WS5100 3.0 Hotspot Document by hedongchenchen

VIEWS: 305 PAGES: 28

									Technology Brief: WS5100 3.0 Hotspots

WS5100 3.0 HOTSPOT IMPLEMENTATION ......................... 2
INTRODUCTION ......................................................................... 2
OVERVIEW ................................................................................... 2
WS5100 HOTSPOT FEATURE................................................... 3
HOTSPOT SETUP OVERVIEW ................................................ 5
   HOTSPOT WEB PAGES ................................................................... 5
   RADIUS SERVER SETUP ................................................................. 6
   ACL’S............................................................................................ 7
   EXAMPLE SCENARIO & CONFIGURATION ..................................... 8
   SAMPLE CONFIGURATION 1 .......................................................... 9
      Configuration Steps ................................................................... 9
   SAMPLE CONFIGURATION 2 ........................................................ 11
      Configuration Steps ................................................................. 11
      Setting up Windows 2003 IIS Server ....................................... 20
      IIS Server Configuration.......................................................... 22
      Sample HTML Pages / CGI Script for External Hotspots ...... 23
   GUEST USER – EASY BUTTON..................................................... 25
   ..................................................................................................... 27
   TROUBLESHOOTING HOTSPOTS .................................................. 28

                                               Page 1 of 28
Technology Brief: WS5100 3.0 Hotspots

WS5100 3.0 Hotspot Implementation

This document serves as a technology brief for the Hotspot feature available in WS5100
3.0 (WiNG). The purpose of this document is to explain the technical details of the
Hotspot feature, provide configuration steps, sample Hotspot configuration files and
recommend best practices for its design and implementation. This document is intended
for use by a Symbol Systems Engineer.

A Hotspot (also referred to as a Captive Portal) is basically a web page that users are
forced to visit before they are granted access to the Internet. With the advent of Wi-Fi
enabled client devices such as laptops and PDA’s – commercial hotspots are quite
common these days and can be found at many airports, hotels and coffee shops. These
Commercial Hotspots are often setup and operated by either a wireless phone company
like T-Mobile/ Sprint or by a specialized service provider (like Boingo/ Wayport).

Given the convenience and many benefits of WiFi, businesses are increasingly keen on
setting up Enterprise Hotspots to provide wireless Internet access to their vendors,
partners and other visitors. This also allows an enterprise to leverage its existing
investment by using the same wireless infrastructure to provide Internet access for guests.
Allowing visitors to use an Enterprise WLAN as a Hotspot is known as enabling Guest

While the most common usage scenario for Enterprise Hotspots is enabling guest access
for visitors in conference rooms, this feature can have some special and very strategic
applications in the vertical markets as well.

    -    Retailers setting up free In-Store-Hotspots could attract more visitors/ potential
    -    Could get existing customers to spend more time (and maybe dollars) per visit.
    -    Generally improve the in store customer experience and build loyalty.
    -    Allow partners and suppliers to access remote information systems to track
         orders, check latest pricing while on a visit.
    -    Healthcare facilities could enable Wi Fi access for visitors.

Commercial hotspots usually charge users a one time access fee or require       a monthly
subscription plan. Enterprise Hotspots are generally setup to provide free      of charge
Internet access. The design goals for commercial and enterprise hotspots        are vastly
different – in their security and QOS considerations. Amongst other things      one of the

                                         Page 2 of 28
Technology Brief: WS5100 3.0 Hotspots

key differences between commercial and enterprise hotspots is the need for a specialized
billing system/ server to handle credit card payments in commercial deployments.

The AAA server on the WS5100 3.0 can be easily integrated with a 3rd party billing
system to enable commercial hotspots. For an Enterprise Hotspot, the WS5100 is
perfectly suited as a Hotpot-in-a box solution - complete with all the components
required to setup free and secure Wi Fi guest access.

This paper is focused on Enterprise Hotspot implementations.

WS5100 Hotspot Feature
The hotspot feature was first introduced in the WS2000 (2.0 firmware release) and has
been available on the WS2000 andAP5131 for some time now. This feature is now also
available on the WS5100 3.0 (WiNG) release.

Basically theWS5100 Hotspot feature re-directs user traffic (for the Hotspot WLAN) to a
web page that requires them to authenticate before allowing them access to the WLAN.
This IP-Redirection requires no special software on the client but it does require that the
client WLAN adapter be set to receive its IP configuration through DHCP. Following a
sequence of events for a user requiring Hotspot access:

    1.  A visitor with a laptop needs Hotspot access.
    2.  User ID/ Password and the Hotspot ESSID are issued by a receptionist or IT staff.
    3.  The user connects their laptop to this ESSID
    4.  Laptop receives its IP configuration via DHCP. This DHCP service can be
        provided by an external DHCP server or it can be provided by the internal DHCP
        server located on the WS5100.
    5. User opens a web browser and tries to connect to their Home Page.
    6. WS5100 re-directs them to the Hotspot Web Page for authentication.
    7. User enters their User ID/ Password.
    8. A RADIUS server authenticates the user.
    9. Upon successful authentication the user is directed to a Welcome Page that lists
        among other things an Acceptable Use Policy, Connection Time remaining and an
        I Agree button**.
    10. User accepts by clicking the I Agree button and now has access to the Internet. (or
        other network services as configured)

                                        Page 3 of 28
Technology Brief: WS5100 3.0 Hotspots

Implementation of HTTP Redirection in the WS5100

To accomplish the redirection of user traffic from their default home page to the login
page theWS5100 uses destination network address translation (destination NAT is similar
to the source NAT/ PAT but the destination ip address and port get modified instead of
the source as in traditional NAT). More specifically when the WS5100 receives an HTTP
web page request from the user (when the client first launches its browser after
connecting to the WLAN), a protocol stack on the WS5100 intercepts this request and
sends back an HTTP response after modifying the network and port address in the packet
thereby acting like a proxy between the User and the web site they are trying to access.

Note the following characteristics of the IP Redirection feature for an unauthenticated
hotspot client:

         -    DHCP and DNS traffic are allowed and not redirected
         -    HTTP traffic is redirected to the Hotspot Login page.
         -    All other traffic is dropped.

This behavior can be understood by observing the following scenario:

An unauthenticated hotspot client associates to the hotspot WLAN. The client WLAN
adapted initiates a DHCP broadcast. WS5100 detects this as DHCP broadcast traffic from
an unauthenticated Hotspot WLAN client. The switch forwards these frames to the
DHCP server and does not redirect them. The DHCP server responds with an IP
configuration for the client and the client is now ready to access the network.

The user then initiates an HTTP session to WS5100 detects this as
DNS traffic and again does not redirect this. The DNS server resolves this domain name
to an ip address like (for The client initiates a TCP
session with host This session begins with the client sending a TCP SYN to
target IP The WS5100 now intercepts this session and responds with a
SYN/ACK back to the client – in the process modifying the source ip address and source
port of this return packet to The client completes the TCP 3 way
handshake with the WS5100 acting as a proxy for the destination IP

Assuming the TCP session opened - the client now sends an HTTP GET to the
destination URL. This HTTP GET is again intercepted by the WS5100 and redirected to
the Hotspot web site The client is now redirected
to the Login.htm web page of the Hotspot instead of landing on their destination web site
( The client enters its identification information and is authenticated
with the Radius server. Upon successful authentication the client is presented with the
Welcome.htm page, all client traffic from this point forward is authenticated and is
forwarded to the Internet. (till the user session expires)

                                         Page 4 of 28
Technology Brief: WS5100 3.0 Hotspots

Hotspot Setup Overview
To setup a Hotspot on a WS5100 first create a WLAN ESSID and select Hotspot
authentication from the Authentication menu. This is simply another way to authenticate
a WLAN user for it would be impractical to authenticate visitors using 802.1x

Tip: In WS5100 3.0 create a WLAN by editing an existing WLAN template. (Select Network -> Wireless LANs -> Edit). See the
System Reference Guide for detailed step by step instructions.

Having enabled a Hotspot – you will need to configure it. There are 2 parts to the Hotspot

     -    Setting up the Hotspot Web Pages. (Click on the Config button next to Hotspot)
     -    Setting up the Radius server. (Click on the Radius Config button on the WLAN
          Edit Popup)

These configuration steps have been detailed in the following sections.

Hotspot Web Pages

3 HTML pages are required for the Hotspot. A Login Page, a Welcome Page and a Failed
Page. The Login Page to allow a user to enter their login credentials. A Welcome Page to
display upon successful authentication and a Failed Page to show an unsuccessful or
failed authentication.

These Hotspot Web Pages on a WS5100 can be setup in 3 modes:

     -    Internal: The 3 HTML pages with the basic functionality are already made
          available on the WS5100’s onboard HTTP server. These 3 pre created pages can
          collect login credentials through Login.htm, send them to a Radius server and
          show a Welcome.htm or a Faliure.htm depending on the result of the
     -    External Mode: A customer may wish to host their own external web server with
          more advanced web content (using XML, Flash). Use the External Mode to point
          theWS5100 to an external hotspot.
     -    Advanced Mode: A customer may wish to use advanced web content (XML,
          Flash) but may not have or would not want to use an external web server choosing
          instead to host the web pages on the WS5100’s HTTP web server. Selecting the
          Advanced mode allows importing the web pages from an external source (like an
          FTP server) and hosting them on theWS5100.

Depending on customer requirements choose one of the above modes for setting up the
Hotspot web server.

                                                     Page 5 of 28
Technology Brief: WS5100 3.0 Hotspots

Radius Server Setup

Radius servers are commonly used for web authentication, 802.1x wired and wireless
authentication. The WS5100 has an onboard Radius server and a built-in User Database
that can be used for Hotspot authentication amongst other applications

NOTE: for a full brief on the Radius functionality and configuration read the WS5100 3.0: Radius, AAA & PKI Technology Brief.

There are 3 options for a Radius setup to be used for Hotspot authentication:

     -    WS5100 Onboard Radius and built-in User Database.
     -    WS5100 Onboard Radius and External User Database (configured using LDAP)
     -    External Radius and External User Database. (Example: Using a Windows Server
          2003’s Radius Server - IAS along with the Windows Active Directory User

Radius implementation preferences will vary based on the customer network and security
environment. Customers with a very high concern for auditing and security may enforce
all authentications on a centralized AAA server. Other customers may choose a
centralized AAA implementation for corporate users but may not want to allow guest
user accounts on their corporate Radius servers – choosing instead to use the onboard
Radius server for temporary accounts required for guest access. Some other customers
may simply choose to use the on-board Radius server for ease of setup and user database

For Hotspot deployments it is generally recommended that you use the onboard Radius
server with the built-in User Database. This will be the easiest setup option and yet offers
a high degree of security and accountability.

Management systems like MSP and Pocono can be used to monitor the switch and track
Hotspot User activity and network utilization. In addition the Radius database records
can be exported to an external system for further analysis.

                                                       Page 6 of 28
Technology Brief: WS5100 3.0 Hotspots

Securing the Corporate Network using VLAN’s and ACL’s

As discussed above setting up a secure Hotspot requires separating the hotspot/guest
traffic from the corporate network. Network traffic separation is achieved by creating a
separate VLAN and mapping the hotspot WLAN to that VLAN. Additional security
measures may be applied based on customer requirements and security policies. These
measures may include restricting guess access to say HTTP traffic only and not allowing
other TCP based services like FTP and Telnet – for the hotspot WLAN.

VLANs have traditionally been used in wired and wireless networks for broadcast
domain separation and for restricting access to network resources. VLAN’s are useful in
a hotspot deployment to separate guess traffic from the corporate network. This
separation of guest traffic means broadcasts from the Guest WLAN won’t reach the
Corporate WLAN and vice versa. Unnecessary broadcast traffic (from guest laptops,
PDA’s) can reduce the battery life of mobile devices on the corporate WLAN – and
hence should not be allowed to reach those devices. Establishing a separate VLAN for
guest traffic and mapping the Hotspot WLAN to this VLAN allows for such broadcast
domain separation.

Implementing VLAN’s on the WS5100 3.0 is a 2 step process. The first step is to create a
Switch Virtual Interface. The Switch Virtual Interface sometimes referred to as the Layer
3 Interface is created by adding an interface, configuring its Layer 3 interface IP address
and assigning it a VLAN identifier. The second step in configuring the VLAN is to assign
this Layer 3 VLAN Interface/ Switch Virtual Interface to an actual switch port (Eth1 or
Eth2). It is recommended the Guest VLAN be created and applied to the Eth2 interface
on the WS5100. Remember this port (Eth2) always has VLAN1 as its default
management VLAN. Adding another VLAN to this port will require changing the
“VLAN mode” of this port from Access to Trunk. See the configuration steps in the
following sections to enable a VLAN interface for the Hotspot WLAN.

However doing this alone will not secure the corporate network. The Hotspot WLAN
may still have access to the corporate network though a router in the network core.
Restricting VLAN clients from accessing network resources can be achieved through the
use of ACL’s. Access Control Lists can be implemented on the Hotspot WLAN’s VLAN
interface to allow guests, access the Internet only without allowing them access to the rest
of the corporate network.

Implementing ACLs on the WS5100 is a 3 step process and requires creating the ACL,
adding associated rule and then applying it to a switch port (Eth1/ Eth2) or to a VLAN

                                        Page 7 of 28
Technology Brief: WS5100 3.0 Hotspots

Example Scenario & Configuration

Consider a scenario where ABC Enterprises has a corporate WLAN implemented using a
WS5100. The company is now interested in extending its WLAN access to visitors to
provide complimentary Internet access using the same wireless infrastructure (WS5100 +
AP300). Security requirements in extending the guest access include separating the
secured corporate WLAN from the less secure hotspot WLAN and limiting guest access
to web browsing only –FTP, Telnet and all other applications should be blocked.

The sample configurations in the following section propose 2 solutions to this scenario.

    -    Sample Configuration 1: Implements the Hotspot portal using the Simple Option
         (WS5100 supplied HTML pages and built in HTTP server) + WS5100 Onboard
         Radius server using the built-in User Database.
    -    Sample Configuration 2: Implements the Hotspot using the External Option (a
         Windows 2003 IIS server) + WS5100 Onboard Radius server using the built-in
         User Database.

                                        Hotspot Network Topology


                                                         Corp          Internet


                                               Page 8 of 28
Technology Brief: WS5100 3.0 Hotspots

Sample Configuration 1

Sample Configuration 1: Implements the Hotspot portal using the Simple Option
(WS5100 supplied HTML pages and built in HTTP server) + WS5100 Onboard Radius
server using the built-in User Database.

Follow these steps to

    -    Create a VLAN interface
    -    Create an ACL
    -    Apply the ACL to this VLAN Interface
    -    Create a Hotspot WLAN
    -    Use the Simple Option to Setup the Hotspot Portal
    -    Use the WS5100 Onboard Radius server using the built-in User Database to
         create a User Account : Bob

NOTE: This configuration uses an external DHCP server on the network.

Configuration Steps

This procedure assumes you have installed a WS5100/ AP300. For assistance with
WS5100 installation refer to the System Reference guide.

Step 1: Login to the Switch CLI and create a VLAN Interface (Highly

     Username: admin


     Welcome to CLI


     WS5100*#conf t

     WS5100(config)*#interface VLAN 101

     WS5100(config-if)#ip address

Step 2: Configure an IP Extended ACL (Recommended but can be skipped)

     WS5100(config)*#access-list 100 permit tcp any any eq 80 wlan 2

     WS5100(config)*#show access-list 100

                                        Page 9 of 28
Technology Brief: WS5100 3.0 Hotspots

     Extended IP access list 100

            permit tcp any any eq 80 wlan 2 rule-precedence 1

Step 3: Apply the ACL to the VLAN Interface (skip this if you skipped Step 2

     WS5100(config)#interface vlan101

     WS5100(config-if)#ip access-group 100 in

Step 4: Create the Hotspot WLAN (Required step)


     WS5100(config–wireless)#wlan 2 ssid hotspot

     WS5100(config-wireless)*#wlan 2 vlan 101

     WS5100(config–wireless)#wlan 2 authentication-type hotspot

     WS5100(config–wireless)#wlan 2 hotspot webpage-location internal

     WS5100(config-wireless)*#wlan 2 radius server primary

     WS5100(config-wireless)*#wlan 2 radius server primary radius-key
     0 symbol

     WS5100(config–wireless)#wlan 2 enable

Step 5: Configuring the Radius Server


     WS5100(config)#radius-server-key 0 symbol

     WS5100(config)*#radius-server local

     WS5100(config-radsrv)*#authentication data-source local

     WS5100(config-radsrv)*#authentication eap-auth-type all

     WS5100(config-radsrv)*#nas key 0 symbol

     WS5100(config-radsrv)*#group hotspot-users

                                        Page 10 of 28
Technology Brief: WS5100 3.0 Hotspots

     WS5100(config-radsrv-group)*#guest enable


     WS5100(config-radsrv)*#rad-user bob password 0 bob group
     hotspot-users guest expiry-date 31:08:2007 expiry-time 19:00

     WS5100(config-radsrv)*#service radius restart

Sample Configuration 2

Sample Configuration 2: Implements the Hotspot using the External Option (a
Windows 2003 IIS server) + WS5100 Onboard Radius server using the built-in User

This example uses the GUI to setup the Hotspot

Configuration Steps

This procedure assumes you have installed a WS5100/ AP300. For assistance with
WS5100 installation refer to the System Reference guide.

Step 1: Login to the Switch GUI and create a VLAN Interface (Highly

1.1 Select Network  Switch Virtual Interface from the menu on the right

                                        Page 11 of 28
Technology Brief: WS5100 3.0 Hotspots

1.2 Click on the Add button (at the bottom) to get the Network  Switch Virtual
Interfaces popup

         1.2.1 Enter VLAN ID as 101
         1.2.2 Select Use DHCP to obtain IP Address automatically
         1.2.3 Click OK

                                        Page 12 of 28
Technology Brief: WS5100 3.0 Hotspots

1.3 Now select Layer 2 Virtual LAN’s from the menu on the left, highlight eth2 (in the
right window) and click Edit to get the Network  Layer 2 Virtual LANs  Edit popup

         1.3.1 Select Trunk from the Mode drop-down
         1.3.2 The Selected VLANs option will become available for editing. Add VLAN
         101 to this list separated by a coma.
         1.3.3 Click OK

                                        Page 13 of 28
Technology Brief: WS5100 3.0 Hotspots

Step 2: Configure an IP Extended ACL (Recommended but can be skipped)

2.1 Select Security  ACLs from the menu on the right.

2.2 Click on the ADD button under the Configuration tab to get the Security ACLs 
Configuration Add popup

         2.2.1 Click on the ACL Type dropdown and select Extended IP List
         2.2.2 Enter ACL ID as 2000
         2.2.3 Click on OK

                                        Page 14 of 28
Technology Brief: WS5100 3.0 Hotspots

2.3 You will now see Extended IP List 2000 appear in the list of ACLs. Highlight this
Extended IP List 2000 by clicking on it and then click on Add from the Associated Rules
window on the right to get the Add Rule popup

         2.3.1 Add appropriate rules with Permit/Deny operations to meet the required
         2.3.2 Click OK

                                        Page 15 of 28
Technology Brief: WS5100 3.0 Hotspots

Step 3: Apply the ACL to the VLAN Interface (skip this if you skipped Step 2)

3.1 Click on Attach (tab)  Add to get the Security ACLsConfigurationAttach

         3.1.1 Select VLAN 101 from the Interface dropdown
         3.1.2 Select ACL ID 2000 from the IP ACL dropdown
         3.1.3 Click OK

Step 4: Create the Hotspot WLAN (Required Step)

4.1 Select Network  Wireless LANs from the Menu on the right

                                        Page 16 of 28
Technology Brief: WS5100 3.0 Hotspots

4.2 Select any available ESSID (which is not already enabled) and click Edit (at the
bottom), the Network  Wireless LAN’s  Edit window will pop up

                                        Page 17 of 28
Technology Brief: WS5100 3.0 Hotspots

         4.2.1 Change ESSID to Hotspot
         4.2.2 Change VLAN ID to 101
         4.2.3 Select Hotspot from the Authentication options
         4.2.4 Click on the Config button next to the hotspot authentication to get the
         following popup.

                                        Page 18 of 28
Technology Brief: WS5100 3.0 Hotspots

         4.2.5 Select External from the dropdown menu and enter the URL locations for
         the 3 HTML pages as shown above.

         NOTE: See the section on Setting up Windows IIS Server 2003 for enabling an
         external web server. See the section on Sample HTML Pages/ CGI Script for
         the content for the HTML pages.

         4.2.6 The Allow List on the right allows you to enter any IP address (for internal
         or external web sites) that may be accessed by the Hotspot user even without

         4.2.7 Click OK to exit from this popup and return to the Network  Wireless
         LAN’s  Edit window.
         4.2.8 Now click on the Radius Config and proceed to 4.3 below.

4.3 Click on the Radius Config button to get the Network  Wireless LANs  Edit
Radius Configuration popup

         4.3.1 Enter as the Radius Server address for the Primary Radius server.

                                        Page 19 of 28
Technology Brief: WS5100 3.0 Hotspots

         4.3.2 Change the Radius Server shared secret to symbol for the Primary Radius
         4.3.3 Click OK
         4.3.4 Click OK again on the Network Wireless LANs  Edit window
         4.3.5 Select the Hotspot WLAN and click Enable in the Network  Wireless
         LANs window

Setting up Windows 2003 IIS Server

IIS services installed on the Windows 2003 server are part of the Application Server. The
Application Server in turn has other components which can selectively be installed during
the Windows 2003 Server installation or can be later added.

If you are working with a windows Server installation that does not include IIS services,
you can add ISS though the following steps:

Step 1: Click on Start Settings  Control Panel  Add or Remove Programs

                                        Page 20 of 28
Technology Brief: WS5100 3.0 Hotspots

Step 2: Click on Add/Remove Windows Components then Select the Application Server
checkbox (if not already checked) and click on details.

Step3: Select the Internet Information Services checkbox and click OK, and then click

                                        Page 21 of 28
Technology Brief: WS5100 3.0 Hotspots

This will start the IIS installation. You may be prompted to insert the Windows 2003
Server CD to complete installation.

IIS Server Configuration

Use Start All ProgramsAdministrative Tools  Internet Information Service (IIS)
Manager to Start/ Stop the Default Web Site. After you have the IIS Server up and
running the 3 Hotspot Web Pages (Login.htm, Welcome.htm and Failure.htm) will need
to be copied to the ISS Web Server’s root directory.

Step 1: Copy the text provided for the 3 HTML files in the Sample HTML Pages section
below into a text editor (MS Word) and save them as (Login.htm, Welcome.htm and

Step 2: Edit the 3 HTML pages to change the IP address in the HTML page to the
IP address of your Wireless Switch (which is running the Radius Server)

Step 3: Copy these 3 htm files onto the Windows IIS Servers root directory – launch
Windows file explorer and copy them under C:\Inetpub\wwwroot

                                        Page 22 of 28
Technology Brief: WS5100 3.0 Hotspots

Sample HTML Pages / CGI Script for External Hotspots


<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<title>Login Page 111</title></head><body link="#FFFF77"
alink="#FFFF77" vlink="
#FFFF77" bgcolor="#225599"><font face="Verdana" color="#EEEEFF">
<center><h2>Network Login 111</h2></center><br><center><h4>Please enter
your use
rname and password 111</h4></center><br><center><table border="0"
" cellpadding="5" bgcolor="#5A77AB">
<form action="" method="POST"
<tr><td><b>Username:</b></td><td><input type="text" size="20"
<tr><td><b>Password:</b></td><td><input type="password" size="20"
<tr><td colspan="2" align="center"><input type="submit" name="submit"

                                        Page 23 of 28
Technology Brief: WS5100 3.0 Hotspots

<center><h5><i>Contact the network administrator if you do not have an
account 111</i></h5></center></font></body></html>


<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<title>Authentication success.222</title></head><body link="#FFFF77"
F77" vlink="#FFFF77" bgcolor="#225599"><font face="Verdana"
<center><img src="222"></center><center><h2>Authentication Success. 222
</h2><br><center><h4>You now have network access.<BR>Click the
disconnect link
below to end this session 222.</h4></center><br><br><br><center><a


<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<title>Unable to authenticate 333</title></head><body link="#FFFF77"
alink="#FFFF77" vlink="#FFFF77" bgcolor="#225599"><font face="Verdana"
<center><img src="333"></center><center><h2>Authentication Failed.
333</h2></center><br><center><h4>Either the username and password are
invalid, or service is
unavailable at this time 333</h4></center><br><br><br><center><a
Again</h4></a></center><center><img src="333">
</center><center><h5><i>Contact the network administrator if you do not
have an
account 333</i></h5></center></font></body></html>

This should be the IP address of your WS5100

This should be the IP address of your IIS Server

                                        Page 24 of 28
Technology Brief: WS5100 3.0 Hotspots

Guest User Application – Easy Button

Enterprise Hotpot environments need to be provisioned such that guest users accounts
can be easily and quickly setup – in most cases by a non technical front desk person. The
WS5100 3.0 provides a special Guest User applet that can be used to create and print
guest user accounts – without having to deal with the Radius server directly.

The Guest User applet is displayed when a Guestadmin user ( a special user type that can
ONLY create guest users) logs in through the WS5100 GUI. Normally when an admin
user logs in through the WS5100 GUI they are directed to the switch configuration pages.
However when the Guestadmin logs in they are directed to the Guest User applet – a
screen shot of which is shown below.

This Guestadmin account is not enabled by default. It needs to be manually configured
and in the current release it can only be configured through the CLI. Following are steps
to setup the Guestadmin account.

Step1: Connect to the WS5100 CLI over the serial or telnet interface and type the
following commands:

WS5100 release
Login as 'cli' to access CLI
WS5100 login: cli
User Access Verification
Username: admin

WS5100#configure terminal
WS5100(config)#username guestadmin password 0 symbol123
WS5100(config)#username guestadmin access snmp
WS5100(config)#username guestadmin privilege superuser webadmin
WS5100(config)#aaa authentication login default local
WS5100#write mem

Step2: Connect to the WS5100 Web GUI by opening a browser and typing to get the following login page. Login using the guestadmin account
and type the password for guestadmin. (created in Step 1 above)

                                        Page 25 of 28
Technology Brief: WS5100 3.0 Hotspots

Step3: You should now see the Guest User creation applet

                                        Page 26 of 28
Technology Brief: WS5100 3.0 Hotspots

A User can be created by typing in the User name. Passwords can be automatically
generated by clicking Generate. If simpler passwords are required, they can simply be
typed in (as long as they meet the minimum password requirement). Select the User
Group from the drop down*. Click Apply to create the User. Then click Print to print a
voucher for the visitor.

*This User Group will need to be pre-created and should be done when the Hotspot
WLAN/ Radius server was setup. This Guest User applet will only create Users, it cannot
be used to create the Hotspot groups or ESSIDs etc.

                                        Page 27 of 28
Technology Brief: WS5100 3.0 Hotspots

Troubleshooting Hotspots

Done everything right but Hotspot still not working!!

Here are some tips for troubleshooting and common gotchas:

    1. Most issues with Hotspots when using the Onboard Radius server with built in
        database are likely to be with.. User authentication! Make sure you have correctly
        followed the Radius Server configuration steps.
    2. If User Authentication is failing check to make sure you have added the switch as
        a Radius client to itself. From the GUI, Security  Radius Server Clients 
    3. During the Radius server setup and while adding the switch as a Radius client to
        itself, make sure you enter the switch ip address (management VLAN ip) as the
        normal ip addresses for eg: Avoid using the loop back interface ip for Radius server setup.
    4. Make sure you have a Group created for the Hotspot, that you selected the Guest
        Group option and added the hotspot WLAN essid to this group.
    5. Same for the Hotspot user. Make sure you selected the Guest User (checkbox)
        when creating the Hotspot user. (if you do this from the switch GUI). Creating a
        user from the special Guest User applet will automatically do this.
    6. If you did all your Radius server configuration from the CLI, make sure you did a
        service-radius-restart else those changes will not take effect.
    7. Make sure you entered the same Radius shared secret for the server and client
    8. If the Guest User applet cannot be accessed by the front desk person make sure
        they have access to the management VLAN (ping switch ip address) from their
    9. If you used the CLI to create a guest user make sure you entered the start time and
        expiration time appropriately. An expired User Account gets deleted from the
        Radius server automatically and that User will not be able to access the Hotspot
    10. If nothing else works, read this document from top to bottom again – only more

                                        Page 28 of 28

To top