Contents
This sample scenario focuses on HSG high availability (HA) deployment, to provide seamless failover in case of hardware failure. This is particularly important for on-premise deployment for large venues to ensure maximum service uptime.
- Can use any type of Access Point at LAN side
- Have dedicated management VLAN for AP management addressing (VLAN1)
- Multiple SSID and each SSID maps to its own specific VLAN
- Single SSID/VLAN Mapped to its landing page with Login Method
Common use cases
Large Hotels | Large Shopping malls | Tourism places | Airports, stadiums, etc.
Deployment of High Availability Wi-Fi Network
Prerequisite
- Upgrade Primary Hotspot Gateway box firmware version 20210213-2300. See link Upgrade Firmware
- Connect the WAN Interface of Primary HSG to ISP device (ONT or Modem)
- Info– The WAN port (eth0) of Primary HSG is pre-configured to get dhcp IP from ISP ONT/modem (or upstream router).
- Connect ETH1 port of Primary HSG to the respective LAN Switch.
- Info– The port ETH1 of Primary HSG is pre-configured to release IP to LAN Access Point.
- Connect the AP to the LAN Switch
- Use default VLAN1 as management VLAN for AP/WLC.
- Reserved IP for WLC or another device, range from 192.168.8.10 to 192.168.8.49
- Access Point connected to Primary POE Switch will be receiving DHCP IP from Primary HSG from the range 192.168.8.50 to 192.168.8.254.
- Add all VLANs on the switch (VLAN10, 20, 30), configure all switch-ports to be in trunk mode, and permit all VLANs for each port (default)
- Configure APs to broadcast the desired SSID and assign each SSID to pre-configured VLANs.
- Configure a separate SSID for the Management and assign the pre-configured VLAN.
- Connect ETH2 port to a LAN Switch for Management
- Info– The ETH2 port (eth2) of HSG is pre-configured to release IP.
Procedure
Step 1 – Access to Hotspot Management UI
- Login to Hotspot Gateway UI
- on-premises Hotspot Gateway – Use the Management PC and browse to http://10.10.10.1 and login with the Credentials.
Step 2 – Create Entity, User Account, and Permission for the User Account
- Create Entity – See link Create Customer Entity
- User can use the Company name as entity name
- Create and Configure Permission for the User Account
- Navigate to ‘ADMIN > Permissions‘. Click on the
button and configure the required permission. - Recommendation – Create the new User Account and in the Profile field select ‘Super admin’ for this Scenario.
- Navigate to ‘ADMIN > Permissions‘. Click on the
- Create User Account – See link Create User Account
Step 3 – Create VLANs (10, 20,30 & 40) in eth1 interface
- Navigate to ‘NETWORK SETTINGS > Interfaces > VLAN‘ tab and click on the
button, See link New VLAN interface- Configure three new VLANs, The example to VLAN-10 settings are shown below in Table 1, and also find the details for the VLANs below.
- VLAN10 | IP – 172.16.0.1/24
- VLAN20 | IP – 172.17.0.1/24
- VLAN30 | IP – 172.18.0.1/24
- VLAN40 | IP – 172.19.0.1/24
- Configure three new VLANs, The example to VLAN-10 settings are shown below in Table 1, and also find the details for the VLANs below.
NOTE
The below table is VLANID 10 config values, and user can config the other VLAN accordingly
| S/N | Section | Field | Value |
|---|---|---|---|
| 01 | New Interface VLAN | ||
| VLAN Name | vlan10 | ||
| Admin Status | Enabled | ||
| Physical Interface | eth1 | ||
| IP/Netmask (IP Address/Mask) | 172.16.0.1/24 | ||
| 02 | DHCP Server | ||
| DHCP Description | vlan10 dhcp pool | ||
| DNS Servers | Default | ||
| Client Default Gateway | 172.16.0.1 | ||
| Lease Time | Default | ||
| 03 | Hotspot Service | Enable |
Step 4 – Create, Configure Captive Portal and Login Method
- Create three different Captive Portal and different portals. User can use the below portal name and the portal template. See link Create/Edit Captive portal
- portal name – ‘Portalvlan10’ | portal template – ‘Central‘
- portal name – ‘Portalvlan20’ | portal template – ‘Prestige‘
- portal name – ‘Portalvlan30’ | portal template – ‘EasyVideo‘
- portal name – ‘Portalvlan40’ | portal template – ‘Central‘
- Configure Login Method (Enable Username Password and Email OTP methods). See link Login Method Types. Enable Login Methods as mentioned below.
 |  |  |  |
| Portal Name: Portalvlan10 Portal Template: Central Entity: Customer’s Entity name Login Method: Standard Login Option (Username & Password) | Portal Name: Portalvlan20 Portal Template: Prestige Entity: Customer’s Entity name Login Method: Email Registration | Portal Name: Portalvlan30 Portal Template: EasyVideo Entity: Customer’s Entity name Login Method: NA | Portal Name: Portalvlan40 Portal Template: Classic Entity: Customer’s Entity name Login Method: Pincode Login Option |
Step 5 – Configure VRRP, Hotspot Tracking and Hotspot Database Sync for High Availability (Active/Standby)
NOTE
User can use configure VRRP Group and Hotspot Tracking using Console (Command Line).
See Console Access To RansNet Appliance
To achieve HSG high availability (HA) with “Stateful” failover, we make use of the below key features are configured in HSG.
HA Key Features
- VRRP – The VRRP detects hardware “active/standby” status, and helps to route user traffic to the alive (active) unit.
- Provision a VLAN (on eth1) between the HA units for failover detection and data syncConfigure VRRP groups on all participating VLANs, set respective priorities for MASTER and SLAVE unitsVRRP will attach a virtual IP (VIP) to the active unit VLAN interface, and create a VRRP VIP host route on the MASTER/active unit.Configure interface tracking (usually track WAN interface) for VRRP to auto switch between gateways in case of failures.
!
interface eth1
description "Trunk to LAN switchport"
enable
ip address 192.168.8.9/22
-----------------------------------------------------------------|VRRP Group|-----------------------------------------------------------------
vrrp-group 10
description "AP mgmt default gateway"
priority 120
virtual_ipaddress 192.168.8.1
track eth0 host 8.8.8.8 2
start
-----------------------------------------------------------------|VRRP Group|-----------------------------------------------------------------
dhcp-server
description "AP mgmt IP. 1st half."
router 192.168.8.1
dns 8.8.8.8 8.8.4.4
range 192.168.8.50 192.168.9.254
!
interface vlan 1 99
description "HA sync VLAN"
enable
ip address 10.99.1.2/28
-----------------------------------------------------------------|VRRP Group|-----------------------------------------------------------------
vrrp-group 13
description "VIP for making vlan10/30 active"
priority 120
virtual_ipaddress 10.99.1.4
start
vrrp-group 24
description "VIP for making vlan20/40 active"
priority 80
virtual_ipaddress 10.99.1.5
vrrp-group 99
description "HA sync VIP"
priority 120
preempt no
virtual_ipaddress 10.99.1.1
start
-----------------------------------------------------------------|VRRP Group|-----------------------------------------------------------------
- HotSpot tracking – The hotspot tracking determines which unit should activate its hotspot service by checking its VRRP VIP host route. Since HSG can run multiple hotspot instances for multiple VLANs, we can provision one group of VLANs/hotspot instances active on the primary unit, and another group of VLANs active when configuring the secondary unit, therefore achieving load sharing/active-active HA deployment. Info: within each VLAN instance, the two units is still in active/standby mode.
- Both primary and secondary units should have identical hotspot config (eg. same set of “security hotspot xx” configs). Refer to page bottom to review config differences.
- Don’t enable dhcp-server on the hotspot VLAN interface (hotspot engine is already a DHCP server, or you may relay to upstream DHCP server).
- Don’t configure IP address for hotspot VLAN interfaces, instead, configure “hotspot-server VLAN / Interface Name” under each hotspot instance config.
- Configure “client-networks x.x.x.x” for client IP subnet, and optionally configure “client-dhcp xxx” ip scope.
- Configure “client-static x.x.x.x”. because the client may get IP from the active unit and after failover to standby unit, client device still holds the same IP given by the previous active unit, so to the “standby” (now active) unit, the client is having IP from the external DHCP server and this command authorizes these IPs.
- On the active unit, tracking will auto-activate the hotspot service for its VLAN, and the configured “hotspot-server IP” will become the default gateway for clients and answer to client dhcp requests. So user traffic will pass through active unit for this VLAN.
- On standby unit, tracking will turn off hotspot service for its VLAN. So the standby unit will not answer to any client DHCP requests and therefore not passing traffic.
- In case of failover, standby unit takes over VRRP VIP (therefore holds VIP host route) and hotspot tracking will activate hotspot service for standby unit, create tunnel interface taking over “hotspot-server IP”, so that client traffic will be routed to standby unit (now become active).
!
security hotspot vlan10
hotspot-server 172.16.0.1 ports 5011 5012
client-network 172.16.0.0 255.255.0.0
client-static 172.16.0.0 255.255.0.0
client-sticky start 1
client-sticky-vlanlist vlan10,vlan20,vlan30,vlan40
bypass-domain list
dn akamaihd.net
dn facebook.com
dn facebook.net
dn fbcdn.net
dn instagram.com
dn linkedin.com
dn login.sina.com.cn
dn static.licdn.com
dn twimg.com
dn twitter.com
dn weibo.cn
dn weibo.com
bypass-mac radius
radius-server splash.ransnet.com testing123
hotspot-portal https://splash.ransnet.com/pid/portal/login.php
--------------------------------Hotspot Tracking---------------------------------------------
track-route 10.99.1.4/32 2
--------------------------------Hotspot Tracking---------------------------------------------
!
security hotspot vlan20
hotspot-server 172.17.0.1 ports 5021 5022
client-network 172.17.0.0 255.255.0.0
client-static 172.17.0.0 255.255.0.0
client-sticky start 1
client-sticky-vlanlist vlan10,vlan20,vlan30,vlan40
bypass-domain list
dn akamaihd.net
dn facebook.com
dn facebook.net
dn fbcdn.net
dn instagram.com
dn linkedin.com
dn login.sina.com.cn
dn static.licdn.com
dn twimg.com
dn twitter.com
dn weibo.cn
dn weibo.com
bypass-mac radius
radius-server splash.ransnet.com testing123
hotspot-portal https://splash.ransnet.com/pid/portal/login.php
--------------------------------Hotspot Tracking---------------------------------------------
track-route 10.99.1.5/32 2
--------------------------------Hotspot Tracking---------------------------------------------
!
security hotspot vlan30
hotspot-server 172.18.0.1 ports 5031 5032
client-network 172.18.0.0 255.255.0.0
client-static 172.18.0.0 255.255.0.0
client-sticky start 1
client-sticky-vlanlist vlan10,vlan20,vlan30,vlan40
bypass-domain list
dn akamaihd.net
dn facebook.com
dn facebook.net
dn fbcdn.net
dn instagram.com
dn linkedin.com
dn login.sina.com.cn
dn static.licdn.com
dn twimg.com
dn twitter.com
dn weibo.cn
dn weibo.com
bypass-mac radius
radius-server splash.ransnet.com testing123
hotspot-portal https://splash.ransnet.com/pid/portal/login.php
--------------------------------Hotspot Tracking---------------------------------------------
track-route 10.99.1.4/32 2
--------------------------------Hotspot Tracking---------------------------------------------
!
security hotspot vlan40
hotspot-server 172.19.0.1 ports 5041 5042
client-network 172.19.0.0 255.255.0.0
client-static 172.19.0.0 255.255.0.0
client-sticky start 1
client-sticky-vlanlist vlan10,vlan20,vlan30,vlan40
bypass-domain list
dn akamaihd.net
dn facebook.com
dn facebook.net
dn fbcdn.net
dn instagram.com
dn linkedin.com
dn login.sina.com.cn
dn static.licdn.com
dn twimg.com
dn twitter.com
dn weibo.cn
dn weibo.com
bypass-mac radius
radius-server splash.ransnet.com testing123
hotspot-portal https://splash.ransnet.com/pid/portal/login.php
--------------------------------Hotspot Tracking---------------------------------------------
track-route 10.99.1.5/32 2
--------------------------------Hotspot Tracking---------------------------------------------
Step 6 – Configure Hotspot Instance (VLAN10, VLAN20, VLAN30 & VLAN40) interface.
- Navigate to ‘Hotspot Settings > Hotspot Instances‘. Click on ‘vlan10′ below the interface column heading and configure the vlan10 in all three sections of instance, as per the Table 2 settings below.
- Configure the VLAN interfaces as per below
NOTE
The below table is VLANID 10 config values, and user can config the other VLAN accordingly
| S/N | Section | Field | Values |
|---|---|---|---|
| 01 | Hotspot Instance Base Config | ||
| Hotspot LAN | VLAN10 | ||
| Hotspot Enable | enable by ticking the option | ||
| Hotspot Server IP / Ports | 172.16.0.1 / Default | ||
| Client Network / Netmask | 172.16.0.0 / 255.255.0.0 | ||
| Radius Server / Key | splash.ransnet.com / testing123 | ||
| Hotspot Portal | Select the Portal according to the VLAN interface. Eg: http://captive.ransnet.com/<Customer entity>/Portalvlan10/login.php | ||
| 02 | Hotspot Instance Optional Config | ||
| Client Parameters | Permit External Client Network – 172.16.0.0 Permit External Client Netmask – 255.255.0.0 | ||
| Redirect/Success URL | http://www.ransnet.com | ||
| Bypass/Whitelist By | Destination Domain – .ransnet.com Destination IP/URL – 2.1.2.1 Source MAC (Radius Settings) – ‘Enable the option’ | ||
| Seamless Relogin (Since first login) | Since First Login – 1 Roaming VLAN/Network – vlan10, vlan20, vlan30 & vlan40 | ||
| Enable/Disable Parameters | Intercept DNS Requests – enable by ticking the option |
With the above Table 2 reference, configure the remaining VLANs (vlan20, vlan30, vlan40) with the below settings
| S/N | VLANs | Settings |
|---|---|---|
| 01 | VLan20 | Hotspot Server IP / Ports – 172.17.0.1 / 5021 – 5022 |
| 02 | VLan30 | Hotspot Server IP / Ports – 172.18.0.1 / 5031- 5032 |
| 03 | VLan40 | Hotspot Server IP / Ports – 172.19.0.1 / 5041- 5042 |
Step 7 – Configure Access Control
- Configure ‘Username & Password‘ Access profile (Portalvlan10) for staff users.
- Navigate to ‘HOTSPOT USERS > Access Profile‘. Create a new Access Profile. See link New Access Profile
- Select ‘User Authentication‘ from User type and enter the Username and password
- Navigate to the ‘Account info’ tab on the ‘New User’ page and configure the relevant settings
- Configure Email Registration profile (Portalvlan20) for Guest users.
- Navigate to ‘HOTSPOT USERS > Access Profile‘ and locate for ’emailregistrationxxxVlan20xxx’
- info– To configure the Email Registration profile, the user has to first test the Captive portal Email Registration Authentication. After the first test is successful, the Email OTP auto-creates the profile in ‘Access Profile’ in the format of (RansNet_[Device Name]_[Interface Name]_[MAC Address, last 4 digits]_<<emailonepageotp>>. Eg : RansNet_mbox_br-vlan10_96-19_emailonepageotp). User can click on the Profile name and configure the account info settings as per the user requirement.
- Configure (Portalvlan20) for Promotion Wi-Fi.
- info– This portal is a standard portal with no backend settings. The purpose of this portal is to promote customer’s brand and grand access.
- Configure Pincode profile (Portalvlan40) for Visitor Access.
- Navigate to ‘HOTSPOT USERS > User Management‘, click on the ‘New User’ button, select ‘PIN Code Authentication‘ option and complete the Pincode form setting and save. User can use the Pincode details to log in and authenticate.
Deployment References Links (Videos/Demos)
- Create Captive portal and Configure Login Methods – https://youtu.be/yrjAkt8XkT8
NOTE
syslog server (user access logging) is enabled to collect DNS access logs and storing data up to last 5 days.
User access records are stored up to last 90 days
User info (username and profile data) is kept unlimited