HotSpot Gateway (HSG) Overview

HSG is a HotSpot Gateway that provides guest Internet access with granular user access control and security enforcement. It allows enterprises or venue owners (hotels, malls, clubs, F&B, etc.) to offer flexible and differentiated Internet access for guests, VIP members or visitors.

Sitting at the Internet edge, mbox HSG manages user Internet access through a few key modules:

    • Router, stateful firewall, DHCP server
    • HotSpot Access Controller (hotspot instance)
    • Captive Portal (CP)
    • User Authentication, Authorization and Accounting (AAA, also called RADIUS)
    • mbox Access Point Cloud Controller (MACC)
    • Advertising gateway

The HotSpot Access Controller combines DHCP server, firewall and bandwidth control engines. It grants users Internet access and enforces their respective rights based on AAA/RADIUS client policies. It intercepts users' initial browsing requests and redirects them to a captive portal (also called a landing page in many places) for entering authentication credentials and accepting terms, and enforces the authorization (client rights) returned by the AAA/RADIUS server for each authenticated user. (Note that the HotSpot Access Controller here does not refer to a wireless access controller.)

One mbox HSG can support multiple instances of the HotSpot Access Controller. Typically each instance maps to a different VLAN or network with different access controls (e.g. different login/landing pages, different bandwidth control policies), so that users coming from different networks get a different user experience.

The HSG HotSpot Access Controller supports the following features:

    • Multi-instance, multi-VLAN support.
    • Built-in DHCP server for client DHCP address assignment for each VLAN. Each instance of the HotSpot Access Controller (one per VLAN) can issue DHCP addresses from a different subnet and redirect to a different captive portal login page.
    • MAC address bypass (e.g. default pass-through for some devices), domain bypass, and URL bypass (e.g. default pass-through for some destination domains or URLs).
    • Per-user, per-session bandwidth control based on username or user VLAN.
    • Dynamic bandwidth allocation per user, dynamically re-allocating per-user bandwidth by adapting to back-haul link utilization.
    • HTTP injection for periodic in-session ads.

The HSG captive portal is a built-in web server that prompts the user with a customizable web login page. It also interacts with the Access Controller and the AAA/RADIUS server to accept user credentials, and integrates with the RansNet cloud advertising server to stream landing page ads etc.

The HSG AAA server (or RADIUS server) validates user credentials and passes user access policies (bandwidth per user, session time, volume/usage, etc.) to the Access Controller for enforcement.

NOTE: MACC and advertising gateway modules will be covered in separate sections.

1. User hotspot access flow with HSG

When HSG functions as a gateway (e.g. in the on-premise model), a typical user hotspot access flow is as follows:

    1. The user device (mobile device or computer) connects to the Local Area Network (LAN) through open wireless (any wireless infrastructure, either MAP or a 3rd-party AP) or a normal switch port via UTP cable. In the case of wireless access, the AP bridges the SSID to a VLAN and trunks it to HSG; for switch/LAN access, the switch trunks directly to HSG. The HSG HotSpot Access Controller then issues a DHCP address to the client device.
    2. The user tries to browse the Internet using a standard browser. The browsing request comes into the mbox LAN/VLAN interface and is intercepted by the HotSpot Access Controller. NOTE: many modern smartphones automatically initiate a browsing request once they get a DHCP IP address.
    3. The mbox Access Controller redirects the user's browser to a captive portal login page.
    4. (optional) If landing page ads are enabled (integrated with the RansNet cloud advertising server), the user sees an ad pop-up and optionally watches the ad for a few seconds (configurable) before seeing the actual login page.
    5. On the login page, the user enters a username and password, which the portal forwards to the Access Controller, which in turn sends them to the RADIUS server for validation. The RADIUS server validates the user credentials and returns an accept/reject result to the Access Controller, together with a set of authorization profiles stating the access rights of the authenticated user. NOTE: the RADIUS server here can be the mbox local RADIUS or a 3rd-party standard RADIUS server.
    6. The HSG HotSpot Access Controller grants the user Internet access and enforces the respective rights given by RADIUS.
    7. User traffic breaks out from the HSG WAN interface to the Internet. HSG performs NAT on the user source IP.
    8. (optional) If in-session ad injection is enabled (integrated with the RansNet cloud advertising server), the user periodically (configurable) sees pop-up ads in the browser.

2. User hotspot access flow with MAP/HSA

Because mbox Access Point (MAP) and HSA only have the Access Controller, when MAP/HSA is deployed in the cloud model (or centralized model, with one MAP at each remote location and one HSG in HQ/Cloud), they must work with an external HSG for Captive Portal and RADIUS authentication.

The flow below shows how MAP/HSA works with an external HSG.

    1. The user device (mobile device or computer) connects to the MAP/HSA wireless SSID. Because MAP is configured in NAT mode in the cloud model, the mbox HotSpot Access Controller then issues a DHCP address to the client device. (If MAP is configured in bridge mode in an on-premise design model, the scenario is the same as #1 above.)
    2. The user tries to browse the Internet using a standard browser. The browsing request comes into MAP/HSA and is intercepted by the HotSpot Access Controller.
    3. The HotSpot Access Controller redirects the user's browsing requests to an external captive portal login page hosted on an external HSG.
    4. (optional) If landing page ads are enabled (integrated with the RansNet cloud advertising server), the user sees an ad pop-up and optionally watches the ad for a few seconds (configurable) before seeing the actual login page.
    5. On the login page, the user enters a username and password, which the portal forwards to the RADIUS server for validation. The RADIUS server validates the user credentials and returns an accept/reject result to the MAP/HSA HotSpot Access Controller, together with a set of authorization profiles stating the access rights of the authenticated user. NOTE: the remote captive portal and RADIUS must be on the same HSG.
    6. The MAP HotSpot Access Controller grants the user Internet access and enforces the respective rights issued by RADIUS.
    7. User traffic breaks out from the MAP/HSA GE interface directly to the Internet. MAP/HSA performs NAT on the user source IP.
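
The Access Controller decision common to both flows above (bypass, redirect to the portal, enforce the RADIUS authorization profile), as an added Python model that is not RansNet code. The class, the `session_timeout` and `max_octets` profile keys, the user store and all addresses are hypothetical, and the model assumes the portal host is on the domain bypass list so unauthenticated clients can reach the login page.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed user store standing in for the RADIUS server (illustrative values).
USERS = {"guest1": ("s3cret", {"session_timeout": 3600, "max_octets": 10_000})}

def radius_auth(username: str, password: str) -> Optional[dict]:
    # Accept returns the authorization profile, reject returns None.
    stored, profile = USERS.get(username, ("", None))
    return profile if hmac.compare_digest(stored.encode(), password.encode()) else None

@dataclass
class AccessController:
    portal_url: str
    radius: Callable[[str, str], Optional[dict]]
    mac_bypass: set = field(default_factory=set)
    domain_bypass: set = field(default_factory=set)   # must include the portal host
    sessions: dict = field(default_factory=dict)      # client MAC -> session state

    def login(self, mac, username, password, now):    # step 5: RADIUS validation
        profile = self.radius(username, password)
        if profile is None:
            return False
        self.sessions[mac] = {"start": now, "used": 0, **profile}
        return True

    def handle(self, mac, host, size, now):           # steps 2, 3 and 6
        if mac in self.mac_bypass or host in self.domain_bypass:
            return "ALLOW"
        s = self.sessions.get(mac)
        if s:
            expired = now - s["start"] >= s["session_timeout"]
            over_quota = s["used"] + size > s["max_octets"]
            if not (expired or over_quota):
                s["used"] += size
                return "ALLOW"
            del self.sessions[mac]   # rights exhausted: back to unauthenticated
        return "REDIRECT " + self.portal_url

def run_demo():
    ac = AccessController("https://portal.example/login", radius_auth,
                          {"00:11:22:33:44:55"}, {"portal.example"})
    g = "aa:bb:cc:00:00:01"  # constructed guest MAC
    return [ac.handle(g, "news.example", 500, 0),      # not logged in
            ac.login(g, "guest1", "wrong", 5),         # RADIUS reject
            ac.login(g, "guest1", "s3cret", 10),       # RADIUS accept
            ac.handle(g, "news.example", 6000, 20),    # within quota
            ac.handle(g, "news.example", 6000, 30),    # quota exceeded
            ac.handle(g, "portal.example", 500, 31)]   # portal always reachable
```

Bypass entries are matched before any session lookup, so every MAC or domain on those lists is reachable without authentication and each entry should be reviewed as an exception to the RADIUS policy.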

NOTE: MAP does not support in-session ads, and does not support dynamic bandwidth control.

NOTE:

    • One HSG can support multiple MAP/HSA. Sizing of HSG is based on 10 x the number of MAP/HSA. E.g. to support up to 20 MAP/HSA, use HSG-200; to support up to 80 MAP/HSA, use HSG-800.
    • Different organizations need dedicated HSGs, since the RADIUS database cannot be shared.
    • In the cloud model, the external HSG can run on a virtual machine, since it is not functioning as a gateway and only hosts RADIUS and Captive Portals for MAP/HSA.