AAA/RADIUS overview

mbox HSG has a built-in RADIUS server that authenticates users against credentials stored in its local SQL database and instructs the mbox Access Controller to enforce the corresponding access control (authorization) for each user, based on the access profile created for or attached to that user.

HSG RADIUS can also be used as a generic RADIUS server to authenticate 3rd-party devices using the standard RADIUS protocol, e.g. providing authentication for other wireless controllers using WPA2-EAP or EAP-SIM, or for switch-port 802.1X authentication with dynamic VLAN assignment.

User authentication support

When mbox is used as a RADIUS server to authenticate user access, it supports the following authentication methods:

    • Manual account creation using the local database. User accounts can be created manually by the administrator (and attached to different access profiles). Unlike some other controller appliances, mbox has no limit on the number of user accounts that can be created and stored locally because it comes with local SSD storage; all accounts and access records can be kept. mbox also has a built-in automation process that cleans and optimizes the database as the storage/records grow. This method is typically used by enterprise Wi-Fi owners, hotels/hostels, or other venues with VIP members or static guest/user accounts.
    • Auto account registration using the local database. For new users, the mbox captive portal page can be customized to ask for registration/signup with basic user details such as name, email and mobile (the fields can be customized). Upon successful registration an account is generated (typically the username is the email or mobile number) and sent to the user via SMS, or displayed immediately on the registration page for instant login. On later visits the user logs in with the same account details without registering again. At the same time, the Wi-Fi provider can log in to the mfusion portal to retrieve the user registration list. This method is typically used by F&B outlets, malls and retail outlets that want to build up their client database while offering free Wi-Fi access.
    • Proxy to an external RADIUS server. Instead of keeping accounts in the local mbox RADIUS database, mbox can proxy authentication requests to an external RADIUS server. When an authentication request arrives (with the username and password included), mbox first checks its internal database; if the username is not found, it checks its realm settings, and if there is a match it proxies the request to the external RADIUS server for account validation. This method is widely deployed for Wireless@SG service authentication in Singapore: when mbox is used as the HotSpot gateway for Wireless@SG, user credentials are forwarded/proxied by mbox to the local ISP RADIUS servers for final validation. See external integration.
    • Integration with a corporate LDAP/AD server. Similar to RADIUS proxy, instead of keeping user accounts locally in the mbox database, mbox can forward authentication requests to an external LDAP or AD server using standard LDAP protocols. This method is typically used for enterprise Wi-Fi, where organizations can let users log in to the corporate domain and to Wi-Fi with the same account. See external integration.
    • Integration with social media accounts. mbox can allow users to log in with their social media accounts such as Facebook, Google+, Twitter, WeChat, etc. mbox builds API integrations with these sites, so when users log in their credentials are forwarded to the respective social media provider for validation; at the same time, mbox can pull their public profile details (name, email, mobile, gender, locale/country, etc.) and store them locally within mbox, so that Wi-Fi venue owners can log in and export the user information to build up their client database or for data analytics. This method is typically used by malls, F&B and retail outlets, and is one of the most requested features among free Wi-Fi providers today. See details on social media integration.
    • Integration with a membership/CRM database or HMS. mbox can use the API provided by many membership/CRM database engines to authenticate user access. This is typically used by venues that want to offer differentiated service levels to members and non-members. mbox can also integrate with some hotel management systems to let guests log in with their room no. and surname as credentials.
    • Integration with a POS system for voucher management. Many F&B outlets today offer free Wi-Fi to attract customers, but the biggest challenge is ensuring that the users are real customers who have made a purchase at the outlet (rather than people nearby, or people who simply sit down to enjoy free Wi-Fi). mbox has developed an open API through which an external POS server can sync each invoice no. into the mbox RADIUS database for use as a Wi-Fi passcode. With POS integration, each time a customer makes a purchase a passcode is printed on the receipt as a voucher for Wi-Fi login. The passcode is unique (e.g. the invoice no.) so that it cannot be re-used, and it is only valid for a limited duration (e.g. 1 hour). This ensures that users do not hog the seats, and if they do need to stay they will buy another drink from the outlet; indirectly, it also helps to drive up potential sales for the venue owner.
    • Integration with a voucher printer. mbox works with some thermal printers to print temporary vouchers for guest login. By pressing button 1 for 1 hour (or 1 day) or button 2 for 2 hours (or 2 days), venue owners can sell or give away Wi-Fi vouchers to guests easily. The voucher accounts are created and stored locally in the mbox RADIUS database. Its simplicity lets many hotels, F&B and retail outlets offer guest Wi-Fi more easily. See GMC for details.
    • mboxAPI integration with any 3rd-party system. mbox has an open API that allows external 3rd-party systems (e.g. CRM, voucher management, billing, corporate database servers, PMS) to integrate seamlessly with mbox RADIUS. The API lets a 3rd-party system retrieve local user accounts, user access records (e.g. for external data analytics) and profiles, and also lets external applications create/insert user accounts into the mbox RADIUS database.
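The local-first, realm-based routing decision described for the RADIUS proxy method above, as an added Python example that is not mbox code: the account table, realm table and upstream server names are constructed stand-ins, and the `user@realm` username format is an assumption.

```python
"""Route an authentication request the way the proxy method describes:
local database first, then realm lookup, otherwise reject (default deny).
Constructed example, not mbox code; tables below are in-memory stand-ins
for the SQL database and the realm settings."""
import hashlib
import hmac

# Constructed salt and local accounts: username -> salted SHA-256 hex digest.
LOCAL_SALT = b"constructed-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(LOCAL_SALT + password.encode()).hexdigest()


LOCAL_ACCOUNTS = {"alice@example.org": _digest("correct horse")}

# Constructed realm table: realm suffix -> upstream RADIUS server (hypothetical names).
REALMS = {
    "isp-a.example": "radius1.isp-a.example",
    "isp-b.example": "radius2.isp-b.example",
}


def route_auth(username, password, accounts=LOCAL_ACCOUNTS, realms=REALMS):
    """Return ('local', 'accept'|'reject'), ('proxy', server) or ('reject', reason)."""
    # Step 1: the local database is consulted first. A known username is
    # decided locally, even on a wrong password; it is never proxied.
    stored = accounts.get(username)
    if stored is not None:
        ok = hmac.compare_digest(stored, _digest(password))
        return ("local", "accept" if ok else "reject")

    # Step 2: username not found locally, so derive the realm (assumed
    # user@realm format) and look it up in the realm settings.
    if "@" not in username:
        return ("reject", "no-realm")
    realm = username.rsplit("@", 1)[1].lower()
    server = realms.get(realm)
    if server is None:
        return ("reject", "unknown-realm")  # no realm match: default deny

    # Step 3: realm matched, forward the request to that upstream server.
    return ("proxy", server)
```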
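The single-use, time-limited passcode behaviour described for the POS voucher method above, as an added Python example that is not mbox code: the voucher store is an in-memory stand-in for the RADIUS database, the 1-hour validity is taken from the text, and counting validity from the time the receipt is issued is an assumption.

```python
"""Passcodes synced from a POS server: unique per invoice, single-use,
and valid for a limited duration. Constructed example, not mbox code.
Times are Unix timestamps (int seconds)."""

VALIDITY_SECONDS = 3600  # e.g. 1 hour, as in the text


class VoucherStore:
    def __init__(self):
        # invoice no. -> {"issued": timestamp, "used": bool}
        self._codes = {}

    def sync_invoice(self, invoice_no, issued_at):
        """Called by the POS integration when a receipt is printed.
        Returns False if the invoice no. was already synced, so a
        duplicate cannot silently reset an existing passcode."""
        if invoice_no in self._codes:
            return False
        self._codes[invoice_no] = {"issued": issued_at, "used": False}
        return True

    def redeem(self, code, now):
        """Return 'ok', 'unknown', 'used' or 'expired'.
        Marks the passcode used on success so it cannot be re-used."""
        entry = self._codes.get(code)
        if entry is None:
            return "unknown"
        if entry["used"]:
            return "used"
        # Validity is assumed to run from the issue time on the receipt.
        if now - entry["issued"] > VALIDITY_SECONDS:
            return "expired"
        entry["used"] = True
        return "ok"
```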

More details on managing and accessing RADIUS can be found here.