Post on 17-Aug-2019
PREPARED BY Engineering Department of Blue Octopus WiFi VERSION 1.0
INTEROPERABILITY DOCUMENT BETWEEN OMNIACCESS
STELLAR SOLUTION AND OCTOPUS WIFI
Interoperability Document
Table of contents
1. INTRODUCTION
2. SOLUTION ADVANTAGES
2.1 MAIN FEATURES
2.2 MAIN BENEFITS
3. BACKGROUND
3.1 OVERALL WORKFLOWS
3.2 OCTOPUS PLATFORM, LOGICAL STRUCTURE
3.3 INTEGRATION DETAILS
3.3.1. HTTP REDIRECT
3.3.2. HTTP POST LOGIN
3.3.3. HTTP LOGOUT
3.3.4. RADIUS AUTHENTICATION ATTRIBUTES
4. CONFIGURATIONS
4.1 PREREQUISITES
4.1.1. FIREWALL PERMISSIONS
4.1.2. COLLECT CUSTOMER INFORMATION
4.2 OCTOPUSWIFI
4.2.1. GENERAL
4.2.2. ACCESS METHODS
4.2.3. WLAN
4.3 OMNIACCESS STELLAR EXPRESS
4.3.1. WLAN SETTINGS
4.3.2. CAPTIVE PORTAL
4.3.3. ADDITIONAL SETTINGS
4.4 OMNIACCESS STELLAR ENTERPRISE
4.4.1. RADIUS SERVER
4.4.2. AAA SERVER PROFILE
4.4.3. ACCESS ROLE PROFILE
4.4.4. WLAN SERVICE
4.4.5. APPLY CONFIGURATION TO DEVICES
1. Introduction
Octopus WiFi complements the OmniAccess Stellar solution with a global cloud platform for managing and controlling access to Guest WiFi environments, adding value-added layers for your business. The platform gathers information on the clients and their behaviour, presents usage analytics intuitively and offers advanced functionality to design marketing campaigns and promotions. Octopus WiFi is backed by a solid team of experts in defining global technical solutions, who help companies with their digital transformation.
[Figure: solution positioning. Labels: WiFi Express, WiFi Enterprise, Digital Marketing, Campus Networks, Simple Networks, Internet]
2. Solution Advantages
2.1 Main Features
- Cloud Platform: Octopus WiFi is offered as a SaaS service with different licensing levels. No additional hardware needs to be installed.
- Multitenant: Octopus WiFi can be customised to fit your brand image and offered as the client's own service.
- Multivendor Platform: integrates with WLAN solutions from the most common manufacturers on the market. It is a "trojan horse" for offering Alcatel hardware in new installations.
- Modular: advanced management of profiles and user permissions within the company (IT, Marketing, Support, Reception, ...).
- Flexible: features adapted to the different market sectors that require Guest WiFi: hospitality, retail, transportation, education, medical centres, restaurants, corporate offices, commercial headquarters, ...
- Radius AAA service that multiplies the options for access types, control mechanisms and monitoring levels.
- Business analytics, marketing campaigns and promotions over WiFi.
- Specialised Support and Consultancy: to define the best Guest WiFi solution for your business and develop special integrations with your business tools.
- Compliance with current law on the preservation and processing of personal data.
2.2 Main Benefits
- Octopus WiFi helps every company with its digital transformation: Wi-Fi as a new communication channel.
- We integrate your business with Wi-Fi technology. Make your Wi-Fi service profitable with marketing actions.
- Reinforce the brand image: extend your business image to the Wi-Fi service.
- Differentiate yourself from your competitors with a high-quality service and gain presence at your point of sale.
- Gain new customers and improve customer loyalty.
- Know your customers' behaviour: where they go, how much time they spend on your site, whether they come back...
- Increase the number of visits to and interactions with your website and your social network profiles, and promote the download of your app.
- Integrate with your Customer Relationship Management and other digital marketing tools.
- The results will be visible in a short time.
3. Background
3.1 Overall workflows
The following diagram describes the workflow between all the elements of a Guest WiFi connection in which ALE Stellar APs and the Octopus WiFi platform work together.
The different steps in the flow are described below.
1- The wireless device associates to the OmniAccess Stellar Access Point (802.11).
2- The network assigns an IP address to the device. If MAC authentication is configured on the Access Point, the Radius server receives the MAC-authentication Access-Request from the AP.
a. If the MAC of the device is cached on the server, Radius answers with an Access-Accept and the session starts (accounting process). Go to step 9.
b. If the MAC is not cached, go to step 3.
3- The device opens the browser automatically (captive portal detection), or the user opens it manually and tries to browse.
4- The Stellar AP intercepts the HTTP request and answers with an HTTP 302 redirect to the external captive portal URL defined on Octopus WiFi, appending the parameters described in section 3.3.1 (client MAC, AP MAC, SSID, original URL).
5- The Octopus WiFi platform answers with the captive portal configured for the WifiArea and WLAN.
6- The user selects an access method in the captive portal and completes the form:
a. Authentication OK: the captive portal posts the login credentials to the Access Point (step 7).
b. Authentication NOK: the captive portal shows an error message and the user can try again (step 6).
7- The Access Point sends an Access-Request packet to the Radius server.
8- The Radius server answers with an Access-Accept packet. This packet carries the Radius attributes the Access Point uses to control the user session (section 3.3.4). If the server answers with an Access-Reject, the AP redirects the user back to the portal with the errmsg parameter.
9- The Access Point sends an Accounting-Start packet to the Radius server to start session control.
a. Accounting-Interim packets are sent periodically (the configured accounting interval) to update the device session on the Radius server.
10- The Access Point sends an Accounting-Stop packet for a specific cause: disconnection from the network, session timeout, idle timeout, ...
3.2 Octopus platform, logical structure
The Octopus WiFi platform is designed for the management and control of users' Internet access networks. It allows hotspot networks to be controlled individually or in groups. The main characteristics of the platform are:
- Web management: simple and intuitive interface for managing the different sites, captive portals and access methods, and for showing analytics and reports.
- Multivendor: integrates with the most common manufacturers of WLAN solutions on the market.
- Radius AAA service developed in-house, which multiplies the possibilities of access types, control mechanisms and monitoring levels.
- Flexible and modular tool. Octopus WiFi provides an advanced permission system for different operator profiles, and a very flexible structure to group the different NAS or WiFiAreas (the name given to each site).
The next image defines the different concepts that can be managed by the administrators of the platform.
- Domain. Domains are groups of WiFiAreas that group their authentications in a Radius server. Users belonging to the same realm/domain will be able to roam between WiFiAreas.
- Independent WiFiArea. A WiFiArea that is not associated with any domain; therefore the users registered on it will not be able to connect to other WiFiAreas.
- WiFi Area Groups allow aggregated statistics to be viewed, promotions to be displayed at scale, and users to be created with permissions restricted to a group.
- WLAN Groups allow aggregated statistics to be viewed and promotions to be displayed at scale, independently of the WiFiAreas.
- WLAN: inside each WiFiArea different WLANs can be created, each associated with a network segment (SSID/VLAN). In this way the same WiFiArea can have different captive portals with different authentication methods.
The different modules of the Octopus WiFi platform can be seen in the next diagram.
3.3 Integration Details
This section describes the technical parameters of the Stellar solution that Octopus WiFi uses to implement its functionality.
3.3.1. HTTP Redirect
This is an example of the HTTP redirect in the authentication workflow (the AP sends the client to the portal URL with these query parameters):
https://app.octopuswifi.com/login/hotspot/ale?clientmac=00:00:00:00:00:01&clientip=192.168.3.160&ssid=GuestCP&switchmac=ff:ff:ff:ff:ff:ff&switchip=10.255.13.155&url=http://www.yahoo.com
Octopus WiFi uses these parameters:
OctopusWifi Object | Parameter name
WifiArea           | switchmac
WLAN               | ssid
URL Redirect       | url
Customer MAC       | clientmac
Error *            | errmsg
* Only present when the Radius server answered with an Access-Reject.
3.3.2. HTTP POST Login
The web portal page gathers the user's login credentials and sends them to the Access Point through an HTTP POST message with this format:
OctopusWifi Object | Parameter name
URL Login          | http://cportal.enterprise.alcatel-lucent.com/login
username           | user
password           | password
URL Redirect       | url
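As an added example (not code from the original document or from Octopus WiFi), the following Python shows how a portal back end would consume the redirect of 3.3.1 and produce the POST of 3.3.2: it maps switchmac, ssid and clientmac onto the WifiArea, WLAN and customer MAC, rejects requests in which those are missing, duplicated or not MAC addresses, and treats the url parameter as untrusted input before echoing it into the login form. The allowed return hosts, the landing page and the ctx field names are assumptions; the login URL and the sample query string are the ones given above (with the missing slash after "https:" restored).

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$")

# Assumed portal policy, not from the original document: the only hosts the portal
# will send a user back to via the 'url' field, and the landing page used otherwise.
ALLOWED_RETURN_HOSTS = {"www.yahoo.com"}
DEFAULT_LANDING = "https://www.example.com/welcome"
LOGIN_URL = "http://cportal.enterprise.alcatel-lucent.com/login"


def parse_redirect(redirect_url):
    """Map the query string the Stellar AP appends to the portal URL onto the Octopus
    WiFi objects of the table above. Raises ValueError when the session could not be
    attributed: switchmac, ssid or clientmac missing or repeated, or not a MAC."""
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

    def single(name, required=True):
        values = query.get(name, [])
        if len(values) != 1:
            if required:
                raise ValueError(f"parameter {name!r} missing or repeated")
            return None
        return values[0]

    ctx = {
        "wifiarea_nas_mac": single("switchmac").lower(),  # WifiArea is selected by NAS MAC
        "wlan_ssid": single("ssid"),                       # WLAN inside that WifiArea
        "client_mac": single("clientmac").lower(),         # customer device
        "return_url": single("url", required=False),       # page the user originally asked for
        "error": single("errmsg", required=False),         # only present after an Access-Reject
    }
    for key in ("wifiarea_nas_mac", "client_mac"):
        if not MAC_RE.match(ctx[key]):
            raise ValueError(f"{key} is not a MAC address: {ctx[key]!r}")
    return ctx


def is_valid_redirect(redirect_url):
    """True when parse_redirect accepts the URL, False otherwise."""
    try:
        parse_redirect(redirect_url)
        return True
    except ValueError:
        return False


def safe_return_url(candidate, default=DEFAULT_LANDING):
    """'url' is attacker-controlled (whoever sends the first HTTP request chooses it), so it
    is echoed into the login form only as an http(s) URL for an allowed host; anything
    else (javascript:, a foreign host, user@host tricks) gets the configured landing page."""
    if not candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_RETURN_HOSTS:
        return default
    return candidate


def build_login_post(ctx, user, password):
    """Return (target URL, urlencoded body) for the HTTP POST of section 3.3.2."""
    body = {"user": user, "password": password, "url": safe_return_url(ctx["return_url"])}
    return LOGIN_URL, urlencode(body)


if __name__ == "__main__":
    # Constructed from the redirect example in section 3.3.1.
    sample = ("https://app.octopuswifi.com/login/hotspot/ale?clientmac=00:00:00:00:00:01"
              "&clientip=192.168.3.160&ssid=GuestCP&switchmac=ff:ff:ff:ff:ff:ff"
              "&switchip=10.255.13.155&url=http://www.yahoo.com")
    print(parse_redirect(sample))
    print(build_login_post(parse_redirect(sample), "guest1", "pw"))
```

Two points for whoever operates this: the login POST target shown on this page is plain http:// and is served by the Access Point, so whether the credentials travel over TLS depends on the HTTPS option in the captive portal configuration (sections 4.3.2 and 4.4.3), not on the portal's own certificate. And because the url value originates from whatever the client first requested, a portal that echoes it back unchecked turns the post-login redirect into an open redirect.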
3.3.3. HTTP Logout
Users can be disconnected by sending a request to the following URL:
http://cportal.enterprise.alcatel-lucent.com/logout
3.3.4. Radius Authentication Attributes
Radius is one of a number of Authentication, Authorization, and Accounting (AAA) protocols, and carries its data in a series of attributes. In particular, Octopus WiFi uses the following:
Radius Packet                      | OctopusWifi Object   | Attribute name
Access-Request, Accounting-Request | WifiArea (AP MAC)    | Called-Station-Id (MAC part)
Access-Request, Accounting-Request | WLAN (SSID)          | Called-Station-Id (SSID part)
Access-Request, Accounting-Request | Username             | User-Name
Access-Request                     | Password             | User-Password
Access-Accept                      | Session Timeout      | Session-Timeout
Access-Accept                      | Idle Timeout         | Idle-Timeout
Access-Accept                      | Upload Speed Limit   | WISPr-Bandwidth-Max-Up
Access-Accept                      | Download Speed Limit | WISPr-Bandwidth-Max-Down
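To make the attribute table concrete, here is an added Python example (not from the original document or from Octopus WiFi) that builds the Access-Request of step 7 and the Access-Accept of step 8 on the wire as RFC 2865 defines them, including the User-Password hiding the NAS applies with the shared secret and the Response Authenticator the NAS must verify before it trusts the Session-Timeout, Idle-Timeout and WISPr bandwidth attributes. Attribute numbers come from RFC 2865 and the WISPr dictionary; the "AP-MAC:SSID" form of Called-Station-Id, the secret, the credentials and the MAC addresses are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Attribute numbers from RFC 2865 and the WISPr dictionary (vendor ID 14122).
# These constants come from the RFC and the WISPr 1.0 dictionary, not from the
# interoperability document; the packets below are constructed for illustration.
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
SESSION_TIMEOUT, IDLE_TIMEOUT = 27, 28
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
WISPR_VENDOR_ID = 14122
WISPR_BANDWIDTH_MAX_UP, WISPR_BANDWIDTH_MAX_DOWN = 7, 8
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the Radius server recovers the PAP password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, stream))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """One attribute TLV: Type (1 byte), Length including this 2-byte header, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def wispr_attr(sub_type, bits_per_second):
    """Vendor-Specific (26) carrying one WISPr sub-attribute with a 4-byte integer."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBBI", WISPR_VENDOR_ID, sub_type, 6, bits_per_second))


def build_access_request(ident, secret, username, password, ap_mac, ssid, client_mac):
    """Step 7 of the workflow: the AP's Access-Request. Called-Station-Id is assumed to be
    'AP-MAC:SSID', which is how one attribute can identify both WifiArea and WLAN."""
    request_auth = secrets.token_bytes(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode())
             + attr(CALLING_STATION_ID, client_mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_access_accept(request, secret, session_timeout, idle_timeout, max_up, max_down):
    """Step 8: the Radius server's Access-Accept with the session-control attributes."""
    ident, request_auth = request[1], request[4:20]
    attrs = (attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
             + attr(IDLE_TIMEOUT, struct.pack("!I", idle_timeout))
             + wispr_attr(WISPR_BANDWIDTH_MAX_UP, max_up)
             + wispr_attr(WISPR_BANDWIDTH_MAX_DOWN, max_down))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request, secret):
    """What the NAS must check before honouring an Access-Accept: a reply forged by a host
    without the shared secret, or one copied from a different request, fails here."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Decode the attribute list; WISPr sub-attributes are keyed as ('WISPr', sub_type)."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 10 and struct.unpack("!I", value[:4])[0] == WISPR_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            out[("WISPr", sub_type)] = struct.unpack("!I", value[6:4 + sub_len])[0]
        elif attr_type in (SESSION_TIMEOUT, IDLE_TIMEOUT):
            out[attr_type] = struct.unpack("!I", value)[0]
        else:
            out[attr_type] = value
        pos += length
    return out


if __name__ == "__main__":
    # Constructed sample: the secret, credentials and MAC addresses are made up for the demo.
    secret = b"radius1-secret"
    req = build_access_request(1, secret, "guest1", "pw", "AA-BB-CC-DD-EE-FF", "GuestCP", "00-00-00-00-00-01")
    acc = build_access_accept(req, secret, 3600, 900, 2_000_000, 10_000_000)
    print("accept verified:", verify_response(acc, req, secret))
    print("session attributes:", parse_attributes(acc))
```

The verification step is the part worth keeping in mind when reviewing a deployment: with Radius over UDP the only thing binding an Access-Accept to its request and to the shared secret is that 16-byte MD5 value, so a NAS that skips the check, or a secret that is short or shared across many sites, lets anyone on the path between AP and server inject an accept carrying long timeouts and no bandwidth limits. The User-Password hiding is likewise only as strong as the secret, which is why the firewall rules in 4.1.1 should restrict who can reach ports 1812/1813 at all.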
4. Configurations
4.1 Prerequisites
4.1.1. Firewall permissions
If there is a firewall in the network that might block the traffic, the following destinations must be allowed for user authentication to work:
Radius servers (from the network equipment that sends the Radius requests, i.e. the NAS MAC addresses collected in 4.1.2, to the Octopus WiFi Radius servers):
- Primary: <IP-radius1>, ports 1812 and 1813 UDP
- Secondary: <IP-radius2>, ports 1812 and 1813 UDP
Splash portal servers (from the guest clients to the captive portal):
- Domain <domain-name>, ports 80 and 443 TCP
4.1.2. Collect customer information
Collect everything needed to configure the guest access:
WiFiArea Name. The name of the installation in the Octopus WiFi platform.
Location. Shows the location of the WiFiArea on a map.
Access Methods:
- User Registration: the user is authenticated after completing a form with personal information.
- Social Networks: access using the credentials of different social networks. Currently the Octopus WiFi platform supports the following social networks: Facebook, Twitter, Instagram, LinkedIn and Google+.
- Ticket or Voucher: an access code generated in the Octopus WiFi platform.
- Free Access: the user is authenticated with one "click", accepting the terms and conditions of the service.
- PayPal: the user pays for the access code through the PayPal gateway.
- SMS: the access codes are sent by SMS after the user fills in a form.
- Sponsor: the user asks the host or sponsor for credentials and the host accepts or rejects the request via email.
- Other methods: integration with CRMs, validation using other apps, etc.
WLANs: SSIDs that will use the Octopus WiFi captive portal to authenticate users. For user authentication to work, the WLAN name configured in the Octopus WiFi platform must be the same as the SSID radiated by the access points.
Redirection web site: web site where users are redirected after successful authentication in the captive portal.
WLAN Solution: WLAN hardware solution where the redirection to the captive portal and the Radius server parameters are configured. In this case "ALE".
NAS (Network Access Server): the MAC addresses of the devices that will send the users' authentication requests to the Radius server must be added. These MAC addresses can be obtained from the AP section.
After opening the AP section, the MAC address of each access point can be checked there.
4.2 OctopusWiFi
4.2.1. General
With the Octopus WiFi platform you manage the different hotspots or WifiAreas, selecting the profiles and the desired validation methods. The different configuration possibilities are described below.
It is advisable to create a WifiArea for each physical installation, so that statistics can be disaggregated and configurations kept as flexible as possible. These are the fields:
- Name of the WifiArea or WiFi hotspot.
- Physical address of the WifiArea. Once the address is entered, verify it in Google Maps; otherwise the WifiArea cannot be created correctly.
- Domain the WifiArea belongs to, or whether it is an independent one. It is important to be clear about this concept: once the WifiArea is created this parameter cannot be changed, since all the Radius connection relationships are generated from it.
- WLAN solution or infrastructure manufacturer (ALE Stellar). Depending on the selected manufacturer there will be a link to the configuration manual with detailed instructions.
- MAC addresses of the NAS, i.e. the devices that send the requests to the Radius server, so that the server can identify where the requests come from. The configuration manual explains how to find the MACs that must be added in each case.
4.2.2. Access methods
In this submenu you can configure the different WiFi service access methods that will appear
in the captive portal. They may be selected from the following:
User registration: in this case the users, through the captive portal, can complete a form to register, and their data are stored in the database. You can configure the fields of the form and whether each one is mandatory. The selectable fields are:
Name and surname
Birth date
Sex
Telephone number
Postal Code
Country
Room number (Intended for hotels)
Social networks: Possibility of access through the credentials of different social networks that
are detailed below.
- Facebook. Depending on the permissions the user grants, the following data can be collected:
  Facebook ID
  Name and surname
  Email (depending on user privacy)
  Sex (depending on user privacy)
  Age (requires app permissions and depends on user privacy)
  "Likes" (requires app permissions and depends on user privacy)
- Twitter. Data collected:
  Twitter ID
  Name and surname (the Twitter alias, which does not usually coincide)
  Email (requires app permissions)
- LinkedIn. Data collected:
  LinkedIn ID
  First name
  Surname
  Email (depending on user privacy)
- Instagram. Data collected:
  Instagram ID
  First name
  Surname
- Google. Data collected:
  Google ID
  First name
  Surname
  Email
Accept Conditions or Free Access. In this case access is granted by pressing a "Sign in" button after accepting the conditions of use of the service. The only identifying data of the user's connection is the MAC address.
Ticket or Voucher: the different formats that can be generated in the "Tickets" module can be configured. Depending on the configuration, the credentials can be printed, sent by email or generated from an external API. There are 4 formats:
- Individual Ticket: intended for individual use, although the number of simultaneous devices for which the generated ticket is valid can be configured, since the same user may use several devices at once. They have a fixed duration and are also ideal when the rates are associated with a price.
- Variable Time Ticket: also for individual use, but with the particularity that the validity time of the ticket can be chosen within a certain range of dates.
- Group Ticket: the number of simultaneous users that can connect with the ticket can be selected. Ideal for groups of people.
- Customisable Ticket: the ticket is fully customisable (including the access credentials) and is ideal for special cases such as events.
In addition to selecting the types of codes to issue, 3 other important characteristics can be configured:
- Methods of issuing tickets: printing (several formats) and sending by email (an SMTP server can be configured).
- Format of access codes: user/password or just a passcode.
- Extra fields of the validation form, if other customer data are to be collected: email, name and surname, date of birth, sex, ... The access form is then composed of the passcode or user/password plus the configured personal data.
PayPal or access via payment gateway: pre-paid access can be configured in the captive portal through the PayPal gateway. The user can pay by entering credit card details or directly with a PayPal account.
A PayPal Business account can be configured in the Settings section so that the charges are sent to it.
SMS: credentials to access the service are sent by SMS. The user must first register with a mobile number.
Extra fields of the validation form can be requested if other customer information is to be collected: email, name and surname, date of birth, sex, ... The access form is then composed of the passcode received by SMS plus the configured personal data.
SMS gateways for sending the messages can be configured in the Settings section.
APP: if the client has an app, validation for WiFi access can be done directly from it. To develop this functionality, contact TCN support, who will deliver the development instructions that must be included in the app.
PMS: in the case of hotels, access through the personal data of the user's check-in (room number and surname), which makes access self-service while restricting it to guests only. Besides validating only during the check-in/check-out dates, the platform is prepared so that different services can be selected, and depending on the service a charge to the room may apply.
Note that this access method requires a special integration between the different systems. In case of doubt consult the support team.
Sponsor or Sponsored WiFi: functionality oriented to office environments or guest access scenarios where the guest should not depend on particular staff for the delivery of credentials; the connection service is offered directly between the guest and the host. The guest requests credentials through the captive portal and receives them by email or SMS once the host has accepted.
Configurable parameters:
- Channel for sending credentials to the guest: email or SMS. Depending on the option chosen, select the SMTP mail server or SMS gateway from which the data are sent.
- Domains allowed for host emails. The mail domains authorised to receive sponsor requests can be configured; the idea is that these are the corporate mail domains of the companies. Keep this list to those domains, since any address in an allowed domain can approve a request.
- Extra fields of the validation form, if other customer data are to be collected: email, name and surname, date of birth, sex, ...
With each of the access methods the following can also be configured:
- Return of RADIUS attributes to the WLAN solution in the user-validation response to the Wi-Fi controllers, such as speed limits, session time, idle time and the redirection page shown after login. Depending on the WLAN solution there will be more or fewer parameters.
- MAC caching for a configurable time, explained in another section.
- Maximum number of simultaneous devices that can connect with a single user.
4.2.3. WLAN
Within each WifiArea different WLANs can be created, that is, different captive portals associated with different SSIDs configured in the network. Within a WLAN you can configure:
- WLAN tag: depending on the manufacturer, there is a WLAN tag to identify the connections of a specific SSID or VLAN. The configuration instructions of each manufacturer show where to configure it in the hardware solution.
- Captive portal template: the design of the captive portal, configured in the section WifiAreas > Portals.
- Access methods that should appear in the WLAN, from those configured in the previous section.
- Terms and conditions of use. Very important field, since the conditions of use are accepted by users before accessing the service, together with the information on the processing of personal data.
- Redirect URL or landing page after login. Configurable per access method.
- Legal regulation check boxes. Legal consent fields selectable by users after login, according to the GDPR regulation of 25/05/2018. Texts are editable for each language configured in the portal.
4.3 OmniAccess Stellar Express
4.3.1. WLAN Settings
First of all, to configure an external captive portal on an SSID, add a new WLAN or edit an existing one. To add the new WLAN, go to the WLAN section and click New.
Configure the following parameters once the WLAN configuration window is displayed.
WLAN Name: SSID name that will be visible to the wireless users.
Security Level: Open
Captive Portal: Yes
Inactivity Timeout Status: on
Inactivity Timeout Interval: 900
Enable: Yes
After making these changes, click Save to store the new configuration.
4.3.2. Captive Portal
Then configure all the parameters related to the captive portal. Go to Access > Authentication and click Authentication to open the configuration window.
Once the configuration window is displayed, please perform the following configuration as it is
shown below:
HTTPS: on
External Captive Portal: check this option.
Captive Portal Server:
Hostname: <domain-name>
Redirect URL: /login/hotspot/ale
Redirect URL param: disable
Authentication Server:
Server IP/Hostname: <radius1-ip>
Authentication Server Port: 1812
Secret: <radius1-secret>
Confirm: <radius1-secret>
Radius Accounting: check this option.
Accounting Server Port: 1813
Accounting Interval: 600
After having done all the configuration, please click in the Save button to save all these
changes.
Finally, it is required to add the domains that the users will be able to visit without being
authenticated in the captive portal. Go to the Access > Black List & White List section and open
the Walled Garden tab.
Then, select the Domain option and add all the required domains.
Service      | Domains
Octopus WiFi | app.octopuswifi.com (or whitelabel domain), www.google-analytics.com
Facebook     | www.facebook.com, m.facebook.com, facebook.com, connect.facebook.net, static.xx.fbcdn.net, akamaihd.net, fbcdn.net
Twitter      | twitter.com, mobile.twitter.com, api.twitter.com, twimg.com, abs.twimg.com, abs-0.twimg.com, pbs.twimg.com
LinkedIn     | linkedin.com, licdn.net, licdn.com, www.linkedin.com, static.licdn.com
Instagram    | instagram.com, api.instagram.com, www.instagram.com
Google       | accounts.google.com, ssl.gstatic.com, accounts.youtube.com, accounts.google.es
PayPal       | paypal.com, paypalobjects.com
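The same list is used for the Enterprise Access Role Profile in 4.4.3. As an added example (not code from the original document or from Octopus WiFi), the Python below encodes this list and evaluates it the way a domain walled garden is normally evaluated, as the domain itself or any subdomain of it (an assumption; check the vendor's exact semantics). Two things become visible: a host such as facebook.com.evil.example does not match, while any host under the CDN apex entries akamaihd.net and fbcdn.net is reachable before login. The probe hosts are constructed.

```python
from urllib.parse import urlsplit

# The walled-garden list from the table above, grouped by the service it serves.
# Each entry is matched as the domain itself or any subdomain of it (assumed
# semantics). The probes in __main__ are constructed for the demo.
WALLED_GARDEN = {
    "Octopus WiFi": ["app.octopuswifi.com", "www.google-analytics.com"],
    "Facebook": ["www.facebook.com", "m.facebook.com", "facebook.com", "connect.facebook.net",
                 "static.xx.fbcdn.net", "akamaihd.net", "fbcdn.net"],
    "Twitter": ["twitter.com", "mobile.twitter.com", "api.twitter.com", "twimg.com",
                "abs.twimg.com", "abs-0.twimg.com", "pbs.twimg.com"],
    "LinkedIn": ["linkedin.com", "licdn.net", "licdn.com", "www.linkedin.com", "static.licdn.com"],
    "Instagram": ["instagram.com", "api.instagram.com", "www.instagram.com"],
    "Google": ["accounts.google.com", "ssl.gstatic.com", "accounts.youtube.com", "accounts.google.es"],
    "PayPal": ["paypal.com", "paypalobjects.com"],
}


def _matches(host, domain):
    # Exact match or a label boundary: 'evil-facebook.com' must not match 'facebook.com'.
    return host == domain or host.endswith("." + domain)


def host_allowed(host, garden=WALLED_GARDEN):
    """Return the service whose entry admits this host before login, or None."""
    host = host.lower().rstrip(".")
    for service, domains in garden.items():
        if any(_matches(host, d) for d in domains):
            return service
    return None


def url_allowed(url, garden=WALLED_GARDEN):
    """Same check for a full URL; only the host matters to a domain walled garden."""
    return host_allowed(urlsplit(url).hostname or "", garden)


def redundant_entries(garden=WALLED_GARDEN):
    """Entries already covered by a shorter entry in the same list, e.g. www.facebook.com
    by facebook.com. Harmless on their own, but they hide how broad the short entry is."""
    found = []
    for domains in garden.values():
        for d in domains:
            if any(other != d and _matches(d, other) for other in domains):
                found.append(d)
    return found


if __name__ == "__main__":
    for probe in ("api.twitter.com", "anything.akamaihd.net", "facebook.com.evil.example"):
        print(probe, "->", host_allowed(probe))
    print("redundant:", redundant_entries())
```

Entries such as akamaihd.net and fbcdn.net are there because the social login pages load assets from them, but as suffix entries they admit every host on those CDNs to unauthenticated clients; if the vendor's walled garden supports exact-host entries, prefer the specific hosts the login flow actually needs.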
4.3.3. Additional Settings
MAC Authentication
To enable MAC Authentication, it is necessary to edit the WLAN in use, so click in the WLAN
that will use this new functionality to be able to configure it.
Once the configuration window is displayed, please select the corresponding WLAN and
perform the following configuration:
MAC Authentication: check this option.
Server IP/Hostname: <radius1-ip>
Authentication Server Port: 1812
Secret: <radius1-secret>
Confirm: <radius1-secret>
Account: check this option.
Accounting Server Port: 1813
Accounting Interval: 600
After having done all the required changes, please click in Save to save the new configuration.
4.4 OmniAccess Stellar Enterprise
4.4.1. Radius Server
The first thing will be to configure the radius servers of the platform. Go to the section:
"Security> Authentication Servers> Radius" and add a new radius (modify if you want one
already created). Enter the following values:
Server Name: Radius1
Host Name / IP Address: <radius1-ip>
Backup Host Name / IP Address: <radius2-ip>
Retries: 3
Timeout: 2
Shared Secret: <radius1-secret>
Confirm Secret: <radius1-secret>
Authentication Port: 1812
Accounting Port: 1813
4.4.2. AAA Server Profile
Within the OmniVista interface, go to "WLAN> AAA Server Profile" and add a new profile
(modify if you want one already created). Edit the following parameters:
Profile name: For example aaaServerProfile_Guest
Authentication Servers > Captive portal > Captive Portal Primary, and select the radius
created above: Radius1
Accounting Servers > Captive portal > Captive Portal Primary, and select the radius
created above: Radius1
4.4.3. Access Role Profile
Within the OmniVista interface, go to "WLAN> AAA Role Profile" and add a new profile (modify
if you want one already created). Edit the following parameters:
Profile name. For example: accessRoleProfile_Guest
Section Walled Garden, add the basic and desired domains depending on the services
you want to configure.
Service      | Domains
Octopus WiFi | app.octopuswifi.com (or whitelabel domain), www.google-analytics.com
Facebook     | www.facebook.com, m.facebook.com, facebook.com, connect.facebook.net, static.xx.fbcdn.net, akamaihd.net, fbcdn.net
Twitter      | twitter.com, mobile.twitter.com, api.twitter.com, twimg.com, abs.twimg.com, abs-0.twimg.com, pbs.twimg.com
LinkedIn     | linkedin.com, licdn.net, licdn.com, www.linkedin.com, static.licdn.com
Instagram    | instagram.com, api.instagram.com, www.instagram.com
Google       | accounts.google.com, ssl.gstatic.com, accounts.youtube.com, accounts.google.es
PayPal       | paypal.com, paypalobjects.com
In Captive Portal Attributes complete with the following information:
o Captive Portal Auth: External.
o Portal Server: <domain-name>
o Redirect-URL: /login/hotspot/ale
o HTTPS Redirection: Enable
o AAA Server Profile. Select the server profile created above:
aaaServerProfile_Guest
4.4.4. WLAN Service
Within the OmniVista interface, go to "WLAN> WLAN Service" and add a new profile (modify if
you want one already created). Edit the following parameters:
Service Name. For example: wlanService_Guest
SSID Settings > Basic:
o ESSID: SSID Guest name, for example "WIFIGuest"
o Hide SSID: Disabled
o Enable SSID: Enabled
SSID Settings > Security
o Security Level: Open
o MAC Auth: Disabled
Default Access Role Profile: Select the role profile created
above, accessRoleProfile_Guest
4.4.5. Apply Configuration to devices
Once all the configuration has been created, deploy it to the devices:
- Go to WLAN > Access Role Profile, select the new role created for WifiGuest and click the "Apply to Devices" button. Then select the VLAN the role will be mapped to and the AP Group where it will be deployed. Finally, check that it has been deployed correctly.
- Within WLAN > WLAN Services, select the new service created for WifiGuest and click the "Apply to Devices" button. Then select the AP Group where the WLAN service will be deployed. Finally, check that it has been deployed correctly.