
Hotspot Settings

The hotspot can be enabled or disabled by clicking on the main switch at the top of the page. When enabled (i.e., the switch is green), one of three roles can be selected:

1. Master/Standalone hotspot or Standalone hotspot

When the hotspot is used as a Master, all the configuration data, including those of the satellites (e.g., user database, portal configuration, settings, logs, and so on), are stored locally and all management tasks are performed on this hotspot.

This role can only be Standalone hotspot on the smallest hardware Endian UTM Appliances, whereas on Software, Virtual and the larger hardware Endian UTM Appliances the role can also be Master. A Master stores all the administrative settings and data that are reused by the satellite hotspots, which connect to the Master by means of OpenVPN accounts (see below).

For the Master role, one setting is available, together with the list of VPN accounts that can be assigned to the satellites.

Hotspot password
This is the Master Hotspot’s password. Remote satellite systems need to use it to connect to the master hotspot. If this field is left blank, a new random password will be generated.
Hotspot satellites
The list of available OpenVPN tunnels for use in connecting a remote satellite system. One or more systems can be selected from this list.

2. Satellite hotspot

A satellite hotspot does not store any configuration, but relies on the Master to verify user data, ticket availability, and all the settings. When selecting this option, the IP address and the password of the Master hotspot must be specified, along with the VPN tunnel name (see below). In detail, these are the available options:

Master hotspot IP address
Specify in this field the IP address of the master hotspot, which is usually the first IP address available in the special OpenVPN subnet (see The zones) defined in the OpenVPN server settings (under Menubar ‣ VPN ‣ OpenVPN server ‣ Server configuration) of the Master hotspot.
Master hotspot password
The Master hotspot password, which is typically auto-generated on the Master. Click on the Show checkbox to reveal the password.
Hotspot VPN tunnel
From this drop-down menu, select the OpenVPN tunnel used to reach the Master hotspot.

3. External RADIUS server

In this configuration, the hotspot relies on an external RADIUS server, like FreeRadius, for its activities: it connects to the RADIUS server and asks it for authentication, and the server stores all the data about accounting, settings, ticketing and connections. Several details about the RADIUS server are required for correct operation: its IP address, password and ports, and the IP address of the fallback server. Additionally, an external portal can be used.

RADIUS Server IP address
The IP address of the external RADIUS Server.
Fallback RADIUS Server IP address
The IP address of the fallback external RADIUS Server.
RADIUS Server password
The password for the RADIUS Server. Click on the Show checkbox to reveal the password.
RADIUS Server AUTH port
The RADIUS Server AUTH (Authentication) port number.
RADIUS Server ACCT port
The RADIUS Server ACCT (Accounting) port number.
RADIUS Server COA port
The RADIUS Server COA (Change of Authorisation) port number.

Hint

The default values for the RADIUS ports are: 1812 (AUTH), 1813 (ACCT), and 3799 (COA).

Use external Portal
When this option is chosen, an external portal can be configured as the login interface that users see when they want to connect through the hotspot. The external portal must be compatible with chilli and able to communicate with it. The following options should be configured to activate the external portal.
External Portal URL
The URL at which the portal is reachable.
NAS ID
The Network Access Server IDentifier of the RADIUS server that identifies the portal.
UAM Secret
The UAM shared secret of the external RADIUS server. This option may be left empty, but setting it is recommended, since it improves security.
Allowed Sites / Access
A list of websites that are reachable even without registering with the hotspot.
Enable AnyIP
Allows clients that are not running a DHCP client to connect to the hotspot.

Note

The setup of a RADIUS server is not discussed here, since it is outside the scope and duties of Endian, which does not provide assistance with this task.

Master/Satellite roles and VPN

The Master/Satellite roles can prove useful when wide areas should be covered and one hotspot does not suffice. In such an architecture, all the management tasks for users and tickets are carried out on the Master only; on the Satellite systems only the Reports section (under the hotspot administration interface) is available.

All Endian UTM Appliances can be used as both Master and Satellite systems, except for the smallest hardware appliances (i.e. all desktop-based appliances).

The connection between the Master and its satellites is set up by creating OpenVPN accounts on the Master, one for each Satellite, and creating a VPN tunnel between each Master-Satellite pair. Many tasks have to be completed before this configuration can be activated, on both the Master and the Satellite systems. They are grouped in two parts, each encompassing operations to be carried out either on the Master (labelled M#) or on the Satellite (labelled S#).

When a Master and one or more Satellite hotspots have already been configured, adding another Satellite only requires tasks M3, M4, and M5 on the Master, but all tasks on the new Satellite.

M0. Set the hotspot as Standalone (optional).

M1. In the VPN menu (VPN ‣ OpenVPN server), set up the hotspot as an OpenVPN server with a routed connection type and an ad-hoc network range (say xxx.yyy.zzz.0/24) that must be different from the subnets of the other Endian UTM Appliance zones.

M2. A new virtual interface is created that routes the traffic from the OpenVPN tunnels. The Master acquires the IP address xxx.yyy.zzz.1 (i.e., the first available IP address in the network range) and acts as the gateway for all the OpenVPN tunnels.

M3. Create one unique OpenVPN account for each remote satellite system (under Menubar ‣ VPN ‣ OpenVPN server ‣ Accounts). Each OpenVPN account must be configured with a static IP address, and the IP addresses assigned to the satellites must fall within the subnet defined in step M1. Within that subnet, the IP addresses ending with 0 or 255 and the first IP address of the range are not available to Satellites.

Hint

Good practice suggests assigning to each new Satellite the lowest available IP address, so that they remain in order.

Once all the necessary client accounts have been created, and before activating the Master/Satellite configuration, it is necessary to verify that the OpenVPN connection is set up correctly. Hence, two steps are needed on the Satellite side:

S1. Create the OpenVPN client account (VPN ‣ OpenVPN client (Gw2Gw)), using one of the accounts created at step M3.

S2. Connect to the Master and verify that the connection is established and that traffic can flow.

Now it is possible to activate the Master and complete the setup:

M4. Open the Hotspot settings page and enable the necessary VPN account in the list of hotspot satellite systems.

M5. Click on Save and then on Apply to activate the changes.

The setup of the Master is now finished, so proceed to complete the Satellite setup:

S3. Enter the hotspot menu, choose Satellite hotspot, enter the first IP address available in the OpenVPN subnet of the Master and the Master hotspot password, and select the Hotspot VPN tunnel from the drop-down menu.

S4. Click on Save and then on Apply to activate the changes.

To verify that the satellite system is properly connected, open the satellite system’s Hotspot Administration interface: only a limited interface shows up, containing the Reports section and nothing else, since all the management tasks are delegated to the Master.

The setup is now complete: both the Master and the Satellite systems are working correctly.
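The address rules in steps M1 to M3 and the hint after M3 can be checked before the accounts are created. The following is an added example, not Endian's code: it validates the OpenVPN range against the other zones, derives the Master address, rejects the Satellite addresses the rules forbid, and picks the lowest free one. The range 10.99.0.0/24 and the zone subnets are constructed values.

```python
# Added example, not Endian's own code: validates the OpenVPN range and the
# static Satellite addresses against the rules in steps M1-M3 and picks the
# lowest free address as the hint recommends. All addresses are constructed.
import ipaddress


def overlapping_zones(vpn_subnet, zone_subnets):
    """Step M1: the OpenVPN range must not overlap any other appliance zone."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    return [z for z in zone_subnets
            if vpn.overlaps(ipaddress.ip_network(z, strict=False))]


def master_ip(vpn_subnet):
    """Step M2: the Master takes the first address of the range (xxx.yyy.zzz.1)."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    return str(vpn.network_address + 1)


def satellite_ip_problems(vpn_subnet, candidate, in_use=()):
    """Step M3: reasons why `candidate` cannot be a Satellite's static address.

    An empty list means the address is acceptable."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    ip = ipaddress.ip_address(candidate)
    if ip not in vpn:
        return [f"{ip} is outside the OpenVPN range {vpn}"]
    problems = []
    if ip.packed[-1] in (0, 255):
        problems.append(f"{ip} ends with .0 or .255")
    if ip == vpn.network_address + 1:
        problems.append(f"{ip} is the first address, reserved for the Master")
    if str(ip) in in_use:
        problems.append(f"{ip} is already assigned to another Satellite")
    return problems


def next_satellite_ip(vpn_subnet, in_use=()):
    """Hint after M3: give each new Satellite the lowest free address."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    for ip in vpn.hosts():
        if not satellite_ip_problems(vpn_subnet, str(ip), in_use):
            return str(ip)
    return None  # the range is exhausted


if __name__ == "__main__":
    # constructed sample: OpenVPN range 10.99.0.0/24, one Satellite already on .2
    print(overlapping_zones("10.99.0.0/24", ["192.168.0.0/24", "10.99.0.0/16"]))
    print(master_ip("10.99.0.0/24"))
    print(next_satellite_ip("10.99.0.0/24", in_use=("10.99.0.2",)))
```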

4. Use External Authentication

New in version 3.0.

When the role of the Hotspot is Master/Standalone hotspot, it can now rely on an external resource solely for authenticating the users, while keeping accounting, logging, the user database, and all other settings locally on the Endian UTM Appliance. In other words, the data of a user are copied locally from the external server, either a RADIUS or an LDAP server, allowing the user to provide the credentials of the remote server and immediately use the hotspot, without the need to create a new account.

To allow the Hotspot to connect to the remote server and retrieve the data, one option is available:

Use External Authentication
By ticking this checkbox, the two possible remote authentication modes are shown, together with all the options necessary to configure them.
Server Type

This drop-down menu allows choosing one of the two supported server types, either LDAP or RADIUS, and changes the configuration options displayed accordingly.

Note

The additional configuration options that will appear are very similar to those that appear in Menubar ‣ Proxy ‣ HTTP ‣ Authentication.

For the LDAP server, the following configuration options are available (see the example on the right for more details):

LDAP server type
The drop-down menu allows choosing one of the supported LDAP server types: Generic, Active Directory, or Novell eDirectory.
LDAP server

The IP address or hostname of the LDAP server, in LDAP format.

Hint

The port, if needed, can be appended to the URL, e.g., ldap://192.168.0.20:389/. The standard port, 389, can safely be omitted.

Bind DN settings
This setting defines the Distinguished Name of the LDAP server, i.e., the top-level node of the LDAP tree structure.
Bind DN username
The username used for querying the DN. It is necessary for retrieving and authenticating the credentials of the Hotspot’s users.
Bind DN password
The password for the user specified in the previous option. A click on the checkbox on the right shows or hides the characters.
User search filter
The string used to query the remote LDAP server.
LDAP backup server
The IP address or hostname of the LDAP fallback server, in LDAP format, used when the primary server is not reachable.
Default rate
The rate associated with each user who authenticates through this method.

For the RADIUS server, the following configuration options are available:

RADIUS server
The IP address or URL of the RADIUS server.
Port of RADIUS server
The port on which the RADIUS server is listening.
Identifier
An additional identifier.
Shared secret
The shared secret used to authenticate to the RADIUS server.
RADIUS backup server
The IP address or URL of the fallback RADIUS server, used when the primary server is not reachable.
Default rate
The rate associated with each user who authenticates through this method.
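The RADIUS settings of the External RADIUS server role (section 3) and of the RADIUS option of External Authentication (section 4) both configure the same exchange. The following is an added example, not Endian's or chilli's code, that shows what the shared secret and the identifier are used for on the wire, following RFC 2865: the Access-Request the hotspot sends to the AUTH port and the check of the server's reply. The user name, password, NAS ID and secret are constructed values.

```python
# Added example, not Endian's or chilli's code: the Access-Request a hotspot
# (the NAS) sends to the RADIUS AUTH port and the check of the server's reply,
# following RFC 2865. All user, password, NAS ID and secret values are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def attr(code, value):
    """One Type-Length-Value attribute."""
    return struct.pack("!BB", code, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident, user, password, secret, nas_id, authenticator=None):
    """Hotspot side: header, random Request Authenticator, then the attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user) + attr(NAS_IDENTIFIER, nas_id)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs


def reply_is_valid(reply, request, secret):
    """Hotspot side: accept the reply only if the secret binds it to our request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return code == ACCESS_ACCEPT and hmac.compare_digest(expected, reply[4:20])
```

A reply computed with a different secret, or altered in transit, fails the check, which is why the secret configured on the hotspot must match the server's and must not be guessable.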