mbox HSG typically runs in gateway mode as an all-in-one layer 3 device (router, firewall, captive portal, AAA server). Usually, HSG will intercept initial user http/https requests and prompt with a captive portal page for login before granting further access. Refer to this link for detail flow.

However, sometimes it is desirable to run HSG in bypass-all mode. In bypass-all mode, HSG does not prompt user for login and seamless grants access without any user interventions.

Why do we want to do this? It's usually required for below scenarios:

  1. We want to give seamless user experience without them having to login at landing page level, eg. we only want HSG to act as a router, firewall and enforce per device/session access controls only. For example, if users already login using WPA-EAP at wireless AP level, there's no need for them to login again through a login page, eg. Wireless@SGx in Singapore.
  2. We already have other third party captive portal solutions (landing page and AAA are done by third party devices), and only want to use HSG advanced gateway features such as firewall, session control, dynamic bandwidth control and details accounting etc.

Note that when HSG is running in bypass-all mode, following features are lost:

  1. No username in RADIUS accounting recording, eg. MAC address will be shown as username, together with all other detail AAA records
  2. No URL redirection upon granting access. It's not possible to redirect user browser to another external URL after they're granted accesses.


In this configuration scenario, we have 3rd-party wireless LAN controllers managing its own Access Points, and the WLC is handling below functions:

  • AP management
  • WPA-EAP Authentication (forwarded to mbox RADIUS)

Required features from mbox HSG

  • Router, stateful firewall, DHCP server
  • RADIUS server for WPA authentication (requested from WLC)
  • Per client session control (time, bandwidth etc) and detail session accounting

In addition to all other basic network settings, below hotspot configurations are required:

  1. RADIUS server setting
  2. HotSpot configuration


security hotstpot vlan10

bypass-all bandwidth <max_download_peruser> <max_upload_peruser> time <max_usage_time_perday>

  • bandwidth. This option enforces per user bandwidth limit, at a defined rate <max_download_peruser> <max_upload_peruser>
  • time. This option defines per device usage quota/time per day, in seconds


  • both bandwidth and time are optional entries but they are related. if only bandwidth is defined, the default time is 3600 seconds (1 hour); if only time if defined, default bandwidth is 4Mbps upload/download;
  • if neither bandwidth nor time is defined (only bypass-enable), HSG will bypass all clients without any user access control. However, RADIUS accounting record is still available for each session
  • after user exceed defined usage time, they will be logged out and their browser will be redirected to showing their quota is used out.


!security radius-server client key testing123 name LOCAL-HSG client key Letmein99 name WLC <--add WLC as a RADIUS client start!security hotspot eth1 description "Wireless@SG Captive Portal" hotspot-id ida01 location Wireless@SG_iDA hotspot-wan eth0 hotspot-server ports 5000 5001 client-network client-dhcp lease 900 client-dhcp-dns client-bandwidth 2048000 2048000 bypass-all bandwidth 1024000 1024000 time 3600 allowed-domain, allowed-url, radius-server localhost testing123 hotspot-online-portal start


To verify the results with configured values, use "show security hotspot clients"

mbox# show security hotspot clients User 0 MAC: 84-B1-53-75-40-D1 IP Address: Session ID: 55916ce70000058b Username: 84-B1-53-75-40-D1 Duration / Max: 701/10800 Idle / Max: 348/1800 Input Octets / Max: 50423302/0 Output Octets / Max: 1607608/0 Max Total Octets: 0 Using swapoctets: 0 % / Max Up Bandwidth: 0%/2097152 % / Max Down Bandwidth: 0%/2097152 Original URL:

Attached below is the complete config for HSG.