The hotspot can be enabled or disabled by clicking on the main switch at the top of the page. When enabled (i.e., the switch is green), one of three roles can be selected:
When the hotspot is used as a Master, all the configuration data, including those of the satellites (e.g., user database, portal configuration, settings, logs, and so on), are stored locally and the management tasks are performed on this hotspot.
This role can only be Standalone hotspot for the smallest hardware Endian UTM Appliances, whereas for Software, Virtual, and the bigger hardware Endian UTM Appliances the role can also be Master. A Master stores all the administrative settings and data that are reused by the satellite hotspots, which connect to the Master by means of OpenVPN accounts (see below).
For the Master role, one setting is available, and the list of VPN accounts that can be assigned to the satellites is shown.
A Satellite hotspot does not store any configuration, but relies on the Master to verify user data, ticket availability, and all the settings. When selecting this option, the IP address and the password of the Master hotspot must be specified, along with the VPN tunnel name (see below). In detail, these are the available options:
In this configuration, the hotspot relies on an external RADIUS server, such as FreeRADIUS, for its activities: it connects to the RADIUS server and asks it for authentication, and the server stores all the data about accounting, settings, ticketing, and connections. Several pieces of information about the RADIUS server are required for it to function correctly: its IP address, password (the RADIUS shared secret), and ports, and the IP address of the fallback server. Additionally, an external portal can be used.
Hint
The default values for the RADIUS ports (all UDP) are: 1812 (AUTH), 1813 (ACCT), and 3799 (COA)
Note
The setup of a RADIUS server is not discussed here, since it is outside the scope and duties of Endian, which does not provide assistance with this task.
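To make concrete what the hotspot exchanges with the external RADIUS server on the AUTH port, and why the "password" (shared secret) entered on this page matters on both sides, here is an added example written for this page; it is not Endian code and not part of the appliance. It implements the RFC 2865 PAP exchange in plain Python: the client side hides the user's password with the secret, the server side (a toy stand-in for FreeRADIUS) recovers it and answers, and the client verifies the Response Authenticator. The secret, user name and password are constructed sample values.

```python
"""Added example (not Endian code): a minimal RADIUS PAP exchange per RFC 2865."""
import hashlib
import hmac
import os
import struct

# Default ports from the page (all UDP).
RADIUS_AUTH_PORT = 1812
RADIUS_ACCT_PORT = 1813
RADIUS_COA_PORT = 3799

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it. Trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length octet includes itself and the type."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident, username, password, secret, authenticator=None):
    """What the hotspot (the NAS) sends to the AUTH port."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20
    while off < length:
        attr_type, attr_len = data[off], data[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("bad RADIUS attribute")
        attrs.append((attr_type, data[off + 2:off + attr_len]))
        off += attr_len
    return code, ident, data[4:20], attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check: a reply not signed with our secret, or not for our request, is dropped."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy server: recover the password with its own copy of the secret, check it, answer."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is handled here")
    fields = dict(attrs)
    username = fields.get(ATTR_USER_NAME, b"")
    password = reveal_password(fields.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = username in users and hmac.compare_digest(users[username], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


if __name__ == "__main__":
    secret = b"hotspot-shared-secret"        # constructed sample shared secret
    users = {b"alice": b"correct horse"}     # constructed sample user database
    auth = os.urandom(16)
    request = build_access_request(1, b"alice", b"correct horse", secret, auth)
    reply = radius_server(request, secret, users)
    print("accepted:", parse_packet(reply)[0] == ACCESS_ACCEPT,
          "| reply verified:", verify_response(reply, auth, secret))
    # Secret mismatch: the server recovers garbage and rejects, and its reply fails our check.
    reply = radius_server(request, b"other-secret", users)
    print("server with other secret -> accepted:", parse_packet(reply)[0] == ACCESS_ACCEPT,
          "| reply verified:", verify_response(reply, auth, secret))
```

Two practical points follow from the code: a mistyped shared secret on either side does not produce an error, only Access-Reject for every user, which is the first thing to check when the hotspot refuses valid credentials; and the password hiding is MD5-based obfuscation rather than encryption, so the link between the appliance and the RADIUS server (and its fallback) should run over a trusted network or a VPN rather than across the open Internet.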
Master/Satellite roles and VPN.
The Master/Satellite roles can prove useful when wide areas should be covered and one hotspot does not suffice. When such an architecture is employed, all the management tasks for users and tickets are carried out on the master only. On the satellite systems only the Reports section (under the hotspot administration Interface) will be available.
All Endian UTM Appliances can be used as both Master and Satellite systems, except for the smallest hardware appliances (i.e. all desktop-based appliances).
The connection between the Master and its satellites is set up by creating OpenVPN accounts on the Master, one for each Satellite, and creating a VPN tunnel between each Master-Satellite pair. Several tasks have to be completed before this configuration can be activated, both on the Master and on the Satellite systems. They are grouped in two parts: operations carried out on the Master are labelled M#, those carried out on the Satellite are labelled S#.
When a Master and one or more Satellite hotspots have already been configured, adding a further Satellite only requires tasks M3, M4, and M5 to be carried out on the Master, but all tasks on the new Satellite.
M0. Set the hotspot as Standalone (optional).
M1. In the VPN menu, set up the hotspot as an OpenVPN server with a routed connection type and an ad-hoc network range (say xxx.yyy.zzz.0/24) that must be different from the subnets of the other Endian UTM Appliance zones.
M2. A new virtual interface is created that routes the traffic from the OpenVPN tunnels. The Master acquires the IP address xxx.yyy.zzz.1 (i.e., the first available IP address in the network range) and acts as the gateway for all the OpenVPN tunnels.
M3. Create one unique OpenVPN account for each remote Satellite system. The OpenVPN account must be configured with a static IP address. The IP addresses assigned to the Satellites must fall within the subnet defined in step M1. Within that subnet, IP addresses ending with 0 or 255 and the first IP address of the subnet range (the Master's, see M2) are not available to Satellites.
Hint
Good practice suggests assigning to each new Satellite the lowest IP address available, so that they remain in order.
Once all the necessary client accounts have been created and before activating the Master/Satellite configuration, verify that the OpenVPN connection is set up correctly. Hence, on the Satellite side two steps are needed:
S1. Create the OpenVPN client account, using one of the accounts created at step M3.
S2. Connect to the Master and verify that the connection is established and that traffic can flow.
Now it is possible to activate the Master and complete the setup:
M4. Open the Hotspot settings page and enable the necessary VPN account in the list of hotspot satellite systems.
M5. Click on Save and then on Apply to activate the changes.
The set up of the master is now finished, so proceed to complete the Satellite setup:
S3. Enter the hotspot menu, choose Satellite hotspot, enter the IP address of the Master within the OpenVPN subnet (xxx.yyy.zzz.1, the first address of the range chosen in step M1, see M2) and the Master hotspot password, and select the Hotspot VPN tunnel from the drop-down menu.
S4. Click on Save and then on Apply to activate the changes.
To verify that the Satellite system is properly connected, open its Hotspot Administration interface: only a limited interface shows up, containing the Reports section and nothing else, since all the management tasks are delegated to the Master.
The setup is now complete: both the Master and the Satellite systems are correctly working.
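The addressing rules in steps M1 to M3 are easy to get wrong when several Satellites are added over time, so here is an added example that encodes them; it is written for this page, is not an Endian tool, and does not touch the appliance. It checks that the chosen OpenVPN range does not overlap any existing zone subnet (M1), derives the Master's address (M2), rejects the addresses a Satellite may not take (M3), and picks the lowest free address for a new Satellite (the Hint). The zone subnets and the 10.99.0.0/24 range are constructed sample values; the code also handles ranges wider than a /24, where the "ends with 0 or 255" rule excludes addresses in the middle of the range as well.

```python
"""Added example (not Endian tooling): plan the Master's OpenVPN range and the
static addresses of its Satellites by the rules in steps M1 to M3."""
import ipaddress


def choose_openvpn_subnet(candidate: str, zone_subnets) -> ipaddress.IPv4Network:
    """Step M1: the OpenVPN range must not overlap any existing zone subnet."""
    net = ipaddress.ip_network(candidate, strict=True)
    clashes = [z for z in map(ipaddress.ip_network, zone_subnets) if net.overlaps(z)]
    if clashes:
        raise ValueError(f"{net} overlaps zone subnet(s) {', '.join(map(str, clashes))}")
    return net


def master_address(net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Step M2: the Master takes the first address of the range (xxx.yyy.zzz.1)."""
    return net.network_address + 1


def satellite_candidates(net: ipaddress.IPv4Network):
    """Step M3: addresses a Satellite may take, in ascending order. Excluded are the
    Master's address and any address whose last octet is 0 or 255; the network and
    broadcast addresses are already left out by hosts()."""
    master = master_address(net)
    for ip in net.hosts():
        if ip == master or int(ip) & 0xFF in (0, 255):
            continue
        yield ip


def check_satellite_ip(net: ipaddress.IPv4Network, ip, assigned):
    """Return None if ip is a valid static address for a new Satellite, else the reason."""
    ip = ipaddress.ip_address(ip)
    if ip not in net:
        return f"{ip} is outside the OpenVPN subnet {net}"
    if ip == master_address(net):
        return f"{ip} is the Master's address"
    if int(ip) & 0xFF in (0, 255):
        return f"{ip} ends with 0 or 255"
    if ip in {ipaddress.ip_address(a) for a in assigned}:
        return f"{ip} is already assigned to another Satellite"
    return None


def next_satellite_ip(net: ipaddress.IPv4Network, assigned) -> ipaddress.IPv4Address:
    """Hint from step M3: give a new Satellite the lowest free address."""
    used = {ipaddress.ip_address(a) for a in assigned}
    for ip in satellite_candidates(net):
        if ip not in used:
            return ip
    raise RuntimeError(f"no free Satellite address left in {net}")


if __name__ == "__main__":
    # Constructed sample values: the appliance's existing zones and the chosen range.
    zones = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/16"]
    net = choose_openvpn_subnet("10.99.0.0/24", zones)
    print("Master gets", master_address(net))
    assigned = []
    for name in ("sat-a", "sat-b", "sat-c"):
        ip = next_satellite_ip(net, assigned)
        assigned.append(str(ip))
        print(f"{name}: static IP {ip}")
    for candidate in ("10.99.0.1", "10.99.0.0", "10.99.0.255", "10.99.1.4", "10.99.0.2"):
        print(candidate, "->", check_satellite_ip(net, candidate, assigned) or "ok")
```

Keep the list of assigned addresses with the OpenVPN accounts created in step M3: the value passed as `assigned` is that list, and the address the function returns is the one to enter as the account's static IP and, in step S3, to point the Satellite at the Master's address.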
New in version 3.0.
When the role of the Hotspot is Master/Standalone hotspot, it can now rely on an external resource only for the purpose of authenticating the users, while keeping accounting, logging, user database, and all other settings locally on the Endian UTM Appliance. In other words, a user's data are copied locally from the external server, either a RADIUS or an LDAP server, allowing her to provide the credentials of the remote server and immediately use the hotspot, without the need to create a new account.
To allow the Hotspot to connect to the remote server and retrieve the data, one option is available:
This drop-down menu allows choosing one of the two supported server types, LDAP or RADIUS, and changes the configuration options displayed accordingly.
Note
The additional configuration options that will appear are very similar to those that appear in .
For the LDAP server, the following configuration options are available (see the example on the right for more details):
The IP address or hostname of the LDAP server, written as an LDAP URL (e.g., ldap://192.168.0.20/).
Hint
The port, if needed, can be appended to the host part of the URL, e.g., ldap://192.168.0.20:389/. The standard port, 389, can safely be omitted.
For the RADIUS server, the following configuration options are available: