Amigopod 3.7

D ep

lo ym

en t

G ui

d e

Copyright

2012 Aruba Networks, Inc. Aruba Networks trademarks include, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, Green Island. All rights reserved. All other trademarks are the property of their respective owners.

Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site:

http://www.arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.

Warranty

This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.

Altering this device (such as painting it) voids the warranty.

www.arubanetworks.com

1344 Crossman Avenue Sunnyvale, California 94089

Phone: 408.227.4500 Fax 408.227.4550

Amigopod 3.7 | Deployment Guide 0510909-04 | Februaryr 2012

Amigopod 3.7 | Deployment Guide

Contents

Chapter 1 Amigopod Visitor Management Appliance.......................................... 17 About this Manual................................................................................................17

Documentation Conventions.........................................................................17 Documentation Overview..............................................................................18

Getting Support ...................................................................................................19 Field Help ......................................................................................................19 Quick Help ....................................................................................................19 Context-Sensitive Help .................................................................................19 Searching Help..............................................................................................19 If You Need More Assistance........................................................................20

Chapter 2 Management Overview ......................................................................... 21

Visitor Access Scenarios .....................................................................................21

Reference Network Diagram ...............................................................................22

Key Interactions...................................................................................................22

AAA Framework...................................................................................................23

Key Features........................................................................................................25

Visitor Management Terminology........................................................................27

Deployment Process ...........................................................................................28 Security Policy Considerations .....................................................................28 Operational Concerns ...................................................................................28 Network Provisioning ....................................................................................28 Site Preparation Checklist.............................................................................29

Chapter 3 Setup Guide............................................................................................ 31 Hardware Appliance Setup..................................................................................31

Default Network Configuration......................................................................31

Virtual Appliance Setup .......................................................................................32 VMware Workstation or VMware Player .......................................................32 VMware ESXi.................................................................................................32

Accessing the Console User Interface ................................................................33 Console Login ...............................................................................................33 Console User Interface Functions.................................................................33

Accessing the Graphical User Interface ..............................................................34

Setup Wizard .......................................................................................................34 Login Screen .................................................................................................35 Amigopod License Agreement......................................................................35 Set Administrator Password .........................................................................36 Set System Hostname ..................................................................................36 Configure Network Interfaces .......................................................................37 Configure HTTP Proxy ..................................................................................38 Configure SMTP Mail Settings......................................................................39 Configure SNMP ...........................................................................................40 Configure Server Time and Time Zone .........................................................40 Configure Default RADIUS NAS Vendor Type ..............................................41 RADIUS Network Access Servers.................................................................42

| 3

Configure Amigopod Subscription ID ...........................................................42 Install Subscription Updates.........................................................................43 Setup Complete ............................................................................................44

Chapter 4 RADIUS Services ................................................................................... 45 Accessing RADIUS Services ...............................................................................45

Server Control......................................................................................................45 RADIUS Log Snapshot..................................................................................45 Debug RADIUS Server ..................................................................................46 Viewing Failed Authentications .....................................................................46

Server Configuration............................................................................................47 Example: Removing a User-Name Suffix......................................................49 Example: Correcting the NAS-IP-Address Attribute .....................................49 Example: Adding a Reply-Message to an Access-Reject Packet ................49

User Roles ...........................................................................................................49 Creating a User Role .....................................................................................50 Role Attributes ..............................................................................................51 Attribute Tags................................................................................................52 Attribute Authorization Conditions ................................................................52 Example: Time of Day Conditions.................................................................52 Example: Time-Based Authorization.............................................................53 Example: Accounting-Based Authorization ..................................................53 Attribute Value Expressions ..........................................................................54 Example: Using Request Attributes in a Value Expression...........................54 Example: Location-Specific VLAN Assignment ............................................54

Network Access Servers .....................................................................................55 Creating a Network Access Server Entry......................................................55 Importing a List of Network Access Servers.................................................57

Web Logins..........................................................................................................59 Creating a Web Login Page ..........................................................................60 Universal Access Method (UAM) Password Encryption ...............................65 NAS Redirect Parameters .............................................................................65 NAS Login Parameters..................................................................................66 Using Web Login Parameters .......................................................................66

Apple Captive Network Assistant Bypass with Amigopod..................................67 Solution Implementation ...............................................................................69

Database Lists .....................................................................................................71 Database Maintenance Tasks.......................................................................72

Dictionary.............................................................................................................72 Import Dictionary...........................................................................................73 Export Dictionary...........................................................................................73 Reset Dictionary............................................................................................73 Vendors .........................................................................................................73 Creating a New Vendor .................................................................................74 Edit Vendor ...................................................................................................74 Delete Vendor ...............................................................................................74 Export Vendor ...............................................................................................74 Vendor-Specific Attributes............................................................................74 Add a Vendor-Specific Attribute (VSA) .........................................................75 Edit Vendor-Specific Attribute ......................................................................76 Delete Vendor-Specific Attribute ..................................................................76 Add Attribute Value .......................................................................................76 Edit Attribute Value .......................................................................................76 Delete Attribute Value ...................................................................................77

4 | Amigopod 3.7 | Deployment Guide

EAP and 802.1X Authentication ..........................................................................77 Specifying Supported EAP Types.................................................................78 Creating a Server Certificate and Self-Signed Certificate Authority .............79 Requesting a Certificate from a Certificate Authority ..................................81 Importing a Server Certificate .......................................................................82 Installing a Server Certificate from a Certificate Authority ...........................83 Exporting Server Certificates .......................................................................83 PEAP Sample Configuration .........................................................................83

Active Directory Domain Services .......................................................................88 Joining an Active Directory Domain..............................................................88 Testing Active Directory User Authentication ...............................................90 Configuring Active Directory Domain Authentication....................................90 Leaving an Active Directory Domain .............................................................91

External Authentication Servers ..........................................................................91 Types of External Authentication Server.......................................................91 Managing External Authentication Servers ...................................................92 Configuring Properties for External Authentication Servers ........................92 Configuring Authorization for External Authentication Servers.....................99 Testing External Authentication Servers .....................................................104 Managing Certificates for External Authentication Servers ........................106

Chapter 5 Operator Logins................................................................................... 109 Accessing Operator Logins ...............................................................................109

About Operator Logins ......................................................................................109 Role-Based Access Control for Multiple Operator Profiles ........................109

Operator Profiles ...............................................................................................110 Creating an Operator Profile .......................................................................110 Operator Profile Privileges ..........................................................................114 Managing Operator Profiles ........................................................................115

Local Operator Authentication...........................................................................115 Creating a New Operator ............................................................................116 Viewing All Operator Logins........................................................................117 Changing Operator Passwords...................................................................119

LDAP Operator Authentication ..........................................................................119 Manage LDAP Servers ................................................................................119 Creating an LDAP Server ............................................................................119 Advanced LDAP URL Syntax......................................................................122 Viewing the LDAP Server List .....................................................................122 LDAP Operator Server Troubleshooting .....................................................123 LDAP Translation Rules ..............................................................................125 Custom LDAP Translation Processing........................................................127

Operator Logins Configuration ..........................................................................129 Custom Login Message ..............................................................................129 Operator Password Options .......................................................................130 Advanced Operator Login Options .............................................................131

Chapter 6 Guest Management ............................................................................. 133 Accessing Guest Manager ................................................................................133

About Guest Management Processes...............................................................133 Sponsored Guest Access ...........................................................................134 Self Provisioned Guest Access ...................................................................134

Standard Guest Management Features ............................................................135 Creating a Guest Account...........................................................................135 Creating a Guest Account Receipt .............................................................136 Creating Multiple Guest Accounts ..............................................................137

Amigopod 3.7 | Deployment Guide | 5

Creating Multiple Guest Account Receipts.................................................138 Managing Guest Accounts..........................................................................139 Managing Multiple Guest Accounts............................................................142 Importing Guest Accounts ..........................................................................144 Exporting Guest Account Information.........................................................148

Guest Manager Customization..........................................................................148 Default Settings for Account Creation ........................................................149 About Fields, Forms, and Views .................................................................153 Business Logic for Account Creation .........................................................153 Account Expiration Types ...........................................................................155 Standard Fields ...........................................................................................156 Standard Forms and Views.........................................................................156

Customization of Fields .....................................................................................157 Creating a Custom Field .............................................................................158 Duplicating a Field.......................................................................................159 Editing a Field .............................................................................................159 Deleting a Field ...........................................................................................159 Displaying Forms that Use a Field ..............................................................159 Displaying Views that Use a Field ...............................................................159

Customization of Forms and Views...................................................................160 Editing Forms and Views ............................................................................160 Duplicating Forms and Views .....................................................................160 Editing Forms ..............................................................................................161 Form Field Editor.........................................................................................162 Form Display Properties..............................................................................162 Form Validation Properties..........................................................................172 Examples of Form field Validation...............................................................173 Advanced Form Field Properties ................................................................175 Form Field Validation Processing Sequence ..............................................176 Editing Views...............................................................................................179 View Field Editor .........................................................................................180

Customizing Self Provisioned Access ...............................................................181 Self-Registration Sequence Diagram..........................................................181 Creating a Self-Registration Page...............................................................182 Editing Self-Registration Pages ..................................................................183 Basic Properties for Self-Registration.........................................................184 Registration Page Properties ......................................................................186 Default Self-Registration Form Settings .....................................................187 Receipt Page Properties .............................................................................188 Receipt Actions...........................................................................................189 NAS Login Properties..................................................................................191 Login Page Properties.................................................................................192 Self-Service Portal Properties.....................................................................193 Resetting Passwords with the Self-Service Portal......................................195

Customizing Print Templates ............................................................................196 Creating New Print Templates ....................................................................197 Print Template Wizard.................................................................................198 Modifying Wizard-Generated Templates ....................................................199 Setting Print Template Permissions............................................................199

Configuring Access Code Logins ......................................................................200 Customize Random Username and Passwords .........................................200 Create the Print Template ...........................................................................201 Customize the Guest Accounts Form.........................................................202 Create Access Code Guest Accounts ........................................................202

6 | Amigopod 3.7 | Deployment Guide

MAC Authentication on Amigopod....................................................................204 MAC Address Formats................................................................................204 Managing Devices ......................................................................................205 MAC Creation Modes..................................................................................210 Accounting-Based MAC Authentication .....................................................214 Importing MAC Devices ..............................................................................217 Advanced MAC Features ............................................................................217

Active Sessions Management ...........................................................................218 Session States ............................................................................................220 RFC 3576 Dynamic Authorization ...............................................................220 Filtering the List of Active Sessions ............................................................221 Managing Multiple Active Sessions ............................................................221 Sending Multiple SMS Alerts ......................................................................226

SMS Services ....................................................................................................227 Configuring SMS Gateways........................................................................227 Sending an SMS .........................................................................................228 About SMS Credits .....................................................................................229 About SMS Guest Account Receipts..........................................................229 SMS Receipt Options..................................................................................230 Customize SMS Receipt .............................................................................232 SMS Receipt Fields.....................................................................................233

SMTP Services ..................................................................................................234 Configuring SMTP Services ........................................................................234 About Email Receipts..................................................................................234 Email Receipt Options.................................................................................236 SMTP Receipt Fields...................................................................................238

Chapter 7 Report Management............................................................................ 241 Accessing Reporting Manager ..........................................................................241

Viewing Reports.................................................................................................241

Running and Managing Reports........................................................................242 Viewing the Most Recent Report ................................................................242 Report History .............................................................................................242 Previewing the Report ................................................................................242 Run Default .................................................................................................242 Run..............................................................................................................243 Edit a report ................................................................................................243 Delete a Report ...........................................................................................244 Duplicate a Report ......................................................................................244 Permissions.................................................................................................244

Exporting Report Definitions .............................................................................246 Importing report Definitions ........................................................................247 Resetting Report Definitions .......................................................................247

About Custom Reports......................................................................................248 Data Sources ..............................................................................................249 Binning ........................................................................................................249 Binning Example Time Measurements.....................................................249 Groups ........................................................................................................250 Statistics from Classification Groups..........................................................251

Components of the Report Editor .....................................................................251 Report Type ................................................................................................252 Report Parameters ......................................................................................253 Parameter User Interface Editing ................................................................255 Data Source ................................................................................................256 Select Fields................................................................................................257 Source Filters ..............................................................................................259

Amigopod 3.7 | Deployment Guide | 7

Classification Groups..................................................................................261 Statistics and Metrics..................................................................................263 Output Series ..............................................................................................266 Output Series Fields....................................................................................267 Output Filters ..............................................................................................268 Presentation Options ..................................................................................270 Final Report.................................................................................................272

Creating Reports ...............................................................................................272 Creating the Report Step 1 ......................................................................273 Creating the Report Step 2 ......................................................................273

Creating Sample Reports ..................................................................................274 Report Based on Modifying an Existing Report..........................................274 Report Created from Report Manager using Create New Report ..............275 Report Created by Duplicating an Existing Report .....................................277

Report Troubleshooting.....................................................................................279 Report Preview with Debugging .................................................................279 Troubleshooting Tips ..................................................................................280

Chapter 8 Administrator Tasks ............................................................................ 281 Accessing Administrator....................................................................................281

Network Setup...................................................................................................281 Automatic Network Diagnostics..................................................................282 System Hostname.......................................................................................282 Network Interfaces......................................................................................283 Changing Network Interface Settings .........................................................284 Managing Static Routes..............................................................................287 Creating a Tunnel Network Interface ..........................................................287 Creating a VLAN Interface...........................................................................288

Managing VLAN Interfaces................................................................................289 Creating a Secondary Network Interface....................................................290 Login Access Control..................................................................................291 Network Diagnostic Tools ...........................................................................292 Network Diagnostics Packet Capturing ...................................................294 Network Hosts ............................................................................................296 HTTP Proxy Configuration ..........................................................................297 SNMP Configuration ...................................................................................297 Supported MIBs..........................................................................................299 SMTP Configuration....................................................................................300

SSL Certificate...................................................................................................301 Requesting an SSL Certificate ....................................................................301 Installing an SSL Certificate ........................................................................302 Displaying the Current SSL Certificate .......................................................304

Backup and Restore..........................................................................................305 Backing Up Appliance Configuration..........................................................305 Scheduling Automatic Backups..................................................................306 Restoring a Backup.....................................................................................308

Content Manager...............................................................................................309 Uploading Content ......................................................................................310 Downloading Content .................................................................................310 Additional Content Actions .........................................................................311

Security Manager ..............................................................................................311 Performing a Security Audit ........................................................................311 Reviewing Security Audit Results ...............................................................312 Changing Network Security Settings ..........................................................312 Resetting the Root Password .....................................................................313

8 | Amigopod 3.7 | Deployment Guide

Notifications.......................................................................................................313

OS Updates .......................................................................................................314 Manual Operating System Updates............................................................314 Reviewing the Operating System Update Log............................................314 Determining Installed Operating System Packages....................................315

Plugin Manager..................................................................................................315 Managing Subscriptions .............................................................................316 Viewing Available Plugins............................................................................316 Adding or Updating New Plugins................................................................317 Configuring Plugin Update Notifications.....................................................318 Configuring Plugins.....................................................................................318

Server Time........................................................................................................321

System Control ..................................................................................................323 Changing System Configuration Parameters..............................................323 System Log Configuration ..........................................................................323 Managing Data Retention ...........................................................................326 Changing Database Configuration Parameters ..........................................328 Changing Web Application Configuration...................................................329 Changing Web Server Configuration ..........................................................330

System Information ...........................................................................................330 Adding Disk Space......................................................................................331

System Log........................................................................................................333 Filtering the System Log .............................................................................333 Exporting the System Log...........................................................................334 Viewing the Application Log........................................................................334 Searching the Application Log....................................................................335 Exporting the Application Log.....................................................................335

Chapter 9 Hotspot Manager................................................................................. 337 Manage Hotspot Sign-up ..................................................................................338

Captive Portal Integration ...........................................................................339 Look and Feel .............................................................................................339 SMS Services..............................................................................................339

Hotspot Plans ....................................................................................................339 Modifying an Existing Plan..........................................................................340 Creating New Plans.....................................................................................341

Managing Transaction Processors....................................................................341 Creating a New Transaction Processor ......................................................342 Managing Existing Transaction Processors................................................342

Managing Customer Information.......................................................................342

Managing Hotspot Invoice ................................................................................342

Customize User Interface ..................................................................................343 Customize Page One ..................................................................................344 Customize Page Two ..................................................................................344 Customize Page Three................................................................................346

View Hotspot User Interface..............................................................................346

Chapter 10 High Availability Services.................................................................... 347 Accessing High Availability................................................................................347

About High Availability Systems........................................................................347 Terminology & Concepts.............................................................................347 Network Architecture ..................................................................................348 Deploying an SSL Certificate ......................................................................349 Normal Cluster Operation ...........................................................................349

Amigopod 3.7 | Deployment Guide | 9

Failure Detection .........................................................................................349 Database Replication ..................................................................................349 Configuration Replication............................................................................350 Primary Node Failure...................................................................................351 Secondary Node Failure..............................................................................351 Email Notification ........................................................................................352

Cluster Status ....................................................................................................352

Cluster Setup.....................................................................................................353 Prepare Primary Node.................................................................................354 Prepare Secondary Node............................................................................356 Cluster initialization .....................................................................................356 Cluster Deployment ....................................................................................357

Cluster Maintenance..........................................................................................357 Recovering From a Failure ..........................................................................358 Recovering From a Temporary Outage.......................................................358 Recovering From a Hardware Failure .........................................................359 Performing Scheduled Maintenance...........................................................359 Updating Plugins.........................................................................................360 Destroying a Cluster....................................................................................360 Cluster Troubleshooting..............................................................................360

Chapter 11 Reference ............................................................................................. 363 Basic HTML Syntax ...........................................................................................363

Standard HTML Styles ................................................................................364

Smarty Template Syntax ...................................................................................365 Basic Template Syntax ...............................................................................365 Text Substitution .........................................................................................365 Template File Inclusion ...............................................................................365 Comments...................................................................................................366 Variable Assignment ...................................................................................366 Conditional Text Blocks ..............................................................................366 Script Blocks...............................................................................................366 Repeated Text Blocks.................................................................................366 Foreach Text Blocks ...................................................................................367 Modifiers .....................................................................................................367 Predefined Template Functions ..................................................................368 Advanced Developer Reference .................................................................372

Date/Time Format Syntax..................................................................................376 nwadateformat Modifier ..............................................................................376 nwatimeformat Modifier ..............................................................................377 Date/Time Format String Reference ...........................................................378

Programmers Reference...................................................................................379 NwaAlnumPassword...................................................................................379 NwaBoolFormat ..........................................................................................379 NwaByteFormat ..........................................................................................379 NwaByteFormatBase10 ..............................................................................379 NwaComplexPassword...............................................................................379 NwaCsvCache ............................................................................................379 NwaDigitsPassword($len) ...........................................................................380 NwaDynamicLoad.......................................................................................380 NwaGeneratePictureString .........................................................................380 NwaGenerateRandomPasswordMix...........................................................380 NwaLettersDigitsPassword.........................................................................380 NwaLettersPassword ..................................................................................380 NwaMoneyFormat.......................................................................................380 NwaParseCsv..............................................................................................381

10 | Amigopod 3.7 | Deployment Guide

NwaParseXml..............................................................................................382 NwaPasswordByComplexity.......................................................................382 NwaSmsIsValidPhoneNumber ....................................................................382 NwaStrongPassword ..................................................................................382 NwaVLookup...............................................................................................383 NwaWordsPassword...................................................................................383

Field, Form and View Reference........................................................................384 GuestManager Standard Fields ..................................................................384 Hotspot Standard Fields .............................................................................391 SMS Services Standard Fields ...................................................................392 SMTP Services Standard Fields .................................................................392 Format Picture String Symbols ...................................................................394 Form Field Validation Functions..................................................................395 Form Field Conversion Functions ...............................................................397 Form Field Display Formatting Functions ...................................................398 View Display Expression Technical Reference ...........................................400

Standard RADIUS Request Functions...............................................................401 Variables Available in Execution Context....................................................401 AccessReject().............................................................................................401 EnableDebug().............................................................................................402 DisableDebug() ............................................................................................402 GetAttr() .......................................................................................................402 ShowAttr()....................................................................................................402 MacAddr()....................................................................................................402 MacEqual() ..................................................................................................403 MacAddrConvert() .......................................................................................403 GetTraffic()...................................................................................................403 GetTime().....................................................................................................403 GetSessions() ..............................................................................................404 GetCallingStationTraffic() ............................................................................404 GetUserTraffic() ...........................................................................................405 GetIpAddressTraffic() ..................................................................................405 GetCallingStationTime() ..............................................................................405 GetUserTime() .............................................................................................405 GetIpAddressTime() ....................................................................................405 GetCallingStationSessions()........................................................................406 GetUserSessions().......................................................................................406 GetIpAddressSessions()..............................................................................406 GetUserActiveSessions().............................................................................406 GetCurrentSession() ....................................................................................406 GetUserCurrentSession() ............................................................................407 GetIpAddressCurrentSession() ...................................................................407 GetCallingStationCurrentSession() .............................................................407 GetUserStationCount() ................................................................................408 GetSessionTimeRemaining() .......................................................................408 ChangeToRole()...........................................................................................408

RADIUS Server Options.....................................................................................409 General Configuration .................................................................................410 Security Configuration ................................................................................412 Proxy Configuration ....................................................................................412 SNMP Query Configuration.........................................................................413 Thread Pool Configuration ..........................................................................413 Authentication Module Configuration .........................................................415 Database Module Configuration .................................................................416 EAP Module Configuration..........................................................................416 LDAP Module Configuration .......................................................................419 Rewrite Module Configuration ....................................................................422

Amigopod 3.7 | Deployment Guide | 11

List of Standard Radius Attributes ....................................................................423 Authentication Attributes.............................................................................423 RADIUS Server Internal Attributes ..............................................................425

LDAP Standard Attributes for User Class .........................................................425

Regular Expressions..........................................................................................425

Chapter 12 Glossary................................................................................................ 427

Index................................................................................................................................... 429

12 | Amigopod 3.7 | Deployment Guide

Amigopod 3.7 | Deployment Guide

Figures

Figure 1 Visitor access using the Amigopod Visitor Management Appliance ...................21 Figure 2 Reference network diagram for visitor access ....................................................22 Figure 3 Interactions involved in guest access..................................................................23 Figure 4 Sequence diagram for network access using AAA .............................................24 Figure 5 Rear port configuration for AMG-HW-100/-2500 appliances .............................31 Figure 6 RADIUS Role Editor page....................................................................................50 Figure 7 Sequence diagram for guest captive portal and Web login ................................60 Figure 8 Captive Network Assistant on MacOS X.............................................................68 Figure 9 Captive Network Assistant on iPad.....................................................................68 Figure 10 Captive Network Assistant on iPhone .................................................................69 Figure 11 Captive Portal Profile Configuration ....................................................................70 Figure 12 Configuring the Web Login page.........................................................................71 Figure 13 Operator Profile Editor pageUser roles and filters .........................................112 Figure 14 Operator Profile Editor pageCustom forms and views ..................................114 Figure 15 Server Configuration page.................................................................................120 Figure 16 LDAP Plugin.......................................................................................................122 Figure 17 Sponsored guest access with guest created by operator ................................134 Figure 18 Guest access when guest is self-provisioned...................................................134 Figure 19 Customize Guest Manager page (part 1)...........................................................149 Figure 20 Customize Guest Manager page (part 2)continued .......................................151 Figure 21 Customize Guest Manager page (part 3)continued .......................................152 Figure 22 Steps involved in form field processing ............................................................176 Figure 23 Sequence diagram for guest self-registration ...................................................182 Figure 24 Guest self-registration process .........................................................................184 Figure 25 MAC Authentication PluginConfiguration ......................................................205 Figure 26 MAC Authentication Profile ...............................................................................205 Figure 27 Modify fields ......................................................................................................213 Figure 28 RADIUS Role Editor...........................................................................................216 Figure 29 Configure SMS Services Plugin.........................................................................231 Figure 30 Customize SMS Receipt page ..........................................................................233 Figure 31 Customize Email Receipt page .........................................................................236 Figure 32 Customize Email Receipt pagecontinued......................................................237 Figure 33 Report generation process ................................................................................248 Figure 34 Bin number calculation......................................................................................249 Figure 35 Reporting Bin west of GMT ............................................................................250 Figure 36 Reporting Bin east of GMT .............................................................................250 Figure 37 Reporting Bin statistics without groups..........................................................251 Figure 38 Reporting Bin statistics with groups...............................................................251 Figure 39 Components of the Report Editor .....................................................................252 Figure 40 Network diagram showing IP addressing for a GRE tunnel ..............................288 Figure 41 Data Retention Policy page ...............................................................................327 Figure 42 Guest self-provisioning......................................................................................337 Figure 43 Network architecture of high availability cluster................................................348

| 13

14 | Amigopod 3.7 | Deployment Guide

Amigopod 3.7 | Deployment Guide

Tables

Table 1 Quick Links ..........................................................................................................18 Table 2 List of Key features..............................................................................................25 Table 3 Common Terms...................................................................................................27 Table 4 Site Preparation Checklist ...................................................................................29 Table 5 Default Port configurations..................................................................................31 Table 6 Ethernet adapter configuration............................................................................32 Table 7 Virtual ethernet adapter configuration .................................................................32 Table 8 Console access methods ....................................................................................33 Table 9 Web Login Page Syntax ......................................................................................66 Table 10 Operators supported in filters............................................................................113 Table 11 Operators supported in filters............................................................................117 Table 12 Server Type Parameters ....................................................................................121 Table 13 LDAP Error Messages .......................................................................................124 Table 14 Template Variables ............................................................................................127 Table 15 Operators supported in filters............................................................................140 Table 16 Operators supported in filters............................................................................143 Table 17 Account Expiration Types..................................................................................155 Table 18 Visitor Management Forms and Views..............................................................156 Table 19 Operators supported in filters............................................................................206 Table 20 Operators supported in filters............................................................................221 Table 21 Default Table Layouts........................................................................................271 Table 22 Transposed Table Layouts ................................................................................271 Table 23 Template Variables ............................................................................................272 Table 24 Default Interface Settings ..................................................................................286 Table 25 Network Interface States ...................................................................................290 Table 26 Sylog Priority Levels ..........................................................................................326 Table 27 Cluster Status Descriptions...............................................................................352 Table 28 Failure Modes ....................................................................................................358 Table 29 Standard HTML Tags ........................................................................................363 Table 30 Formatting Classes............................................................................................364 Table 31 Smarty Modifiers ...............................................................................................367 Table 32 Navigation Tags.................................................................................................373 Table 33 Date and Time Formats .....................................................................................376 Table 34 Date and Time Format Strings...........................................................................378 Table 35 Parsing Options .................................................................................................381 Table 36 NwaVLookup Options........................................................................................383 Table 37 GuestManager Standard Fields.........................................................................384 Table 38 Hotspot Standard Fields....................................................................................391 Table 39 SMS Services Standard Fields ..........................................................................392 Table 40 SMPT Services Standard Fields........................................................................393 Table 41 Picture String Symbols ......................................................................................394 Table 42 Picture String Example Passwords ...................................................................395 Table 43 Complexity Requirements .................................................................................397 Table 44 Form Field Display Functions ............................................................................398

| 15

Table 45 Display Expressions for Data Formatting ..........................................................400 Table 46 PHP Variables....................................................................................................401 Table 47 General Configuration Settings .........................................................................410 Table 48 Security Configuration Settings.........................................................................412 Table 49 Proxy Configuration Settings.............................................................................412 Table 50 Thread Pool Settings .........................................................................................413 Table 51 Authentication Module Configuration Settings..................................................415 Table 52 Database Modeule Configuration Settings........................................................416 Table 53 Optional EAP Module Options...........................................................................416 Table 54 LDAP Module Settings ......................................................................................419 Table 55 Rewrite Module Configuration Settings.............................................................422 Table 56 Regular Expressions for Pattern Matching........................................................425

16 | Amigopod 3.7 | Deployment Guide

Amigopod 3.7 | Deployment Guide

Chapter 1

Amigopod Visitor Management Appliance

Collaboration between companies and mobility of staff has never been greater. Distributed workforces, traveling sales staff and a dependence on outsourced contractors and consultants requires efficient management, which can pose problems for network security and operational staff.

With visitors increasingly requiring online access to perform their work, Amigopod provides a simple interface that can quickly create and manage visitor accounts within a pre-defined security profile. The faster and easier staff can connect with visitors, the quicker they can start being productive.

The Amigopod Visitor Management Appliance provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. With Amigopod, your non- technical staff have controlled access to a dedicated visitor management user database. Through a customizable Web portal, your staff can easily create an account, reset a password or set an expiry time for visitors. Access permissions to Amigopod functions are controlled via an operator profile which can be integrated with an LDAP server or Active Directory login.

Visitors can be registered at reception and provisioned with an individual guest account that defines their visitor profile and the duration of their visit. The visitor can be given a customized print receipt with account details or they can be delivered wirelessly using the integrated SMS services. Companies are also able to pre-generate custom scratch cards, each with a defined network access time, which can then be handed out in a corporate environment or sold in public access scenarios.

Using the built-in customization features, your visitors are also able to self-provision their own guest accounts using the settings you have defined. The registration experience is delivered with a branded and customized Web portal, ensuring a streamlined and professional user experience. Visitors may also be asked to complete additional survey questions during the self-registration process, with the collected data stored for later analysis by the reporting system to provide additional feedback on your visitors and their usage of the network.

Amigopod integrates with all leading wireless and NAC solutions through its AAA enterprise services interface. This ensures that IT administrators have a standard integration with the network security framework, but gives operational staff the user interface they require.

The Amigopod Visitor Management Appliance is an effective solution to resolve the ever-growing demand for network access from external visitors, contractors and business partners.

About this Manual This deployment manual is intended for system administrators and the persons installing and configuring the Amigopod Visitor Management Appliance. It takes you through the process of installing and configuring Amigopod as your solution for visitor management.

Documentation Conventions Tab and button names are shown in bold, preceded by the appropriate icon, for example, Save

Changes.

Code samples are shown in a fixed-width font; for example:

Sample template code or HTML text

Command link icons are shown in the margin. These icons are used within the Amigopod Visitor Management Appliance as a visual indication of the different components of the software.

Amigopod Visitor Management Appliance | 17

Documentation Overview Click the context-sensitive Help link displayed at the top right of each page to go directly to the relevant section of the deployment guide.

The following quick links may be useful in getting started.

A brief outline of this deployment guide includes:

Chapter 2, Management Overview provides an overview of the processes and interactions involved in visitor management.

Chapter 3, Setup Guide covers the hardware installation (or virtual appliance deployment) and initial configuration of the Amigopod Visitor Management Appliance.

Chapter 4, RADIUS Services provides reference material about implementing network access control using the Amigopods RADIUS services.

Chapter 5, Operator Logins describes how to define operator profiles and operator logins for the Amigopod Visitor Management Appliance, including integrating operator logins with an LDAP directory server.

Chapter 6, Guest Management explains the built-in guest management features and the customization options for provisioning guest accounts, including setting up guest self-provisioning and defining new SMS or email receipts.

Chapter 7, Report Management covers the use of the built-in reports and explains how to create new reports to summarize visitor account information and network usage accounting data.

Chapter 8, Administrator Tasks describes the configuration and maintenance tools used by network administrators to manage the Amigopod Visitor Management Appliance.

Chapter 9, Hotspot Manager introduces the optional features that may be used to deploy a commercial hotspot and enable visitors to purchase self-provisioned network access.

Table 1Quick Links

For information about... Refer to...

What visitor management is and how it works Management Overview

Using the guest management features Standard Guest Management Features

Running reports Running and Managing Reports

Creating new reports Creating Reports

Role-based access control for operators Operator Profiles

Setting up LDAP authentication for operators LDAP Operator Authentication

Guest self-provisioning features Self Provisioned Guest Access

Dynamic authorization extensions RFC 3576 Dynamic Authorization

SMS receipts for guest accounts SMS Services

Email receipts for guest accounts SMTP Services

Network administration of the appliance Administrator Tasks

18 | Amigopod Visitor Management Appliance Amigopod 3.7 | Deployment Guide

Chapter 10, High Availability Services describes the optional high availability services that may be used to deploy a cluster of appliances in a fault-tolerant configuration.

Chapter 11, Reference contains technical reference information about many of the built-in features of the appliance.

Getting Support

Field Help The Amigopod Visitor Management Appliance has field help which is built into every form.

The field help provides a short summary of the purpose of each field at the point you need it most. In many cases this is sufficient to use the application without further assistance or training.

Quick Help In list views, click the Quick Help tab located at the top left of the list to display additional information about the list you are viewing and the actions that are available within the list.

Context-Sensitive Help For more detailed information about the area of the application you are using, click the context-sensitive

Help link displayed at the top right of the page. This will open a new browser window showing the relevant section of this deployment guide.

Searching Help The deployment guide may be searched using the box in the top left corner.

Type in keywords related to your search and click the Search button to display a list of matches. The most relevant matches will be displayed first.

Words may be excluded from the search by typing a minus sign directly before the word to exclude (for example- exclude). Exact phrase matches may also be searched for by enclosing the phrase in double quotes (for example, word phrase).

Amigopod 3.7 | Deployment Guide Amigopod Visitor Management Appliance | 19

If You Need More Assistance If you encounter a problem using the Amigopod Visitor Management Appliance, your first step should be to consult the appropriate section in this Deployment Guide.

If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you with the answer or obtain a solution to your problem.

Failing this, it may be possible to find a solution using the Web Resources command available under Support Services in the Amigopod user interface.

20 | Amigopod Visitor Management Appliance Amigopod 3.7 | Deployment Guide

Amigopod 3.7 | Deployment Guide

Chapter 2

Management Overview

This section explains the terms, concepts, processes, and equipment involved in managing visitor access to a network. The content here is intended for network architects, IT administrators and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution. Reading this section will enable you to become familiar with the terminology used in this guide and understand how the Amigopod Visitor Management Appliance can be successfully integrated into your network infrastructure.

Visitor Access Scenarios The following figure shows a high-level representation of a typical visitor access scenario. See Figure 1.

Figure 1 Visitor access using the Amigopod Visitor Management Appliance

In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because access to the network is restricted, visitors must first obtain a username and password. A guest account may be provisioned by a corporate operator such as a receptionist, who can then give the visitor a print receipt that shows their username and password for the network.

When visitors use self-registration, as might be the case for a network offering public access, the process is broadly similar but does not require a corporate operator to create the guest account. The username and password for a self-provisioned guest account may be delivered directly to the visitors Web browser, or sent via SMS or email.

Management Overview | 21

Reference Network Diagram The following figure shows the network connections and protocols used by the Amigopod Visitor Management Appliance. See Figure 2.

Figure 2 Reference network diagram for visitor access

The network administrator, operators and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points.

Key Interactions The following figure shows the key interactions between the Amigopod Visitor Management Appliance and the other people and components involved in providing guest access. See Figure 3.

22 | Management Overview Amigopod 3.7 | Deployment Guide

Figure 3 Interactions involved in guest access

The Amigopod Visitor Management Appliance is part of your networks core infrastructure and manages guest access to the network.

NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask the Amigopod Visitor Management Appliance to authenticate the username and password provided by a guest logging in to the network. If authentication is successful, the guest is then authorized to access the network.

Authorized access uses the concept of roles. Each visitor is assigned a role, which consists of a group of RADIUS attributes. These attributes are used to control every aspect of the guests network session, effectively defining a security policy that controls what the guest is permitted to do on the network. Vendor- specific attributes may be used to configure the finer details of the NAS security policy.

The network usage of authorized guests is monitored by the NAS and reported in summary form to the Amigopod Visitor Management Appliance using RADIUS accounting, which allows administrators to generate network usage reports.

AAA Framework The Amigopod Visitor Management Appliance is built on the industry standard AAA framework, which consists of authentication, authorization and accounting components.

The following figure shows how the different components of this framework are employed in a guest access scenario. See Figure 4.

Amigopod 3.7 | Deployment Guide Management Overview | 23

Figure 4 Sequence diagram for network access using AAA

In the standard AAA framework, network access is provided to a user according to the following process:

The user connects to the network by associating with a local access point [1].

A landing page is displayed to the user [2] which allows them to log into the NAS [3], [4] using the login name and password of their guest account.

The NAS authenticates the user with the RADIUS protocol [5].

The Amigopod Visitor Management Appliance determines whether the user is authorized, and if so returns vendor-specific attributes [6] that are used to configure the NAS based on the users role [7].

If the users access is granted, the NAS permits the guest to access the network, based on the settings provided by the Amigopod Visitor Management Appliance.

The NAS reports details about the users session to the Amigopod Visitor Management Appliance using RADIUS accounting messages [8]. After the users session times out [9], the NAS will return the user to an unauthorized state and finalize the details of the users session with an accounting update [10].

Guest NAS Amigopod AMG

Associates [1]

Redirects

Browse to Landing page [2]

Submit form [3]

Login Message page [4] Web login

Automated NAS login

Internet browsing

Complete login form

Unregistered role

Guest role [7]

States: Unauthorized Authenticating Authorized

Access-Request [5]

Access-Accept [6] Authentication

Authorization

Accounting-Request [8]

Accounting-Response Accounting

Session timeout [9]

Accounting-Request [10]

Accounting-Response Accounting

24 | Management Overview Amigopod 3.7 | Deployment Guide

Key Features Refer to the table below for a list of key features and a cross-reference to the relevant section of this deployment guide.

Table 2 List of Key features

Feature Refer to

Visitor Access

RADIUS server providing authentication, authorization, and accounting (AAA) features

RADIUS Services

Support for 802.1X authentication EAP and 802.1X Authentication

Support for external authentication servers, including Microsoft Active Directory and LDAP

External Authentication Servers

Web server providing content delivery for guests Content Manager

Guest self-registration Customizing Self Provisioned Access

Web login portal Web Logins

Visitor Management

Create and manage visitor accounts, individually or in groups Standard Guest Management Features

Manage active RADIUS sessions using RFC 3576 dynamic authorization support

Active Sessions Management

Import and export visitor accounts Importing Guest Accounts

Create guest self-registration forms Creating a Self-Registration Page

Configure a self-service portal for guests Self-Service Portal Properties

Paid access via Hotspot Manager Hotspot Manager

Run reports on all aspects of visitor access Running and Managing Reports

Local printer, SMS or email delivery of account receipts Receipt Page Properties

Role based access control for visitor accounts User Roles

Configure NAS equipment with vendor-specific attributes per visitor role Role Attributes

Visitor Account Features

Independent activation time, expiration time, and maximum usage time Business Logic for Account Creation

Disable or delete at account expiration Account Expiration Types

Amigopod 3.7 | Deployment Guide Management Overview | 25

Logout at account expiration Account Expiration Types

Define unlimited custom fields Customization of Fields

Username up to 64 characters GuestManager Standard Fields

Customization Features

Create new fields and forms for visitor management Customization of Forms and Views

Use built-in data validation to implement visitor survey forms Form Validation Properties

Create print templates for visitor account receipts Receipt Page Properties

Create new Web login pages for visitor NAS access Web Logins

Create new reports Creating Reports

Administrative Management Features

Operators defined and authenticated locally Local Operator Authentication

Operators authenticated via LDAP LDAP Operator Authentication

Restrict operator logins by IP address ranges Creating a VLAN Interface

Role based access control for operators Operator Profiles

Configure network interfaces and run diagnostic checks Network Setup

Integrated backup and restore Backup and Restore

Scheduled backup to FTP or SMB server Scheduling Automatic Backups

Secure Web access with HTTPS SSL Certificate

Plugin based application update service (Web service) Plugin Manager

Perform a security audit of the system Security Manager

Synchronize server time automatically with NTP Server Time

Syslog support Exporting the System Log

SNMP support SNMP Configuration

Advanced RADIUS modules for custom configuration Server Configuration

Customize RADIUS dictionary Dictionary

User Interface Features

Context-sensitive help with searchable online documentation Documentation Overview

Table 2 List of Key features (Continued)

26 | Management Overview Amigopod 3.7 | Deployment Guide

Visitor Management Terminology The following tables describes the common terms used in this guide. See Table 3.

Table 3 Common Terms

Term Explanation

Accounting Accounting is the process of recording summary information about network access by users and devices.

Authentication Authentication is the verification of a users credentials, typically a username and password.

Authorization Authorization controls the type of access that an authenticated user is permitted to have.

Captive Portal Implemented by a Network Access Server to restrict network access to authorized users only.

Field A single item of information about a user account.

Form A collection of fields displayed to an operator.

Network Access Server A device that provides network access to users, such as a wireless access point, network switch, or dial-in terminal server. When a user connects to the NAS device, a RADIUS access request is generated by the NAS.

Operator Profile The characteristics assigned to a class of operators, such as the permissions granted to those operators.

Operator/Operator Login User of Amigopod Visitor Management Appliance to create guest accounts, run reports or perform system administration.

Print Template Formatted template used to generate guest account receipts.

Role The type of access being granted to visitors. You are able to define multiple roles. Such roles could include employee, guest, team member, or press.

Sponsor Operator

User Database A database listing the guest accounts on the Amigopod Visitor Management Appliance.

View Table containing data. Used to interactively display data such as visitor accounts to operators.

Visitor/Guest Someone who is permitted to access the Internet through your Network Access Server.

Visitor Account Settings for a visitor stored in the user database, including username, password and other fields.

Web Login/NAS Login The login page displayed to a guest user.

Amigopod 3.7 | Deployment Guide Management Overview | 27

Deployment Process As part of your preparations for deploying a visitor management solution, you should consider the following areas:

Management decisions about security policy

Decisions about the day-to-day operation of visitor management

Technical decisions related to network provisioning

Security Policy Considerations To ensure that your network remains secure, decisions have to be made regarding guest access:

Do you wish to segregate guest access? Do you want a different VLAN, or different physical network infrastructure to be used by your guests?

What resources are you going to make available to guests (for example, type of network access; permitted times of day; bandwidth allocation)?

Will guest access be separated into different roles? If so, what roles are needed?

How will you prioritize traffic on the network to differentiate quality of service for guest accounts and non-guest accounts?

What will be the password format for guest accounts? Will you be changing this format on a regular basis?

What requirements will you place on the shared secret, between NAS and the RADIUS server to ensure network security is not compromised?

What IP address ranges will operators be using to access the server?

Should HTTPS be required in order to access the visitor management server?

Operational Concerns When deploying a visitor management solution, you should consider these operational concerns:

Who is going to be responsible for managing guest accounts? What privileges will the guest account manager have? Will this person only create guest accounts or will this person also be permitted access to reports?

Do you want guests to be able to self-provision their own network access? What settings should be applied to self-provisioned visitor accounts?

How will operator logins be provisioned? Should operators be authenticated against an LDAP server?

Who will manage reporting of guest access? What are the reports of interest? Are any custom reports needed?

Network Provisioning Deploying the Amigopod Visitor Management Appliance requires provisioning the following:

Physical location rack space, power and cooling requirements; or deployment using virtualization

Network connectivity VLAN selection, IP address and hostname

Security infrastructure SSL certificate

28 | Management Overview Amigopod 3.7 | Deployment Guide

Site Preparation Checklist The following is a checklist of the items that should be considered when setting up the Amigopod Visitor Management Appliance.

Table 4 Site Preparation Checklist

Policy Decision

Security Policy

Segregated guest accounts?

Type of network access?

Time of day access?

Bandwidth allocation to guests?

Prioritization of traffic?

Different guest roles?

IP address ranges for operators?

Enforce access via HTTPS?

Operational Concerns

Who will manage guest accounts?

Guest account self provisioning?

What privileges will the guest managers have?

Who will be responsible for printing reports?

Network Management Policy

Password format for guest accounts?

Shared secret format?

Operator provisioning?

Network Provisioning

Physical location?

Network connectivity?

Security infrastructure?

Amigopod 3.7 | Deployment Guide Management Overview | 29

30 | Management Overview Amigopod 3.7 | Deployment Guide

Amigopod 3.7 | Deployment Guide

Chapter 3

Setup Guide

This section covers the initial deployment and configuration of the Amigopod Visitor Management Appliance.

If you have a hardware appliance, See Hardware Appliance Setup in this chapter. If you are using the Amigopod Visitor Management Appliance in a virtual machine, See Virtual Appliance Setup in this chapter.

Hardware Appliance Setup Refer to the Hardware Setup Guide sheet included in the box with the appliance for detailed installation information for the chassis and rack assembly.

Default Network Configuration The AMG-HW-100 and AMG-HW-2500 appliances have two gigabit Ethernet network ports on the rear of the chassis. See Figure 5.

Figure 5 Rear port configuration for AMG-HW-100/-2500 appliances

The factory default network configuration for these ports is:

Table 5 Default Port configurations

Item MGT Port LAN Port

Configuration Method Static DHCP

IP Address 192.168.88.88

Netmask 255.255.255.0

Gateway 192.168.88.1

DNS

Adapter Name eth0 eth1

Setup Guide | 31

Virtual Appliance Setup

VMware Workstation or VMware Player The virtual appliance is packaged as a zip file containing a directory with the files for the virtual machine.

To install the virtual appliance, extract the contents of the zip file to a new directory and double-click the .vmx file to start the appliance.The configuration for the VMware Player virtual machine includes two virtual Ethernet adapters. The initial network configuration of these adapters is:

VMware ESXi The virtual appliance is packaged as a zip file containing a directory with the files for the virtual machine. An OVF file specifies the details of the virtual machine.

To install the virtual appliance, extract the contents of the zip file to a new directory. Then start VMware vSphere Client and use the File > Deploy OVF Template command to create a new virtual machine from the files in the virtual appliance directory.

The configuration for the virtual machine includes one virtual Ethernet adapter. The initial network configuration of this adapter is:

Hostname Amigopod.localdomain

Table 6 Ethernet adapter configuration

Item Network Adapter Network Adapter 2

Adapter Type NAT Bridged

Configuration Method DHCP DHCP

IP Address

Netmask

Gateway

DNS

Adapter Name eth0 eth1

Hostname Amigopod.localdomain

Table 5 Default Port configurations (Continued)

In version 3.5 of VMware ESXi, the management console is called VMware Infrastructure Client. In this software, use the File > Virtual Appliance > Import command to create a new virtual machine from the files in the virtual appliance directory.

Table 7 Virtual ethernet adapter configuration

Item Network Adapter

Configuration Method DHCP

32 | Setup Guide Amigopod 3.7 | Deployment Guide

Accessing the Console User Interface The appliances console user interface can be used to perform basic administrative functions such as changing the network configuration or viewing the appliances MAC address details. It is also possible to recover a forgotten administrator password, or reset the appliance to its factory default settings.

For hardware appliances you may access the console using a null modem cable connected to the serial port on the rear of the chassis. Use serial port settings of 9600 baud, 8 data bits, no parity, and 1 stop bit. Flow control is not required.

Both hardware and virtual appliances support command-line access directly at the console and remotely via SSH. The following table summarizes the methods that you may use to access the console user interface.

Console Login To access the console user interface, you must log in with the username admin and the appliances root password. This is amigopod by default, but is changed during the initial setup wizard.

Console User Interface Functions When logging in to the console user interface, the following menu options are presented. Make a selection by typing its corresponding number.

1. Change network settings Allows for interactive configuration of the appliances network settings.

2. Restart services Restarts major system services.

IP Address

Netmask

Gateway

DNS

Adapter Name eth0

Hostname Amigopod.localdomain

Table 8 Console access methods

Access Method Hardware Appliance Virtual Appliance

Serial Yes 9600, 8-N-1

No

VGA Console Yes Use VGA display and a PS/2 or USB keyboard

Yes Use hosts virtual console

SSH Yes Yes

Table 7 Virtual ethernet adapter configuration (Continued)

When the administrator password is set during the setup wizard, the root password for the system will also be set to this password. However, once you have set the initial root password, future changes to the administrator password will not change the appliances root password. The username to access the console user interface is always admin and cannot be changed.

Amigopod 3.7 | Deployment Guide Setup Guide | 33

3. Reinitialize database Destroys the entire configuration of the appliance and resets to the factory default state. All guest accounts, operator logins, RADIUS accounting records, application configuration, and customization will be lost.

4. Change shell password Sets the new shell password used to access the console user interface.

5. Reset admin Web password to default Recovers a forgotten Web administration password by restoring the default setting of Amigopod.

6. Reboot appliance Shuts down and restarts the appliance.

7. Reset network settings to default Restores the original factory default network configuration for the appliance.

8. Display physical address information Displays the MAC addresses of the appliances network adapters.

9. Logout Exits the console user interface.

10. Shutdown appliance Shuts down and powers off the appliance.

Accessing the Graphical User Interface After starting the Amigopod appliance, the initial startup screen will be displayed in the console.

Type the displayed URL into your Web browser to open the Amigopod appliances graphical user interface (GUI).

Setup Wizard When you first log in to the appliance using the graphical user interface, you will be guided through an initial configuration process, which is explained in more detail below.

You may use either http: or https: to access the GUI. However, if you use https: to access the setup wizard, you may receive a warning message from your browser about the default self-signed SSL certificate that is installed on the appliance. See SSL Certificate in the Administrator Tasks chapter for information about installing a new SSL certificate.

34 | Setup Guide Amigopod 3.7 | Deployment Guide

Login Screen

To start the setup wizard, log in to the administrative user interface using the default username and password.

Enter the username admin and the password amigopod when logging in for the first time.

Amigopod License Agreement

Review and accept the software license agreement.

If you have any questions about the license agreement, contact Aruba support using the Web site http:// support.arubanetworks.com.

Amigopod 3.7 | Deployment Guide Setup Guide | 35

Set Administrator Password

Create a new password for the administrator account. This account has full access to all settings and areas in the graphical user interface. You can optionally change the username of the administrative account for enhanced security.

When the administrator password is set for the first time, the root password for the system will also be set to this password. The root password is required to log in to the console user interface. See Console

Login in this chapter for a description of how to do this. However, once you have set the initial root password, future changes to the administrator password will not change the appliances root password.

See Resetting the Root Password in the Administrators Tasks chapter for details on resetting the appliances root password.

You can provide an email address for the administrator. While this step is optional, it is recommended that you do provide an email address, as the appliance sends notification emails to this address for various system events.

Set System Hostname To change the system hostname, choose Administrator > Network Setup > System Hostname.

Changing the username of the administrative account does not change the username for logging in to the console user interface. You must use a secure administrator password. By default, the password must be at least eight characters in length and must contain at least one uppercase letter, one lowercase letter, one digit and one symbol.

36 | Setup Guide Amigopod 3.7 | Deployment Guide

The system hostname is a fully-qualified domain name. By default, this is set to amigopod.localdomain, but you may specify another valid domain name.

A valid hostname is a domain name that contains two or more components separated by a period (.). Hostname parameters are:

Each component of the hostname must not exceed 63 characters

The total length of the hostname must not exceed 255 characters

Only letters, numbers, and the hyphen (-) and period (.) characters are allowed

Hostnames may start with numbers, and may contain only numbers

Configure Network Interfaces The Network Interfaces List lets you view details and configure settings for the systems network interfaces. To open this page, choose Administrator > Network Setup > Network Interfaces.

The results of an automated network diagnostic test are displayed at the top of the page. For more details about the network diagnostics, see Automatic Network Diagnostics in the Administrator Tasks chapter.

To change the configuration of a network interface, click the network interfaces row in the list, then click the  Edit command. The row expands to provide configuration options. LAN and MGT network interfaces may be configured for automatic settings using DHCP or BOOTP, or can be manually configured for an IP address. When you choose one of these settings from the Configuration drop-down list, additional options are displayed.

Amigopod 3.7 | Deployment Guide Setup Guide | 37

Your Amigopod visitor management solution must be configured appropriately for your organizations relevant network infrastructure. For details on how to configure your network interface, see Changing

Network Interface Settings in the Administrator Tasks chapter.

Configure HTTP Proxy

If your network configuration requires the use of a HTTP proxy to access the Internet, enter the details for the proxy here and click Save Changes.

If your HTTP proxy requires authentication, supply the username and password in the URL as indicated. For details on HTTP proxy settings, See Automatic Network Diagnostics in the Administrator Tasks chapter.

If you do not need to configure a HTTP proxy, click Skip to Mail Settings to continue with setup.

38 | Setup Guide Amigopod 3.7 | Deployment Guide

Configure SMTP Mail Settings

For details on SMTP configuration, See SNMP Configuration in the Administrator Tasks chapter.

Click the  Send Test Message button to send an email to a test email address in the selected format. This can be used to verify the SMTP configuration, as well as check the delivery of HTML formatted emails.

Click the Save and Close button to save the updated SMTP configuration.

Amigopod 3.7 | Deployment Guide Setup Guide | 39

Configure SNMP

The SNMP Setup form is used to configure the systems SNMP server and enable SNMP access. (For details on SNMP configuration, See SNMP Configuration in the Administrator Tasks chapter.

Click the  Save Changes button to apply the SNMP configuration.

Configure Server Time and Time Zone

Select the servers time zone and set other options related to timekeeping for the server.

40 | Setup Guide Amigopod 3.7 | Deployment Guide

To ensure that authentication, authorization and accounting (AAA) is performed correctly, it is vital that the server maintains the correct time of day at all times. It is strongly recommended that you configure one or more NTP servers to automatically synchronize the servers time.

If available, it is recommended that you use an NTP server that is available on your local network. This will improve timekeeping and will eliminate the need for additional Internet traffic for the time server.

To use a public NTP server, enter the following hostnames:

0.pool.ntp.org

1.pool.ntp.org

2.pool.ntp.org

You can also use NTP pool servers located in your region. For more information, refer to the NTP Pool Project Web site: http://www.pool.ntp.org.

Click the  Save and Continue button to apply the servers time configuration and continue with setup.

Configure Default RADIUS NAS Vendor Type

If your deployment uses only one type of NAS, click the NAS Type drop-down list and select the default NAS vendor type to use when defining RADIUS clients or creating RADIUS Web Login pages that have vendor-specific settings.

Click the Save and Continue button to apply the RADIUS server configuration, or click  Skip to

Network Access Server List to continue with setup.

NTP can interfere with timekeeping in virtual machines. The default virtual machine configuration will automatically synchronize its time with the host server, and so you should not configure NTP within the virtual machine. However, make sure that the host is configured to keep its clock in sync with a suitable time source.

Amigopod 3.7 | Deployment Guide Setup Guide | 41

RADIUS Network Access Servers

Network access servers are RADIUS clients, and must be predefined in order to access the RADIUS server. For security, each NAS device must also have a shared secret which is known only to the device and the RADIUS server.

Use the Network Access Servers list view to define the NAS devices for this server and to make changes to existing NAS devices.

Click the Create tab to define a new NAS entry for the RADIUS server.

For more details about creating NAS entries, See Creating a Network Access Server Entry in the RADIUS Services chapter.

Configure Amigopod Subscription ID

Both hardware and software appliances are shipped with a restricted default license. This license permits each guest account to have only a limited lifetime, as well as restricting other capabilities of the software.

If you are evaluating the Amigopod appliance and do not have a subscription ID, click  Complete

initialization to continue with setup.

42 | Setup Guide Amigopod 3.7 | Deployment Guide

If you have purchased the Amigopod appliance, you will have one or more subscription IDs that enable particular modules of functionality that you have purchased. These subscription IDs will have been provided to you by your reseller at the time of purchase.

A subscription ID consists of number and letter groups separated with hyphens. A typical subscription ID might look like this: xn2ncr-gyjyd4-mxlx2s-fv9gcy-rwy7n6

You can also attach a description to each subscription ID. To do this, write the description and follow it with the corresponding subscription ID in parentheses. For example: Amigopod Subscription (xn2ncr-gyjyd4-mxlx2s-fv9gcy-rwy7n6)

If your subscription includes SMS capabilities, an SMS gateway is automatically created based on your subscription ID.

Incorrectly-formatted subscription IDs cannot be entered in this form. A form validation error is displayed if an incorrect value is entered.

Click the  Save and Continue button once you have entered your subscription IDs.

Install Subscription Updates

If you have entered any subscription IDs, the software will check for available software updates and new plugins that are part of your subscription.

This may include components such as a license plugin, custom skin, new software modules as well as any available updates to the software that was shipped on your Amigopod.

The default selections include all new plugins and any updated plugins that are available. To install the default selections, simply click the Finish button to download and install the selected plugins.

Amigopod 3.7 | Deployment Guide Setup Guide | 43

Setup Complete

After downloading and installing the available plugin updates, the setup process is complete.

Context-sensitive help is available throughout the application. For more detailed information about the area of the application you are using, click the  Help link displayed at the top right of the page. This will open a new browser window showing the relevant section of this deployment guide.

 Operator logins are the login accounts used for administration and management of the Amigopod. The default administrative operator account is configured during the setup process. See About Operator Logins in the Operator Logins chapter for more details on configuring operator logins.

 Visitor accounts are the user accounts for which the Amigopod performs authentication, authorization and accounting (AAA) functions. Visitor accounts are managed by operators using the Guest Manager component of the software. See Guest Management chapter for more details on setting up visitor account provisioning.

 RADIUS Services is for system administrator use, and provides fine-grained control over the AAA functions of the Amigopod. See RADIUS Services chapter for more details on setting up the RADIUS server to perform authentication, authorization and accounting according to your network security policies.

44 | Setup Guide Amigopod 3.7 | Deployment Guide

Amigopod 3.7 | Deployment Guide

Chapter 4

RADIUS Services

RADIUS is a network access-control protocol that verifies and authenticates users. The framework around which RADIUS is built is known as the AAA process, consisting of authentication, authorization, and accounting.

RADIUS authenticates a guest users session by checking that the guests password matches the guests login details stored in the RADIUS database. Guest access is authorized by assigning a user role to the guest account. The properties of the role determine the authorization for each guest session. Dynamic authorization extensions to RADIUS allow for sessions to be disconnected, or for changes in authorization to be made while a guest is connected. Lastly, the RADIUS database records summarized accounting information about each guest session. This allows you to generate reports about guest network usage.

Accessing RADIUS Services Use the RADIUS Services command link on the Amigopod Visitor Management Appliance home page to access RADIUS Services.

Alternatively, use the RADIUS Services navigation menu to jump directly to any of the features within RADIUS Services.

Server Control You are able to use the Server Control page to restart, stop and debug the RADIUS server.

RADIUS Log Snapshot The latest entries in the RADIUS server log are displayed on the Server Control page in reverse chronological order.

The Restart RADIUS Server and Stop RADIUS Server commands take effect the moment either one is clicked. You are not presented with any confirmation windows.

RADIUS Services | 45

Log entries that are displayed include both successful and unsuccessful authentication attempts, the details about any authentication or authorization failures, and server configuration messages when the RADIUS server is started.

Debug RADIUS Server The AAA Debug option on the RADIUS Server Configuration page enables additional debugging messages logged during the handling of RADIUS packets. The default setting is No debugging. This option might be of use when setting up or troubleshooting advanced authorization methods, and you can refer to the application log to view the AAA debug messages. However, for performance reasons, this option should be disabled in a production environment. If you do enable it for troubleshooting, remember to disable it when you are through.

In debugging mode, the detailed log output from the local RADIUS server is redirected to your browser. This can greatly assist in troubleshooting the exact cause of an authentication, authorization or accounting (AAA) problem.

Normally, the RADIUS server runs in the background, processing AAA requests from incoming clients and generating responses. However, if you are troubleshooting an authentication problem, sometimes it is convenient to see exactly what is being sent and received by the RADIUS server. This can help track down configuration problems in NAS clients (such as an incorrect shared secret, or an invalid request attribute), user roles (wrong reply attributes or values), and other problems.

To view this output, the RADIUS server is stopped and restarted in a diagnostic mode. The output generated on each request is redirected to your Web browser.

When you stop the debugger, the normal background operation of the RADIUS server is resumed. No further output will be received once the debugger has been stopped.

During the starting and stopping of the server, there may be brief periods of time during which the RADIUS server is unreachable. RADIUS clients should cope with this outage by retrying their RADIUS requests. However, on a busy network some traffic may still be lost.

To enter debugging mode, click the Debug RADIUS Server command link on the RADIUS > Server

Control page.

Viewing Failed Authentications A list of recent authentication failures can be obtained by clicking the View Failed Authentications command link on the RADIUS > Server Control page.

You can resize the log output area by clicking and dragging the border.

46 | RADIUS Services Amigopod 3.7 | Deployment Guide

Each row in the table groups together authentication attempts based on the username (that is, the User- Name attribute provided to the RADIUS server in the Access-Request).

The Status column displays one of the following messages for each authentication record, explaining the current state of the user account in the system:

Does not exist the user account could not be found

Deleted the user account no longer exists

Disabled the user account is disabled

Additionally, if all authentication attempts are displayed, the following status messages may be displayed:

Expires: date the user account is enabled and has the specified expiration time

Enabled the user account is enabled

The Activity column displays one of the following messages for each authentication record, indicating the recent session activity for the corresponding account:

Never the user has never logged in and no sessions have been recorded

Logged Out the user has previously logged in, but there is no current active session for this user; hover over the text to view the start and stop times for the users most recent session

Logged In the user is currently logged in; hover over the text to view the start time for the users most recent active session

Stale the user has an active accounting session, but no updates have been received recently; the session may be stale. Hover over the text to view the start time and duration for this session.

The Last Attempt and Attempts columns display the time at which the most recent authentication was recorded for the user, and the total number of authentication attempts.

The Reply column displays the RADIUS servers response, and may be either Access-Accept to indicate a successful authentication, or Access-Reject to indicate the authentication attempt failed.

Server Configuration Advanced configuration options for the RADIUS server may be modified using the Server Configuration screen.

Amigopod 3.7 | Deployment Guide RADIUS Services | 47

The NAS Type list may be used to select a default type for network access servers. Use this option if you have a deployment that uses only one type of NAS.

The AAA Debug option on the RADIUS Server Configuration page enables additional debugging messages logged during the handling of RADIUS packets. The default setting is No debugging. This option might be of use when setting up or troubleshooting advanced authorization methods, and you can refer to the application log to view the AAA debug messages. However, for performance reasons, this option should be disabled in a production environment. If you do enable it for troubleshooting, remember to disable it when you are through.

Logging interim accounting updates is optional, and is disabled by default. You can use the check box in the Interim Accounting row to enable or disable logging of RADIUS interim accounting updates.

The Server Options field is a text field that accepts multiple name = value pairs. You can also add comments by entering lines starting with a # character. For available parameters that can be configured with the Server Options field, see RADIUS Server Options in the Reference chapter.

48 | RADIUS Services Amigopod 3.7 | Deployment Guide

Example: Removing a User-Name Suffix Some NAS equipment always appends a realm in the form @domain.com to a RADIUS User-Name attribute in the Access-Request message sent to the RADIUS server.

It is possible to configure the RADIUS server to strip off this additional text, using the attr_rewrite module.

Use the following Server Configuration entries to perform this modification:

module.attr_rewrite.consentry.attribute = User-Name

module.attr_rewrite.consentry.searchin = packet

module.attr_rewrite.consentry.searchfor = "@consentry.com$"

module.attr_rewrite.consentry.replacewith = ""

authorize.after_preprocess.0.name = consentry

Here, an instance of the attr_rewrite module is created, named consentry. Any trailing text that matches the pattern @consentry.com in the User-Name attribute will be removed before the RADIUS server attempts authentication.

Removing a variable-length suffix

It turns out that the Consentry NAS limits username fields to 32 characters. Many email addresses are longer than this, especially with an additional @realm appended, so the suffix string may be truncated at an arbitrary point.

The following Server configuration option can be used in this situation:

module.attr_rewrite.consentry.searchfor = "@consentry\\.com$|@consentry\\.co$|@consentry\\.c$|@consentry\\.$|@consentry$|@cons entr$|@consent$|@consen$|@conse$|@cons$|@con$|@co$|@c$|@$"

Example: Correcting the NAS-IP-Address Attribute Some NAS equipment (notably Chillispot) will send a NAS-IP-Address of 0.0.0.0 in accounting records, which renders the active sessions list view useless as well as any attempt to perform RFC 3576 management such as a session disconnect.

This can be fixed by using the Client-IP-Address internal attribute and rewriting the accounting packet so that the actual IP address the packet is received from is recorded:

# Fix incoming NAS-IP-Address of 0.0.0.0

module.attr_rewrite.fix_nas_ip.attribute = NAS-IP-Address

module.attr_rewrite.fix_nas_ip.searchin = packet

module.attr_rewrite.fix_nas_ip.searchfor = "^0.0.0.0$"

module.attr_rewrite.fix_nas_ip.replacewith = "%{Client-IP-Address}"

preacct.after_preprocess.0.name = "fix_nas_ip"

Example: Adding a Reply-Message to an Access-Reject Packet The postauth.reject.append configuration item can be used to define attribute rewriting specific to the Access-Reject packet:

# adding Reply-Message to an Access-Reject

module.attr_rewrite.reject_message.attribute = Reply-Message

module.attr_rewrite.reject_message.searchin = reply

module.attr_rewrite.reject_message.new_attribute = yes

module.attr_rewrite.reject_message.replacewith = "Authorization failed"

postauth.reject.append.0.name = reject_message

User Roles Each user in the RADIUS database is assigned a role. A user role is a group of RADIUS attributes and rules that define when those attributes should be applied.

Amigopod 3.7 | Deployment Guide RADIUS Services | 49

User roles can be used to apply different security policies to different classes of guest user accounts. For example, guest users, employees and contractors might all have differing network security policies. The RADIUS attributes defined by a user role can then specify what each class of user is authorized to do.

The User Roles list view defines the user roles for the RADIUS server and allows you to make changes to existing user roles.

Each role is identified by a unique number. The ID is shown in the list view. When creating visitor accounts, the role_id field should contain the ID of one of the user roles defined in the RADIUS server.

The RADIUS attributes for each role are shown in the list view. The icon displayed with each attribute indicates the type of condition attached to it:

 The attribute is enabled and will always be included in a RADIUS Access-Accept message.

 The attribute is disabled and will never be included in a RADIUS Access-Accept message.

 The attribute has a condition expression that will determine if it is included in the RADIUS servers response.

Creating a User Role To create a role that will be assigned to guest users, click the  Create a new role link.

Figure 6 RADIUS Role Editor page

Enter a suitable name in the Role Name field. If you are creating a role for the guest users in your network you might choose Guest as the role name as in the example below.

A Description is optional but useful as it appears in the list view of user roles.

Check Session Warnings to prevent users within this role from receiving any session warnings. This option only takes effect if session warnings have been enabled at Customization > Guest Manager.

Attributes are used to define the security policies to be applied to guest sessions. To configure attributes for this user role, click the  Add Attribute tab.

50 | RADIUS Services Amigopod 3.7 | Deployment Guide

Role Attributes RADIUS attributes form the heart of the role-based access control system. Different user roles may have different attributes associated with them, which allows you to control the behavior of network access devices that authenticate users with the RADIUS server.

Furthermore, you can associate a set of rules called a condition with each RADIUS attribute. This allows you to make adjustments to the precise definition of a role depending on what kind of access is being requested.

You can choose to use either the Standard RADIUS attributes that are applicable to all vendors or to use the attributes particular to your vendor.

If you want to use the vendor specific attributes, select the vendor from the drop down list. The available attributes for the selected vendor will be displayed in the drop-down list for the Attribute field.

Additional vendors and attributes may be defined in the RADIUS Dictionary. See Dictionary for more information in this chapter.

Enter a value for this attribute in the Value field. For integer enumerated attributes, choose an appropriate value from the Value drop-down list. To calculate the value of the attribute using an expression, See Dictionary in this chapter.

Additional attributes can be added by clicking the  Add Attribute button at the bottom of the window.

Amigopod 3.7 | Deployment Guide RADIUS Services | 51

When all the attributes have been added, click the  Save Changes button to create this user role.

Attribute Tags Certain attributes, principally those defined in RFC 2868, have a tag value associated with them. The tag value is a small number (1 to 31).

To define a tag value for these attributes, prefix the value with the tag number surrounded by colons (:). For example, to set the Tunnel-Private-Group-Id attribute to 1000 with a tag of 1, type :1:1000 into the Value field.

Attribute Authorization Conditions You are able to attach authorization conditions to attribute definitions. The choices for an attribute condition are:

Always the attribute will always be included in the RADIUS servers response.

Never the attribute is never included in the response. This option can be used to disable an attribute without deleting it.

Enter condition expression the attribute will be included in the response only if the expression is true. See Example: Time of Day Conditions and Example: Time-Based Authorization in this chapter.

Expressions must be entered as PHP code.

Use condition expressions to perform authorization decisions at the time a RADIUS access request is performed. For example, you can alter the authorization for a user role depending on the time of day. It is also possible to refuse access when a certain condition is met.

Several functions are available for use in attribute conditions. See Standard RADIUS Request Functions in the Reference chapter for detailed documentation about these functions.

Example: Time of Day Conditions In this example, the Reply-Message attribute will be modified to provide a greeting to the guest that changes depending on the time of day.

1. Create a new role named Sample role.

You must click the Save Changes button before any of the changes you have made will take effect in the user role. A warning message will be displayed if you attempt to navigate away from the RADIUS Role Editor page while there are unsaved changes.

52 | RADIUS Services Amigopod 3.7 | Deployment Guide

2. Click the  Add Attribute tab.

3. Select the Reply-Message attribute from the drop-down list and enter the string value Good morning,

guest.

4. Select Enter condition expression from the Condition drop-down list and enter the following code in the Expression text field:

return date('a') == 'am';

5. Click the  Add Attribute button.

6. Repeat the above steps, but use the string value Good afternoon, guest and the following code in the Expression text field:

return date('a') == 'pm';

7. Click the  Save Changes button to apply the new settings to the role.

Explanation: PHPs date() function returns the current time and date; http://www.php.net/date for full details. The a argument will cause the function to return either am or pm depending on the servers current time of day. Finally, the result of the == equality comparison is used with the return statement to determine which attribute value is included in the response.

Example: Time-Based Authorization In this example, users will be authorized to access the network only between the local time of 7:30am and 8:00pm.

1. Create a new role named Sample role.

2. Click the  Add Attribute tab.

3. Select the Reply-Message attribute from the drop-down list. Any attribute can be used for this example, because the attribute will never be included in the response.

4. Select Enter condition expression from the Condition drop-down list and enter the following code in the Expression text field:

return (date("Hi") < "0730" || date("Hi") >= "2000") &&

AccessReject();

5. Click the Add Attribute button.

6. Click the Save Changes button to apply the new settings to the role.

Explanation:

This expression is evaluated every time an Access-Request is made.

date("Hi") is the RADIUS server's local time as hours and minutes with a 24-hour clock (0000, 0001, ..., 0730, 0731, ... 1959, 2000, ..., 2359).

If it is before 07.30 (< "0730") or after 20.00 (>= "2000") then an Access-Reject will be generated.

Otherwise, the parenthesized expression will be false, and the attribute will not be sent (nor will an access-reject be sent).

Example: Accounting-Based Authorization Authorization decisions can also be made based on the accounting records available to the RADIUS server. In this example, users will be authorized only if their total traffic in the past day does not exceed 10 MB.

1. Create a new role named Sample role.

2. Click the  Add Attribute tab.

3. Select the Reply-Message attribute from the drop-down list. Any attribute can be used for this example, because the attribute will never be included in the response.

Amigopod 3.7 | Deployment Guide RADIUS Services | 53

4. Select Enter condition expression from the Condition drop-down list and enter the following code in the Expression text field:

return GetUserTraffic(86400) > 10485760 && AccessReject();

5. Click the  Add Attribute button.

6. Click the  Save Changes button to apply the new settings to the role.

The GetUserTraffic() function ( GetUserTraffic() in the Reference chapter) returns the total traffic for the users sessions in the past 24 hours (86,400 seconds). If this is greater than 10 MB (10,485,760 bytes), the AccessReject() function causes the users access request to be rejected. Otherwise, the entire expression will evaluate to false, and the user will be authorized. Note that the attribute will not be included in the response, as the condition expression was evaluated to false.

Attribute Value Expressions A PHP expression can also be used to calculate the value that the RADIUS server should return for a particular attribute.

To use this feature, use one of these two possible syntaxes when entering the value for an attribute:

= expression The PHP expression is evaluated and used as the value for the attribute.

statement; The PHP statement is evaluated. To include a value for the attribute, the statement must be a return statement; that is, return expression;

Several predefined functions and variables are available for use in value expressions. See View Display

Expression Technical Reference in the Reference chapter for details.

Example: Using Request Attributes in a Value Expression In this example, the Reply-Message attribute will be modified to greet the user with their username.

1. Create a new role named Sample role.

2. Click the  Add Attribute tab.

3. Select the Reply-Message attribute from the drop-down list and enter the following value:

= "Hello, " . GetAttr("user-name")

4. Select Always from the Condition drop-down list and click the Add Attribute button.

5. Click the  Save Changes button to apply the new settings to the role.

Explanation: See GetAttr() . This function returns the value of an attribute that was supplied to the RADIUS server with the Access-Request. Here, the User-Name attribute is retrieved. PHPs string concatenation operator (.) is used to build a greeting message, which will be used as the value of the attribute returned to the NAS in the Access-Accept packet.

Example: Location-Specific VLAN Assignment In this example, the value of a vendor-specific VLAN attribute will be modified based on the NAS to which visitors are connecting.

A syntax error in the expression or statement will cause all RADIUS authorization requests to fail with an Access- Reject. To use the RADIUS Debugger feature, See Debug RADIUS Server in this chapter to diagnose any problems with your code in value expressions.

Identical behavior could also be achieved using the following code in the attributes value:

54 | RADIUS Services Amigopod 3.7 | Deployment Guide

The network has an Aruba wireless controller at 192.168.30.2 which should be configured to place all visitor traffic into VLAN ID 100. There is another Aruba wireless controller at 192.168.40.2 which should be configured to place visitor traffic into VLAN ID 200.

1. Create a new role named Sample role

2. Click the  Add Attribute tab.

3. Select the Aruba vendor, and then select the Aruba-User-Vlan attribute from the drop-down list. Enter the following value for the attribute:

4. Select Always from the Condition drop-down list and click the  Add Attribute button.

5. Click the  Save Changes button to apply the new settings to the role.

Explanation: The GetAttr() function returns the value of an attribute that was supplied to the RADIUS server with the Access-Request. Here, the NAS-IP-Address attribute is retrieved, which will contain the IP address of the NAS making the RADIUS request. PHPs ternary operator (?:) is used to check if the NAS is 192.168.30.2; if it is, then 100 is returned as the VLAN ID. In all other cases, the value 200 is returned as the VLAN ID.

Multiple ternary statements can be nested in parentheses to allow more than two values to be checked. For example, to check against three values, and return a default value if none of the values are matched, use a PHP expression like the following:

(GetAttr('NAS-IP-Address') == 'value1' ? 'result1' : (GetAttr('NAS-IP-Address') == 'value2' ? 'result2' : (GetAttr('NAS-IP-Address') == 'value3' ? 'result3' : 'default_value')))

Network Access Servers A Network Access Server (NAS) is a device that provides network access to users, such as a wireless access point, network switch, or dial-in terminal server. When a user connects to the NAS device, a RADIUS user authentication request (Access-Request packet) is generated by the NAS.

Network access servers are RADIUS clients, and must be predefined in order to access the RADIUS server. For security, each NAS device must also have a shared secret which is known only to the device and the RADIUS server.

Use the Network Access Servers list view to define the NAS devices for this server and to make changes to existing NAS devices.

Creating a Network Access Server Entry A new NAS device is added by clicking on the  Create tab.

Amigopod 3.7 | Deployment Guide RADIUS Services | 55

The NAS name is used in the RADIUS server log to identify access requests from NAS servers. This name must be unique.

The NAS type is selected from a drop down list with the following predefined types:

Other NAS

RFC 3576 Dynamic Authorization Extensions Compatible

Aerohive (RFC 3576 support)

Aruba Networks (RFC 3576 support)

Aruba Networks

Bluesocket

Chillispot (RFC 3576 support)

Cisco

Cisco (RFC 3576 support)

Colubris/HP

Consentry Networks

Enterasys

Extreme Networks

Extricom

Infoblox

Juniper Networks

Meraki

Meru Networks

Motorola (RFC 3576 support)

Ruckus Networks

Trapeze Networks (RFC 3576 support)

56 | RADIUS Services Amigopod 3.7 | Deployment Guide

Trendnet

Xirrus

RFC 3576 is used by the RADIUS server to request that a NAS disconnect or reauthorize a session that was previously authorized by the RADIUS server.

If your NAS vendor is not listed, select the Other NAS option. If the NAS is known to support RFC 3576, select the RFC 3576 Dynamic Authorization Extensions Compatible option. See RFC 3576 Dynamic Authorization in the Guest Management chapter for more information about RFC 3576.

The Shared Secret is used to ensure the security of the authentication request to the Amigopod Visitor Management Appliance. It can be a passphrase or a random set of ASCII characters up to 64 characters in length. The term shared secret is used as the same value must be configured on both the RADIUS client and the RADIUS server.

The Web Login check box is displayed when certain vendors are selected. Select this option to automatically create a corresponding RADIUS Web Login page for this NAS. See Example: Time-Based Authorization in this chapter for details on customizing this page.

Click the  Create NAS Device button to create this NAS. If you do not want to proceed, click the  Reset Form button to cancel your entry.

Once a NAS entry has been created, it can be edited, deleted or pinged by clicking on it.

Importing a List of Network Access Servers NAS entries may be created from an existing list by uploading it to the Amigopod Visitor Management Appliance. Click the  Import a list of network access servers linkon the NAS List pageto start the process.

The Upload NAS List form provides you with different options for importing a list of servers

.

To complete the form, you must either specify a file containing the server information, or type or paste in the NAS information to the NAS List Text area.

Advanced import options may be specified by selecting the Show additional import options check box.

The Amigopod Visitor Management Appliance uses the UTF-8 character set encoding internally to store NAS server properties. If your file is not encoded in UTF-8, the import may fail or produce unexpected results if non-ASCII characters are used. To avoid this, you should specify what character set encoding you are using.

The format of the NAS list file is automatically detected. You may specify a particular encoding if the automatic detection is not suitable for your data.

Select the Force first row as header row check box if your data contains a header row that specifies the field names. This option is only required if the header row is not automatically detected.

Click the  Next Step button to upload the data.

In step 2 of 3, the format of the uploaded data is determined and the appropriate fields are matched to the data. The first few records in the data will be displayed, together with any automatically detected field names.

For example, the following data was used:

server1,192.168.22.10,Radius_Secret server2,192.168.22.11,Radius_Secret server3,192.168.22.12,Radius_Secret external,10.22.0.10,Rmd*3n2pEfz9

Because this data does not include a header row that contains field names, the corresponding fields must be identified in the data:

Use the Match Fields form to identify which NAS server fields are present in the imported data. You can also specify the values to be used for fields that are not present in the data.

58 | RADIUS Services Amigopod 3.7 | Deployment Guide

To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name (Field 1, Field 2, etc.) to use the values from that column when importing the NAS entries, or select one of the other available options to use a fixed value.

Click the  Next Step button to preview the final result.

In step 3 of 3, a preview of the import operation is displayed. The properties of each NAS are determined, and any conflicts with existing NAS entries are displayed

.

Select the NAS entries to be created or updated with the imported data. The icon displayed in each row indicates if it is a new entry ( ) or if an existing NAS entry will be updated ( ).

Click the  Update existing entries check box to select or unselect all existing NAS entries in the list.

Click the  Create Network Access Servers button to finish the import process. The selected items will be created or updated.

A completion screen is then displayed, showing the results of the import operation.

You must restart the RADIUS server in order for the new NAS entries to be recognized. See Server Control in this chapter for more information.

Web Logins Many NAS devices support Web-based authentication for visitors.

By defining a Web login page on the Amigopod Visitor Management Appliance you are able to provide a customized graphical login page for visitors accessing the network through these NAS devices.

A sequence diagram showing the process for guests to log in using a Web login page is shown below.

Amigopod 3.7 | Deployment Guide RADIUS Services | 59

Figure 7 Sequence diagram for guest captive portal and Web login

In a typical configuration, you would enable the captive portal functionality of your NAS [1], and use the URL of your custom Web login page as the default portal landing page [2] for unauthorized guests.

When the login form is submitted [3], the Login Message page is displayed to the visitor [4]. A subsequent automatic redirect to the NAS will perform the actual login [5], which invokes the AAA process. If this is successful, the NAS will apply the appropriate security policy to the visitors session [6], enabling them to start browsing the Internet [7].

In this way you can provide a branded and customized login page that is integrated with your existing network access devices.

Use this list view to define new Web login pages, and to make changes to existing Web login pages.

Creating a Web Login Page To create a new Web login page, navigate to Customization > Web Logins.

Click  Create a new Web login page to create a Web login page for your guests.

There are five sections to this form.

The first section requires that you enter a name for this login page, as well as an optional page name. You can also provide an optional description of the login page.

To use predefined network settings for NAS equipment, select the appropriate vendor in the Vendor Settings drop-down list. If your NAS vendor is not listed, or if you would prefer to customize all aspects of the Web login page, choose Custom Settings

60 | RADIUS Services Amigopod 3.7 | Deployment Guide

Amigopod 3.7 | Deployment Guide RADIUS Services | 61

The Authentication field provides three options:

Credentialsa username and password. The guest is prompted for a username and password to log in to the network.

Access CodeRequires only username for authentication. The guests password is automatically provided for the login attempt.

AnonymousThis option supports two special usernames: _mac and underscore (_).

When Anonymous is selected, two usernames may be used to enable specific behavior. The guest is not prompted for a username and password; a fixed set of credentials will be used for all guest logins. If you select this option, then the Auto-generate (optional) and Anonymous User (required) fields display.

_mac: This populates the username and password with the users MAC if the user is detected on the system. To enable this first navigate to Administrator > Plugin Manager > MAC Authentication

Plugin. Select the Configuration icon to display the MAC Authentication Plugin page. Select the Allow users to be detected via their MAC address option and click Save Configuration.

On the RADIUS Web Login page, select Anonymous in the Authentication field. Check the Auto-

generate the anonymous account option. Make sure to select the Pre-Auth Check option Local

match a local account and save the configuration.

Underscore (_): Leaves the username and password blank and requires post-processing in the header or footer.

Pre-authentication checks now take place:

None No checks will be made: No checks are made before redirecting to the NAS login.

Local Match local account: Checks the entered username and password before redirecting to the NAS login.

RADIUS Check using RADIUS request: Checks the local database and external authenticationservers for the provided credentials. This provides authentication of the user regardless of where the account is defined.

When the Web login form is submitted, the username and password are submitted to the NAS using the field names specified in Username Field and Password Field:

The visitors username is submitted to the NAS, with any suffix provided in Username Suffix appended to the username. If the username suffix is blank, the username is not modified.

The visitors password will be submitted to the NAS unmodified if the Password Encryption option No encryption (plaintext password) is selected. Otherwise, See Universal Access Method (UAM) Password Encryption in this chapter for details about the supported password encryption methods.

Select the Require a Terms and Conditions confirmation check box to add a check box to the login page that indicates the visitor has read and agreed to the terms and conditions of use. If this option has been selected, the check box must be ticked before the login can proceed.

Select the Override the default labels and error messages check box to customize the text displayed in the login form. If this option is selected, additional fields will be displayed for the Username Label, Password Label, Login In Label, and the Terms Label, Terms Text and Terms Error if the terms and conditions confirmation option has also been selected. Use these fields to enter text that is appropriate for your deployment.

You can provide extra fields if required by your NAS device, and perform processing on parameters that have been supplied by the NAS during the redirect to the Web login page. See NAS Redirect Parameters and NAS Login Parameters in this chapter for details about these parameters.

The NAS parameters and any extra fields specified are available for use within the Submit URL, which may be a template expression. This allows for complex processing of the input if required. See Using Web Login Parameters in this chapter for details about using Web login parameters.

The third section allows you to control the destination that clients will be redirected to after login

.

The NAS is responsible for redirecting a visitor to their original destination after a successful login attempt. The URL Field is the name of a parameter supplied to the NAS that contains the visitors redirection URL.

Normally, this parameter will be provided automatically by the NAS when the visitor is redirected to the Web login page. However, you can use the Default URL field to provide a destination for clients that do not specify a redirection URL. Select the Force default destination for all clients check box to cause all visitor access to redirect to the Default URL after login, instead of the visitors intended access.

The fourth section allows you to control the look and feel of the login page.

When Local Match local account is selected, user accounts defined in Guest Manager will be permitted; user accounts defined in external authentication services will not be permitted to log in

Be sure to use a fully-qualified URL, such as http://www.example.com. The http:// prefix is an important part of the URL.

Amigopod 3.7 | Deployment Guide RADIUS Services | 63

Use the Insert self-registration link drop-down list to insert HTML code that creates a link to an existing guest self-registration page. This may be of use when you are creating a landing page suitable for both registered and unregistered visitors.

You are able to optionally create a login message in this section. This could be used to welcome the guest and outline the terms of usage. The login message is only displayed for the time specified in the Login Delay.

The fifth section allows you to specify access controls for the Web login page.

64 | RADIUS Services Amigopod 3.7 | Deployment Guide

The Allowed Access and Denied Access fields are access control lists that determine if a client is permitted to access this Web login page. You can specify multiple IP addresses and networks, one per line, using the following syntax:

1.2.3.4 IP address

1.2.3.4/24 IP address with network prefix length

1.2.3.4/255.255.255.0 IP address with explicit network mask

The Deny Behavior drop-down list may be used to specify the action to take when access is denied.

The access control rules will be applied in order, from the most specific match to the least specific match.

Access control entries are more specific when they match fewer IP addresses. The most specific entry is a single IP address (for example, 1.2.3.4), while the least specific entry is the match-all address of 0.0.0.0/0.

As another example, the network address 192.168.2.0/24 is less specific than a smaller network such as 192.168.2.192/26, which in turn is less specific than the IP address 192.168.2.201 (which may also be written as 192.168.2.201/32).

To determine the result of the access control list, the most specific rule that matches the clients IP address is used. If the matching rule is in the Denied Access list, then the client will be denied access. If the matching rule is in the Allowed Access list, then the client will be permitted access.

If the Allowed Access list is empty, all access will be allowed, except to clients with an IP address that matches any of the entries in the Denied Access list. This behavior is equivalent to adding the entry 0.0.0.0/0 to the Allowed Access list.

If the Denied Access list is empty, only clients with an IP address that matches one of the entries in the Allowed Access list will be allowed access. This behavior is equivalent to adding the entry 0.0.0.0/0 to the Denied Access list.

Universal Access Method (UAM) Password Encryption Two different forms of password encryption are supported for the Web login page. These are:

UAM basic Equivalent to the Password Authentication Protocol (PAP) scheme.

UAM with shared secret Equivalent to the Challenge Handshake Authentication Protocol (CHAP) scheme.

When using either of these schemes, the NAS must supply a parameter named challenge to the Web login page. This parameter should be a string of hexadecimal digits (hexadecimal challenge string) encoding a binary value at least 128 bits long (binary challenge).

The challenge is used to encrypt the users password as follows:

UAM basic The users password is XORed bytewise with the supplied binary challenge. The result is encoded as a string of hexadecimal characters.

UAM with shared secret The MD5 checksum of the binary challenge followed by the predefined UAM secret is computed (checksum challenge). The encrypted password is the hexadecimal MD5 checksum of a stream consisting of a null byte followed by the users plaintext password and the hexadecimal checksum challenge.

NAS Redirect Parameters The NAS may supply additional parameters when redirecting the user to the Web login page. These are supported and will be passed back to the NAS along with the variables that are defined as part of the Web login form.

For example, some wireless network equipment will pass a wlan parameter that contains the users ESSID to the login page. This might result in the following redirection URL:

Amigopod 3.7 | Deployment Guide RADIUS Services | 65

http://192.168.88.88/weblogin.php/4?wlan=Amigopod

This will in turn result in a hidden field included in the Web login form. The field will be named wlan and will be set to the value Amigopod.

NAS Login Parameters Extra fields in the NAS login form may be defined using name=value pairs in the Web login form configuration. This allows you to specify values required by a particular NAS to log in, or to override values supplied by a NAS.

You can also remove a NAS-supplied field from the form. To do this, list only the name of the field in the Extra Fields, without any equals sign or value for the field. By doing this, any value set for the field will be removed when the form is submitted.

To set a value for a field, but only if the NAS did not supply a value for this field, use the syntax name!=value. This can be used to provide a default parameter to the NAS, if the user was redirected without the parameter.

To rename a field, specify the old and new names using the syntax oldname|newname.

The table below summarizes the syntax that is available in the Web login page extra fields:

Using Web Login Parameters The parameters passed to the Web login page can be used within the template code. Each parameter is defined as a page variable with the same name. You can use the syntax {$var} to display the value of the parameter var. More complicated expressions can be built using Smarty template syntax. See Smarty Template Syntax in the Reference chapter for details.

The NAS redirect parameters are also automatically stored as the properties of a session variable called $extra_fields. You can use this variable to remember the NAS parameters when redirecting the user to a different page that does not include the parameters in the URL.

To access the value of a remembered field called wlan, use the syntax:

Table 9 Web Login Page Syntax

Syntax Meaning

name=value Sets field to a specific value; will override any NAS-provided value for this field

name={$value|} Sets field to a value determined by evaluating the template expression; will override any NAS-provided value for this field

name!=value Sets field to a value, but only if the field was not provided in the redirect to the Web login page. The value may be a template expression.

name Removes field provided by the NAS; this field will not be submitted to the NAS.

old|new Renames the field old to new and keeps its value.

old|new=value Renames the field old to new and assigns a new value.

To display a list of all the parameters available for use on the page, add the following template code to the Footer HTML: {dump var=$params export=html}

66 | RADIUS Services Amigopod 3.7 | Deployment Guide

{$extra_fields.wlan}

To display all the remembered fields for the current visitor session, use the syntax:

{dump var=$extra_fields export=html}

Apple Captive Network Assistant Bypass with Amigopod This section describes the process for leveraging the Amigopod Captive Portal to bypass the Captive Network Assistant (Web sheet) that is displayed on iOS device such as iPhones, iPad and more recently Mac OS X machines running Lion (10.7).

Based on the proposed configuration in this guide, the combination of an Aruba Wi-Fi network and Amigopod Guest Access Solution can effectively be used to bypass the Captive Network Assistant technology implemented by Apple in various of their Wi-Fi enabled mobile devices.

The need to bypass this Web sheet solution for prompting users to perform a Web authentication task will largely be driven by the customer design and need to control the user experience as guest or public access users authenticate to the network.

By enabling a full client Web browser based authentication, this solution enables fully customized Web login experience to be developed and presented through the Amigopod portal options.

Some examples of use cases for the browser-based authentication are as follows but certainly not limited to:

Display of a welcome page to host session statistics, logout button, link to continue to original destination

Display of an interstitial page for the display of advertising media before being granted access to the Internet

Based on browser detection, display a promotional link to a mobile device App from associated App Store for retail applications

Provide mobile device App based Web authentication for transparent Wi-Fi access in retail application

Mobile Device Access Control (MDAC) environments where the Web authentication process is used to push

Device configurations and client certificates to mobile devices.

This Web sheet is displayed on iOS devices when a device connects to a Wi-Fi network that has been configured with Open security, such as those typically found in guest access networks or public hotspots.

The benefit of this feature provided by Apple is to automatically prompt users to log in to the detected Captive Portal network without the need to explicitly open a Web browser. This is useful on mobile devices where many of the common applications are not browser based such as email, social networking applications, media streaming and these applications would otherwise fail to connect without the successful browser based authentication.

The Apple operating systems detect the presence of a Captive Portal enabled network by attempting to request a Web page from the Apple public Web site. This HTTP GET process retrieves a simple success.html file from the Apple Web servers and the operating system uses the successful receipt of this file to assume that it is connected to an Open network without the requirement for Captive Portal style authentication.

If the success.html file is not received, the operating system conversely assumes there is a Captive Portal in place and presents the Web sheet automatically to prompt the user to perform a Web authentication task.

Once the Web authentication has successfully completed, the Web sheet window will be automatically closed down and therefore preventing the display of any subsequent welcome pages or redirecting the user to their configured home page.

Amigopod 3.7 | Deployment Guide RADIUS Services | 67

Also if the user chooses to cancel the Web sheet, the Wi-Fi connection to the Open network will be dropped automatically preventing any further interaction via the full browser or other applications. The following are examples of these Web sheet sessions from a Mac OS X Lion (10.7) laptop, iPad and an iPhone.

Figure 8 Captive Network Assistant on MacOS X

Figure 9 Captive Network Assistant on iPad \

Figure 10 Captive Network Assistant on iPhone

The Web sheet can be easily identified by the lack of a URL bar at the top of the screen and typical menu bar items.

For many customers, this behavior of their Apple wireless devices will be acceptable and a great usability enhancement for their user community.

There are however particular guest access or public access designs where the use of this Web sheet and the lack of ability to control the entire Web authentication user experience is not desirable.

For these customer scenarios, Amigopod have developed a method of bypassing the display of the Web sheet on the Mac OS X Lion or iOS devices. The main driver for this implementation is to restore the ability to control the user experience and display post authentication welcome pages or redirect the Wi-Fi users to their originally requested Web page.

Alternatively, testing of the recommended Captive Portal configuration where SSL secured connections are implemented on both the Aruba controller and Amigopod Web Login page, has shown to also prevent the display of the Captive Network Assistant on Apple devices. It appears that the redirect process to the HTTPS hosted Web Login page on Amigopod, prevents the display of the Web sheet and it is assumed that the Captive Network Assistant only supports HTTP. This recommended approach of using HTTPS to avoid user credentials being passed in the clear for guest and public access networks requires the installation of trusted server certificates on both the controller and the Amigopod. For some customers where securing these user credentials is not essential (for example in Anonymous login designs) the solution proposed in this guide provides the same desired result using HTTP as the transport for the Web authentication traffic.

Solution Implementation In a typical Amigopod deployment integrating with an ArubaOS controller, the Captive Portal profile is configured to redirect all unauthenticated users to the external Captive Portal page hosted on Amigopod.

For further details on the recommended configuration of both Amigopod and the ArubaOS controllers, please refer to the Amigopod & ArubaOS Integration Application Note available for download from the following location: http://www.arubanetworks.com/vrd/

Amigopod 3.7 | Deployment Guide RADIUS Services | 69

The following CLI and WebUI examples so a typical configuration of the Captive Portal profile and of note the login-page is set to point directly to the Amigopod hosted Web Login page.: http://10.169.130.50/ Aruba_Login.php

Captive Portal Profile Configuration aaa authentication captive-portal "guestnet"

default-role auth-guest

direct-pause 3

no logout-popup-window

login-page http://10.169.130.50/Aruba_Login.php

welcome-page http://10.169.130.50/Aruba_welcome.php

switchip-in-redirection-url

Figure 11 Captive Portal Profile Configuration

Amigopod have implemented a new embedded URL within the portal configuration that is designed to address the issue of bypassing the mini browser discussed previously. This new page is available on the following URL: http:// /landing.php/

The new Web page includes the logic to detect the presence of an iOS device or Mac OS X Lion machine being redirected as part of the Aruba controller Captive Portal configuration. If these devices are detected, their initial request to the Apple Web site will be served locally from the Amigopod and hence emulating the environment of an Open connection to the Internet. By emulating the response from the Apple Web site, the iOS device or Mac OS X machine will no longer initiate the Captive Network Assistant and the user can launch their local browser manually as desired.

Now that the devices are able to open the local browser, any attempt to access the Internet will be subsequently be redirected again to the Amigopod. This new function will then differentiate between this Web browser request from the previous Captive Network Assistant request and forward the session onto the configured Amigopod Web Login page.

Given that Amigopod can host multiple Web Login pages, a simple method has been provided to configure the Web Login page that should be used without requiring any additional configuration on Amigopod. This definition of the Web Login page can be specified as part of the Captive Portal profile configuration on the Aruba controller.

70 | RADIUS Services Amigopod 3.7 | Deployment Guide

Figure 12 Configuring the Web Login page

For example, the Captive Portal profile login page configuration sample below will link to an Amigopod hosted Web Login page called Aruba_Login: http:// /landing.php/Aruba_Login.php.

Database Lists This is a list of databases on the NAS server. The Amigopod RADIUS server uses a database to store the user accounts for authentication and other settings for the server.

You can set up as many databases as you like, including databases on other servers. However, exactly one database must be marked as the Active database. This database will be used by the RADIUS server for user authentication. The default configuration of the Amigopod Visitor Management Appliance includes a pre- configured database. Most deployments will not require more than one database. It is recommended that you leave the default configuration unmodified.

Amigopod 3.7 | Deployment Guide RADIUS Services | 71

Database Maintenance Tasks

Database optimization and other maintenance tasks can be performed using this form. These tasks are normally carried out automatically and do not require administrative intervention.

Some system updates may require a database schema upgrade. If this is required, it is indicated on the database list with the  schema upgrade icon. To upgrade the database schema, select the Upgrade an existing database schema operation.

Click the  Perform Operation button to carry out the specified operation.

Dictionary The RADIUS Dictionary is a complete list of all the vendor IDs, vendor-specific attributes, and attribute values used in the RADIUS protocol. The dictionary is used to translate between human-readable strings and the underlying numbers used in RADIUS packets.

Many predefined vendor-specific attributes have already been provided in the dictionary. These items are indicated with a lock icon ( ) and cannot be removed from the dictionary.

You can make changes to the predefined vendors and vendor-specific attributes. The new dictionary entry will be shown without a lock icon ( ). To restore the original value of the dictionary entry, simply delete the new entry.

Use this tree view to define a new vendor, create a new vendor-specific attribute, or modify the list of values available for a particular attribute.

72 | RADIUS Services Amigopod 3.7 | Deployment Guide

The dictionary can be sorted by clicking on a column heading.

Import Dictionary You are able to import RADIUS dictionary entries from a text file using the Import Dictionary command located under the  More Options tab. These text files can be created by you or you can download them from a manufacturer who is not in the standard list.

Export Dictionary You are able to export the dictionary by clicking on the  More Options tab and choosing the Export

Dictionary command. This saves the complete contents of the dictionary as a text file.

Reset Dictionary You can reset the dictionary to its default set of vendors by clicking on the Reset Dictionary command.

All changes to the vendors, vendor-specific attributes and attribute values in the dictionary will be lost.

Click the  Reset Dictionary button to have the dictionary reset.

Vendors Vendors are manufacturers of NAS equipment. Amigopod provides a list of manufacturers but you are able to add to this list.

Vendor-specific attributes as defined in RFC 2865 can be used to configure specific options related to a particular vendors equipment.

Amigopod 3.7 | Deployment Guide RADIUS Services | 73

Creating a New Vendor A new vendor may be added to the dictionary by clicking the  Create Vendor tab at the top of the Dictionary list view.

You are required to enter the Vendor Name. This name cannot already exist in the dictionary. Spaces are not permitted in the Vendor Name. By convention, hyphens are used in vendor and attribute names instead of spaces.

You are required to enter the Vendor Number. This is the IANA Private Enterprise Code assigned to this vendor. It is unique to this vendor and is used by the RADIUS protocol. For the current mapping of vendor names to IANA Private Enterprise Codes, refer to the IANA Web site: http://www.iana.org/assignments/ enterprise-numbers.

The Vendor Number must be less than or equal to 65535.

Once you have completed the form, click the  Create Vendor button to add this vendor to the dictionary.

Edit Vendor You are able to change the Vendors name or number with the  Edit Vendor icon link. This allows you to change the vendor name or number.

Delete Vendor You are able to delete any vendors that you have added to the dictionary. Use the  Delete Vendor icon link for this. Deleting a vendor will also delete all vendor-specific attributes and attribute values for that vendor.

You will be prompted to confirm the delete operation before it takes place.

Vendors with a lock symbol ( ) next to their name are standard RADIUS dictionary entries and cannot be deleted.

Export Vendor The selected vendors attributes and values can be exported as a text file in RADIUS dictionary format by clicking the  Export Vendor icon link.

Vendor-Specific Attributes Vendor-specific attributes identify configuration items specific to that vendors equipment.

74 | RADIUS Services Amigopod 3.7 | Deployment Guide

Add a Vendor-Specific Attribute (VSA) A Vendor Specific Attribute (VSA) is a RADIUS attribute defined for a specific vendor. You are able to add vendor-specific attributes to a vendor by clicking the vendor in the RADIUS dictionary list view and then clicking the  Add VSA icon link.

Each attribute has a name and a unique number specific to that vendor. Refer to your vendors documentation for the attribute name, number and type settings to use.

The attribute type can be one of:

Integer

String

Binary

IPv4 Address

Date/Time

IPv6 Address

IPv6 Prefix

Interface ID (8 octets)

Ascend Binary Filter

Attribute numbers are normally small decimal numbers in the range 0-255. These may be entered in decimal, or in hexadecimal using the 0x prefix. Certain vendors in the dictionary have support for larger attribute values.

If you want the attribute to appear in the active session views and on RADIUS accounting reports, check the Visible in Active Sessions check box. This allows the attribute to be searched and filtered.

Once the data has been entered, click the  Create Attribute button to complete the creation.

Click the  Cancel button if you do not want to proceed with creating this vendor attribute.

Amigopod 3.7 | Deployment Guide RADIUS Services | 75

Edit Vendor-Specific Attribute You can change the properties of an attribute by clicking on the attribute in the RADIUS dictionary list view and then clicking the  Edit Attribute icon link.

Once an attribute has been edited, click the Update Attribute button to save your changes.

Delete Vendor-Specific Attribute Attributes can only be deleted from vendors that you have added to the dictionary. Vendor-specific attributes with a lock symbol ( ) next to their name are standard RADIUS dictionary entries and cannot be deleted.

To delete a vendor-specific attribute, click it in the RADIUS dictionary list view and then click the  Delete Attribute icon link. You will be prompted to confirm the delete operation before it takes place.

Add Attribute Value A Value Name with a corresponding numerical value can be created for a selected attribute. These enumerated values are used to associate meaningful names with the underlying numerical values of the attribute.

Once an integer attribute has been added to a vendor, you are able to define enumerated values for it.

When a vendor-specific attribute is of integer type, this can be used as an explanation of the value, or to specify that the value for an attribute can be only one of a limited number of possibilities.

Edit Attribute Value Enumerated values can be added to an attribute by clicking the attribute in the RADIUS dictionary list view and then clicking the  Add Value icon link.

Enumerated values cannot be defined for attributes of string type.

76 | RADIUS Services Amigopod 3.7 | Deployment Guide

You are required to enter the name of the value to be added as well as its value. Values can only be added to attributes that are of integer type.

Delete Attribute Value Values that have been added to a vendor-specific attribute can be deleted using the  Delete Value button.

Attribute values with a lock symbol ( ) next to their name are standard RADIUS dictionary entries and cannot be deleted.

EAP and 802.1X Authentication The Extensible Authentication Protocol (EAP) supports multiple types of authentication methods, including digital certificates, smart cards, and passwords. This authentication protocol is the basis for the IEEE 802.1X standard, which provides port-based network access control for both wired and wireless networks.

Amigopod OS 2.1 and later supports EAP and 802.1X authentication. This authentication method requires EAP messages to be encapsulated inside RADIUS packets. The RADIUS server must also be configured with the appropriate settings for the EAP types that will be used.

To view or modify a RADIUS servers EAP configuration, go to RADIUS > Authentication > EAP &

802.1X. The Extensible Authentication Protocol page opens, and includes command links for server configuration and certificate management.

Amigopod 3.7 | Deployment Guide RADIUS Services | 77

To specify supported EAP types and the default type, and to configure OCSP options, see Specifying Supported EAP Types.

To create a server certificate and self-signed certificate authority, see Creating a Server Certificate and Self-Signed Certificate Authority.

To request a certificate from another certificate authority, see Requesting a Certificate from a Certificate Authority .

To import a certificate and its private key, see Importing a Server Certificate.

To export a server certificate, see Exporting Server Certificates .

Specifying Supported EAP Types To enable the EAP-TLS, EAP-TTLS, and PEAP options on the EAP Configuration form, you must first configure a digital certificate for the RADIUS server. The server certificate is the RADIUS servers identity and will be provided to clients authenticating with these EAP methods. To create and manage the server certificates, see Creating a Server Certificate and Self-Signed Certificate Authority.

To specify the EAP types the RADIUS server will support, and the default EAP type, click the EAP

Configuration command on the Extensible Authentication Protocol page. The EAP Configuration form opens.

78 | RADIUS Services Amigopod 3.7 | Deployment Guide

1. In the Supported EAP Types row, mark the check box for each type the RADIUS server should support. The available types are EAP-MD5, EAP-MSCHAPv2, EAP-TLS, EAP-TTLS, and PEAP. If you select EAP-TLS, the EAP-TLS Configuration area is added at the bottom of the form.

2. In the Default EAP Type row, use the drop-down list to select the EAP type to use as the default when the server receives an EAP-Identity response.

3. If you selected EAP-TLS as one of the supported types, use the EAP-TLS Configuration area to configure status checks for client certificates. In the drop-down list in the OCSP row, select one of the following options:

Disable certificate revocation status checks (default)If this option is selected, no OCSP checks are made to determine the client certificates revocation status.

Automatically check certificate revocation statusIf this option is selected, an OCSP responder defined in the client certificate is used to obtain revocation status. If no OCSP responder is defined in the client certificate, then the local certificate authority is used to check status.

Manually specify OCSP URL for certificate checksIf this option is selected, the URL specified in the OCSP row of the EAP Configuration form is used to verify revocation status, and any OCSP responder defined in the client certificate is ignored.

The Manually specify OCSP URL for certificate checks option adds the OCSP Responder row to the form.

4. If you chose the manual option for certificate checks, in the OCSP Responder row, enter the URL of the service to be used to check certificate status.

5. Click the Save Changes button.

Creating a Server Certificate and Self-Signed Certificate Authority To create a new server certificate and self-signed certificate authority (CA), go to RADIUS >

Authentication > EAP & 802.1X, then click the Create Server Certificate command link. The Create

Amigopod 3.7 | Deployment Guide RADIUS Services | 79

RADIUS Server Certificate form is displayed. The unique set of identifying details you enter on this form creates the Distinguished Name (DN) for the new certificate.

Creating a new server certificate and self-signed CA is a three-step process:

In step 1, a certificate signing request is created with the identifying details of the Distinguished Name for the RADIUS servers digital certificate.

In step 2, expiration dates for the certificate and root certificate are specified, and a self-signed certificate authority (CA) is created. This CA is then used to sign the servers certificate request, which produces a valid digital certificate for the server.

In step 3, the certificate authority and server certificates are installed on the RADIUS server. The CA root certificate is then downloaded for distribution to clients who will use this RADIUS server for authentication.

To create a self-signed certificate authority and issue a server certificate using this CA, use the process described below. If you already have a certificate authority, or are using a third-party CA, See Requesting a Certificate from a Certificate Authority inthis chapter for details on creating a certificate signing request.

Creating the Certificate Signing Request

The Create RADIUS Server Certificate form is used to specify the details of your RADIUS server. The server certificate is the RADIUS servers identity and will be provided to clients authenticating with EAP- TLS, EAP-TTLS or PEAP.

.

Complete the details for the certificate, and click the  Continue button to proceed to Step 2.

80 | RADIUS Services Amigopod 3.7 | Deployment Guide

Signing RADIUS Server Certificate

For a client to verify that the RADIUS servers identity is valid, the servers certificate must be issued by a certificate authority (CA) that is trusted by the client. This authority may be either a trusted third party CA, or a private certificate authority for which the root certificate has been distributed to clients.

The Sign RADIUS Server Certificate form shows the details you entered in the previous step, and includes fields for expiration dates. It is used to create a private certificate authority and sign the RADIUS servers certificate. By default, the CA certificates expiration is set to be 10 years in the future.

1. If you need to edit any of the identifying information for the certificate, you may do so on this form.

2. To change the default expiration settings for the certificate authority and the certificate, enter the number of days in the CA Expiration and Certificate Expiration fields.

3. Click the Continue button to proceed to step 3.

Installing the Self-Signed RADIUS Server Certificate

On the Certificate Details form, the details of the RADIUS server certificate and its issuer, and the certificates validity period, are displayed for review. The Install Server Certificate form is included.

To confirm the certificates information and complete the process, mark the Use this certificate to

identify this RADIUS server check box in the Confirm row, then click the  Apply Settings button to configure the EAP server certificate.

After installing the certificate, the RADIUS server will need to be restarted to complete the changes.

Requesting a Certificate from a Certificate Authority To create a certificate request to obtain a certificate from a recognized certificate authority (CA), go to RADIUS > Authentication > EAP & 802.1X, click the Create Server Certificate command link, then click the Request a certificate from another certificate authority link. The Server Certificate Request page opens.

The Common Name of the CA certificate will be used to identify it to clients installing it as a trusted CA root. Make sure to choose a sensible name.

Amigopod 3.7 | Deployment Guide RADIUS Services | 81

Complete the details for the certificate, and click the  Download Request button to save the certificate signing request.

This signing request should be submitted to your certificate authority (CA). The CA signs the request to create the servers digital certificate.

Once you have the certificate, you need to import it to set it up for use with EAP. See Importing a Server Certificate.

Importing a Server Certificate To import a digital certificate and its private key, go to RADIUS > Authentication > EAP & 802.1X and

click the Import Server Certificate command link. The Import Server Certificate form opens.

A digital certificate may be imported from either the PKCS#12 format, which is a single file containing one or more certificates and an encrypted private key, or from three individual files for the certificate, private key (optionally encrypted with a passphrase), and the root certificate authority.

82 | RADIUS Services Amigopod 3.7 | Deployment Guide

Complete the form with the details for your certificate, and click Continue to proceed to Step 2.

Installing a Server Certificate from a Certificate Authority The Install Server Certificate form is used to install a digital certificate you have obtained from a third- party certificate authority. This certificate should correspond to a certificate signing request that you previously created using the New Certificate Request form.

Select the certificate file and the certificate authoritys root certificate, and click the  Upload

Certificate button.

Installing an Imported Server Certificate

In step 2, the details of the imported RADIUS server certificate and its issuer are shown, including the certificates validity period.

Select the Use this certificate to identify this RADIUS server check box and click the  Apply

Settings button to complete the import process and configure the EAP server certificate

.

After importing the certificate, the RADIUS server will need to be restarted to complete the changes.

Exporting Server Certificates The Export Server Certificate form is used to export the RADIUS servers digital certificate, or the certificate authoritys root certificate, in several different formats.

Select one of these options to export a certificate file:

Server certificate and CA issuer certificate (PKCS#7) use this option to download a file containing the certificates for the CA and the server.

Server certificate chain including private key (PKCS#12) use this option if you are backing up the servers certificate, or moving it to another server. A passphrase is strongly recommended to protect the private key.

Server certificate only use this option to download just the RADIUS servers certificate, in either PKCS#7, Base-64 encoded (PEM), or binary (DER) formats.

CA issuer certificate only use this option to download the root certificate for the certificate authority.

PEAP Sample Configuration To enable the common case of PEAPv0/MS-CHAPv2 (broadly supported by all wireless clients that implement 802.1X), follow the process described below:

1. Create or import a RADIUS server certificate. See Creating a Server Certificate and Self-Signed Certificate Authority and Importing a Server Certificate in this chapter for details.

2. Select the appropriate PEAP options in the EAP Configuration form, as shown below:

Amigopod 3.7 | Deployment Guide RADIUS Services | 83

3. Click the Save Changes button, and restart the RADIUS Server to apply the configuration.

4. You may verify that the EAP configuration is loaded by checking for a certain startup message on the RADIUS Server Control screen: Tue Nov 17 01:04:05 2009 : Info: rlm_eap_tls: Loading the certificate file as a chain

5. The certificate authority used to issue the servers certificate must be exported. To do this, click the Export Server Certificate command link. In the Export Server Certificate form, select CA issuer certificate only and use the default PKCS#7 container format.

6. Click the Download File button and a file named Amigopod Certificate Authority.p7b will be downloaded (the precise name depends on the common name for the CA certificate).

7. This file must be imported as a trusted root certification authority on any client wishing to authenticate using this RADIUS Server. The reason for this is that the servers identity must be established via a trusted root CA in order for authentication to proceed. When using a well-known third party CA, this step does not need to be performed as the necessary trust relationship already exists in most clients.

Importing a Root Certificate Microsoft Windows Vista and Windows 7

The following steps may be used to import a root certificate on Windows Vista or Windows 7 from a .p7b file exported using the Export Server Certificate form:

1. Open the .p7b file from Windows Explorer:

84 | RADIUS Services Amigopod 3.7 | Deployment Guide

2. Select the certificate in the list. Right-click it and choose Open:

3. Click the Install Certificate button. The Certificate Import Wizard appears

4. Click Next. The Certificate Store form is displayed.

Amigopod 3.7 | Deployment Guide RADIUS Services | 85

5. Click the Browse button to select the Trusted Root Certification Authorities store :

6. Click OK, and then click Next. The last page of the Certificate Import Wizard will be displayed.

86 | RADIUS Services Amigopod 3.7 | Deployment Guide

7. Once you have reached the end of the wizard, click Finish. A security warning dialog box will be displayed, indicating that the root certificate authorities store is about to be updated

:

8. To make use of the imported root certificate, make sure that the CA is specified as a Trusted Root Certification Authority for the wireless network connection that is using PEAP.

.

Active Directory Domain Services To perform certain types of user authentication, such as using the MS-CHAPv2 protocol to verify a username and password, the RADIUS server must first be joined to an Active Directory domain.

For information on Proxy RADIUS, LDAP, and local certifiacate authority external authentication servers, see External Authentication Servers.

To view the current domain information, join or leave a domain, or perform authentication tests for user accounts in the domain, use the Active Directory Services command link on the RADIUS >

Authentication page.

The Domain Summary table shows the current domain settings. Click the  Show details link to see advanced information about the domain.

Joining an Active Directory Domain To start the two-step process to join the domain, click the Join Domain command link on the RADIUS >

Authentication > Active Directory Services page.

The Join Active Directory Domain form is displayed.

88 | RADIUS Services Amigopod 3.7 | Deployment Guide

The process has built-in troubleshooting assistance, which can help with much of the necessary configuration:

When the servers DNS and network settings are correctly configured, all the necessary domain-related information is automatically detected.

Use the  Edit Settings link at the top of this page if any of the automatically detected settings need to be modified.

Joining the server to the Active Directory domain then requires entering the username and password for a domain administrator account. Click the  Join Domain button to complete the process.

Once the domain has been joined, the status is available on the Active Directory Services page.

Amigopod 3.7 | Deployment Guide RADIUS Services | 89

Testing Active Directory User Authentication To verify that the domain has been joined successfully, click the Test Authentication command link on the RADIUS > Authentication > Active Directory page.

Provide a username and password for a user in the domain to verify that authentication is working.

The following options are available in the Authentication drop-down list:

MS-CHAPv2 Encrypted password Use this option to encrypt the users password using the MS- CHAPv2 authentication method and verify it with the server. A successful authentication using this method can only be performed when the Amigopod Visitor Management Appliance has joined the domain.

Plain text password Use this option to perform a plain-text verification of the users password.

Configuring Active Directory Domain Authentication After joining the domain, an additional step is required in order to perform user authentication.

The username and password of a domain user is required to perform an LDAP bind to the Active Directory domain controller, so that LDAP search operations can be performed for other user accounts in the directory. The credentials provided do not need to be those of a domain administrator; a restricted user account may be provided here. Only user lookup operations are performed with this user account.

To provide the domain credentials that will be used when authenticating via LDAP, click the  Configure

Active Directory authentication link on the RADIUS > Active Directory Services page .

90 | RADIUS Services Amigopod 3.7 | Deployment Guide

Leaving an Active Directory Domain To remove the server from the domain, click the Leave Domain command link on the RADIUS >

Authentication > Active Directory page .

As with joining the domain, the credentials for a domain administrator are required to perform this operation.

Provide these credentials in the Leave Active Directory Domain form and click the  Leave Domain button.

External Authentication Servers Many networks have more than one place where user credentials are stored. Networks that have different types of users, geographically separate systems, or networks created by integrating different types of systems are all situations where user account information can be spread across several places.

However, network access equipment is often shared between all of these users. This requires that different authentication sources be integrated for use by the network infrastructure.

The Amigopod RADIUS server supports multiple external authentication servers, allowing user accounts from different places to be authenticated using a common industry-standard interface (RADIUS requests).

Use the Authentication command link on the RADIUS page to create and manage authentication servers, and to modify system settings related to user authentication.

To perform certain types of user authentication, such as using the MS-CHAPv2 protocol to verify a username and password, the RADIUS server must first be joined to an Active Directory domain. See Active Directory Domain Services for more information.

Types of External Authentication Server An authentication server may be one of five types:

 Local user database User accounts defined in Amigopod Guest Manager.

Amigopod 3.7 | Deployment Guide RADIUS Services | 91

 Microsoft Active Directory User accounts defined in a forest or domain and authenticated by the domain controller. Both user and machine accounts may be authenticated. Additionally, support is provided for authenticating users with a supplied username of either DOMAIN\user or user.

 LDAP server (Lightweight Directory Access Protocol) User accounts stored in a directory.

Proxy RADIUS server User accounts authenticated by another RADIUS server.

Local Certificate AuthorityThe client provides their own local certificate authority to issue private certificates for users within its organization. Visitor accounts are authenticated through EAP- TLS, and the authorization method can be configured.

Managing External Authentication Servers To view the list of external RADIUS authentication servers and create, edit, enable or disable, delete, test, view user roles or configure EAP for them, go to RADIUS > Authentication > Authentication Servers.

The RADIUS Authentication Servers page lists all available sources that may be used for authentication.

Changing the properties of an authentication server requires restarting the RADIUS server. When this is necessary, a link is displayed at the top of the page.

The Test Authentication option for a server may be used to check the connection to an authentication server, or verify the authorization rules that have been configured. For Local Certificate Authority external authentication servers, additional testing options are included to simulate EAP-TLS authentication with a client certificate.

For information on editing an external authentication server, see Configuring Properties for External Authentication Servers .

For information on testing an external authentication server, see Testing External Authentication Servers.

Configuring Properties for External Authentication Servers To configure the settings for an external authentication server, click the servers Edit link on the RADIUS Authentication Servers page. The servers row expands to include the Edit Authentication Server form.

92 | RADIUS Services Amigopod 3.7 | Deployment Guide

The top part of the form contains basic properties for the external authentication server.

The middle part of the form differs depending on the type of authentication being performed:

Active Directory Authentication Server See Configuring an Active Directory External Authentication Server

LDAP Authentication Server See Configuring an LDAP External Authentication Server

Proxy RADIUS Authentication Server See Configuring a Proxy RADIUS External Authentication Server

Local Certificate Authority Authentication Server See Configuring a Local Certificate Authority External Authentication Server

The bottom part of the form controls the authorization settings for this server. See Configuring Authorization for External Authentication Servers in this chapter for details.

Configuring an Active Directory External Authentication Server

Microsoft Active Directory user accounts are defined in a forest or domain and authenticated by the domain controller. Both user and machine accounts may be authenticated. Additionally, support is provided for authenticating users with a supplied username of either DOMAIN\user or user. For more information on managing Active Directory domains, see Active Directory Domain Services.

For Active Directory external authentication servers, the following fields are displayed in the Edit Authentication Server form. Most of the settings for the authentication server are automatically detected when joining the domain; however, a Bind Identity (username) and Bind Password are required in order to authenticate users against the directory

Amigopod 3.7 | Deployment Guide RADIUS Services | 93

94 | RADIUS Services Amigopod 3.7 | Deployment Guide

To authorize all users in Active Directory, regardless of the individual user account settings for remote access permission, use the following settings:

access_attr = nonexistentAttribute

access_attr_used_for_allow = no

Additional details about the precise operation of these parameters are as follows:

If access_attr_used_for_allow is yes, then the access_attr attribute is checked for existence in the user object.

If the attribute exists and is not set to FALSE, the user is permitted access.

If the attribute exists and is set to FALSE, the user is denied access.

If the attribute does not exist, the user is denied access.

If access_attr_used_for_allow is no, then the access_attr attribute is checked for existence in the user object.

If the attribute exists, the user is denied access.

If the attribute does not exist, the user is permitted access.

ldap_connections_number = 5

The number of concurrent connections to make to the LDAP server.

timeout = 4

The default settings for the access_attr and access_attr_used_for_allow settings mean that only users with the Remote Access Permission selected above will be authorized.

Amigopod 3.7 | Deployment Guide RADIUS Services | 95

The number of seconds to wait for the LDAP query to finish.

timelimit = 3

The number of seconds the LDAP server has to process the query (server-side time limit).

net_timeout = 1

The number of seconds to wait for a response from the LDAP server (network failures).

use_mppe = yes

If this option is set to yes, MS-CHAP authentication will return the RADIUS attribute MS-CHAP-MPPE- Keys for MS-CHAPv1, and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.

require_encryption = yes

If use_mppe is enabled, require_encryption makes encryption moderate.

require_strong = yes

require_strong always requires 128 bit encryption.

with_ntdomain_hack = yes

Windows sends the RADIUS server a username in the form of DOMAIN\user, but sends the challenge response based on only the user portion. Enable this option to handle this behavior correctly.

ntlm_auth_domain = domain name

Domain name to provide when performing an NTLM authentication; this is only required in certain circumstancesfor example, authentication of users in a network using multiple domains and RADIUS servers.

For additional settings, See LDAP Module Configuration in the Reference chapter. The LDAP module options that are described here. Note that to set an advanced option for an Active Directory external authentication server, specify the LDAP module option name without the ldap. prefix.

Configuring an LDAP External Authentication Server

For LDAP external authentication servers, the following fields are displayed in the Edit Authentication Server form.

96 | RADIUS Services Amigopod 3.7 | Deployment Guide

LDAP Server and Port Number the hostname or IP address of the LDAP server, with the corresponding port number of the LDAP service.

Security select from one of these options:

Automatic based on port number LDAP connections to port 636 are encrypted using TLS, while all other port numbers use an unencrypted LDAP connection.

Use Start TLS operation to upgrade to a secure connection this option, when it is supported by the LDAP server, allows a standard LDAP connection on port 389 to be upgraded to a connection supporting TLS.

Use TLS to connect securely enforce a TLS connection regardless of the port number, and never perform unencrypted LDAP.

Certificate Check displayed when one of the TLS security options is selected. See Managing Certificates for External Authentication Servers in this chapter for information about installing digital certificates for external authentication servers. The certificate verification options that may be selected are:

Do not request or verify the servers certificate perform no verification of the servers identity.

Request the servers certificate but do not verify it check the servers identity, but do not fail authentications if the servers identity cannot be verified.

Require a valid server certificate (recommended) check the servers identity, and fail authentications if the servers identity cannot be verified.

Bind Identity and Bind Password credentials used to bind to the directory.

Base DN the LDAP distinguished name of the root of the search tree. This is typically a users container within the directory, but may be different depending on the directorys schema.

Username Attribute the LDAP attribute that corresponds to the username. A filter expression is built that matches the value of the RADIUS Access-Requests User-Name attribute with this attribute value in the directory.

Amigopod 3.7 | Deployment Guide RADIUS Services | 97

LDAP Filter an optional LDAP filter expression that may be used to restrict the matching, over and above the standard filtering applied by usernames. For example, specifying the expression (objectClass=user) will ensure that only LDAP objects with the specified type will be matched.

Advanced Options additional options controlling authentication against the directory. For information about additional LDAP configuration options, including enabling Novell eDirectory support, see LDAP Module Configuration in the Reference chapter.

The following advanced options may be required in several common situations and are documented below:

ldap_opt_referrals = yes

If set to yes, the directory may provide an LDAP referral from the directory to answer the request. This option must be set to no if you are contacting an Active Directory LDAP server.

access_attr_used_for_allow = yes

access_attr = empty

To configure the authorization method for an LDAP external authentication server, see Configuring Authorization for External Authentication Servers.

See Configuring Properties for External Authentication Servers for a description of properties in this chapter.

For additional settings, refer to the LDAP module options. See LDAP Module Configuration in the Reference chapter. Note that to set an advanced option for an LDAP external authentication server, specify the LDAP module option name without the ldap. prefix.

Configuring a Proxy RADIUS External Authentication Server

For Proxy RADIUS external authentication servers, the following fields are displayed in the Edit Authentication Server form.

RADIUS Server and Port Number the hostname or IP address of the RADIUS server, with the corresponding port number of the RADIUS authentication service (typically 1812, but can also be 1645).

Shared Secret the shared secret used by the Amigopod Visitor Management Appliance as a client of the proxy RADIUS server.

Advanced Options additional options controlling authentication against the proxy server. No advanced options are currently defined.

To configure the authorization method for a Proxy RADIUS external authentication server, see Configuring Authorization for External Authentication Servers.

Configuring a Local Certificate Authority External Authentication Server

For Local Certificate Authority authentication servers, the following fields are displayed in the Edit Authentication Server form.

98 | RADIUS Services Amigopod 3.7 | Deployment Guide

1. In the Name field, enter a name to uniquely identify this server.

2. (Optional) You can use the Description field to include additional information.

3. (Optional) To enable RADIUS authentication for this server, mark the check box in the Enabled row.

4. In the Rank row, enter a number to specify the ranking order for this server. Authentication servers are checked in order of increasing rank.

5. Under the Authorization heading, choose an authorization method from the Method drop-down list. Method options available for Local Certificate Authority servers are:

No authorization - Authenticate only

Use the common name of the certificate to match a local user account

Assign a fixed user role (Contractor, Employee, or Guest)

Use PHP code to assign a user role

For information about these authorization methods, see Configuring Authorization for External Authentication Servers.

The Test Authentication form for Local Certificate Authority servers includes EAP-TLS settings. For information on testing a Local Certificate Authority authentication server, see Testing External Authentication Servers.

For Local Certificate Authority authentication servers, the RADIUS Authentication Server form also includes a link to the Extensible Authentication Protocol Configuration page, where you can manage EAP configuration settings and view certificate information for the server. See EAP and 802.1X Authentication in this chapter.

Configuring Authorization for External Authentication Servers The level of authorized access an authenticated user can have is controlled by the external authentication servers authorization method. To configure a servers authorization method, use the options under the Authorization heading of the RADIUS servers Edit Authentication form.

For more information about authorization methods, including examples, see About Authorization Methods in External Authentication Servers in this chapter.

Amigopod 3.7 | Deployment Guide RADIUS Services | 99

No authorizationAuthenticate only may be used to remove all RADIUS attributes not related to authentication

.

The RADIUS server will return an Access-Accept or Access-Reject message indicating the result of the authentication attempt.

Use the common name of the client certificate to match a local user account may be specified for users authenticated via EAP-TLS on a clients local certificate server.

The RADIUS server will return an Access-Accept or Access-Reject message indicating the result of the authentication attempt.

Use attributes from Proxy RADIUS server may be used with a Proxy RADIUS external authentication server.

The RADIUS server passes through the Access-Accept or Access-Reject message from the proxy server, as well as all RADIUS attributes returned by the proxy server.

Use this option when authorization is performed entirely by the proxy RADIUS server.

Assign a fixed user role may be used to map all users authenticated by an external authentication server into a single RADIUS user role.

The RADIUS server will return an Access-Reject message if the user authentication fails.

If the authentication is successful, the user is authorized using the specified role. The RADIUS server will return an Access-Reject message if the authorization fails.

The RADIUS server will return an Access-Accept message that includes the corresponding attributes from the user role if the authentication and authorization steps are both successful.

Use PHP code to assign a user role (Advanced) may be used to control the mapping between the user account returned by an external authentication server and the RADIUS user role.

The RADIUS server will return an Access-Reject message if the user authentication fails.

100 | RADIUS Services Amigopod 3.7 | Deployment Guide

If the authentication is successful, the authorization code is evaluated. The user object returned from the external authentication server is available as the variable $user.

The PHP code should return one of the following values:

The ID of a user role (that is, an integer value) to assign that role to the external user.

NULL to indicate no role (that is, authentication only).

FALSE or a standard result type such as array('error' => 1, 'message' => 'description of failure') to indicate an authorization failure

Authorization of the user then continues using the specified role ID. The RADIUS server will return an Access-Reject message if the authorization fails.

The RADIUS server will return an Access-Accept message that includes the corresponding attributes from the user role if the authentication and authorization steps are both successful.

Click the  Save Changes button to complete the creation or modification of the external authentication server.

About Authorization Methods in External Authentication Servers

The level of authorized access an authenticated user can have is controlled by the external authentication servers authorization method.

There are two aspects to user authorization:

Is the user allowed? Yes/no decisions can be made in the context of authorization. Examples: user account not enabled; user account expired; user account exceeded a traffic quota within a certain time window.

What are the users permitted limits? These are not yes/no decisions, but might involve a calculation based on previous usage (for example, via the accounting-based authorization functions), or based on properties of a user account (for example, maximum session lifetime is based on the expiration time for the account)

Each servers authorization method can be configured. The authorization methods available vary according to the type of authentication server:

No authorization Authenticate only may be used to provide a basic user authentication service. The RADIUS server will respond with an Access-Accept or Access-Reject for the authentication attempt. Only RADIUS attributes directly related to user authentication will be returned; all other attributes will be ignored.

Use role assigned to local user is the only authorization method available for the local user database. If the users authentication attempt is successful, the RADIUS server will respond with an Access-Accept message that includes the RADIUS attributes defined for the users role.

Use the common name of the client certificate to match a local user account may be specified for users authenticated via EAP-TLS on a clients local certificate server.

Use attributes from Proxy RADIUS server is an authorization method available only for Proxy RADIUS servers. The RADIUS attributes returned by the external RADIUS server are returned unmodified.

Assign a fixed user role may be used to assign all authenticated users to a particular user role. If the users authentication attempt is successful, the RADIUS server will respond with an Access-Accept message that includes the RADIUS attributes defined for the fixed role that has been selected for this authentication server.

You will be prompted to restart the RADIUS server after making configuration changes affecting external authentication.

Amigopod 3.7 | Deployment Guide RADIUS Services | 101

Use PHP code to assign a user role (Advanced) may be selected to return a role ID for users authenticated via EAP-TLS on a clients local certificate server. The PHP authorization code is entered on the Edit Authentication Server form.

The RADIUS Authentication diagnostic can be used to demonstrate the difference between the various authorization methods.

To use the diagnostic, navigate to RADIUS Services > Server Control and click the Test RADIUS

Authentication command link. Enter the username and password for a user that is externally authenticated.

Click the Run button to perform RADIUS authentication and display the results:

With authorization method No authorization Authenticate only:

Sending Access-Request of id 165 to 127.0.0.1 port 1812

User-Name = "demouser"

User-Password = "XXXXXXXX"

rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=165, length=20

Note that in this case, no RADIUS attributes are returned. The Access-Accept or Access-Reject result indicates whether the user was successfully authenticated.

With authorization method Assign a fixed user role:

Sending Access-Request of id 122 to 127.0.0.1 port 1812

User-Name = "demouser"

User-Password = "XXXXXXXX"

rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=122, length=27

Reply-Message = "Guest"

Note that in this case, the RADIUS attribute returned (Reply-Message) corresponds to the user role selected.

With authorization method Use PHP code to assign a user role (Advanced) more complex authorization rules can be implemented to specify which role to assign to an authenticated user. Authorization can use any of the available properties of the user account, as well as taking into account other factors such as the time of day, previous usage, and more.

102 | RADIUS Services Amigopod 3.7 | Deployment Guide

Advanced Authorization Example 1

This example covers the case where a domain contains several organizational units (OUs), and the users in each OU are to be mapped to a specific RADIUS role ID.

For example, to implement the following configuration:

OU East should be mapped to RADIUS role ID 4

OU Central should be mapped to RADIUS role ID 5

OU West should be mapped to RADIUS role ID 6

Make sure the following configuration is set:

1. First, ensure that the Base DN for the authentication server is set to the root of the domain for example: DC=Amigopod,DC=local rather than the users container. This is necessary as the organizational units are located below the top level of the directory and cannot be searched from the CN=Users container.

2. Select the authorization method Use PHP code to assign a user role (Advanced) and use the following code:

if (stripos($user['distinguishedname'],'OU=East')!== false) return 4;

if (stripos($user['distinguishedname'],'OU=Central')!== false) return 5;

if (stripos($user['distinguishedname'],'OU=West')!== false) return 6;

return false;

Explanation: During user authorization, the distinguished name of the user (which will contain the users OU) is checked against the defined rules, and an appropriate role ID is returned. If no match is found, false is returned, which means that authorization fails and the users Access-Request will be rejected. Information on the stripos function for case-insensitive substring matching can be found at stripos().

Advanced Authorization Example 2

This example covers the case where users are assigned group memberships, and users in a particular group are to be mapped to a specific RADIUS role ID.

For example, to implement the following configuration:

Members of the Domain Admins group should be mapped to RADIUS role ID 4

Members of the Users group should be mapped to RADIUS role ID 5

All other users should be rejected

Select the authorization method Use PHP code to assign a user role (Advanced) and use the following code:

if (in_array('CN=Domain Admins,CN=Users,DC=Amigopod,DC=local', $user['memberof'])) return 4;

if (in_array('CN=Users,CN=Builtin,DC=Amigopod,DC=local', $user['memberof'])) return 5;

return false;

Explanation: During user authorization, the memberOf attribute of the user (which will contain a list of the groups to which the user belongs) is checked against the defined rules, and an appropriate role ID is

To determine the appropriate role ID, navigate to RADIUS Services > User Roles and check the ID column for the appropriate role.

To determine the appropriate role ID, navigate to RADIUS Services > User Roles and check the ID column for the appropriate role.

Amigopod 3.7 | Deployment Guide RADIUS Services | 103

returned. If no match is found, false is returned, which means that authorization fails and the users Access- Request will be rejected.

The in_array() comparison is done in a case-sensitive manner. Be sure to use the correct case as returned by the LDAP query for the group name. Also note that the complete distinguished name (DN) for the group must be specified, as this is the value checked for in the array of values returned for the memberOf attribute.

The primary group of a user assigned in Active Directory cannot be checked in this way, as Active Directory does not return the primary group in the values of the memberOf attribute. You can build logic that uses the $user['primarygroupid'] property instead to work around this issue.

Testing External Authentication Servers The Test Authentication option for a server may be used to check the connection to an authentication server, or verify the authorization rules that have been configured. To test an authentication server, click its Test Authentication link on the Edit Authentication Server form. The servers row expands to include the Test Authentication form.

1. In the Test Username and Test Password fields, enter the information for a users credentials stored on the server.

2. (Optional) To view additional detailsfor example, authentication rules, or account status or permitted limitsmark the Show detailed authorization info check box in the Advanced row.

3. Click the Run Test button. A progress bar is shown during the test, and results are displayed below the Test Authentication form.

Testing a Local Certificate Authority External Authentication Server

For Local Certificate Authority external authentication servers, additional testing options are included to simulate EAP-TLS authentication with a client certificate.

104 | RADIUS Services Amigopod 3.7 | Deployment Guide

1. To specify the network layer to test against, mark the radio button in the Mode row for either the local RADIUS server or a remote RADIUS server.

2. To indicate the value for the User-Name field for outer authentication in the RADIUS access request, mark one of the radio buttons in the Identity row. You can use either the clients local certificates common name or another value.

3. (Optional) You may enter a value in the MAC Address field for the Calling-Station-Id attribute.

4. In the TLS Identity drop-down list, choose the format of the TLS client certificate. The rest of the options available in the Inner Authentication area of the form depend on the TLS Identity selected. To provide details for the selected TLS identity, do one of the following:

If you selected PKCS#12 container with certificate and key (.p12, .pfx) for the TLS identity:

1. In the PKCS#12 row, browse to the file in your system that contains both the client certificate and the clients private key. When this file is uploaded, if a CA certificate is also included, it is used to verify the servers identity.

2. (Optional) In the Passphrase row, you may enter the passphrase for the clients private key.

3. (Optional) To provide a file containing a CA certificate for verifying the servers identity, you can use the Certificate Authority row to browse to the file.

If you selected Separate certificate and key files (.pem, .cer, .crt ) for the TLS identity:

1. In the PKCS#12 row, browse to the file in your system that contains both the client certificate and the clients private key. When this file is uploaded, if a CA certificate is also included, it is used to verify the servers identity.

2. In the Client Certificate row, browse to the file containing the client certificate. This must be a base-64 encoded (PEM) or binary encoded (DER) certificate.

Amigopod 3.7 | Deployment Guide RADIUS Services | 105

3. In the Client Private Key row, browse to the file containing the clients private key. This must be a base-64 encoded (PEM) or binary encoded (DER) private key file.

4. (Optional) In the Passphrase row, you may enter the passphrase for the clients private key.

5. (Optional) To provide a file containing a CA certificate for verifying the servers identity, you can use the Certificate Authority row to browse to the file.

If you selected Copy and paste as text for the TLS identity:

1. In the PKCS#12 row, browse to the file in your system that contains both the client certificate and the clients private key. When this file is uploaded, if a CA certificate is also included, it is used to verify the servers identity.

2. In the Client Certificate row, copy and paste the client certificate. This block of encoded text must include the lines BEGIN CERTIFICATE and END CERTIFICATE.

3. In the Client Private Key row, copy and paste the clients private key. This block of encoded text must include the lines BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY.

4. (Optional) In the Passphrase row, you may enter the passphrase for the clients private key.

5. (Optional) To provide a file containing a CA certificate for verifying the servers identity, you can use the Certificate Authority row to browse to the file.

When you have completed the fields for the network settings, outer authentication, and inner authentication, click the Run Test button.

Managing Certificates for External Authentication Servers Use the Certificates command link on the RADIUS > Authentication page to manage the list of trusted certificates used to identify external authentication servers.

External authentication servers may be configured to use a TLS (Transport Layer Security) connection. For example, LDAP connections on port 636 use TLS (SSL) to provide a secure connection.

TLS connections offer two kinds of security guarantees: privacy (meaning that the content of communications cannot be intercepted or modified), and authentication (meaning that the identity of the server can be verified).

The public key infrastructure (PKI) required to provide these guarantees is based on the X.509 standard for digital certificates.

To verify the identity of an authentication server, use the RADIUS Certificates list view to install one or more digital certificates for a certificate authority (CA). These certificates will be trusted for the purposes of identifying a remote server.

When a TLS connection to an authentication server is established, the authentication server must identify itself with a certificate issued by one of the trusted certificate authorities. If the authentication servers identity cannot be established, the connection will fail.

106 | RADIUS Services Amigopod 3.7 | Deployment Guide

The list displays the certificates that have been installed. By default, the list is empty.

After selecting a certificate in the list, the following actions are available:

 Show Details display information about the certificate, including its unique fingerprint identifier and technical information about the certificate.

 Export Certificate download the certificate in one of several different formats (PKCS#7, base-64 encoded, binary X.509, or plain text).

 Delete remove the certificate so that it will no longer be used for trust purposes.

To import a new certificate, click the  Import Certificate tab. Use the Import Certificate form to specify a certificate file to upload.

The supported formats for digital certificates are:

Binary X.509 certificate also known as ASN.1 or DER format. Certificates in this format typically have the file extension .cer or .crt.

Base-64 encoded also known as PEM format. Certificates in this format typically have the file extension .cer, .cert or .pem.

PKCS#7 container multiple certificates may be included in these containers. Certificates in this format typically have the file extension .p7b.

Amigopod 3.7 | Deployment Guide RADIUS Services | 107

108 | RADIUS Services Amigopod 3.7 | Deployment Guide

Amigopod 3.7 | Deployment Guide

Chapter 5

Operator Logins

An operator is a companys staff member who is able to log in to the Amigopod Visitor Management Appliance. Different operators may have different roles that can be specified with an operator profile; these profiles could be to administer the Amigopod network, manage guests or run reports.

Operators may be defined locally on the Amigopod Visitor Management Appliance, or externally in an LDAP directory server.

Accessing Operator Logins The Operator Logins management is located within the Administrator section of the Amigopod Visitor Management Appliance.

Use the Operator Logins command link on the Administrator start page to access the Operator Logins features.

Alternatively, use the Administrator navigation menu to jump directly to any of the features within Operator Logins.

About Operator Logins The Amigopod Visitor Management Appliance supports role-based access control through the use of operator profiles. Each operator using the Amigopod is assigned a profile which determines the actions that the operator may perform, as well as global settings such as the look and feel of the user interface.

Your profile may only allow you to create guest accounts, or your profile might allow you to create guest accounts as well as print reports. What your profile permits is determined by the network administrator.

Two types of operator logins are supported: local operators and operators who are defined externally in your companys directory server. Both types of operators use the same login screen.

Role-Based Access Control for Multiple Operator Profiles Using the operator profile editor, the forms and views used in the application may be customized for a specific operator profile, which enables advanced behaviors to be implemented as part of the role-based access control model.

This process is shown in the figure below.

Operator Logins | 109

See About Operator Logins in this chapter for details on configuring different forms and views for operator profiles.

Operator Profiles An operator profile determines what actions an operator is permitted to take when using the Amigopod Visitor Management Appliance.

Some of the settings in an operator profile may be overridden in a specific operators account settings. These customized settings will take precedence over the default values defined in the operator profile.

Click the Manage Operator Profiles command link on the Administrator > Operator Logins page to define new operator profiles, and to make changes to existing operator profiles.

Creating an Operator Profile Click the  Create Operator Profile link to create a new operator profile.

The Operator Profile Editor form is displayed. This form has several sections, which are described in more detail below.

110 | Operator Logins Amigopod 3.7 | Deployment Guide

The fields in the first area of the form identify the operator profile and capture any optional information:

1. You must enter a name for this profile in the Name field.

2. (Optional) You may enter additional information about the profile in the Description field.

The fields in the second area of the form define permissions for the operator profile:

1. To disable a profile, unmark the Allow Operator Logins check box in the Enabled row. If a profile is disabled, any operators with that profile will be unable to log in to the system. This may be useful when performing system maintenance tasks.

2. In the Password Options row, you may keep the default setting or choose an option from the drop- down list. Password options are as follows:

Allow operators to change their password Enables the Change Password link in the navigation, which allows an operator to change their password. This is the default setting.

Prevent operators from changing their password The password cannot be changed by the operator. Use this option if a single operator login will be shared by several people.

Force a password change on their next login The operator will be prompted to change their password the next time they log in to the application.

Force a password change on their first login The operator will be prompted to change their password the first time they log in to the application.

3. In the Privileges area, use the drop-down lists to select the appropriate permissions for this operator profile. For each permission, you may grant No Access, Read Only Access, Full Access, or Custom

Amigopod 3.7 | Deployment Guide Operator Logins | 111

access. The default in all cases is No Access. This means that you must select the appropriate privileges in order for the profile to work. See Operator Profile Privileges in this chapter for details about the available access levels for each privilege.

If you choose the Custom setting for an item, the form expands to include additional privileges specific to that item.

Figure 13 Operator Profile Editor pageUser roles and filters

4. The User Roles list allows you to specify which user databases and roles the operator will be able to access. If one or more roles are selected, then only those roles will be available for the operator to select from when creating a new guest account. The guest account list is also filtered to show only guest accounts with these roles.

If a database is selected in the User Roles list, but no roles within that database are selected, then all roles defined in the database will be available. This is the default option.

5. The Operator Filter may be set to limit the types of accounts that can be viewed by operators. Options include: default, no operator filter, only show accounts created by the operator, and only show accounts created by operators within their profile.

6. The User Account Filter and Session Filter fields are optional, and allow you to create and configure these filtering options:

The User Account Filter field lets you create a persistent filter applied to the user account list. For example, this feature is useful in large deployments where an operator only wants to have a filtered view of some accounts. To create an account filter, enter a comma-delimited list of field-value pairs. Supported operators are described below.

The Session Filter field lets you create a filter for only that session. To create a session filter, enter a comma-delimited list of field-value pairs. Supported operators are described below.

The user can enter a simple substring to match a portion of the username or any other fields that are configured for search, and may include the following operators:

112 | Operator Logins Amigopod 3.7 | Deployment Guide

7. In the Account Limit row, you can enter a number to specify the maximum number of accounts an operator can create. Note that disabled accounts are included in the account limit. To set no limit, leave the Account Limit field blank.

The fields in the third area of the form determine elements of the applications visual appearance and behavior that operators with this profile will see. The Skin, Start Page, Language, and Time Zone options specify the defaults to use for operators with this profile. Individual operator logins may have different settings, which will be used instead of the values specified in the operator profile. For information on specifying options at the individual operator level, see Local Operator Authentication in this chapter.

1. (Optional) In the Skin row, the Default setting indicates that the skin plugin currently marked as enabled in the Plugin Manager will be used. To have a different skin displayed for users with this operator profile, choose one of the available skins from the drop-down list. For more information on skins, see Configuring the Amigopod Skin Plugin in the Administrator Tasks chapter.

2. (Optional) In the Start Page row, the Default setting indicates that the applications standard Home page will be the first page displayed after login. To have a different start page displayed to users with this operator profile, choose a page from the drop-down list. For example, if a profile is designed for users who do only certain tasks, you might want the application to open at the module where those tasks are performed.

3. (Optional) In the Language row, the default setting is Auto-detect. This lets the application determine the operators language preference from their local system settings. To specify a particular language to use in Amigopod, choose the language from the drop-down list.

Table 10 Operators supported in filters

Operator Meaning Additional Information

= is equal to You may search for multiple values when using the equality (=) or inequality !=) operators. To specify multiple values, list them separated by the pipe character ( | ).

For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the user accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".

!= is not equal to

> is greater than

>= is greater than or equal to

< is less than

<= is less than or equal to

~ matches the regular expression

!~ does not match the regular expression

Amigopod 3.7 | Deployment Guide Operator Logins | 113

4. (Optional) In the Time Zone row, the Default setting indicates that the operators time zone will default to the systems currently configured time zone. You can use the drop-down list to specify a particular time zone.

Figure 14 Operator Profile Editor pageCustom forms and views

5. (Optional) In the Customization row, to specify that an operator profile should use a different form when creating a new visitor account, select the Override the applications forms and views check box. The form expands to show the forms and views that can be modified. If alternative forms or views have been created, you may use the drop-down lists to specify which ones to use.

6. Click the  Save Changes button to complete the creation of an operator profile.

Operator Profile Privileges The privilege selections available for an operator profile provide you with control over the functionality that is available to operators.

No Access means that the operator has no access to this area of the Amigopod system and therefore the options will not appear on the menu.

114 | Operator Logins Amigopod 3.7 | Deployment Guide

Read Only Access means that the operator can see the options available but is unable to make any changes to them.

Full Access means that all the options are available to be used by the operator.

Custom access allows you to choose individual permissions within each group. For example, Guest Manager allows you to control access to the following areas:

Active sessions management

Viewing historical data for active sessions

Changing expiration time of guest accounts

Creating multiple guest accounts

Creating new guest accounts

Editing multiple guest accounts

Exporting guest account data

Full user control of guest accounts

Importing guest accounts

Listing guest accounts

Managing customization of guest accounts

Managing print templates

Removing or disabling guest accounts

Resetting guest passwords

Refer to the description of each individual operator privilege to determine what the effects of granting that permission will be.

Managing Operator Profiles Once a profile has been created you are able to view, to edit and to create new profiles. When you click an operator profile entry in the Operator Profiles list, a menu appears that allows you to perform any of the following operations:

View/Hide Details displays or hides configuration details for the selected operator profile, including the profile name, description, operator login access, and the settings for the defined skin, start page, language and time zone.

Edit changes the properties of the specified operator profile

 Delete removes the operator profile from the Operator Profiles list

Duplicate creates a copy of an operator profile

Create Operator opens the Create Operator Login form, allowing you to create a new operator login associated with the selected operator profile.

Show Operators shows a list of operator login names associated with that operator profile

Show Usage opens a window in the Operator Profiles list that shows if the profile is in use, and lists any LDAP authentication servers, LDAP translation rules and operator logins associated with that profile. Each entry in this window appears as a link to the form that lets you edit that LDAP or operator login setting.

Local Operator Authentication Local operators are those defined on the Amigopod Visitor Management Appliance.

Amigopod 3.7 | Deployment Guide Operator Logins | 115

Creating a New Operator Once you have a profile you can create an operator to use that profile.

Any properties for the operator login that are set to (Default) are taken from the operator profile. The Operator Filter field lets you select from three other options besides Default:

No operator filterAll guest accounts display.

Only show accounts created by the operatorOnly guest accounts created by the operator display.

116 | Operator Logins Amigopod 3.7 | Deployment Guide

Only show accounts by operators created within their profileOnly guest accounts created by all operators within a profile display.

The User Account Filter and Session Filter fields are optional, and allow you to create and configure these filtering options:

The User Account Filter lets you create a filter for the user account list that cannot be overridden by the operator. This filter is designated by role and is persistent. For example, this feature is useful in large deployments where an administrator wants the operators to only have a filtered view of some accounts. To create an account filter, enter a comma-delimited list of field-value pairs. Supported operators are described below.

The Session Filter field lets you create a filter that cannot be overridden by the operator for only that session. To create a session filter, enter a comma-delimited list of field-value pairs. Supported operators are described below.

The user can enter a simple substring to match a portion of the username or any other fields that are configured for search, and may include the following operators:

The Account Limit field lets you set a limit for the number of accounts that an operator can create. Note that disabled accounts are included in the account limit. Leave the Account Limit field blank to use the Operator profiles account limit setting.

Once all the fields have been completed, click the  Create Operator Login button to finalize the creation of this operator login.

Viewing All Operator Logins You are able to view a list of operators using the List All Operator Logins command link.

Table 11 Operators supported in filters

Operator Meaning Additional Information

= is equal to You may search for multiple values when using the equality (=) or inequality !=) operators. To specify multiple values, list them separated by the pipe character ( | ).

For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the user accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".

!= is not equal to

> is greater than

>= is greater than or equal to

< is less than

<= is less than or equal to

~ matches the regular expression

!~ does not match the regular expression

Amigopod 3.7 | Deployment Guide Operator Logins | 117

When you click an operator login entry in the Operator Logins list, a menu appears that allows you to perform any of the following operations:

View/Hide Detailsdisplays or hides configuration details for the selected operator login.

Editopens the Edit Operator Login page for changing the properties of the specified operator login

Deleteremoves the operator login from the Operator Logins list

Disabletemporarily disables an operator login while retaining its entry in the Operator Logins list

Enablereenables a disabled operator login

Duplicatemakes a copy of the profile to use as a basis for a new profile

Edit Profileopens the operator profile editor, allowing you to edit the operator profile associated with the selected operator login name

Create Operatoropens the Create Operator Login page

Show Operatorsadds a list of the operators that have the selected profile, and shows username, description, and actions for each

Show Usageadds a list of the number of logins and operator servers currently using the selected profile

118 | Operator Logins Amigopod 3.7 | Deployment Guide

Changing Operator Passwords To change the password for an operator, edit the operator login and type a new password in the Operator Password and Confirm Password password fields. You may also want to select Force a password change on their next login under Password Options to allow the operator to select a new password.

Operators can change their own passwords by navigating to Home > Change Password, entering a new password into the Change Password form, then clicking the Set Password button to save your new password.

LDAP Operator Authentication Operators defined externally in your companys directory server form the second type of Amigopod operator. Authentication of the operator is performed using LDAP directory server operations. The attributes stored for an authenticated operator are used to determine what operator profile should be used for that user.

The Manage LDAP Server and the LDAP Translation Rules commands allow you to set up Amigopod operator logins integrated with a Microsoft Active Directory domain or another LDAP server.

Manage LDAP Servers Aruba Amigopod supports a flexible authentication mechanism that can be readily adapted to any LDAP servers method of authenticating users by name. There are built-in defaults for Microsoft Active Directory servers, POSIX-compliant directory servers and RADIUS servers.

When an operator attempts to log in to the Amigopod Visitor Management Appliance, each LDAP server that is enabled for authentication is checked, in order of priority from lowest to highest.

Once a server is found that can authenticate the operators identity (typically with a username and password), the LDAP server is queried for the attributes associated with the user account.

These LDAP attributes are then translated to Amigopod operator attributes using the rules defined in the LDAP translation rules. In particular, an Amigopod operator profile will be assigned to the authenticated user with this process, which controls what that user is permitted to do.

Creating an LDAP Server An LDAP server is created by navigating to the Administrator > Operator Logins > Servers window, then clicking the  Create a new LDAP server icon link. This opens the following window.

The operator management features, such as creating and editing operator logins, apply only to local operator logins defined in the Amigopod Visitor Management Appliance. You cannot create or edit operator logins using LDAP. Only authentication is supported.

Amigopod 3.7 | Deployment Guide Operator Logins | 119

Figure 15 Server Configuration page

To specify a basic LDAP server connection (hostname and optional port number), use a Server URL of the form ldap://hostname/ or ldap://hostname:port/. See Advanced LDAP URL Syntax in this chapter for more details about the types of LDAP URL you may specify.

Select the Enabled option if you want this server to authenticate operator logins.

120 | Operator Logins Amigopod 3.7 | Deployment Guide

This form allows you to specify the type of LDAP server your system will use. Click the Server Type drop- down list and select one of the following options:

Select the Enabled check box under Sponsor Lookups if you want to enable the validation of sponsor emails during self-registration. This option causes this server to look up sponsors during self-registration and double check the attribute used for emails on the LDAP server. This option requires that the sponsor_email and do_ldap_lookup fields are enabled in the registration form. This feature requires the LDAP Sponsor Lookup plugin. Use the Plugin Manager to verify that this plugin is available.

Table 12 Server Type Parameters

Server Type Required Configuration Parameters

Microsoft Active Directory Server URL: The URL of the LDAP server Bind DN: The password to use when binding to the LDAP server, or

empty for an anonymous bind. Bind Password: If your LDAP server does not use anonymous bind,

you must supply the required credentials to bind to the directory. (Leave this field blank to use an anonymous bind.)

Default Profile: The default operator profile to assign to operators authorized by this LDAP server.

POSIX Compliant: Server URL: The URL of the LDAP server Bind DN: The password to use when binding to the LDAP server, or

empty for an anonymous bind. Bind Password: The password to use when binding to the LDAP

server. Leave this field blank to use an anonymous bind. Base DN: The Distinguished Name to use for the LDAP search. Default Profile: The default operator profile to assign to operators

authorized by this LDAP server.

Custom Server URL: The URL of the LDAP server Bind DN: The password to use when binding to the LDAP server, or

empty for an anonymous bind. Bind Password: The password to use when binding to the LDAP

server. Leave this field blank to use an anonymous bind. Base DN: The Distinguished Name to use for the LDAP search. Unique ID: The name of an LDAP attribute used to match the

username. Filter: Additional LDAP filters to use to search for the server. Attributes: List of LDAP attributes to retreive. Or leave bland to

retrieve all attributes (default). Default Profile: The default operator profile to assign to operators

authorized by this LDAP server.

RADIUS RADIUS Server: The hostname or IP address of the RADIUS server. Port Number: The port number of the RADIUS authentication

service. Shared Secret: The shared secret for the RADIUS server. Authentication Method: The authentication method that supplies

the credentials. Default Profile: The default operator profile to assign to operators

authorized by this server.

Amigopod 3.7 | Deployment Guide Operator Logins | 121

Figure 16 LDAP Plugin

Once you have completed the form, check your settings by clicking the  Test Settings button. Use the Test Username and Test Password fields to supply a username and password for the authentication check. If the authentication is successful, the operator profile assigned to the username will be displayed. If the authentication fails, an error message will be displayed. See LDAP Operator Server Troubleshooting in this chapter for information about common error messages and troubleshooting steps to diagnose the problem.

Click the  Save Changes button to save this LDAP Server. If the server is marked as enabled, subsequent operator login attempts will use this server for authentication immediately.

Advanced LDAP URL Syntax For Microsoft Active Directory, the LDAP server connection will use a default distinguished name of the form dc=domain,dc=com, where the domain name components are taken from the bind username.

To specify a different organizational unit within the directory, include a distinguished name in the LDAP server URL, using a format such as:

ldap://192.168.88.1/ou=IT%20Services,ou=Departments,dc=Amigopod,dc=com

To specify a secure connection over SSL/TLS, use the prefix ldaps://.

To specify the use of LDAP v3, use the prefix ldap3://, or ldap3s:// if you are using LDAP v3 over SSL/TLS.

When Microsoft Active Directory is selected as the Server Type, LDAP v3 is automatically used.

An LDAP v3 URL has the format ldap://host:port/dn?attributes?scope?filter?extensions.

dn is the base X.500 distinguished name to use for the search.

attributes is often left empty.

scope may be base, one or sub.

filter is an LDAP filter string, for example, (objectclass=*)

extensions is an optional list of name=value pairs.

Refer to RFC 2255 for further details.

Viewing the LDAP Server List Once you have defined one or more LDAP servers, those servers will appear in the LDAP server list on the Administrator > Operator Logins > Servers page.

.

Select any of the LDAP servers in the list to display options to perform the following actions on the selected server:

 Editchanges the properties of an LDAP server

 Deleteremoves the server from the LDAP server list

 Duplicatecreates a copy of an LDAP server

 Disabletemporarily disables a server while retaining its entry the server list

Enablereenables a disabled LDAP server

Pingsends a ping message (echo request) to the LDAP server to verify connectivity between the LDAP server and the Amigopod console

Test Authadds a Test Operator Login area in the LDAP servers form that allows you to test authentication of operator login values.

Test Lookupadds a Test Operator Lookup form in the LDAP servers list that allows you to look up sponsor names. This option is only available if sponsor lookup has been enabled for the server on the Edit Authentication Server page.

LDAP Operator Server Troubleshooting You can use the LDAP Operator Servers list to troubleshoot network connectivity, operator authentication, and to look up operator usernames.

Testing Connectivity

To test network connectivity between an LDAP server and the Amigopod server, click the Ping link in the servers row. The results of the test appear below the server entry in the LDAP server table.

Testing Operator Login Authentication

1. To test authentication of operator login values, select a server name in the LDAP Server table, then click the Test Auth link. The Test Operator Login area is added to the page.

2. Enter an operator username and password for the LDAP Server.

3. (Optional) Click the Advanced check box to display detailed authorization information for the specified operator.

4. Click Log In to attempt to authenticate the LDAP server, or click Cancel to cancel the test. The Authentication Test area is added above the server names to indicate the tests progress.

Amigopod 3.7 | Deployment Guide Operator Logins | 123

You can also verify operator authentication when you create a new LDAP server configuration using the  Test Settings button on the LDAP Configuration form ( See Creating an LDAP Server in this chapter

for a description).

Looking Up Sponsor Names

This option is only available if sponsor lookup has been enabled for the server on the Edit Authentication Server page.

1. To look up a sponsor, select a server name in the LDAP Server table, then click the Test Lookup link. The Test Operator Lookup area is added to the LDAP servers list.

2. In the Lookup field, enter a lookup value. This can be an exact username, or you can include wildcards.If you use wildcards, the search might return multiple values.

3. In the Search Mode field, use the drop-down list to specify whether to search for an exact match or use wildcard values.

4. (Optional) Click the Advanced check box to display detailed authorization information for the specified sponsor.

5. Click Search Directory to attempt to find sponsor names that match the lookup values, or click Cancel to cancel the test. The Authentication Test area is added above the server names to indicate the searchs progress.

Troubleshooting Error Messages

The error messages in the following table can be used to diagnose error messages such as: LDAP Bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece), bind DN was:

Table 13 LDAP Error Messages

Error Data Reason

525 User not found

52e Invalid credentials (password is incorrect)

530 Not permitted to log on at this time

531 Not permitted to log on at this workstation

532 Password has expired

533 Account is disabled

701 Account has expired

124 | Operator Logins Amigopod 3.7 | Deployment Guide

Other items to consider when troubleshooting LDAP connection problems:

Verify that you are using the correct LDAP version use ldap:// for version 2 and ldap3:// to specify LDAP version 3.

Verify that you are using an SSL/TLS connection use ldaps:// or ldap3s:// as the prefix of the Server URL.

Verify that the Bind DN is correct the correct DN will depend on the structure of your directory, and is only required if the directory does not permit anonymous bind.

Verify that the Base DN is correct the Base DN for user searches is fixed and must be specified as part of the Server URL. If you need to search in different Base DNs to match different kinds of operators, then you should define multiple LDAP Servers and use the priority of each to control the order in which the directory searches are done.

LDAP Translation Rules LDAP translation rules specify how to determine operator profiles based on LDAP attributes for an authenticated operator.

Translation rules may be created by navigating to Administrator > Operator Logins > LDAP

Translation Rules then clicking the  Create new LDAP translation rule link.

773 User must reset password

775 User account is locked

Table 13 LDAP Error Messages (Continued)

Amigopod 3.7 | Deployment Guide Operator Logins | 125

To create a new LDAP translation rule:

1. In the Name field, enter a self-explanatory name for the translation rule. In the example above the translation rule is to check that the user is an Administrator, hence the name MatchAdmin.

2. Select the Enabled check box to enable this rule once you have created it. If you do not select this check box, the rule you create will appear in the rules list, but will not be active until you enable it.

3. Click the Matching rule drop-down list and select a rule. The Matching Rule field can be one of:

(blank) always matches

contains case-insensitive substring match anywhere in string

matches regular expression match, where the value is a Perl-compatible regular expression including delimiters (for example, to match the regular expression admin case-insensitively, use the value /admin/i; See Regular Expressions in the Reference chapter for more details about regular expressions)

equals case-insensitive string comparison, matches on equality

does not equal case-insensitive string comparison, matches on inequality

less than numerical value is less than the match value

greater than numerical value is greater than the match value

starts with case-insensitive substring match at start of string

ends with case-insensitive substring match at end of string

4. Select a Value. The Value field states what is to be matched, in this case CN=Administrators to look for a specific group of which the user is a member.

5. Click the On Match drop-down list and select the action the system should take when there is a match. Your options here are to:

Do nothing makes no changes.

Assign fixed operator profile assigns the selected Operator Profile to the operator

Assign attributes value to operator field uses the value of the attribute as the value for an operator field. This option can be used to store operator configuration details in the directory.

Assign custom value to operator field uses a template to assign a value to a specific operator field.

Apply custom processing evaluates a template that may perform custom processing on the LDAP operator.

Remove attribute from operator removes the selected LDAP attribute from the operator.

6. Click the Operator Profile drop-down list and select the profile to be assigned if there is a rule match. In the example shown above, if the Administrator group is matched, the Administrator profile is to be assigned.

7. Select the Fallthrough check box if you want to use multiple translation rules. When you create multiple rules, you can build a complete logical structure to perform any type of processing on the LDAP attributes available in your directory.

8. Click Save Changes to save your rule settings.

The Administrator > Operator Logins > LDAP Translation Rules window shows a list of all configured translation rules.

126 | Operator Logins Amigopod 3.7 | Deployment Guide

Translation rules are processed in order, until a matching rule is found that does not have the Fallthrough field set.

To edit the matching rule list, select an entry in the table to display a menu that lets you perform the following actions:

 Edit changes the configuration of matching rule.

 Delete removes matching rule from the list.

 Duplicate creates a duplicate copy of an existing rule

 Disable temporarily disables the rule without deleting it from the rule list.

Enable reenables a disabled operator login

 Move Up moves the rule up to a higher priority on the rule list

 Move Down moves the rule down to a lower priority on the rule list

Custom LDAP Translation Processing When matching an LDAP translation rule, custom processing may be performed using a template.

The template variables available are listed in the table below.

For a Smarty template syntax description, See Smarty Template Syntax in the Reference chapter. These may be used to make programmatic decisions based on the LDAP attribute values available at login time.

Table 14 Template Variables

Variable Description

$attr The name of the LDAP attribute that was matched.

$user Contains settings for the operator, including all LDAP attributes returned from the server.

Amigopod 3.7 | Deployment Guide Operator Logins | 127

For example, to permit non-administrator users to access the system only between the hours of 8am and 6pm, you could define the following LDAP translation rule.

The Custom rule is:

{strip} {if stripos($user.memberof, "CN=Administrators")!==false} 1 {elseif date('H') >= 8 && date('H') < 18} 1 {else} 0 {/if} {/strip}

Explanation: The rule will always match on the memberof attribute that contains the users list of groups. The operator field enabled will determine if the user is permitted to log in or not. The custom template uses the {strip} block function to remove any whitespace, which makes the contents of the template easier to understand. The {if} statement first checks for membership of the Administrators group using the PHP stripos() function for case-insensitive substring matching; if matched, the operator will be enabled. Otherwise, the servers current time is checked to see if it is after 8am and before 6pm; if so, the operator will be enabled. If neither condition has matched, the enabled field will be set to 0 and login will not be permitted.

128 | Operator Logins Amigopod 3.7 | Deployment Guide

Operator Logins Configuration You are able to configure a message on the login screen that will be displayed to all operators. This must be written in HTML. You may also use template code to further customize the appearance and behavior of the login screen.

Options related to operator passwords may also be specified, including the complexity requirements to enforce for operator passwords.

Navigate to Administrator > Operator Logins and click the Operator Logins Configuration command link to modify these configuration parameters.

Custom Login Message

If you are deploying the Amigopod Visitor Management Appliance in a multi-lingual environment, you can specify different login messages depending on the currently selected language.

The following example from the Amigopod demo site uses Danish (da), Spanish (es) and the default language English, as highlighted in bold:

{if $current_language == 'da'}

Indtast brugernavn og password for at
f adgang til Amigopod

Amigopod 3.7 | Deployment Guide Operator Logins | 129

Para entrar en el web demo de Amigopod,
necesitas un nombre y contrasea.

130 | Operator Logins Amigopod 3.7 | Deployment Guide

Advanced Operator Login Options

The following options are available in the Logging drop-down list:

No logging

Log only failed operator login attempts

Log only Web logins

Log only XMLRPC access

Log all access

Log messages for operator logins, whether successful or unsuccessful, are shown in the application log.

Automatic Logout

The Logout After option in the Advanced Options section lets you to configure an idle time, after which an operators session will be ended.

The value for Logout After should be specified in hours. You can use fractional numbers for values less than an hour; for example, use 0.25 to specify a 15 minute idle timeout.

Amigopod 3.7 | Deployment Guide Operator Logins | 131

132 | Operator Logins Amigopod 3.7 | Deployment Guide

Amigopod 3.7 | Deployment Guide

Chapter 6

Guest Management

The ability to easily create and manage guest accounts is the primary function of the Amigopod Visitor Management Appliance.

Guest Manager provides complete control over the user account creation process. Using the built-in customization editor you can customize fields, forms and views as well as the forms for guest self- registration.

Accessing Guest Manager Use the Guest Manager command link on the Amigopod Visitor Management Appliance home page to access the guest management features

Alternatively, use the Guest Manager navigation menu to jump directly to any of the features within Guest Manager.

About Guest Management Processes There are two major ways to manage guest access either by your operators provisioning guest accounts, or by the guests self-provisioning their own accounts. Both of these processes are described in the next sections.

Guest Management | 133

Sponsored Guest Access The following figure shows the process of sponsored guest access. See Figure 17.

Figure 17 Sponsored guest access with guest created by operator

The operator creates the guest accounts and generates a receipt for the account.

The guest logs on to the Network Access Server (NAS) using the credentials provided on her receipt. The NAS authenticates and authorizes the guests login using the Amigopod Visitor Management Appliance. Once authorized, the guest is able to access the network.

Self Provisioned Guest Access Self-provisioned access is similar to sponsored guest access, but there is no need for an operator to create the account or to print the receipt. See Figure 18.

Figure 18 Guest access when guest is self-provisioned

The guest logs on to the Network Access Server (NAS), which captures the guest and redirects them to a captive portal login page. From the login page, guests without an account can browse to the guest self- registration page, where the guest creates a new account. At the conclusion of the registration process, the guest is automatically redirected to the NAS to log in.

The guest can print or download a receipt, or have the receipt information sent to her by SMS or email.

The NAS performs authentication and authorization for the guest using the Amigopod Visitor Management Appliance. Once authorized, the guest is then able to access the network.

134 | Guest Management Amigopod 3.7 | Deployment Guide

See Customizing Self Provisioned Access in this chapter for details on creating and managing self- registration pages.

Standard Guest Management Features Guest Manager provides a complete set of features for managing guest accounts, including:

Creating single guest accounts

Creating multiple guest accounts

Listing guest accounts and editing individual accounts

Editing multiple accounts

Viewing and managing active sessions

Importing new accounts from a text file

Exporting a list of accounts

Viewing MAC devices

Creating new MAC devices

Customizing Guest Manager settings, forms, and views

Customizing guest self-registration

Creating and editing print templates

Creating a Guest Account The New Visitor Account form is used to create a new visitor account.

This form (create_user) may be customized by adding new fields, or modifying or removing the existing fields. See Customizing Self Provisioned Access in this chapter for details about the customization process. The default settings for this form are described below.

Amigopod 3.7 | Deployment Guide Guest Management | 135

To complete the form, first enter the visitors details into the Sponsors Name, Visitor Name, Company

Name and Email Address fields. The visitors email address will become their username to log into the network.

You can specify the account activation and expiration times. The visitor account cannot be used before the activation time, or after the expiration time.

The Account Role specifies what type of account the visitor should have.

A random password is created for each visitor account. This is displayed on this form, but will also be available on the guest account receipt.

You must tick the Terms of Use check box in order to create the visitor account.

Click the  Create Account button after completing the form.

Creating a Guest Account Receipt Once a guest account has been created, the details for that account are displayed.

136 | Guest Management Amigopod 3.7 | Deployment Guide

To print a receipt for the visitor, select an appropriate template from the  Open print window using

template list. A new Web browser window will open and the browsers Print dialog box will be displayed.

Click the  Send SMS receipt link to send a guest account receipt via text message. Use the SMS

Receipt form to enter the mobile telephone number to which the receipt should be sent.

Sending SMS receipts requires the SMS Services plugin. If the administrator has enabled automatic SMS, and the visitors phone number was typed into the New Visitor Account form, an SMS message will be sent automatically. A message is displayed on the account receipt page after an SMS message has been sent.

Click the  Send email receipt link to send an email copy of the guest account receipt. Use the Email Receipt form to enter the email address to which the receipt should be sent. You can also specify the subject line for the email message. If the administrator has enabled automatic email for guest account receipts, and the visitors email address was typed into the New Visitor Account form, an email receipt will be sent automatically. A message is displayed on the account receipt page after an email has been sent.

Creating Multiple Guest Accounts The Create Guest Accounts form is used to create a group of visitor accounts.

This form (create_multi) may be customized by adding new fields, or modifying or removing the existing fields. See Customizing Self Provisioned Access in this chapter for details about the customization process. The default settings for this form are described below.

Amigopod 3.7 | Deployment Guide Guest Management | 137

To complete the form, you must enter the number of visitor accounts you want to create.

A random password will be created for each visitor account. This is not displayed on this form, but will be available on the guest account receipt.

You can specify the account activation and expiration times. The visitor accounts cannot be used before the activation time, or after the expiration time.

To create temporary scratch card accounts, you may specify a value for the Account Lifetime. This creates a visitor account with a timer that starts counting down once the visitor logs in for the first time. When the timer runs out, the account will expire.

The Account Role specifies what type of accounts to create.

Click the  Create Accounts button after completing the form.

Creating Multiple Guest Account Receipts Once a group of guest accounts has been created, the details for the accounts are displayed.

To print the receipts, select an appropriate template from the  Open print window using template list. A new Web browser window will open and the Print dialog box will be displayed.

To download a copy of the receipt information in CSV format, click the  Save list for scratch cards

(CSV file) link. The fields available in the CSV file are:

Number the sequential number of the visitor account, starting at one

Username the username for the visitor account

Password the password for the visitor account

Role the visitor accounts role

Activation Time the date and time at which the account will be activated, or N/A if there is no activation time

Expiration Time the date and time at which the account will expire, or N/A if there is no activation time

If more than one account expiration time is set (for example, an account lifetime and a fixed expiration time), then the account will expire at the earliest of the expiration times.

138 | Guest Management Amigopod 3.7 | Deployment Guide

Lifetime the account lifetime in minutes, or N/A if the account does not have a lifetime specified

Successful Yes if the account was created successfully, or No if there was an error creating the account

Managing Guest Accounts Use the Guest Manager Accounts list view to work with individual guest accounts. To open the Guest Manager Accounts list, go to Guests > List Guest Accounts.

This view (guest_users) may be customized by adding new fields or modifying or removing the existing fields. See Customization of Fields in this chapter for details about this customization process. The default settings for this view are described below.

The Username, Role, Status, and Expiration columns display information about the visitor accounts that have been created.

The value in the Expiration column is colored red if the account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the account will expire within the next hour.

Amigopod 3.7 | Deployment Guide Guest Management | 139

You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:

To restore the default view, click the Clear Filter link.

Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.

Use the  Create tab to create new visitor accounts using the New Visitor Account form. See Creating a Guest Account details about this form.

Use the  More Options tab for additional functions, including import and export of guest accounts and the ability to customize the view.

Click a user accounts row to select it. You can then select from one of these actions:

 Reset password Changes the password for a guest account. A new randomly generated password is displayed on the Reset Password form.

Table 15 Operators supported in filters

Operator Meaning Additional Information

= is equal to You may search for multiple values when using the equality (=) or inequality !=) operators. To specify multiple values, list them separated by the pipe character ( | ).

For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".

!= is not equal to

> is greater than

>= is greater than or equal to

< is less than

<= is less than or equal to

~ matches the regular expression

!~ does not match the regular expression

When the list contains many thousands of user accounts, consider using the Filter field to speed up finding a specific user account.

140 | Guest Management Amigopod 3.7 | Deployment Guide

Click the  Update Account button to reset the guest accounts password. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details.

 Change expiration Changes the expiration time for a guest account.

.

Select an option from the drop-down list to change the expiration time of the guest account.

Click the  Update Account button to set the new expiration time for the guest account. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details.

 Remove Disables or deletes a guest account.

Select the appropriate Action radio button, and click the  Make Changes button to disable or delete the account.

 Activate Re-enables a disabled guest account, or specifies an activation time for the guest account.

Select an option from the drop-down list to change the activation time of the guest account. Choose Now to re-enable an account that has been disabled. Click the  Enable Account button to set the new activation time for the guest account. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details.

 Edit Changes the properties of a guest account.

This form (change_expiration) may be customized by adding new fields, or modifying or removing the existing fields. Refer to the section of this chapter for details about this customization process

Amigopod 3.7 | Deployment Guide Guest Management | 141

Click the  Update Account button to update the properties of the guest account. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details.

 Sessions Displays the active sessions for a guest account. See Active Sessions Management in this chapter for details about managing active sessions.

 Print Displays the guest accounts receipt and the delivery options for the receipt. For security reasons, the guests password is not displayed on this receipt. To recover a forgotten or lost guest account password, use the  Reset password link.

Managing Multiple Guest Accounts Use the Edit Accounts list view to work with multiple guest accounts. This view may be accessed by clicking the Edit Multiple Guest Accounts command link.

This view (guest_multi) may be customized by adding new fields or by modifying or removing the existing fields. See Customizing Self Provisioned Access in this chapter for details about this customization process. The default settings for this view are described below.

This form may be customized by adding new fields, or modifying or removing the existing fields. Refer to the section of this chapter for details about this customization process. This is the guest_edit form.

142 | Guest Management Amigopod 3.7 | Deployment Guide

You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:

To restore the default view, click the  Clear Filter link.

Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.

To select guest accounts, click the accounts you want to work with.

You may click either the check box or the row to select a visitor account. To select or unselect all visible visitor accounts, click the check box in the header row of the table.

Table 16 Operators supported in filters

Operator Meaning Additional Information

= is equal to You may search for multiple values when using the equality (=) or inequality !=) operators. To specify multiple values, list them separated by the pipe character ( | ).

For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".

!= is not equal to

> is greater than

>= is greater than or equal to

< is less than

<= is less than or equal to

~ matches the regular expression

!~ does not match the regular expression

Amigopod 3.7 | Deployment Guide Guest Management | 143

Use the selection row at the top of the table to work with the current set of selected accounts. The number of currently selected accounts is shown. When a filter is in effect, the All Matching link can be used to add all pages of the filtered result to the selection.

Use the  Create tab to create new visitor accounts using the Create Guest Accounts form. See Managing Multiple Guest Accounts in this chapter for details about this form.

Use the  Delete tab to delete the visitor accounts that you have selected. This option is not available if there are no visitor accounts selected.

Use the  Edit tab to make changes to multiple visitor accounts at once. This option is not available if there are no visitor accounts selected.

This form may be customized by adding new fields, or modifying or removing the existing fields. See Customizing Self Provisioned Access in this chapter for details about this customization process. This is the guest_multi_form form.

The  Results tab will be automatically selected after you have made changes to one or more guest accounts. You can create new guest account receipts or download the updated guest account information. See Creating Multiple Guest Account Receipts in this chapter for more information.

The  More Options tab includes the Choose Columns command link, which may be used to customize the view.

Importing Guest Accounts Guest accounts may be created from an existing list by uploading it to the Amigopod Visitor Management Appliance. Use the Import Guest Accounts command to start the process.

The Upload User List form provides you with different options for importing guest account data

144 | Guest Management Amigopod 3.7 | Deployment Guide

Amigopod 3.7 | Deployment Guide Guest Management | 145

In this example, the following data was used:

username,visitor_name,password,expire_time demo005,Demo five,secret005,2011-06-10 09:00 demo006,Demo six,secret006,2011-06-11 10:00 demo007,Demo seven,secret007,2011-06-12 11:00 demo008,Demo eight,secret008,2011-06-13 12:00 demo009,Demo nine,secret009,2011-06-13 12:00 demo010,Demo ten,secret010,2011-06-13 12:00 demo011,Demo eleven,secret011,2011-06-13 12:00

Because this data includes a header row that contains field names, the corresponding fields have been automatically detected in the data:

Use the Match Fields form to identify which guest account fields are present in the imported data. You can also specify the values to be used for fields that are not present in the data

.

To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name to use the values from that column when importing guest accounts, or select one of the other available options to use a fixed value for each imported guest account.

146 | Guest Management Amigopod 3.7 | Deployment Guide

Click the  Next Step button to preview the final result.

Step 3 of 3 displays a preview of the import operation. The values of each guest account field are determined, and any conflicts with existing user accounts are displayed.

The icon displayed for each user account indicates if it is a new entry ( ) or if an existing user account will be updated ( ).

By default, this form shows ten entries per page. To view additional entries, click the arrow button at the bottom of the form to display the next page, or click the 10 rows per page drop-down list at the bottom of the form and select the number of entries that should appear on each page.

Click the check box by the account entries you want to create, or click one of the following options to select the desired accounts:

Click the This Page link to select all entries on the current page.

Click the All link to select all entries on all pages

Click the None link to deselect all entries

Click the New link to select all new entries

Click the   Existing link to select all existing user accounts in the list.

Click the  Create Accounts button to finish the import process. The selected items will be created or updated. You can then print new guest account receipts or download a list of the guest accounts. See Creating Multiple Guest Account Receipts in this chapter for more information.

Amigopod 3.7 | Deployment Guide Guest Management | 147

Exporting Guest Account Information Guest account information may be exported to a file in one of several different formats.

Click the appropriate command link to save a list of all guest accounts in comma-separated values (CSV), tab-separated values (TSV), or XML format.

This view (guest_export) may be customized by adding new fields, modifying or removing the existing fields. See Customizing Self Provisioned Access in this chapter for details about this customization process.

In CSV and TSV format, the following default fields are included in the export:

Number Sequential number of the guest account in the exported data

User ID Numeric user ID of the guest account

Username Username for the guest account

Role Role for the guest account

Activation Date and time at which the guest account will be activated, or N/A if there is no activation time

Expiration Date and time at which the guest account will expire, or N/A if there is no expiration time

Lifetime The guest accounts lifetime in minutes after login, or 0 if the account lifetime is not set

Expire Action Number specifying the action to take when the guest account expires (0 through 4)

The default XML format consists of a element containing a element for each exported guest account. The numeric ID of the guest account is provided as the id attribute of the element.

The values for both standard and custom fields for guest accounts are exported as the contents of an XML tag, where the tag has the same name as the guest account field.

An example XML export is given below.

demo@example.com Guest N/A 2009-06-10 10:59 0 4

Guest Manager Customization Guest Manager allows the entire guest account provisioning process to be customized. This is useful in many different situations, such as:

Self-registration Allow your guests to self-register and create their own temporary visitor accounts.

Visitor surveys Define custom fields to store data of interest to you, and collect this information from guests using customized forms.

Branded print receipts Add your own branding images and text to print receipts.

148 | Guest Management Amigopod 3.7 | Deployment Guide

SMS and email receipts Include a short text message with your guests username and password, or send HTML emails containing images.

Advanced customization The Amigopod Visitor Management Appliance is flexible and can be used to provide location sensitive content and advertising.

Default Settings for Account Creation The Guest Manager plugin configuration holds the default settings for account creation. These settings can be modified by navigating to Customize Guest Manager within the Guest Manager Customization screen.

Figure 19 Customize Guest Manager page (part 1)

Username Type The default method used to generate random account usernames (when creating groups of accounts). This may be overridden by using the random_username_method field.

Amigopod 3.7 | Deployment Guide Guest Management | 149

Username Length This field is displayed if the Username Type is set to Random digits, Random letters, Random letters and digits or Sequential numbering. The default length of random account usernames (when creating groups of accounts). This may be overridden by using the random_username_length field.

Username Format This field is displayed if the Username Type is set to Format picture. It sets the format of the username to be created. See Format Picture String Symbols in the Reference chapter for a list of the special characters that may be used in the format string. This may be overridden by using the random_username_picture field.

Random Password Type The default method used to generate random account passwords (when creating groups of accounts). This may be overridden by using the random_password_method field.

Random Password Length -- The default length of random account passwords (when creating groups of accounts). This may be overridden by using the random_password_length field

Password Format This field is displayed if the Password Type field is set to Format picture. It sets the format of the password to be created. See Format Picture String Symbols in the Reference chapter for a list of the special characters that may be used in the format string. This may be overridden by using the random_password_picture field.

Password Complexity The policy to enforce when guests change their account passwords using the guest self-service user interface. Different levels of password complexity can require guests to select passwords that contain different combinations of uppercase letters, lowercase letters, digits and symbols (!#$%&()*+,-./:;<=>?@[\\]^_{|}~,). The available options for this setting are:

No password complexity requirement

At least one uppercase and one lowercase letter

At least one digit

At least one letter and one digit

At least one of each: uppercase letter, lowercase letter, digit

At least one symbol

At least one of each: uppercase letter, lowercase letter, digit, and symbol

Minimum Password Length The minimum acceptable password length for guests changing their account passwords.

Disallowed Password Characters Special characters that should not be allowed in a guest password. Spaces are not allowed by default.

Disallowed Password Words Enter a comma- separated list of words that are disallowed and will not be created by the random words password generator.

150 | Guest Management Amigopod 3.7 | Deployment Guide

Figure 20 Customize Guest Manager page (part 2)continued

Expire Action Default action to take when the expiration time is reached. There are four options. A logout can only occur if the NAS is RFC-3576 compliant.

Account Retention Deleted user accounts are available for reporting purposes. The default value is 1 year after the user account is deleted. If you do not want to retain any data, set the value to 0. If you want to view deleted accounts in a list view or report, add the delete_time field to the output and deleted users will automatically be included in the results.

Session Warning Number of minutes prior to being logged out before warning the guest. Enter 0 to disable warnings.

Expiration Options Default values for relative account expiration times. These options are displayed as the values of the Expires After field when creating a user account.

Amigopod 3.7 | Deployment Guide Guest Management | 151

Figure 21 Customize Guest Manager page (part 3)continued

Lifetime Options Default values for account lifetimes. These options are displayed as the values of the Account Lifetime field when creating a user account.

Terms of Use URL URL of a terms and conditions page provided to sponsors. You may upload an HTML file describing the terms and conditions of use using the Content Manager ( See Content

Manager in the Administrator Tasks chapter). If this file is called terms.html then the Terms of Use URL should be public/terms.html.

Active Sessions Default maximum number of active sessions that should be allowed for a guest account. This may be overridden by using the simultaneous_use field when creating or editing a guest account.

Password Logging By default, the passwords for created guest accounts are logged in the application log and may be recovered from there. For increased security, you may prevent this password from being logged by unselecting this check box.

152 | Guest Management Amigopod 3.7 | Deployment Guide

Password Display Select the View guest account passwords to enable the display of visitor account passwords in the user list. To reveal passwords, the password field must be added to the guest_users or guest_edit view, and the operator profile in use must also have the View Passwords privilege.

Initial Sequence This field contains the next available sequence number for each username prefix that has been used. Automatic sequence numbering is used when the value of the multi_initial_sequence field is set to -1. The username prefix is taken from the multi_prefix field when usernames are automatically generated using the nwa_sequence method. You can edit the values stored here to change the next sequence numbers that will be used. This is an automatically managed field; in most situations there is no need to edit it.

Receipt Printing Select the Require click to print option to change the behavior of the receipt page.

When this option is not selected, the default behavior is to provide a drop-down list of print templates and to open a new window when one is selected:

When Require click to print is selected, the receipt page provides a drop-down list of print templates and a Print link that must be clicked to display the account receipt:

About Guest Network Access Allows the text displayed to operators on the Guest Manager start page to be customized, or removed (if a single hyphen - is entered).

About Fields, Forms, and Views A field is a named item of information.

A form is a group of fields that is used to collect information from an operator, whereas a view is a grouping of fields that is used to display information to an operator.

Business Logic for Account Creation When guest accounts are created, there are certain rules that must be followed in order to create a valid account. These rules apply to all accounts, regardless of how the account was created.

The business logic rules that control all guest account creation are described below.

Verification Properties

creator_accept_terms: This field must be set to 1, indicating the creator has accepted the terms of use for creating the account. If the field is not present or is not set to 1, the visitor account is not created.

password2: If this field is specified, its value must be equal to the password field, or else the visitor account is not created.

auto_update_account: If this field is present and set to a non-zero value, account creation will not fail if the username already exists any changes will be merged into the existing account using an update instead.

Basic User Properties

username: This field is the name for the visitor account and may be provided directly. If this field is not specified, then use the email address from the email field, and if that is also not specified, then randomly generate a username (according to the value of the random_username_method and random_username_length fields).

Amigopod 3.7 | Deployment Guide Guest Management | 153

modify_password: This field controls password modification for the visitor account. It may be set to one of these values:

reset to randomly generate a new password according to the values of the random_password_method and random_password_length fields

password to use the password specified in the password field

random_password to use the password specified in the random_password field

If blank or unset, the default password behavior is used, which is to use any available value from the random_password field and the password field, or assume that reset was specified otherwise.

password: This field is the password for the visitor account and may be provided directly. If this field is not specified, then randomly generate a password (according to the values of the random_password_method and random_password_length fields).

role_id: This field is the role to assign to the visitor account and may be specified directly. If this field is not specified, then determine the role ID from the role_name field. If no valid role ID is able to be determined, the visitor account is not created.

simultaneous_use: This field determines the maximum number of concurrent sessions allowed for the visitor account. If this field is not specified, the default value from the GuestManager configuration is used.

random_username_method The method used to generate a random account username. If not specified, the default value from the GuestManager configuration is used.

random_username_length The length in characters of random account usernames. If not specified, the default value from the GuestManager configuration is used.

random_password_method The method used to generate a random account password. If not specified, the default value from the GuestManager configuration is used.

random_password_length The length in characters of random account passwords. If not specified, the default value from the GuestManager configuration is used.

Visitor Account Activation Properties

enabled: This field determines if the account is enabled or disabled; if not specified, the default is 1 (account is enabled).

do_schedule, modify_schedule_time, schedule_after and schedule_time: These fields are used to determine the time at which the visitor account will be activated.

If modify_schedule_time is none, then the account is disabled and has no activation time set.

If modify_schedule_time is now, then the account is enabled and has no activation time set.

If modify_schedule_time is a value that specifies a relative time change, for example +1h, then the visitor accounts activation time is modified accordingly.

If modify_schedule_time is a value that specifies an absolute time, for example 2010-12-31 17:00, then the visitor accounts activation time is set to that value.

If modify_schedule_time is schedule_after or schedule_time, then the activation time is determined according to the schedule_after or schedule_time fields as explained below.

If schedule_after is set and not zero, then add that time in hours to the current time and use it as the activation time (setting do_schedule to 1); enabled will be set to zero.

Otherwise, if schedule_after is zero, negative or unset, and schedule_time has been specified, use that activation time (set do_schedule to 1 and enabled to 0). If the schedule_time specified is in the past, set do_schedule to 0 and enabled to 1.

Otherwise, if schedule_time if not specified, then the visitor account has no activation time and do_schedule will default to zero.

154 | Guest Management Amigopod 3.7 | Deployment Guide

Visitor Account Expiration Properties

do_expire, modify_expire_time, expire_after and expire_time: These fields are used to determine the time at which the visitor account will expire.

If modify_expire_time is none, then the account has no expiration time set.

If modify_expire_time is now, then the account is disabled and has no expiration time set.

If modify_expire_time is a value that specifies a relative time change, for example +1h, then the visitor accounts expiration time is modified accordingly.

If modify_expire_time is a value that specifies an absolute time, for example 2010-12-31 17:00, then the visitor accounts expiration time is set to that value.

If modify_expire_time is expire_after or expire_time, then the expiration time is determined according to the expire_after or expire_time fields as explained below.

If expire_after is set and not zero, then add that time in hours to the current time and use it as the expiration time (set do_expire to 4 if it has not otherwise been set).

Otherwise, if expire_after is zero, negative or unset, and expire_time has been specified, use that expiration time (and set do_expire to 4 if it has not otherwise been set). If the expire_time specified is in the past, set do_expire to 0 and ignore the specified expiration time.

Otherwise, if expire_time is not specified, then the expire_time is not set and do_expire will always be set to zero.

expire_postlogin: This field determines the amount of time after the initial login for which the visitor account will remain valid. If this field is not specified, the default value is 0 (account lifetime not set).

expire_usage: This field determines the total amount of login time permitted for the visitor account. If this field is not specified, the default value is 0 (account usage is unlimited).

Other Properties

All other properties specified at creation time are stored with the visitor account (for example, email, visitor_name, visitor_company, visitor_phone, sponsor_name as well as any custom fields that have been defined)

Account Expiration Types The do_expire field is used to specify what should happen to the guest account when the account expiration time is reached.

Disable indicates that the enabled field will be set to 0, which will prevent further authorizations using this account.

Table 17 Account Expiration Types

Value of do_expire Meaning

0 Account will not expire

1 Disable

2 Disable and logout

3 Delete

4 Delete and logout

Amigopod 3.7 | Deployment Guide Guest Management | 155

Logout indicates that a RADIUS Disconnect-Request will be used for all active sessions that have a username matching the account username. This option requires the NAS to support RFC 3576 dynamic authorization. See RFC 3576 Dynamic Authorization in this chapter for more information.

Standard Fields See Field, Form and View Reference in the Reference chapter for a listing of the standard fields shipped with the Amigopod Visitor Management Appliance.

Standard Forms and Views The figure below shows the standard forms and views in the Amigopod Visitor Management Appliance.

The table below lists all the forms and views used for visitor management.

Table 18 Visitor Management Forms and Views

Name Type Visitor Management Function Editable?

change_expiration Form Change Expiration Yes

create_multi Form Create Multiple Yes

create_user Form Create Account Yes

guest_edit Form Edit Account Yes

guest_export View Export Accounts Yes

guest_multi View Edit Multiple Accounts Yes

guest_multi_form Form Edit Multiple Accounts Yes

guest_receipt Form Print Receipt No

guest_register Form Guest Self-Registration Yes

guest_register_receipt Form Guest Self-Registration Receipt Yes

156 | Guest Management Amigopod 3.7 | Deployment Guide

These forms are accessed directly:

create_multi form multiple account creation

create_user form sponsored account creation

guest_register form guest self-registration form

These forms are accessed through the action row of the guest_users view:

change_expiration form change expiration time for a single account

guest_multi_form form editing multiple accounts

guest_edit form editing single account

reset_password form reset password for a single account

These forms are the standard self-registration forms:

guest_register form self-registration form

guest_register_receipt form self-registration receipt

These standard views are defined in Guest Manager:

guest_export view view used when exporting guest account information

guest_multi view displays a list of guest accounts optimized for working with multiple accounts

guest_sessions view displays a list of current or historical sessions ( See Active Sessions Management in this chapter.)

guest_users view displays a list of guest accounts optimized for working with individual accounts

Customization of Fields Custom fields are fields that you define yourself to cater for areas of interest to your organization. You are able to define custom fields for your guest accounts as well as edit the existing fields.

In addition you can delete and duplicate fields. For your convenience you are also able to list any forms or views that use a particular field.

A complete list of fields is displayed when you click the Fields command link on the Customize Guest

Manager page.

To display only the fields that you have been created, click the  Custom Fields Only link in the bottom row of the list view. To return to displaying all fields, click the  All Fields link.

guest_sessions View Active Sessions Yes

guest_users View List Accounts Yes

remove_account Form Remove Account No

reset_password Form Reset Password No

Table 18 Visitor Management Forms and Views (Continued)

Fields that have a lock symbol cannot be deleted.

Amigopod 3.7 | Deployment Guide Guest Management | 157

Creating a Custom Field To create a custom field click the  Create tab at the top of the window or the  Create a new field link at the bottom of the window. The Create Field form is displayed.

The Field Name is not permitted to have spaces but you can use underscores. Enter a description in the Description field. You can enter multiple-line descriptions which result in separate lines displayed on the form.

The Field Type can be one of String, Integer, Boolean or No data type. The No data type field would be used as a label, or a submit button.

You can specify the default properties to use when adding this field to a view. See View Field Editor in this chapter for a description of the view display fields, including the Column Type and Column Format fields.

You can specify the default properties to use when adding the field to a form. See View Field Editor in this chapter for a list of the available user interface types.

158 | Guest Management Amigopod 3.7 | Deployment Guide

You can specify the default validation rules that should be applied to this field when it is added to a form. See Form Validation Properties in this chapter for further information about form validation properties.

Select the Show advanced properties check box to reveal additional properties related to conversion, display and dynamic form behavior. See View Field Editor in this chapter for more information about advanced properties.

Click the  Save Changes button to complete the creation of a new field. The new field is added at the top of the field list. You can re-sort the list to change the position of this new field. Alternatively you can reload the page.

Duplicating a Field To duplicate a field, click the field to be duplicated, then click the Duplicate link. The field is copied and a number appended to the end of the field namefor example, if you were to duplicate the card_code field, the duplicated field would be card_code_1. To rename the field, click Edit.

Editing a Field You are able to alter the properties of the field by making changes to the Field Name, Field Type or Description when you click the  Edit link. This link is available when you click a field in the list view.

Click the  Save Changes button to have the changes made permanent.

Deleting a Field Fields that do not have a lock symbol can be deleted by clicking on the  Delete link. You will be asked to confirm the deletion. If you want the deletion to take place you are informed when the deletion has been completed. A field that is currently in use on a form or view may not be deleted.

Displaying Forms that Use a Field Click the  Show Forms link to see a list of forms that use the selected field.

The list displays the forms that use the selected field. It also allows you to edit the forms fields by clicking on the  Edit Fields link. Clicking on the  Use link opens the form using that field.

If the field is used on multiple forms, you are able to select which form you would like to view.

Displaying Views that Use a Field You are able to click the  Show Views link to see a list of views that use the selected field.

Amigopod 3.7 | Deployment Guide Guest Management | 159

The list displays the views that use the selected field. It also allows you to edit the views fields by clicking on the  Edit Fields link. Clicking on the  Use link displays the view.

If the field is used on multiple views, you are able to select which view you would like to see.

Customization of Forms and Views You are able to view a list of forms and views. From this list view, you can change the layout of forms or views, add new fields to a form or view, or alter the behavior of an existing field.

To view or customize forms and views, go to Customization > Forms & Views. The Customize Forms and Views page opens.

Editing Forms and Views Clicking on the  Use link opens the form or view for use in your Web browser.

An asterisk (*) shown next to a form or view indicates that the form or view has been modified from the defaults. Click the  Reset to Defaults link to remove your modifications and restore the original form.

Resetting a form or view is a destructive operation and cannot be undone. You will be prompted to confirm the form or view reset before it proceeds.

The  Edit icon link allows you to change the general properties of a form or view such as its title and description.

The Width field is only displayed for views. It specifies the total width of the list view in pixels. If blank, a default value is used.

Duplicating Forms and Views Click the  Duplicate link to make a copy of a form or view.

Use the Duplicate link to provide different forms and views to different operator profiles. See Role-Based Access Control for Multiple Operator Profiles in the Operator Logins chapter for a description. This enables you to provide different views of the underlying visitor accounts in the database depending on the operators profile.

160 | Guest Management Amigopod 3.7 | Deployment Guide

The duplicated form or view has a name derived from the original, which cannot be changed. Use the Title and Description properties of the duplicated item to describe the intended purpose for the form or view.

Click the  Show Usage link for a duplicated form or view to see the operator profiles that are referencing it.

Click the  Delete link for a duplicated form or view to remove the copy. A duplicated item cannot be removed if it is referenced by an operator login account or an operator profile.

Editing Forms To add a new field to a form, reorder the fields, or make changes to an existing field, go to Customization > Forms & Views, click the forms row in the Customize Forms & Views list, and then click the  Edit Fields link. This opens the Customize Form Fields editor.

Form fields have a rank number, which specifies the relative ordering of the fields when displaying the form. The Customize Form Fields editor always shows the fields in order by rank.

The type of each form field is displayed. This controls what kind of user interface element is used to interact with the user. The label and description displayed on the form is also shown in the list view.

Click a form field in the list view to select it.

Use the  Edit link to make changes to an existing field using the form field editor. Any changes made to the field using this editor will apply only to this field on this form.

Use the  Edit Base Field link to make changes to an existing field definition. Any changes made to the field using this editor will apply to all forms that are using this field (except where the form field has already been modified to be different from the underlying field definition).

The  Insert Before and  Insert After links can be used to add a new field to the form. Clicking one of these links will open a blank form field editor and automatically set the rank number of the new field.

Use the  Preview Form tab at the top of the list view to see what the form looks like. This preview form can be submitted to test the field validation rules you have defined. If all fields are able to be validated, the

Amigopod 3.7 | Deployment Guide Guest Management | 161

form submit is successful and a summary of the values submitted is displayed. This allows you to verify any data conversion and formatting rules you have set up.

Form Field Editor The form field editor is used to control both the data gathering aspects and user interface characteristics of a field.

Each field can only appear once on a form. The Field Name selects which underlying field is being represented on the form.

The remainder of the form field editor is split into three sections:

Form Display Properties

Form Validation Properties

Advanced Properties

Each of these sections is described in more detail below.

Form Display Properties

The form display properties control the user interface that this field will have. Different options are available in this section, depending on the selection you make in the User Interface drop-down list.

The available user interface elements are listed below, together with an example of each.

(Use default) The default user interface type defined for the field will be used.

No user interface The field does not have a user interface specified. Using this value will cause a diagnostic message to be displayed (Form element is missing the ui element) when using the form.

162 | Guest Management Amigopod 3.7 | Deployment Guide

CAPTCHA security code A distorted image of several characters is shown. The image may be regenerated, or played as an audio sample for visually impaired users. When using the recommended validator for this field (NwaCaptchaIsValid), the security code must be matched or the form submit will fail with an error.

Check box A check box is displayed for the field. The check box label can be specified using HTML. If the check box is selected, the field is submitted with its value set to the check box value (default and recommended value 1). If the check box is not selected, the field is not submitted with the form.

Checklist A list of check boxes is displayed. The text displayed for each check box is the value from the options list. Zero or more check boxes may be selected. This user interface type submits an array of values containing the option key values of each selected check box.

Amigopod 3.7 | Deployment Guide Guest Management | 163

Because an array value may not be stored directly in a custom field, you should use the conversion and value formatting facilities to convert the array value to and from a string when using this user interface type.

To store a comma-separated list of the selected values, enable the Advanced options, select NwaImplodeComma for Conversion, select NwaExplodeComma for Display Function and enter the fields name for Display Param.

The Vertical and Horizontal layout styles control whether the check boxes are organized in top-to- bottom or left-to-right order. The default is Vertical if not specified. When using these options, you may also specify the desired number of columns or rows to adjust the layout appropriately.

164 | Guest Management Amigopod 3.7 | Deployment Guide

How this works: Suppose the first two check boxes are selected (in this example, with keys one and two). The incoming value for the field will be an array containing 2 elements, which can be written as array("one", "two"). The NwaImplodeComma conversion is applied, which converts the array value into the string value one,two, which is then used as the value for the field. Finally, when the form is displayed and the value needs to be converted back from a string, the NwaExplodeComma display function is applied, which turns the one,two string value into an array value array("one", "two"), which is used by the checklist to mark the first two items as selected.

Date/time picker A text field is displayed with an attached button that displays a calendar and time chooser. A date may be typed directly into the text field, or selected using the calendar.

The text value typed is submitted with the form. If using a date/time picker, you should validate the field value to ensure it is a date.

Certain guest account fields, such as expire_time and schedule_time, require a date/time value to be provided as a UNIX time value. In this case, the conversion and display formatting options should be used to convert a human-readable date and time to the equivalent UNIX time and vice versa.

Drop-down list The field is displayed allowing a single choice from a drop-down list. The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field.

If the Hide when no options are selectable check box is selected, and there is only a single option in the drop-down list, it will be displayed as a static text item rather than as a list with only a single item in it.

Amigopod 3.7 | Deployment Guide Guest Management | 165

File upload Displays a file selection text field and dialog box (the exact appearance differs from browser to browser).

File uploads cannot be stored in a custom field. This user interface type requires special form implementation support and is not recommended for use in custom fields.

Hidden field If Hidden Field is selected in the User Interface drop-down list, the field is not displayed to the user, but is submitted with the form. This option is often used to force a specific value such as a users role or an expiration date. However, it is possible for someone to use browser tools to modify the intial value when the form is submitted. If the value should be forced, use the Force Value setting under Advanced Properties to ensure the value cannot be overridden. For more information, see Advanced Form Field Properties.

To set the value to submit for this field, use the Initial Value option in the form field editor.

166 | Guest Management Amigopod 3.7 | Deployment Guide

Password text field The field is displayed as a text field, with input from the user obscured. The text typed in this field is submitted as the value for the field.

Amigopod 3.7 | Deployment Guide Guest Management | 167

Radio buttons The field is displayed as a group of radio buttons, allowing one to be selected. The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field.

The Vertical and Horizontal layout styles control whether the radio buttons are organized in top-to- bottom or left-to-right order. The default is Vertical if not specified.

Static text The fields value is displayed as a non-editable text string. An icon image may optionally be displayed before the fields value. A hidden element is also included for the field, thereby including the fields value when the form is submitted.

To set the value of this field, use the Initial Value option in the form field editor.

If the Hide when no options are selectable check box is selected, the field will be hidden if its value is blank.

168 | Guest Management Amigopod 3.7 | Deployment Guide

Static text (Raw value) The fields value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links and font formatting.

Use caution when using this type of user interface element, particularly if the fields value is collected from visitors. Allowing HTML from untrusted sources is a potential security risk.

To set the value of this field, use the Initial Value option in the form field editor.

If the Hide when no options are selectable option is selected, the field will be hidden if its value is blank.

Static text (Options lookup) The value of the field is assumed to be one of the keys from the fields option list. The value displayed is the corresponding value for the key, as a non-editable text string.

An icon image may optionally be displayed before the fields value. A hidden element is also included for the field, thereby including the fields value when the form is submitted.

To set the value of this field, use the Initial Value option in the form field editor.

If the Hide when no options are selectable check box is selected, the field will be hidden if its value is blank.

Amigopod 3.7 | Deployment Guide Guest Management | 169

Static group heading The label and description of the field is used to display a group heading on the form. The fields value is not used, and the field is not submitted with the form.

When using this user interface element, it is recommended that you use the nwaImportant CSS class to visually distinguish the group headings title.

Submit button The field is displayed as a clickable form submit button, with the label of the field the label of the button. The description is not used. The fields value is ignored, and will be set to NULL when the form is submitted. To place an image on the button, an icon may be specified.

To match the existing user interface conventions, you should ensure that the submit button has the highest rank number and is displayed at the bottom of the form.

170 | Guest Management Amigopod 3.7 | Deployment Guide

Text area The field is displayed as a multiple-line text box. The text typed in this box is submitted as the value for the field.

It is recommended that you specify the desired minimum dimensions of the text area, either with the Rows and Columns options, or by specifying a width in the CSS Style (for example, width: 460px; height: 100px; specifies a 460 x 100 pixel minimum area).

Text field The field is displayed as a single-line text box. The text typed in this box is submitted as the value for the field.

A short text label may be placed after the text box using the Label After option.

Amigopod 3.7 | Deployment Guide Guest Management | 171

Form Validation Properties The form validation properties control the validation of data entered into a form. By specifying appropriate validation rules, you can detect when users attempt to enter incorrect data and require them to correct their mistake.

The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the fields value. In particular, for drop-down list and radio button selections, the initial value should be the key of the desired default option. Likewise, for date/time fields that have a display function set, the initial value should be a value that can be passed to the display function.

Select the Field value must be supplied check box to mark the field as a required field. Required fields are marked with an asterisk:

An optional field may be left blank. In this case, the field is not validated as there is no value for the field. However, any value that is supplied for an optional field is subject to validation checks.

All values supplied for a required field are always validated, including blank values.

Validation errors are displayed to the user by highlighting the field(s) that are in error and displaying the validation error message with the field:

172 | Guest Management Amigopod 3.7 | Deployment Guide

All fields must be successfully validated before any form processing can take place. This ensures that the form processing always has user input that is known to be valid.

To validate a specific field, choose a validator from the drop-down list. See Form Field Validation Functions in the Reference chapter for a description of the built-in validators.

The Validator Param is the name of a field on the form, the value of which should be passed to the validator as its argument. This could be used to validate one field based on the contents of another. However, in most deployments this does not need to be set.

Set the Validator Param to its default value, (Use argument), to provide a fixed value as the argument to the validator.

The Validator Argument is used to provide further instructions to the selected validator. Not all validators require an argument; a validator such as IsValidEmail is entirely self-contained and will ignore the Validator Argument. Validators such as IsEqual, IsInRange and IsRegexMatch use the argument to perform validation.

Examples of Form field Validation Example 1 To create a form field that requires an integer value between 1 and 100 (inclusive) to be provided, use the following settings in the form field editor:

Use the PHP syntax array(1, 100) to specify the minimum and maximum values for the IsInRange validator. After saving changes on the form, this value will be internally converted to the equivalent code:

array ( 0 => 1, 1 => 100, )

With these validator settings, users that enter an invalid value will now receive a validation error message:

The form field will contain an integer value, so you should set the fields type to Integer when creating it.

Amigopod 3.7 | Deployment Guide Guest Management | 173

Furthermore, note that blank values, or non-numeric values, will result in a different error message:

The reason for this is that in this case, the validation has failed due to a type error the field is specified to have an integer type, and a blank or non-numeric value cannot be converted to an integer. To set the error message to display in this case, use the Type Error option under the Advanced Properties.

Example 2 To create a form field that accepts one of a small number of string values, use the following settings in the form field editor:

This example could be used for a string field named visitor_department. Because the values are known in advance, a drop-down list is the most suitable user interface. An initial value for the form field, as shown above, could be used if most visitors are in fact there to visit the sales team.

To match against a list of options used for a drop-down list or set of radio buttons, you can use the IsInOptionsList validator.

Example 3 To create a form field that validates U.S. social security numbers using a regular expression, use the following settings in the form field editor:

Note that the regular expression used here includes beginning and ending delimiters (in this case the / character), and ensures that the whole string matches by the start-of-string marker ^ and the end-of-string marker $. The construct \d is used to match a single digit. Many equivalent regular expressions could be written to perform this validation task. See Regular Expressions in the Reference chapter for more information about regular expressions.

174 | Guest Management Amigopod 3.7 | Deployment Guide

Advanced Form Field Properties