Sie zeigen eine alte Version dieser Seite an. Zeigen Sie die aktuelle Version an.

Unterschiede anzeigen Seitenhistorie anzeigen

« Vorherige Version anzeigen Version 16 Nächste Version anzeigen »


Description:
This document describes how to configure a wireless network supported by multiple LANCOM access points, where guest users have to enter their user credentials at the central gateway in order to communicate with the Internet (Public Spot).

Requirements:

The use of the device with active Public Spot as gateway and DNS server in the Public Spot network is mandatory!

The management ports for HTTP (port 80) and HTTPS (port 443) must not be changed and have to be left on the default values! Please refer to this article in our Knowledge Base (see steps 1.8) - 1.9)).

If the integrated SSL certificate is used, a warning is displayed when invoking an HTTPS website due to an unknown certificate! Please refer to this article in our Knowledge Base (see "Security notice for the SSL-HTTPS certificate"). 


Scenario:
  • After logging in to the Public Spot via the LAN and/or WLAN, guests should be able to communicate with the Internet.
  • Employees should be able to use the LAN and/or WLAN to communicate with the Internet and intranet without having to login.
  • No communication is allowed between the guest and company networks.
The following steps describe how to configure the central LANCOM gateway with its Public Spot option, and also the configuration of the LANCOM switch and a LANCOM access point. To operate more than one LANCOM access point, the steps taken for the configuration can be repeated for any number of APs.


Procedure:
1) Configuring the local networks and VLANs on the gateway router:
1.1) Open the configuration of the gateway router in LANconfig and go to the menu IPv4 → General → IP networks.
1.2) In the IP networks dialog, click the Add button to create a new network.
1.3) Change the following parameters for the GUEST network:
  • Network name: Enter a descriptive name for the guest network (in this case GUEST).
  • IP addressEnter an IP address from an IP address range which is not already in use.
  • NetmaskEnter the subnet mask which is associated with the IP address.

1.4) The table IP networks has to appear as follows afterwards:
1.5) Go to the menu IPv4 → DHCPv4 → DHCP networks.
1.6) Click Add to enter a new entry in the table DHCP networks.
1.7) Edit the following parameters:
  • Network name: In the dropdown menu select the network created in step 1.3) (in this example the network GUEST). 
  • DHCP server enabled: In the dropdown menu select Yes to activate the DHCP server.

If the address 0.0.0.0 is stored for each parameter in the configuration items Addresses for DHCP clients and Name server addresses, the router assigns its own IP address in this network as gateway and DNS server. Furthermore all free IP addresses within this network are used for assigning IP addresses. If necessary you can change the parameters.

1.8) The table DHCP networks has to appear as follows afterwards:
1.9) Go to the menu Interfaces → VLAN and activate the VLAN module.
1.10) Go to the menu Network table.
1.11) Select the entry Default_VLAN and click on the Edit button.
1.12) Click on the Select button  next to Port list to select the interface LAN-1.

The VLAN ID 1 is assigned to the company network.

1.13) Create a new entry and change the following parameters:
  • VLAN name: Enter a descriptive name for the VLAN (in this example GUEST).
  • VLAN ID: Enter the VLAN ID 2.
  • Port list: Select the locial interface LAN-1
1.14) The Network table has to appear as follows afterwards:
1.15) Go to the menu Port table.
1.16) Select the VLAN port LAN-1: Local area network 1 and click Edit.
1.17) Change the following parameters:
  • VLAN tagging mode: Make sure that the tagging mode Hybrid (Mixed) is selected.
  • Port VLAN ID: Make sure that the VLAN ID 1 is used.

1.18) Go to the menu IPv4 → General → IP networks to add the VLAN IDs to the networks.
1.19) Select the network INTRANET and click Edit.
1.20) Enter the VLAN-ID 1 since it belongs to the company network (INTRANET).
1.21) Edit the network GUEST and change the following parameters:
  • VLAN ID: Enter the VLAN ID 2.
  • Interface tag: Enter an Interface tag unequal 0, so that the communication between the network GUEST and the network INTRANET is prevented (in this example the tag 1 is used).

Networks that have been given an interface tag can only communicate with networks that share the same interface tag.

This also means that the network INTRANET, which has the interface tag 0, is able to communicate with all networks, whatever interface tag they have.

This makes it easier to access the guest network from the company network. It is not possible to communicate from the guest network to the company network.

1.22) The table IP networks has to appear as follows afterwards:
1.23) The network and VLAN configuration is complete. Write the configuration back into the router.


2) Configuring the Public Spot and the RADIUS server on the gateway router
2.1) Go to the menu Public-Spot → Authentication and select the mode Authenticate with name and password.
2.2) Go to the menu Public Spot → Server → Operational settings
2.3) Go to the menu Interfaces.
2.4) Select the Interface for the Public Spot authentication (in this example the interface LAN-1), and click Edit.
2.5) Activate the User Authentication for the interface LAN-1: Local area network 1.
2.6) Go to the menu Network table to specify which VLAN ID should be used in conjunction with the Public Spot.
2.7) Click Add to create a new entry.
2.8) Select the VLAN ID 2.
2.9) Go to the menu Public Spot → Users → RADIUS server to point to the integrated RADIUS server.
2.10) Ex factory there is an entry named LOCAL. It points to the integrated RADIUS and Accounting server.

If the entry LOCAL doesn't exist, create an entry and enter any name.

Make sure that the following parameters are used:

  • Auth. server address: 127.0.0.1
  • Auth. server port: 1812
  • Acc. server address127.0.0.1
  • Acc. server port: 1813

2.11) Go to the menu Public Spot → Wizard → Public Spot SSIDs.
2.12) Create a new entry and change the following parameters:
  • SSID: Enter the SSID for the guest network created in step 4.4) (in this example Guest), to print the name of the SSID on the Public Spot voucher.
  • SSID selected: Set this option to Yes, in order for the SSID to be printed on the Public Spot voucher whenever a Public Spot user is created and the voucher printed via the setup wizard Create Public Spot Account.

2.13) Go to the menu RADIUS → Server and activate the functions RADIUS authentication and RADIUS accounting.
2.14) Go to the menu RADIUS services ports.
2.15) Make sure that the Authentication port is set to 1812 and the Accounting port to 1813.
2.16) The configuration of the Public Spot and the RADIUS server is complete. Write the configuration back into the router.


3) Configuring the VLAN on the LANCOM switch:
3.1) Open the configuration of the LANCOM switch in a web browser and go to the menu Configuration → VLAN → VLAN Membership.
3.2) In this example the switch ports should be configured as follows:
  • LANCOM Access Point at Port 1
  • LANCOM gateway router at Port 3
  • Port 23 is used for access to the company network (192.168.0.0/24) via LAN.
  • Port 24 is used for access to the guest network (192.168.1.0/24) via LAN. The authentication is controlled via the Public Spot.
3.3) Edit the existing Default VLAN and enter the name of the network (in this example COMPANY).
3.4) Add a new VLAN via the button Add New VLAN. Enter the name of the network (in this example GUEST) and enter the VLAN ID 2.
3.5) Tick the checkboxes with the Ports 1, 3 and 24 for the VLAN GUEST.
3.6) Go to the menu Ports and edit the port configuration for the ports 1, 3, 23 and 24:
  • Make sure, that the Egress Rule is set to Hybrid for the Ports 1 and 3 and that the PVID is set to 1.

  • For the Port 23 set the Egress Rule to  Access and make sure, that the PVID is set to 1.
  • For the Port 24 set the Egress Rule to  Access and make sure, that the PVID is set to 2.
3.7) The VLAN configuration of the switch is complete. Write the configuration back into the device.


4) Configuring a LANCOM access point
4.1) Go to the menu IPv4 → General → IP networks.
4.2) Assign an IP address from the company network to the Access Point (in this example the network 192.168.0.0/24) and enter the VLAN ID 1.
4.3) Go to the menu Wireless-LAN → General → Logical WLAN settings.
4.4) Create a WLAN for the company network and the guest network for each radio module and edit the encryption parameters.
WLAN interface 1 - Network 1:
Network tab:
  • Make sure, that the checkbox WLAN network enabled is ticked.
  • Enter a descriptive name for the SSID (in this example the name Comp).

Encryption tab:

  • Enter a WPA key for Key 1/passphrase. It has to be entered in WLAN devices to be able to connect to the WLAN. 

   


WLAN interface 1 - Network 2:
Network tab:
  • Make sure, that the checkbox WLAN network enabled is ticked.
  • Enter a descriptive name for the SSID (in this example the name Guest).

Encryption tab:

  • Deactivate the encryption. WLAN devices should authenticate themselves at the Public Spot via login credentials.

   


WLAN-Interface 2 - Netzwerk 1:
Network tab:
  • Make sure, that the checkbox WLAN network enabled is ticked.
  • Enter a descriptive name for the SSID (in this example the name Comp).

Encryption tab:

  • Enter the same WPA key for Key 1/passphrase you used for the interface WLAN interface 1 - Network 1
   

WLAN interface 2 - Netzwerk 2:
Network tab:
  • Make sure, that the checkbox WLAN network enabled is ticked.
  • Enter a descriptive name for the SSID (in this example the name Guest).

Encryption tab:

  • Deactivate the encryption. WLAN devices should authenticate themselves at the Public Spot via login credentials.
   
4.5) Go to the menu Interfaces → VLAN and activate the VLAN module.
4.6) Go to the menu Network table.
4.7) Select the entry Default_VLAN and click Edit.
4.8) In the Port list click Select to add the logical interfaces for the company network

If the Port list contains the wildcard *-* which stands for all logical interfaces, it is recommended to delete it and enter the interfaces which are used.

4.9) Select all logical interfaces, which should communicate via the company network (in this example the interfaces LAN-1, WLAN-1 and WLAN-2).
4.10) Create a new entry and enter the following parameters:
  • VLAN name: Enter a descriptive name for this VLAN (in this example GUAST).
  • VLAN ID: Enter the VLAN ID 2.
  • Afterwards click on Select in the Port list to add the logical interfaces for the guest network

4.11) Select all logical interfaces, which should communicate via the guest network (in this example the interfaces LAN-1, WLAN-1-2 and WLAN-2-2).

4.12) The Network table has to appear as follows afterwards:

4.13) Go to the menu Port table.
4.14) Edit the individual logical interfaces as follows:
LAN-1:
  • VLAN tagging mode: Make sure, that the tagging mode Hybrid (Mixed) is used.
  • Port VLAN ID: Make sure, that the Port VLAN ID 1 is used. 

 

WLAN-1:
  • VLAN tagging mode: In the dropdown menu select the tagging mode Access (Never).
  • Port VLAN ID: Make sure, that the Port VLAN ID 1 is used. 

WLAN-2:

  • VLAN tagging mode: In the dropdown menu select the tagging mode Access (Never).
  • Port VLAN ID: Make sure, that the Port VLAN ID 1 is used. 

    

WLAN-1-2:
  • VLAN tagging mode: In the dropdown menu select the tagging mode Access (Never).
  • Port VLAN ID: Enter the Port VLAN ID 2

WLAN-2-2:

  • VLAN tagging mode: In the dropdown menu select the tagging mode Access (Never).
  • Port VLAN ID: Enter the Port VLAN ID 2

  

4.15) The Port table has to appear as follows afterwards:
4.16) The configuration of the access point is complete. Write the configuration back into the device.


5) Configuring a further administrator for adding and managing Public Spot users:
5.1) Open the configuration of the gateway router in LANconfig and go to the menu Management → Admin → Further administrators.
5.2) Create a further administrator and edit the following parameters:
  • Administrator: Enter a descriptive name for the further administrator.
  • Password: Enter a password for the administrator.
  • Access rights: Select None in the dropdown menu.
  • Deactivate all Function rights except Public spot wizard (add user) and Public spot wizard (manage user), so that the further administrator is able to add and manage Public Spot users.

5.3) The configuration of the further administrator is complete. Write the configuration back into the device.


6) Adding and managing Public Spot users in WEBconfig:
6.1) Invoke the IP address of the gateway router in a web browser and login with the login credentials of the further administrator (see step 5.2)).
 
6.2) It is possible to carry out the following actions in the menu Create Public Spot Account:
  • Create one or several Public Spot users by clicking on the button Create and Print.
  • Create one or several Public Spot users by clicking on the button Create and CSV-Expor. Additionally the user data will be exported into a CSV file so that it can be processed further.#
  • By clicking on the button User Management you can invoke the menu Manage Public Spot Account.

6.3) It is possible to carry out the following actions in the menu Manage Public Spot Account:
  • The button Show/Hide column allows to mask individual columns. In the default setting all columns are displayed.
  • By clicking Save as CSV a CSV file can be saved which contains all Public Spot users in the database. 
  • It is possible to change individual parameters (e.g. the Password or Expiry-Type) and save them.
  • By clicking the button Delete you can delete individual users.
  • By clicking on the button Add useryou can invoke the menu Create Public Spot Account.





  • Keine Stichwörter