Hotspot Settings

The hotspot can be enabled or disabled by clicking on the main switch at the top of the page. When enabled (i.e., the switch is green), one of three roles can be selected:

1. Master/Standalone hotspot or Standalone hotspot

When the hotspot is used as a Master, all the configuration data, including that of the satellites (e.g., user database, portal configuration, settings, logs, and so on), is stored locally and the management tasks are performed on this hotspot.

This role can only be Standalone hotspot if the Endian UTM Appliance is a Mini; on any other software or hardware appliance, the hotspot can also be a Master, i.e., it stores all the administrative settings and data that are reused by the satellite hotspots, which can connect to the master by means of OpenVPN accounts (see below).

For the Master role, one setting is available, and the VPN accounts that can be assigned to the satellites are also shown.

Hotspot password
This is the Master Hotspot’s password. Remote satellite systems need to use it to connect to the master hotspot. If this field is left blank, a new random password will be generated.
Hotspot satellites
The list of available OpenVPN tunnels for use in connecting a remote satellite system. One or more systems can be selected from this list.

2. Satellite hotspot

A satellite hotspot does not store any configuration, but relies on the Master to verify user data, ticket availability, and all the settings. When selecting this option, the IP address and the password of the Master hotspot must be specified, along with the VPN tunnel name (see below). In detail, these are the available options:

Master hotspot IP address
Specify in this field the IP address of the master hotspot, which is usually the first IP address available in the special OpenVPN subnet (see The zones) defined in the OpenVPN server settings (under Menubar ‣ VPN ‣ OpenVPN server ‣ Server configuration) of the Master hotspot.
Master hotspot password
The Master hotspot password. This is typically auto-generated on the Master. Click on the Show checkbox to reveal the password.
Hotspot VPN tunnel
From this drop-down menu, select the OpenVPN tunnel used to reach the Master hotspot.

3. External RADIUS server

In this configuration, the hotspot relies on an external RADIUS server, such as FreeRadius, for its activities: it connects to the RADIUS server and requests authentication from it, and the RADIUS server stores all the data about accounting, settings, ticketing, and connections. Several pieces of information about the RADIUS server are required for it to work correctly: the IP address, password, and ports, and the IP address of the fallback server. Additionally, the external portal can be used.

RADIUS Server IP address
The IP address of the external RADIUS Server.
Fallback RADIUS Server IP address
The IP address of the fallback external RADIUS Server.
RADIUS Server password
The password for the RADIUS Server. Click on the Show checkbox to reveal the password.
RADIUS Server AUTH port
The RADIUS Server AUTH (Authentication) port number.
RADIUS Server ACCT port
The RADIUS Server ACCT (Accounting) port number.
RADIUS Server COA port
The RADIUS Server COA (Change of Authorisation) port number.

Hint

The default values for the RADIUS ports are: 1812 (AUTH), 1813 (ACCT), and 3799 (COA).

Use external Portal
When this option is chosen, an external portal can be configured as the login interface that the users see when they want to connect through the hotspot. The external portal must be compatible and communicate with chilli. The following options should be configured to activate the external portal.
External Portal URL
The location of the portal.
NAS ID
The Network Access Server IDentifier of the RADIUS server that identifies the portal.
UAM Secret
The UAM shared secret from the external RADIUS server. While it is possible to not define a value for this option, it is suggested to define it, since it improves security.
Allowed Sites / Access
A list of websites accessible even without registering to the hotspot.
Enable AnyIP
Allows clients without an active DHCP client to connect to the hotspot.

Note

The setup of a RADIUS server is not discussed here since it is outside the scope and duties of Endian, who does not provide assistance in this task.

Master/Satellite roles and VPN.

The Master/Satellite roles can prove useful when wide areas should be covered and one hotspot does not suffice. When such an architecture is employed, all the management tasks for users and tickets are carried out on the master only. On the satellite systems only the Reports section (under the hotspot administration Interface) will be available.

Any Endian UTM Appliance can be used as either a Master or a Satellite system, except for the Mini appliances (both the old Intel Mini and the new Arm Mini), which can only act as Standalone or Satellite, i.e., a Mini cannot be a Master in a Master/Satellite setup.

The connection between the Master and its satellites is set up by creating OpenVPN accounts on the Master, one for each Satellite, and creating a VPN tunnel between each Master-Satellite pair. Several tasks have to be completed before setting up this configuration, on both the Master and the Satellite systems. They are grouped in two parts, and each task is carried out either on the Master, in which case it is labelled with M#, or on the Satellite, labelled with S#.

When a Master and one (or more) Satellite hotspots have already been configured, an additional Satellite requires only tasks M3, M4, and M5 to be carried out on the Master, but all the tasks on the Satellite.

M0. Set the hotspot as standalone (This is optional).

M1. In The VPN Menu section (VPN ‣ OpenVPN server), set up the hotspot as OpenVPN server with a routed connection type and an ad-hoc network range (say xxx.yyy.zzz.0/24) that must be different from the subnets of the other Endian UTM Appliance zones.

M2. A new virtual interface is created that routes the traffic from the OpenVPN tunnels. The Master acquires the IP xxx.yyy.zzz.1 (i.e., the first available IP address in the network range) and acts as the gateway for all the OpenVPN tunnels.

M3. Create one unique OpenVPN account for each remote satellite system (from under Menubar ‣ VPN ‣ OpenVPN server ‣ Accounts). The OpenVPN account must be configured with a static IP address. The IP addresses assigned to the satellites must fall within the subnet defined in step M1. Within that subnet, IP addresses ending with 0, 255, and the first IP of the subnet range are not available to Satellites.

Hint

Good practice is to assign each new Satellite the lowest IP available, so that they remain in order.

Once all the necessary client accounts have been created and before activating the Master/Satellite configuration, it is necessary to verify that the OpenVPN connection is set up correctly. Hence, on the Satellite side two steps are needed:

S1. Create the OpenVPN client account (VPN ‣ OpenVPN client (Gw2Gw)), using one of the accounts created at step M3.

S2. Connect to the Master and verify that the connection is established and the traffic can flow.

Now it is possible to activate the Master and complete the setup:

M4. Open the Hotspot settings page and enable the necessary VPN account in the list of hotspot satellite systems.

M5. Click on Save and then on Apply to activate the changes.

The setup of the Master is now finished, so proceed to complete the Satellite setup:

S3. Enter the hotspot menu, choose the Satellite hotspot, enter the first IP address available in the OpenVPN subnet of the Master and the Master hotspot password, and select the Hotspot VPN tunnel from the drop-down menu.

S4. Click on Save and then on Apply to activate the changes.

To verify that the satellite system is properly connected, open the satellite system’s Hotspot Administration interface: only a limited interface shows up, containing the Reports section and nothing else, since all the management tasks are delegated to the Master.

The setup is now complete: both the Master and the Satellite systems are correctly working.
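
The address rules of steps M1 to M3 can be checked before any OpenVPN account is created. The following is an added example, not part of the Endian documentation or software: it verifies that the OpenVPN range does not overlap a zone subnet, reserves the first IP for the Master, rejects Satellite addresses ending in 0 or 255, and returns the lowest free address for the next Satellite. The function names and all subnets and addresses are constructed for illustration.

```python
import ipaddress

def plan_satellite_ips(vpn_cidr, zone_cidrs, taken=()):
    """Return (master_ip, free_satellite_ips) for the OpenVPN subnet of step M1."""
    vpn = ipaddress.ip_network(vpn_cidr)
    for zone in zone_cidrs:
        # M1: the OpenVPN range must differ from every zone subnet.
        if vpn.overlaps(ipaddress.ip_network(zone, strict=False)):
            raise ValueError(f"{vpn} overlaps zone subnet {zone}")
    hosts = list(vpn.hosts())
    master = hosts[0]  # M2: the Master takes the first IP of the range.

    def usable(ip):
        # M3: Satellites cannot use the Master's IP or addresses ending in 0 or 255.
        return ip != master and ip.packed[-1] not in (0, 255)

    allowed = {ip for ip in hosts if usable(ip)}
    used = set()
    for raw in taken:
        ip = ipaddress.ip_address(raw)
        if ip not in allowed:
            raise ValueError(f"{ip} is not a valid Satellite address in {vpn}")
        if ip in used:
            raise ValueError(f"{ip} is assigned to more than one account")
        used.add(ip)
    return master, sorted(allowed - used)

def next_satellite_ip(vpn_cidr, zone_cidrs, taken=()):
    """Lowest free static IP for a new Satellite account (the hint after M3)."""
    _, free = plan_satellite_ips(vpn_cidr, zone_cidrs, taken)
    if not free:
        raise ValueError("no free Satellite address left in the subnet")
    return str(free[0])

# Constructed sample values, not taken from any real appliance.
SAMPLE_VPN = "10.99.0.0/24"
SAMPLE_ZONES = ["192.168.0.0/24", "192.168.10.0/24"]
SAMPLE_TAKEN = ["10.99.0.2", "10.99.0.3", "10.99.0.5"]

if __name__ == "__main__":
    master, free = plan_satellite_ips(SAMPLE_VPN, SAMPLE_ZONES, SAMPLE_TAKEN)
    print("Master:", master, "| next Satellite:", free[0])
```

With a range wider than /24, the check on the last octet also excludes addresses such as x.y.0.255 and x.y.1.0, which lie inside the subnet but are not available to Satellites under step M3.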
