bypass-all

mbox HSG typically runs in gateway mode as an all-in-one layer 3 device (router, firewall, captive portal, AAA server). Usually, HSG will intercept initial user http/https requests and prompt with a captive portal page for login before granting further access. Refer to this link for detail flow.

However, sometimes it is desirable to run HSG in bypass-all mode. In bypass-all mode, HSG does not prompt user for login and seamless grants access without any user interventions.

Why do we want to do this? It's usually required for below scenarios:

  1. We want to give seamless user experience without them having to login at landing page level, eg. we only want HSG to act as a router, firewall and enforce per device/session access controls only. For example, if users already login using WPA-EAP at wireless AP level, there's no need for them to login again through a login page, eg. Wireless@SGx in Singapore.
  2. We already have other third party captive portal solutions (landing page and AAA are done by third party devices), and only want to use HSG advanced gateway features such as firewall, session control, dynamic bandwidth control and details accounting etc.

Note that when HSG is running in bypass-all mode, following features are lost:

  1. No username in RADIUS accounting recording, eg. MAC address will be shown as username, together with all other detail AAA records
  2. No URL redirection upon granting access. It's not possible to redirect user browser to another external URL after they're granted accesses.

HOTSPOT BYPASS-ALL CONFIGURATION

In this configuration scenario, we have 3rd-party wireless LAN controllers managing its own Access Points, and the WLC is handling below functions:

  • AP management
  • WPA-EAP Authentication (forwarded to mbox RADIUS)

Required features from mbox HSG

  • Router, stateful firewall, DHCP server
  • RADIUS server for WPA authentication (requested from WLC)
  • Per client session control (time, bandwidth etc) and detail session accounting

In addition to all other basic network settings, below hotspot configurations are required:

  1. RADIUS server setting
  2. HotSpot configuration

COMMAND SUMMARY

security hotstpot vlan10

bypass-all bandwidth <max_download_peruser> <max_upload_peruser> time <max_usage_time_perday>

  • bandwidth. This option enforces per user bandwidth limit, at a defined rate <max_download_peruser> <max_upload_peruser>
  • time. This option defines per device usage quota/time per day, in seconds

NOTE:

  • both bandwidth and time are optional entries but they are related. if only bandwidth is defined, the default time is 3600 seconds (1 hour); if only time if defined, default bandwidth is 4Mbps upload/download;
  • if neither bandwidth nor time is defined (only bypass-enable), HSG will bypass all clients without any user access control. However, RADIUS accounting record is still available for each session
  • after user exceed defined usage time, they will be logged out and their browser will be redirected to http://mbox.ransnet.com showing their quota is used out.

SAMPLE CONFIGURATION

!

security radius-server

client 127.0.0.1 key testing123 name LOCAL-HSG

client 10.138.0.2 key Letmein99 name WLC <--add WLC as a RADIUS client

start

!

security hotspot eth1

description "Wireless@SG Captive Portal"

hotspot-id ida01 location Wireless@SG_iDA

hotspot-wan eth0

hotspot-server 10.138.0.1 ports 5000 5001

client-network 10.138.0.0 255.255.252.0

client-dhcp 10.138.0.5 255.255.252.0 lease 900

client-dhcp-dns 203.211.152.66 210.193.2.66

client-bandwidth 2048000 2048000

bypass-all bandwidth 1024000 1024000 time 3600

allowed-domain .ida.gov.sg,.ransnet.com

allowed-url www.m1.com.sg,wsg.m1net.com.sg

radius-server localhost testing123

hotspot-online-portal http://mbox.ransnet.com

start

VERIFICATION

To verify the results with configured values, use "show security hotspot clients"

mbox# show security hotspot clients

User 0

MAC: 84-B1-53-75-40-D1

IP Address: 192.168.13.101

Session ID: 55916ce70000058b

Username: 84-B1-53-75-40-D1

Duration / Max: 701/10800

Idle / Max: 348/1800

Input Octets / Max: 50423302/0

Output Octets / Max: 1607608/0

Max Total Octets: 0

Using swapoctets: 0

% / Max Up Bandwidth: 0%/2097152

% / Max Down Bandwidth: 0%/2097152

Original URL: http://www.itools.info/kTIjMuoPApBkU2/1HHcfbdKypy16X.html

Attached below is the complete config for HSG.