When entering the Hotspot page, click on the grey Enable hotspot switch to start the Hotspot and show the first configuration options, which are described in the remainder of this page: the role of the hotspot and, if needed, the external authentication server.
Since the additional settings available depend on the selected Role, they are described in the next three sections.
When the hotspot is used as a Master hotspot, all the configuration data (e.g., user database, portal configuration, settings, logs), including those of the satellites, are stored on it; the management tasks are also performed on this hotspot.
This role can only be Standalone hotspot for the smallest hardware Endian UTM Appliances, whereas for Software, Virtual, and the bigger hardware Endian UTM Appliances the role can also be Master. Master means that it will store all the administrative settings and data that are reused by the satellite hotspots, which connect to the master by means of OpenVPN accounts.
For the Master role, one setting is available, and the available VPN accounts that can be assigned to the satellites are also shown.
This is the Master Hotspot’s password, only needed by satellite systems to connect to the master hotspot. If this field is left blank, a new random password will be generated.
The list of available OpenVPN tunnels to be used by remote satellite systems to connect to the Master. This list is empty if no satellites are needed in the setup or if no OpenVPN accounts have been created; otherwise, one or more systems can be selected from this list.
When the role of the Hotspot is Master / Standalone hotspot, it can rely on an external resource (either a RADIUS or an LDAP server) only for the purpose of user authentication, while keeping accounting, logging, user database, and all other settings locally. In other words, the user data are retrieved from the external server, without the need to create a new account.
To allow the Hotspot to connect to the remote server and retrieve the accounting data, there is one option available:
By ticking this checkbox, new options appear that allow the configuration of the two supported authentication methods.
This drop-down menu allows choosing one of the two supported servers, either LDAP or RADIUS, and changes the configuration options displayed accordingly.
Note
The additional configuration options that will appear are very similar to those that appear in
and .
For the LDAP server, the following configuration options are available (see the example on the right for more details):
The drop-down menu allows choosing one of the supported LDAP server types: Generic, Active Directory, or Novell eDirectory.
The IP address or hostname of the LDAP server, in LDAP format.
Hint
The port specification, if needed, can be written after the URL, e.g., ldap://192.168.0.20:389/. The standard port, 389, can safely be omitted.
This setting defines the Distinguished Name of the LDAP server, i.e., the top-level node of the LDAP tree structure.
The username to be used for querying the DN. It is necessary to retrieve and authenticate the credentials of the Hotspot’s users.
The password for the user specified in the previous option. A click on the checkbox on the right shows or hides the characters.
The string used to query the remote LDAP server.
The IP address or hostname of the LDAP fallback server, in LDAP format, to be used when the primary server is not reachable.
Choose from the drop-down menu the rate associated with users that authenticate through this method.
For the RADIUS server, the following configuration options are available:
The IP address or URL of the RADIUS server.
The port on which the RADIUS server is listening.
An additional identifier.
The password to be used.
The IP address or URL of the fallback RADIUS server, used when the primary server is not reachable.
Choose from the drop-down menu the rate associated with users that authenticate through this method.
A satellite hotspot does not store any configuration, but relies on the Master to verify user data, ticket availability, and all the settings. When selecting this option, the IP address and the password of the Master hotspot must be specified, along with the VPN tunnel name. In detail, these are the available options:
Specify in this field the IP address of the master hotspot, which is usually the first IP address available in the special OpenVPN subnet (see The zones) defined in the OpenVPN server settings (under ) of the Master hotspot.
The Master hotspot password. This is typically auto-generated on the Master. Click on the Show checkbox to show the password.
From this drop-down menu, select the OpenVPN tunnel used to reach the Master hotspot.
See also
The setup of a master/satellite Hotspot is described in this article <https://help.endian.com/hc/en-us/articles/115012672027>.
In this configuration, the hotspot relies on an external RADIUS server, like FreeRadius, for its activities: it connects to the RADIUS server and asks it for authentication, and the RADIUS server stores all the data about accounting, settings, ticketing and connections. Several pieces of information about the RADIUS server are required for it to function correctly: the IP address, password, and ports, and the IP address of the fallback server. Additionally, the external portal can be used.
The IP address of the external RADIUS Server.
The password for the RADIUS Server. Click on the Show checkbox to reveal the password.
The IP address of the fallback external RADIUS Server.
The RADIUS Server AUTH (Authentication) port number.
The RADIUS Server ACCT (Accounting) port number.
The RADIUS Server COA (Change of Authorisation) port number.
Hint
The default values for the RADIUS port are: 1812 (AUTH), 1813 (ACCT), and 3799 (COA).
When this option is chosen, an external portal can be configured as the login interface that the users see when they want to connect through the hotspot. The external portal must be compatible and communicate with chilli. The following options should be configured to activate the external portal.
The location of the external portal.
The Network Access Server IDentifier of the RADIUS server that identifies the portal.
The UAM shared secret from the external RADIUS server. While it is possible to not define a value for this option, it is suggested to define it, since it improves security.
A list of websites accessible even without registering to the hotspot.
Hint
Write on each line a domain name (e.g., endian.com) or an IP address (e.g., 10.123.124.125). For both domain names and IP addresses it is also possible to prepend the protocol to be used (e.g., tcp:www.endian.com, udp:10.123.124.125) and append the port to be used for the connection (e.g., 10.123.124.125:10443), or both (e.g., tcp:10.123.124.125:10443).
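The entry format described in the hint above can be checked before the list is pasted into the hotspot. The following is an added example, not Endian's own code: it parses each line, reports malformed entries, and lists the entries that carry no port restriction, since those hosts are reachable on every port by unregistered clients. It assumes that only tcp and udp are valid protocol prefixes and that addresses are IPv4; the function names and the sample list are constructed for illustration.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

class AllowedSite(NamedTuple):
    protocol: Optional[str]  # "tcp", "udp" or None (not restricted)
    host: str                # domain name or IPv4 address
    port: Optional[int]      # 1-65535 or None (not restricted)

def parse_allowed_site(line: str) -> AllowedSite:
    """Parse one entry of the form [tcp:|udp:]host[:port] (assumed grammar)."""
    parts = line.strip().split(":")
    protocol = port = None
    if len(parts) > 1 and parts[0].lower() in ("tcp", "udp"):
        protocol = parts.pop(0).lower()
    if len(parts) == 2:
        if not re.fullmatch(r"[0-9]{1,5}", parts[1]) or not 1 <= int(parts[1]) <= 65535:
            raise ValueError(f"bad port in {line!r}")
        port = int(parts.pop())
    if len(parts) != 1 or not parts[0]:
        raise ValueError(f"malformed entry {line!r}")
    host = parts[0].lower()
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        labels = host.split(".")
        # An all-numeric last label means a mistyped IP address, not a domain.
        if labels[-1].isdigit() or not all(_LABEL.match(lab) for lab in labels):
            raise ValueError(f"bad host in {line!r}")
    return AllowedSite(protocol, host, port)

def review_allowed_sites(text: str):
    """Return (parsed entries, error messages, entries with no port limit)."""
    entries, errors = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entries.append(parse_allowed_site(line))
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
    return entries, errors, [e for e in entries if e.port is None]

# Constructed sample: the page's own examples plus two deliberate mistakes.
SAMPLE = ("endian.com\ntcp:www.endian.com\nudp:10.123.124.125\n10.123.124.125:10443\n"
          "tcp:10.123.124.125:10443\n10.123.124.300\ntcp:www.endian.com:99999\n")
```

Calling `review_allowed_sites(SAMPLE)` returns the five valid entries, two error messages for lines 6 and 7, and the three entries that leave every port open.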
Allows clients without an active DHCP client to connect to the hotspot.
Note
The setup of a RADIUS server is not discussed here since it is outside the scope and duties of Endian, who does not provide assistance in this task.