PREPARED BY Engineering Department of Blue Octopus WiFi
VERSION 1.0

INTEROPERABILITY DOCUMENT BETWEEN OMNIACCESS STELLAR SOLUTION AND OCTOPUS WIFI

Interoperability Document

Table of contents

1. INTRODUCTION
2. SOLUTION ADVANTAGES
   2.1 MAIN FEATURES
   2.2 MAIN BENEFITS
3. BACKGROUND
   3.1 OVERALL WORKFLOWS
   3.2 OCTOPUS PLATFORM, LOGICAL STRUCTURE
   3.3 INTEGRATION DETAILS
       3.3.1. HTTP REDIRECT
       3.3.2. HTTP POST LOGIN
       3.3.3. HTTP LOGOUT
       3.3.4. RADIUS AUTHENTICATION ATTRIBUTES
4. CONFIGURATIONS
   4.1 PREVIOUS REQUIREMENTS
       4.1.1. FIREWALL PERMISSIONS
       4.1.2. COLLECT CUSTOMER INFORMATION
   4.2 OCTOPUSWIFI
       4.2.1. GENERAL
       4.2.2. ACCESS METHODS
       4.2.3. WLAN
   4.3 OMNIACCESS STELLAR EXPRESS
       4.3.1. WLAN SETTINGS
       4.3.2. CAPTIVE PORTAL
       4.3.3. ADDITIONAL SETTINGS
   4.4 OMNIACCESS STELLAR ENTERPRISE
       4.4.1. RADIUS SERVER
       4.4.2. AAA SERVER PROFILE
       4.4.3. ACCESS ROLE PROFILE
       4.4.4. WLAN SERVICE
       4.4.5. APPLY CONFIGURATION TO DEVICES

1. Introduction

Octopus WiFi complements the OmniAccess Stellar solution with a global cloud platform for managing and controlling access to guest WiFi environments, adding value-added layers for your business. The platform gathers information on clients and their behaviour, presents usage analytics intuitively and offers advanced functions for designing marketing campaigns and promotions. Octopus WiFi is backed by a solid team of experts in defining global technical solutions, who help companies with their digital transformation.

[Figure: positioning diagram with the labels WiFi Express, WiFi Enterprise, Digital Marketing, Campus Networks, Simple Networks and Internet]

2. Solution Advantages

2.1 Main Features

- Cloud platform: Octopus WiFi is offered as a SaaS service with different licensing levels. No additional hardware needs to be installed.
- Multitenant: Octopus WiFi can be customised to fit your brand image and offered as the client's own service.
- Multivendor platform: integrates with WLAN solutions from the most common manufacturers on the market. It is a "trojan horse" for offering Alcatel hardware in new installations.
- Modular: advanced management of profiles and user permissions within the company (IT, Marketing, Support, Reception, ...).
- Flexible: features adapted to the different market sectors that require guest WiFi: hospitality, retail, transportation, education, medical centres, restaurants, corporate offices, commercial headquarters, ...
- RADIUS AAA service that multiplies the options for access types, control mechanisms and monitoring levels.
- Business analytics, marketing campaigns and promotions over WiFi.
- Specialised support and consultancy: to define the best guest WiFi solution for your business and to develop special integrations with your business tools.
- Compliance with current law on the preservation and processing of personal data.

2.2 Main Benefits

- Octopus WiFi helps every company perform its digital transformation: Wi-Fi as a new communication channel.
- We integrate your business with Wi-Fi technology. Make your Wi-Fi service profitable with marketing actions.
- Reinforce the brand image; extend your business image to the Wi-Fi service.
- Differentiate yourself from your competitors with a high-quality service; gain presence at your point of sale.
- Gain new customers and improve customer loyalty.
- Know your customers' behaviour: where they go, how much time they spend on your site, whether they come back...
- Increase the number of visits to and interactions with your website and your social network profiles, and promote the download of your app.
- Integrate with your Customer Relationship Management and other digital marketing tools.
- The results will be visible in a short time.

3. Background

3.1 Overall workflows

The following diagram describes the workflow between all elements of a guest WiFi connection in which ALE Stellar APs and the Octopus WiFi platform work together.

The different steps in the flow are described below.

1. The WiFi device associates to the OmniAccess Stellar Access Point over 802.11.
2. The network assigns an IP address to the device. If MAC authentication is configured on the Access Point, the RADIUS server receives the MAC-authentication packet from the AP.
   a. If the MAC of the WiFi device is cached on the server, RADIUS sends an Access-Accept packet to start the connection (accounting process). Go to step 9.
   b. If the MAC is not cached, go to step 3.
3. The device opens the browser automatically, or the user opens it manually and tries to browse.
4. The Stellar AP receives the HTTP request and sends an HTTP 302 response with an external redirect URL (the captive portal defined on Octopus WiFi). The AP can only intercept plain HTTP; a request to an HTTPS site cannot be redirected this way without a certificate error, which is why operating systems probe a well-known HTTP URL to detect the portal.
5. The Octopus WiFi platform answers with the captive portal configured for the WifiArea.
6. The user selects an access method in the captive portal and completes the form:
   a. Authentication OK: the captive portal sends the login credentials to the Access Point (step 7).
   b. Authentication NOK: the captive portal shows an error message and the user remains at step 6.
7. The Access Point sends an Access-Request packet to the RADIUS server.
8. The RADIUS server answers with an Access-Accept packet. This packet carries RADIUS attributes that the Access Point uses to control the user session.
9. The Access Point sends an Accounting-Start packet to the RADIUS server to start session control.
   a. Accounting Interim-Update packets are sent periodically to update the device session on the RADIUS server.
10. The Access Point sends an Accounting-Stop packet for a specific cause: network disconnection, session timeout, idle timeout, ...

3.2 Octopus platform, logical structure

The Octopus WiFi platform is designed for managing and controlling users' access networks to the Internet. It lets you control hotspot networks individually or in groups. The main characteristics of the platform are:

- Web management: a simple and intuitive interface for managing the different sites, captive portals and access methods, and for showing analytics and reports.
- Multivendor: can be integrated with the most common manufacturers of WLAN solutions on the market.
- RADIUS AAA service developed in-house, which multiplies the possible access types, control mechanisms and monitoring levels.
- Flexible and modular tool: Octopus WiFi has an advanced permission system for the different operator profiles, and a very flexible structure for grouping the different NAS or WiFiAreas (the name given to each site).

The next image defines the different concepts that the administrators of the platform can manage.

- Domain: domains are groups of WiFiAreas that group authentications on a RADIUS server. Users belonging to the same realm/domain will be able to roam between WiFiAreas.
- Independent WiFiArea: a WiFiArea that is not associated with any domain; users registered on it will therefore not be able to connect to other WiFiAreas.
- WiFiArea Groups allow aggregated statistics to be viewed, promotions to be displayed at group level and users to be created with permissions restricted to a group.
- WLAN Groups allow aggregated statistics to be viewed and promotions to be displayed at group level, independently of the WiFiAreas.
- WLAN: inside each WiFiArea different WLANs can be created, each associated with a network segment (SSID/VLAN). In this way the same WiFiArea can have different captive portals with different authentication methods.

The different modules of the Octopus WiFi platform can be seen in the next diagram.

3.3 Integration Details

This section describes the technical parameters of the Stellar solution that Octopus WiFi uses to implement its functionality.

3.3.1. HTTP Redirect

This is an example of the HTTP redirect in the authentication workflow:

https://app.octopuswifi.com/login/hotspot/ale?clientmac=00:00:00:00:00:01&clientip=192.168.3.160&ssid=GuestCP&switchmac=ff:ff:ff:ff:ff:ff&switchip=10.255.13.155&url=http://www.yahoo.com

Octopus WiFi uses these parameters:

  OctopusWifi object   Parameter name
  WifiArea             switchmac
  WLAN                 ssid
  URL Redirect         url
  Customer MAC         clientmac
  Error *              errmsg

* Only present when there is a RADIUS Reject packet.

3.3.2. HTTP POST Login

The web portal page gathers the user's login credentials and sends them to the Access Point through an HTTP POST message with this format:

  OctopusWifi object   Parameter name
  URL Login            http://cportal.enterprise.alcatel-lucent.com/login
  Username             user
  Password             password
  URL Redirect         url

3.3.3. HTTP Logout

Users can be disconnected by sending a request to the following URL:

http://cportal.enterprise.alcatel-lucent.com/logout
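The exchange in 3.3.1 to 3.3.3, as an added Python example that is not part of this document and is not Octopus WiFi or ALE code: it parses the AP's redirect into the Octopus objects of the 3.3.1 table and then builds the login POST of 3.3.2. Parameter names, endpoints and the sample URL are taken from the page; the MAC format check, the http(s)-only rule for the landing URL and the optional landing-host allow-list are this example's own assumptions. The point worth seeing is that every value, `url` included, arrives in a client-visible query string that the client can also forge directly, so a portal that reflects `url` unchecked after login is an open redirect.

```python
"""Added example, not Octopus WiFi or ALE code: parse the Stellar captive
portal redirect (3.3.1) and build the login POST (3.3.2).  Parameter names
and endpoints are from the page; the validation rules are assumptions."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: the redirect URL quoted in 3.3.1.
SAMPLE_REDIRECT = (
    "https://app.octopuswifi.com/login/hotspot/ale"
    "?clientmac=00:00:00:00:00:01&clientip=192.168.3.160&ssid=GuestCP"
    "&switchmac=ff:ff:ff:ff:ff:ff&switchip=10.255.13.155"
    "&url=http://www.yahoo.com"
)

# Query parameter -> Octopus object (table in 3.3.1).
PARAM_TO_OBJECT = {
    "switchmac": "wifiarea",
    "ssid": "wlan",
    "url": "redirect_url",
    "clientmac": "customer_mac",
    "errmsg": "error",  # only present after a RADIUS Reject
}

# Endpoints from 3.3.2 and 3.3.3.
LOGIN_URL = "http://cportal.enterprise.alcatel-lucent.com/login"
LOGOUT_URL = "http://cportal.enterprise.alcatel-lucent.com/logout"

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_redirect(redirect_url, allowed_landing_hosts=None):
    """Return the Octopus objects carried by the AP's 302 redirect.

    Every value is client-influenced (the client chose the original
    destination and can request the portal URL with any query string), so
    the portal must validate before using them.  ValueError is raised for a
    malformed MAC, a non-http(s) landing URL, or a landing host outside the
    optional allow-list (assumption of this example; the page prescribes
    no list).
    """
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    objects = {name: query[param][0]
               for param, name in PARAM_TO_OBJECT.items() if param in query}

    for key in ("wifiarea", "customer_mac"):
        mac = objects.get(key, "").lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"{key}: malformed MAC {objects.get(key)!r}")
        objects[key] = mac

    landing = urlsplit(objects.get("redirect_url", ""))
    if landing.scheme not in ("http", "https") or not landing.hostname:
        raise ValueError("url: only absolute http(s) URLs are accepted")
    if allowed_landing_hosts is not None and landing.hostname not in allowed_landing_hosts:
        raise ValueError(f"url: landing host {landing.hostname!r} not allowed")
    return objects


def build_login_post(objects, username, password):
    """Endpoint and form body the portal page POSTs to the AP (3.3.2)."""
    form = {"user": username, "password": password, "url": objects["redirect_url"]}
    return LOGIN_URL, urlencode(form)


if __name__ == "__main__":
    parsed = parse_redirect(SAMPLE_REDIRECT)
    print(parsed)
    print(build_login_post(parsed, "guest", "voucher-1234"))
```

The allow-list is optional because the landing page is configured per WLAN on the Octopus side (4.2.3); a portal that already knows the expected landing page can simply ignore the `url` parameter and use its own configured value, which removes the open-redirect surface entirely.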

3.3.4. Radius Authentication Attributes

RADIUS is one of a number of Authentication, Authorization and Accounting (AAA) protocols, and it requires a series of attributes. In particular, Octopus WiFi uses the following:

  RADIUS packet                        OctopusWifi object      Attribute name
  Access-Request, Accounting-Request   WifiArea (AP MAC)       Called-Station-Id (MAC part)
  Access-Request, Accounting-Request   WLAN (SSID)             Called-Station-Id (SSID part)
  Access-Request, Accounting-Request   Username                User-Name
  Access-Request                       Password                User-Password
  Access-Accept                        Session Timeout         Session-Timeout
  Access-Accept                        Idle Timeout            Idle-Timeout
  Access-Accept                        Upload Speed Limit      WISPr-Bandwidth-Max-Up
  Access-Accept                        Download Speed Limit    WISPr-Bandwidth-Max-Down
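The Access-Accept side of the table above, as an added Python example that is not part of this document and is not Octopus WiFi or ALE code: it encodes the four Access-Accept attributes as RADIUS AVPs (the WISPr pair as Vendor-Specific attributes), seals the packet with the Response Authenticator that the AP verifies against the shared secret configured in 4.3.2 and 4.4.1, and splits the Called-Station-Id that the AP sends into the AP MAC and SSID the table maps to WifiArea and WLAN. Attribute numbers follow RFC 2865 and the WISPr vendor dictionary (vendor 14122); the "MAC:SSID" layout of Called-Station-Id, the request authenticator and all sample values are this example's assumptions.

```python
"""Added example, not Octopus WiFi or ALE code: encode the Access-Accept
attributes listed in 3.3.4 as RADIUS AVPs, seal them with the Response
Authenticator the NAS verifies, and split Called-Station-Id into AP MAC and
SSID.  Attribute numbers follow RFC 2865 and the WISPr vendor dictionary;
the Called-Station-Id layout and all sample values are assumptions."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27           # RFC 2865, seconds
IDLE_TIMEOUT = 28              # RFC 2865, seconds
VENDOR_SPECIFIC = 26           # RFC 2865
WISPR_VENDOR_ID = 14122        # WISPr vendor dictionary
WISPR_BANDWIDTH_MAX_UP = 7     # bits per second
WISPR_BANDWIDTH_MAX_DOWN = 8   # bits per second


def avp(attr_type, value):
    """Standard attribute: type (1 byte), length (1 byte, header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26) wrapping one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def accept_attributes(session_timeout, idle_timeout, max_up, max_down):
    """The four Access-Accept attributes of 3.3.4, as the NAS will see them."""
    u32 = lambda n: struct.pack("!I", n)
    return (avp(SESSION_TIMEOUT, u32(session_timeout))
            + avp(IDLE_TIMEOUT, u32(idle_timeout))
            + vsa(WISPR_VENDOR_ID, WISPR_BANDWIDTH_MAX_UP, u32(max_up))
            + vsa(WISPR_VENDOR_ID, WISPR_BANDWIDTH_MAX_DOWN, u32(max_down)))


def access_accept(identifier, request_authenticator, attributes, secret):
    """Build the packet.  Response Authenticator (RFC 2865 section 3) =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + digest + attributes


def verify_response(packet, request_authenticator, secret):
    """NAS-side check: a shared secret that differs between the AP (4.3.2 /
    4.4.1) and the RADIUS server makes the digest differ, and the AP
    silently discards the Accept, so the user never gets online."""
    header, digest, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(digest, expected)


def decode_attributes(data):
    """Walk the AVP list back into {(type,) or (26, vendor, vendor_type): int}."""
    out, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        body = data[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vendor_type, vendor_len = body[4], body[5]
            out[(attr_type, vendor_id, vendor_type)] = struct.unpack("!I", body[6:4 + vendor_len])[0]
        else:
            out[(attr_type,)] = struct.unpack("!I", body)[0]
        i += length
    return out


def split_called_station_id(value):
    """Called-Station-Id from a WLAN NAS carries the AP MAC and the SSID
    (assumed layout 'AA-BB-CC-DD-EE-FF:SSID'; an SSID may itself contain
    colons, so only the first one is treated as the delimiter)."""
    mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        raise ValueError("Called-Station-Id carries no SSID")
    return mac.replace("-", ":").lower(), ssid


if __name__ == "__main__":
    attrs = accept_attributes(3600, 900, 2_000_000, 10_000_000)
    pkt = access_accept(7, bytes(16), attrs, b"radius1-secret")
    print(pkt.hex())
    print(decode_attributes(attrs))
    print(split_called_station_id("00-11-22-33-44-55:GuestCP"))
```

The Response Authenticator is the only integrity protection on a classic RADIUS Accept, and it is an MD5 over the shared secret, so the secret strength and the UDP 1812/1813 reachability rules of 4.1.1 are what stand between the AP and a forged Accept; keep the secret long and random and do not expose those ports beyond the RADIUS servers listed there.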

4. Configurations

4.1 Previous requirements

4.1.1. Firewall permissions

If there is a firewall in the network that might block the traffic, you will need to allow access to the following destinations to enable user authentication:

RADIUS servers:
- Primary: <IP-radius1>, ports 1812 and 1813 UDP
- Secondary: <IP-radius2>, ports 1812 and 1813 UDP

Splash portal servers:
- Domain <domain-name>, ports 80 and 443 TCP

4.1.2. Collect customer information

Collect everything necessary to configure the guest access:

WiFiArea name: the name of the installation in the Octopus WiFi platform.

Location: shows the location of the WiFiArea on a map.

Access methods:
- User registration: the user is authenticated after completing a form with personal information.
- Social networks: access using the credentials of different social networks. At present the Octopus WiFi platform supports Facebook, Twitter, Instagram, LinkedIn and Google+.
- Ticket or voucher: an access code is generated in the Octopus WiFi platform.
- Free access: the user is authenticated with one "click" after accepting the terms and conditions of the service.
- PayPal: the user pays for the access code through the PayPal gateway.
- SMS: access codes are sent by SMS after the user fills in a form.
- Sponsor: the user asks the host or sponsor for credentials, and the host accepts or rejects the request via email.
- Other methods: integration with CRMs, validation using other apps, etc.

WLANs: SSIDs that will use the Octopus WiFi captive portal to authenticate users. For authentication to work, the WLAN name configured in the Octopus WiFi platform must be the same as the one radiated by the access points.

Redirection web site: web site to which users are redirected after successful authentication in the captive portal.

WLAN solution: the WLAN hardware solution on which the redirection to the captive portal and the RADIUS server parameters will be configured; in this case "ALE".

NAS (Network Access Server): the MAC addresses of the devices that will send the users' authentication requests to the RADIUS server must be added. These MAC addresses can be obtained from the AP section: once the AP section is open, the MAC address of each access point can be checked.

4.2 OctopusWiFi

4.2.1. General

With the Octopus WiFi platform you can manage the different hotspots or WifiAreas, selecting the profiles and the desired validation methods. The different configuration options are described below.

It is advisable to create a WifiArea for each physical installation, so that statistics can be disaggregated and configuration is as flexible as possible. These are the different fields:

- Name of the WifiArea or WiFi hotspot.
- Physical address of the WifiArea. Once the address is entered, verify it in Google Maps; otherwise the WifiArea cannot be generated correctly.
- Selection of the domain to which the WifiArea belongs, or whether it is an independent one. It is important to be clear about this concept, because once the WifiArea is created this parameter cannot be changed, since all the RADIUS connection relationships are generated with this dependency.
- WLAN solution or infrastructure manufacturer (ALE Stellar). Depending on the selected manufacturer there will be a link to the configuration manual with detailed instructions.
- MAC of the NAS, i.e. of the devices that act as RADIUS clients towards the RADIUS server, to identify where the requests come from. The configuration manual has instructions for finding the MACs that must be added in each case.

4.2.2. Access methods

In this submenu you can configure the different WiFi service access methods that will appear in the captive portal. They may be selected from the following:

User registration: the users complete a registration form through the captive portal and are stored in the database. You can configure the fields of the form and whether each one is mandatory. The selectable fields are:
- Mail
- Name and surname
- Birth date
- Sex
- Telephone number
- Postal code
- Country
- Room number (intended for hotels)

Social networks: access through the credentials of the different social networks detailed below.

- Facebook. Depending on the permissions the user grants, the following data can be collected:
  - Facebook ID
  - Name and surname
  - Mail (depending on user privacy)
  - Sex (depending on user privacy)
  - Age (requires app permissions and depends on user privacy)
  - "Likes" (requires app permissions and depends on user privacy)
- Twitter. Data to be collected:
  - Twitter ID
  - Name and surname (the Twitter alias, which does not usually coincide)
  - Mail (requires app permissions)
- LinkedIn. Data to be collected:
  - LinkedIn ID
  - First name
  - Surnames
  - Mail (depending on user privacy)
- Instagram. Data to be collected:
  - Instagram ID
  - First name
  - Surnames
- Google. Data to be collected:
  - Google ID
  - First name
  - Surnames
  - Email

Accept conditions or free access: access is granted by pressing a "Sign in" button after accepting the conditions of use of the service. The only identifying data of the user's connection is the MAC address.

Ticket or voucher: the different formats that can be generated in the "Tickets" module can be configured. Depending on the configuration, the credentials can be printed, sent by mail or generated from an external API. There are four formats:

- Individual ticket: intended for individual use, although you can configure the number of simultaneous devices for which the generated ticket is valid, since the same user can use several devices at once. They are fixed-time and are also ideal when the rates are associated with a price.
- Variable-time ticket: also for individual use, but with the particularity that you can choose the validity time of the ticket within a certain range of dates.
- Group ticket: you can select the number of simultaneous users that can connect with that ticket. Ideal for groups of people.
- Customisable ticket: the ticket is fully customisable (including the access credentials) and is ideal for special cases such as events.

In addition to selecting the types of codes to issue, three other important characteristics can be configured:

- Methods of issuing tickets: printing (in several formats) and sending by mail (an SMTP server can be configured).
- Format of access codes: user/password or just a passcode.
- Extra fields of the validation form, in case you want to collect other customer data: mail, name and surname, date of birth, sex, ... The access form will consist of the passcode or user/password plus the configured personal data.

PayPal or access via payment gateway: pre-paid access can be configured in the captive portal through the PayPal gateway. The user can pay by entering credit card information or, directly, with a PayPal account.

A PayPal Business account can be configured in the Settings section so that the charges are sent to it.

SMS: messages with the credentials to authenticate access to the service are sent by SMS. The user must first register with a mobile number.

Extra fields of the validation form can be requested if you want to collect other customer information: mail, name and surname, date of birth, sex, ... The access form will consist of the passcode received by SMS plus the configured personal data.

SMS gateways for sending the messages can be configured in the Settings section.

APP: if the client has an app, a direct validation for WiFi access can be made. To develop this functionality, contact TCN support, who will deliver the development instructions that must be included in the app.

PMS: for hotels, access through the personal data of the user's check-in (room number and surname), which makes access self-service while restricting it to guests only. Besides validating only during the check-in/check-out dates, the platform is prepared so that different services can be selected, and depending on the service a charge to the room may apply.

Note that this access method requires a special integration between the different systems. In case of doubt, consult the support team.

Sponsor or sponsored WiFi: functionality oriented to office environments or guest-access environments that do not want to depend on specific people to hand out credentials; it allows the connection service to be offered directly between the guest and the host. The guest requests credentials through the captive portal and receives them by email or SMS once the host accepts the request.

Configurable parameters:
- Channel for sending credentials to the guest: by mail or SMS. Depending on the option chosen, you must select the SMTP mail server or SMS gateway from which the data is sent.
- Domains allowed for sending requests to hosts: the authorised mail domains for the request can be configured; the idea is that these are the corporate mail domains of the companies.
- Extra fields of the validation form, if you want to collect other customer data: mail, name and surname, date of birth, sex, ...

With each of the access methods it is also possible to configure the following:

- RADIUS attributes returned to the WLAN solution (Wi-Fi controllers) in the user validation response, such as speed limits, session time, idle time and the redirection page that appears after login in the captive portal. Depending on the WLAN solution there will be more or fewer parameters.
- MAC-caching functionality for a specific time. Explained in another section.
- Maximum number of simultaneous devices that can access with a single user.

4.2.3. WLAN

Within a WifiArea there is the possibility of creating different WLANs, that is, different captive portals associated with different SSIDs configured in the network. Within each WLAN you can configure:

- WLAN tag: depending on the manufacturer, there will be a WLAN tag to identify the connections of a specific SSID or VLAN. The configuration instructions of each manufacturer show where to configure it in the hardware solution.
- Captive portal template: you can select the captive portal design configured in the WifiAreas > Portals section.
- Access methods that should appear in the WLAN, from those configured in the previous section.
- Terms and conditions of use: a very important field, since the conditions of use and the information on the processing of personal data will be accepted by users before accessing the service.
- Redirect URL or landing page after login, configurable depending on the access method.
- Legal regulation: check boxes with legal fields selectable by clients after login, according to the GDPR regulation in force since 25/05/2018. Texts are editable for each language configured in the portal.

4.3 OmniAccess Stellar Express

4.3.1. WLAN Settings

First of all, to configure an external captive portal on an SSID, it is necessary to add a new WLAN or edit an existing one. To add the new WLAN, go to the WLAN section and click New.

Configure the following parameters once the WLAN configuration window is displayed:

- WLAN Name: SSID name that will be visible to the wireless users.
- Security Level: Open
- Captive Portal: Yes
- Inactivity Timeout Status: on
- Inactivity Timeout Interval: 900
- Enable: Yes

After making these changes, click Save to save the new configuration.

4.3.2. Captive Portal

Next, configure all the parameters related to the captive portal. Go to Access > Authentication and click Authentication to open the configuration window.

Once the configuration window is displayed, perform the following configuration:

- HTTPS: on
- External Captive Portal: check this option.
- Captive Portal Server:
  - Hostname: <domain-name>
  - Redirect URL: /login/hotspot/ale
  - Redirect URL param: disable
- Authentication Server:
  - Server IP/Hostname: <radius1-ip>
  - Authentication Server Port: 1812
  - Secret: <radius1-secret>
  - Confirm: <radius1-secret>
- Radius Accounting: check this option.
  - Accounting Server Port: 1813
  - Accounting Interval: 600

After completing the configuration, click the Save button to save these changes.

Finally, add the domains that users will be able to visit without being authenticated in the captive portal. Go to the Access > Black List & White List section and open the Walled Garden tab.

Then select the Domain option and add all the required domains.

  Group          Domains
  Octopus WiFi   app.octopuswifi.com (or whitelabel domain), www.google-analytics.com
  Facebook       www.facebook.com, m.facebook.com, facebook.com, connect.facebook.net, static.xx.fbcdn.net, akamaihd.net, fbcdn.net
  Twitter        twitter.com, mobile.twitter.com, api.twitter.com, twimg.com, abs.twimg.com, abs-0.twimg.com, pbs.twimg.com
  LinkedIn       linkedin.com, licdn.net, licdn.com, www.linkedin.com, static.licdn.com
  Instagram      instagram.com, api.instagram.com, www.instagram.com
  Google         accounts.google.com, ssl.gstatic.com, accounts.youtube.com, accounts.google.es
  PayPal         paypal.com, paypalobjects.com
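The walled-garden list above, evaluated as an added Python example that is not part of this document and is not ALE or Octopus WiFi code: it treats each entry as a suffix-matching allow-list (a host is allowed when it equals the entry or is a subdomain of it), reports which entry lets an unauthenticated client reach a given host, flags entries that a shorter entry in the same group already covers, and flags apex-level entries. The domain list is the page's; the matching rule is this example's assumption, so confirm it against the Stellar documentation for your release before relying on the results. The practitioner's concern it surfaces is that an apex entry such as akamaihd.net admits every subdomain of a shared CDN, so anything served from that CDN is reachable before login.

```python
"""Added example, not ALE or Octopus WiFi code: evaluate the walled-garden
domain list of 4.3.2 as a suffix-matching allow-list so the reachability it
grants before authentication can be reviewed.  The list is the page's; the
matching rule (exact host or any subdomain) is an assumption."""

# Walled-garden list from 4.3.2 (the 4.4.3 list is the same).
WALLED_GARDEN = {
    "Octopus WiFi": ["app.octopuswifi.com", "www.google-analytics.com"],
    "Facebook": ["www.facebook.com", "m.facebook.com", "facebook.com",
                 "connect.facebook.net", "static.xx.fbcdn.net",
                 "akamaihd.net", "fbcdn.net"],
    "Twitter": ["twitter.com", "mobile.twitter.com", "api.twitter.com",
                "twimg.com", "abs.twimg.com", "abs-0.twimg.com", "pbs.twimg.com"],
    "LinkedIn": ["linkedin.com", "licdn.net", "licdn.com", "www.linkedin.com",
                 "static.licdn.com"],
    "Instagram": ["instagram.com", "api.instagram.com", "www.instagram.com"],
    "Google": ["accounts.google.com", "ssl.gstatic.com", "accounts.youtube.com",
               "accounts.google.es"],
    "PayPal": ["paypal.com", "paypalobjects.com"],
}


def _norm(host):
    """Lower-case and drop a trailing dot so 'WWW.Facebook.COM.' compares equal."""
    return host.strip().rstrip(".").lower()


def matches(host, entry):
    """True when host equals entry or is a subdomain of it.  The match is on a
    label boundary, so 'notfacebook.com' does not match 'facebook.com'."""
    host, entry = _norm(host), _norm(entry)
    return host == entry or host.endswith("." + entry)


def allowed_pre_auth(host, garden=WALLED_GARDEN):
    """Return the (group, entry) that lets an unauthenticated client reach
    host, or None when the captive portal would intercept it."""
    for group, entries in garden.items():
        for entry in entries:
            if matches(host, entry):
                return group, entry
    return None


def redundant_entries(garden=WALLED_GARDEN):
    """Entries already covered by a shorter entry of the same group, as
    {group: [(entry, covered_by), ...]}.  Harmless, but they hide how broad
    the covering entry really is."""
    out = {}
    for group, entries in garden.items():
        for entry in entries:
            for other in entries:
                if other != entry and matches(entry, other):
                    out.setdefault(group, []).append((entry, other))
                    break
    return out


def broad_entries(garden=WALLED_GARDEN, max_labels=2):
    """Apex-level entries (two labels, e.g. akamaihd.net or fbcdn.net).  Each
    admits every subdomain; akamaihd.net is a shared CDN, so this is the
    pre-authentication hole to review first."""
    return sorted((group, entry) for group, entries in garden.items()
                  for entry in entries if len(_norm(entry).split(".")) <= max_labels)


if __name__ == "__main__":
    print(allowed_pre_auth("cdn.example.akamaihd.net"))
    print(redundant_entries())
    print(broad_entries())
```

If the social-login methods are not enabled for a WLAN (4.2.3), the corresponding groups can be left out of the walled garden entirely; the only entries the login flow itself needs are the portal hostname and the RADIUS reachability from 4.1.1.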

4.3.3. Additional Settings

MAC Authentication

To enable MAC authentication it is necessary to edit the WLAN in use, so click the WLAN that will use this functionality to configure it.

Once the configuration window is displayed, select the corresponding WLAN and perform the following configuration:

- MAC Authentication: check this option.
- Server IP/Hostname: <radius1-ip>
- Authentication Server Port: 1812
- Secret: <radius1-secret>
- Confirm: <radius1-secret>
- Account: check this option.
- Accounting Server Port: 1813
- Accounting Interval: 600

After making all the required changes, click Save to save the new configuration.

4.4 OmniAccess Stellar Enterprise

4.4.1. Radius Server

The first step is to configure the RADIUS servers of the platform. Go to "Security > Authentication Servers > Radius" and add a new RADIUS server (or modify an existing one). Enter the following values:

- Server Name: Radius1
- Host Name / IP Address: <radius1-ip>
- Backup Host Name / IP Address: <radius2-ip>
- Retries: 3
- Timeout: 2
- Shared Secret: <radius1-secret>
- Confirm Secret: <radius1-secret>
- Authentication Port: 1812
- Accounting Port: 1813

4.4.2. AAA Server Profile

Within the OmniVista interface, go to "WLAN > AAA Server Profile" and add a new profile (or modify an existing one). Edit the following parameters:

- Profile name: for example aaaServerProfile_Guest
- Authentication Servers > Captive portal > Captive Portal Primary: select the RADIUS server created above, Radius1
- Accounting Servers > Captive portal > Captive Portal Primary: select the RADIUS server created above, Radius1

4.4.3. Access Role Profile

Within the OmniVista interface, go to "WLAN > AAA Role Profile" and add a new profile (or modify an existing one). Edit the following parameters:

- Profile name: for example accessRoleProfile_Guest
- Walled Garden section: add the basic domains and the ones required by the services you want to configure. The list is the same as in section 4.3.2 (the Octopus WiFi, Facebook, Twitter, LinkedIn, Instagram, Google and PayPal domains).
- Captive Portal Attributes: complete with the following information:
  - Captive Portal Auth: External
  - Portal Server: <domain-name>
  - Redirect-URL: /login/hotspot/ale
  - HTTPS Redirection: Enable
  - AAA Server Profile: select the server profile created above, aaaServerProfile_Guest

4.4.4. WLAN Service

Within the OmniVista interface, go to "WLAN > WLAN Service" and add a new profile (or modify an existing one). Edit the following parameters:

- Service Name: for example wlanService_Guest
- SSID Settings > Basic:
  - ESSID: guest SSID name, for example "WIFIGuest"
  - Hide SSID: Disabled
  - Enable SSID: Enabled
- SSID Settings > Security:
  - Security Level: Open
  - MAC Auth: Disabled
- Default Access Role Profile: select the role profile created above, accessRoleProfile_Guest

4.4.5. Apply Configuration to devices

Once all the configuration has been created, deploy it to the devices:

- Go to WLAN > Access Role Profile, select the new role created for WifiGuest and click the "Apply to Devices" button. Then select the VLAN to which the role will be mapped and the AP Group where it will be deployed. Finally, check that it has been deployed correctly.
- Within WLAN > WLAN Services, select the new service created for WifiGuest and click the "Apply to Devices" button. Then select the AP Group where the WLAN service will be deployed. Finally, check that it has been deployed correctly.