Centralized Design (other AP)

This design works with 3rd-party APs as a hosted model: a large HSG sits at the central site, together with a central Wireless LAN Controller (WLC) that manages all APs at each remote site. Traffic at each location (from the remote AP) is tunneled back to the central WLC and breaks out from the central HSG for hotspot access control.

Target environments:

  • F&B chains (with existing 3rd-party wireless APs)


  • Typically used for small, distributed networks, where each remote site/branch already has an existing AP.
  • The APs are “managed” centrally by a central Wireless LAN Controller (WLC), and access policies are enforced by a central mbox HSG. The central WLC and HSG are typically hosted in an IDC or the customer's HQ office.
  • All Internet traffic has to route back to the central WLC and break out from the HSG, which adds some extra latency and consumes a huge amount of central hosting bandwidth.
  • This model can be used by service providers who provide hosted captive portal services to smaller customers who share similar WiFi captive portal services (e.g. Wireless@SG). Each customer network is presented and separated by a dedicated VLAN on the HSG, although one customer may potentially have multiple VLANs for different SSIDs. Each VLAN/customer can have different custom captive portal pages and landing pages with different access policies, etc.
  • Do note that some customers require a dedicated RADIUS database (e.g. some may need social media integration or self-signup to understand user profiles, and require access to their own RADIUS database for data analytics etc.). In that case we need to provision a dedicated VM-based UAM/RADIUS server for each such customer.

PS: the attached file illustrates the Cisco WLC configuration to integrate with mbox for WPA-dot1x authentication, with mbox running as a DHCP server as well. This example is for Wireless@SGx, but is applicable to all other wireless scenarios using WPA-EAP, where mbox is used as the DHCP and RADIUS server for wireless clients.