Marketing Flash: Nomadix Key Features Overview




Introduction

The Nomadix Public-access Gateways are stand-alone, dedicated network appliances placed at the edge, solving key issues of connectivity, security, billing and roaming in Public-access networks. Nomadix offers 4 different platforms capable of serving a wide variety of venue types including airports, hotels, convention centers, college campuses and Wi-Fi HotSpots:

- AG2100
- AG3000
- AG5000
- AG5000 Metro

Based on the proven USG platform that has been successfully deployed in thousands of locations worldwide, the AG family of Gateways handles transparent connectivity, authentication, bandwidth shaping, and service placement, supporting flexible configurations of up to 4,000 simultaneous users in a broadband-enabled environment.

The AG5000 offers:

- Up to 2,000 simultaneous users
- Mobile Connectivity
- Advanced Security and Access Control
- Network-based Authentication
- Bandwidth Management
- Service Presentment

Integration of a Nomadix Gateway into the network enables the rapid rollout of ubiquitous broadband Internet services in any public hot spot. The Nomadix Gateways offer a unique set of security and connectivity features for service providers needing to provide universal connectivity and network-based authentication and service presentment.

Designed for smaller scale deployments, the AG2100 (max. 50 subscribers) and the AG3000 (max. 200 subscribers) are the platforms of choice. For larger deployments such as airports and larger hotels, the AG5000 platforms can support up to 2,000 subscribers and are the ideal products for these locations.

Table of Contents

- Introduction
- Table of Contents
- Listing of Nomadix Key Areas
- Plug and Play
- Dynamic Address Translation™
- Dynamic Transparent Proxy Support
- STUN Support
- HTTPS Support
- Service Presentment
- Internal Web Server (IWS)
- Local Web Server
- External Web Server (EWS)
- Login Page Failover
- Information and Control Console (ICC)
- Explicit Logout pop-up window
- Portal Page Parameter Passing
- Goodbye URL Support
- Screen Size and JAVA Detect
- Splash Screen and Partner Image
- International Language Support
- End User VPN support
- iNAT™ Functionality
- iNAT™ UDP Packet Fragmentation Support
- Bandwidth management
- End User Bandwidth Management
- Wide Area Network side Bandwidth Management
- Simultaneous Authentication
- AAA
- MAC based Authentication
- Group Accounts
- IEEE 802.1x Support
- RADIUS (AAA) Proxy
- NAI Routing
- Smart Client Support
- RADIUS Re-authentication
- Idle User Management
- Cookie Placement ("Remember Me" feature)
- RFC 1493 Cascading Support
- Billing
- Billing Options
- Duration-based Billing
- Stand-alone Billing
- PMS-support
- PMS Query support
- Post-paid PMS billing
- Credit Card payments
- Simultaneous billing time parameter IWS
- Max. billable unit support for PMS and Credit Card billing
- RADIUS based Billing
- RADIUS Attributes
- RADIUS counting Packets Sent/Received
- Nomadix RADIUS Vendor Specific Attributes (VSA)
- Free Access Monitoring
- Port-based Policies
- Security
- Selective Access Control
- Tracking Syslogs
- SSL support for Internal Web Server
- Increased Device Security
- URL Filtering
- Proxy ARP Support
- Security and Denial of Service Management
- Session Rate Limiting and MAC Filtering
- ICMP Blocking
- Secure XML
- End User IP address management
- Multiple DHCP Pools and Subnets
- IP Address Upsell
- SNMP Re-Direct
- SMTP Support for correctly configured subscribers
- DNS support for SMTP redirect
- Network Management
- Management Interfaces
- Static Port Mapping for Devices on Private IPs
- Location Identifier
- One click DAT™ session clearance
- Help Link at Login Screen
- Administrative Access policy setting
- Remote Authentication Testing Facility
- Easier Troubleshooting and Setup
- Centralized Management
- SNMP MIB
- High-Availability
- Fail-over
- Remote (central) Printer support
- Driverless Printing (Click 2 Print)

Listing of Nomadix Key Areas

Plug and Play

Dynamic Address Translation™

Technical barriers have previously stood in the way of providing profitable, customer-friendly ubiquitous Internet access, most notably the expense and complication of reconfiguring every computer or device so it can access the Internet regardless of how it was originally configured.

- No client-side software.
- Transparent HTTP Proxy support (subscriber does not need to disable their proxies).
- DNS (Domain Name Server) Redirection (subscriber's DNS requests are redirected to a local server).
- SMTP server redirection support (subscriber's outgoing email will be redirected to a local server).

Nomadix's patented Dynamic Address Translation (DAT™) function offers a true plug-and-play solution that provides transparent broadband network connectivity covering every PC configuration (static IP, DHCP, DNS, and proxies), ensuring that everyone gets access to the Public-access hot spot or Visitor-based Network (VBN). In addition, Nomadix delivers additional advanced plug-and-play features that allow the seamless sending of email, as well as the transparent usage of VPN services (IPSEC, PPTP) and popular applications such as NetMeeting in an address-translated network. No client-side software or changes to the PC's configuration are required in order to get connected in an NSE-enabled network.

Nomadix developed DAT to actively monitor every packet transmitted from each device to ensure each packet is correctly configured for the network that the computer is expecting. As a result, every customer can get access to the network without having to reconfigure his computer, PDA or other Internet access device or load client-side software.

DAT also ensures that a DNS server is always available to a user through the DNS redirection function. The DNS redirection function redirects a user's DNS requests to a local DNS server closer to the customer's location. This improves the response time and enables true plug-and-play access when the subscriber's configured DNS server is behind a firewall or located on a private Intranet.

Dynamic Transparent Proxy Support

From the 4.3 release, Gateways support clients that dynamically change their browser's proxy status from non-proxy to proxy. Also, transparent proxy support has been enhanced by offering support for additional assigned port ranges (e.g. ports 800-900, 911).

STUN Support

The NSE Dynamic Address Translation (DAT) functionality has been enhanced to support the STUN Protocol and to conform to a restricted cone network address translation (NAT) style of operation.

HTTPS Support

It is possible for the administrator to set the AG to pass through HTTPS traffic in addition to standard port 80 traffic without being redirected. Once access to a non-https address (such as a stock broker or bank) has been requested, the subscriber will then be redirected as usual.

Service Presentment

Once connected to the Public-access hot spot or VBN, a customer needs to be directed to a Web site for local or personalized services, or to establish an account and pay for services. For example, in an airport, a customer using an 802.11 wireless LAN device can be presented with flight information. In a hotel, guests can be presented with local concierge services, network-based printing offers or other ecommerce content.

Nomadix has developed sophisticated web page redirection technology that allows the service provider to control the initial content experience prior to and/or post authentication.

Internal Web Server (IWS)

The Nomadix Gateways contain an Internal Web Server that can deliver SSL encrypted web pages that come pre-configured for user authentication and authorization. All core parameters of these web pages (e.g. logos, text, font, colors) can be changed without any knowledge of HTML. A banner at the top of each Internal Web Server page is configurable and can contain the hot spot owner's logo or any other image they desire.

[Figure: Internal Web Server pages: Login or New Account; Verify and Purchase; Service Selection]

Local Web Server

This release introduces the Local Web Server capability, which enables the NSE to host a limited number of web pages locally on its flash. These web pages can be served to the subscribers during the pre-authentication or post-authentication phase. These web pages can be updated remotely and uploaded using FTP on to the NSE. With this capability there is no need to have a dedicated web server on site if the requirement is to serve a few custom web pages to the end users.

External Web Server (EWS)

In External Web Server mode, the URL is defined where the graphics contents of the Home Page Redirect are stored.

Login Page Failover

For installations that use an External Web Server or a Portal Server to provision their Login and Authentication Pages to the subscribers, the Login Page Failover feature provides a way for administrators to configure secondary or tertiary Login Pages in case the primary Login Page becomes unavailable. This mechanism guarantees that the subscribers will have some way of authenticating themselves and accessing the Internet if the External and Portal Servers fail.

Information and Control Console (ICC)

The ICC drives a JAVA-based applet down to each customer's Internet Browser, providing them with the ability to self-select services and upgrade their bandwidth and service plans in real time. The existing JAVA-based ICC has been replaced with an HTML/Javascript version to enhance its performance and reduce browser compatibility issues while also allowing its distribution from a centralized location/server (from 4.3 onwards).

The ICC allows the premise owner or service provider to send custom messages and advertising directly to the screen of the customer. For credit card and PMS usage, the ICC displays a dynamic time field to inform customers of the time remaining on their account.

Explicit Logout pop-up window

The NSE lets the administrator define a simple HTML-based pop-up window for explicit logout that can be used as an alternative to the more fully featured ICC. The Pop Up Log-Out button contains the opportunity to display the elapsed/count-down time and one logo for intra-session service branding (from 4.3 onwards).

Portal Page Parameter Passing

The Portal Page Redirect (PPR) feature of the Nomadix Gateways enables the Public-access network to intercept the browser's home page setting prior to authentication and redirect it to a new portal page determined by the service provider or premise owner.

When redirecting the customer to a new home page, the original home page (Origin Server) is passed as a parameter to the new home page so the customer can still access their default home page after the local or personalized page has been presented.

The Home Page Redirect (HPR) feature of the Nomadix Gateways allows the service provider to display a post-authentication web page tailored either to the user's location (e.g. Train Schedules for HotSpot at Waterloo Station) or the user himself (e.g. "Welcome John Smith, here is your personalized home page for the HotSpot Service").

The Gateways contain a comprehensive HTTP page redirection logic that allows for a page redirect before (aka Portal Page Redirect) and/or after the authentication process (aka Home Page Redirect). A defined set of parameters to the portal page redirection logic allows an External Web Server to perform a redirection based on:

- VLAN ID
- Subscriber MAC address
- Externally hosted RADIUS login failure page

This means that the network administrator can now perform location-specific service branding (e.g. for an airport lounge) from a centralized web server.

Radius Home Page Redirect

This feature allows the Gateway to receive a Nomadix VSA from the RADIUS server for URL redirect. This feature provides a method for each user to be redirected to a different site upon login based on a RADIUS attribute.

Goodbye URL Support

From the 4.3 release, Nomadix has created a 5th step in Service Branding for Operators and other Public-access network operators: the Goodbye Page. The 5 steps in Service Branding now available in a Nomadix-enabled network include the following:

1. Initial Flash Page branding.
2. Initial Portal Page Redirect (Pre-Authentication). Typically, this is used to redirect the user to a venue-specific welcome and login page.
3. Home Page Redirect (Post-Authentication). This redirect page can be set to the individual user (as part of the RADIUS Reply message, the URL is received by the Nomadix Access Gateway) or set to re-display itself at freely configurable intervals.
4. The ICC contains multiple opportunities for the Operator to display its branding or the branding of partners during the user session.
5. The Goodbye page is a post-session page that can either be defined as a RADIUS VSA or be driven by the internal web server in the NSE. Using the Internal Web Server option means that this functionality is available for other post-paid billing mechanisms (e.g. post-paid PMS) as well. This IWS page displays the details of the user's connection such as:
   - IP address of the user
   - Type of AAA
   - Start/Stop time
   - Bytes sent/received
   - Freely configurable Hypertext link (in case the ISP wants to link the user back to a sign-up/help page)

[Figure: The Nomadix 5-Step Service Branding Methodology]

Screen Size and JAVA Detect

In order to better support PDAs and other handheld devices, the Nomadix Gateways contain functionality that will automatically format the IWS pages to a screen size that is optimal for the particular device. Since most PDAs today do not support JAVA applets, the Gateway will also contain the necessary intelligence to prevent inconclusive JAVA error messages caused by the IWS.

Splash Screen and Partner Image

Allows the display of the "You are being connected" screen and Partner Image even when AAA is turned off.

International Language Support

Nomadix supports international customers by providing translations of the Information and Control Console (ICC) into Japanese, Chinese, French, German and Spanish. The AG platform allows all IWS text to be freely configurable/translatable. This includes both the text in the IWS dialog boxes and the text on the IWS buttons (e.g. Enter, Back, etc).

End User VPN support

iNAT™ Functionality

The iNAT™ feature measurably improves the connection success rate of multiple VPN tunnels to the same termination device, while optimizing the usage of available public IP addresses.

- It uniquely supports users with static private (e.g. 192.168.x.x) or public (different subnet) IP addresses without any client IP setting changes.
- It dynamically adjusts the mode of address translation during the user's session depending on the packet type.
- iNAT™ dramatically heightens the reusability factor of costly public IP addresses ("only use them when you need them"), while maintaining the security benefits of traditional address-translation technologies.

iNAT™ UDP Packet Fragmentation Support

(From version 4.3). Nomadix recently added support for UDP fragmentation within iNAT to provide more seamless support for certificate-based VPN connections.

Bandwidth management

End User Bandwidth Management

The Bandwidth Management feature of the Nomadix Gateway enables service providers to limit bandwidth usage on a per device (MAC Address/User) basis. This ensures every user has a quality experience by placing a bandwidth ceiling on each device accessing the network so every user gets a fair share of the available bandwidth. The bandwidth for each device can be defined asymmetrically for both upstream and downstream data transmissions. The service provider can also allow the individual user to increase or decrease their bandwidth and/or change their IP address type (private vs. public) dynamically without having to disconnect or re-establish a new session.

Wide Area Network side Bandwidth Management

The Nomadix Gateway can also manage the WAN Link traffic, providing complete bandwidth management through the Public-access hot spot. Bandwidth Management shapes traffic going over the WAN link to prevent its over-utilization. The Gateway queues traffic from overly busy instances in time, and sends the packets over the WAN Link when a lull in traffic occurs.

Simultaneous Authentication

AAA

A Nomadix-enabled network can automatically authenticate, authorize, track, and bill users for broadband access. Customers can be identified and billed according to their Media Access Control (MAC) address, username/password, and/or port identification number.

The Authentication, Authorization and Accounting (AAA) module of the Gateway offers various tracking, billing and security features for Web-based self-provisioning, including RADIUS Authentication, Authorization and Accounting as well as credit card billing. The AG also supports an open XML Interface for control and integration with other network components.

The Nomadix Gateway also simultaneously supports various proprietary and standards-based authentication methods such as IEEE 802.1x and client-based solutions such as those provided by Boingo Wireless, iPass and GRIC, the goal of which is to automate the authentication process, rendering the wholesale service provider transparent and enabling Global Roaming across wireless LAN networks at the client level.

MAC based Authentication

The NSE already supports authentication for Web-based Universal Access Method (UAM) clients and IEEE 802.1x clients. This release adds another method known as MAC authentication. MAC authentication makes it possible for devices that do not support a browser (like PSP, VoIP phones etc.) to be authenticated based on the device MAC address. With this unique methodology, these devices can be automatically authenticated against a RADIUS server using their MAC addresses while simultaneously supporting other types of subscribers, via UAM or IEEE 802.1x.

Group Accounts

The NSE now supports group accounts or concurrent logins. Administrators can create a special group account with a group username and password. Group members can then log in using these credentials. This feature is useful when giving out access to groups of users for special occasions.
IEEE 802.1x Support

Nomadix supports the IEEE 802.1x standard for port-based authentication. 802.1x is a standard for port-based Access Control that can be used by LAN access concentrators (such as wireless Access Points, switches, hubs, etc.) to turn ports (points where the clients connect to the concentrator) on and off based on the authentication state of the client.

In order to deploy 802.1x in a network, support for the standard must be present in the client computer (via Windows XP), the point of aggregation (e.g. Access Point) and in the RADIUS server. Also note that many companies are coming out with their own 802.1x clients and that Microsoft is planning patches to most of its Operating Systems to support 802.1x.

The Nomadix Gateway can now take the place of the Authenticator in an 802.1x enabled network, which is a function typically done by an Access Point or some other LAN access concentrator. By becoming the Authenticator, the Nomadix Gateway allows the deployment of lower cost, non-802.1x enabled Access Points while still deriving the benefits of 802.1x within the network. It also allows the administrator to deploy a network that can support both 802.1x enabled clients and non-802.1x enabled clients simultaneously.

Edge-driven WISP Roaming

RADIUS (AAA) Proxy

The purpose of the RADIUS or AAA Proxy functionality in the NSE is to relay authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. This functionality can be effectively deployed to:

- Support a wholesale WISP model directly from the edge without the need for any centralized AAA proxy infrastructure.
- Support EAP authenticators (e.g. WLAN Access Point) on the subscriber-side of the NSE to transparently proxy all EAP types (e.g. TLS, SIM) and to allow for the distribution of per-session keys to EAP authenticators and supplicants.

NAI Routing

Complementing the RADIUS Proxy functionality in the NSE is the ability to route RADIUS messages depending on the Network Access Identifier (NAI). Both prefix (e.g. ISP/username@ISP.net) and suffix-based (username@isp.net) NAI routing mechanisms are supported. Together, the RADIUS Proxy and NAI Routing further support the deployment of the Wholesale Wi-Fi model, allowing multiple providers to service one location.

Smart Client Support

Nomadix supports various broadband Smart Clients being sold to Enterprise users. Support is provided for Smart Clients from iPass, GRIC and Boingo. The iPass Generic Interface Specification (GIS) is supported (from 4.3 onwards). Support for all these types of authentication mechanisms enables the concept of global roaming where one bill can follow a mobile professional wherever they travel. A dedicated White Paper explaining this new functionality is available from Nomadix tech support.

RADIUS Re-authentication

The Nomadix RADIUS Re-authentication feature supports multiple MAC addresses per UN/PW combination. This enhances the user-friendliness of this feature for users with multiple PCs that only want to use one login. The RADIUS Re-Authentication buffer contained within the NSE has been expanded (from 48) to 720 hours, thus allowing an even more seamless and transparent connection experience for repeat users (from 4.3 onwards).
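The prefix and suffix realm routing described under "NAI Routing" above can be sketched as follows. This is an added example, not Nomadix code: the realm table, the server names, the rule that a configured prefix realm is tried before the suffix realm, and the choice to reject unknown realms instead of forwarding them to a default server are all assumptions made for illustration.

```python
"""NAI realm routing sketch (added example; not Nomadix code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical realm table: realm (lower-case) -> RADIUS server "host:port".
REALM_ROUTES = {
    "isp": "radius-prefix.example:1812",      # matched by ISP/username@...
    "isp.net": "radius-suffix.example:1812",  # matched by username@isp.net
}

MAX_NAI_LEN = 253  # a RADIUS attribute value holds at most 253 octets


class NaiError(ValueError):
    """NAI is malformed or names a realm that is not configured."""


@dataclass(frozen=True)
class Route:
    user: str    # user part with both realm decorations removed
    realm: str   # realm that selected the server (lower-cased)
    kind: str    # "prefix" or "suffix"
    server: str  # RADIUS server the request is proxied to


def split_nai(nai: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Return (prefix_realm, user, suffix_realm); absent realms are None."""
    if not nai or len(nai.encode("utf-8")) > MAX_NAI_LEN:
        raise NaiError("empty or oversized NAI")
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in nai):
        raise NaiError("whitespace or control character in NAI")
    prefix = suffix = None
    rest = nai
    if "/" in rest:
        prefix, rest = rest.split("/", 1)   # realm before the first "/"
    if "@" in rest:
        rest, suffix = rest.rsplit("@", 1)  # realm after the last "@"
    if not rest or prefix == "" or suffix == "":
        raise NaiError("empty user or realm component")
    return prefix, rest, suffix


def route(nai: str, routes=REALM_ROUTES) -> Optional[Route]:
    """Pick the RADIUS server for an NAI.

    Returns None when the NAI carries no realm (left to local
    authentication); raises NaiError when a realm is present but not
    configured, so unknown realms are never proxied anywhere.
    """
    prefix, user, suffix = split_nai(nai)
    if prefix is None and suffix is None:
        return None
    # Assumption: the prefix realm, when configured, wins over the suffix.
    for kind, realm in (("prefix", prefix), ("suffix", suffix)):
        if realm is None:
            continue
        key = realm.lower()  # realms are compared case-insensitively
        if key in routes:
            return Route(user=user, realm=key, kind=kind, server=routes[key])
    raise NaiError("no route for realm(s) in NAI")


if __name__ == "__main__":
    # Constructed sample identities, including the two forms from the text.
    for sample in ("ISP/username@ISP.net", "username@isp.net",
                   "username", "user@unknown.example", "/user@isp.net"):
        try:
            print(f"{sample!r:28} -> {route(sample)}")
        except NaiError as exc:
            print(f"{sample!r:28} -> rejected: {exc}")
```

Rejecting an unconfigured realm keeps credentials from being relayed to a server that was never meant to see them.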

Idle User Management

There is an option to force Credit Card and PMS subscribers to enter a username and password when they purchase Internet Access. Nomadix allows the network administrator to set a policy to force the user to log in after being idle even if they are coming in from the same MAC address.

Cookie Placement ("Remember Me" feature)

This feature allows the IWS to store an encrypted Login Cookie in the browser to "Remember me" using UN/PW/NAI between Access Points, thus creating a better user experience in wireless networks.

RFC 1493 Cascading Support

From a network architecture perspective, it is common practice to cascade multiple DSLAMs or switches together so a service provider or property owner can increase the port density of the in-building access concentration equipment. Certain Nomadix Gateways are capable of supporting up to fifty (50) RFC 1493 compliant DSLAMs, TUT MDU Lite, HR and LR DSLAMs that are cascaded together to correctly perform port location. Nomadix also supports any RFC 1493 compliant 3COM/RC Networks device that is designed in a cascaded or parallel configuration.

In a cascaded configuration, one central switch may control several secondary switches in order to obtain network related information. Thus, the Nomadix Gateway will be able to query the primary switch to retrieve MIB information from the primary switch and any secondary switches. In a parallel configuration, the switches act as peers to one another and will send distinct MIB queries to the Gateway.

Billing

Billing Options

Nomadix provides a very rich set of billing features.

1. Local billing features
   - Connection to Hotel Property Management System for "bill to my room"
   - Internal AG database for ad hoc creation of UN/PW
2. Central billing features
   - Credit Card payments (cleared by a remote Credit Card broker)
   - RADIUS

Duration-based Billing

The purpose of this feature is to let hotels create billing plans that work in a similar fashion to pre-paid telephone cards. This means an Operator can set the Internal Web Server (IWS) of the NSE to let users online for time x over period y. Standard billing plans (time x = period y) can be used concurrently. For example, multiple plans with flexible billing event options can be rolled out such as:

- Plan A: 24 hours, 256kbit/s downstream, 128kbit/s upstream, public IP address, $15
- Plan B: 8 hours to be used over 5 days, 512kbit/s downstream, 256kbit/s upstream, private IP address, $35
- Plan C: 1 week, 1mbit/s downstream, 1mbit/s upstream, public IP address, $99

In addition to credit card billing, Property Management Systems used by hotels are also supported along with the internal database of the NSE and billing via the Nomadix secure XML API.

Stand-alone Billing

From version 4.3 of the NSE, the Gateway supports the option to let the administrator create a set of user profiles (Username, Password, Duration, Bandwidth Up, Bandwidth Down) in the internal database and then start the count-down timer upon user login. This functionality has also been added to the NSE's secure XML API. Applications of this functionality can be found in the hospitality arena, as well as in smaller scale stand-alone Public-access networks (e.g. hospitals).

PMS-support

Nomadix continues to provide certified interoperability with the largest number of property management systems (PMS) in the market. The Nomadix Gateway interoperates with all HOBIC protocol based PMS systems, all PMS systems used by Hilton, the PMS protocol used in the NH Hotel Group, the Xeta Virtual XL™ call accounting system, Ramesys ImagInn™, Marriott's proprietary PMS solution, System 21 PMS and igets.net. It also offers post-paid usage-based PMS billing and a private DNS logout option.

2-Way OnQ (System 21) Compliance (From version 4.3)

The NSE's proven Micros POS emulation interface has been adapted to be interoperable with Hilton Corporation's OnQ PMS system. OnQ is quickly replacing all legacy PMS installations within Hilton North America (H1, H2) and currently Nomadix is the only Gateway vendor that has both approved 1-Way (i.e. posting only, generally used in wired networks) and 2-Way interfaces (i.e. query and post, specifically developed to support Wi-Fi-enabled hotel networks).

Galaxy PMS Support (From version 4.3)

This release offers a 2-way interface to the Galaxy PMS system.

Micros FIAS Interface Compliance (From version 4.3)

Nomadix has extended its existing interfaces to the popular Micros Fidelio PMS system to include three new interfaces. These interfaces have been tested and approved by Micros Fidelio. In detail, the new interfaces are:

- TCP/IP interface for PMS post messages to Micros Fidelio Opera
- Serial FIAS-compliant post interface
- Serial FIAS-compliant extension to the existing Micros POS (i.e. 2-Way) emulation. The new interface includes the option to define a third query field (i.e. reservation number) to enhance security in wireless high-speed Internet access networks in hotels.

PMS Query support

Nomadix is able to query most popular PMS systems for confirmation of the name and room number of the hotel guest/s. In essence, the Gateway will be a clone of a popular Micros POS system. This will allow the hotel to seamlessly deploy wireless networks or, alternatively, use low-cost wired access concentration equipment (e.g. certain HPNA gateways, DSLAMs, CMTS solutions or even plain hubs) that either do not support port-id or do so in a proprietary format that Nomadix does not currently support, and still be able to bill directly to the room. As with standard posting interfaces, most PMS vendors are likely to charge additional fees for the PMS query interface. This feature was developed based on the Micros Specification for 1700/2000/3700/4700/8700 system software (Part Number: 150502-029). PMS solution vendors that have informed Nomadix about their interoperability with the above specification include Micros, Hilton (H1, H2, System 21), HIS, Marriott and GETS.

Post-paid PMS billing

Nomadix first implemented post-paid PMS billing logic to support the proprietary NH PMS interface. Now, this billing logic has been extended to support all existing PMS interfaces (e.g. all five HOBIC versions, Marriott, Micros Fidelio, etc.). With the new functionality, the hotel guest now has the option to terminate his/her connection (via the ICC) and be billed only for the actual time he/she was online.

Credit Card payments

Advanced functionality, such as integration with on-line secure credit card based self-provisioning, allows the customer to set up a credit or time based pre-paid account.
Also, in order to support a revenue-splitting business model between access providers and service providers, an integrated Billing Mirror capability is provided that logs the customer's billing activities to more than one server. This allows BT to perform ad hoc, pay-per-use service creation, a critical function to grow its customer base.

Simultaneous billing time parameter IWS

Nomadix has support for multiple simultaneous billing plans using PMS or Credit Card AAA. For example, a hotel can now offer an hourly plan (e.g. $2) and a daily plan (e.g. $15) at the same time without any External Web Server based XML scripts.

Incentive-based Billing

Promotional/discount code support for PMS and Credit Card billing. This functionality offers you the opportunity to provide price incentives to preferred customer groups.

Max. billable unit support for PMS and Credit Card billing

In conjunction with the Minimum billable unit support, the Maximum billable unit support allows you to define a range of values that the end-user can enter to purchase access, thus preventing user complaints.

RADIUS based Billing

Nomadix has an integrated RADIUS client allowing the service provider to track or bill based upon number of connections, location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS Server, along with associated attributes for each user. When a customer connects into the network, the RADIUS client authenticates the customer with the RADIUS Server, applies associated attributes stored in that customer's profile, and logs their activity (including bytes transferred, connect time, etc.). Our RADIUS implementation also handles vendor-specific attributes (VSAs) required by the emerging class of wireless service providers like BT and others that want to enable more advanced services and billing schemes such as a fixed per device per month connectivity fee.

RADIUS Attributes

RADIUS Attributes are available to enhance the flexibility of the Nomadix Gateway. These new RADIUS attributes include:

- NAS-IP Address
- NAS-Port-Type
- Acct-Session-ID
- EAP-Packet
- Message-Authenticator
- State
- Acct-Interim-Interval
- Acct-Output-Packets
- Acct-Input-Packets
- Called-Station-ID
- Calling-Station-ID

RADIUS counting Packets Sent/Received

The RADIUS Accounting Start Packets Sent and Received values can be reset to zero after login, which gives the network administrator the option of either counting or not counting Walled Garden traffic.

Nomadix RADIUS Vendor Specific Attributes (VSA)

- Time-based session timeout (to terminate a session once a specified time period has been reached). Specified as date and time (e.g. 24:00/30 July 2003). This enhances the usability of the product for pre-paid card visitor-based broadband networks.
- Volume-Based Session Timeout (to terminate a session once a specified data volume has been reached)
- Log-Off-URL (to allow the placement of a Log-Off-URL e.g. 1.1.1.1 on an external portal page)
- Reject-Message (to allow the customization of reject messages)
- Session-Terminate-End-Of-Day (to allow business policies terminating the session at midnight of every day)
- Subnet (to allocate a specific subnet to a user)

Please see RADIUS Overview Specification for additional details on the AG RADIUS implementation.

Free Access Monitoring

Nomadix is able to send usage information of free access or non-authenticated users to external servers, similar to the existing billing mirror feature.

Port-based Policies

The Port Location capabilities on the NSE have been enhanced. It is now possible to define a policy per port. The billing methods (RADIUS, Credit Card, PMS, L2TP Tunneling) and the billing plans available on each port can now be individually configured. A practical application of this feature is to have a hotel guest room with a plan that is $9.99 a day with an ability to bill to the room using the property management system (PMS) billing, and a hotel meeting room with a plan of $14.99 an hour with Credit Card billing.

Security

Selective Access Control

The Nomadix Gateways can be used to create a walled garden, allowing visitors to access the network to predetermined Web sites, services or applications even though they may not have subscribed to the broadband Internet service. A Nomadix-enabled network provides up to 300 IP pass-through addresses and allows the service provider to enforce security based upon whether or not the customer has been authenticated. The walled garden can be used to push local content and services, providing a custom experience dependent upon the public hot spot owner.
By allowing selective access control to the network before customers authenticate themselves, service selection and Web based self-provisioning can be provided in a standard, efficient, low cost and convenient way that does not depend upon the transport technology (wired or wireless).

Tracking Syslogs

The NSE now supports Tracking Syslogs. This is a part of the Nomadix Lawful Intercept compliance strategy. The Tracking Syslogs can be enabled to monitor all the port assignments for the users accessing a public network. These tracking logs enable trace-back to a particular MAC address and Username based on port and IP information available to an external site that has been attacked, hacked or used in an illegal fashion.
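The field list and sample line that follow describe one tracking-log record; the Python below is an added example, not Nomadix code, that parses such records and performs the trace-back from an external site's report to a MAC address and username. It assumes every record follows the layout of the page's single sample line; the second log line, the function names and the 30-minute matching window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()

# Layout inferred from the one sample line on the page (an assumption, not a spec).
LINE_RE = re.compile(
    r"LI : \S+ (?P<ts>[A-Z]{3} [A-Z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) .*?"
    r"S\((?P<sip>[\d.]+)/(?P<sport>\d+)\),\s*"
    r"D\((?P<dip>[\d.]+)/(?P<dport>\d+)\),\s*"
    r"X\((?P<xip>[\d.]+)/(?P<xport>\d+)\),\s*(?P<tail>.*)$"
)

class TrackRecord(NamedTuple):
    when: datetime            # gateway time stamp inside the message
    src: tuple                # (local IP, port) on the subscriber side
    dst: tuple                # (destination IP, port)
    xlat: tuple               # (translated IP, port) as seen by the remote site
    proxy: str
    mac: str
    user_type: str            # RADIUS, PMS, Credit Card, XML, ...
    username: Optional[str]   # present only "if available"

def parse_line(line: str) -> Optional[TrackRecord]:
    """Parse one tracking syslog line; return None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    _dow, mon, day, hms, year = m["ts"].split()
    try:
        when = datetime(int(year), MONTHS.index(mon) + 1, int(day), *map(int, hms.split(":")))
    except ValueError:        # unknown month name or impossible date
        return None
    tail = [field.strip() for field in m["tail"].split(",")]
    if len(tail) < 3:
        return None
    username = tail[3] if len(tail) > 3 and tail[3] else None
    return TrackRecord(when, (m["sip"], int(m["sport"])), (m["dip"], int(m["dport"])),
                       (m["xip"], int(m["xport"])), tail[0], tail[1], tail[2], username)

def trace_back(lines, xlat_ip, xlat_port, dst_ip, seen_at, slack=timedelta(minutes=30)):
    """Match an external site's report (source IP/port it saw, its own IP, time) to records."""
    hits = []
    for rec in map(parse_line, lines):
        if (rec and rec.xlat == (xlat_ip, xlat_port) and rec.dst[0] == dst_ip
                and abs(rec.when - seen_at) <= slack):
            hits.append(rec)
    return hits

SAMPLE = [
    # The sample line given on the page.
    "2005-06-24 01:11:29 Local1.Info 67.130.149.4 INFO [HSG v2.4.113] LI : IN-->: "
    "FRI JUN 24 00:57:00 2005 Site Name S(192.168.2.4/3562), D(81.241.232.211/3478), "
    "X(67.130.149.4/5003), non-proxy, 00:90:27:78:81:00, RADIUS, IPASS/0U0000",
    # Constructed line: a different subscriber with no username recorded.
    "2005-06-24 01:12:02 Local1.Info 67.130.149.4 INFO [HSG v2.4.113] LI : IN-->: "
    "FRI JUN 24 00:57:33 2005 Site Name S(192.168.2.9/1044), D(198.51.100.7/80), "
    "X(67.130.149.4/5004), non-proxy, 02:00:5e:00:53:01, PMS",
    "unrelated syslog line that is not a tracking record",
]
```

Because many subscribers share one translated IP, the translated port and the time window are what make the match unique, so the gateway clock and the reporting site's clock need to be comparable.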

The tracking logs carry the following information:

1) Time Stamp
2) Source IP
3) Source Port
4) Destination IP
5) Destination Port
6) Translated IP
7) Translated Port
8) User Details
   a. MAC Address
   b. Local IP assigned
   c. Type of user (RADIUS, PMS, Credit Card, XML, Admin Added...)
   d. Username (if available)

A sample tracking log:

2005-06-24 01:11:29 Local1.Info 67.130.149.4 INFO [HSG v2.4.113] LI : IN-->: FRI JUN 24 00:57:00 2005 Site Name S(192.168.2.4/3562), D(81.241.232.211/3478), X(67.130.149.4/5003), non-proxy, 00:90:27:78:81:00, RADIUS, IPASS/0U0000

SSL support for Internal Web Server

This feature allows for the creation of an end-to-end encrypted link between the Nomadix Gateway and the clients by enabling the IWS to display pages under a secure link. This is important when transmitting AAA information in a wireless network, in particular when using RADIUS. Adding SSL support to the Gateway's functionality will also mean that the service provider will have to obtain a digital certificate from VeriSign to create HTTPS pages. Charges for the certificate depend on the encryption level (40 bit or 128 bit) and generally range from approx. $350 to $900. Instructions on how to obtain such certificates will be furnished by Nomadix.

Increased Device Security

The Nomadix Gateways now incorporate a master access control list that checks the source (IP address) of administrator logins. This allows an administrator login only if a match is made with the master list contained on the product. If a match is not made, the login is denied, even if a correct login name and password are supplied. The access control list supports up to 50 entries in the form of a specific IP address.

URL Filtering

The Nomadix Gateway can now restrict access to up to 300 specified websites based on URLs defined by the administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator in three ways:

- Host IP address (e.g. 64.209.75.254)
- Host DNS name (e.g. www.yahoo.com)
- DNS domain name (e.g. *.yahoo.com, meaning all sites under the yahoo.com hierarchy, e.g. finance.yahoo.com, sports.yahoo.com, etc.)

The system administrator will be able to dynamically add or remove specific IP addresses and domain names to be filtered for each property, allowing service providers and property owners to restrict certain sites from being visited, e.g. pornography, gambling, etc.

Proxy ARP Support

Network administrators can enable simultaneous network security and same subnet VoIP communication with the flexible proxy ARP definition feature. Changes in the WMI enable the easy configuration of the Proxy ARP functionality.

Security and Denial of Service Management

Session Rate Limiting and MAC Filtering

Session Rate Limiting (SRL) and MAC Address Filtering provide enhancements to Nomadix Access Control technology, significantly reducing the risks of Denial of Service attacks by allowing administrators to throttle the number of sessions any one user can take over a given time period and, if necessary, then block a malicious user.

ICMP Blocking

This release of the NSE now contains the option to block all ICMP traffic from pending or non-authenticated users that is destined to addresses other than those defined in the pass-through (walled garden) list. Please note that the default setting for this option is off, since ICMP pass-through is a useful end-user troubleshooting feature and is also required by certain smart clients (e.g. GRIC).

Secure XML

This feature allows the Operator to use Nomadix's popular XML API with the built-in SSL certificate functionality in the NSE, so parameters passed between the Gateway and the centralized web server are secured via SSL.

Multiple DHCP Pools and Subnets

End User IP address management

Subnets and DHCP pool scopes can be assigned a number by a variety of methods such as:

- Location ID (e.g. via VLAN ID)
- Nomadix RADIUS VSA ("Subnet")
- Administratively assigned

The Nomadix Gateways have two separate DHCP pools that can be defined. The first pool of addresses will contain private addresses; the second will contain public addresses. This feature allows a service provider to keep a centralized pool of public IP addresses at the NOC and use the Gateway to distribute private IP addresses. When a subscriber selects a service plan with a public pool address, Nomadix will associate their MAC address with their public IP address for the duration of the service level agreement. This feature also allows the administrator to set two different DHCP pools for the same physical LAN.

Multi-subnet support allows you to:

- Use non-contiguous public DHCP pools. For example, if you need to provide Internet access to 1,000 DHCP users and only have non-contiguous Class C pools, you can now define these separate pools in the Nomadix gateway
- Use mixed public and private pools to meet the requirements of a varied network topology as well as customer sets (residential vs. business). For example, all residential users will get a private IP address and be address translated, whereas all business customers will get a public IP and not be address translated
- Differentiate your customers depending on their location. For example, you may want to place all users in one building in the same VLAN and provision all their IP addresses from a dedicated pool
- Allocate different lease times to different users dependent on the peak usage patterns of the network
- Keep all devices (e.g. Access Points) on a separate public subnet that will not get address translated

IP Address Upsell

IP Upsell provides another method of revenue generation for the service provider by allowing the upsell of added services by purchasing public IP addresses.

SMTP Support for correctly configured subscribers

SNMP Re-Direct

The administrator could set the Nomadix Gateway to pass all SMTP traffic through the SMTP relay server independent of the PC's settings.

DNS support for SMTP redirect

This functionality allows you to use DNS load balancing for your SMTP servers.

Management Interfaces

The following interfaces are supported:

Network Management

- Command Line Interface (CLI), i.e. a terminal session directly connected via a serial cable.
- Telnet session, i.e. similar to CLI but done remotely.
- Web Management Interface (WMI), i.e. remotely through any Web browser.
- FTP (File Transfer Protocol), i.e. for managing files in the flash of the Nomadix Access Gateway.
- SNMP (Simple Network Management Protocol), using standard networking tools.

Web Management Interface (WMI) and Command Line Interface (CLI) interfaces are synchronized in several key areas (e.g. dmac, Current, URL filtering). This expands the management options for network administrators. Now most of the commonly used configuration options are available in both the WMI and CLI.

The CLI displays the bytes sent and received for every MAC address.

The number of simultaneous operator logins has been extended to 3. This aligns the feature with most carrier help desk operations.

In order to ease the initial setup and ongoing configuration of the NSE, the Subscriber Side Configuration UI feature allows administrators to access the configuration interfaces (WMI, CLI, TELNET, SFTP, and SSH) from the Subscriber/LAN side of the NSE. Prior to this feature, the only way to get access to the configuration interface was through the Network/WAN interface. This is particularly useful for the wireless gateway, and can facilitate substantial savings in time and effort in implementing installation and configuration changes.

Static Port Mapping for Devices on Private IPs

This feature allows the network administrator to set up a port mapping scheme that forwards packets received on a specific port to a particular static IP (typically private and mis-configured) and port number on the subscriber side of the NSE. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the NSE without setting them up with Public IP addresses.

Location Identifier

The purpose of this feature is to aid in the management and monitoring of multiple NSE devices via a browser by placing the Location information of the NSE device in the corner of the WMI screen. This allows the administrator to quickly identify which location he is viewing when multiple browser windows are open.

One click DAT™ session clearance

Network administrators can now clear all existing DAT™ sessions without rebooting the device to overcome any potential session limitation issues.

Help Link at Login Screen

The Internal Web Server Login page will now allow a Help link that is configurable by the Administrator.

Administrative Access policy setting

The Network Administrator will now be able to define two levels of administrative access:

- Manager Level: Read, Write and Reboot access to all configuration screens
- Operator Level: Read only access to all configuration screens

This provides the ability for a desk clerk to view the status of the Gateway without risking damaging configuration changes. It will also provide a Management Access history which details the last 500 entry logs of administrative access.

Remote Authentication Testing Facility

Nomadix provides a "secure" web page (password protected) that enables an administrator to type a username/password that commands the Gateway to send a RADIUS Access-Request to the RADIUS Server following the same basic rules as if it was from a subscriber. The Gateway would send a meta-refresh HTTP page (displaying "Please wait...") until it displays an error/success message (accept, reject, timeout, internal failure) result. This enables an administrator to test the back-end RADIUS implementation remotely.

Easier Troubleshooting and Setup

The Nomadix Gateways platform now allows complete and unconditional access to devices on the subscriber side with its Bridge Mode feature. When Bridge Mode is enabled, the Gateway is effectively transparent to the network in which it is located, allowing clusters of switches (especially Cisco Systems switch clusters) to be managed using STP (Spanning Tree Protocol). All packets are unmodified and can be forwarded in both directions (except those addressed to the Gateway's network side port). Bridge Mode provides easier troubleshooting of the network by removing the Gateway from the network without physically taking it out of the rack.

Centralized Management

The Nomadix Gateways enable system administrators to upgrade the firmware for all Gateways in their network from a new, stand-alone Centralized Management Application. This supports simple, easy, remote upgrading of the Gateways to new releases of code.

SNMP MIB

The Nomadix SNMP MIB includes MIB objects for all relevant configuration parameters.

Fail-over High-Availability

Many large-scale, highly prominent networks (e.g. tradeshows, convention centers, etc.) require fail-over support for all devices in the public-access network. From the 4.3 release of the NSE, the Gateway allows two Nomadix Gateways to act as siblings, where one device will take up the users should the other device become disconnected from the network. As part of this functionality, the settings (except IP addresses) between the two devices will be synchronized automatically.

Driverless Printing (Click 2 Print)

Remote (central) Printer support

Nomadix partnered with Peerless Systems to create a driverless printing solution to allow subscribers to print documents via an Internet browser without having to make any configuration or driver changes to the subscriber's computer. Peerless Systems has added XML support to their Print Server to communicate with the Nomadix Gateway to allow for billing integration. The Click 2 Print driverless printing solution:

- Supports printing web pages and offers a print preview option
- Allows the print server to be centrally placed in-building or at the NOC to control multiple properties
- Supports a wide variety of file formats

Driverless printing creates another revenue source for the property owner by providing printing services 24 hours a day without requiring the guest to make any configuration changes to their computer.