Hotspot Settings
When entering the Hotspot page, click on the grey Enable hotspot switch to start the Hotspot and show the first configuration options, which are described in the remainder of this page: the role of the hotspot and, if needed, the external authentication server. Since the additional settings available depend on the selected Role, they are described in the next three sections.
1. Master/Standalone hotspot or Standalone hotspot
When the hotspot is used as a Master hotspot, all the configuration data (e.g., user database, portal configuration, settings, logs), including those of the satellites, are stored on it; the management tasks are also performed on this hotspot.
This role can only be Standalone hotspot for the smallest hardware UTMs, whereas for Software, Virtual, and the bigger hardware UTMs the role can also be Master. Master means that it will store all the administrative settings and data that are reused by the satellite hotspots, which connect to the master by means of OpenVPN accounts.
For the Master role, one setting is available; the VPN accounts that can be assigned to the satellites are also shown.
- Hotspot password
This is the Master Hotspot’s password, only needed by satellite systems to connect to the master hotspot. If this field is left blank, a new random password will be generated.
- Hotspot satellites
The list of available OpenVPN tunnels to be used by remote satellite systems to connect to the Master. This list is empty if no satellites are needed in the setup or if no OpenVPN accounts have been created; otherwise, one or more systems can be selected from this list.
Use External Authentication
When the role of the Hotspot is Master / Standalone hotspot, it can rely on an external resource (either a RADIUS or an LDAP server) only for the purpose of user authentication, while keeping accounting, logging, user database, and all other settings locally. In other words, the user data are retrieved from the external server, without the need to create a new account.
To allow the Hotspot to connect to the remote server and retrieve the accounting data, there is one option available:
- Use External Authentication
By ticking this checkbox, new options appear that allow the configuration of the two supported authentication methods.
- Server Type
This drop-down menu allows choosing one of the two supported servers, either LDAP or RADIUS, and changes the configuration options displayed accordingly.
Note
The additional configuration options that will appear are very similar to those that appear in
and .
For the LDAP server, the following configuration options are available (see the example on the right for more details):
- LDAP server type
The drop-down menu allows choosing one of the supported LDAP server types: Generic, Active Directory, or Novell eDirectory.
- LDAP server
The IP address or hostname of the LDAP server, in LDAP format.
Hint
The port specification, if needed, can be written after the URL, e.g., ldap://192.168.0.20:389/. The standard port, 389, can safely be omitted.
- Bind DN settings
These settings define the Distinguished Name of the LDAP server, i.e., the top level node of the LDAP’s tree structure.
- Bind DN username
The username to be used for querying the DN. It is necessary to retrieve and authenticate the credentials of the Hotspot’s users.
- Bind DN password
The password for the user specified in the previous option. A click on the checkbox on the right shows or hides the characters.
- User search filter
The string used to query the remote LDAP server.
- LDAP backup server
The IP address or hostname of the LDAP fallback server, in LDAP format, to be used when the primary server is not reachable.
- Default rate
Choose from the drop-down menu the rate associated with users that authenticate through this method.
For the RADIUS server, the following configuration options are available:
- RADIUS server
The IP address or URL of the RADIUS server.
- Port of RADIUS server
The port on which the RADIUS server is listening.
- Identifier
An additional identifier.
- Shared secret
The password to be used.
- RADIUS backup server
The IP address or URL of the fallback RADIUS server, used when the primary server is not reachable.
- Default rate
Choose from the drop-down menu the rate associated with users that authenticate through this method.
2. Satellite hotspot
A satellite hotspot does not store any configuration, but relies on the Master to verify user data, ticket availability, and all the settings. When selecting this option, the IP address and the password of the Master hotspot must be specified, along with the VPN tunnel name. In detail, these are the available options:
- Master hotspot IP address
Specify in this field the IP address of the master hotspot, which is usually the first IP address available in the special OpenVPN subnet (see The zones) defined in the OpenVPN server settings (under ) of the Master hotspot.
- Master hotspot password
The Master hotspot password. This is typically auto-generated on the Master. Click on the Show checkbox to show the password.
- Hotspot VPN tunnel
From this drop-down menu, select the OpenVPN tunnel used to reach the Master hotspot.
See also
The setup of a master/satellite Hotspot is described in this article <https://help.endian.com/hc/en-us/articles/115012672027>.
3. External RADIUS server
In this configuration, the hotspot relies on an external RADIUS server, like FreeRadius, for its activities: it connects to the RADIUS server and asks it for authentication, and the RADIUS server stores all the data about accounting, settings, ticketing and connections. Several pieces of information about the RADIUS server are required for its correct functioning: the IP address, password, and ports, and the IP address of the fallback server. Additionally, the external portal can be used.
- RADIUS Server IP address
The IP address of the external RADIUS Server.
- RADIUS Server password
The password for the RADIUS Server. Click on the Show checkbox to reveal the password.
- Fallback RADIUS Server IP address
The IP address of the fallback external RADIUS Server.
- RADIUS Server AUTH port
The RADIUS Server AUTH (Authentication) port number.
- RADIUS Server ACCT port
The RADIUS Server ACCT (Accounting) port number.
- RADIUS Server COA port
The RADIUS Server COA (Change of Authorisation) port number.
Hint
The default values for the RADIUS port are: 1812 (AUTH), 1813 (ACCT), and 3799 (COA).
- Use external Portal
When this option is chosen, an external portal can be configured as the login interface that the users see when they want to connect through the hotspot. The external portal must be compatible and communicate with chilli. The following options should be configured to activate the external portal.
- External Portal URL
The location on which the portal is located.
- NAS ID
The Network Access Server IDentifier of the RADIUS server that identifies the portal.
- UAM Secret
The UAM shared secret from the external RADIUS server. While it is possible to not define a value for this option, it is suggested to define it, since it improves security.
- Allowed Sites / Access
A list of websites accessible even without registering to the hotspot.
Hint
Write on each line a domain name (e.g., endian.com) or an IP address (e.g., 10.123.124.125). On both domain name and IP address it is also possible to prepend the protocol to be used (e.g., tcp:www.endian.com, udp:10.123.124.125) and append the port to be used for the connection (e.g., 10.123.124.125:10443), or both (e.g., tcp:10.123.124.125:10443).
- Enable AnyIP
Allows clients without an active DHCP client to connect to the hotspot.
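Every Allowed Sites / Access entry is reachable before a user authenticates, so it is worth checking the list line by line before pasting it in. The following validator for the line format given in that option's hint is an added example, not Endian's own code: the function names, the hostname rules and the 1-65535 port range are assumptions, and the sample list is constructed from the hint's examples plus two malformed lines.

```python
import ipaddress
import re

# Assumed hostname rule: labels of letters, digits and hyphens, no edge hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def parse_allowed_site(line):
    """Parse one line of the form [tcp:|udp:]host[:port]; raise ValueError if malformed."""
    entry = line.strip()
    proto = None
    head, sep, rest = entry.partition(":")
    if sep and head in ("tcp", "udp"):        # optional protocol prefix
        proto, entry = head, rest
    host, sep, port_text = entry.partition(":")
    port = None
    if sep:                                   # optional port suffix
        if not re.fullmatch(r"[0-9]{1,5}", port_text) or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port in {line.strip()!r}")
        port = int(port_text)
    try:
        ipaddress.IPv4Address(host)
        kind = "ip"
    except ValueError:
        labels = host.split(".")
        # A numeric last label means a malformed IP address, not a domain.
        if len(labels) < 2 or labels[-1].isdigit() or not all(_LABEL.match(l) for l in labels):
            raise ValueError(f"bad host in {line.strip()!r}")
        kind = "domain"
    return {"proto": proto, "host": host, "port": port, "kind": kind}

def audit_allowed_sites(text):
    """Split a multi-line Allowed Sites value into (accepted, rejected) entries."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            accepted.append(parse_allowed_site(line))
        except ValueError as exc:
            rejected.append((line.strip(), str(exc)))
    return accepted, rejected

# Constructed sample: the six forms from the hint, then two malformed lines.
SAMPLE = """endian.com\n10.123.124.125\ntcp:www.endian.com\nudp:10.123.124.125
10.123.124.125:10443\ntcp:10.123.124.125:10443\nhttp://endian.com/login\n10.123.124.125:99999"""

if __name__ == "__main__":
    ok, bad = audit_allowed_sites(SAMPLE)
    for e in ok:
        print("OK ", e)
    for raw, why in bad:
        print("BAD", raw, "->", why)
```

Entries that carry neither a protocol nor a port are the broadest ones in the list, so they deserve the closest look when reviewing the output.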
Note
The setup of a RADIUS server is not discussed here since it is outside the scope and duties of Endian, who does not provide assistance in this task.