtain your Client ID and Client Secret which will be utilized in the configuration of the rXg.
IMPORTANT: In order for Instagram to allow OAuth requests from this rXg, the redirect URIs must be whitelisted in your app's redirect URI list. Complete the section below titled Configuration , then click the show link in the Social Login Strategies scaffold next to the Instagram strategy you created. Obtain the list of OAuth Redirect URIs which must be entered into the application's Valid redirect URIs field of the application's security settings. To access these settings, click the Manage Clients button at the top of the Instagram Developers console, and click the Manage button next to the client you registered in the previous step, then click the Security tab. If this step is not completed, users will experience an error when Instagram login is initiated.
Based on the current configuration of this rXg, the following URIs may need to be added to the application:
Visit the LinkedIn Apps page to create your app:
- https://www.linkedin.com/secure/developer Click 'Create Application' button and fill out the resulting form.
Once you've created your application, go to the Authentication portion of the Application's settings to obtain your Client ID and Client Secret which will be utilized in the configuration of the rXg. You may also choose to include the r_emailaddress default application permission to allow for retrieval of the user's Email address after authentication.
IMPORTANT: In order for LinkedIn to allow OAuth requests from this rXg, the redirect URIs must be whitelisted in your app's redirect URI list. Complete the section below titled Configuration , then click the show link in the Social Login Strategies scaffold next to Facebook strategy you created. Obtain the list of OAuth Redirect URIs which must be added to the application's OAuth 2.0 Authorized Redirect URLs within the settings section. If this step is not completed, users will experience an error when LinkedIn login is initiated.
Based on the current configuration of this Rxg, the following URIs may need to be added to the application:
SAML
Configuration begins by creating a Social Login Strategy on the rXg. This can be accomplished on the System::Portals view.
Next, enter the Identity Provider's metadata URL into the IdP Metadata URL field. The rXg will retrieve the metadata from the Identity Provider and attempt to locate the Single Sign-On URL and Fingerprint. If the remote metadata cannot be retrieved or parsed, the values may be entered manually.
After the record has been saved, click the show link. Depending on the configured usage plans, captive portals, and cluster nodes, one or more metadata URLs will be listed. These can be provided to the Identity Provider out of band to be established as a Service Provider for login trust.
Visit the following URL for an introduction to the concepts of SAML oauth login:
Omniauth Strategies
The Social Login Strategies scaffold enables creation, modification, and deletion of login strategies for supported Omniauth providers.
The name field identifies this login strategy in the system.
The provider name field determines which Oauth provider this strategy relates to. Select a supported provider from the list.
The app ID field defines the ID of the application that has been created with the provider chosen in the provider name field. For Facebook, this is the App ID , but for Twitter this is the API Key. This value should be obtained from the developer console of the associated provider.
The app secret field defines the app's secret value which authenticates the app. This value should be obtained from the developer console of the associated provider.
The captive portals selections define for which captive portals this strategy is enabled. This strategy will not be available unless it is associated with at least one captive portal.
The usage plans selections determine which usage plans are available for users who log in using this strategy. The plans selected here must also be associated with the end user's effective portal; however, users who have not logged in via this strategy won't be able to see these plans in the usage plan list. If there are no usage plans associated with this strategy, an account will be created for the user, who will then be redirected to the usage plan list view. If there is only one associated usage plan, and it is free, the plan will automatically be applied to the account.
The SAML section contains configuration options which pertain only to SAML login strategies. When utilizing a SAML strategy, the App ID and App Key are not necessary.
A SAML configuration requires at a minimum, an Identity Provider (IdP) SSO URL, and optionally, a IdP Cert Fingerprint to enable validation of the IdP's certificate. Both the SSO URL and Fingerprint may be determined automatically by providing a IdP metadata URL.
The Service Provider (SP) Entity ID is a unique identifier for the service provider, which will be entered into the IdP when adding the SP.
After creating the login strategy , the webserver will restart. Clicking the show link will provide the metadata URL that can be provided out-of-band to the Identity Provider in order to establish a login trust.
Users who log in with an Omniauth strategy only have access to usage plans that are associated with their strategy AND the current captive portal. Users who log in with a non-social account do not have access to the usage plans associated with the portal's Omniauth strategies.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
A WAN target should be associated with the captive portal where the operator intends to use the strategy which allows the user to access the provider's site for the login process. Twitter, Facebook, and Google WAN targets are created automatically and should be selected when utilizing these providers.
Customized Login Flow
If you wish to customize the actions taken when a user successfully logs in with a defined strategy, you may override the <provider>_success and <provider>_failure actions of the portal controller (ie, facebook_success or twitter_failure).
SMS Integration
The rXg offers the ability to require validated contact information for a user prior to registering for service. A user who wishes to subscribe to a usage plan that requires Acccount validation must retrieve a validation code, either by SMS message, or by Email, depending on the configuration of the usage plan.
The rXg also supports password resets after validating that the user has access to the account's mobile number or email address, depending on the configuration of the active Splash Portal.
In order to send SMS messages, the operator must first register for service with a supported provider and configure a record in the SMS Gateways scaffold with a valid phone number or shortcode, and the API credentials required to access the API of the slected provider.
Twilio Configuration
To begin, visit Twilio to register for a trial account. After creating an account, you will be prompted to create a new project. Under the Products heading, select the Programmable SMS option and click continue. Give your project a name.
A trial account may only send messages to its own phone number. Click the Upgradelink in the upper right hand corner of the page. Verify your phone number and provide payment details to fund your account. SMS messaging requires a Twilio phone number, which has a cost of $1 per month, and pricing per message varies by location. See the Twilio Pricing page for more details.
From your Twilio dashboard, click the Programmable SMS icon in the left hand menu, and follow the prompt to get started. Request a Twilio phone number by clicking Get a Number. Record the assigned number to enter into the SMS Gateway record in the rXg. You may manage your Twilio Phone Numbersto add or change phone numbers at a later date.
Visit the Settingspage of your dashboard and obtain the Account SID and Auth Token values (click the Auth Token to view the unobscured value), which act as the API credentials in order to send SMS messages via Twilio's REST API. Be sure to obtain the LIVE API credentials, not the TEST credentials.
Once you have your phone number, Account SID and Auth Token, proceed with configuring the SMS Gateway record in the System::Portals view of the rXg admin console.
SMS Gateways
The SMS Gateways scaffold enables the creation of an SMS Gateway service which will be utilized for verifying a user's mobile number for the purpose of new account signups and/or password resets.
The name field identifies this SMS Gateway in the system.
The provider field specifies which provider this SMS Gateway relates to. Select a supported provider from the list.
The from field specifies the phone number, shortcode, or Alphanumeric Sender ID (not supported in all countries) to be used when sending SMS messages through this gateway. This value must correspond to a number purchased from or ported to the provider.
The Account SID and Auth Token fields specify the API credentials used to access the provider's REST API, and may be obtained from your dashboard within the provider's website.
The Usage Plans selections determine which usage plans are configured to utilize this SMS Gateway. The usage plan must also specify a validation method which includes SMS in order for messages to be sent via SMS.
The Splash Portals selections determine which splash portals are configured to utilize this SMS Gateway for the purposes of performing password resets. Accounts with a valid mobile phone number may request a password reset token via SMS or Email, depending on the password reset method specified in the splash portal.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Free SMS alternative
As an alternative to SMS integration via a paid third-party SMS Gateway, the rXg also supports a simplified SMS account signup flow which attempts to deliver SMS messages by sending an Email to an Email-to-SMS gateway provided by the end user's cellular carrier. This method does not integrate with Usage Plans, and requires that the user select their cellular carrier from a dropdown list, and not all carriers are supported. Delivery is on a best-effort basis.
To enable the simplified SMS signup flow, simply create an Account Group with the name 'SMS', and an additional login option will be presented in the captive portal, which, upon completion, will place the user into the SMS Account Group with unlimited usage.
Internationalization
All aspects of the rXg captive portal web application are internationalized and capable of supporting localized presentations. This enables operators to deploy captive portals that vary in presentation based on browser language preference and/or manually selected language overrides.
Localization Selection
The rXg captive portal web application internationalization supports selection of localization in two different ways:
- Automatic determination of preferred localization through browser preference supplied via HTTP header
- Manual selection of desired localization via CGI parameter
Most operators will choose to use both localization selectors in parallel. The automatic selector is used to determine the initial localization preference and display a portal. The assumption is that the end-user will have selected a language preference in their browser or OS that is reasonable and meaningful. However, in some cases the OS and/or browser setting may be incorrect or insufficient to select an appropriate localization for display. Therefore most localized portals will also have links incorporated into the views them that enable manual localization override.
The key of the CGI parameter used to override the localization preference read from the browser is locale
. The value of the locale
key is the desired language abbreviation (e.g., en
, fr
, etc.). An example of a link to override the automatically selected localization is:
<a href="/portal/default/?locale=en">English</a>
Localization Implementation
The rXg captive portal web application internationalization features support implementation of localization in three different ways:
- String Translation with Gettext
- Localization conditionals within a view
- Selection of localized views Operators may choose to use any of the three available mechanisms individually or in any combination that is desired. ## String Translation with Gettext
The globalization support features of the rXg captive portal web application implement translation using the gettext application. Gettext allows the externalization of translation text while still maintaining the readability of the underlying views and partials. The source language is used in the views within the _()
helper function, and external files map these strings to their translated counterparts.
For example, consider the following simple (untranslated) view (logout_success.erb
):
<h2> Logout Successful </h2>
<p> You have successfully logged out. </p>
<p> Please come and visit us again. </p>
Implementing the string translation mechanism results in the following code for the view:
<h2> <%= _('Logout Successful') %> </h2>
<p> <%= _('You have successfully logged out.') %> </p>
<p> <%= _('Please come and visit us again.') %> </p>
The view code calls the _()
function to look up a localized string in the appropriate place in the view. The set of available strings are stored in resource files in the locale/gettext
directory of a custom portal.
An example of the source language (English) Gettext resource file (en.po
) that corresponds to the string view shown above is shown below:
msgid "Logout Successful"
msgstr ""
msgid "You have successfully logged out."
msgstr ""
msgid "Please come and visit us again."
msgstr ""
An example of a French Gettext resource file (fr.po
) that would work with the same view we have been considering is shown below:
msgid "Logout Successful"
msgstr "Dconnexion russie"
msgid "You have successfully logged out."
msgstr "Vous vous tes dconnect avec succs."
msgid "Please come and visit us again."
msgstr "S'il vous plat revenez nous rendre visite."
The default.pot
template file may be copied into the portals gettext directory as_languagecode_.po (where languagecode represents the two-letter locale code for the language, e.g. fr
or es
) and edited/translated directly, or it may be provided to a third-party translation service, with the resulting .po files stored in the gettext directory of the custom portal.
For example, a new French locale translation file for the myportal Custom Portal can be started by running
mkdir -p /space/portals/myportal/gettext
cp /space/rxg/console/config/locales/gettext/default.pot /space/portals/myportal/gettext/fr.po
and then editing the fr.po file with the appropriate translations for the listed strings.
This enables the captive portal web application to use the appropriate strings for a given language preference. The strings in the source files are used when the captive portal web application renders the the view for a request from a web browser with an English language preference. The strings in the portal_directory/gettext/fr.po
file are used when a request is fulfilled from a browser with a French language preference.
Inline Conditionals
Conditionals may be placed inline in a layout or a view to modify content based on language preference. For example, if a captive portal is localized for English and Spanish languages, then it would be appropriate to have an English override link when Spanish is being displayed and vice versa. The following code fragment exemplifies how this might be accomplished:
<% if I18n.locale == :en %>
<li class="menuparent"> <%= link_to 'Espaol',
{ :action => :index, :locale => :es },
{ :class => 'menuactive' } %></li>
<% else %>
<li class="menuparent"> <%= link_to 'English',
{ :action => :index, :locale => :en },
{ :class => 'menuactive' } %></li>
<% end %>
It is possible to use inline conditionals instead of string externalization to change the text being displayed. However the result is view code that is difficult to read. Thus, inline conditionals should be reserved for situations where small structural changes to the view are desired.
View Selection
The rXg captive portal web application supports view selection based on language preference. The operator may choose to have bothlogout_success.en.erb
and logout_success.fr.erb
files instead of a single logout_success.erb
view file. Thus entirely different views may be presented to the end-user based on browser language preference.
Environment
One feature that you may want to use in your portal frame is the flash notice. The flash notice is available for you to use after certain events happen. For example after a user logs in, a message that states, 'login successful' is available for you to display in your portal. You can render this flash message anywhere in your portal layout with the following additional code:
<%= render :partial => 'flash', :object => flash %>
The flash notice is one of many aspects of the portal environment. Variables are another aspect of the portal environment that we wish to consider. We briefly touched on this subject above when looking at the @logged_in variable. There are many variables available for you to use, and are used in the many pre-defined views. You can see the available variables by turning on debugging. First you will need to add the following code into your main portal layout:
<% if params.has_key? :debug %>
<br />
<%= debug_inline.html_safe %>
<% end %>
Once you have that code in your main layout, you can enable the debugging by adding ?debug=true
to the end of the URL you are using to view the portal. You can use these variables to dynamically generate content that suits your needs.
The debug variables may also be brought up by clicking on the_Show Debug Popup_ button that is displayed at the top of every page when the web server is in development mode.
The following variables are relevant for most portal conditionals:
@current_login_identifierThe login of the end-user. This is usable for both local and remote authentication.@current_accountThe current local user object for a logged in end-user (if local authentication is being used).@client_ipThe IP address of the device that is hitting the portal.@client_macThe MAC address of the device that is hitting the portal.@effective_portal The end-user's configured splash portal or landing portal depending upon login state. Landing_portal is usually defined only if logged_in?
is true. An exception is when an end-user has an existing LoginSession stored but has to re-authenticate because her session is empty (cleared cookies/new browser).@groupThe effective group of the end-user. If the end-user is a member of multiple groups, only the final disambiguated group (based on group priority) is reported.@policyThe policy that is linked to the effective group of the end-user. @logged_intrue
if the end-user has supplied valid credentials to the portal.@portal_nameThe controller name of the portal being displayed.@portal_controllerThe controller name of the portal being displayed.@usage_plansThe list of usage plans that this end-user may select from.
Example Customization
One very simple and common portal customization is to change the display of the usage plans. A quick search of the captive portal directory structure reveals the following:
$ ls | grep usage
_current_usage_plan.erb
_online_usage.erb
_usage_plan.erb
_usage_plan_purchase_link.erb
usage_plan_charge.erb
usage_plan_list.erb
usage_plan_purchase.erb
The display of an individual usage plan are rendered by the partial _usage_plan.erb
and the display of the set of all available usage plans is rendered by the viewusage_plan_list.erb
.
The contents of the default usage_plan_list.erb
should resemble the following:
<h2>Usage Plan List</h2>
<%= render :partial => 'prorated_credit' %>
<table>
<% @usage_plans.each do |usage_plan| %>
<tr>
<td>
<%= render :partial => 'usage_plan',
:object => usage_plan %>
</td>
<td>
<%= render :partial => 'usage_plan_purchase_link',
:locals => { :usage_plan => usage_plan } %>
</td>
</tr>
<tr><td> <br/> </td></tr>
<% end %>
</table>
One simple way to change the order of the list of usage plans is to modify the looping structure. The default structure
@usage_plans.each do |usage_plan|
generates a list that may appear to be randomly ordered. To generate a list of the usage plans sorted by price, the looping structure should be changed to:
@usage_plans.sort_by(&:price_cents).each do |usage_plan|
To generate a list of the usage plans sorted by name, the looping structure should be changed to:
@usage_plans.sort_by(&:name).each do |usage_plan|
A custom sort order may be easily achieved by using the note field present in each usage plan record. Place a number (prefixed with a zero for multiple digits) inside the note field. Then change the looping structure to:
@usage_plans.sort_by(&:note).each do |usage_plan|
Another common portal customization is to change the layout of the usage plan list. For example, instead of a simple list, the operator may desire to have a multicolumn column list. One simple way to achieve this is add a variable to keep track of which column the usage plan should appear in. For example:
<h2>Usage Plan List</h2>
<%= render :partial => 'prorated_credit' %>
<table>
<% @u_p_cnt = 0 %>
<% @u_p_columns = 3 %>
<% @usage_plans.each do |usage_plan| %>
<% if @u_p_cnt % @u_p_columns == 0 %>
<tr><td>
<% else %>
<td>
<% end %>
<%= render :partial => 'usage_plan',
:object => usage_plan %>
<br/>
<%= render :partial => 'usage_plan_purchase_link',
:locals => { :usage_plan => usage_plan } %>
<% if @u_p_cnt % @u_p_columns == 0 %>
</td></tr>
<% else %>
</td>
<% end %>
<% @u_p_cnt = @u_p_cnt + 1 %>
<% end %>
</table>
The code above will generate a three column list of usage plans. The @up_cnt
variable starts at zero and is incremented every time a usage plan is rendered. Every third usage plan (as determined by the modulo operation), a new table row is created. To change the number of rows, one would only need to change the value of the @u_p_columns
variable.
Setup
There are several prerequisites that must be completed before captive portal customization may begin. First and foremost the web developer must be given access to the rXg filesystem by an administrator. The rXg supports filesystem access via SSH/SFTP as well as SMB/CIFS. SSH/SFTP is the preferred method as it is generally considered to be more secure and is much more reliable when used over the WAN. SMB/CIFS is a less desirable alternative that is suitable for use from developer machines on the LAN as well as over encrypted VPN connections.
SSH / SFTP Access
There are three main steps to granting administrative access to the rXg filesystem over SSH/SFTP. First, The administrator's computer must have an SSH client installed and a key pair must be generated. Next, administrative access to the rXg file system via SSH must be granted by installing the administrator's public key. Finally, the operator must declare that a new customizable portal controller is to be created and specify a name.
SSH and SFTP are the mechanisms used to access the rXg file system and make changes to custom portals. Thus an SSH client must be installed on the computer that will be used by the administrator who will be customizing the portals. OpenSSHis included with MacOS X and most UNIX and Linux distributions. Microsoft does not ship with SSH by default, but there are many third party options for running SSH on Windows.
The rXg requires the use of the public key authentication to gain access to the file system. To accomplish this, a key pair must be generated that is 4096-bit RSA or stronger. For example, togenerate an OpenSSH keypair, use the command linessh-keygen -t rsa -b 4096 -f rxg
. Most of the Windows SSH utilities come with a GUI to generate keys. Make sure that the private key stored in a safe place on the administrators computer. Keep the public key handy (e.g., pasted into a notepad or textedit window) as it needs to be installed onto the rXg in the next step to enable remote access to the file system.
An administrator with SSH access must be established to enable access to the rXg file system. This is accomplished through the Admins view in the System sub-menu. To enable SSH, a change must be made (or the data validated) in at least one record in both scaffolds that are present in this view.
An SSH public key must be added to a record in the administrators scaffold. The operator may choose to edit an existing record or create a new record to grant access to an individual who has never before required administrative access to the rXg. In either case, the public SSH key must be pasted into the text area that is provided. In addition, the role field must be set to an administrative role that has SSH access enabled.
By default, there is a "Web Designer" admin role that will allow members of that role to SSH to the box to edit and save captive portals, as well as view logs and graphs. Of course, custom roles with SSH access may be created if the default ones are not sufficient.
When creating or editing a role that will contain administrators that need to customize captive portals, the check box next to the SSH field should be checked. To disable SSH access for administrators that are assigned a role that has the SSH field is checked, delete the public SSH key from the administrator record.
SMB / CIFS Access
Access to the rXg filesystem via SMB / CIFS is disabled by default. An administrator must create an active record in the SMB Server scaffold found on the Admins view.
SMB / CIFS access must be restricted to the specific IP addresses that will be used by the web developers to access the rXg filesystem. LAN IPs and CIDRs are added to the SMB / CIFS ACL by associating the SMB Server record with a Policy record that is linked to IP and MAC groups. WAN IPs and DNS names are added to the SMB / CIFS ACL by associating the SMB Server record with WAN targets listing devices that should be allowed access.
Only Administrators that are members of Administrative Roles that have SMB access enabled will be able to gain access over SMB / CIFS. By default, no Administrative Roles have SMB / CIFS access enabled. To enable SMB / CIFS access, an administrator must check the SMB checkbox in an administrative role. If no roles have SMB checked, the SMB server will not be started.
Once the SMB Server is properly configured, the web developer uses the Explorer (Windows), Finder.app (Mac OS X) or SMB client (UNIX) to browser to the IP address or DNS name of the rXg. The captive portals are located in a share called portals.
The username and password credentials that are used for web administrative console access are also used to obtain SMB / CIFS access.
Once authenticated, the web developer may access the captive portals stored on the rXg filesystem as a network share. Most operating systems make SMB / CIFS network shares behave like locally stored files.
SMB / CIFS access is designed to facilitate rapid portal development for operators with web development resources. The SMB / CIFS server should only be used on dedicated development rXgs. It is strongly recommended that SMB / CIFS never be used on production rXgs as the overall security of the SMB / CIFS protocol is inferior to the SSH / SFTP protocol. Once a portal has been developed, the SSH / SFTP protocol should be used to move portals onto production rXgs.
Create New Portal
The default rXg captive portal may be not edited directly. To create a custom portal, a copy of the default portal is made and saved to an operator chosen name. This is accomplished using the Portals view of the System menu.
To begin, use the create action in the custom portals scaffold. This will drop down a dialog with two fields that must be completed. The name field is an arbitrary name you choose for this portal and will be used in other areas of the administration console. The controller name field will be the text inserted into the URL when users access this portal. This field should be all lowercase and only one word. If it is left blank, it will be the same as the name field you entered above.
In order for your new captive portal to become usable, you will need to restart the web server. Click on either Production or Development buttons in the Restart Web Server dialog. Production mode is the normal operating mode and is recommended when the rXg is deployed. Development mode will limit access to the administrative console and portals to only one simultaneous user. In addition, server-side page caching is disabled in development mode so changes that are made are reflected immediately.
It is highly recommended that the rXg be left in development mode while captive portals are being developed. This prevents issues from coming about due to the uploaded or edited portals being out of the sync with the version in memory. In addition, it is critically important to click on the Production button even if the web server is running in production mode on when the captive portal is updated on a deployed rXg. Failure to follow this procedure will result in all sorts of bizarre issues ranging from improperly rendered images to browsers intermittently displaying an error 500.
At this point, you should now have a custom captive portal that is a copy of the default portal running on an rXg. You can preview this portal by visiting https://rxg.domain/portal/my_custom_controller
in your browser. rxg.domain
is the domain name or IP address of your rXg. my_custom_controller
is the one-word lowercase name you defined above.
Structure
The default working directory presented to a client when the rXg file system is accessed via SSH is the administrator's home directory. A subdirectory called portals
is present in every administrator's home directory that is linked to the location of where all captive portal as stored. A single persistent storage location is used for all custom captive portals on an rXg and is shared by all administrators.
Within the portals
is a series of subdirectories. Each subdirectory contains a custom captive portal. The name of the subdirectory will be the same as the 'Controller name' as defined when creating the portal. Using SSH, it is possible to login to the rXg and edit the custom portal files directly using the built-in text editor vi. However, in most cases, administrators will want to use a SCP or SFTP client to copy the files from the rXg to a local computer for editing.
If you are using an SSH command line tool such as OpenSSH, a command like the following will copy the contents of the custom portal named by CONTROLLER_NAME into the local current working directory.
scp **ADMIN\_LOGIN** @rxg.domain:~/portals/ **CONTROLLER\_NAME**.
Most GUI SSH clients have enable bulk copying of entire directory trees from a remote file system. Typically, this is accomplished by logging into the remote server and then dragging and dropping the desired folder onto a destination on the local machine.
We recommend that the administrators copy the entire directory tree of a custom portal onto a local workstation, making changes, and then copying the entire directory tree back to the rXg. Although this requires more transfer time between the administrative workstation and the rXg, adhering to this protocol helps prevent numerous classes of common issues that result in strange portal behavior.
The folder structure for a custom captive portal looks like the following:
CONTROLLER_NAME/
images/
javascripts/
static/
stylesheets/
views/
CONTROLLER_NAME.erb
CONTROLLER_NAME.rb
images/ The directory where artwork assets are stored. javascripts/ The directory where the client-side JavaScript code assets are stored. The portal.js.erb
file is the only file that needs to be referenced by the portal. All other files that are present in this directory are automatically assembled into a single URI that is referenced in the layout via the Rails asset pipelining mechanism. static The directory where file resources are stored that can be accessed from the WAN. Downloadable files etc. stylesheets The directory where cascading style sheet assets are stored. Both CSS and Sass/SCSS are supported. Additional stylesheets may be placed into this directory and referenced for asset pipelining. Each file that should be included must be listed at the top of the portal.css.scss.erb
or the portal_mobile.css.scss.erb
file. views/ The directory where HTML files with embedded ruby templates for the views, and partials are stored. Templates for views are named according to the controller action that is requested. For example, when the end-user browser requests /portal/CONTROLLER_NAME/session_info/
, the session_info.erb
file is picked for rendering. Partials being with an underscore character (_
) and are included by file name within the view through one or more render partial
rails statement. CONTROLLER_NAME.erb The desktop portal layout. This file is the foundation of the portal and incorporates the HTML and embedded Ruby that will be present in all rails generated views.CONTROLLER_NAME.rb The controller file for the custom captive portal. Existing actions may be customized and new actions may be created by editing this file. This file may be ignored if only cosmetic changes are desired. The rXg portal is implemented in Ruby on Rails. Becoming versed in rails is a critical aspect of portal customization. Mastery of rails enables the administrator to create entirely new functionality that suit your exact needs. However, it is possible to customize the presentation of a portal without knowing any knowledge or experience with Ruby on Rails. Knowledge of HTML and CSS are all that is required to change the look and feel of the default portal. Dramatic results may be achieved through modification of the CSS alone.
Layout
The CONTROLLER_NAME.erb file is called the layout in Ruby on Rails. This file contains all of the HTML and embedded Ruby that is present in all rails rendered views of a captive portal. Any content that is present in the layout is visible on all the pages of the portal. A simplified version of the default portal layout follows.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Captive Portal</title>
<%= portal_stylesheet_link_tag %>
<%= portal_javascript_include_tag %>
</head>
<body>
<!-- renders view based on the action (e.g., sign up, login, etc.) -->
<%= yield %>
</body>
</html>
There are four bits of ruby in the above example. Three of which are in the <head>
element and include the CSS and javascript into your portal. The fourth is <%= yield %>
. That very simple line of code calls the code for the individual views, as defined in the views folder, and places the result in that location.
We will look at the individual views later, for now we will continue to work on the main layout. While this example is sufficient, it is pretty boring and contains no branding. Lets take the above example and include a company logo and some verbiage. First we need to copy an image into the images folder, simply drag a file, lets call it logo.png into the images folder inside your custom directory. For simplicity, lets only look at the <body>
element.
<body> <%= portal_image_tag('logo.png') %>
<p>Welcome to my captive portal!</p>
<!-- renders the content of the page being viewed (e.g., sign up, login, etc.) -->
<%= yield %>
</body>
With two more lines we now have a portal that is starting to look real. It is branded with your logo and has some text in it. The only line that needs further explanation is the line that contains portal_image_tag. That function creates an <img>
tag that will link to the image specified. In the above example the location just links to the portal currently being viewed and logo.png is the file we placed in the images folder inside our portal.
Assets
All aspects of the rXg captive portal web application may take advantage of assets that are loaded over HTTP. You may add an arbitrary number of static web assets (e.g., HTML pages, images, etc.) to a rXg captive portal. Static HTML assets should be placed within the base portal directory (CONTROLLER_NAME/
). Static image assets should be placed within the CONTROLLER_NAME/images/
directory.
Static HTML assets may be included from within embedded ruby files using the following syntax:
<%= portal_static_path 'YOURFILE.html' %>
Rendering a referenced static HTML asset takes longer than rendering directly from embedded ruby. However, externalized static HTML may make the captive portal more maintainable. For example, an operator may choose to place all portal presentation conditionals within.erb
files and all bare text within .html
files.
For example, if the operator wished to display different messages depending on whether the end-user is logged in, the following might be a part of a embedded ruby file:
<% if logged_in %>
<%= portal_static_path 'logged_in_message.html' %>
<% else %>
<%= portal_static_path 'not_logged_in_message.html' %>
<% end %>
Static image assets may be placed inside embedded ruby files using<%= portal_image_tag 'YOURFILE.jpg' %>
. Static HTML assets may also reference static image assets using the HTML <img />
tag. Operators may also use CSS to incorporate images by setting the background-image
property of any element.
For example, let us assume that the operator wishes to incorporate an image called example.jpg
. The first step is to copy the example.jpg
file into the CONTROLLER_NAME/images/
directory. To incorporate the image directly into an embedded ruby file, the following code would be placed into a layout or view:
<%= portal_image_tag 'example.jpg' %>
Alternatively, the operator may choose to incorporate the image via CSS. To accomplish this, the operator must include a named element into the embedded ruby (or a reference static HTML asset). For example, incorporate the following <div
into the embedded ruby:
<div id=someUniqueName />
Then edit the CONTROLLER_NAME/CONTROLLER_NAME.css.scss.erb
file and add the following:
div#someUniqueName {
width: 320px;
height: 240px;
background-image: url(<%= portal_asset_data_uri 'example.jpg' %>);
}
The result will be an image that appears where the <div>
tag is placed. Images that are referenced from the stylesheets are precompiled and integrated into the stylesheet resulting in a significant performance improvement. Use stylesheet images to when possible in order to maximize portal performance.
Files that the operator wants to make available for download should be placed into the static directory within the portal files. The files can then be accessed via https://fqdn.of.rxg/static/portal/custom/yourfile.ext. Note that fqnd.of.rxg should be changed to the domain name that resolves to your system, and "custom" is the controller name of the custom portal.
For example placing an image file named logo.png into the static directory of a custom portal allows anyone to access that file by going to https://fqdn.of.rxg/static/portal/access/logo.png (in this case the custom portal controller is access).
We can view our image by going to https://fqdn.of.rxg/static/portal/access/logo.png, results in the below image.
Menu
Ruby on Rails uses the link_to
keyword to generate HTML anchor tags with hyper link reference attributes. In a typical portal, a series of link_to
tags are used to create a navigation menu. The code below expands on the simple example used to describe the structure of the captive portal.
<body>
<%= portal_image_tag 'logo.png' %>
<p>Welcome to my captive portal!</p>
<div> <!-- BEGIN MENU -->
<%= link_to 'Home', { :action => :index }, { :class => 'menu' } %>
<% unless @logged_in %>
<%= link_to 'Login', { :action => :login }, { :class => 'menu' } %>
<%= link_to 'Sign Up', { :action => :account_new }, { :class => 'menu' } %>
<% else -%>
<%= link_to 'Logout', { :action => :login_session_destroy, :method => :delete }, { :class => 'menu' } %>
<% end -%>
<%= link_to 'Usage Plans', { :action => :usage_plan_list }, { :class => 'menu' } %>
<%= link_to 'Custom Example', { :action => :custom_example }, { :class => 'menu' } %>
</div> <!-- END MENU -->
<!-- renders the content of the page being viewed, such as sign up, or login -->
<%= yield %>
</body>
The code contained with the <div>
tags delimited by the BEGIN MENU
and END MENU
comments. Each link in the menu has been given a class named 'menu'. A style sheet must be defined the look and feel of the links. The default style sheet comes with a presentation that may be accessed by creating HTML unordered list items with the class menuparent
and is shown below. The presentation may be customized to almost anything imaginable by simply editing the CSS file.
There are several embedded Ruby elements incorporated into the menu example above. Starting from the top, the first Ruby element we see is link_to. The first argument to link_to is the name of the link as you want it displayed. The second argument is the action definition, this definition determines what page should be viewed after clicking the link. The last argument is the optional class argument that will specify the class of your link.
Embedded Ruby conditionals in the code change the HTML that is generated based on whether or not the end-user viewing the portal is logged in. Most end-users will first reach the portal while not logged in and first see the default menu example as shown above.
Once the end-user logs in, the menu will change. We only want to display the 'Login' and 'Sign Up' links if the user is not already logged in. The line <% unless @logged_in %>
executes the lines of code underneath it when @logged_in
variable is not set. The conditional ends with the <% end -%>
element. The HTML and embedded Ruby from the unless
all the way to the end
are subject to the conditional.
The @logged_in
variable is dynamically created based on the current state of the user looking at your captive portal.@logged_in
is only set when the end-user has provided valid credentials to the portal web application. Thus the link_to
embedded Ruby anchor HREF generators for Login and Sign Up links are ignored when the end-user is logged in. The embedded Ruby else
clause causes the Logout link to be displayed in their place.
<%= link_to 'Custom Example', { :action => :custom_example }, { :class => 'menu' } %>
Continuing with the example, the next element demonstrates how to add a custom view to the menu. The link specifies custom_example
as the target. Aside from all of the built-in views for things such as login and usage_plan_list, you can create your own custom view. One has been created for you called custom_example.
You may also want to display static content that is not framed by your portal layout. One example would be a page that is intended for printing that should not be contain the portal menu. You can do this by using normal HTML anchor tags with a little bit of Ruby helper to get the content.
<a href="<%= portal_static_path 'static.html' class="menu">Static Example</a>
This example shows that ruby can even be included in-line into an html tag. Our example says, lets get content from the current portal being viewed. Any content referenced in this manner will come from the 'static' folder. Keep in mind html without any ruby is perfectly acceptable.
To add drop-down sub-menus that appear when the mouse moves over the menu items, add a unordered list (HTML ul
tag) with list items (HTML li
tags) within the context of the menu item. The menu is defined in the PORTAL_CONTROLLER_NAME.erb
file.
For example, given the original menu item:
<li class="menuactive"> <%= link_to 'Home', { :action => :index }, { :class => 'menuactive' } %> <!-- INSERT HERE --> </li>
Add the following code:
<ul>
<li><%= link_to 'Custom Template', { :action => :custom_example }, { :class => 'menuactive' } %></li>
<!-- MORE MENU ITEMS HERE-->
</ul>
The result should look like the following:
<li class="menuactive"> <%= link_to 'Home', { :action => :index }, { :class => 'menuactive' } %>
<ul>
<li><%= link_to 'Custom Template', { :action => :custom_example }, { :class => 'menuactive' } %></li>
<!-- MORE MENU ITEMS HERE-->
</ul>
</li>
By integrating the code above with the layout example shown previously, you have a fully functional portal with menu. Now you can clean it up, add your own design, style, etc. All with just normal HTML, using the example Ruby from above where necessary.
Views
Full pages rendered in the web browser are called views in Ruby on Rails. Views are usually displayed as a result of the end-user clicking on a link that is generated via the link_to
function present in the menu generator. It is also possible to manually specify a URL to go directly to each full view. End-user web browser makes requests of the formhttps://rxg/portal/CONTROLLER_NAME/ACTION
. TheCONTROLLER_NAME
is typically the name of the custom portal and the ACTION
is one of the various web pages of the portal that present the functionality.
In our main page layout example we had the following line of code:<%= link_to 'Home', { :action => :index }, { :class =>
'menu' } %>
. Lets now look closer at the action portion. The { :action => :index }
portion says, I want to link to the full view called index. The corresponding file in your views folder is index.erb
. The index view also happens to be the view displayed if no view is specified. This could also be thought of as the splash view.
Another way to look at it is that the action name, such asindex
above, is determined from its filename. The portion before the .erb
in the filename is the name of the action. For example, if the end-user web browser requests the URLhttps://rxg/portal/CONTROLLER_NAME/session_info
, then the file session_info.erb
will be used to render the presentation.
There are three valid suffixes on the filename that coincides with an action: .tablet.erb
, .mobile.erb
and simply.erb
. This enables the administrator to create different presentations for different kinds of devices and/or browsers. By default, a desktop web browser that requests the URLhttps://rxg/portal/CONTROLLER_NAME/action
, will loadaction.erb
. Similarly, a web browser running on a mobile device (e.g., an iPhone, BlackBerry, etc.) will loadaction.mobile.erb
. If the administrator does not wish to differentiate between the desktop, tablet, or mobile views, a singleaction.erb
file may be created and that will always be used.
All of the views that ship with the default captive portal are functional as-is and require no modification. However if you would like to edit the verbiage or change the layout of a specific view, you can edit it as you see fit. The contents of a view file are HTML and embedded Ruby, similar to that of the layout file. Below is a simple example of a view.
<h2>Login</h2>
<%= portal_image_tag 'login.jpg' %>
<%= render :partial => 'login_form_account' %>
Notice that HTML elements (<h2>) are present side by side with embedded ruby elements (<% ruby code %>). Since the view will be rendered into the layout where the yield
command is, the view file does not contain the HTML that forms the foundation of the page (e.g.,<head>
, <body>
, etc.).
Minimizing redundant HTML and embedded Ruby code is an important part of custom captive portal implementation. Ruby on Rails supports the use of page partials that are reusable within many views. To create a partial, put whatever HTML and/or embedded Ruby code into a file with a name that begins with an underscore (_) character. You may then reference the file name (without the underscore) in any view using the embedded Ruby code
<%= render :partial => 'PARTIAL_FILE_NAME' %>
to have the partial rendered in place.
Custom Data Sets and Keys
The use of Custom Data Sets and Custom data Keys always revolves around doing portal customization. Logic can be added to the portal so that it can pull data from a Custom Data Key, that allows you to deploy the same portal code in many locations and "configure it" with Custom Data Sets and Keys. The below example will show how to use Custom Data Keys to display an address in the footer of a custom portal. This allows the address to be changed at each location by changing the Custom Data Key and not editing the portal directly. For most use cases Portal Modifications may be the better option, Custom Data Sets/Keys can also be combined with Portal Modifications.
For this example we do not need to use a Custom Data Set, we could just use a Custom Data Key by itself, we will configure it both ways. First without using a Custom Data Set. First navigate to System::Portals and create a new Custom Data Key.
Leave the Dataset field set to -select->. Give the record a name, the name will be refereced in the code so the name should reflect the purpose of the record. This will be named address since that is the information we are storing. It should be noted that while Custom Data Set names are unique it is possible to have mutlple Custom Data Key records with the same name. The address will be entered into the Text field. A value of each type can be stored in a single Custom Data Key if desired. Click Create.
To display this data in a portal we can edit the footer view in the portal or we can use a Portal Modification to override the footer view in the portal. For the purpose of this example we will create a Portal Modification. Create a new Portal Modification.
Give the Portal Modification a name, and select which portals the Portal Modification will apply to. In this case we will select both the Splash and Landing portals, if we selected only Splash then the address would only display in the Splash side of the portal and will not be present in the Landing portal after the user authenticates. In the Parital tab start to type footer and select footer from the dropdown menu. In the HTML b> field we can enter the code the will call the address, we can also use HTML here to center the data. To access the data stored in the Custom Data Key use <%= CustomDataKey.find_by(name: 'address').value_text %>. Click Create.
Now if we visit the portal we will see the address displayed in the footer. However it is all on one line.
This can be corrected by editing the Custom Data Key and adding <br> after each line, then updating the record.
Now when the portal is viewed, each line of the address will now be on its own line.
There may be a need to display a different address on another portal, we could create a Custom Data Key, but we would need to change the name of the key which means we cannot use the same code on each portal. However if we tie the Key into a Custom Data Set we can recall the Key from the Set. To configure this for this example create a new Custom Data Set.
Give the Custom Data Set record a name, this will be used in the code to reference the record. For this example we do not need to restrict the Set to specifc policy or group of policies so do not select any. Under Attributes check the address record in the Key field, and click Create.
Next we need to edit the Portal Modification we created earlier.
We need to change the line <%= CustomDataKey.find_by(name: 'address').value_text %> to <%= CustomDataSet.find_by(name: 'location1').get('address') %>. Update the record. When viewing the portal it will display the same information we are just pulling it from the Key via the Data Set instead of directly from the Key itself.
Portal Mods
Portal Mods allow the operator of the rXg to modify an existing portal, content can be modified by selecting the view and adding HTML content that will replace the view. Images can also be replaced as well. This allows the operator to easily change images and specify the login options for example.
Example Portal Mod
In this example Portal Mods will be used to change the greeting on the default portal, the login types and the logo on the splash and landing page. To change the default greeting (Good Morning, Good Aftgernoon, and Good Evening) create a new Portal Mod. The Name field is arbitrary. Select the Splash portal the change should be applied to. In the Partial Override select welcome_message from the drop down. In the HTML field the code for the welcome_message view is displayed, and can be edited.
If the goal is to change the message that is displayed in the afternoon the following code can be changed on lines 31 and 41 "greeting_afternoon = _('Good Afternoon')". If "Good Afternoon" is changed to "Hello, Good Afternoon", then in the afternoon the message displayed will change from "Good Afternoon" to "Hello, Good Afternoon".
This will result in the following change, the first image is the unmodified portal and the 2nd is with the modification.
It is also possible to replace the code entirely. Here is an example where the code has been erased and replaced with custom code to display a static greeting message.
This results in the following to be displayed regardless of time of day.
Using Portal Modifications the operator of the rXg can also change which login options are displayed overriding the default portal that displays login options based on the configuration. The operator may only want to display a click through option and PMS login for example. The below image shows the default portal with the login options displayed dynamically based on what is currently configured on the rXg.
To only display the free options an the PMS room/name login, create a new Portal Modification. The Name field is arbitrary, enter a name for the record, check the Splash portal(s) this modification will apply to. The Mod type field should be set to Partial Override , and the Partial Override field should be set to login_forms_conditional. To display the free option and PMS room/name option on the portal remove or comment out the section of code for the login option that is to be removed.
Now the portal will only display the login options we put in the Portal Modification.
In this last example we will change the logo displayed at the top of the portal page.
To change the logo, create a new Portal Modification , give it a name, select both the Splash and Landing portals the logo will be changed on. Change the Mod type field to Image Override , a URL can be entered load the image from a remote location, for this example we will use the Image field and click the Choose File button and select the file to be used. In the Image To Replace field enter "default_icon.svg". Click Create.
Now the logo displayed at the top is changed. Note: that if this is done on a cluster the configuration will be pushed to the portal on each node, there is no need to create a record for each node in the cluster.
Example: Using template to replace portal logo.
In this example, a template will be used to upload an image to replace the default logo. Below is the template that will be used, the variable data will be populated with the image after it is run through a Base64 Image Encoder, note for the sake of space the data variable has been truncated. For this example https://www.base64-image.de was used to convert the rgnets_logo.png to Base64.
<%
mod_name = 'Replace Logo'
image_to_replace = 'default_icon.svg'
filename = 'rgnets_logo.png'
data = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAawAAABXCAYAAABY6nHCAAAEsmlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGF"
%>
PortalMod:
- name: <%= mod_name %>
image_to_replace: <%= image_to replace %>
image:
data: <%= data %>
filename: <%= filename %>
Navigate to System::Backup and create a new Config Template.
Give the Config Template a name, and enter the code into the Config field. Check the Apply Template box, this will save the template and apply it at the same time. Click Create
Next navigate to Policies::Captive Portal , the template has created a Portal Modification that can be used to replace the default_icon.svg file.
Example: Using Actiontext With Portal Mods
In this example we will create a Portal Modification that will allow us to quickly and easily modify the information found in the footer of portals all from a single location. Operators can use this to change or modify all or a select group of portals all at once. There are two portals that will be modified in this example.
Navigate to Policies::Captive Portal. First we need to create a Portal Modification that will display the custom view we are going to create to display our footer information.
Give it a name and select which portals this Portal Mod will be applied to. In this example we want the information we are including in the footer to display on each page, so we will select both portals under the Custom field. If we only want the information to display on the splash portal then we would select both portals under the Splash field, and the same could be done for Landing as well. Since we are modifying the footer we need to specify that under the Partial field. When you start to type the name of the Partial it will give you a list to choose from, we want to select footer. For this first Portal Mod leave the Content mode set to HTML. Here we are creating a div that will display the view we will create in the next step, this also allows us to give it some formatting like centering the text. See screenshot below, click Create.
Next create a second Portal Modification , this one will contain the information we want to display in the footer. Give it a name and select which portals this content will be added to. For this example I am selecting both portals under the Custom field. In the Partial field we are going to enter in the name of the view we are calling in the previous step, in this example that was footer_content. Change the Content mode to Rich Text , we can now enter in the content for our footer. Images can be included as well by clicking the paperclip icon and selecting an image. Click Create.
Now if we visit the default portal which the Portal modifications haven't been applied to we get the following.
If we visit portalone or portaltwo we will see that the mods we created show up because these were the portals we selected.
We can take this a step further by editing the Portal Modification record that contains the phone number and image and change it so that it only applies to portalone, and we will create another record that applies to only portaltwo. Edit the record and unselect portaltwo.
Now create a new Portal Modification selecting only portaltwo, and change the content. We will move the logo above the other content for this one.
Now if we look at portalone, we get the following result.
And finally looking at portal two we get the following result.
Example: Change Background Image
In this example, we will use Portal Modifications to add a background image to the default portal. Because the default portal's background gradient is defined solely using CSS rules, we will need to add some CSS in order to set a background-image. We will create two portal modifications to accomplish this. The first will serve the purpose of storing the background image, which will be referenced by the second Portal Mod's CSS rules.
Give the portal mod a name, which should reflect the purpose of the modification (this name will be referenced by our second Portal Mod). For this example we will use "Default-bgimage". Since this Portal Mod won't be rendered directly, there is no need to select any portals in the Custom, Splash, or Landing fields so those fields should be left blank. Next, click on the Choose File button and select the image to be used for the background. Click Create. Note: recommended formats are .jpg for reduced size or .svg for better resizing.
Create a Second Portal Mod, which will modify the CSS Partial. Give the portal mod a name, again it should reflect its purpose. Select the Splash and Landing portal to which it will apply. Enter "CSS" in the partial field. Add the following code to the HTML(ERB) field:
<style>
body, body.bg-dark {
background-image: url(<%= rails_blob_url PortalMod.find_by(name: 'Default-bgimage').image %>) !important;
}
</style>
Click Create.
We should have two Portal Modifications now, and when we view the default portal it will have our new background image.
Social Login (OAuth)
The portal supports logging in users against several Oauth providers:
- SAML
When a user logs in with one of these platforms, a local account will be created and the user will be logged in with that account. At that point, the user can proceed to purchase a usage plan from the plans associated with the strategy and the current captive/landing portal. If there is only one plan and it is free, it will be applied for the user automatically. If there are no usage plans associated with the strategy, the usage plans are controlled by the normal captive/landing portal logic. The user may continue to log in via the social provider on return visits, and they will be logged into their existing account.
The information returned from the provider's API will also be stored into a Social Profile record associated with the account, which may be viewed by clicking on the 'Social Logins' submenu item on the 'Archives::Portal Logs' page.
Requirements
Utilizing an Oauth login flow requires first creating an application with the desired provider, and Oauth login must be enabled in the application. The steps required to do this vary by provider, and are subject to change in the future, but a general outline is below.
A WAN Target should be associated with the Captive Portal where you intend to use the strategy which allows the user to access the provider's site for the login process. Twitter, Facebook, and Google WAN Targets are created automatically and should be selected when utilizing these providers.
If you have not done so, you will need to upgrade your personal Facebook account to a developer account.You may do this, as well as register the app for your business at the following link:
- https://developers.facebook.com/docs/apps/register When prompted for choose a platform, select "Website (WWW)".You will need to specify a category for your application before you make make the app live.
Once you have created the app, go to your Facebook developers dashboard, and add the 'Facebook Login' product to your app. In the 'Client OAuth Settings' dialog, ensure that the 'Web OAuth Login' option is set to YES.
After making any other desired changes to the application (image, etc), copy your App ID and App Secret from the Basic Settings page, as they will be used in the configuration on the rXg.
IMPORTANT: In order for Facebook to allow OAuth requests from this rXg, the redirect URIs must be whitelisted in your app's Facebook Login settings. Complete the section below titled Configuration , then click the show link in the Social Login Strategies scaffold next to Facebook strategy you created. Obtain the list of OAuth Redirect URIs which must be entered within the Facebook developer console's Facebook Login settings section. If this step is not completed, users will experience an error when Facebook login is initiated.
Based on the current configuration of this rXg, the following URIs may need to be added to the application:
Before your app can be used by the public, you must make it 'live' by going to the App Review page and taking the app out of development by setting the toggle to 'YES'. By default, the rXg does not ask for any user permissions that require Facebook to review the application before going live.
Visit the Twitter Apps page to create your app:
- https://apps.twitter.com/ Click 'Create New App' and fill out the resulting form.
Give the app a name and description. The website and Callback URL fields must also be filled out. The website can be your business' main website, or the address of the rXg. The Callback URL will be provided by the rXg during authentication, but we must enter any URL here in order for OAuth to be enabled for the app.
Once you've created your application and customized it as desired, go to the 'Keys and Access Tokens' to obtain your API Key and API Secret which will be utilized in the configuration of the rXg.
IMPORTANT: In order for Twitter to allow OAuth requests from this rXg, the redirect URIs must be whitelisted in your app's redirect URI list. Complete the section below titled Configuration , then click the show link in the Social Login Strategies scaffold next to the Twitter strategy you created. Obtain the list of OAuth Redirect URIs which must be entered into the application's Callback URLs field of the application's settings tab. If this step is not completed, users will experience an error when Twitter login is initiated.
Based on the current configuration of this Rxg, the following URIs may need to be added to the application:
- Go to https://console.developers.google.com
- under the 'Select a project' dropdown, select or create a new app.
- Click 'Library' on the left.
- Enable the "Contacts API" and "Google+ API" (optional -- this is not required to provide credential verification functionality).
- Go to 'Credentials' on the left, then select the 'OAuth consent screen' tab on top, and provide an 'EMAIL ADDRESS' and a 'PRODUCT NAME'
- Wait 10 minutes for changes to take effect.
- Click 'Create Credentials' and choose 'OAuth Client ID'
- Choose 'Web Application' and give it a name
- IMPORTANT: Google requires that the complete Redirect URI be entered, rather than just the hostname. Based on the current configuration of this rXg, the following URIs should be added to the application:
- Enter the client ID and client Secret into the social login configuration
Visit the Instagram Developer page to create your app:
- http://instagram.com/developer/ Click 'Register Your Application' and fill out the resulting form to register as a developer if you are not already. Register a new Client ID and fill out name, description, and other mandatory fields.
Once you've created your application and customized it as desired, click 'Manage' to obtain your Client ID and Client Secret which will be utilized in the configuration of the rXg.
IMPORTANT: In order for Instagram to allow OAuth requests from this rXg, the redirect URIs must be whitelisted in your app's redirect URI list. Complete the section below titled Configuration , then click the show link in the Social Login Strategies scaffold next to the Instagram strategy you created. Obtain the list of OAuth Redirect URIs which must be entered into the application's Valid redirect URIs field of the application's security settings. To access these settings, click the Manage Clients button at the top of the Instagram Developers console, and click the Manage button next to the client you registered in the previous step, then click the Security tab. If this step is not completed, users will experience an error when Instagram login is initiated.
Based on the current configuration of this rXg, the following URIs may need to be added to the application:
Visit the LinkedIn Apps page to create your app:
- https://www.linkedin.com/secure/developer Click 'Create Application' button and fill out the resulting form.
Once you've created your application, go to the Authentication portion of the Application's settings to obtain your Client ID and Client Secret which will be utilized in the configuration of the rXg. You may also choose to include the r_emailaddress default application permission to allow for retrieval of the user's Email address after authentication.
IMPORTANT: In order for LinkedIn to allow OAuth requests from this rXg, the redirect URIs must be whitelisted in your app's redirect URI list. Complete the section below titled Configuration , then click the show link in the Social Login Strategies scaffold next to Facebook strategy you created. Obtain the list of OAuth Redirect URIs which must be added to the application's OAuth 2.0 Authorized Redirect URLs within the settings section. If this step is not completed, users will experience an error when LinkedIn login is initiated.
Based on the current configuration of this Rxg, the following URIs may need to be added to the application:
SAML
Configuration begins by creating a Social Login Strategy on the rXg. This can be accomplished on the System::Portals view.
Next, enter the Identity Provider's metadata URL into the IdP Metadata URL field. The rXg will retrieve the metadata from the Identity Provider and attempt to locate the Single Sign-On URL and Fingerprint. If the remote metadata cannot be retrieved or parsed, the values may be entered manually.
After the record has been saved, click the show link. Depending on the configured usage plans, captive portals, and cluster nodes, one or more metadata URLs will be listed. These can be provided to the Identity Provider out of band to be established as a Service Provider for login trust.
Visit the following URL for an introduction to the concepts of SAML oauth login:
Omniauth Strategies
The Social Login Strategies scaffold enables creation, modification, and deletion of login strategies for supported Omniauth providers.
The name field identifies this login strategy in the system.
The provider name field determines which Oauth provider this strategy relates to. Select a supported provider from the list.
The app ID field defines the ID of the application that has been created with the provider chosen in the provider name field. For Facebook, this is the App ID , but for Twitter this is the API Key. This value should be obtained from the developer console of the associated provider.
The app secret field defines the app's secret value which authenticates the app. This value should be obtained from the developer console of the associated provider.
The captive portals selections define for which captive portals this strategy is enabled. This strategy will not be available unless it is associated with at least one captive portal.
The usage plans selections determine which usage plans are available for users who log in using this strategy. The plans selected here must also be associated with the end user's effective portal; however, users who have not logged in via this strategy won't be able to see these plans in the usage plan list. If there are no usage plans associated with this strategy, an account will be created for the user, who will then be redirected to the usage plan list view. If there is only one associated usage plan, and it is free, the plan will automatically be applied to the account.
The SAML section contains configuration options which pertain only to SAML login strategies. When utilizing a SAML strategy, the App ID and App Key are not necessary.
A SAML configuration requires at a minimum, an Identity Provider (IdP) SSO URL, and optionally, a IdP Cert Fingerprint to enable validation of the IdP's certificate. Both the SSO URL and Fingerprint may be determined automatically by providing a IdP metadata URL.
The Service Provider (SP) Entity ID is a unique identifier for the service provider, which will be entered into the IdP when adding the SP.
After creating the login strategy , the webserver will restart. Clicking the show link will provide the metadata URL that can be provided out-of-band to the Identity Provider in order to establish a login trust.
Users who log in with an Omniauth strategy only have access to usage plans that are associated with their strategy AND the current captive portal. Users who log in with a non-social account do not have access to the usage plans associated with the portal's Omniauth strategies.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
A WAN target should be associated with the captive portal where the operator intends to use the strategy which allows the user to access the provider's site for the login process. Twitter, Facebook, and Google WAN targets are created automatically and should be selected when utilizing these providers.
Customized Login Flow
If you wish to customize the actions taken when a user successfully logs in with a defined strategy, you may override the <provider>_success and <provider>_failure actions of the portal controller (ie, facebook_success or twitter_failure).
SMS Integration
The rXg offers the ability to require validated contact information for a user prior to registering for service. A user who wishes to subscribe to a usage plan that requires Acccount validation must retrieve a validation code, either by SMS message, or by Email, depending on the configuration of the usage plan.
The rXg also supports password resets after validating that the user has access to the account's mobile number or email address, depending on the configuration of the active Splash Portal.
In order to send SMS messages, the operator must first register for service with a supported provider and configure a record in the SMS Gateways scaffold with a valid phone number or shortcode, and the API credentials required to access the API of the slected provider.
Twilio Configuration
To begin, visit Twilio to register for a trial account. After creating an account, you will be prompted to create a new project. Under the Products heading, select the Programmable SMS option and click continue. Give your project a name.
A trial account may only send messages to its own phone number. Click the Upgradelink in the upper right hand corner of the page. Verify your phone number and provide payment details to fund your account. SMS messaging requires a Twilio phone number, which has a cost of $1 per month, and pricing per message varies by location. See the Twilio Pricing page for more details.
From your Twilio dashboard, click the Programmable SMS icon in the left hand menu, and follow the prompt to get started. Request a Twilio phone number by clicking Get a Number. Record the assigned number to enter into the SMS Gateway record in the rXg. You may manage your Twilio Phone Numbersto add or change phone numbers at a later date.
Visit the Settingspage of your dashboard and obtain the Account SID and Auth Token values (click the Auth Token to view the unobscured value), which act as the API credentials in order to send SMS messages via Twilio's REST API. Be sure to obtain the LIVE API credentials, not the TEST credentials.
Once you have your phone number, Account SID and Auth Token, proceed with configuring the SMS Gateway record in the System::Portals view of the rXg admin console.
SMS Gateways
The SMS Gateways scaffold enables the creation of an SMS Gateway service which will be utilized for verifying a user's mobile number for the purpose of new account signups and/or password resets.
The name field identifies this SMS Gateway in the system.
The provider field specifies which provider this SMS Gateway relates to. Select a supported provider from the list.
The from field specifies the phone number, shortcode, or Alphanumeric Sender ID (not supported in all countries) to be used when sending SMS messages through this gateway. This value must correspond to a number purchased from or ported to the provider.
The Account SID and Auth Token fields specify the API credentials used to access the provider's REST API, and may be obtained from your dashboard within the provider's website.
The Usage Plans selections determine which usage plans are configured to utilize this SMS Gateway. The usage plan must also specify a validation method which includes SMS in order for messages to be sent via SMS.
The Splash Portals selections determine which splash portals are configured to utilize this SMS Gateway for the purposes of performing password resets. Accounts with a valid mobile phone number may request a password reset token via SMS or Email, depending on the password reset method specified in the splash portal.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
Free SMS alternative
As an alternative to SMS integration via a paid third-party SMS Gateway, the rXg also supports a simplified SMS account signup flow which attempts to deliver SMS messages by sending an Email to an Email-to-SMS gateway provided by the end user's cellular carrier. This method does not integrate with Usage Plans, and requires that the user select their cellular carrier from a dropdown list, and not all carriers are supported. Delivery is on a best-effort basis.
To enable the simplified SMS signup flow, simply create an Account Group with the name 'SMS', and an additional login option will be presented in the captive portal, which, upon completion, will place the user into the SMS Account Group with unlimited usage.
Internationalization
All aspects of the rXg captive portal web application are internationalized and capable of supporting localized presentations. This enables operators to deploy captive portals that vary in presentation based on browser language preference and/or manually selected language overrides.
Localization Selection
The rXg captive portal web application internationalization supports selection of localization in two different ways:
- Automatic determination of preferred localization through browser preference supplied via HTTP header
- Manual selection of desired localization via CGI parameter
Most operators will choose to use both localization selectors in parallel. The automatic selector is used to determine the initial localization preference and display a portal. The assumption is that the end-user will have selected a language preference in their browser or OS that is reasonable and meaningful. However, in some cases the OS and/or browser setting may be incorrect or insufficient to select an appropriate localization for display. Therefore most localized portals will also have links incorporated into the views them that enable manual localization override.
The key of the CGI parameter used to override the localization preference read from the browser is locale
. The value of the locale
key is the desired language abbreviation (e.g., en
, fr
, etc.). An example of a link to override the automatically selected localization is:
<a href="/portal/default/?locale=en">English</a>
Localization Implementation
The rXg captive portal web application internationalization features support implementation of localization in three different ways:
- String Translation with Gettext
- Localization conditionals within a view
- Selection of localized views Operators may choose to use any of the three available mechanisms individually or in any combination that is desired. ## String Translation with Gettext
The globalization support features of the rXg captive portal web application implement translation using the gettext application. Gettext allows the externalization of translation text while still maintaining the readability of the underlying views and partials. The source language is used in the views within the _()
helper function, and external files map these strings to their translated counterparts.
For example, consider the following simple (untranslated) view (logout_success.erb
):
<h2> Logout Successful </h2>
<p> You have successfully logged out. </p>
<p> Please come and visit us again. </p>
Implementing the string translation mechanism results in the following code for the view:
<h2> <%= _('Logout Successful') %> </h2>
<p> <%= _('You have successfully logged out.') %> </p>
<p> <%= _('Please come and visit us again.') %> </p>
The view code calls the _()
function to look up a localized string in the appropriate place in the view. The set of available strings are stored in resource files in the locale/gettext
directory of a custom portal.
An example of the source language (English) Gettext resource file (en.po
) that corresponds to the string view shown above is shown below:
msgid "Logout Successful"
msgstr ""
msgid "You have successfully logged out."
msgstr ""
msgid "Please come and visit us again."
msgstr ""
An example of a French Gettext resource file (fr.po
) that would work with the same view we have been considering is shown below:
msgid "Logout Successful"
msgstr "Dconnexion russie"
msgid "You have successfully logged out."
msgstr "Vous vous tes dconnect avec succs."
msgid "Please come and visit us again."
msgstr "S'il vous plat revenez nous rendre visite."
The default.pot
template file may be copied into the portals gettext directory as_languagecode_.po (where languagecode represents the two-letter locale code for the language, e.g. fr
or es
) and edited/translated directly, or it may be provided to a third-party translation service, with the resulting .po files stored in the gettext directory of the custom portal.
For example, a new French locale translation file for the myportal Custom Portal can be started by running
mkdir -p /space/portals/myportal/gettext
cp /space/rxg/console/config/locales/gettext/default.pot /space/portals/myportal/gettext/fr.po
and then editing the fr.po file with the appropriate translations for the listed strings.
This enables the captive portal web application to use the appropriate strings for a given language preference. The strings in the source files are used when the captive portal web application renders the the view for a request from a web browser with an English language preference. The strings in the portal_directory/gettext/fr.po
file are used when a request is fulfilled from a browser with a French language preference.
Inline Conditionals
Conditionals may be placed inline in a layout or a view to modify content based on language preference. For example, if a captive portal is localized for English and Spanish languages, then it would be appropriate to have an English override link when Spanish is being displayed and vice versa. The following code fragment exemplifies how this might be accomplished:
<% if I18n.locale == :en %>
<li class="menuparent"> <%= link_to 'Espaol',
{ :action => :index, :locale => :es },
{ :class => 'menuactive' } %></li>
<% else %>
<li class="menuparent"> <%= link_to 'English',
{ :action => :index, :locale => :en },
{ :class => 'menuactive' } %></li>
<% end %>
It is possible to use inline conditionals instead of string externalization to change the text being displayed. However the result is view code that is difficult to read. Thus, inline conditionals should be reserved for situations where small structural changes to the view are desired.
View Selection
The rXg captive portal web application supports view selection based on language preference. The operator may choose to have bothlogout_success.en.erb
and logout_success.fr.erb
files instead of a single logout_success.erb
view file. Thus entirely different views may be presented to the end-user based on browser language preference.
Environment
One feature that you may want to use in your portal frame is the flash notice. The flash notice is available for you to use after certain events happen. For example after a user logs in, a message that states, 'login successful' is available for you to display in your portal. You can render this flash message anywhere in your portal layout with the following additional code:
<%= render :partial => 'flash', :object => flash %>
The flash notice is one of many aspects of the portal environment. Variables are another aspect of the portal environment that we wish to consider. We briefly touched on this subject above when looking at the @logged_in variable. There are many variables available for you to use, and are used in the many pre-defined views. You can see the available variables by turning on debugging. First you will need to add the following code into your main portal layout:
<% if params.has_key? :debug %>
<br />
<%= debug_inline.html_safe %>
<% end %>
Once you have that code in your main layout, you can enable the debugging by adding ?debug=true
to the end of the URL you are using to view the portal. You can use these variables to dynamically generate content that suits your needs.
The debug variables may also be brought up by clicking on the_Show Debug Popup_ button that is displayed at the top of every page when the web server is in development mode.
The following variables are relevant for most portal conditionals:
@current_login_identifierThe login of the end-user. This is usable for both local and remote authentication.@current_accountThe current local user object for a logged in end-user (if local authentication is being used).@client_ipThe IP address of the device that is hitting the portal.@client_macThe MAC address of the device that is hitting the portal.@effective_portal The end-user's configured splash portal or landing portal depending upon login state. Landing_portal is usually defined only if logged_in?
is true. An exception is when an end-user has an existing LoginSession stored but has to re-authenticate because her session is empty (cleared cookies/new browser).@groupThe effective group of the end-user. If the end-user is a member of multiple groups, only the final disambiguated group (based on group priority) is reported.@policyThe policy that is linked to the effective group of the end-user. @logged_intrue
if the end-user has supplied valid credentials to the portal.@portal_nameThe controller name of the portal being displayed.@portal_controllerThe controller name of the portal being displayed.@usage_plansThe list of usage plans that this end-user may select from.
Example Customization
One very simple and common portal customization is to change the display of the usage plans. A quick search of the captive portal directory structure reveals the following:
$ ls | grep usage
_current_usage_plan.erb
_online_usage.erb
_usage_plan.erb
_usage_plan_purchase_link.erb
usage_plan_charge.erb
usage_plan_list.erb
usage_plan_purchase.erb
The display of an individual usage plan are rendered by the partial _usage_plan.erb
and the display of the set of all available usage plans is rendered by the viewusage_plan_list.erb
.
The contents of the default usage_plan_list.erb
should resemble the following:
<h2>Usage Plan List</h2>
<%= render :partial => 'prorated_credit' %>
<table>
<% @usage_plans.each do |usage_plan| %>
<tr>
<td>
<%= render :partial => 'usage_plan',
:object => usage_plan %>
</td>
<td>
<%= render :partial => 'usage_plan_purchase_link',
:locals => { :usage_plan => usage_plan } %>
</td>
</tr>
<tr><td> <br/> </td></tr>
<% end %>
</table>
One simple way to change the order of the list of usage plans is to modify the looping structure. The default structure
@usage_plans.each do |usage_plan|
generates a list that may appear to be randomly ordered. To generate a list of the usage plans sorted by price, the looping structure should be changed to:
@usage_plans.sort_by(&:price_cents).each do |usage_plan|
To generate a list of the usage plans sorted by name, the looping structure should be changed to:
@usage_plans.sort_by(&:name).each do |usage_plan|
A custom sort order may be easily achieved by using the note field present in each usage plan record. Place a number (prefixed with a zero for multiple digits) inside the note field. Then change the looping structure to:
@usage_plans.sort_by(&:note).each do |usage_plan|
Another common portal customization is to change the layout of the usage plan list. For example, instead of a simple list, the operator may desire to have a multicolumn column list. One simple way to achieve this is add a variable to keep track of which column the usage plan should appear in. For example:
<h2>Usage Plan List</h2>
<%= render :partial => 'prorated_credit' %>
<table>
<% @u_p_cnt = 0 %>
<% @u_p_columns = 3 %>
<% @usage_plans.each do |usage_plan| %>
<% if @u_p_cnt % @u_p_columns == 0 %>
<tr><td>
<% else %>
<td>
<% end %>
<%= render :partial => 'usage_plan',
:object => usage_plan %>
<br/>
<%= render :partial => 'usage_plan_purchase_link',
:locals => { :usage_plan => usage_plan } %>
<% if @u_p_cnt % @u_p_columns == 0 %>
</td></tr>
<% else %>
</td>
<% end %>
<% @u_p_cnt = @u_p_cnt + 1 %>
<% end %>
</table>
The code above will generate a three column list of usage plans. The @up_cnt
variable starts at zero and is incremented every time a usage plan is rendered. Every third usage plan (as determined by the modulo operation), a new table row is created. To change the number of rows, one would only need to change the value of the @u_p_columns
variable.
RESTful API
The rXg exposes a RESTful API to support third-party integration. Access to the rXg via the RESTful API is controlled by the API key mechanism. Use theAdmins page to setup API key access. It is good security practice to ensure that separate accounts (and hence, unique API keys ) are used for each mechanism that will access the rXg via the RESTful API. Furthermore, each account and associated API key should be limited to the absolute minimum access rights needed to accomplish the desired tasks.
The base URL for RESTful API key access follows the form:
https://DNS.record.for.rXg/admin/scaffolds/
The use of HTTPS is required. Thus it is necessary to ensure that a proper DNS record and SSL certificate is configured on the target rXg. Furthermore, it is important that the caller be able to correctly validate the installed SSL certificate.
The desired model must be appended to the base URL. The model describes the underlying database table that will be accessed. For example:
https://DNS.record.for.rXg/admin/scaffolds/accounts/
The models that are available for access via the RESTful API are described in the rXg API documentation.
The desired action must also be appended to the URL. For example:
https://DNS.record.for.rXg/admin/scaffolds/accounts/create/
The set of possible actions are create, show (or list), update and destroy. These correspond to the standard database CRUD semantics. The appropriate HTTP verb must be used in conjunction with the selected action.
| create | HTTP POST | | show | HTTP GET | | list | HTTP GET | | update | HTTP PUT | | destroy | HTTP DELETE |
There is an optional format parameter that may be appended to the URL. For example:
https://DNS.record.for.rXg/admin/scaffolds/accounts/index.html/
https://DNS.record.for.rXg/admin/scaffolds/accounts/index.xml/
https://DNS.record.for.rXg/admin/scaffolds/accounts/index.json/
Specifying the optional parameter changes the format for both the input and output presentation. For example, sending a HTTP GET to:
https://DNS.record.for.rXg/admin/scaffolds/accounts/index/3.html
Results in the following output:
`
- Login
- cpatterson746
- First name
- Colin
- Last name
- Patterson
- [email protected] [unknown]
...
`
Use the XML format specification by sending sending a HTTP GET to:
https://DNS.record.for.rXg/admin/scaffolds/accounts/index/3.xml
Results in the following output:
<account>
<bill-at type="datetime" nil="true"/>
<created-at type="datetime">2012-05-10T11:41:40-04:00</created-at>
<email>[email protected]</email>
<first-name>Colin</first-name>
<id type="integer">3</id>
<last-name>Patterson</last-name>
<logged-in-at type="datetime">2012-05-08T01:24:51-04:00</logged-in-at>
<login>cpatterson746</login>
...
For JSON, send a HTTP GET such as:
https://DNS.record.for.rXg/admin/scaffolds/accounts/index/3.json
Results in the following output:
{"created_at":"2012-05-10T11:41:40-04:00",
"email":"[email protected]","first_name":"Colin","id":3,
"last_name":"Patterson","logged_in_at":"2012-05-08T01:24:51-04:00",
"login":"cpatterson746",
...
}
It is also necessary to set the Content-Type HTTP header to the appropriate value (e.g., application/xml for XML) when using the optional format parameters.
Create
Creating a record is simply a matter of sending an HTTP POST to the appropriate URL. Consider the simple example of creating a WAN Target. To accomplish this an HTTP POST request would be sent to a URL of the form:
https://rxg.dns/admin/scaffolds/wan_targets/create.xml?api_key=8f8eab...868c
with a header containing:
Content-Type: application/xml
and a payload of the form:
<?xml version="1.0"?>
<record>
<name>Desired New Name</name>
<targets>1.2.3.4</targets>
</record>
This entire process may be accomplished by using the cURLcommand line utility. Below is an example command line that demonstrates the use of cURL to execute a create through the RESTful API.
curl -i -X POST -H 'Content-Type: application/xml'
-d '<?xml version="1.0"?><record><name>Desired New Name</name>
<targets>1.2.3.4</targets></record>'
https://rxg.dns/admin/scaffolds/wan_targets/create.xml?api_key=486...a5a
The RESTful API endpoint will respond with a HTTP/1.1 201 Created
that has a Location
header containing the URL to retrieve the record upon successful creation. The content of the response is a copy of the created record.
```
HTTP/1.1 201 Created
Location: https://rxg.dns/admin/scaffolds/wan_targets/show/5.xml?api_key=486...876a
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge
ETag: "40c13943442b4dd5646d264fdb738909"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _rxg_console_session=BAh7Ck...ea6e5; path=/; HttpOnly
X-Request-Id: 43eda966fa00bd1347f48583f37e5392
X-Runtime: 0.439131
Content-Length: 155
Connection: keep-alive
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
If an error occurs and the record is not created the response will be an HTTP error status (usually `HTTP/1.1 422`) and the content will contain the error messages. For example, if the same request is run twice, then the response would take the form:
HTTP/1.1 422
Content-Type: application/xml; charset=utf-8
Cache-Control: no-cache
Date: Mon, 28 May 2012 17:35:23 GMT
X-UA-Compatible: IE=Edge,chrome=1
Set-Cookie: _rxg_console_session=BAh7C...098b1; path=/; HttpOnly
X-Request-Id: 63bb95530945b6be578eaf4485d7a337
X-Runtime: 1.800010
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
Hitting the appropriate URL without sending the required input will result in a dump of error messages that describe the requirements. For example, using cURL to send the following request:
curl -i -X POST -H 'Content-Type: application/xml'
-d '<?xml version="1.0"?><record><login>restfulapitest</login></record>'
https://rxg.dns/admin/scaffolds/accounts/create.xml?api_key=WR5..KLw
Results in the the following response.
```
HTTP/1.1 422
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
Set-Cookie: _rxg_console_session=BAh...8b1; path=/; HttpOnly
X-Request-Id: 63bb95530945b6be578eaf4485d7a337
X-Runtime: 1.800010
Date: Mon, 28 May 2012 14:32:18 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
The reported errors may be used to construct a correct request to send to the RESTful API endpoint such as the following example:
curl -i -X POST -H 'Content-Type: application/xml' \
-d '<?xml version="1.0"?>
Which results in a response of:
HTTP/1.1 201 Created
Location: https://rxg.dns/admin/scaffolds/accounts/show/36.xml?api_key=WR5...KLw
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
ETag: "e71...4c7"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _rxg_console_session=BAh...dc6; path=/; HttpOnly
X-Request-Id: 111b836e66f0883a4900d37a8c0ff42e
X-Runtime: 0.040524
Date: Mon, 28 May 2012 18:55:57 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
**Accounts** must be assigned policy in order for enforcement to take effect. **Policies** are associated to **Accounts** through **Account Groups**. Associating **Accounts** with **Account Groups** is usually accomplished by setting either the `do_apply_usage_plan`or the `do_bill_and_apply_usage_plan` virtual attribute. For example:
curl -i -X POST -H 'Content-Type: application/xml'
-d '<?xml version="1.0"?>
Notice that the usage time, usage expiration and upload/download usages are not specified because they are defined by the plan. Also notice that the `usage-plan` attribute is used to specify the desired **Usage Plan** by ID. The **Usage Plan** ID may be acquired by using the `list` action for the `usage-plans`scaffold. Note that the value of `do_apply_usage_plan` or the `do_bill_and_apply_usage_plan` virtual attributes should always be `1`. If you set the value of the`do_apply_usage_plan` or the `do_bill_and_apply_usage_plan`to anything other than `1` then the system will not execute the command at all. The following is an example of the response to a successful **Account** record creation with **Usage Plan** specification and application as shown above.
HTTP/1.1 201 Created
Location: https://rxg.dns/admin/scaffolds/accounts/show/24.xml?api_key=LjU...kkQ
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
ETag: "4dcf...2322"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _rxg_console_session=BAh...03f; path=/; HttpOnly
X-Request-Id: 5c4...841
X-Runtime: 0.039446
Date: Fri, 22 Jun 2012 21:49:40 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
Show
Retrieving a single record is simply a matter of hitting the appropriate URL with a HTTP GET. Record retrieval via show requires knowledge of the record ID. It is more appropriate to use the list action is when searching is required. For example, hitting a URL of the form:
https://rxg.dns/admin/scaffolds/accounts/show/3.json?api_key=P7Z...idA
Results in the rXg retrieving the account with record ID 3 and sending a response of the form:
{"address1":null,"address2":null,"automatic_login":null,"bill_at":null,
"city":null,"company":null,"country":null,"created_at":"2012-05-10T11:41:40-04:00",
"created_by":null,"email":"[email protected]","first_name":"Colin","id":3,
"last_name":"Patterson","lock_devices":null,"logged_in_at":"2012-05-08T01:24:51-04:00",
"login":"cpatterson746","note":"Automatically generated by script run by root\n",
"phone":"4997197472","region":null,"state":"active",
"updated_at":"2012-05-10T11:41:40-04:00","updated_by":null,
"usage_expiration":null,"usage_minutes":28180,"zip":null}
Similarly hitting a URL of the form:
https://rxg.dns/admin/scaffolds/accounts/show/3.xml?api_key=P7Z...idA
Results in a response of the form:
<account>
<address1 nil="true"/>
<address2 nil="true"/>
<automatic-login type="boolean" nil="true"/>
<bill-at type="datetime" nil="true"/>
<charge-attempted-at type="datetime" nil="true"/>
<city nil="true"/>
<company nil="true"/>
<country nil="true"/>
<created-at type="datetime">2012-05-10T11:41:40-04:00</created-at>
<created-by nil="true"/>
<crypted-password>V3QlqyDanC4/mfbe+tIN3Zpfzbs=</crypted-password>
<email>[email protected]</email>
<first-name>Colin</first-name>
<id type="integer">3</id>
<last-name>Patterson</last-name>
<lock-mac type="boolean" nil="true"/>
<lock-version type="integer">0</lock-version>
<logged-in-at type="datetime">2012-05-08T01:24:51-04:00</logged-in-at>
<login>cpatterson746</login>
<mb-down type="integer">3747</mb-down>
<mb-up type="integer">730</mb-up>
<no-usage-expiration type="boolean">true</no-usage-expiration>
<note>Automatically generated by script run by root</note>
<phone>4997197472</phone>
<pkts-down type="integer">251049192</pkts-down>
<pkts-up type="integer">70080583</pkts-up>
<region nil="true"/>
<relative-usage-lifetime type="integer" nil="true"/>
<salt>964fbe3ceea48ac7a1960bc99bed912f0cafae53</salt>
<state>active</state>
<unlimited-usage-mb-down type="boolean">false</unlimited-usage-mb-down>
<unlimited-usage-mb-up type="boolean">false</unlimited-usage-mb-up>
<unlimited-usage-minutes type="boolean">false</unlimited-usage-minutes>
<updated-at type="datetime">2012-05-10T11:41:40-04:00</updated-at>
<updated-by nil="true"/>
<usage-expiration type="datetime" nil="true"/>
<usage-mb-down type="integer">1372</usage-mb-down>
<usage-mb-up type="integer">293</usage-mb-up>
<usage-minutes type="integer">28180</usage-minutes>
<usage-plan-id type="integer">1</usage-plan-id>
<zip nil="true"/>
</account>
List
Retrieving a set of records through the RESTful API is simply a matter of sending an HTTP GET to the appropriate URL. Let us consider the example of retrieving the ping targets instrument for the purpose of integrating edge device monitoring with a central NMS. Using cURL to execute the following command:
curl https://rxg.dns/admin/scaffolds/ping_targets/index.json?api_key=P7Z...idA
The rXg responds with a JSON formatted dump of the current state of the ping targets.
[{"name":"Google Public DNS 1","online":true,
"target":"8.8.8.8","updated_at":"2012-06-13T17:11:04-04:00"},
{"name":"Google Public DNS 2","online":true,
"target":"8.8.4.4","updated_at":"2012-04-23T12:10:11-04:00"},
{"name":"IDF Switch 2","online":true,
"target":"192.168.117.20","updated_at":"2012-06-13T18:10:09-04:00"},
{"name":"VM NAT Net Router","online":false,
"target":"192.168.117.254","updated_at":"2012-06-13T18:09:53-04:00"},
{"name":"Zone Director","online":false,
"target":"172.30.80.10","updated_at":"2012-06-13T18:10:48-04:00"}]
The suffix may be changed to retrieve the same information in XML format.
```
<?xml version="1.0" encoding="UTF-8"?>
...
Filtering of the list is accomplished by passing CGI parameters to the RESTful API endpoint that match the fields of the model being retrieved. For example:
curl https://rxg.dns/admin/scaffolds/ping_targets/index.json?api_key=P7Z...idA&name=Zone+Director'
Results in the filtered response:
[{"name":"Zone Director","online":false,
"target":"172.30.80.10","updated_at":"2012-06-13T18:10:48-04:00"}]
The same example formatted in XML:
curl https://rxg.dns/admin/scaffolds/ping_targets/index.xml?api_key=P7Z...idA&name=Zone+Director'
Results in the filtered response:
<?xml version="1.0" encoding="UTF-8"?>
Filtering a retrieved list is commonly used to acquire the ID that needs to be passed during the create or update of a record. For example, if a **account** needs to be placed into a specific **account group** , the ID of the **account group** must be passed into the update request. It is highly recommended that external systems rely on names rather than IDs because the ID of records are automatically generated by the rXg and are not reliably replicated across a fleet. Therefore, most external systems must look up the ID of related objects before executing a create or update. Consider the following example Perl script:
use LWP::Simple;
use XML::Simple;
my $api_key = 'P7Z...idA'; my $groupname = 'Premium'; my $rxg = 'rxg.dns'; my $ctrl_action = 'admin/scaffolds/account_groups/index.xml';
$xml_raw = get("https://$rxg/$ctrl_action?api_key=$api_key;name=$groupname"); my $doc = XMLin($xml_raw); my $id_of_group = ${$doc}{'account-group'}{'id'}{'content'};
print "ID: $id_of_group\n"; ``` This script acquires the record ID of the account group named "Premium". The external system can reliably move a account object into the "Premium" account_group by running this script to acquire the appropriate record ID.
Update
Updating a record is accomplished by sending a HTTP PUT to the appropriate URL. The form of the URL requires knowledge of the record ID being updated. If the record ID is not known, then it must be looked up using the list action. The payload of the PUT needs to only contain the fields that are to be changed. The contents of the payload must meet the model requirements otherwise an error will be thrown. Consider the following example where the first name associated with account ID 36 is being updated via XML:
curl -i -X PUT -H 'Content-Type: application/xml'
-d '<?xml version="1.0"?><record><first-name>Alfred</first-name></record>'
https://rxg.dns/admin/scaffolds/accounts/update/36.xml?api_key=WR5...KLw
or via JSON:
curl -i -X PUT -H 'Content-Type: application/json'
-d '{"record": {"first_name": "Anson"}}'
https://rxg.dns/admin/scaffolds/accounts/update/36.xml?api_key=WR5...KLw
If the request is successful the rXg responds with a HTTP/1.1 200 OK:
```
HTTP/1.1 200 OK
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
ETag: "6189032e56e827aafd5543357368d300"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _rxg_console_session=BAh...66d; path=/; HttpOnly
X-Request-Id: de794ed53142ffc00c9e5c135716edfc
X-Runtime: 0.062918
Date: Thu, 14 Jun 2012 01:07:10 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
If the request fails, then the rXg responds with an HTTP error code, usually HTTP/1.1 422. For, example, if an invalid first name is passed in:
curl -i -X PUT -H 'Content-Type: application/xml'
-d '<?xml version="1.0"?>
The response would be:
HTTP/1.1 422
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
Set-Cookie: _rxg_console_session=BAh...1f6
X-Runtime: 0.041413
Date: Thu, 14 Jun 2012 01:18:57 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
Destroy
Deleting a record is accomplished by sending a HTTP DELETE to the appropriate URL. The record ID must be known in order to execute this request. Use the list action to retrieve the record ID if it is not known. To delete account record number 38, an HTTP request such as the following must be sent:
curl -i -X DELETE -H 'Content-Type: application/xml'
https://rxg.dns/admin/scaffolds/accounts/destroy/38.xml?api_key=WR5...KLw
If the record was successfully deleted, a response of the following form will be returned:
HTTP/1.1 200 OK
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
Set-Cookie: _rxg_console_session=BAh...1f3; path=/; HttpOnly
X-Request-Id: 1fe3fccbf67bc8430ed74bd354cc2c95
X-Runtime: 0.056364
Date: Thu, 14 Jun 2012 01:26:05 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
Attempting to delete a nonexistent record will result in a response of HTTP/1.1 404 Not Found.
Sample SDKs
cURL SDK
The following files are provided as part of a sample SDK that takes advantage of the rXg RESTful API. These shell scripts may be executed on any administrator device that has BASH and cURL installed on it.
00_get_account_id.sh
00_get_bandwidth_queue_id.sh
00_get_device_id.sh
00_get_plan_id.sh
00_get_quota_trigger_id.sh
00_get_time_plan_id.sh
00_set_globals.sh
00_urlencode.sed
00_xml_extract_integer.sh
01_create_account.sh
02_show_account_json.sh
02_show_account_xml.sh
02_show_device_usage.sh
02_show_pfqueuelogs_for_mac.sh
03_reset_total_utilization_counters.sh
03_update_account.sh
04_add_device_to_account.sh
04_remove_device.sh
05_suspend_account.sh
05_unsuspend_account.sh
06_delete_account.sh
07_change_bandwidth_queue.sh
07_change_quota_trigger.sh
07_change_time_plan_price.sh
Rxg_Curl_Class.php
The scripts with the 00
prefix are called from the other scripts. Make sure that all of the scripts with the 00
prefix are accessible and executable before attempting to run any of the other scripts.
The 00_set_globals.sh
script must be edited so that the global variables reflect the target rXg. The RXG_NAME
must be set to the DNS name of the rXg that is being accessed via the RESTful API. Furthermore the RXG_API_KEY
must be changed to reflect an API key that has been obtained from the administrative console.
The scripts in this SDK may be used as provided to integrate a remote portal mechanism. A remote portal application must be able to grant access to certain end-users and devices. To accomplish this the remote server would execute the 01_create_account.sh
script to create an account and then run the04_add_device_to_account.sh
to add the end-user device to the account.
To utilize this pattern the operator must setup Account Groups, Policies and Usage Plans for the various tiers of service. Automatic login should be enabled in the Usage Plans that are to be used with this mechanism. In the example below the operator wishes to authorize the MAC address 00:01:af:cc:38:4f
to have access via a Usage Plan named Basic. Most operators choose to use the MAC address as the Account login if only a single device per Account is desired. For example:
./01_create_account.sh -a 00:01:af:cc:38:4f -p Basic
./04_add_device_to_account.sh 00:01:af:cc:38:4f 00:01:af:cc:38:4f
Changing the provisioned Usage Plan for an Account may be accomplished by running the 03_update_account.sh
script. Following the above example, we would do the following if the end-user upgrades to the Premium plan:
./03_update_account.sh -a 00:01:af:cc:38:4f -p Premium
Suspending an Account for any reason (e.g., payment processing failure) is easily accomplished by using the 05_suspend_account.sh
script. Following the above example:
./05_suspend_account.sh 00:01:af:cc:38:4f
Unsuspending the Account is just as easy:
./05_unsuspend_account.sh 00:01:af:cc:38:4f
The operator has numerous choices on how to instrument the data transfer consumed by an Account or Device. Use the02_show_device_usage.sh
script to retrieve a simple account utilization total for a device over a period of time. For example:
./02_show_device_usage.sh 01:50:56:00:00:99 '2014-03-21 00:00:00' '2014-03-22 23:59:59'
More detailed usage information may be acquired by looking at the PF Queue Logs and the PF Connection Logs. The PF Queue Logs are stored in decreasing resolution over time. Samples are stored every 30 seconds for an hour and then reduced to once an hour for a week and finally once a day after a week has passed. The entries in PF Connection Logs are different from the PF Queue Logs in that they also contain the IP addresses of the destinations.
If multiple Devices are associated with a single Account then their total utilization is stored in the Device object. The mb_up
,mb_down
, pkts_up
and pkts_down
fields reflect the utilization of all Devices associated with the Account. The 02_show_account_xml.sh
retrieves all fields including the four total utilization fields. Use the 03_reset_total_utilization_counters.sh
script to reset the total utilization counters to zero at any time.
PHP SDK
Download the PHP SDK
. Save it into your PHP project directory and require_once
to include the library into your application.
Note: Use of this library requires that the PHP cURL extension be enabled in your php.ini file. Edit the file and uncomment the following line (remove the ; from the beginning of the line):
;extension=php_curl.dll
Examples
<?php
require_once("Rxg_Curl_Class.php");
# Initialize a new instance of the Rxg_Curl_Class
$rxg = new Rxg_Curl_Class("hostname.domain.com", "apikey");
# Create a record
$result = $rxg->create("admins",
array(
"login" => "operator",
"password" => '$uperP@ssword',
"password_confirmation" => '$uperP@ssword',
"admin_role" => 1
)
);
var_dump($result);
# Retrieve a record
$result = $rxg->show("wan_targets", 1);
var_dump($result);
# List all records
$result = $rxg->search("accounts");
var_dump($result);
# List records filtered by search params
$result = $rxg->search("accounts", array('first_name' => 'Romeo'));
var_dump($result);
# Update a record
$result = $rxg->update("accounts", 43, array("first_name" => 'George'));
var_dump($result);
# Delete a record
$result = $rxg->delete("accounts", 41);
var_dump($result);
?>
Graph API
The rXg records a great deal of instrumentation data as it operates. The data is stored in a combination of round-robin database files (RRD files) as well as the standard database, depending on the element of the system being instrumented. The rXg makes this data available through the admin console in the form of interactive graphs, as well as through the Graph API in the form of JSON or XML data points. Graphs may also be retrieved in PNG or PDF format.
Authentication:
All calls to the Graph API must be accompanied by an API key which may be obtained by clicking the show link next to an Admin in the administration console.
Extracting Data points
The database entries consist of timestamp values and the recorded value at the given time. These data points may be extracted using the Graph API.
If there is an existing Graph object stored in the database (created under the Archives::Reports subviews) which references the desired graphables, the Graphs ID may be used to simplify the parameters that must be sent in the request.
If there is no pre-existing Graph object, the necessary parameters may be assembled manually and included in the request.
Endpoint: /admin/graphs/graph_export.[json|xml]
cURL example:
curl -i -X POST -H 'Content-Type: application/json' -d '{ "graph": { "id":"1", "type":"NetworkGraph" } }' https://rxg.dns/admin/graphs/graph_export.json?api_key=rJ8FygG...
Example Request: (no pre-existing graph):
{
"graph":
{
"aggregate":"false",
"graph_time":
{
"past_time":"1",
"past_time_unit":"months"
},
"graphables"=>
[
{"id":"1", "model":"UsagePlan"},
{"id":"2", "model":"UsagePlan"},
{"id":"3", "model":"UsagePlan"}
],
"grouped_by":"week",
"target":"revenue",
"type":"AccountingGraph"
}
}
Example Request: (pre-existing graph):
{
"graph":
{
"id":"4",
"type":"AccountingGraph"
}
}
Note: Clicking on the title of any graph within the admin console and inspecting the resulting URL in the address bar is an easy way to determine the request parameters that comprise that graph.
Example Response (line graph):
{
"about":"RRDtool graph JSON output",
"meta":{
"start":1489193760,
"end":1489280160,
"step":240,
"legend":["WAN in","WAN out"]
},
"Data": [
[69603.195556,39176.017778],
[41630.633333,37621.266667],
[85979.170433,37950.492026],
[...response truncated...]
]
}
The response "meta" data provides the beginning and end timestamps, the interval between each datapoint, as well as the series labels.
Each entry in the "Data" array provides an array of y-axis values for each series for the current time slot.
Example Response (bar graph):
[
{
"values": [
{"x":"Sunday","y":24.0},
{"x":"Monday","y":14.0},
{"x":"Tuesday","y":12.0},
{"x":"Wednesday","y":12.0},
{"x":"Thursday","y":20.0},
{"x":"Friday","y":30.0},
{"x":"Saturday","y":16.0}
],
"key":"Basic",
"color":"#01545A"
},
{
"values": [
{"x":"Sunday","y":10.0},
{"x":"Monday","y":16.0},
{"x":"Tuesday","y":18.0},
{"x":"Wednesday","y":12.0},
{"x":"Thursday","y":8.0},
{"x":"Friday","y":20.0},
{"x":"Saturday","y":12.0}
],
"key":"Enhanced",
"color":"#017351"
}
]
The response array includes an object for each series.
Requesting Graph Images
Obtaining PNG or PDF output is a 3-step process. Upon requesting an image, the system will launch a background process to generate the data, and returns two URLs: one to check on the status of the file generation, and another to retrieve the generated file.
The request parameters are almost identical to the parameters that would be sent to export the datapoints, but also includes the desired image format "image_format". Valid image format values are "png_2k", "png_4k", "pdf".
- ## Generate the file
Endpoint: /admin/graphs/generate_graph_file.[json|xml]
Example Request: (no pre-existing graph):
{
"graph"=>
{
"aggregate"=>"false",
"graph_time"=>
{
"past_time"=>"1",
"past_time_unit"=>"months"
},
"graphables"=>
[
{"id"=>"1", "model"=>"Policy"},
{"id"=>"2", "model"=>"Policy"},
{"id"=>"3", "model"=>"Policy"}
],
"grouped_by"=>"day",
"target"=>"bits",
"type"=>"NetworkGraph"
},
"image_format" => "png_2k"
}
Example Request: (pre-existing graph):
{
"graph"=>
{
"id"=>"4",
"type"=>"AccountingGraph"
},
"image_format" => "png_2k"
}
Example Response:
{
"status_url":"https://gw1.company.com/admin/menu/check_tmp_file.json?filename=rxg.local_NetworkGraph_Uplink_2K_2017-03-14_15-44-50.png",
"download_url":"https://gw1.company.com/admin/menu/send_tmp_file.json?filename=rxg.local_NetworkGraph_Uplink_2K_2017-03-14_16-44-50.png",
"filename":"rxg.local_NetworkGraph_Uplink_2K_2017-03-14_16-44-50.png"
}
- ## Check the Status
Endpoint: https://gw1.company.com/admin/menu/check\_tmp\_file.json?filename=rxg.local\_NetworkGraph\_Uplink\_2K\_2017-03-14\_16-44-50.png (obtained from previous call)
Example Response:
{
"exists":true,
"download_url":"https://gw1.company.com/admin/menu/send_tmp_file.json?filename=rxg.local_NetworkGraph_Uplink_2K_2017-03-14_16-44-50.png"
}
OR
{"exists":false}
- ## Download the file
Endpoint: https://gw1.company.com/admin/menu/send\_tmp\_file.json?filename=rxg.local\_NetworkGraph\_Uplink\_2K\_2017-03-14\_16-44-50.png (obtained from previous call)
Exported graph is returned as a file download
Create
Creating a record is simply a matter of sending an HTTP POST to the appropriate URL. Consider the simple example of creating a WAN Target. To accomplish this an HTTP POST request would be sent to a URL of the form:
https://rxg.dns/admin/scaffolds/wan_targets/create.xml?api_key=8f8eab...868c
with a header containing:
Content-Type: application/xml
and a payload of the form:
<?xml version="1.0"?>
<record>
<name>Desired New Name</name>
<targets>1.2.3.4</targets>
</record>
This entire process may be accomplished by using the cURLcommand line utility. Below is an example command line that demonstrates the use of cURL to execute a create through the RESTful API.
curl -i -X POST -H 'Content-Type: application/xml'
-d '<?xml version="1.0"?><record><name>Desired New Name</name>
<targets>1.2.3.4</targets></record>'
https://rxg.dns/admin/scaffolds/wan_targets/create.xml?api_key=486...a5a
The RESTful API endpoint will respond with a HTTP/1.1 201 Created
that has a Location
header containing the URL to retrieve the record upon successful creation. The content of the response is a copy of the created record.
```
HTTP/1.1 201 Created
Location: https://rxg.dns/admin/scaffolds/wan_targets/show/5.xml?api_key=486...876a
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge
ETag: "40c13943442b4dd5646d264fdb738909"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _rxg_console_session=BAh7Ck...ea6e5; path=/; HttpOnly
X-Request-Id: 43eda966fa00bd1347f48583f37e5392
X-Runtime: 0.439131
Content-Length: 155
Connection: keep-alive
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
If an error occurs and the record is not created the response will be an HTTP error status (usually `HTTP/1.1 422`) and the content will contain the error messages. For example, if the same request is run twice, then the response would take the form:
HTTP/1.1 422
Content-Type: application/xml; charset=utf-8
Cache-Control: no-cache
Date: Mon, 28 May 2012 17:35:23 GMT
X-UA-Compatible: IE=Edge,chrome=1
Set-Cookie: _rxg_console_session=BAh7C...098b1; path=/; HttpOnly
X-Request-Id: 63bb95530945b6be578eaf4485d7a337
X-Runtime: 1.800010
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
Hitting the appropriate URL without sending the required input will result in a dump of error messages that describe the requirements. For example, using cURL to send the following request:
curl -i -X POST -H 'Content-Type: application/xml'
-d '<?xml version="1.0"?><record><login>restfulapitest</login></record>'
https://rxg.dns/admin/scaffolds/accounts/create.xml?api_key=WR5..KLw
Results in the the following response.
```
HTTP/1.1 422
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
Set-Cookie: _rxg_console_session=BAh...8b1; path=/; HttpOnly
X-Request-Id: 63bb95530945b6be578eaf4485d7a337
X-Runtime: 1.800010
Date: Mon, 28 May 2012 14:32:18 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
The reported errors may be used to construct a correct request to send to the RESTful API endpoint such as the following example:
curl -i -X POST -H 'Content-Type: application/xml' \
-d '<?xml version="1.0"?>
Which results in a response of:
HTTP/1.1 201 Created
Location: https://rxg.dns/admin/scaffolds/accounts/show/36.xml?api_key=WR5...KLw
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
ETag: "e71...4c7"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _rxg_console_session=BAh...dc6; path=/; HttpOnly
X-Request-Id: 111b836e66f0883a4900d37a8c0ff42e
X-Runtime: 0.040524
Date: Mon, 28 May 2012 18:55:57 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
**Accounts** must be assigned policy in order for enforcement to take effect. **Policies** are associated to **Accounts** through **Account Groups**. Associating **Accounts** with **Account Groups** is usually accomplished by setting either the `do_apply_usage_plan`or the `do_bill_and_apply_usage_plan` virtual attribute. For example:
curl -i -X POST -H 'Content-Type: application/xml'
-d '<?xml version="1.0"?>
Notice that the usage time, usage expiration and upload/download usages are not specified because they are defined by the plan. Also notice that the `usage-plan` attribute is used to specify the desired **Usage Plan** by ID. The **Usage Plan** ID may be acquired by using the `list` action for the `usage-plans`scaffold. Note that the value of `do_apply_usage_plan` or the `do_bill_and_apply_usage_plan` virtual attributes should always be `1`. If you set the value of the`do_apply_usage_plan` or the `do_bill_and_apply_usage_plan`to anything other than `1` then the system will not execute the command at all. The following is an example of the response to a successful **Account** record creation with **Usage Plan** specification and application as shown above.
HTTP/1.1 201 Created
Location: https://rxg.dns/admin/scaffolds/accounts/show/24.xml?api_key=LjU...kkQ
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
ETag: "4dcf...2322"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _rxg_console_session=BAh...03f; path=/; HttpOnly
X-Request-Id: 5c4...841
X-Runtime: 0.039446
Date: Fri, 22 Jun 2012 21:49:40 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
Show
Retrieving a single record is simply a matter of hitting the appropriate URL with a HTTP GET. Record retrieval via show requires knowledge of the record ID. It is more appropriate to use the list action is when searching is required. For example, hitting a URL of the form:
https://rxg.dns/admin/scaffolds/accounts/show/3.json?api_key=P7Z...idA
Results in the rXg retrieving the account with record ID 3 and sending a response of the form:
{"address1":null,"address2":null,"automatic_login":null,"bill_at":null,
"city":null,"company":null,"country":null,"created_at":"2012-05-10T11:41:40-04:00",
"created_by":null,"email":"[email protected]","first_name":"Colin","id":3,
"last_name":"Patterson","lock_devices":null,"logged_in_at":"2012-05-08T01:24:51-04:00",
"login":"cpatterson746","note":"Automatically generated by script run by root\n",
"phone":"4997197472","region":null,"state":"active",
"updated_at":"2012-05-10T11:41:40-04:00","updated_by":null,
"usage_expiration":null,"usage_minutes":28180,"zip":null}
Similarly hitting a URL of the form:
https://rxg.dns/admin/scaffolds/accounts/show/3.xml?api_key=P7Z...idA
Results in a response of the form:
<account>
<address1 nil="true"/>
<address2 nil="true"/>
<automatic-login type="boolean" nil="true"/>
<bill-at type="datetime" nil="true"/>
<charge-attempted-at type="datetime" nil="true"/>
<city nil="true"/>
<company nil="true"/>
<country nil="true"/>
<created-at type="datetime">2012-05-10T11:41:40-04:00</created-at>
<created-by nil="true"/>
<crypted-password>V3QlqyDanC4/mfbe+tIN3Zpfzbs=</crypted-password>
<email>[email protected]</email>
<first-name>Colin</first-name>
<id type="integer">3</id>
<last-name>Patterson</last-name>
<lock-mac type="boolean" nil="true"/>
<lock-version type="integer">0</lock-version>
<logged-in-at type="datetime">2012-05-08T01:24:51-04:00</logged-in-at>
<login>cpatterson746</login>
<mb-down type="integer">3747</mb-down>
<mb-up type="integer">730</mb-up>
<no-usage-expiration type="boolean">true</no-usage-expiration>
<note>Automatically generated by script run by root</note>
<phone>4997197472</phone>
<pkts-down type="integer">251049192</pkts-down>
<pkts-up type="integer">70080583</pkts-up>
<region nil="true"/>
<relative-usage-lifetime type="integer" nil="true"/>
<salt>964fbe3ceea48ac7a1960bc99bed912f0cafae53</salt>
<state>active</state>
<unlimited-usage-mb-down type="boolean">false</unlimited-usage-mb-down>
<unlimited-usage-mb-up type="boolean">false</unlimited-usage-mb-up>
<unlimited-usage-minutes type="boolean">false</unlimited-usage-minutes>
<updated-at type="datetime">2012-05-10T11:41:40-04:00</updated-at>
<updated-by nil="true"/>
<usage-expiration type="datetime" nil="true"/>
<usage-mb-down type="integer">1372</usage-mb-down>
<usage-mb-up type="integer">293</usage-mb-up>
<usage-minutes type="integer">28180</usage-minutes>
<usage-plan-id type="integer">1</usage-plan-id>
<zip nil="true"/>
</account>
List
Retrieving a set of records through the RESTful API is simply a matter of sending an HTTP GET to the appropriate URL. Let us consider the example of retrieving the ping targets instrument for the purpose of integrating edge device monitoring with a central NMS. Using cURL to execute the following command:
curl https://rxg.dns/admin/scaffolds/ping_targets/index.json?api_key=P7Z...idA
The rXg responds with a JSON formatted dump of the current state of the ping targets.
[{"name":"Google Public DNS 1","online":true,
"target":"8.8.8.8","updated_at":"2012-06-13T17:11:04-04:00"},
{"name":"Google Public DNS 2","online":true,
"target":"8.8.4.4","updated_at":"2012-04-23T12:10:11-04:00"},
{"name":"IDF Switch 2","online":true,
"target":"192.168.117.20","updated_at":"2012-06-13T18:10:09-04:00"},
{"name":"VM NAT Net Router","online":false,
"target":"192.168.117.254","updated_at":"2012-06-13T18:09:53-04:00"},
{"name":"Zone Director","online":false,
"target":"172.30.80.10","updated_at":"2012-06-13T18:10:48-04:00"}]
The suffix may be changed to retrieve the same information in XML format.
```
<?xml version="1.0" encoding="UTF-8"?>
...
Filtering of the list is accomplished by passing CGI parameters to the RESTful API endpoint that match the fields of the model being retrieved. For example:
curl https://rxg.dns/admin/scaffolds/ping_targets/index.json?api_key=P7Z...idA&name=Zone+Director'
Results in the filtered response:
[{"name":"Zone Director","online":false,
"target":"172.30.80.10","updated_at":"2012-06-13T18:10:48-04:00"}]
The same example formatted in XML:
curl https://rxg.dns/admin/scaffolds/ping_targets/index.xml?api_key=P7Z...idA&name=Zone+Director'
Results in the filtered response:
<?xml version="1.0" encoding="UTF-8"?>
Filtering a retrieved list is commonly used to acquire the ID that needs to be passed during the create or update of a record. For example, if a **account** needs to be placed into a specific **account group** , the ID of the **account group** must be passed into the update request. It is highly recommended that external systems rely on names rather than IDs because the ID of records are automatically generated by the rXg and are not reliably replicated across a fleet. Therefore, most external systems must look up the ID of related objects before executing a create or update. Consider the following example Perl script:
use LWP::Simple;
use XML::Simple;
my $api_key = 'P7Z...idA'; my $groupname = 'Premium'; my $rxg = 'rxg.dns'; my $ctrl_action = 'admin/scaffolds/account_groups/index.xml';
$xml_raw = get("https://$rxg/$ctrl_action?api_key=$api_key;name=$groupname"); my $doc = XMLin($xml_raw); my $id_of_group = ${$doc}{'account-group'}{'id'}{'content'};
print "ID: $id_of_group\n"; ``` This script acquires the record ID of the account group named "Premium". The external system can reliably move a account object into the "Premium" account_group by running this script to acquire the appropriate record ID.
Update
Updating a record is accomplished by sending a HTTP PUT to the appropriate URL. The form of the URL requires knowledge of the record ID being updated. If the record ID is not known, then it must be looked up using the list action. The payload of the PUT needs to only contain the fields that are to be changed. The contents of the payload must meet the model requirements otherwise an error will be thrown. Consider the following example where the first name associated with account ID 36 is being updated via XML:
curl -i -X PUT -H 'Content-Type: application/xml'
-d '<?xml version="1.0"?><record><first-name>Alfred</first-name></record>'
https://rxg.dns/admin/scaffolds/accounts/update/36.xml?api_key=WR5...KLw
or via JSON:
curl -i -X PUT -H 'Content-Type: application/json'
-d '{"record": {"first_name": "Anson"}}'
https://rxg.dns/admin/scaffolds/accounts/update/36.xml?api_key=WR5...KLw
If the request is successful the rXg responds with a HTTP/1.1 200 OK:
```
HTTP/1.1 200 OK
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
ETag: "6189032e56e827aafd5543357368d300"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _rxg_console_session=BAh...66d; path=/; HttpOnly
X-Request-Id: de794ed53142ffc00c9e5c135716edfc
X-Runtime: 0.062918
Date: Thu, 14 Jun 2012 01:07:10 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
If the request fails, then the rXg responds with an HTTP error code, usually HTTP/1.1 422. For, example, if an invalid first name is passed in:
curl -i -X PUT -H 'Content-Type: application/xml'
-d '<?xml version="1.0"?>
The response would be:
HTTP/1.1 422
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
Set-Cookie: _rxg_console_session=BAh...1f6
X-Runtime: 0.041413
Date: Thu, 14 Jun 2012 01:18:57 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
<?xml version="1.0" encoding="UTF-8"?>
Destroy
Deleting a record is accomplished by sending a HTTP DELETE to the appropriate URL. The record ID must be known in order to execute this request. Use the list action to retrieve the record ID if it is not known. To delete account record number 38, an HTTP request such as the following must be sent:
curl -i -X DELETE -H 'Content-Type: application/xml'
https://rxg.dns/admin/scaffolds/accounts/destroy/38.xml?api_key=WR5...KLw
If the record was successfully deleted, a response of the following form will be returned:
HTTP/1.1 200 OK
Content-Type: application/xml; charset=utf-8
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
Set-Cookie: _rxg_console_session=BAh...1f3; path=/; HttpOnly
X-Request-Id: 1fe3fccbf67bc8430ed74bd354cc2c95
X-Runtime: 0.056364
Date: Thu, 14 Jun 2012 01:26:05 GMT
X-Rack-Cache: invalidate, pass
Connection: close
Server: thin 1.3.1 codename Triple Espresso
Attempting to delete a nonexistent record will result in a response of HTTP/1.1 404 Not Found.
Sample SDKs
cURL SDK
The following files are provided as part of a sample SDK that takes advantage of the rXg RESTful API. These shell scripts may be executed on any administrator device that has BASH and cURL installed on it.
00_get_account_id.sh
00_get_bandwidth_queue_id.sh
00_get_device_id.sh
00_get_plan_id.sh
00_get_quota_trigger_id.sh
00_get_time_plan_id.sh
00_set_globals.sh
00_urlencode.sed
00_xml_extract_integer.sh
01_create_account.sh
02_show_account_json.sh
02_show_account_xml.sh
02_show_device_usage.sh
02_show_pfqueuelogs_for_mac.sh
03_reset_total_utilization_counters.sh
03_update_account.sh
04_add_device_to_account.sh
04_remove_device.sh
05_suspend_account.sh
05_unsuspend_account.sh
06_delete_account.sh
07_change_bandwidth_queue.sh
07_change_quota_trigger.sh
07_change_time_plan_price.sh
Rxg_Curl_Class.php
The scripts with the 00
prefix are called from the other scripts. Make sure that all of the scripts with the 00
prefix are accessible and executable before attempting to run any of the other scripts.
The 00_set_globals.sh
script must be edited so that the global variables reflect the target rXg. The RXG_NAME
must be set to the DNS name of the rXg that is being accessed via the RESTful API. Furthermore the RXG_API_KEY
must be changed to reflect an API key that has been obtained from the administrative console.
The scripts in this SDK may be used as provided to integrate a remote portal mechanism. A remote portal application must be able to grant access to certain end-users and devices. To accomplish this the remote server would execute the 01_create_account.sh
script to create an account and then run the04_add_device_to_account.sh
to add the end-user device to the account.
To utilize this pattern the operator must setup Account Groups, Policies and Usage Plans for the various tiers of service. Automatic login should be enabled in the Usage Plans that are to be used with this mechanism. In the example below the operator wishes to authorize the MAC address 00:01:af:cc:38:4f
to have access via a Usage Plan named Basic. Most operators choose to use the MAC address as the Account login if only a single device per Account is desired. For example:
./01_create_account.sh -a 00:01:af:cc:38:4f -p Basic
./04_add_device_to_account.sh 00:01:af:cc:38:4f 00:01:af:cc:38:4f
Changing the provisioned Usage Plan for an Account may be accomplished by running the 03_update_account.sh
script. Following the above example, we would do the following if the end-user upgrades to the Premium plan:
./03_update_account.sh -a 00:01:af:cc:38:4f -p Premium
Suspending an Account for any reason (e.g., payment processing failure) is easily accomplished by using the 05_suspend_account.sh
script. Following the above example:
./05_suspend_account.sh 00:01:af:cc:38:4f
Unsuspending the Account is just as easy:
./05_unsuspend_account.sh 00:01:af:cc:38:4f
The operator has numerous choices on how to instrument the data transfer consumed by an Account or Device. Use the02_show_device_usage.sh
script to retrieve a simple account utilization total for a device over a period of time. For example:
./02_show_device_usage.sh 01:50:56:00:00:99 '2014-03-21 00:00:00' '2014-03-22 23:59:59'
More detailed usage information may be acquired by looking at the PF Queue Logs and the PF Connection Logs. The PF Queue Logs are stored in decreasing resolution over time. Samples are stored every 30 seconds for an hour and then reduced to once an hour for a week and finally once a day after a week has passed. The entries in PF Connection Logs are different from the PF Queue Logs in that they also contain the IP addresses of the destinations.
If multiple Devices are associated with a single Account then their total utilization is stored in the Device object. The mb_up
,mb_down
, pkts_up
and pkts_down
fields reflect the utilization of all Devices associated with the Account. The 02_show_account_xml.sh
retrieves all fields including the four total utilization fields. Use the 03_reset_total_utilization_counters.sh
script to reset the total utilization counters to zero at any time.
PHP SDK
Download the PHP SDK
. Save it into your PHP project directory and require_once
to include the library into your application.
Note: Use of this library requires that the PHP cURL extension be enabled in your php.ini file. Edit the file and uncomment the following line (remove the ; from the beginning of the line):
;extension=php_curl.dll
Examples
<?php
require_once("Rxg_Curl_Class.php");
# Initialize a new instance of the Rxg_Curl_Class
$rxg = new Rxg_Curl_Class("hostname.domain.com", "apikey");
# Create a record
$result = $rxg->create("admins",
array(
"login" => "operator",
"password" => '$uperP@ssword',
"password_confirmation" => '$uperP@ssword',
"admin_role" => 1
)
);
var_dump($result);
# Retrieve a record
$result = $rxg->show("wan_targets", 1);
var_dump($result);
# List all records
$result = $rxg->search("accounts");
var_dump($result);
# List records filtered by search params
$result = $rxg->search("accounts", array('first_name' => 'Romeo'));
var_dump($result);
# Update a record
$result = $rxg->update("accounts", 43, array("first_name" => 'George'));
var_dump($result);
# Delete a record
$result = $rxg->delete("accounts", 41);
var_dump($result);
?>
Graph API
The rXg records a great deal of instrumentation data as it operates. The data is stored in a combination of round-robin database files (RRD files) as well as the standard database, depending on the element of the system being instrumented. The rXg makes this data available through the admin console in the form of interactive graphs, as well as through the Graph API in the form of JSON or XML data points. Graphs may also be retrieved in PNG or PDF format.
Authentication:
All calls to the Graph API must be accompanied by an API key which may be obtained by clicking the show link next to an Admin in the administration console.
Extracting Data points
The database entries consist of timestamp values and the recorded value at the given time. These data points may be extracted using the Graph API.
If there is an existing Graph object stored in the database (created under the Archives::Reports subviews) which references the desired graphables, the Graphs ID may be used to simplify the parameters that must be sent in the request.
If there is no pre-existing Graph object, the necessary parameters may be assembled manually and included in the request.
Endpoint: /admin/graphs/graph_export.[json|xml]
cURL example:
curl -i -X POST -H 'Content-Type: application/json' -d '{ "graph": { "id":"1", "type":"NetworkGraph" } }' https://rxg.dns/admin/graphs/graph_export.json?api_key=rJ8FygG...
Example Request: (no pre-existing graph):
{
"graph":
{
"aggregate":"false",
"graph_time":
{
"past_time":"1",
"past_time_unit":"months"
},
"graphables"=>
[
{"id":"1", "model":"UsagePlan"},
{"id":"2", "model":"UsagePlan"},
{"id":"3", "model":"UsagePlan"}
],
"grouped_by":"week",
"target":"revenue",
"type":"AccountingGraph"
}
}
Example Request: (pre-existing graph):
{
"graph":
{
"id":"4",
"type":"AccountingGraph"
}
}
Note: Clicking on the title of any graph within the admin console and inspecting the resulting URL in the address bar is an easy way to determine the request parameters that comprise that graph.
Example Response (line graph):
{
"about":"RRDtool graph JSON output",
"meta":{
"start":1489193760,
"end":1489280160,
"step":240,
"legend":["WAN in","WAN out"]
},
"Data": [
[69603.195556,39176.017778],
[41630.633333,37621.266667],
[85979.170433,37950.492026],
[...response truncated...]
]
}
The response "meta" data provides the beginning and end timestamps, the interval between each datapoint, as well as the series labels.
Each entry in the "Data" array provides an array of y-axis values for each series for the current time slot.
Example Response (bar graph):
[
{
"values": [
{"x":"Sunday","y":24.0},
{"x":"Monday","y":14.0},
{"x":"Tuesday","y":12.0},
{"x":"Wednesday","y":12.0},
{"x":"Thursday","y":20.0},
{"x":"Friday","y":30.0},
{"x":"Saturday","y":16.0}
],
"key":"Basic",
"color":"#01545A"
},
{
"values": [
{"x":"Sunday","y":10.0},
{"x":"Monday","y":16.0},
{"x":"Tuesday","y":18.0},
{"x":"Wednesday","y":12.0},
{"x":"Thursday","y":8.0},
{"x":"Friday","y":20.0},
{"x":"Saturday","y":12.0}
],
"key":"Enhanced",
"color":"#017351"
}
]
The response array includes an object for each series.
Requesting Graph Images
Obtaining PNG or PDF output is a 3-step process. Upon requesting an image, the system will launch a background process to generate the data, and returns two URLs: one to check on the status of the file generation, and another to retrieve the generated file.
The request parameters are almost identical to the parameters that would be sent to export the datapoints, but also includes the desired image format "image_format". Valid image format values are "png_2k", "png_4k", "pdf".
- ## Generate the file
Endpoint: /admin/graphs/generate_graph_file.[json|xml]
Example Request: (no pre-existing graph):
{
"graph"=>
{
"aggregate"=>"false",
"graph_time"=>
{
"past_time"=>"1",
"past_time_unit"=>"months"
},
"graphables"=>
[
{"id"=>"1", "model"=>"Policy"},
{"id"=>"2", "model"=>"Policy"},
{"id"=>"3", "model"=>"Policy"}
],
"grouped_by"=>"day",
"target"=>"bits",
"type"=>"NetworkGraph"
},
"image_format" => "png_2k"
}
Example Request: (pre-existing graph):
{
"graph"=>
{
"id"=>"4",
"type"=>"AccountingGraph"
},
"image_format" => "png_2k"
}
Example Response:
{
"status_url":"https://gw1.company.com/admin/menu/check_tmp_file.json?filename=rxg.local_NetworkGraph_Uplink_2K_2017-03-14_15-44-50.png",
"download_url":"https://gw1.company.com/admin/menu/send_tmp_file.json?filename=rxg.local_NetworkGraph_Uplink_2K_2017-03-14_16-44-50.png",
"filename":"rxg.local_NetworkGraph_Uplink_2K_2017-03-14_16-44-50.png"
}
- ## Check the Status
Endpoint: https://gw1.company.com/admin/menu/check\_tmp\_file.json?filename=rxg.local\_NetworkGraph\_Uplink\_2K\_2017-03-14\_16-44-50.png (obtained from previous call)
Example Response:
{
"exists":true,
"download_url":"https://gw1.company.com/admin/menu/send_tmp_file.json?filename=rxg.local_NetworkGraph_Uplink_2K_2017-03-14_16-44-50.png"
}
OR
{"exists":false}
- ## Download the file
Endpoint: https://gw1.company.com/admin/menu/send\_tmp\_file.json?filename=rxg.local\_NetworkGraph\_Uplink\_2K\_2017-03-14\_16-44-50.png (obtained from previous call)
Exported graph is returned as a file download
Miscellaneous
This section of the manual will include miscellaneous articles.
SoftGRE Tunnels
Ruckus SmartZone Configuration (12/11/2023)
Overview
The following steps will guide you through configuring a SoftGRE tunnel between a Rucks AP and a rXg.
Environment
This document was written and tested using the following components from the RG Nets and RUCKUS ecosystem.
Manufacturer | Component | Version |
---|---|---|
RG Nets | rXg | 13.2 - 15.251 |
RUCKUS | Virtual SmartZone Essentials | 6.1.1.0.959 |
RUCKUS | R650 | 6.1.1.0.1274 |
Important Notes:
- SoftGRE tunnels are a licensed feature with RUCKUS. A demo license or SoftGRE license is required for this application.
- It is recommended to only use SoftGRE tunnels over the LAN as the traffic is currently unencrypted.
Prerequisites
This document assumes the following has already been configured: 1. IP Address for the SmartZone, AP, and rXg are all in the same subnet. 2. The subnet has been tied to an IP group and policy called Management. 3. The AP has already been discovered by the SmartZone 4. While not required, in the case of this lab, a functional eDPSK configuration has already been deployed and tested using config sync.
Configuration
SmartZone
All required configuration changes to the SmartZone will be applied using config sync from the rXg.
rXg WLAN Configuration
Network >> Wireless >> WLANs
The modifications in the WLAN profile are quite simple. On an existing WLAN, you can check the box for tunnel, set the tunnel type to SoftGRE, and then add the IP address for the interface on the rXg that will be the endpoint for the tunnel.
- The Tunnel checkbox instructs access points to build a tunnel to the controller instead of locally bridging the client traffic. In the case of Ruckus, this checkbox will create a SoftGRE tunnel between the APs and the rXg. This capability does require that the Ruckus controller has an appropriate SoftGRE license.
- The GRE Tunnel Type field allows you to select between RuckusGRE and SoftGRE. RuckusGRE is for use with the Ruckus virtual data plane. SoftGRE allows for tunnel creation to the rXg as the endpoint.
- The GRE Tunnel GW IP should be the IP address of the interface on the rXg that the tunnel will connect to.
rXg Pseudo Interfaces
Network >> LAN >> Pseudo Interfaces
- Name for the SoftGRE tunnel interface.
- Select an interface type of SoftGRE.
- Select the interface to be used for untagged traffic.
- Select the VLANs that will be allowed over the SoftGRE tunnel.
- Select the policy that contains the APs that will establish a tunnel.
Troubleshooting
Confirm the presence of interface bridges.
In the GUI this can be confirmed by browsing to Instruments >> System Info >> Interface Configurations and checking that there is a bridge for each VLAN that should be carried over the tunnel. The bridge number will be the same as the VLAN with an extra 1 at the beginning. For example if vlan2000 should be carried over the tunnel, you should also have a bridge12000.
This can also be seen via SSH with a command like ifconfig | grep bridge12000
Confirm the traffic is flowing over the bridge interface.
This can be done by using tcpdump to confirm that you see unicast traffic over the interface. For example, have a client connect and ping 4.2.2.2.
Continuing the use of bridge12000, I will use the following tcpdump statement tcpdump -ni bridge12000
and confirm that I can see unicast traffic from my client device.
Telemetry
Overview
The rXg supports three kinds of telemetry data ingestion, gRPC, MQTT, and Kafka. All of these ingestion types are used to get and analyze radio metrics and client metrics, which are presented in Radio Metric Graphs and the KPI dialog types.
9800 / gRPC and vSZ / MQTT operate with the rXg acting as a server. OpenWifi / Kafka operates with the OpenWifi Kafka process as the server, as known as the broker, in Kafka terminology.
Setup
Common Setup Goals
The WLAN Controller MUST have its time synchronized with the rXg.
OpenWifi Gateway / Kafka
The rXg will automatically try to connect to the OWGW via Kafka on port 9094. If you have installed the OWGW via RGNets' image from the config template example, this is done for you automatically.
9800 WLC / gRPC
The CISCO 9800 Wireless Lan Controller uses gRPC to stream telemetry data.
It MUST have Netconf Yang enabled. This can be done with the netconf-yang
CLI
directive or in the GUI via Administration>HTTP/HTTPS/Netconf/VTY
.
If you use the bootstrap script automatically generated from the rXg, that will
have the netconf-yang
directive in it.
rXg Setup
To enable gRPC streaming, create a WLAN Controller record for your WLAN Controller if there is not one already. If the rXg supports gRPC streaming for your WLAN controller, a gRPC port input field will be available. Put in the port number that you want the rXg to listen on for this device's gRPC telemetry data.
It is critically important to have the port that the rXg is listening for telemetry data on be exactly the same port that the WLC is configured to send the telemetry data TO. If you wish to stream telemetry data from multiple WLCs to one rXg, each WLC must stream to a different port on that rXg.
9800 Setup
Next you will need to configure the subscriptions in the CISCO 9800 WLC. The rXg provides a built in facility for building the exact script necessary to to create these.
First scroll to the right of your WLAN device record to access the Bootstrap view.
Then click on Show to present the telemetry bootstrap configuration script.
Next click on Copy to Clipboard to copy this configuration.
Next paste the configuration into your 9800 to run it:
(NOTE: This will update existing low numbered subscriptions if you have any)
Setup Confirmation
Next you may be wondering if your rXg is receiving the data. Here are a couple of easy ways to confirm.
Check Access Point Radios
The easiest, fastest and simplest way to check if your Telemetry data is streaming in is to check if any Access Point Radios are now present.
In the Network >> Wireless view of your rXg, scroll down to the Access Point Radios Scaffold and see if there are new ones:
Health Check
Another way to check is to make a "Cisco Telemetry Health Check" widget. In order to do this, setup a new custom dashboard with the Cisco Telemetry health check widget on it. Widgets and dashboards and dashboard configuration is covered in the archives>> reports section of this manual, but here is an example of configuring such a widget.
Here is what the widget will look like when the data is being received.
NOTE: You will not receive data for client_oper_data_common_oper_data
,
client_oper_data_dot11_oper_data
or client_oper_data_traffic_stats
when no
clients are associated.
Check on 9800
The best way to check the status of the subscriptions on the 9800 is with the
command show telemetry ietf subscription all detail
.
All the rest of the subscriptions should also say Connected
and Subscription
Validated
as well.
Virtual Smart Zone / MQTT
The rXg can also receive telemetry data from the RUCKUS Virtual Smart Zone via MQTT (Message Queuing Telemetry Transport).
rXg Setup
To enable MQTT streaming, we will need to create a local MQTT server. This can be done by browsing to Network >> Wireless >> WLAN Controllers and editing an existing vSZ WLAN Controller profile, or you can you can create a new one.
Scroll down to the RUCKUS section and create a telemetry_username
and telemetry_password
.
Once the changes are saved, a local MQTT server will be created to receive the streaming data from the vSZ. You can see the MQTT server configuration under Services >> Servers >> MQTT Server.
Assuming that config sync has been enabled, your vSZ will automatically be configured to start sending telemetry data. If you are not using config sync, you can configure manually following the steps below in the "Check Subscription vSZ" section.
Setup Confirmation
Check Access Point Radios
The easiest, fastest and simplest way to check if your Telemetry data is streaming in is to check if any Access Point Radios are now present.
In the Network >> Wireless view of your rXg, scroll down to the Access Point Radios Scaffold and see if there are new ones:
Check Subscription in vSZ
Another good place to check is in the vSZ itself. In Administration >> NB Streaming
you should be able to find your subscription. When it is working, you should see
Connected
to the right in the list view.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The server host field will be the IP address or domain name of the rXg that will receive the streaming data.
The server port will be 8883 by default. This can be changed in the rXg by browsing to Services >> Servers >> MQTT Servers.
User and Password should be the same as what you configured in the WLAN Controller record.
The system ID can be found by browsing in the rXg to Network >> Wireless >> WLAN Controllers and clicking "Show" on the scaffold for the previously configured WLAN controller.
You will then scroll down to the bottom and find the ID field.
Check rXg's MQTT Server
In Services >> Servers in the rXg, scroll down to MQTT Servers. Create or edit an MQTT Server with the following attributes:
active: true
tls version: 1.2
tls_port: 8883
infrastructure_devices: <YOUR vSZ>
In order for your rXg to have firewall visibility for the MQTT Server, you must have an active MQTT Server associated with your WLAN Controller via your WLAN Controller's MQTT Server attribute.
A note on the instrument_from_telemetry
boolean
The instrument_from_telemetry
boolean tells the rXg to create and update
Access Points based on Telemetry data.
If you are running with config sync turned on, or monitoring turned on, your rXg
will be able to import infrastructure updates through the regular infrastructure
monitoring process, and you should have instrument_from_telemetry
turned off.
If you are not using monitoring or config sync and are just receiving telemetry
data from an infrastructure device, then you should have
instrument_from_telemetry
turned on.
OpenWiFi
Deploy OpenWiFi Controller SDK as VM on rXg (10/15/2024)
Overview
The following steps will guide you through building the OpenWiFi Controller SDK as a virtual machine within the rXg application.
Environment
This document was written and tested using the following components from the RG Nets and OpenWifi ecosystem.
Manufacturer | Component | Version |
---|---|---|
RG Nets | rXg | 13.2 - 15.811 |
TIP | OpenWifi Controller | 3.1.0(5) |
Actiontech | WF-196 | TIP-v3.1.0-01c94cf |
Architecture
In this lab example, we will be using a virtual Ubuntu instance on a bare metal rXg node. The OpenWiFi controller SDK is deployed as a set of docker containers inside the Ubuntu VM.
Network Topology
Prerequisites
This deployment requires an rXg node that supports virtualization and has sufficient storage, compute and memory to run the virtual machine. You should also have an admin account with a ssh key defined.
For a small-scale OpenWifi deployment (< 50 APs), we suggest at least:
- 8 GB of memory
- 4 CPU Cores
- 80 GB of storage
Configuration
1. Setup Virtualization Hosts
To install the OpenWiFi controller in Bhyve first we must ensure we have a Virtualization Host to install to. Navigate to Services::Virtualization, if a host does not exist create a new Virtualization Host.
Give the Virtualization Host a name, the name field is an arbitrary string used to identify the host here I've set the name as the FQDN. Autostart Delay, and Reserved CPU count will be left at default values. Next name the Virtual Switches to make it easier to identify. Here I name my WAN and LAN connections, we will only need the LAN connection for our OpenWiFi controller. Click Create.
2. Install OpenWiFi Controller as a Virtual Machine
We will use a built in Config Template to automatically download the OpenWiFi controller software. Navigate to System::Backup and find the Config Template named "Example: 06 Download rXg Openwifi Image Config". If you do not see any example config templates click the "Show Examples" link.
We do not need to modify this template, it is going to download the openwifi img file and make it available as a disk image. Click apply to have it download the image.
After clicking apply we should get a Success message.
We can verify that the image was downloaded by navigating to Services::Virtualization and clicking Disk Images on the record for our Virtualization host.
Now that we have confirmed that the image has been downloaded we are ready to create the Virtual Machine. We will utilize another config template to automatically deploy the VM. Navigate to System::Backup, and find the config template named "Example: 07 Deploy Virtual Openwifi Controller Config". Do not click apply, instead click Edit. We will need to modify the template to match our networking.
Adjust the name variable if desired, I will leave the name as "openwifi". Next I am looking for the line with "mapped_switches". I am going to change this line from: "mapped_switches = ["igb0", "igb1", "igb2"]" to; "mapped_switches = ["vmx4 LAN"]
This is NOT the name of the interface but rather the name of the virual switch, I named mine "vmx4 LAN" so I need to make sure that matches. To verify the name navigate to Services::Virtualization and look at the Virtual Switches scaffold and find the name of the switch the OpenWiFi controller will be connected to.
You may also need to adust the IP address asigned to the controller. Look for the cidr, gateway, and nameservers variables, and adjust accordingly. This controller in this setup will be on the 192.168.5.x network.
I have adjusted the variables to match my network below.
Next we need to specify an SSH key pair. For this I will leverage the ssh key tied to my admin account. In the real world it is best to make a new ssh keypair for this so it is not tied to an individual. Now that I have adjusted the config template I can click the update button.
Now we are ready to apply the template. When we click apply this will create a new VM, connected to the interfaces we specified in the template (just vmx4 LAN in this case), we can see that the VM will have 8GB of memory, 8 cpu cores, and a 10GB HDD.
We can confirm that the new VM was created by navigating to Services::Virtualization and review the Virtual Machines scaffold.
In addtion to creating the VM, the template also created a DNS override for "openwifi.wlan.local" this can be used if we need to access the controller and need it to resolve to the IP address of the controller. To verify that the DNS override is setup correctly, navigate to Services::DNS and review the DNS Records scaffold.
What this entry does is overrides any DNS for "openwifi.wlan.local", so that if I am behind this system and point my browser to the FQDN it will resolve to 192.168.5.9 and allow me to access the controller.
Now we must start the installation process on the VM, navigate to Servcies::Virtualization. The openwifi Virtual Machine has a commands link to the righthand side, select start from the list. This will turn on the machine and begin the installation process.
VM state will change from stopped to Running. Note that installation takes about 2 minutes.
To verify that the controller is up and running click the VNC viewer option and open the console window. Note that we do not need to login or do anything via the console window it can be closed.
3. Add OpenWiFi as infrastucture Device
Now that we have installed the OpenWifi Controller we can add it as an infrastucture device. Navigate to Network::Wireless and create a new WLAN Controller.
Give the controller a name, change the Type field to OpenWifi. Enter the controllers IP address in the Host field. Leave the default Username [email protected], and enter a password of your choosing in the Password field. The password will be updated automatically in the OpenWifi controller. Click Create at the bottom of the record.
After creating the WLAN Controller record it will takea few seconds and then the Online field should change from offline to Online.
Next select Import on the far right of the WLAN Controller entry, and click on Import. Enter the CIDR of the network(s) the controller should look at for APs.
Next click on "Sync not enabled".
Click on Generate Diff.
After clicking Generate Diff any changes will show up in the Synchonize field. The first timre you join the AP it will have more than what we see here, regardless, the next step is to click Enable Config Synchonization.
After this step the Openwifi controller should be online and in sync.
Notes
If you click on the Generate Diff button and nothing seems to happen this is likely because the AP's are not configured correctly. In the above example I had to login to the tip portal and do an AP transfer. To do this I logged into the portal, and clicked on the Transfers option on the left menu.
Click the Create Transfer Button.
Enter the MAC address in the Serial Number field, the Redirector should be set to openwifi.wlan.local, and then enter a reason for the request. Then click Start Transfer. After completing this process I was then able to generate the diff and click enable sync after factory resetting the AP.
Config Sync
Example Ruckus One Setup
Connecting Ruckus One to rXg
Steps to connect Ruckus One
- You will need to collect (3) pieces of information from your Ruckus Cloud Account.
Tenant ID - This can be found under your user profile in the upper right hand corner of your Ruckus One Portal.
Client ID - This can be found by browsing to Administration >> Account Management >> Settings in the Ruckus One portal. Client Secret - This can be found by browsing to Administration >> Account Management >> Settings in the Ruckus One portal.
- Create InfDev for Ruckus One
In the rXg GUI, browse to Network >> Wireless >> WLAN Controllers and click Create New. Update the fields below to use the information you collected in step one and click create.
- On the record that you created in the WLAN Controllers scaffold, click Import. You can then select which zones you would like to import. Leave blank for all zones. Press Import.
- Click Sync Not Enabled
Click Generate Diff This will generate a list of changes that the rXg plans to make once you enable config sync.
Click Enable Config Synchronization If you agree with the diff, click the button to enable config sync.
Example Aruba Setup
Connecting Aruba IAP to rXg
Steps to connect Aruba IAP
- Create InfDev for Aruba IAP
- Generate and apply bootstrap configuration to Aruba IAP
- Import pre-existing WLAN's if needed
Enable sync
Create InfDev for Aruba IAP
Navigate to Network::Wireless and create a new WLAN Controller.
The Name field is arbitrary and can be set to anything. The Type field should be set to Aruba IAP. The Host field is the IP address we want the virtual controller to have. If the controller is local to the rXg then the Subnet mask and Gateway IP fields can be left blank. Set the API port field to the correct port, by default it is set to 4343 and shouldn't be changed the Aruba IAP has been configured to use a different port. Set the Username and Password field with the correct username and password and click Create.
Note: If the Host IP is already set in the Aruba IAP, then it will not show the commands that need to be run. The commands will be provided in a step below.
- Generate and apply bootstrap configuration to Aruba IAP.
Click on the Sync not enabled link.
This will provide the Bootstrap Configuration that must be run on the IAP to allow API commands as well as set the virtual controller IP.
Note: If the virtual controller IP has been set and the Aruba IAP shows as online it will not show the Bootstrap commands. If this is the case the virtual controller IP does not need to be set so only the following commands should be run on the AP by first SSH'ing to it.
configure** allow-rest-api** end commit apply
SSH to the controller IP and run the Bootstrap Configuration commands.
- Import pre-existing WLAN's if needed
To import any existing WLANs that may already exist, click the import link on the WLAN Controllers scaffold.
Any WLANs that exist will then be shown on the WLANs scaffold.
- Enable sync.
This step will allow the rXg sync with the Aruba IAP so that any configuration done on the rXg will be pushed (synchronized) to the Aruba IAP. To enable sync click the Sync not enabled link in the WLAN Controller scaffold.
Next click on the Enable Config Synchronization button.
The rXg has now been configured to take control of the Aruba IAP, configuration changes to the WLANs from the admin gui of the rXg will be pushed automatically to the Aruba IAP.
Aruba MPSK Setup
A WLAN must exist that matches the SSID of the WLAN in the Aruba controller, the rXg can import this information by creating a WLAN Controller. Configure a WLAN Controller by navigating to Network::Wireless and click create new on the WLAN Scaffold. This will allow the rXg to import the WLAN's from the Aruba controller.
Enter a name in the Name field, the Name is arbitrary. The Type field should be set to either ArubaOS or Aruba IAP depending on the type of controller the rXg is connecting to. The Host field is the IP address or domain name of the controller. If the Controller is local, setting a value in the Subnet mask and Gateway IP field is not needed. The Disconnect method , SSH port and API port fields can be left on the default values unless the controller is using non default ports. Enter the Username and Password in the Username and Password fields. Click Create.
The rXg will import the WLANs and AP's from the Aruba controller.
Next the RADIUS Server Realms must be configured to use MPSK. Navigate to Services::Radius.
In order to use MPSK the correct RADIUS Server Attributes must be tied the to the RADIUS Server Realms. By default there is a RADIUS server attribute for use with Aruba MPSK. This Attribute must be tied to each realm that will use MPSK typically this will be the POST auth realms, but for certain locations with pre-setup accounts this may be attached to both POST and PRE auth realms. For this example there will be a RADIUS server attribute created that will have a known PSK and this will be attached to the Onboarding realm. This allows anyone to connect with the known PSK and after account creation they will be able to use their unique MPSK to connect. In the RADIUS Server Attributes scaffold, click edit on the Aruba-MPSK-Passphrase entry.
Select the RADIUs realms that will use the variable MPSK attribute, in this example only the Account Realm will be selected in the RADIUS Server Realms field. Click Update.
Next create a new RADIUS Server Attribute. In the Name field enter Aruba-MPSK-Passphrase. In the Value field enter in the known PSK, in this example lab01admin! will be used as the known PSK. In the RADIUS Server Realms field make sure that only the realms that are using the known PSK are selected in this case only the Onboarding Realm will be selected. Click Create.
With this setup, a user connecting for the first time would connect to the SSID using the known PSK of lab01admin!. This will connect them to the network and they will get redirected to the captive portal where they can then sign up for an account. During account creating the end user will create their own PSK, at this point the end user will need to forget the wireless network on their device and connect using the PSK they set during account creation. The advantage to using MPSK is that now the end user can connect a device and have it attached to their account by simply connecting to the network using their unique PSK. This means that headless devices can be added to an account by connecting to the network and using the unique PSK for the account. The end user will not need to enter the MAC address of the headless device to their account this will be done automatically when connecting to the network. This also means devices with MAC randomization will be added back to the correct account if the MAC address changes without the end user even being aware.
SoftGRE Tunnels
Ruckus SmartZone Configuration (12/11/2023)
Overview
The following steps will guide you through configuring a SoftGRE tunnel between a Rucks AP and a rXg.
Environment
This document was written and tested using the following components from the RG Nets and RUCKUS ecosystem.
Manufacturer | Component | Version |
---|---|---|
RG Nets | rXg | 13.2 - 15.251 |
RUCKUS | Virtual SmartZone Essentials | 6.1.1.0.959 |
RUCKUS | R650 | 6.1.1.0.1274 |
Important Notes:
- SoftGRE tunnels are a licensed feature with RUCKUS. A demo license or SoftGRE license is required for this application.
- It is recommended to only use SoftGRE tunnels over the LAN as the traffic is currently unencrypted.
Prerequisites
This document assumes the following has already been configured: 1. IP Address for the SmartZone, AP, and rXg are all in the same subnet. 2. The subnet has been tied to an IP group and policy called Management. 3. The AP has already been discovered by the SmartZone 4. While not required, in the case of this lab, a functional eDPSK configuration has already been deployed and tested using config sync.
Configuration
SmartZone
All required configuration changes to the SmartZone will be applied using config sync from the rXg.
rXg WLAN Configuration
Network >> Wireless >> WLANs
The modifications in the WLAN profile are quite simple. On an existing WLAN, you can check the box for tunnel, set the tunnel type to SoftGRE, and then add the IP address for the interface on the rXg that will be the endpoint for the tunnel.
- The Tunnel checkbox instructs access points to build a tunnel to the controller instead of locally bridging the client traffic. In the case of Ruckus, this checkbox will create a SoftGRE tunnel between the APs and the rXg. This capability does require that the Ruckus controller has an appropriate SoftGRE license.
- The GRE Tunnel Type field allows you to select between RuckusGRE and SoftGRE. RuckusGRE is for use with the Ruckus virtual data plane. SoftGRE allows for tunnel creation to the rXg as the endpoint.
- The GRE Tunnel GW IP should be the IP address of the interface on the rXg that the tunnel will connect to.
rXg Pseudo Interfaces
Network >> LAN >> Pseudo Interfaces
- Name for the SoftGRE tunnel interface.
- Select an interface type of SoftGRE.
- Select the interface to be used for untagged traffic.
- Select the VLANs that will be allowed over the SoftGRE tunnel.
- Select the policy that contains the APs that will establish a tunnel.
Troubleshooting
Confirm the presence of interface bridges.
In the GUI this can be confirmed by browsing to Instruments >> System Info >> Interface Configurations and checking that there is a bridge for each VLAN that should be carried over the tunnel. The bridge number will be the same as the VLAN with an extra 1 at the beginning. For example if vlan2000 should be carried over the tunnel, you should also have a bridge12000.
This can also be seen via SSH with a command like ifconfig | grep bridge12000
Confirm the traffic is flowing over the bridge interface.
This can be done by using tcpdump to confirm that you see unicast traffic over the interface. For example, have a client connect and ping 4.2.2.2.
Continuing the use of bridge12000, I will use the following tcpdump statement tcpdump -ni bridge12000
and confirm that I can see unicast traffic from my client device.
Telemetry
Overview
The rXg supports three kinds of telemetry data ingestion, gRPC, MQTT, and Kafka. All of these ingestion types are used to get and analyze radio metrics and client metrics, which are presented in Radio Metric Graphs and the KPI dialog types.
9800 / gRPC and vSZ / MQTT operate with the rXg acting as a server. OpenWifi / Kafka operates with the OpenWifi Kafka process as the server, as known as the broker, in Kafka terminology.
Setup
Common Setup Goals
The WLAN Controller MUST have its time synchronized with the rXg.
OpenWifi Gateway / Kafka
The rXg will automatically try to connect to the OWGW via Kafka on port 9094. If you have installed the OWGW via RGNets' image from the config template example, this is done for you automatically.
9800 WLC / gRPC
The CISCO 9800 Wireless Lan Controller uses gRPC to stream telemetry data.
It MUST have Netconf Yang enabled. This can be done with the netconf-yang
CLI
directive or in the GUI via Administration>HTTP/HTTPS/Netconf/VTY
.
If you use the bootstrap script automatically generated from the rXg, that will
have the netconf-yang
directive in it.
rXg Setup
To enable gRPC streaming, create a WLAN Controller record for your WLAN Controller if there is not one already. If the rXg supports gRPC streaming for your WLAN controller, a gRPC port input field will be available. Put in the port number that you want the rXg to listen on for this device's gRPC telemetry data.
It is critically important to have the port that the rXg is listening for telemetry data on be exactly the same port that the WLC is configured to send the telemetry data TO. If you wish to stream telemetry data from multiple WLCs to one rXg, each WLC must stream to a different port on that rXg.
9800 Setup
Next you will need to configure the subscriptions in the CISCO 9800 WLC. The rXg provides a built in facility for building the exact script necessary to to create these.
First scroll to the right of your WLAN device record to access the Bootstrap view.
Then click on Show to present the telemetry bootstrap configuration script.
Next click on Copy to Clipboard to copy this configuration.
Next paste the configuration into your 9800 to run it:
(NOTE: This will update existing low numbered subscriptions if you have any)
Setup Confirmation
Next you may be wondering if your rXg is receiving the data. Here are a couple of easy ways to confirm.
Check Access Point Radios
The easiest, fastest and simplest way to check if your Telemetry data is streaming in is to check if any Access Point Radios are now present.
In the Network >> Wireless view of your rXg, scroll down to the Access Point Radios Scaffold and see if there are new ones:
Health Check
Another way to check is to make a "Cisco Telemetry Health Check" widget. In order to do this, setup a new custom dashboard with the Cisco Telemetry health check widget on it. Widgets and dashboards and dashboard configuration is covered in the archives>> reports section of this manual, but here is an example of configuring such a widget.
Here is what the widget will look like when the data is being received.
NOTE: You will not receive data for client_oper_data_common_oper_data
,
client_oper_data_dot11_oper_data
or client_oper_data_traffic_stats
when no
clients are associated.
Check on 9800
The best way to check the status of the subscriptions on the 9800 is with the
command show telemetry ietf subscription all detail
.
All the rest of the subscriptions should also say Connected
and Subscription
Validated
as well.
Virtual Smart Zone / MQTT
The rXg can also receive telemetry data from the RUCKUS Virtual Smart Zone via MQTT (Message Queuing Telemetry Transport).
rXg Setup
To enable MQTT streaming, we will need to create a local MQTT server. This can be done by browsing to Network >> Wireless >> WLAN Controllers and editing an existing vSZ WLAN Controller profile, or you can you can create a new one.
Scroll down to the RUCKUS section and create a telemetry_username
and telemetry_password
.
Once the changes are saved, a local MQTT server will be created to receive the streaming data from the vSZ. You can see the MQTT server configuration under Services >> Servers >> MQTT Server.
Assuming that config sync has been enabled, your vSZ will automatically be configured to start sending telemetry data. If you are not using config sync, you can configure manually following the steps below in the "Check Subscription vSZ" section.
Setup Confirmation
Check Access Point Radios
The easiest, fastest and simplest way to check if your Telemetry data is streaming in is to check if any Access Point Radios are now present.
In the Network >> Wireless view of your rXg, scroll down to the Access Point Radios Scaffold and see if there are new ones:
Check Subscription in vSZ
Another good place to check is in the vSZ itself. In Administration >> NB Streaming
you should be able to find your subscription. When it is working, you should see
Connected
to the right in the list view.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The server host field will be the IP address or domain name of the rXg that will receive the streaming data.
The server port will be 8883 by default. This can be changed in the rXg by browsing to Services >> Servers >> MQTT Servers.
User and Password should be the same as what you configured in the WLAN Controller record.
The system ID can be found by browsing in the rXg to Network >> Wireless >> WLAN Controllers and clicking "Show" on the scaffold for the previously configured WLAN controller.
You will then scroll down to the bottom and find the ID field.
Check rXg's MQTT Server
In Services >> Servers in the rXg, scroll down to MQTT Servers. Create or edit an MQTT Server with the following attributes:
active: true
tls version: 1.2
tls_port: 8883
infrastructure_devices: <YOUR vSZ>
In order for your rXg to have firewall visibility for the MQTT Server, you must have an active MQTT Server associated with your WLAN Controller via your WLAN Controller's MQTT Server attribute.
A note on the instrument_from_telemetry
boolean
The instrument_from_telemetry
boolean tells the rXg to create and update
Access Points based on Telemetry data.
If you are running with config sync turned on, or monitoring turned on, your rXg
will be able to import infrastructure updates through the regular infrastructure
monitoring process, and you should have instrument_from_telemetry
turned off.
If you are not using monitoring or config sync and are just receiving telemetry
data from an infrastructure device, then you should have
instrument_from_telemetry
turned on.
OpenWiFi
Deploy OpenWiFi Controller SDK as VM on rXg (10/15/2024)
Overview
The following steps will guide you through building the OpenWiFi Controller SDK as a virtual machine within the rXg application.
Environment
This document was written and tested using the following components from the RG Nets and OpenWifi ecosystem.
Manufacturer | Component | Version |
---|---|---|
RG Nets | rXg | 13.2 - 15.811 |
TIP | OpenWifi Controller | 3.1.0(5) |
Actiontech | WF-196 | TIP-v3.1.0-01c94cf |
Architecture
In this lab example, we will be using a virtual Ubuntu instance on a bare metal rXg node. The OpenWiFi controller SDK is deployed as a set of docker containers inside the Ubuntu VM.
Network Topology
Prerequisites
This deployment requires an rXg node that supports virtualization and has sufficient storage, compute and memory to run the virtual machine. You should also have an admin account with a ssh key defined.
For a small-scale OpenWifi deployment (< 50 APs), we suggest at least:
- 8 GB of memory
- 4 CPU Cores
- 80 GB of storage
Configuration
1. Setup Virtualization Hosts
To install the OpenWiFi controller in Bhyve first we must ensure we have a Virtualization Host to install to. Navigate to Services::Virtualization, if a host does not exist create a new Virtualization Host.
Give the Virtualization Host a name, the name field is an arbitrary string used to identify the host here I've set the name as the FQDN. Autostart Delay, and Reserved CPU count will be left at default values. Next name the Virtual Switches to make it easier to identify. Here I name my WAN and LAN connections, we will only need the LAN connection for our OpenWiFi controller. Click Create.
2. Install OpenWiFi Controller as a Virtual Machine
We will use a built in Config Template to automatically download the OpenWiFi controller software. Navigate to System::Backup and find the Config Template named "Example: 06 Download rXg Openwifi Image Config". If you do not see any example config templates click the "Show Examples" link.
We do not need to modify this template, it is going to download the openwifi img file and make it available as a disk image. Click apply to have it download the image.
After clicking apply we should get a Success message.
We can verify that the image was downloaded by navigating to Services::Virtualization and clicking Disk Images on the record for our Virtualization host.
Now that we have confirmed that the image has been downloaded we are ready to create the Virtual Machine. We will utilize another config template to automatically deploy the VM. Navigate to System::Backup, and find the config template named "Example: 07 Deploy Virtual Openwifi Controller Config". Do not click apply, instead click Edit. We will need to modify the template to match our networking.
Adjust the name variable if desired, I will leave the name as "openwifi". Next I am looking for the line with "mapped_switches". I am going to change this line from: "mapped_switches = ["igb0", "igb1", "igb2"]" to; "mapped_switches = ["vmx4 LAN"]
This is NOT the name of the interface but rather the name of the virual switch, I named mine "vmx4 LAN" so I need to make sure that matches. To verify the name navigate to Services::Virtualization and look at the Virtual Switches scaffold and find the name of the switch the OpenWiFi controller will be connected to.
You may also need to adust the IP address asigned to the controller. Look for the cidr, gateway, and nameservers variables, and adjust accordingly. This controller in this setup will be on the 192.168.5.x network.
I have adjusted the variables to match my network below.
Next we need to specify an SSH key pair. For this I will leverage the ssh key tied to my admin account. In the real world it is best to make a new ssh keypair for this so it is not tied to an individual. Now that I have adjusted the config template I can click the update button.
Now we are ready to apply the template. When we click apply this will create a new VM, connected to the interfaces we specified in the template (just vmx4 LAN in this case), we can see that the VM will have 8GB of memory, 8 cpu cores, and a 10GB HDD.
We can confirm that the new VM was created by navigating to Services::Virtualization and review the Virtual Machines scaffold.
In addtion to creating the VM, the template also created a DNS override for "openwifi.wlan.local" this can be used if we need to access the controller and need it to resolve to the IP address of the controller. To verify that the DNS override is setup correctly, navigate to Services::DNS and review the DNS Records scaffold.
What this entry does is overrides any DNS for "openwifi.wlan.local", so that if I am behind this system and point my browser to the FQDN it will resolve to 192.168.5.9 and allow me to access the controller.
Now we must start the installation process on the VM, navigate to Servcies::Virtualization. The openwifi Virtual Machine has a commands link to the righthand side, select start from the list. This will turn on the machine and begin the installation process.
VM state will change from stopped to Running. Note that installation takes about 2 minutes.
To verify that the controller is up and running click the VNC viewer option and open the console window. Note that we do not need to login or do anything via the console window it can be closed.
3. Add OpenWiFi as infrastucture Device
Now that we have installed the OpenWifi Controller we can add it as an infrastucture device. Navigate to Network::Wireless and create a new WLAN Controller.
Give the controller a name, change the Type field to OpenWifi. Enter the controllers IP address in the Host field. Leave the default Username [email protected], and enter a password of your choosing in the Password field. The password will be updated automatically in the OpenWifi controller. Click Create at the bottom of the record.
After creating the WLAN Controller record it will takea few seconds and then the Online field should change from offline to Online.
Next select Import on the far right of the WLAN Controller entry, and click on Import. Enter the CIDR of the network(s) the controller should look at for APs.
Next click on "Sync not enabled".
Click on Generate Diff.
After clicking Generate Diff any changes will show up in the Synchonize field. The first timre you join the AP it will have more than what we see here, regardless, the next step is to click Enable Config Synchonization.
After this step the Openwifi controller should be online and in sync.
Notes
If you click on the Generate Diff button and nothing seems to happen this is likely because the AP's are not configured correctly. In the above example I had to login to the tip portal and do an AP transfer. To do this I logged into the portal, and clicked on the Transfers option on the left menu.
Click the Create Transfer Button.
Enter the MAC address in the Serial Number field, the Redirector should be set to openwifi.wlan.local, and then enter a reason for the request. Then click Start Transfer. After completing this process I was then able to generate the diff and click enable sync after factory resetting the AP.
Config Sync
Example Ruckus One Setup
Connecting Ruckus One to rXg
Steps to connect Ruckus One
- You will need to collect (3) pieces of information from your Ruckus Cloud Account.
Tenant ID - This can be found under your user profile in the upper right hand corner of your Ruckus One Portal.
Client ID - This can be found by browsing to Administration >> Account Management >> Settings in the Ruckus One portal. Client Secret - This can be found by browsing to Administration >> Account Management >> Settings in the Ruckus One portal.
- Create InfDev for Ruckus One
In the rXg GUI, browse to Network >> Wireless >> WLAN Controllers and click Create New. Update the fields below to use the information you collected in step one and click create.
- On the record that you created in the WLAN Controllers scaffold, click Import. You can then select which zones you would like to import. Leave blank for all zones. Press Import.
- Click Sync Not Enabled
Click Generate Diff This will generate a list of changes that the rXg plans to make once you enable config sync.
Click Enable Config Synchronization If you agree with the diff, click the button to enable config sync.
Example Aruba Setup
Connecting Aruba IAP to rXg
Steps to connect Aruba IAP
- Create InfDev for Aruba IAP
- Generate and apply bootstrap configuration to Aruba IAP
- Import pre-existing WLAN's if needed
Enable sync
Create InfDev for Aruba IAP
Navigate to Network::Wireless and create a new WLAN Controller.
The Name field is arbitrary and can be set to anything. The Type field should be set to Aruba IAP. The Host field is the IP address we want the virtual controller to have. If the controller is local to the rXg then the Subnet mask and Gateway IP fields can be left blank. Set the API port field to the correct port, by default it is set to 4343 and shouldn't be changed the Aruba IAP has been configured to use a different port. Set the Username and Password field with the correct username and password and click Create.
Note: If the Host IP is already set in the Aruba IAP, then it will not show the commands that need to be run. The commands will be provided in a step below.
- Generate and apply bootstrap configuration to Aruba IAP.
Click on the Sync not enabled link.
This will provide the Bootstrap Configuration that must be run on the IAP to allow API commands as well as set the virtual controller IP.
Note: If the virtual controller IP has been set and the Aruba IAP shows as online it will not show the Bootstrap commands. If this is the case the virtual controller IP does not need to be set so only the following commands should be run on the AP by first SSH'ing to it.
configure** allow-rest-api** end commit apply
SSH to the controller IP and run the Bootstrap Configuration commands.
- Import pre-existing WLAN's if needed
To import any existing WLANs that may already exist, click the import link on the WLAN Controllers scaffold.
Any WLANs that exist will then be shown on the WLANs scaffold.
- Enable sync.
This step will allow the rXg sync with the Aruba IAP so that any configuration done on the rXg will be pushed (synchronized) to the Aruba IAP. To enable sync click the Sync not enabled link in the WLAN Controller scaffold.
Next click on the Enable Config Synchronization button.
The rXg has now been configured to take control of the Aruba IAP, configuration changes to the WLANs from the admin gui of the rXg will be pushed automatically to the Aruba IAP.
Aruba MPSK Setup
A WLAN must exist that matches the SSID of the WLAN in the Aruba controller, the rXg can import this information by creating a WLAN Controller. Configure a WLAN Controller by navigating to Network::Wireless and click create new on the WLAN Scaffold. This will allow the rXg to import the WLAN's from the Aruba controller.
Enter a name in the Name field, the Name is arbitrary. The Type field should be set to either ArubaOS or Aruba IAP depending on the type of controller the rXg is connecting to. The Host field is the IP address or domain name of the controller. If the Controller is local, setting a value in the Subnet mask and Gateway IP field is not needed. The Disconnect method , SSH port and API port fields can be left on the default values unless the controller is using non default ports. Enter the Username and Password in the Username and Password fields. Click Create.
The rXg will import the WLANs and AP's from the Aruba controller.
Next the RADIUS Server Realms must be configured to use MPSK. Navigate to Services::Radius.
In order to use MPSK the correct RADIUS Server Attributes must be tied the to the RADIUS Server Realms. By default there is a RADIUS server attribute for use with Aruba MPSK. This Attribute must be tied to each realm that will use MPSK typically this will be the POST auth realms, but for certain locations with pre-setup accounts this may be attached to both POST and PRE auth realms. For this example there will be a RADIUS server attribute created that will have a known PSK and this will be attached to the Onboarding realm. This allows anyone to connect with the known PSK and after account creation they will be able to use their unique MPSK to connect. In the RADIUS Server Attributes scaffold, click edit on the Aruba-MPSK-Passphrase entry.
Select the RADIUs realms that will use the variable MPSK attribute, in this example only the Account Realm will be selected in the RADIUS Server Realms field. Click Update.
Next create a new RADIUS Server Attribute. In the Name field enter Aruba-MPSK-Passphrase. In the Value field enter in the known PSK, in this example lab01admin! will be used as the known PSK. In the RADIUS Server Realms field make sure that only the realms that are using the known PSK are selected in this case only the Onboarding Realm will be selected. Click Create.
With this setup, a user connecting for the first time would connect to the SSID using the known PSK of lab01admin!. This will connect them to the network and they will get redirected to the captive portal where they can then sign up for an account. During account creating the end user will create their own PSK, at this point the end user will need to forget the wireless network on their device and connect using the PSK they set during account creation. The advantage to using MPSK is that now the end user can connect a device and have it attached to their account by simply connecting to the network using their unique PSK. This means that headless devices can be added to an account by connecting to the network and using the unique PSK for the account. The end user will not need to enter the MAC address of the headless device to their account this will be done automatically when connecting to the network. This also means devices with MAC randomization will be added back to the correct account if the MAC address changes without the end user even being aware.