mbox HSG typically runs in gateway mode as an all-in-one layer 3 device (router, firewall, captive portal, AAA server). Usually, HSG will intercept initial user http/https requests and prompt with a captive portal page for login before granting further access. Refer to this link for detail flow.

However, sometimes it is desirable to run HSG in bypass-all mode. In bypass-all mode, HSG does not prompt user for login and seamless grants access without any user interventions. 

Why do we want to do this? It's usually required for below scenarios:

1. We want to give seamless user experience without them having to login at landing page level, eg. we only want HSG to act as a router, firewall and enforce per device/session access controls only. For example, if users already login using WPA-EAP at wireless AP level, there's no need for them to login again through a login page, eg. Wireless@SGx in Singapore.

2. We already have other third party captive portal solutions (landing page and AAA are done by third party devices), and only want to use HSG advanced gateway features such as firewall, session control, dynamic bandwidth control and details accounting etc.

Note that when HSG is running in bypass-all mode, following features are lost:

1. No username in RADIUS accounting recording, eg. MAC address will be shown as username, together with all other detail AAA records

2. No URL redirection upon granting access. It's not possible to redirect user browser to another external URL after they're granted accesses.

HOTSPOT BYPASS-ALL CONFIGURATION

In this configuration scenario, we have 3rd-party wireless LAN controllers managing its own Access Points, and the WLC is handling below functions:

• AP management

• WPA-EAP Authentication (forwarded to mbox RADIUS)

Required features from mbox HSG

• Router, stateful firewall, DHCP server

• RADIUS server for WPA authentication (requested from WLC)

• Per client session control (time, bandwidth etc) and detail session accounting

In addition to all other basic network settings, below hotspot configurations are required:

1. RADIUS server setting

2. HotSpot configuration

COMMAND SUMMARY 

security hotstpot vlan10

 bypass-all bandwidth <max_download_peruser> <max_upload_peruser> time <max_usage_time_perday>

• bandwidth. This option enforces per user bandwidth limit, at a defined rate <max_download_peruser> <max_upload_peruser>

• time. This option defines per device usage quota/time per day, in seconds

NOTE: 

• both bandwidth and time are optional entries but they are related. if only bandwidth is defined, the default time is 3600 seconds (1 hour); if only time if defined, default bandwidth is 4Mbps upload/download; 

• if neither bandwidth nor time is defined (only bypass-enable), HSG will bypass all clients without any user access control. However, RADIUS accounting record is still available for each session

• after user exceed defined usage time, they will be logged out and their browser will be redirected to http://mbox.ransnet.com showing their quota is used out.

SAMPLE CONFIGURATION

VERIFICATION

To verify the results with configured values, use "show security hotspot clients"

Attached below is the complete config for HSG.