Description:
This document describes how to configure a wireless network supported by multiple LANCOM access points, where guest users have to enter their user credentials at the central gateway in order to communicate with the Internet (Public Spot).

Requirements:


Info

The use of the device with active Public Spot as gateway and DNS server in the Public Spot network is mandatory!

The management ports for HTTP (port 80) and HTTPS (port 443) must not be changed and have to be left on the default values! Please refer to this article in our Knowledge Base (see steps 1.8) - 1.9)).

If the integrated SSL certificate is used, a warning is displayed when invoking an HTTPS website due to an unknown certificate! Please refer to this article in our Knowledge Base (see "Security notice for the SSL-HTTPS certificate").



Scenario:
  • After logging in to the Public Spot via the LAN and/or WLAN, guests should be able to communicate with the Internet.
  • Employees should be able to use the LAN and/or WLAN to communicate with the Internet and intranet without having to log in.
  • No communication is allowed between the guest and company networks.
The following steps describe how to configure the central LANCOM gateway with its Public Spot option, and also the configuration of the LANCOM switch and a LANCOM access point. To operate more than one LANCOM access point, the steps taken for the configuration can be repeated for any number of APs.


Procedure:
1) Configuring the local networks and VLANs on the gateway router:
1.1) Open the configuration of the gateway router in LANconfig and go to the menu IPv4 → General → IP networks.
1.2) In the IP networks dialog, click the Add button to create a new network.
1.3) Change the following parameters for the GUEST network:
  • Network name: Enter a descriptive name for the guest network (in this case GUEST).
  • IP address: Enter an IP address from an IP address range which is not already in use.
  • Netmask: Enter the subnet mask which is associated with the IP address.

1.4) The table IP networks has to appear as follows afterwards:
1.5) Go to the menu IPv4 → DHCPv4 → DHCP networks.
1.6) Click Add to enter a new entry in the table DHCP networks.
1.7) Edit the following parameters:
  • Network name: In the dropdown menu select the network created in step 1.3) (in this example the network GUEST). 
  • DHCP server enabled: In the dropdown menu select Yes to activate the DHCP server.
Info

If the address 0.0.0.0 is stored for each parameter in the configuration items Addresses for DHCP clients and Name server addresses, the router assigns its own IP address in this network as gateway and DNS server. Furthermore all free IP addresses within this network are used for assigning IP addresses. If necessary you can change the parameters.

1.8) The table DHCP networks has to appear as follows afterwards:
1.9) Go to the menu Interfaces → VLAN and activate the VLAN module.
1.10) Go to the menu Network table.
1.11) Select the entry Default_VLAN and click on the Edit button.
1.12) Click on the Select button next to Port list to select the interface LAN-1.


Info

The VLAN ID 1 is assigned to the company network.


1.13) Create a new entry and change the following parameters:
  • VLAN name: Enter a descriptive name for the VLAN (in this example GUEST).
  • VLAN ID: Enter the VLAN ID 2.
  • Port list: Select the logical interface LAN-1.
1.14) The Network table has to appear as follows afterwards:
1.15) Go to the menu Port table.
1.16) Select the VLAN port LAN-1: Local area network 1 and click Edit.
1.17) Change the following parameters:
  • VLAN tagging mode: Make sure that the tagging mode Hybrid (Mixed) is selected.
  • Port VLAN ID: Make sure that the VLAN ID 1 is used.

1.18) Go to the menu IPv4 → General → IP networks to add the VLAN IDs to the networks.
1.19) Select the network INTRANET and click Edit.
1.20) Enter the VLAN-ID 1 since it belongs to the company network (INTRANET).
1.21) Edit the network GUEST and change the following parameters:
  • VLAN ID: Enter the VLAN ID 2.
  • Interface tag: Enter an interface tag other than 0 so that communication between the network GUEST and the network INTRANET is prevented (in this example the tag 1 is used).
Info

Networks that have been given an interface tag can only communicate with networks that share the same interface tag.

This also means that the network INTRANET, which has the interface tag 0, is able to communicate with all networks, whatever interface tag they have.

This makes it easier to access the guest network from the company network. It is not possible to communicate from the guest network to the company network.

1.22) The table IP networks has to appear as follows afterwards:
1.23) The network and VLAN configuration is complete. Write the configuration back into the router.


2) Configuring the Public Spot and the RADIUS server on the gateway router
2.1) Go to the menu Public Spot → Authentication and select the mode Authenticate with name and password.
2.2) Go to the menu Public Spot → Server → Operational settings.
2.3) Go to the menu Interfaces.
2.4) Select the interface for the Public Spot authentication (in this example the interface LAN-1), and click Edit.
2.5) Activate the User Authentication for the interface LAN-1: Local area network 1.
2.6) Go to the menu Network table to specify which VLAN ID should be used in conjunction with the Public Spot.
2.7) Click Add to create a new entry.
2.8) Select the VLAN ID 2.
2.9) Go to the menu Public Spot → Users → RADIUS server to point to the integrated RADIUS server.
2.10) In the factory settings there is an entry named LOCAL. It points to the integrated RADIUS and Accounting server.


Info

If the entry LOCAL doesn't exist, create an entry and enter any name.

Make sure that the following parameters are used:

  • Auth. server address: 127.0.0.1
  • Auth. server port: 1812
  • Acc. server address: 127.0.0.1
  • Acc. server port: 1813

2.11) Go to the menu Public Spot → Wizard → Public Spot SSIDs.
2.12) Create a new entry and change the following parameters:
  • SSID: Enter the SSID for the guest network created in step 4.4) (in this example Guest), to print the name of the SSID on the Public Spot voucher.
  • SSID selected: Set this option to Yes, in order for the SSID to be printed on the Public Spot voucher whenever a Public Spot user is created and the voucher printed via the setup wizard Create Public Spot Account.

2.13) Go to the menu RADIUS → Server and activate the functions RADIUS authentication and RADIUS accounting.
2.14) Go to the menu RADIUS services ports.
2.15) Make sure that the Authentication port is set to 1812 and the Accounting port to 1813.
2.16) The configuration of the Public Spot and the RADIUS server is complete. Write the configuration back into the router.


3) Configuring the VLAN on the LANCOM switch:
3.1) Open the configuration of the LANCOM switch in a web browser and go to the menu Configuration → VLAN → VLAN Membership.
3.2) In this example the switch ports should be configured as follows:
  • LANCOM Access Point at Port 1
  • LANCOM gateway router at Port 3
  • Port 23 is used for access to the company network (192.168.0.0/24) via LAN.
  • Port 24 is used for access to the guest network (192.168.1.0/24) via LAN. The authentication is controlled via the Public Spot.
3.3) Edit the existing Default VLAN and enter the name of the network (in this example COMPANY).
3.4) Add a new VLAN via the button Add New VLAN. Enter the name of the network (in this example GUEST) and enter the VLAN ID 2.
3.5) Tick the checkboxes with the Ports 1, 3 and 24 for the VLAN GUEST.
3.6) Go to the menu Ports and edit the port configuration for the ports 1, 3, 23 and 24:
  • Make sure that the Egress Rule is set to Hybrid for the Ports 1 and 3 and that the PVID is set to 1.
  • For the Port 23, set the Egress Rule to Access and make sure that the PVID is set to 1.
  • For the Port 24, set the Egress Rule to Access and make sure that the PVID is set to 2.
3.7) The VLAN configuration of the switch is complete. Write the configuration back into the device.


4) Configuring a LANCOM access point
4.1) Go to the menu IPv4 → General → IP networks.
4.2) Assign an IP address from the company network to the Access Point (in this example the network 192.168.0.0/24) and enter the VLAN ID 1.
4.3) Go to the menu Wireless-LAN → General → Logical WLAN settings.
4.4) Create a WLAN for the company network and the guest network for each radio module and edit the encryption parameters.
WLAN interface 1 - Network 1:
Network tab:
  • Make sure that the checkbox WLAN network enabled is ticked.
  • Enter a descriptive name for the SSID (in this example the name Comp).

Encryption tab:

  • Enter a WPA key for Key 1/passphrase. It has to be entered in WLAN devices to be able to connect to the WLAN.

WLAN interface 1 - Network 2:
Network tab:
  • Make sure that the checkbox WLAN network enabled is ticked.
  • Enter a descriptive name for the SSID (in this example the name Guest).

Encryption tab:

  • Deactivate the encryption. WLAN devices should authenticate themselves at the Public Spot via login credentials.

WLAN interface 2 - Network 1:
Network tab:
  • Make sure that the checkbox WLAN network enabled is ticked.
  • Enter a descriptive name for the SSID (in this example the name Comp).

Encryption tab:

  • Enter the same WPA key for Key 1/passphrase you used for the interface WLAN interface 1 - Network 1.

WLAN interface 2 - Network 2:
Network tab:
  • Make sure that the checkbox WLAN network enabled is ticked.
  • Enter a descriptive name for the SSID (in this example the name Guest).

Encryption tab:

  • Deactivate the encryption. WLAN devices should authenticate themselves at the Public Spot via login credentials.
4.5) Go to the menu Interfaces → VLAN and activate the VLAN module.
4.6) Go to the menu Network table.
4.7) Select the entry Default_VLAN and click Edit.
4.8) In the Port list click Select to add the logical interfaces for the company network.


Info

If the Port list contains the wildcard *-*, which stands for all logical interfaces, it is recommended to delete it and enter the interfaces which are used instead.

4.9) Select all logical interfaces that should communicate via the company network (in this example the interfaces LAN-1, WLAN-1 and WLAN-2).
4.10) Create a new entry and enter the following parameters:
  • VLAN name: Enter a descriptive name for this VLAN (in this example GUEST).
  • VLAN ID: Enter the VLAN ID 2.
  • Afterwards click on Select in the Port list to add the logical interfaces for the guest network.

4.11) Select all logical interfaces that should communicate via the guest network (in this example the interfaces LAN-1, WLAN-1-2 and WLAN-2-2).

4.12) The Network table has to appear as follows afterwards:

4.13) Go to the menu Port table.
4.14) Edit the individual logical interfaces as follows:
LAN-1:
  • VLAN tagging mode: Make sure that the tagging mode Hybrid (Mixed) is used.
  • Port VLAN ID: Make sure that the Port VLAN ID 1 is used.

WLAN-1:
  • VLAN tagging mode: In the dropdown menu select the tagging mode Access (Never).
  • Port VLAN ID: Make sure that the Port VLAN ID 1 is used.

WLAN-2:
  • VLAN tagging mode: In the dropdown menu select the tagging mode Access (Never).
  • Port VLAN ID: Make sure that the Port VLAN ID 1 is used.

WLAN-1-2:
  • VLAN tagging mode: In the dropdown menu select the tagging mode Access (Never).
  • Port VLAN ID: Enter the Port VLAN ID 2.

WLAN-2-2:
  • VLAN tagging mode: In the dropdown menu select the tagging mode Access (Never).
  • Port VLAN ID: Enter the Port VLAN ID 2.

4.15) The Port table has to appear as follows afterwards:
4.16) The configuration of the access point is complete. Write the configuration back into the device.
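
The VLAN plan from steps 4.9) to 4.14) can be checked on paper before it is written to the access point. The following Python sketch is an added example, not LANCOM code: it uses a simplified 802.1Q forwarding model (an assumption), and the names VLANS, PORTS, egress and audit are hypothetical. It also flags the wildcard port list mentioned in the Info box under step 4.8).

```python
# Constructed from steps 4.9 to 4.14 on this page; not exported from a device.
VLANS = {1: {"LAN-1", "WLAN-1", "WLAN-2"},        # Default_VLAN (company)
         2: {"LAN-1", "WLAN-1-2", "WLAN-2-2"}}    # GUEST
PORTS = {"LAN-1": ("hybrid", 1),                  # interface -> (tagging mode, PVID)
         "WLAN-1": ("access", 1), "WLAN-2": ("access", 1),
         "WLAN-1-2": ("access", 2), "WLAN-2-2": ("access", 2)}
WILDCARD = "*-*"  # port-list entry that stands for all logical interfaces


def members(vlans, ports, vid):
    """Expand a VLAN's port list, resolving the wildcard to every interface."""
    plist = vlans.get(vid, set())
    return set(ports) if WILDCARD in plist else set(plist)


def egress(vlans, ports, in_port):
    """Where an untagged frame entering in_port may leave, and how.

    Simplified 802.1Q model (assumption): ingress is classified by the PVID,
    access ports send untagged, hybrid ports tag every VLAN except their PVID.
    """
    vid = ports[in_port][1]
    out = {}
    for port in members(vlans, ports, vid) - {in_port}:
        mode, pvid = ports[port]
        out[port] = "untagged" if mode == "access" or pvid == vid else "tagged"
    return out


def audit(vlans, ports):
    """Return findings that would let company and guest traffic share a segment."""
    findings = []
    for vid, plist in vlans.items():
        if WILDCARD in plist:
            findings.append(f"VLAN {vid}: port list contains wildcard {WILDCARD}")
    for port, (mode, pvid) in ports.items():
        joined = sorted(v for v in vlans if port in members(vlans, ports, v))
        if mode == "access" and joined != [pvid]:
            findings.append(f"{port}: access port with PVID {pvid} is in VLANs {joined}")
    return findings


if __name__ == "__main__":
    print(egress(VLANS, PORTS, "WLAN-1-2"))  # guest SSID on radio module 1
    print(audit(VLANS, PORTS) or "no findings")
```

With the tables as configured on this page, guest frames leave only via the other guest SSID and, tagged with VLAN ID 2, via LAN-1 towards the switch.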


5) Configuring a further administrator for adding and managing Public Spot users:
5.1) Open the configuration of the gateway router in LANconfig and go to the menu Management → Admin → Further administrators.
5.2) Create a further administrator and edit the following parameters:
  • Administrator: Enter a descriptive name for the further administrator.
  • Password: Enter a password for the administrator.
  • Access rights: Select None in the dropdown menu.
  • Deactivate all Function rights except Public spot wizard (add user) and Public spot wizard (manage user), so that the further administrator is able to add and manage Public Spot users.

5.3) The configuration of the further administrator is complete. Write the configuration back into the device.


6) Adding and managing Public Spot users in WEBconfig:
6.1) Invoke the IP address of the gateway router in a web browser and log in with the login credentials of the further administrator (see step 5.2)).
6.2) It is possible to carry out the following actions in the menu Create Public Spot Account:
  • Create one or several Public Spot users by clicking on the button Create and Print.
  • Create one or several Public Spot users by clicking on the button Create and CSV-Export. Additionally the user data will be exported into a CSV file so that it can be processed further.
  • By clicking on the button User Management you can invoke the menu Manage Public Spot Account.

6.3) It is possible to carry out the following actions in the menu Manage Public Spot Account:
  • The button Show/Hide column allows you to hide individual columns. In the default setting all columns are displayed.
  • By clicking Save as CSV a CSV file can be saved which contains all Public Spot users in the database.
  • It is possible to change individual parameters (e.g. the Password or Expiry-Type) and save them.
  • By clicking the button Delete you can delete individual users.
  • By clicking on the button Print you can print vouchers for Public Spot users after creating them.
  • By clicking on the button Add user you can invoke the menu Create Public Spot Account.