High Availability Wi-Fi Networks

This sample scenario focuses on HSG high availability (HA) deployment, to provide seamless failover in case of hardware failure. This is particularly important for on-premise deployment for large venues to ensure maximum service uptime.

  • Can use any type of Access Point at LAN side
  • Have dedicated management VLAN for AP management addressing (VLAN1)
  • Multiple SSID and each SSID maps to its own specific VLAN
  • Single SSID/VLAN Mapped to its landing page with Login Method

Common use cases

Large Hotels | Large Shopping malls | Tourism places | Airports, stadiums, etc.

Deployment of High Availability Wi-Fi Network

Prerequisite
  1. Upgrade Primary Hotspot Gateway box firmware version 20210213-2300. See link Upgrade Firmware
  1. Connect the WAN Interface of Primary HSG to ISP device (ONT or Modem)
    • Info The WAN port (eth0) of Primary HSG is pre-configured to get dhcp IP from ISP ONT/modem (or upstream router).
  1. Connect ETH1 port of Primary HSG to the respective LAN Switch.
    • Info– The port ETH1 of Primary HSG is pre-configured to release IP to LAN Access Point.
  1. Connect the AP to the LAN Switch
    • Use default VLAN1 as management VLAN for AP/WLC.
    • Reserved IP for WLC or another device, range from 192.168.8.10 to 192.168.8.49
      • Access Point connected to Primary POE Switch will be receiving DHCP IP from Primary HSG from the range 192.168.8.50 to 192.168.8.254.
    • Add all VLANs on the switch (VLAN10, 20, 30), configure all switch-ports to be in trunk mode, and permit all VLANs for each port (default)
    • Configure APs to broadcast the desired SSID and assign each SSID to pre-configured VLANs.
    • Configure a separate SSID for the Management and assign the pre-configured VLAN.
  1. Connect ETH2 port to a LAN Switch for Management
    • Info– The ETH2 port (eth2) of HSG is pre-configured to release IP.

Procedure

Step 1 – Access to Hotspot Management UI

  1. Login to Hotspot Gateway UI
    • on-premises Hotspot Gateway – Use the Management PC and browse to http://10.10.10.1 and login with the Credentials.

Image 2 : Hotspot Gateway login screen

Step 2 – Create Entity, User Account, and Permission for the User Account

  1. Create Entity – See link Create Customer Entity
    • User can use the Company name as entity name
  1. Create and Configure Permission for the User Account
    • Navigate to ‘ADMIN > Permissions‘. Click on the button and configure the required permission.
    • Recommendation – Create the new User Account and in the Profile field select ‘Super admin’ for this Scenario.
  1. Create User Account – See link Create User Account

Step 3 – Create VLANs (10, 20,30 & 40) in eth1 interface

  1. Navigate to ‘NETWORK SETTINGS > Interfaces > VLAN‘ tab and click on the button, See link New VLAN interface
    • Configure three new VLANs, The example to VLAN-10 settings are shown below in Table 1, and also find the details for the VLANs below.
      1. VLAN10 | IP – 172.16.0.1/24
      2. VLAN20 | IP – 172.17.0.1/24
      3. VLAN30 | IP – 172.18.0.1/24
      4. VLAN40 | IP – 172.19.0.1/24

NOTE

The below table is VLANID 10 config values, and user can config the other VLAN accordingly

S/NSectionFieldValue
01New Interface VLAN
VLAN Namevlan10
Admin StatusEnabled
Physical Interfaceeth1
IP/Netmask (IP Address/Mask)172.16.0.1/24
02DHCP Server
DHCP Descriptionvlan10 dhcp pool
DNS ServersDefault
Client Default Gateway172.16.0.1
Lease TimeDefault
03Hotspot ServiceEnable
Table 1: New VLANs settings for Multi SSID Scenario

Step 4 – Create, Configure Captive Portal and Login Method

  1. Create three different Captive Portal and different portals. User can use the below portal name and the portal template. See link Create/Edit Captive portal
    • portal name – ‘Portalvlan10’ | portal template – ‘Central
    • portal name – ‘Portalvlan20’ | portal template – ‘Prestige
    • portal name – ‘Portalvlan30’ | portal template – ‘EasyVideo
    • portal name – ‘Portalvlan40’ | portal template – ‘Central
  1. Configure Login Method (Enable Username Password and Email OTP methods). See link Login Method Types. Enable Login Methods as mentioned below.
Portal Name: Portalvlan10
Portal Template: Central
Entity: Customer’s Entity name
Login Method: Standard Login Option
(Username & Password)
Portal Name: Portalvlan20
Portal Template: Prestige
Entity: Customer’s Entity name
Login Method: Email Registration
Portal Name: Portalvlan30
Portal Template: EasyVideo
Entity: Customer’s Entity name
Login Method: NA
Portal Name: Portalvlan40
Portal Template: Classic
Entity: Customer’s Entity name
Login Method: Pincode Login Option
Table 2 :

Step 5 – Configure VRRP, Hotspot Tracking and Hotspot Database Sync for High Availability (Active/Standby)

NOTE

User can use configure VRRP Group and Hotspot Tracking using Console (Command Line).
See Console Access To RansNet Appliance

To achieve HSG high availability (HA) with “Stateful” failover, we make use of the below key features are configured in HSG.

HA Key Features
  1. VRRP – The VRRP detects hardware “active/standby” status, and helps to route user traffic to the alive (active) unit.
    • Provision a VLAN (on eth1) between the HA units for failover detection and data syncConfigure VRRP groups on all participating VLANs, set respective priorities for MASTER and SLAVE unitsVRRP will attach a virtual IP (VIP) to the active unit VLAN interface, and create a VRRP VIP host route on the MASTER/active unit.Configure interface tracking (usually track WAN interface) for VRRP to auto switch between gateways in case of failures.
!
interface eth1
 description "Trunk to LAN switchport"
 enable
 ip address 192.168.8.9/22
-----------------------------------------------------------------|VRRP Group|-----------------------------------------------------------------
 vrrp-group 10
  description "AP mgmt default gateway"
  priority 120
  virtual_ipaddress 192.168.8.1
  track eth0 host 8.8.8.8 2
  start
-----------------------------------------------------------------|VRRP Group|-----------------------------------------------------------------
 dhcp-server
  description "AP mgmt IP. 1st half."
  router 192.168.8.1
  dns 8.8.8.8 8.8.4.4
  range 192.168.8.50 192.168.9.254
!
interface vlan 1 99
 description "HA sync VLAN"
 enable
 ip address 10.99.1.2/28
-----------------------------------------------------------------|VRRP Group|-----------------------------------------------------------------
 vrrp-group 13
  description "VIP for making vlan10/30 active"
  priority 120
  virtual_ipaddress 10.99.1.4
  start
 vrrp-group 24
  description "VIP for making vlan20/40 active"
  priority 80
  virtual_ipaddress 10.99.1.5
 vrrp-group 99
  description "HA sync VIP"
  priority 120
  preempt no
  virtual_ipaddress 10.99.1.1
  start
-----------------------------------------------------------------|VRRP Group|-----------------------------------------------------------------

  1. HotSpot tracking – The hotspot tracking determines which unit should activate its hotspot service by checking its VRRP VIP host route. Since HSG can run multiple hotspot instances for multiple VLANs, we can provision one group of VLANs/hotspot instances active on the primary unit, and another group of VLANs active when configuring the secondary unit, therefore achieving load sharing/active-active HA deployment. Info: within each VLAN instance, the two units is still in active/standby mode.
    • Both primary and secondary units should have identical hotspot config (eg. same set of “security hotspot xx” configs). Refer to page bottom to review config differences.
    • Don’t enable dhcp-server on the hotspot VLAN interface (hotspot engine is already a DHCP server, or you may relay to upstream DHCP server).
    • Don’t configure IP address for hotspot VLAN interfaces, instead, configure “hotspot-server VLAN / Interface Name” under each hotspot instance config.
    • Configure “client-networks x.x.x.x” for client IP subnet, and optionally configure “client-dhcp xxx” ip scope.
    • Configure “client-static x.x.x.x”. because the client may get IP from the active unit and after failover to standby unit, client device still holds the same IP given by the previous active unit, so to the “standby” (now active) unit, the client is having IP from the external DHCP server and this command authorizes these IPs.
    • On the active unit, tracking will auto-activate the hotspot service for its VLAN, and the configured “hotspot-server IP” will become the default gateway for clients and answer to client dhcp requests. So user traffic will pass through active unit for this VLAN.
    • On standby unit, tracking will turn off hotspot service for its VLAN. So the standby unit will not answer to any client DHCP requests and therefore not passing traffic.
    • In case of failover, standby unit takes over VRRP VIP (therefore holds VIP host route) and hotspot tracking will activate hotspot service for standby unit, create tunnel interface taking over “hotspot-server IP”, so that client traffic will be routed to standby unit (now become active).

!
security hotspot vlan10
hotspot-server 172.16.0.1 ports 5011 5012
client-network 172.16.0.0 255.255.0.0
client-static 172.16.0.0 255.255.0.0
client-sticky start 1
client-sticky-vlanlist vlan10,vlan20,vlan30,vlan40
bypass-domain list
dn akamaihd.net
dn facebook.com
dn facebook.net
dn fbcdn.net
dn instagram.com
dn linkedin.com
dn login.sina.com.cn
dn static.licdn.com
dn twimg.com
dn twitter.com
dn weibo.cn
dn weibo.com
bypass-mac radius
radius-server splash.ransnet.com testing123
hotspot-portal https://splash.ransnet.com/pid/portal/login.php
--------------------------------Hotspot Tracking---------------------------------------------
track-route 10.99.1.4/32 2
--------------------------------Hotspot Tracking---------------------------------------------

!
security hotspot vlan20
hotspot-server 172.17.0.1 ports 5021 5022
client-network 172.17.0.0 255.255.0.0
client-static 172.17.0.0 255.255.0.0
client-sticky start 1
client-sticky-vlanlist vlan10,vlan20,vlan30,vlan40
bypass-domain list
dn akamaihd.net
dn facebook.com
dn facebook.net
dn fbcdn.net
dn instagram.com
dn linkedin.com
dn login.sina.com.cn
dn static.licdn.com
dn twimg.com
dn twitter.com
dn weibo.cn
dn weibo.com
bypass-mac radius
radius-server splash.ransnet.com testing123
hotspot-portal https://splash.ransnet.com/pid/portal/login.php
--------------------------------Hotspot Tracking---------------------------------------------
track-route 10.99.1.5/32 2
--------------------------------Hotspot Tracking---------------------------------------------

!
security hotspot vlan30
hotspot-server 172.18.0.1 ports 5031 5032
client-network 172.18.0.0 255.255.0.0
client-static 172.18.0.0 255.255.0.0
client-sticky start 1
client-sticky-vlanlist vlan10,vlan20,vlan30,vlan40
bypass-domain list
dn akamaihd.net
dn facebook.com
dn facebook.net
dn fbcdn.net
dn instagram.com
dn linkedin.com
dn login.sina.com.cn
dn static.licdn.com
dn twimg.com
dn twitter.com
dn weibo.cn
dn weibo.com
bypass-mac radius
radius-server splash.ransnet.com testing123
hotspot-portal https://splash.ransnet.com/pid/portal/login.php
--------------------------------Hotspot Tracking---------------------------------------------
track-route 10.99.1.4/32 2
--------------------------------Hotspot Tracking---------------------------------------------

!
security hotspot vlan40
hotspot-server 172.19.0.1 ports 5041 5042
client-network 172.19.0.0 255.255.0.0
client-static 172.19.0.0 255.255.0.0
client-sticky start 1
client-sticky-vlanlist vlan10,vlan20,vlan30,vlan40
bypass-domain list
dn akamaihd.net
dn facebook.com
dn facebook.net
dn fbcdn.net
dn instagram.com
dn linkedin.com
dn login.sina.com.cn
dn static.licdn.com
dn twimg.com
dn twitter.com
dn weibo.cn
dn weibo.com
bypass-mac radius
radius-server splash.ransnet.com testing123
hotspot-portal https://splash.ransnet.com/pid/portal/login.php
--------------------------------Hotspot Tracking---------------------------------------------
track-route 10.99.1.5/32 2
--------------------------------Hotspot Tracking---------------------------------------------


Step 6 – Configure Hotspot Instance (VLAN10, VLAN20, VLAN30 & VLAN40) interface.

  1. Navigate to ‘Hotspot Settings > Hotspot Instances‘. Click on ‘vlan10′ below the interface column heading and configure the vlan10 in all three sections of instance, as per the Table 2 settings below.

NOTE

The below table is VLANID 10 config values, and user can config the other VLAN accordingly

S/NSectionFieldValues
01 Hotspot Instance Base Config
Hotspot LANVLAN10
Hotspot Enableenable by ticking the option
Hotspot Server IP / Ports172.16.0.1 / Default
Client Network / Netmask172.16.0.0 / 255.255.0.0
Radius Server / Keysplash.ransnet.com / testing123
Hotspot PortalSelect the Portal according to the VLAN interface.
Eg: http://captive.ransnet.com/<Customer entity>/Portalvlan10/login.php
02Hotspot Instance Optional Config
Client ParametersPermit External Client Network – 172.16.0.0
Permit External Client Netmask – 255.255.0.0
Redirect/Success URLhttp://www.ransnet.com
Bypass/Whitelist ByDestination Domain – .ransnet.com
Destination IP/URL – 2.1.2.1
Source MAC (Radius Settings) – ‘Enable the option’
Seamless Relogin (Since first login)Since First Login – 1
Roaming VLAN/Network – vlan10, vlan20, vlan30 & vlan40
Enable/Disable ParametersIntercept DNS Requests – enable by ticking the option
Table 2: VLAN 10 Hotspot Instance settings

With the above Table 2 reference, configure the remaining VLANs (vlan20, vlan30, vlan40) with the below settings

S/NVLANsSettings
01VLan20Hotspot Server IP / Ports – 172.17.0.1 / 5021 – 5022
02VLan30Hotspot Server IP / Ports – 172.18.0.1 / 5031- 5032
03VLan40 Hotspot Server IP / Ports – 172.19.0.1 / 5041- 5042

Step 7 – Configure Access Control

  1. Configure ‘Username & Password‘ Access profile (Portalvlan10) for staff users.
    • Navigate to ‘HOTSPOT USERS > Access Profile‘. Create a new Access Profile. See link New Access Profile
    • Select ‘User Authentication‘ from User type and enter the Username and password
    • Navigate to the ‘Account info’ tab on the ‘New User’ page and configure the relevant settings
  1. Configure Email Registration profile (Portalvlan20) for Guest users.
    1. Navigate to ‘HOTSPOT USERS > Access Profile‘ and locate for ’emailregistrationxxxVlan20xxx’
    2. info– To configure the Email Registration profile, the user has to first test the Captive portal Email Registration Authentication. After the first test is successful, the Email OTP auto-creates the profile in ‘Access Profile’ in the format of (RansNet_[Device Name]_[Interface Name]_[MAC Address, last 4 digits]_<<emailonepageotp>>. Eg : RansNet_mbox_br-vlan10_96-19_emailonepageotp). User can click on the Profile name and configure the account info settings as per the user requirement.
  1. Configure (Portalvlan20) for Promotion Wi-Fi.
    • info– This portal is a standard portal with no backend settings. The purpose of this portal is to promote customer’s brand and grand access.
  1. Configure Pincode profile (Portalvlan40) for Visitor Access.
    • Navigate to ‘HOTSPOT USERS > User Management‘, click on the ‘New User’ button, select ‘PIN Code Authentication‘ option and complete the Pincode form setting and save. User can use the Pincode details to log in and authenticate.

NOTE

User should use UI to configure, Captive portal. Login Method and Access Profile.

-----------------------------------Default Configuration--------------------------
hostname HSG800-WT
!
interface eth0
 description "Default connection to WAN"
 enable
 ip address dhcp
!
interface eth1
 description "Default connection to LAN"
 enable
 ip address 192.168.8.1/22
 dhcp-server
  description "DHCP-ETH1 DHCP"
  lease-time 86400
  router 192.168.8.1
  dns 8.8.8.8 8.8.4.4
  range 192.168.8.100 192.168.11.254
!
interface eth2
 description "Default OOB-Mgmt"
 enable
 ip address 10.10.10.1/24
 dhcp-server
  lease-time 86400 86400
  router 10.10.10.1
  dns 8.8.8.8 8.8.4.4
  range 10.10.10.10 10.10.10.20
  enable
!
interface eth3
 description "Reserved network"
!
interface vlan 1 10
 description "Staff VLAN"
 enable
 ip address 172.16.10.1/24
  dhcp-server
  description "Staff VLAN10 DHCP"
  lease-time 86400
  router 172.16.10.1
  dns 8.8.8.8 8.8.4.4
  range 172.16.10.2 172.16.10.254
  enable
!
interface vlan 1 20
 description "Guest VLAN"
 enable
 ip address 172.16.20.1/24
dhcp-server
  description "Guest VLAN20 DHCP"
  lease-time 86400
  router 172.16.20.1
  dns 8.8.8.8 8.8.4.4
  range 172.16.20.2 172.16.20.254
  enable
!
interface vlan 1 30
 description "Cafeteria VLAN"
 enable
 ip address 172.16.30.1/24
dhcp-server
  description "Cafeteria VLAN30 DHCP"
  lease-time 86400
  router 172.16.30.1
  dns 8.8.8.8 8.8.4.4
  range 172.16.30.2 172.16.30.254
  enable
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip name-server 8.8.8.8 8.8.4.4
!
ip ntp-server 203.211.159.1 62.201.225.9
!
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host splash.ransnet.com 2.1.2.1 rewrite
!
firewall-input 10 permit all tcp dport 80 src 10.0.0.0/8 admin remark "WEB mgmt
from OOB"
firewall-input 11 permit all tcp dport 22 src 10.0.0.0/8 remark "SSH mgmt from O
OB"
!
firewall-access 10 permit outbound eth0
!
firewall-snat 10 overload outbound eth0
!
security radius-server
 client 2.1.2.1 key testing123 name HSG800WT
 start
-----------------------------------Default Configuration--------------------------
!
security hotspot vlan10
 hotspot-server 172.16.10.1 ports 5205 4029
 client-network 172.16.10.0 255.255.255.0
 client-static 172.16.10.0 255.255.255.0
 client-local-dns on
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal https://captive.ransnet.com/RNSrilanka/Portalvlan10/login.php
 start
!
security hotspot vlan20
 hotspot-server 172.16.20.1 ports 5549 4985
 client-network 172.16.20.0 255.255.255.0
 client-static 172.16.20.0 255.255.255.0
 client-local-dns on
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal https://captive.ransnet.com/RNSrilanka/Portalvlan20/login.php
 start
!
security hotspot vlan30
 hotspot-server 172.16.30.1 ports 5780 5408
 client-network 172.16.30.0 255.255.255.0
 client-static 172.16.30.0 255.255.255.0
 client-local-dns on
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal https://captive.ransnet.com/RNSrilanka/Portalvlan30/login.php
 start

Deployment References Links (Videos/Demos)

NOTE

syslog server (user access logging) is enabled to collect DNS access logs and storing data up to last 5 days.

User access records are stored up to last 90 days

User info (username and profile data) is kept unlimited