Roaming with Multi-VLAN and Single SSID/Portal

Roaming – LAN Hotspot

This sample scenario represents a very large HSG deployment where you want to offer a seamless user experience across the entire network. Because of the large size of the network, you may have a single SSID that is mapped to multiple VLANs at different locations, all sharing the same login portal.

  • Can use any type of AP at LAN side
  • Have dedicated management VLAN for AP management addressing (VLAN1)
  • Single SSID, but mapped to different VLANs at different locations
  • Same portal across all VLANs, and seamless user roaming experience across VLANs

Common use cases

Large Hotels | Large Shopping malls | Large Tourism places | Airports, stadiums, etc.

Deployment of Single SSID, Portal and Multi-VLAN for Roaming Using UI

Prerequisite
  1. Upgrade the Hotspot Gateway box firmware to version 20210213-2300. See link Upgrade Firmware
  2. Connect the WAN Interface of HSG to the ISP device (ONT or Modem)
    • Info – The WAN port (eth0) of HSG is pre-configured to get a DHCP IP from the ISP ONT/modem (or upstream router).
  3. Connect the ETH1 port of HSG to the LAN Switch.
    • Info – The ETH1 port (eth1) of HSG is pre-configured to release IP to LAN.
  4. Connect the AP to the LAN Switch
    • Use default VLAN1 as management VLAN for AP/WLC
      • The Access Point will receive a DHCP IP from HSG from network 192.168.8.0/22
      • Info – Reserved IP for WLC or other devices, range from 192.168.8.2 to 192.168.8.99.
    • Add all VLANs on the switch (VLAN10, 20, 30), configure all switch-ports to be in trunk mode, and permit all VLANs for each port (default)
    • Configure the APs to broadcast the desired SSID, and assign the Access Points (e.g. at different locations) to the different pre-configured VLANs while sharing the same SSID.
  5. Connect the ETH2 port to a PC for Management
    • Info – The ETH2 port (eth2) of HSG is pre-configured to release IP.
Procedure

Step 1 – Access to Hotspot Management UI

  1. Log in to the Hotspot Gateway UI
    • On-premises Hotspot Gateway – Use the Management PC to browse to http://10.10.10.1 and log in with the credentials.

Image 2 : Hotspot Gateway login screen

Step 2 – Create Entity, User Account, and Permission for the User Account

  1. Create Entity – See link Create Customer Entity
    • User can use the Company name as entity name
  2. Create and Configure Permission for the User Account
    • Navigate to ‘ADMIN > Permissions‘. Click on the button and configure the required permission.
    • Recommendation – Create the new User Account and in the Profile field select ‘Super admin’ for this Scenario.
  3. Create User Account – See link Create User Account

Step 3 – Create VLANs (10, 20 & 30) in eth1 interface

  1. Navigate to ‘NETWORK SETTINGS > Interfaces > VLAN‘ tab and click on the button, See link New VLAN interface
    • Configure three new VLANs. Example settings for VLAN 10 are shown in Table 1 below, and the details for the three VLANs are as follows.
      1. VLAN10 | IP – 172.16.10.1/24
      2. VLAN20 | IP – 172.16.20.1/24
      3. VLAN30 | IP – 172.16.30.1/24

NOTE

The table below shows the configuration values for VLAN ID 10; configure the other VLANs accordingly.

| S/N | Section | Field | Value |
|---|---|---|---|
| 01 | New Interface VLAN | VLAN Name | vlan10 |
| | | Admin Status | Enabled |
| | | Physical Interface | eth1 |
| | | IP/Netmask (IP Address/Mask) | 172.16.10.1/24 |
| 02 | DHCP Server | DHCP Description | vlan10 dhcp pool |
| | | DNS Servers | Default |
| | | Client Default Gateway | 172.16.10.1 |
| | | Lease Time | Default |
| 03 | Hotspot Service | | Enable |

Table 1: New VLANs settings for Multi SSID Scenario

Step 4 – Create, Configure Captive Portal and Login Method

  1. Create three different Captive Portal and different portals. User can use the below portal name and the portal template. See link Create/Edit Captive portal.
    • Portal name – ‘Portal_Roam1’ | portal template – ‘Prestige’
  2. Configure Login Method (Email Registration method with few ‘Userinfo’ collection). Enable Login Methods as mentioned below. See link Login Method Types.
Portal Name: Portal_Roam1
Portal Template: Prestige
Entity: Customer’s Entity name
Login Method: Email Registration

Step 5 – Configure Hotspot Instance (VLAN10, VLAN20, VLAN30) Interface and Enable Seamless Roaming.

After the first successful login by a user (from a specific device), the user can log in again during the account validity period without being prompted with the Captive portal login page. This feature offers a seamless user experience, which is particularly important for hotel guests.

  1. Navigate to ‘Hotspot Settings > Hotspot Instances‘. Click on ‘vlan10′ below the interface column heading and configure all three sections of the vlan10 instance, as per the Table 2 settings below.

NOTE

The table below shows the configuration values for VLAN ID 10; configure the other VLANs accordingly.

| S/N | Section | Field | Value |
|---|---|---|---|
| 01 | Hotspot Instance Base Config | Hotspot Enable | enable by ticking the option |
| | | Hotspot Portal | Select the Portal according to the VLAN interface. Eg: http://captive.ransnet.com/pid/Portal_Roam1/login.php |
| 02 | Hotspot Instance Optional Config | Client Parameters | Permit External Client Network – 172.16.10.0; Permit External Client Netmask – 255.255.255.0 |
| | | Redirect/Success URL | http://www.ransnet.com |
| | | Bypass/Whitelist By | Destination Domain – .ransnet.com; Destination IP/URL – 2.1.2.1 |
| | | Seamless Relogin (Sticky Client) | Since First Login: 1; Roaming VLAN/Network: vlan10, vlan20, vlan30. Info: The Sticky Client Session data can be found in the RADIUS database, under ‘HOTSPOT USERS > User Sessions > Client Sticky Sessions’ |
| | | Enable/Disable Parameters | Intercept DNS Requests – enable by ticking the option |

Table 2: VLAN 10 Hotspot Instance settings

  • Step 5 Cont….
    • Configure the remaining VLANs (20 & 30) as per above Table.

NOTE

“Client sticky” only works for the on-premise deployment design, with HSG as the local gateway. (For the Cloudx design, with HSA/UA as the local Hotspot Controller, we must use “portal sticky” to achieve seamless relogin.)

“Client sticky” is completely seamless, so there is no option to redirect the user to an external landing URL (marketing pages) upon seamless relogin.

With “Client sticky”, when a returning user gets an IP address and initiates a connection across HSG (web or non-web), HSG looks up its “MAC <—> username” mapping in the “sticky session” table and authenticates with RADIUS on behalf of the user before the captive portal kicks in (autologin in the background). This bypasses the portal login process and appears “seamless” to users, but there is still an authentication process. RADIUS still tracks each connection/session for analytics and enforces the respective access policy (speed, time, quota, etc.); e.g. if the user account has expired, login will fail and the user will be prompted with the Captive portal page to log in again.

Sometimes, when a large number of users connect back to HSG (e.g. after an outage of the Wi-Fi network, when Wi-Fi recovers and all users reconnect), the autologin process may be “slower” for some users (the captive portal/splash page kicks in faster than autologin), and these users will still be prompted with the portal login. To overcome this, we can use “client-sticky” in combination with the “portal sticky” feature.

Step 6 – Configure Access Control

  1. Configure Email Registration profile (PortalRoam1) for Guest users.
    • Navigate to ‘HOTSPOT USERS > Access Profile‘ and locate for
    • Note To configure the Email Registration profile, the user has to first test the Captive portal Email Registration Authentication. After the first test is successful, the Email OTP auto-creates the profile in ‘Access Profile’ in the format of (RansNet_[Device Name]_[Interface Name]_[MAC Address, last 4 digits]_<<emailonepageotp??>>. Eg : RansNet_mbox_br-vlan10_96-19_emailonepageotp). User can click on the Profile name and configure the account info settings as per the user requirement.

NOTE

User should use the UI to configure the Captive portal, Login Method and Access Profile.

-----------------------------------Default Configuration--------------------------
hostname HSG800-WT
!
interface eth0
 description "Default connection to WAN"
 enable
 ip address dhcp
!
interface eth1
 description "Default connection to LAN"
 enable
 ip address 192.168.8.1/22
 dhcp-server
  description "DHCP-ETH1 DHCP"
  lease-time 86400
  router 192.168.8.1
  dns 8.8.8.8 8.8.4.4
  range 192.168.8.100 192.168.11.254
!
interface eth2
 description "Default OOB-Mgmt"
 enable
 ip address 10.10.10.1/24
 dhcp-server
  lease-time 86400 86400
  router 10.10.10.1
  dns 8.8.8.8 8.8.4.4
  range 10.10.10.10 10.10.10.20
  enable
!
interface eth3
 description "Reserved network"
!
interface vlan 1 10
 description "Staff VLAN"
 enable
 ip address 172.16.10.1/24
 dhcp-server
  lease-time 86400
  router 172.16.10.1
  dns 8.8.8.8 8.8.4.4
  range 172.16.10.2 172.16.10.254
  enable
!
interface vlan 1 20
 description "Guest VLAN"
 enable
 ip address 172.16.20.1/24
 dhcp-server
  lease-time 86400
  router 172.16.20.1
  dns 8.8.8.8 8.8.4.4
  range 172.16.20.2 172.16.20.254
  enable
!
interface vlan 1 30
 description "Cafeteria VLAN"
 enable
 ip address 172.16.30.1/24
 dhcp-server
  lease-time 86400
  router 172.16.30.1
  dns 8.8.8.8 8.8.4.4
  range 172.16.30.2 172.16.30.254
  enable
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip name-server 8.8.8.8 8.8.4.4
!
ip ntp-server 203.211.159.1 62.201.225.9
!
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host splash.ransnet.com 2.1.2.1 rewrite
!
firewall-input 10 permit all tcp dport 80 src 10.0.0.0/8 admin remark "WEB mgmt from OOB"
firewall-input 11 permit all tcp dport 22 src 10.0.0.0/8 remark "SSH mgmt from OOB"
!
firewall-access 10 permit outbound eth0
!
firewall-snat 10 overload outbound eth0
!
security radius-server
 client 2.1.2.1 key testing123 name HSG800WT
 start
-----------------------------------Default Configuration--------------------------
!
security hotspot vlan10
 hotspot-server 172.16.10.1 ports 5205 4029
 client-network 172.16.10.0 255.255.255.0
 client-static 172.16.10.0 255.255.255.0
 client-sticky start 1
 client-sticky-vlanlist vlan10,vlan20,vlan30
 client-local-dns on
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal https://captive.ransnet.com/RNSrilanka/Portal_Roam1/login.php
 start
!
security hotspot vlan20
 hotspot-server 172.16.20.1 ports 5549 4985
 client-network 172.16.20.0 255.255.255.0
 client-static 172.16.20.0 255.255.255.0
 client-sticky start 1
 client-sticky-vlanlist vlan10,vlan20,vlan30
 client-local-dns on
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal https://captive.ransnet.com/RNSrilanka/Portal_Roam1/login.php
 start
!
security hotspot vlan30
 hotspot-server 172.16.30.1 ports 5780 5408
 client-network 172.16.30.0 255.255.255.0
 client-static 172.16.30.0 255.255.255.0
 client-sticky start 1
 client-sticky-vlanlist vlan10,vlan20,vlan30
 client-local-dns on
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal https://captive.ransnet.com/RNSrilanka/Portal_Roam1/login.php
 start

NOTE

The 2 commands below need to be configured in the Hotspot Instances to activate Seamless Roaming in the Hotspot Gateway.

client-sticky start <no of days>: This command keeps the user session for <x days>, counting from the first login.
client-sticky-vlanlist <VLANs x interfaces>: This command allows clients to roam across different VLANs without having to log in again.
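
A consistency check for the two commands above, as an added example (not RansNet code or tooling): it parses 'security hotspot' stanzas in the CLI layout shown on this page and reports sticky settings that would force a roaming client back to the portal login. The sample configuration is constructed, the function names parse_hotspots and lint_roaming are chosen for this example, and it assumes every roaming instance should list all instances, as the configuration on this page does.

```python
import re

# Constructed sample in the CLI layout used on this page. It is not a real device
# export: vlan20 has a misspelled list entry, vlan30 lacks 'client-sticky start'.
SAMPLE = """\
security hotspot vlan10
 client-sticky start 1
 client-sticky-vlanlist vlan10,vlan20,vlan30
!
security hotspot vlan20
 client-sticky start 1
 client-sticky-vlanlist vlan10,vlna20,vlan30
!
security hotspot vlan30
 client-sticky-vlanlist vlan10,vlan20,vlan30
"""

def parse_hotspots(text):
    """Map each 'security hotspot <name>' stanza to its sticky settings."""
    instances, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"security hotspot (\S+)", line):
            current = instances.setdefault(m.group(1), {"days": None, "vlans": None})
        elif not raw.startswith(" "):
            current = None  # '!', a blank line or another top-level command ends the stanza
        elif current is not None:
            if m := re.fullmatch(r"client-sticky start (\d+)", line):
                current["days"] = int(m.group(1))
            elif m := re.fullmatch(r"client-sticky-vlanlist (\S+)", line):
                current["vlans"] = m.group(1).split(",")
    return instances

def lint_roaming(text):
    """Return findings that would force a portal login when a client roams."""
    inst, findings = parse_hotspots(text), []
    for name, cfg in inst.items():
        if cfg["days"] is None:
            findings.append(f"{name}: missing 'client-sticky start'")
        if cfg["vlans"] is None:
            findings.append(f"{name}: missing 'client-sticky-vlanlist'")
            continue
        # Assumption: every roaming instance lists every instance, itself included.
        findings += [f"{name}: '{v}' is not a hotspot instance" for v in cfg["vlans"] if v not in inst]
        findings += [f"{name}: '{o}' missing from vlanlist" for o in inst if o not in cfg["vlans"]]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_roaming(SAMPLE)))
```

Run it against a saved copy of the running configuration before deployment; an empty result means every instance has a sticky period and the same complete VLAN list.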

Deployment References Links (Videos/Demos)

NOTE

The syslog server (user access logging) is enabled to collect DNS access logs and stores data for up to the last 5 days.

User access records are stored for up to the last 90 days.

User info (username and profile data) is kept with no limit.