Overview
Hotspot provides guest internet access with granular User Access Control and Security Enforcement. It allows enterprises or venue owners to offer flexible and customized internet access for Guests, VIP Members, or Public users.
The Hotspot sitting at the Internet Edge, RansNet Hotspot Gateway manages user’s internet access through a few key modules:
.
HotSpot Access Controller
Is a combination of DHCP server, Firewall, and Bandwidth control engines, granting Internet Access for users and enforces their respective Access Profile based on AAA/RADIUS client policies. It intercepts user’s initial browsing requests and redirects to a Captive Portal for Authentication credentials, accepting terms, and enforces the Authorization (client rights) returned by AAA/RADIUS server for each authenticated user.
NOTE
HotSpot Access Controller is not referring to the wireless access controller.
One Hotspot Gateway device can support multiple instances of HotSpot Access Controller. Each instance maps to a different VLAN or Network for different access controls (Eg: different Captive Portal pages, different bandwidth control policies), so that we can enforce different user experience for users coming from different networks.
HSG hotspot Access controller supports following features:
Multi-instance, multi-VLAN support.
Built-In DHCP server for client DHCP address assignment for each VLAN. Each instance of HotSpot Access controller (for each VLAN) can issue different subnets of DHCP addresses and redirects to the different captive portal login page.
MAC address bypass (eg. default pass-through for some devices), domain bypass, and URL bypass (eg. default pass-through for some destination domains or URLs).
Per-user, per session bandwidth control, based on username or user’s VLAN
Dynamic bandwidth allocation per user, dynamically re-allocating per user bandwidth by adapting to back-haul link utilization.
Dynamic VLAN steering builds Personal Area Network (PAN) to group devices with the same Access Rights to their dedicated Private VLAN/Network.
Scheduled Advertisment for Landing page.
.
Captive Portal
Its a built-in web server that prompts user to customizable web login page. It also interacts with Access Controller and AAA/RADIUS server to enable user credential inputs and integrates with RansNet cloud advertising server to stream landing page ads etc.
AAA / RADIUS server
AAA/RADIUS server validates user credentials, and passes user access policies (bandwidth per user, session time, volume/usage, etc.) to the Access Controller for enforcement.
There are a few commonly used interchangeable names, which are all referring to the same function that helps to authenticate user access, issues access policies for NAS/mbox to enforce and stores user access records, they are called differently at different places but all mean the same thing:
- UAM Server (User Access Manager)
- AAA Server (Authentication, Authorization, Accounting)
- RADIUS Servers (Remote Authentication Dial-In User Service)
NOTE
The word ‘RADIUS’ is used most of the technical documentation
MACC (Mobile Access Cloud Center)
MACC implements AP management, and also manages wireless control functions the same as those of the conventional hardware AC, such as automatic channel and power adjustment, optimized radio frequency (RF) management, and L2/L3 roaming, providing an actually available wireless network. <<Link to MACC topics>>
The cloud Wi-Fi management and control platform developed by Networks for chain stores, small and medium enterprises, enterprises with a headquarters-branch structure, operator networks, and lightweight scenarios.
Advertising Gateway
RansNet cloud advertising server centrally manage and stream Wi-Fi advertisement (image or video banners) to their target portals/locations, schedule ads push at different time/date with different weights, and report statistics on impressions and click-through rates etc. The ads push natively works with mbox captive portal as a pop-up prior to login page <<Link to Monetization>> ??
Understanding Workflow of HotSpot User Access
.
- The user’s device (Mobile/Computer) connects to the Local Area Network (LAN) through Wireless-open SSID (can be any wireless Infra with MAP or 3rd-party Access Point or to a normal switch port), and then the client device gets the IP address from DHCP server.
- User browses Internet using a standard browser, The browsing request hits the mbox LAN/VLAN interface and intercepted by HotSpot Access Controller.
- mbox HotSpot Access controller redirects the User’s device browser to a Captive Portal login page.
- The user entries the Login credentials In the Captive Portal login page, which is forwarded to HotSpot Access Controller, which then sends to the RADIUS server for validation.
- RADIUS server validates user credentials and returns Access/Reject result to HotSpot Access Controller, together with a set of authorized profiles access rights for the authenticated user.
- HSG HotSpot Access Controller grants users Internet access and enforces respective rights passed by RADIUS.
NOTE
One HSG support multiple MAP/HSA/UA. Sizing of HSG is based on 10 x no. of MAP/HSA/UA. Eg: to support up to 20 MAP/HSA/UA, use HSG-200; to support up to 80 MAP/HSA/UA, use HSG-800.
Different organizations need to have dedicated HSG since the RADIUS database can not be shared.
In Cloud model, the external HSG can run on a virtual machine since it will not function as a gateway, and only host’s RADIUS and Captive Portals for MAP/HSA/UA.