mbox HSG typically runs in gateway mode as an all-in-one layer 3 device (router, firewall, captive portal, AAA server). Usually, HSG will intercept initial user http/https requests and prompt with a captive portal page for login before granting further access. Refer to this link for detail flow.
However, sometimes it is desirable to run HSG in bypass-all mode. In bypass-all mode, HSG does not prompt user for login and seamless grants access without any user interventions.
Why do we want to do this? It's usually required for below scenarios:
- We want to give seamless user experience without them having to login at landing page level, eg. we only want HSG to act as a router, firewall and enforce per device/session access controls only. For example, if users already login using WPA-EAP at wireless AP level, there's no need for them to login again through a login page, eg. Wireless@SGx in Singapore.
- We already have other third party captive portal solutions (landing page and AAA are done by third party devices), and only want to use HSG advanced gateway features such as firewall, session control, dynamic bandwidth control and details accounting etc.
Note that when HSG is running in bypass-all mode, following features are lost:
- No username in RADIUS accounting recording, eg. MAC address will be shown as username, together with all other detail AAA records
- No URL redirection upon granting access. It's not possible to redirect user browser to another external URL after they're granted accesses.
HOTSPOT BYPASS-ALL CONFIGURATION
In this configuration scenario, we have 3rd-party wireless LAN controllers managing its own Access Points, and the WLC is handling below functions:
- AP management
- WPA-EAP Authentication (forwarded to mbox RADIUS)
Required features from mbox HSG
- Router, stateful firewall, DHCP server
- RADIUS server for WPA authentication (requested from WLC)
- Per client session control (time, bandwidth etc) and detail session accounting
In addition to all other basic network settings, below hotspot configurations are required:
- RADIUS server setting
- HotSpot configuration
security hotstpot vlan10
bypass-all bandwidth <max_download_peruser> <max_upload_peruser> time <max_usage_time_perday>
- bandwidth. This option enforces per user bandwidth limit, at a defined rate <max_download_peruser> <max_upload_peruser>
- time. This option defines per device usage quota/time per day, in seconds
- both bandwidth and time are optional entries but they are related. if only bandwidth is defined, the default time is 3600 seconds (1 hour); if only time if defined, default bandwidth is 4Mbps upload/download;
- if neither bandwidth nor time is defined (only bypass-enable), HSG will bypass all clients without any user access control. However, RADIUS accounting record is still available for each session
- after user exceed defined usage time, they will be logged out and their browser will be redirected to http://mbox.ransnet.com showing their quota is used out.
client 127.0.0.1 key testing123 name LOCAL-HSG
client 10.138.0.2 key Letmein99 name WLC <--add WLC as a RADIUS client
security hotspot eth1
description "Wireless@SG Captive Portal"
hotspot-id ida01 location Wireless@SG_iDA
hotspot-server 10.138.0.1 ports 5000 5001
client-network 10.138.0.0 255.255.252.0
client-dhcp 10.138.0.5 255.255.252.0 lease 900
client-dhcp-dns 126.96.36.199 188.8.131.52
client-bandwidth 2048000 2048000
bypass-all bandwidth 1024000 1024000 time 3600
radius-server localhost testing123
To verify the results with configured values, use "show security hotspot clients"
mbox# show security hotspot clients
IP Address: 192.168.13.101
Session ID: 55916ce70000058b
Duration / Max: 701/10800
Idle / Max: 348/1800
Input Octets / Max: 50423302/0
Output Octets / Max: 1607608/0
Max Total Octets: 0
Using swapoctets: 0
% / Max Up Bandwidth: 0%/2097152
% / Max Down Bandwidth: 0%/2097152
Original URL: http://www.itools.info/kTIjMuoPApBkU2/1HHcfbdKypy16X.html
Attached below is the complete config for HSG.