Securepoint Network Access Controller (NAC)

Installation Guide Business Class Secure Mobility

Version 1

2 Securepoint NAC Installation Guide

1 Table of contents

1 Table of contents ..... 2
2 Table of figures ..... 4
3 Introduction ..... 8
4 Installation ..... 8
5 Logging in to the SECUREPOINT administration tool ..... 11
6 SECUREPOINT license installation ..... 14
6.1 Automatic installation ..... 14
6.2 Manual installation ..... 15
7 Configuring the SECUREPOINT controller ..... 17
7.1 Network configuration ..... 19
7.1.1 Configuration of basic controller parameters ..... 20
7.1.2 Configuring incoming VLANs ..... 21
7.1.3 Configuration of outgoing VLANs ..... 24
7.1.3.1 Configuring local output policies ..... 26
7.1.4 Configuring static output routes ..... 28
7.1.5 Time server configuration ..... 31
7.1.6 Configuration of DNS records ..... 31
7.1.6.1 DNS usage recommendations ..... 33
7.1.7 Configuring filtering options ..... 34
7.2 Configuring authentication ..... 35
7.2.1 Configuring an external authentication directory ..... 35
7.2.1.1 Setting up an external directory and SECUREPOINT directory cascade ..... 40
7.2.2 Configuring certificates ..... 42
7.2.3 RADIUS configuration ..... 43
7.2.4 Windows configuration ..... 45
7.3 Configuring “Zero configuration” ..... 46
7.3.1 Configuring the “fixed IP” mechanism ..... 46
7.3.2 Configuring the “Web” service ..... 47
7.3.3 Configuring the redirection service to an email server ..... 49
7.4 Customization ..... 52
7.4.1 Customization of the SECUREPOINT captive portal ..... 52
7.4.1.1 Adding a portal ..... 54
7.4.1.2 Changing a portal ..... 58
7.4.1.3 SECUREPOINT portal operation depending on the various modes ..... 58
7.4.1.4 Registration by SMS mode ..... 59
7.4.1.5 Registration by email mode ..... 61
7.4.1.6 Time credit purchase mode via PayPal ..... 63
7.4.1.7 Method with use of a PMS ..... 66
7.4.1.8 Mode with use of prepaid cards (PPS) ..... 67
7.4.1.9 Graphics customization ..... 69
7.4.2 Customization of connection tickets ..... 70
7.4.3 Configuring open-access URLs ..... 74
7.5 Configuring the logging mechanism ..... 76
7.5.1 Logging criteria ..... 76
7.5.2 Purging the log database ..... 77
7.5.2.1 Generating backup files ..... 77
7.5.2.2 Compressing backup files ..... 78
7.5.2.3 Deleting backup files ..... 78
7.5.2.4 Automatic export of backup files ..... 78
7.5.3 Access to the SQL log database ..... 79
7.6 Configuring external communication services ..... 80
7.6.1 Configuring SMS service ..... 80
7.6.2 Configuring the email server ..... 84
7.7 Configuring interfaces with the SECUREPOINT controller ..... 86
7.7.1 SNMP Interface ..... 86
7.7.2 PMS Interface ..... 88
7.7.2.1 Defining packages ..... 90
7.7.2.2 PMS configuration ..... 91
7.7.3 PPS Interface ..... 92
8 Configuring active elements ..... 94
8.1 Configuring Wi-Fi access points ..... 94
8.2 Configuring switches ..... 94
9 What’s next ..... 95
10 Appendix 1: SECUREPOINT MIB ..... 96
11 Appendix 2: PMS/FIAS Protocol ..... 109

2 Table of figures

Figure 1: Securepoint NAC installation diagram for “NAC 100” format .................................................. 9

Figure 2: Securepoint NAC installation diagram for “NAC 200” format .................................................. 9

Figure 3: Securepoint NAC installation diagram for “NAC 400” format ................................................ 10

Figure 4: UPnP discovery under Windows XP ....................................................................................... 11

Figure 5: Securepoint NAC administration tool authentication page ................................................... 12

Figure 6: Securepoint NAC homepage with no license ......................................................................... 13

Figure 7: Downloading documentation ................................................................................................. 13

Figure 8: SECUREPOINT license installation .......................................................................................... 14

Figure 9: Automatic license registration ............................................................................................... 15

Figure 10: Manual license installation ................................................................................................... 15

Figure 11: License file generation ......................................................................................................... 16

Figure 12: Manual license registration .................................................................................................. 16

Figure 13: Restoring license .................................................................................................................. 17

Figure 14: Securepoint NAC configuration homepage .......................................................................... 18

Figure 15: Network menu items ............................................................................................................ 19

Figure 16: Configuration of basic controller parameters ...................................................................... 20

Figure 17: Configuring incoming VLANs ................................................................................................ 21

Figure 18: Adding an incoming VLAN .................................................................................................... 22

Figure 19: Incoming VLAN configuration example ................................................................................ 23

Figure 20: DHCP parameter settings for an incoming VLAN ................................................................. 23

Figure 21: Adding a fixed lease .............................................................................................................. 23

Figure 22: Configuration of outgoing VLANs ......................................................................................... 24

Figure 23: Adding an outgoing VLAN ..................................................................................................... 25

Figure 24: Example of creating an outgoing VLAN ................................................................................ 26

Figure 25: Default output policy for the native VLAN ........................................................................... 26

Figure 26: Adding an output policy ....................................................................................................... 27

Figure 27: Example of configuring additional outgoing VLANs ............................................................. 28

Figure 28: Example of output policies ................................................................................................... 28

Figure 29: Configuring static output routes .......................................................................................... 29

Figure 30: Adding a static route ............................................................................................................ 30

Figure 31: Example of static route configuration .................................................................................. 30

Figure 32: Time server configuration .................................................................................................... 31

Figure 33: Configuration of DNS records ............................................................................................... 32

Figure 34: Adding a new DNS ................................................................................................................ 33

Figure 35: Example of DNS configuration ............................................................................................. 33

Figure 36: Configuring SECUREPOINT filtering options ......................................................................... 34

Figure 37: Items on the Authentication menu ...................................................................................... 35

Figure 38: Configuring authentication directories ................................................................................ 36

Figure 39: Configuring an authentication directory .............................................................................. 37

Figure 40: Configuring the general settings for an external directory .................................................. 37

Figure 41: Configuring the connection settings for an external Active Directory ................................. 38

Figure 42: Configuring the connection settings for an external LDAP directory ................................... 38

Figure 43: Configuring profile search parameters (Active Directory) ................................................... 39

Figure 44: Configuring profile search parameters (LDAP) ..................................................................... 40

Figure 45: Configuring directory cascades ............................................................................................ 41

Figure 46: Example of directory cascade configuration ........................................................................ 42

Figure 47: Loading certificates .............................................................................................................. 43

Figure 48: Displaying the content of a certificate ................................................................................. 43

Figure 49: Configuring SECUREPOINT RADIUS ...................................................................................... 44

Figure 50: Example of NAS configuration .............................................................................................. 45

Figure 51: Registration in a Windows domain ...................................................................................... 45

Figure 52: Example of registration in a Windows domain .................................................................... 46

Figure 53: Items on the Zero configuration menu ................................................................................ 46

Figure 54: Configuring “Fixed IP” mode ................................................................................................ 47

Figure 55: Configuring the “Web” service ............................................................................................. 48

Figure 56: Redirection configuration to parent proxy .......................................................................... 49

Figure 57: Configuring the redirection service to an email server ........................................................ 50

Figure 58: Selecting SMTP redirection configuration methods ............................................................ 51

Figure 59: Example of configuring SMTP redirection ............................................................................ 51

Figure 60: Example of SMTP relay configuration .................................................................................. 52

Figure 61: Items on the Customization menu ....................................................................................... 52

Figure 62: Configuring the SECUREPOINT portals ................................................................................. 53

Figure 63: Displaying the parameter settings for a SECUREPOINT portal ............................................. 53

Figure 64: Adding a new portal ............................................................................................................. 54

Figure 65: Example of configuring a SECUREPOINT portal (with redirection) ...................................... 55

Figure 66: Example of configuring an external portal ........................................................................... 56

Figure 67: Example of portal language configuration ........................................................................... 57

Figure 68: Example of configuring a charter for the portal ................................................................... 58

Figure 69: Example of a SECUREPOINT portal ....................................................................................... 58

Figure 70: SECUREPOINT portal with SMS registration ......................................................................... 60

Figure 71: User self-SMS registration from the SECUREPOINT portal .................................................. 60

Figure 72: Configuring the SECUREPOINT portal with SMS registration ............................................... 61

Figure 73: SECUREPOINT Portal with email registration ....................................................................... 62

Figure 74: User self-email registration from the SECUREPOINT portal ................................................ 62

Figure 75: Configuring the SECUREPOINT portal with on-line email registration ................................. 63

Figure 76: SECUREPOINT portal with online payment .......................................................................... 64

Figure 77: Login and password delivery during on-line payment ......................................................... 64

Figure 78: Configuring the SECUREPOINT portal with on-line payment ............................................... 65

Figure 79: Example of SECUREPOINT portal with package use (PMS) .................................................. 66

Figure 80: Example of user feedback after choosing a package ........................................................... 67

Figure 81: Configuring the SECUREPOINT portal with PMS use ............................................................ 67

Figure 82: SECUREPOINT portal with PPS use ....................................................................................... 68

Figure 83: Example of feedback for a SECUREPOINT PPS portal ........................................................... 68

Figure 84: Configuring the SECUREPOINT portal with use of prepaid cards (PPS) ............................... 69

Figure 85: SECUREPOINT portal editor .................................................................................................. 69

Figure 86: Customization of connection tickets .................................................................................... 71

Figure 87: Example of connection ticket configuration ........................................................................ 72

Figure 88: Example: connection ticket in A4 format ............................................................................. 73

Figure 89: Connection ticket editor (in badge format) ......................................................................... 74

Figure 90: Example: connection ticket in badge format ....................................................................... 74

Figure 91: Configuring open-access URLs ............................................................................................. 75

Figure 92: Adding an open-access URL ................................................................................................. 75

Figure 93: Open-access URL .................................................................................................................. 75

Figure 94: Logging configuration ........................................................................................................... 76

Figure 95: Example of configuring the log purge criteria ...................................................................... 77

Figure 96: Generating backup files ........................................................................................................ 77

Figure 97: Enabling log backup compression ........................................................................................ 78

Figure 98: Automatic deletion of backup files ...................................................................................... 78

Figure 99: Example of configuring FTP export of log files ..................................................................... 79

Figure 100: Example of configuration to allow access to the SQL log files ........................................... 80

Figure 101: Items on the External services menu ................................................................................. 80

Figure 102: SMS accounts configuration ............................................................................................... 81

Figure 103: Adding an SMS account ...................................................................................................... 82

Figure 104: Example of configuring an SMS account ............................................................................ 83

Figure 105: Configuring email server accounts ..................................................................................... 84

Figure 106: Adding an email server account ......................................................................................... 85

Figure 107: Example of configuring an email account .......................................................................... 86

Figure 108: Items on the Interfaces with the controller menu ............................................................. 86

Figure 109: Configuring the SNMP interface ......................................................................................... 87

Figure 110: Configuring the PMS interface ........................................................................................... 89

Figure 111: Configuring a package ........................................................................................................ 90

Figure 112: Package display .................................................................................................................. 91

Figure 113: Configuring the PMS connection settings .......................................................................... 91

Figure 114: PPS configuration ............................................................................................................... 93

Figure 115: Configuring the PPS connection settings ........................................................................... 93

3 Introduction

This guide is intended for system and/or network administrators responsible for installing and configuring Securepoint NAC.

Securepoint NAC is an appliance located between the users’ access infrastructure (Wi-Fi and/or wired) and the company’s local network.

Securepoint NAC provides the following major functions:

User authentication;

Management of access rights by user profile based on location and time;

Data confidentiality;

Zero configuration access for users;

Provision of accounts by delegation and/or self-registration;

Monitoring and logging;

Integration with legacy network.

We will be showing how to install and configure Securepoint NAC in this guide. For administration, see the “Securepoint NAC Administration Guide”.

Note: We will be using the terms “box” and “controller” interchangeably in this guide to refer to Securepoint NAC. The term “controller” is in particular the one used by the graphical interface of the SECUREPOINT administration tools.

4 Installation

Securepoint NAC is installed at the logical (or physical) divide between the company LAN and the users’ access network (Wi-Fi and/or wired). All traffic to or from users must pass through the SECUREPOINT box. To achieve this, the SECUREPOINT box is fitted with two Ethernet cards, one being connected to the LAN, the other to the access network.

Installation is carried out as follows:

1. Connect one Ethernet cable from the eth0 interface of the SECUREPOINT box to the LAN.

2. Connect one Ethernet cable from the eth1 interface of the SECUREPOINT box to the access Wi-Fi and/or wired infrastructure (for example: the switch to which the access points are connected).

3. Connect to the 220 V or 110 V mains power supply.

Securepoint NAC installation diagrams depending on the hardware model are shown below:

Figure 1: Securepoint NAC installation diagram for “NAC 100” format

Figure 2: Securepoint NAC installation diagram for “NAC 200” format

Figure 3: Securepoint NAC installation diagram for “NAC 400” format

Note: It is possible to connect user workstations with wired connections to the eth1 side of the SECUREPOINT box.

Attention: If SECUREPOINT is directly connected to an ADSL modem on the eth0 side, the modem must provide the router function.

Attention: Complete all the connections before starting up the SECUREPOINT box.

5 Logging in to the SECUREPOINT administration tool

Logging in to the administration console requires access to the SECUREPOINT controller. The controller can be found through the UPnP announcements that it broadcasts over the network at regular intervals across all its network interfaces.

Note: The UPnP service can be disabled (no announcements are then broadcast), and the interval between announcement broadcasts can be changed. See Section 7.1.1.

Attention: To find controllers in this way, the administrator workstation needs to have a UPnP client installed and enabled.

An administrator workstation can then easily gain access to the controller by browsing the peripherals discovered by UPnP, as the screen image below shows:

Figure 4: UPnP discovery under Windows XP

Access to the controller may be achieved using the peripheral address supplied in the UPnP announcement. Since this address is derived from the controller’s IP address, the controller must always have a valid IP address. If no DHCP server is found on the network to supply it with one, the controller falls back on the auto-IP mechanism to assign itself an address.

In the above example, the IP address of the controller will be 10.0.0.133. The administration console will be available at:

https://10.0.0.133/admin
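The discovery mechanism described above relies on the controller multicasting UPnP (SSDP) announcements on all of its interfaces, and on the administrator deriving the console URL from the address those announcements carry. The following Python script, an added example that is not part of the original guide or of Securepoint’s software, parses one such announcement, derives the https://<ip>/admin console URL in the same way as the 10.0.0.133 example, and flags the case where the advertised address is a link-local auto-IP address (meaning no DHCP server answered the controller). The sample NOTIFY message, its LOCATION port and its USN value are constructed placeholders in the standard SSDP layout, not headers captured from a real controller; a defender can run the same parser over messages captured with a multicast listener on 239.255.255.250:1900 to inventory which controllers still announce themselves once the UPnP service is meant to be disabled.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of a UPnP/SSDP NOTIFY announcement of the kind a device
# multicasts to 239.255.255.250:1900. All header values are illustrative
# placeholders; they were not captured from a Securepoint controller.
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://10.0.0.133:49152/description.xml\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "SERVER: Linux UPnP/1.0 example-controller/1.0\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)

# IPv4 link-local range used by the auto-IP (APIPA / RFC 3927) fallback.
AUTO_IP_NET = ipaddress.ip_network("169.254.0.0/16")


def parse_ssdp_headers(message: str) -> dict:
    """Parse an SSDP NOTIFY (or M-SEARCH 200 response) into a dict keyed by
    upper-cased header name. Raises ValueError on anything that is not SSDP."""
    lines = message.split("\r\n")
    if not lines or not lines[0].startswith(("NOTIFY", "HTTP/1.1 200")):
        raise ValueError("not an SSDP announcement or search response")
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # the blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().upper()] = value.strip()
    return headers


def controller_address(message: str) -> str:
    """Return the IP address advertised in the LOCATION header as a string."""
    headers = parse_ssdp_headers(message)
    location = headers.get("LOCATION")
    if location is None:
        raise ValueError("announcement carries no LOCATION header")
    host = urlsplit(location).hostname
    if host is None:
        raise ValueError(f"LOCATION has no host part: {location!r}")
    # ip_address() rejects hostnames, so a non-literal host fails loudly here.
    return str(ipaddress.ip_address(host))


def admin_console_url(message: str) -> str:
    """Build the administration console URL (https://<ip>/admin) from an
    announcement, as the guide does for the 10.0.0.133 example."""
    return f"https://{controller_address(message)}/admin"


def uses_auto_ip(message: str) -> bool:
    """True when the advertised address is link-local, i.e. the controller
    found no DHCP server and fell back on the auto-IP mechanism."""
    return ipaddress.ip_address(controller_address(message)) in AUTO_IP_NET


def is_alive(message: str) -> bool:
    """True for an ssdp:alive announcement (as opposed to ssdp:byebye)."""
    return parse_ssdp_headers(message).get("NTS") == "ssdp:alive"


if __name__ == "__main__":
    print(admin_console_url(SAMPLE_NOTIFY))          # https://10.0.0.133/admin
    print("alive:", is_alive(SAMPLE_NOTIFY))
    print("auto-IP fallback:", uses_auto_ip(SAMPLE_NOTIFY))
```

An address in 169.254.0.0/16 reported by `uses_auto_ip` is worth treating as an installation fault rather than a working state: it means the eth0 side never obtained a DHCP lease, so the controller is reachable for administration but not yet integrated with the LAN.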

If, however, the administrator workstation has no UPnP client, access to the administration console is achieved by opening the following address in an Internet browser on your computer:

https://controller.mobile.lan/admin

You need to have connected your computer to the SECUREPOINT box beforehand, following one of the methods described below:

1. Connect your computer to the eth1 (IN) interface on the SECUREPOINT box using a network cable.

2. Connect your computer, using a network cable with the right connector type, to the switch to which the access points are connected, this switch itself being connected to the SECUREPOINT box.

3. Associate yourself with an access point connected to the SECUREPOINT box, using the SSID, which has been configured for the purpose.

The authentication page is displayed:

Figure 5: Securepoint NAC administration tool authentication page

Note: In its multi-lingual version, SECUREPOINT offers dynamic language selection on every page.

Enter your login and password to authenticate. Once authenticated, the welcome page is displayed. By default, the login is admin and the password is insecure.

Attention: The SECUREPOINT controller forces an administrator password change. See the “Securepoint NAC Administration Guide”, “Operation” section, for this aspect.

Figure 6: Securepoint NAC homepage with no license

Attention: The homepage may indicate that the license must be installed beforehand (see next section).

Note: It is possible to restart or shut down the SECUREPOINT box at any time by clicking respectively on Restart or Shutdown in the menu bar.

Documentation is available on line, by clicking on Documentation in the menu bar.

The documentation on offer can be downloaded in PDF format, in English, German and French, as shown in the screen image below.

Figure 7: Downloading documentation

Note: If the license is not yet installed, all the documentation is offered (NAC 100 to NAC 400 ranges).

6 SECUREPOINT license installation

Installing the SECUREPOINT license is essential to ensure that the SECUREPOINT box runs properly. The license determines the range and model of the SECUREPOINT box (NAC 100, NAC 200, etc.).

Click on the Operations option in the menu bar, then on the License option in the left-hand menu.

The license update page is displayed:

Figure 8: SECUREPOINT license installation

6.1 Automatic installation

Enter the contact details of the installation company and the client company, then click the Install license button.

If the installation completes successfully, a confirmation message is displayed, for example:

Figure 9: Automatic license registration

Otherwise, carry out a manual installation.

6.2 Manual installation

To install a license manually, follow the steps below.

1. Open the manual license update panel by clicking on the “+” icon. The following page is displayed:

Figure 10: Manual license installation

2. Click on the link

https://maintenance.securepoint.com/gestion/licence.php


The following page is displayed:

Figure 11: License file generation

3. Enter the string shown in the captcha image, the SECUREPOINT controller’s serial number and the contact details of the installation company and the client company, then click Confirm.

4. You are prompted to download a “license.tgz” file. Save this file to your workstation.

5. Import the file on the controller using the Browse… button.

6. Save the license by clicking on Save.

Once the license is saved, a confirmation message is displayed, e.g.:

Figure 12: Manual license registration

The full set of functions can now be used.

If, however, the license is not valid, the previous license can be restored by clicking the Restore old license button, as shown in the screen image below.


Figure 13: Restoring license

Note: In the event of problems, email [email protected], giving the SECUREPOINT controller’s serial number, the contact details of the installation company and the client company, and a description of the problem encountered.

7 Configuring the SECUREPOINT controller

Securepoint NAC is preconfigured so it can be quickly brought into service.

The LAN side eth0 interface is preconfigured in DHCP client mode.

Three virtual network (VLAN) interfaces are preconfigured on eth1:

Native VLAN 192.168.100.0/24: this VLAN is used for the administration of active elements (e.g.: Wi-Fi access points);

VLAN 2 192.168.200.0/24: this VLAN may be associated with Web portal type authentication;

VLAN 3 192.168.250.0/24: this VLAN may be associated with 802.1x/EAP type authentication.

A set of services is typically preconfigured. In addition, you will find two profiles (managers and guest) already created with one user for each (manager and guest1). The passwords associated with these users are xdr22nbv and insecure respectively.

Attention: These preconfigured passwords, like the admin password, are printed in this guide and must be changed before the controller is put into service.


To carry out the entire Securepoint NAC box configuration, click on Configuration in the menu bar. The following page is displayed:

Figure 14: Securepoint NAC configuration homepage

The configuration options are sorted into classes.

Network

This class allows all the network parameter settings of the SECUREPOINT box to be configured, i.e. the controller name, incoming and outgoing VLANs, output static routes, time server, etc.

Authentication

This class deals solely with the configuration of authentication mechanisms, the corporate directory used for authentication, the RADIUS server embedded in the SECUREPOINT box, certificates, etc.

Zero configuration

This involves configuring the mechanisms enabling users to use their workstations and applications with no prior configuration: use of workstation with a fixed IP address, Web and email redirection.

Customization

This class will be used to configure the SECUREPOINT portal (appearance, languages and service operation), connection tickets delivered by the delegated administration tool, and those URLs that are accessible before authentication.


Logging

This involves selecting the data to be logged (sessions, traffic, URLs) and the database purge criteria (by age or by size). Automatic export of log backups over FTP can also be configured; since FTP carries both the credentials and the log content in clear, use it only towards a server on a trusted management network.

External services

SECUREPOINT uses external services such as SMS or email, for example to send login information to users. This class is used to define the SMS and/or email accounts that the SECUREPOINT product may use.

Interfaces with the controller

This category is used to configure the interfaces through which other systems communicate with the SECUREPOINT controller: an SNMP interface, so that SECUREPOINT can be supervised from any monitoring tool on the market; an interface to PMS tools, to meet service billing requirements; and an interface to a pre-paid card server (PPS).

7.1 Network configuration

Click on the Network item shown on the left-hand side of the window. The following sub-menu is displayed with the options shown:

Figure 15: Network menu items


7.1.1 Configuration of basic controller parameters

Click on Controller item on the sub-menu. The following page is displayed:

Figure 16: Configuration of basic controller parameters

The first panel is used to set the name of the controller and its domain name on the incoming VLANs and outgoing VLANs. The SECUREPOINT controller default name is controller, and the domain is mobile.lan.

If you wish to register the SECUREPOINT controller in a Windows domain, you must fill in the Netbios workgroup field. The default is SECUREPOINT.

The UPnP service panel is used to enable or disable the UPnP service, which allows the controller to be located on the network. It is enabled by default; once the controller has a known, stable address it can be disabled, since it serves no other purpose and announces the controller to every host on the segment.

The DNS and default output configuration panel displays the IP address of the eth0 interface for information only, plus the IP addresses of the default gateway and the DNS.


The eth0 address is either obtained by DHCP on the LAN (if a DHCP server is available), or it will be an address in the range 169.254.0.0/16 (auto IP mechanism).

The Interface configuration panel is used, for each interface, to change (1) the largest packet size in bytes that the controller will send without fragmentation (the MTU) and (2) the transmission speed. The interface’s actual line speed and whether autonegotiation is enabled are displayed.

7.1.2 Configuring incoming VLANs

Click on the Incoming VLANs item on the sub-menu. The page below is displayed. Three VLANs are preconfigured by default:

Figure 17: Configuring incoming VLANs

VLAN 1 (native) 192.168.100.0/24: it is recommended to use this VLAN for administration of active elements.

VLAN 2 192.168.200.0/24: this VLAN may be associated with Web portal type authentication.

VLAN 3 192.168.250.0/24: this VLAN may be associated with 802.1x/EAP type authentication.


To add a new incoming VLAN, click the Add button. The following page is displayed:

Figure 18: Adding an incoming VLAN

Network settings panel. This is firstly for entering network parameter settings: the VLAN (VLAN Number) ID, the SECUREPOINT box IP address (Controller IP address), the subnet mask (Subnet mask) and the input zone (Input zone).

Regarding use of input zones, please refer to the “Securepoint NAC Administration Guide”, “Administering zones” section.

Administration tools access panel. This panel controls whether a user connected to this VLAN may reach the administration tools (administration tool and/or delegated administration tool). Access is authorized by default on the preconfigured VLANs, including the two intended for user traffic; clear these checkboxes on every VLAN except the administration VLAN before putting the controller into service, so that the administration login page is not reachable by users behind the portal or 802.1x.

Access is given to an administration tool simply by selecting the corresponding checkbox.


Configuration example:

Figure 19: Incoming VLAN configuration example

DHCP Settings panel. If you wish the DHCP server to be enabled on this VLAN, select the Enable DHCP server for this VLAN checkbox and enter the relevant DHCP parameter settings.

Example:

Figure 20: DHCP parameter settings for an incoming VLAN

Click the Calculate DHCP settings button to automatically define these mandatory fields.

If you would like a machine with a known MAC address to always obtain the same IP address, a fixed lease needs to be defined. To do so, click the Add a fixed lease button. The following form is displayed:

Figure 21: Adding a fixed lease

Enter the machine’s MAC and IP address, for each machine concerned.


Click on Confirm to confirm the VLAN creation.

VLANs may be removed or modified after being created (as can the preconfigured VLANs), by selecting the VLAN to be removed or modified using the relevant checkbox in the VLAN table, and clicking on Delete or Modify.

7.1.3 Configuration of outgoing VLANs

Securepoint NAC offers the option of routing a user’s output traffic from the SECUREPOINT box to a particular VLAN. Redirection is carried out on the basis of the user’s profile (see “Securepoint NAC Administration Guide” documentation, on linking a VLAN to a user profile).

Click on the Outgoing VLANs item in the sub-menu shown on the left-hand side of the window. The following page is displayed:

Figure 22: Configuration of outgoing VLANs

VLAN 1 is preconfigured. This is the native VLAN. The Controller IP address field is either the IP address allocated by the company network’s DHCP service, or the fixed IP address specified in the VLAN configuration. If the controller is not connected to the network, its address will be chosen from the range 169.254.0.0/16. The Addressing mode field states whether DHCP mode is enabled for this VLAN (“DHCP” if enabled, “fixed” otherwise).

Attention: The use of an IP address allocated by DHCP is enabled on just one outgoing VLAN. By default, DHCP is enabled on the native VLAN.


The Administration access and Delegation access fields indicate whether access to the administration tools is authorized from the VLAN (green: authorized, red: denied). Access to administration tools from the native VLAN is authorized by default.

The Default output field indicates whether this VLAN is the default output of the SECUREPOINT box.

To add a new outgoing VLAN, click the Add button. The following page is displayed:

Figure 23: Adding an outgoing VLAN

You firstly need to enter the network information, i.e.: the VLAN ID (VLAN Number), the SECUREPOINT box IP address (Controller IP address), the subnet mask (Subnet mask), and the gateway (Gateway).

The VLAN can be configured to be the default output. To do so, select the Enable as default output checkbox.

Attention: The “Default output” option can only be enabled if no outgoing VLAN is in DHCP addressing mode; otherwise the VLAN that uses DHCP is the default output. By default, the eth0 interface is the one configured for DHCP.

You may then allow a user connected on this VLAN to access the administration tools (administration tool and/or delegated administration tool).


Example:

Figure 24: Example of creating an outgoing VLAN

VLANs may be removed or modified after being created, by selecting the VLAN to be removed or modified using the relevant checkbox in the VLAN table, and clicking on “Delete” or “Modify”.

Attention: The native VLAN cannot be removed.

7.1.3.1 Configuring local output policies

Each outgoing VLAN can have an output policy associated with it, which specifies the output zone associated with the VLAN and its addressing mode (NAT or routing). An output zone may in turn be associated with a user profile, so that traffic from users with that profile is redirected into the appropriate zone (see “Securepoint NAC Administration Guide”, “Administering user profiles” section).

Output policies are local because they apply to one, and only one, controller: the one on which they are configured.

By default, just one output policy is defined. It is associated with the native VLAN 1. This policy indicates that VLAN 1 is associated with the Default zone, and that all users in all profiles (both preconfigured profiles) are NATed using the IP address of the eth0 interface. The screen capture below describes the configuration of this default policy.

Figure 25: Default output policy for the native VLAN


To create an output policy, click the Add button in the policy table. The following page is displayed:

Figure 26: Adding an output policy

First, the zone associated with the policy must be specified. If no zone exists, it can be created directly from this form. Then the VLAN number, which will be associated with this policy must be entered, plus the network addressing mode (Routing or NAT).

If the NAT mode is selected, it is possible either to use the corresponding interface addressing, or to specify the NAT IP address chosen.

It is possible to define a DNS server which will then be used solely for outgoing data sent over the VLAN associated with the policy.

Next, select the user profiles to which this output policy will apply: pick them in the list of available profiles and add them to the list of selected profiles using the << Add button.

Lastly, further VLANs can be added to the output policy. Some requirements call for access to more than one VLAN, for example a user whose traffic goes by default to a VLAN giving Internet access but who also needs to reach a specific server on another VLAN.

To add an extra VLAN, click on the Additional accessible VLANs by policy link in order to bring up the configuration screen.

The left-hand list displays the VLANs available to be added. It is possible to restrict access to a particular IP address.


Example:

Figure 27: Example of configuring additional outgoing VLANs

We can see an example below where two output policies have been defined for two user populations – Students and Teachers. The policy for Students is associated with the Educational zone, and the policy for Teachers with the Laboratories zone. Students’ traffic uses NAT and is redirected out of SECUREPOINT into VLAN 1. Teachers’ SECUREPOINT output traffic is routed and redirected into VLAN 5.

Figure 28: Example of output policies

7.1.4 Configuring static output routes

Static routes are typically used to make contact with a network resource located on a routed network other than the LAN on which the SECUREPOINT controller is located.


Such a configuration is found for example in the following cases:

If the SECUREPOINT controller is interfaced with an LDAP directory on a different LAN, a static route must be configured to indicate the gateway (a router on the LAN where the controller is located) through which the remote network is reached.

If the administration (or delegated administration) workstation is on a remote network other than the LAN on which the SECUREPOINT controller is located, then a static route must be configured in order to indicate the gateway, which will be used by the controller to reach the administrator workstation.

To configure static routes, click on the Static routes option in the sub-menu on the left-hand side of the window. The following page is displayed:

Figure 29: Configuring static output routes


To add a new static route, click the Add button. The following page is displayed:

Figure 30: Adding a static route

Configure the network parameter settings, for example:

Figure 31: Example of static route configuration


7.1.5 Time server configuration

To configure the time server, click on the Time server item in the sub-menu on the left-hand side of the window. The following page is displayed:

Figure 32: Time server configuration

Choose the appropriate time zone (Europe/Paris by default), then set the date and time, either automatically from an NTP server or manually. Accurate time matters: certificate validity checks and log timestamps depend on it.

7.1.6 Configuration of DNS records

SECUREPOINT acts as a DNS relay towards the DNS servers configured for it. Its table of DNS records can be populated so that it resolves additional names itself.


To do so, click on the DNS records item in the sub-menu shown on the left-hand side of the window. The following page is displayed:

Figure 33: Configuration of DNS records


To add a DNS record, click the Add button in the DNS table. The following page is displayed:

Figure 34: Adding a new DNS

Each DNS entry specifies a machine name and an IP address. The domain name can also be appended automatically to the name when the DNS response is sent, on both the incoming and the outgoing side.

For example, with the domain “mobile.lan” and a Wi-Fi printer on eth1 with IP address 192.168.100.1 and name “Printer”, the domain name can be appended automatically when the DNS response is sent; the response will then be for “Printer.mobile.lan”.

Example:

Figure 35: Example of DNS configuration

7.1.6.1 DNS usage recommendations

Users connecting via the SECUREPOINT portal can make DNS requests before authentication, and those requests receive genuine answers rather than the portal’s address. This avoids polluting the client’s DNS cache with portal addresses, which would break applications (most browsers in particular) that keep their own DNS cache and ignore the validity period (TTL) of DNS responses.

The trade-off is that, under certain circumstances, an unauthenticated user can convey data before authentication by tunnelling it through DNS queries and responses, at a very low bandwidth.

It is therefore recommended, for the sake of security, to implement one of the following provisions:

Configure SECUREPOINT to use a DNS server without Internet access, so that it cannot recurse on behalf of unauthenticated clients. Internet access for authenticated users is then provided through a Web proxy, using the Web service (see Section 7.3.2).

Configure SECUREPOINT to use a DNS server that does not answer recursive requests and/or that can detect suspect DNS traffic (unusually long or random-looking names, large numbers of distinct names under one domain, TXT or NULL queries).
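As an added illustration (not part of this guide or of the product), the following Python script applies those indicators to a constructed resolver log. Per query it flags subdomain labels that are unusually long or close to 4 bits of entropy per character, and payload-friendly record types (TXT, NULL); per client and domain it counts distinct names, which catches a tunnel that keeps every individual query short. The log format, the thresholds and the addresses are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log in a dnsmasq-style "query[TYPE] name from client"
# format. It is sample data for this example, not output from the controller.
SAMPLE_LOG = """\
query[A] www.example.com from 192.168.200.17
query[A] cdn.example.net from 192.168.200.17
query[TXT] 5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d.t.tunnel.test from 192.168.200.42
query[TXT] 1f2e3d4c5b6a79887766554433221100.t.tunnel.test from 192.168.200.42
query[TXT] 0a1b2c3d4e5f60718293a4b5c6d7e8f9.t.tunnel.test from 192.168.200.42
query[NULL] aaaabbbbccccddddeeeeffff00001111.t.tunnel.test from 192.168.200.42
query[A] mail.example.com from 192.168.200.17
"""

LOG_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

# Thresholds are assumptions; tune them on real traffic.
MAX_LABEL_LEN = 20               # labels longer than this are rarely typed by humans
MAX_LABEL_ENTROPY = 3.5          # bits per character; hex/base32 payload labels sit near 4
MIN_UNIQUE_NAMES = 3             # distinct names under one domain from one client
SUSPECT_QTYPES = {"TXT", "NULL"}  # answers carry more payload than A/AAAA


def shannon_entropy(text):
    """Bits of entropy per character of a label (0 for empty or single-symbol)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Last two labels; a real deployment would use the public suffix list."""
    return ".".join(name.split(".")[-2:])


def parse_log(text):
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name").rstrip("."), m.group("client")


def query_indicators(qtype, name):
    """Per-query indicators: long or high-entropy subdomain labels, payload-friendly types."""
    reasons = []
    subdomain_labels = name.split(".")[:-2]
    if any(len(label) > MAX_LABEL_LEN for label in subdomain_labels):
        reasons.append("long label")
    if any(shannon_entropy(label) > MAX_LABEL_ENTROPY for label in subdomain_labels):
        reasons.append("high entropy label")
    if qtype in SUSPECT_QTYPES:
        reasons.append(f"query type {qtype}")
    return reasons


def find_tunnel_candidates(log_text):
    """Returns (flagged, bulk): flagged is a list of (client, name, reasons);
    bulk maps (client, domain) to the number of distinct names queried, for
    pairs that reached MIN_UNIQUE_NAMES."""
    flagged = []
    names_seen = defaultdict(set)
    for qtype, name, client in parse_log(log_text):
        names_seen[(client, registered_domain(name))].add(name)
        reasons = query_indicators(qtype, name)
        if reasons:
            flagged.append((client, name, reasons))
    bulk = {key: len(names) for key, names in names_seen.items() if len(names) >= MIN_UNIQUE_NAMES}
    return flagged, bulk


def suspect_clients(log_text):
    """Clients that triggered either a per-query or a per-domain indicator."""
    flagged, bulk = find_tunnel_candidates(log_text)
    return {client for client, _, _ in flagged} | {client for client, _ in bulk}


if __name__ == "__main__":
    flagged, bulk = find_tunnel_candidates(SAMPLE_LOG)
    for client, name, reasons in flagged:
        print(f"{client} {name}: {', '.join(reasons)}")
    for (client, domain), count in bulk.items():
        print(f"{client} queried {count} distinct names under {domain}")
```

Run against the sample, only 192.168.200.42 is reported: each of its queries trips the label-length check and the record-type check, and four distinct names under tunnel.test trip the per-domain count, while the two ordinary clients’ lookups of example.com and example.net pass. On a resolver that serves unauthenticated portal users, the per-domain count is the indicator worth alerting on, since a tunnel cannot avoid generating new names.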

7.1.7 Configuring filtering options

SECUREPOINT offers several options relating to the SECUREPOINT filtering mechanism.

To use these options, click on the Filtering item in the sub-menu on the left side of the window. The following page is displayed:

Figure 36: Configuring SECUREPOINT filtering options

The Unik compatibility option is used to provide compatibility with Unik telephones. Once the option has been selected, SECUREPOINT allows traffic from such telephones to pass.

The Security option implements a mechanism for detecting and correcting ARP poisoning attacks. Such attacks come from hosts on the SECUREPOINT controller’s incoming VLANs, where a client that answers ARP requests for the controller’s address can put itself in the path of other users’ traffic.
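The following Python script, added here as an illustration and not something the product ships, shows the checks such a mechanism has to make, run over a constructed sequence of ARP replies on the 192.168.200.0/24 portal VLAN: a pinned gateway address answered by another MAC, a known address that changes MAC, and one MAC answering for several addresses. The controller’s option also repairs the binding; this script only detects. The gateway MAC and the client addresses are assumptions.

```python
from collections import defaultdict

# Constructed ARP replies (ip, mac) in the order they were seen on the
# 192.168.200.0/24 portal VLAN. Addresses and MACs are made up for the example.
GATEWAY_IP = "192.168.200.1"          # controller address on VLAN 2 (assumed)
GATEWAY_MAC = "00:11:22:33:44:01"     # its real MAC on eth1 (assumed)
SAMPLE_ARP = [
    ("192.168.200.1", "00:11:22:33:44:01"),   # controller answers for itself
    ("192.168.200.17", "aa:bb:cc:dd:ee:17"),  # an ordinary client
    ("192.168.200.42", "aa:bb:cc:dd:ee:42"),  # the attacker's own address
    ("192.168.200.1", "aa:bb:cc:dd:ee:42"),   # attacker claims the gateway
    ("192.168.200.17", "aa:bb:cc:dd:ee:42"),  # and the victim, to see both directions
]


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen in ARP replies and raises an alert when
    a pinned address (the gateway) is claimed by another MAC, when a known
    address changes MAC, or when one MAC answers for several addresses."""

    def __init__(self, pinned):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.bindings = {}               # ip -> last MAC seen (non-pinned addresses)
        self.claimed = defaultdict(set)  # mac -> IPs it has answered for

    def observe(self, ip, mac):
        mac = mac.lower()
        alerts = []
        if ip in self.pinned:
            # Pinned bindings are never updated from the wire.
            if self.pinned[ip] != mac:
                alerts.append(("gateway_spoof", ip, mac))
        else:
            previous = self.bindings.get(ip)
            if previous is not None and previous != mac:
                alerts.append(("mac_change", ip, f"{previous} -> {mac}"))
            self.bindings[ip] = mac
        self.claimed[mac].add(ip)
        if len(self.claimed[mac]) > 1:
            alerts.append(("multi_ip", mac, ",".join(sorted(self.claimed[mac]))))
        return alerts


def scan(events, pinned):
    """Feed a sequence of (ip, mac) replies through a fresh monitor; return all alerts."""
    monitor = ArpMonitor(pinned)
    alerts = []
    for ip, mac in events:
        alerts.extend(monitor.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_ARP, {GATEWAY_IP: GATEWAY_MAC}):
        print(*alert)
```

The first three replies produce nothing; the fourth raises both a gateway_spoof and a multi_ip alert, and the fifth a mac_change for the victim plus a second multi_ip. In production the same checks can be fed from periodic `arp -n` snapshots or a packet capture on the incoming VLAN; the gateway binding should always be pinned from configuration rather than learned, since learning it from the first reply seen is exactly what the attacker exploits.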


The Controller’s LDAP directory access option, if enabled, exposes the SECUREPOINT controller’s internal LDAP directory so that third-party tools can retrieve user data and profiles. Leave it disabled unless such a tool is in use, since the directory holds the user accounts (including the visitor accounts created from the delegated administration tool).

The Network type option is used to configure the SECUREPOINT controller so that it is able to adapt to different types of network architecture and more specifically to the case of a multi-site architecture with SECUREPOINT as the hub.

Where there is a centralised multi-site architecture, three scenarios may arise:

Remote sites are connected to the main site at layer 2 (“switched network”). In this case, all SECUREPOINT functionalities are available, in particular those tied to VLANs (zones, multiple portals, etc.). This is the default configuration.

Remote sites are connected to the main site at layer 3 (“routed network”). In this case, SECUREPOINT operates without layer 2 information, with some restrictions: (1) the only possible authentication mode is the web portal, (2) client workstations on the remote site must be configured by DHCP, (3) the authentication portal must be in “automatic re-authentication” mode.

Some sites are connected at layer 2, others at layer 3 (“Switched and routed network”).

7.2 Configuring authentication

Click on the Authentication option on the left-hand side of the window. A sub-menu is displayed with the following options:

Figure 37: Items on the Authentication menu

7.2.1 Configuring an external authentication directory

Securepoint NAC can use one (and only one) corporate directory to authenticate users. The directory must comply with the LDAP standard (e.g. OpenLDAP, Active Directory).

The internal SECUREPOINT directory, which is used to store user profiles, can also be used in the authentication process. Users created from the delegated administration tool (typically visitor-type users), are in fact stored in the internal SECUREPOINT directory. It is therefore possible to set up a corporate directory and SECUREPOINT directory cascade.

The directory cascade mechanism, implementing a corporate and the SECUREPOINT directory, can be associated with one authentication method in particular. When specifying a directory cascade, the directories involved, the order in which the directories are to be queried and lastly the authentication method (portal or 802.1x/EAP) for which the cascade applies must all be given.


Click on the Directories item in the sub-menu shown on the left-hand side of the window. The following page is displayed:

Figure 38: Configuring authentication directories

The table summarizes the configured directories available for use in the authentication process.

The panel Sequence search for authentication is used to define the directory cascade for authentication using the portal and 802.1x/EAP methods (see Section 7.2.1.1).


To define a new directory, click the Add button in the declared directories table. The following page is displayed:

Figure 39: Configuring an authentication directory

Follow the stages below to configure a directory:

1. General settings panel. Configure the general parameter settings of the directory.

Directory name: name of the directory. This name will be used to refer to the directory when specifying the cascade mechanism.

Directory type: the directory may be the internal SECUREPOINT directory, an Active Directory, a Kwartz server or another LDAP standard directory (OpenLDAP, Apple OpenDirectory, etc.).

Example:

Figure 40: Configuring the general settings for an external directory


Note: The SECUREPOINT directory is configured by default. It corresponds to the internal directory embedded in the SECUREPOINT box.

Attention: If the directory is an Active Directory and if you wish to implement PEAP authentication, you have to register the SECUREPOINT controller in the Windows domain, which is done by clicking on the link at the top of the page (see Section 7.2.4).

2. Connection settings panel. Configure the parameters for connecting to the directory

IP address: IP address of the directory;

Port: port number for the directory, depending on the selected protocol (389 for LDAP, 636 for LDAPS as standard). Prefer LDAPS: with plain LDAP the bind password and the user lookups travel in clear between the controller and the directory;

Bind DN: the “Distinguished Name” of the account used to connect to the directory. The guide calls it the directory administrator, but the account only needs read and search rights on the Base DN and on the attributes listed in the Search parameters panel below; use a dedicated least-privilege account rather than a domain administrator;

Password: the directory administrator’s password

Example 1:

Figure 41: Configuring the connection settings for an external Active Directory

Example 2:

Figure 42: Configuring the connection settings for an external LDAP directory

Attention: The “Bind DN” must be written as a valid LDAP distinguished name, for example cn=svc-nac,ou=Service Accounts,dc=example,dc=com.

Note: You can use the Test settings button to check that the connection with the directory is established properly.

3. Search parameters panel. Set the profile search parameters. The following fields are used to determine the user (or group) profile on the basis of the data found in the external directory.


Base DN: the “Distinguished Name” corresponding to the directory entry from which the search is carried out.

Search filter: LDAP filter used to search for the user.

Profile attribute / Default profile: the first “Profile attribute” field is used to specify the name of the LDAP attribute that gives the user profile. If this attribute is not specified or is empty in the directory, the “Default profile” field will be used.

Password attribute / Encoding: the name of the LDAP attribute holding the user password, and its encoding. This option is used when an attribute other than the standard one holds the password. It is required, in particular, to use an LDAP directory other than Active Directory with PEAP authentication, because MSCHAPv2 inside PEAP needs either the clear-text password (encoding = User-Password) or its NT hash (encoding = NT-password, the MD4 hash of the UTF-16LE password); a directory that only stores salted hashes cannot be used this way. Note that an NT hash is not encryption: whoever can read the attribute can authenticate as the user, so restrict read access to it in the directory’s ACLs.

Name attribute: attribute used to retrieve the user’s surname to store it in SECUREPOINT logs.

First name attribute: attribute used to retrieve the user’s first name to store it in SECUREPOINT logs.

Attention: The “Base DN” must be written as a valid LDAP distinguished name, for example ou=Users,dc=example,dc=com.

Example 1:

Figure 43: Configuring profile search parameters (Active Directory)


Example 2:

Figure 44: Configuring profile search parameters (LDAP)

Note: You can use the Test settings button to check that the parameter settings are correct.

4. Click on Confirm.

7.2.1.1 Setting up an external directory and SECUREPOINT directory cascade

The second panel on the page, headed Sequence search for authentication, is used to describe two directory cascades, associated respectively with the Web portal authentication method and the 802.1x/EAP method. By default, only the internal SECUREPOINT directory is defined, so both cascades operate with this single directory.

Attention: Securepoint NAC only allows two directories to be cascaded, the SECUREPOINT directory and one external directory.

To modify directory cascades, click the Modify button in the Sequence search for authentication panel.

For each of the two cascades, it is possible to select which directories are included in the cascade and the directory query order.


Example: two directories are defined (Employees and Securepoint). The cascade for portal authentication includes the two directories, while the EAP cascade uses only the Employees’ directory. The order of priority is specified using the Up and Down buttons as shown on the screen capture below:

Figure 45: Configuring directory cascades


Once the cascades are specified, the directory configuration page is displayed as follows:

Figure 46: Example of directory cascade configuration

7.2.2 Configuring certificates

The SECUREPOINT controller uses certificates for firstly Web portal HTTPS authentication, and secondly the RADIUS server embedded in the controller.


To load certificates into the SECUREPOINT controller, click on the Certificates item from the sub-menu shown at the left-hand side of the window. The following page is displayed:

Figure 47: Loading certificates

For each type of certificate, load the certificate using the Browse… button, then click Confirm. The portal certificate should be issued for the name under which users reach the portal (the controller name and domain set in Section 7.1.1) by a CA that the client devices trust; otherwise every user sees a browser warning and is trained to click through it.

A click on a link (e.g.: SECUREPOINT controller certificate) displays the certificate content in the Certificate contents panel. The certificate may also be downloaded.

Example:

Figure 48: Displaying the content of a certificate

7.2.3 RADIUS configuration

SECUREPOINT has its own embedded RADIUS server.


Note: We reiterate that the RADIUS protocol involves a server (the RADIUS server) linked to an identification database (database, LDAP directory, etc.) and a RADIUS client, called NAS (Network Access Server), which acts as intermediary between the end user (the supplicant) and the server. RADIUS does not encrypt the exchange: the shared secret is used to hide the User-Password attribute, to authenticate the server’s replies (Response Authenticator) and, through the Message-Authenticator attribute that EAP requires, to authenticate requests. The secret is therefore the only protection on the NAS-to-server path; the EAP inner authentication (PEAP/MSCHAPv2) is protected by its TLS tunnel, not by RADIUS.

To configure the SECUREPOINT RADIUS server, click on the Radius item on the sub-menu on the left-hand side of the window. The following page is displayed:

Figure 49: Configuring SECUREPOINT RADIUS

The EAP settings panel is used to configure the parameters for 802.1x/EAP authentication. Certificates for RADIUS can be downloaded by clicking on the RADIUS server certificates link. For the EAP re-authentication mechanism, three scenarios can be selected: (1) no re-authentication, (2) re-authentication controlled by the NAS (an access point, for example), (3) re-authentication handled by the SECUREPOINT RADIUS server, with a re-authentication time configurable in seconds (40 seconds by default).

The NAS configuration panel is used to configure firstly the shared secret used with the NAS and secondly the NAS administration VLAN (the NAS are the access points where a Wi-Fi architecture is used). The default shared secret is testing123 and the default administration VLAN is VLAN 1. Replace the default secret with a long random value, ideally a different one per NAS: anyone who captures one RADIUS exchange can test guesses against it offline.

To configure a NAS, click the Add button.

Example:


Figure 50: Example of NAS configuration

Click on Confirm.
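The following Python example, added here and not taken from the product, shows concretely what the shared secret does in a RADIUS exchange (RFC 2865): it keys the XOR stream that hides User-Password, and it is hashed into the Response Authenticator that the NAS checks on every reply. The last function shows why the default testing123 has to go: one captured reply is enough to test secret guesses offline. The secret, the Request Authenticator and the password are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; the secret is the guide's default.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))   # in real traffic the NAS picks 16 random bytes


def encode_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 (at least 16),
    then XOR each block with MD5(secret + previous block), the first block
    using the Request Authenticator. The password is hidden only from
    someone who does not know the secret."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(cipher, secret, request_auth):
    """Inverse of encode_user_password, as the server does it."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, attrs, request_auth, secret):
    """Access-Accept (code 2) carrying the given raw attribute bytes."""
    auth = response_authenticator(2, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """What a NAS does on receipt: recompute the authenticator and compare."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    auth, attrs = packet[4:20], packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(auth, expected)


def guess_secret(packet, request_auth, candidates):
    """Offline check of candidate secrets against one captured reply. Any
    eavesdropper on the NAS-to-server path can do this, which is why a
    dictionary word such as the default is not an acceptable secret."""
    for candidate in candidates:
        if verify_response(packet, request_auth, candidate):
            return candidate
    return None


if __name__ == "__main__":
    hidden = encode_user_password(b"hunter2", SECRET, REQUEST_AUTH)
    print("User-Password on the wire:", hidden.hex())
    # Attribute 18 (Reply-Message), length 4, value "ok".
    reply = build_access_accept(7, b"\x12\x04ok", REQUEST_AUTH, SECRET)
    print("reply verifies:", verify_response(reply, REQUEST_AUTH, SECRET))
    print("guessed secret:", guess_secret(reply, REQUEST_AUTH, [b"password", b"secret", SECRET]))
```

Note that nothing here authenticates the Access-Request itself; that is what the Message-Authenticator attribute (HMAC-MD5 over the packet, keyed with the same secret) adds, and EAP over RADIUS requires it. The secret’s strength is the whole story on this path, which is why it should be long, random and unique per NAS.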

7.2.4 Windows configuration

To register the SECUREPOINT controller in a Windows domain, click on the Windows item in the sub-menu on the left-hand side of the window. The following page is displayed:

Figure 51: Registration in a Windows domain

We stress that registration is necessary if the intention is to interface with Active Directory and use the 802.1x/PEAP authentication protocol.

The fields in the Registration in a Windows domain panel need to be filled in.


Example:

Figure 52: Example of registration in a Windows domain

If other Windows servers are to be declared, to provide redundancy for example, use the Windows servers declaration panel, giving their IP addresses.

7.3 Configuring “Zero configuration”

“Zero configuration” enables users on a network controlled by SECUREPOINT to access the resources authorised by their profile with no prior configuration of the workstation or applications.

Click the Zero configuration item shown on the left-hand side of the window. The following sub-menu is displayed with the options shown:

Figure 53: Items on the Zero configuration menu

7.3.1 Configuring the “fixed IP” mechanism

Fixed IP mode enables the mechanism that allows a user to connect with any fixed IP address. If the mechanism is disabled, the user must obtain an address via DHCP in order to connect. This mode is configurable on each incoming VLAN.

To enable “Fixed IP” mode, click on the Fixed IP address item in the sub-menu on the left-hand side of the window. The following page is displayed:

Figure 54: Configuring “Fixed IP” mode

Select the VLAN on which “Fixed IP” will be enabled (checkbox) and then click the Enable button.

The status is displayed in green when this mode is enabled, otherwise in red. By default, this mode is not enabled on any VLAN.

7.3.2 Configuring the “Web” service

This mode will enable users to use their Web browsers, irrespective of their proxy configuration.

Click on the Web item in the sub-menu shown on the left-hand side of the window. The following page is displayed:

Figure 55: Configuring the “Web” service

The first panel is used to specify the proxy ports of the client Web browser that are controlled by the SECUREPOINT controller. A distinction is made between ports controlled for redirection to the authentication portal (before authentication) and ports controlled after authentication.

The ports must be separated by “;”. By default, only ports 8080 and 3128 are used.

The second panel is used when HTTP user traffic is to be redirected to a corporate Web proxy. By default, no redirection is configured. To enable redirection to a parent Web proxy, select the “Enable redirection to parent proxy for ports” checkbox and fill in the fields describing the Web proxy to be used, i.e. the IP address of the proxy and its server port.

If the corporate proxy requires authentication, the Enable authentication to parent proxy checkbox needs to be selected. Two options are then possible: authentication for a single account or authentication for each user account.

For a single account, select the option and then enter the account credentials in the Login and Password fields.

For user accounts, simply select the option.

Note: Authentication by user account means that user-related data (login and password) can be sent to the parent proxy. The proxy can then use this data to apply security policies per user or user profile (URL filtering, for example).

Figure 56: Redirection configuration to parent proxy

The third panel is used to enable URL filtering in situations where the SECUREPOINT controller is used in conjunction with the Olféo URL filtering product. To do so, select the Enable URLs filtering checkbox.

The last panel is used to automatically configure users’ web browsers (Web proxy clients) by means of the WPAD (Web Proxy AutoDiscovery) protocol. This is done by downloading a wpad.dat file onto the SECUREPOINT controller. In the event of an erroneous download, you can restore the previous file using the Restore button.

Click on Confirm at each step.

7.3.3 Configuring the redirection service to an email server

If you would like users’ SMTP data traffic to be redirected to a corporate email server, then the email server redirection service must be enabled. By default, no redirection is configured.

Click on the Mailbox item in the sub-menu shown on the left-hand side of the window. The following page is displayed:

Figure 57: Configuring the redirection service to an email server

Select the Enable checkbox. There are two methods, as shown in the following page:

Figure 58: Selecting SMTP redirection configuration methods

Redirection Mode: allows all SMTP traffic to be redirected to an email server. Select redirection mode by selecting the Redirect SMTP traffic to a mail server checkbox, and fill in the IP address field.

Example:

Figure 59: Example of configuring SMTP redirection

Click the Confirm button.

SMTP relay mode: used to enable the SECUREPOINT SMTP relay to relay emails to an email account. To do so, select this mode by selecting the Use the controller SMTP relay checkbox, and fill in the following fields:

o IP address or DNS: if an IP address is not supplied for the email server, a DNS name can be specified;

o Account login: for example [email protected];

o Account password: the password for the account.

Example:

Figure 60: Example of SMTP relay configuration

Click the Confirm button.

Attention: SMTP relay mode will not work if:

- the email server blocks messages where the sender’s email address is not identical to that for the specified account;

- the mail server conceals senders’ email addresses.

The Test settings button can be used to check the parameter settings before confirming them.

7.4 Customization

Click the Customization option on the left-hand side of the window. The following sub-menu is displayed with the options shown:

Figure 61: Items on the Customization menu

7.4.1 Customization of the SECUREPOINT captive portal

It is possible to set up as many portals as desired. Once a portal is created, it can be associated with one or more zones.

Every portal can be customized in the way it operates and the way it looks.

Click on the Captive portal item in the sub-menu shown on the left-hand side of the window. The following page is displayed:

Figure 62: Configuring the SECUREPOINT portals

By default, two SECUREPOINT portals are offered: one portal called “portal” intended to be used from a PC, and another called “portal_mobile” intended to be used from a mobile terminal such as a PDA, smart phone, etc. Both these portals are associated with the “default” zone. They also have a default operating mode (i.e. by login and password).

To display the settings for a given portal, click on its name in the portal table. The parameter settings are displayed in a panel below the table.

Example:

Figure 63: Displaying the parameter settings for a SECUREPOINT portal

7.4.1.1 Adding a portal

To add a new portal, click the Add button. The following page is displayed:

Figure 64: Adding a new portal

Firstly, the portal must be given a name in the Portal name field.

Optionally, it is possible to strengthen the portal’s security by adding a password to unlock the portal when in use (the Portal security password field). This function can be used in conjunction with the user self-registration procedure (see the SMS or email methods below) in order to prevent unauthorised individuals from registering on the portal and obtaining logins.

Note: The portal security password will be the same for all portal users.

The portal then needs to be associated with one or more zones, by selecting the zone(s) from the Zones selection list.

Follow the steps below to configure the portal.

Choosing the portal type

The portal type is used to specify whether the portal is a SECUREPOINT portal, i.e. one hosted on the SECUREPOINT box, or an external portal (a corporate portal, for instance).

o SECUREPOINT portal: the SECUREPOINT portal is used and the operating mode must be specified (see Section 7.4.1.3).

It is also possible to redirect users to a portal external to SECUREPOINT before returning to the SECUREPOINT portal. This method may be useful for asking users for particular information, or requiring that they accept a certain usage policy, etc. To enable this mode, select the “Enable external portal” checkbox and enter the URL of the external portal. This mode is compatible with the various other operating modes used by the SECUREPOINT portal.

Example:

Figure 65: Example of configuring a SECUREPOINT portal (with redirection)

Attention: The URL defining the access path to the external portal must be declared as an open-access URL, i.e. accessible before authentication (see Section 7.4.3).

You need to create a hypertext link and use the following PHP code on the external portal in order to return to the SECUREPOINT portal.

To return to the SECUREPOINT portal:

<a href="<?= htmlspecialchars($_GET['redirect'] ?? '', ENT_QUOTES, 'UTF-8'); ?>">Click here to authenticate</a>

To return to the SECUREPOINT portal registration page (SMS, email or PayPal mode):

<a href="<?= htmlspecialchars($_GET['redirectsub'] ?? '', ENT_QUOTES, 'UTF-8'); ?>">Click here in order to register</a>
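An added example of such an external portal page (not code from this guide or from Securepoint) that presents a usage policy and, once accepted, links back to the SECUREPOINT portal using the redirect and redirectsub parameters described above. The controller host name in CONTROLLER_HOST is a placeholder, and the page only follows return URLs that point at that host, so that it cannot be used as an open redirector.

```php
<?php
// External portal page: an added example, not code from the guide or from
// Securepoint. The SECUREPOINT controller sends the user to this page with
// ?redirect=<URL of the SECUREPOINT portal> and, when self-registration is
// enabled, &redirectsub=<URL of the registration page>. The page shows a
// usage policy and, once it is accepted, links back to the controller.

// Placeholder (assumption): host name or IP address of the SECUREPOINT portal.
const CONTROLLER_HOST = 'nac.example.invalid';

// Accept a return URL only if it points back to the controller. Echoing an
// arbitrary query parameter into an href would make this page an open
// redirector, so anything else is discarded.
function safeReturnUrl($candidate): ?string
{
    if (!is_string($candidate) || $candidate === '') {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    if (strcasecmp($parts['host'], CONTROLLER_HOST) !== 0) {
        return null;
    }
    return $candidate;
}

// HTML-escape a value before placing it inside a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$redirect    = safeReturnUrl($_GET['redirect'] ?? null);
$redirectsub = safeReturnUrl($_GET['redirectsub'] ?? null);
$accepted    = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
            && (($_POST['accept'] ?? '') === '1');

header('Content-Type: text/html; charset=UTF-8');
?>
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>Usage policy</title></head>
<body>
<?php if ($redirect === null): ?>
  <p>No valid return address was supplied by the access controller.</p>
<?php elseif (!$accepted): ?>
  <h1>Usage policy</h1>
  <p>(Text of the usage policy goes here.)</p>
  <!-- No action attribute: the form posts back to this same URL, so the
       redirect parameters remain in the query string. -->
  <form method="post">
    <label><input type="checkbox" name="accept" value="1"> I accept the usage policy</label>
    <button type="submit">Continue</button>
  </form>
<?php else: ?>
  <!-- The links from the guide, with the URLs quoted and escaped. -->
  <p><a href="<?= h($redirect) ?>">Click here to authenticate</a></p>
  <?php if ($redirectsub !== null): ?>
    <p><a href="<?= h($redirectsub) ?>">Click here in order to register</a></p>
  <?php endif; ?>
<?php endif; ?>
</body>
</html>
```

The page itself must be declared as an open-access URL on the controller (Section 7.4.3), otherwise unauthenticated users cannot reach it.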

o External portal: in this case, the SECUREPOINT portal is disabled, and only an external portal is used. Users are automatically redirected to the portal with the address given in the “Redirection URL” field.

Attention: The URL defining the access path to the external portal must be declared as an open-access URL, i.e. accessible before authentication (see Section 7.4.3).

Example:

Figure 66: Example of configuring an external portal

Attention: Where only an external portal is used, this must be enhanced with the SECUREPOINT authentication functions. To achieve this, SECUREPOINT supplies an API which can be used to carry out authentication functions for all procedures (standard, SMS, email, etc.).

Choosing the portal format

The portal format will be used to define a portal suitable for the users’ hardware. Two types of format are offered:

o PC display: PC-type hardware will use this portal.

o PDA display: Hardware such as PDA, smart phones, etc., will be allocated to this portal. It will be necessary to define a suitable graphic design when this is customized (see Section 7.4.1.9).

The SECUREPOINT controller automatically recognizes the equipment type and applies the appropriate portal.

Selecting operating mode

The SECUREPOINT portal offers various operating modes:

o Standard portal: users are authenticated using a login and password combination. Accounts must be created beforehand.

o No authentication portal: in this mode, users are redirected to a Web page which may be specified. Once the redirection is carried out, users are authenticated.

o Portal with SMS registration: users self-register on the SECUREPOINT portal and receive their password by SMS.

o Portal with email registration: users self-register on the SECUREPOINT portal and receive their password by email.

o Portal with time credit purchase via PayPal: users can purchase connection time or time credit by making an on-line payment.

o Portal with use of a PMS: this method is used where there is interaction with a billing system (PMS). Users choose their package on the SECUREPOINT portal.

o Portal with use of prepaid cards: this method is used where there is interaction with a pre-paid card system.

Select the desired method. See the following sections to configure each method.

Note: Some methods can be used in combination. It is possible, for instance, to define a portal that works with registration by SMS or by email. In this case, both checkboxes associated with the two portal methods need to be selected.

Language selection

It is possible to choose firstly the portal’s default language, and secondly the languages that users will be able to choose from on the portal.

In the example below, French is used by default, and users can choose to display the portal in any available language.

Figure 67: Example of portal language configuration

Acceptance of a charter

Where users have to accept a charter, it is possible to add a checkbox to the portal which must be selected in order for users to be authenticated.

To use this, select the Define a service usage policy checkbox. A URL can be used so that users can see the charter. For this, select the Define a link to the charter checkbox and choose the URL from the drop-down list. The URL must have been defined beforehand as open-access (see Section 7.4.3). Enter the text to appear alongside the checkbox.

Example:

Figure 68: Example of configuring a charter for the portal

Password modification

The portal may offer users the option to change their password. To do so, select the Give users the option to change their password checkbox. A Change your password link will appear on the portal.

Attention: The password-changing link will only appear after the first successful user authentication.

The following example shows a SECUREPOINT portal in PC format running under a default configuration. The choice between available languages is left to the user.

Figure 69: Example of a SECUREPOINT portal

To save time, it is possible to create a portal starting from the configuration of an existing portal. To do so, click on the Copy button on the portal table.

7.4.1.2 Changing a portal

To change an existing portal, select it in the portal table and click the Change button.

See the previous Section to make the changes.

7.4.1.3 SECUREPOINT portal operation depending on the various modes

7.4.1.3.1 Standard mode

Users are authenticated using a login and password combination. Accounts must be created beforehand. This is the default mode.

7.4.1.3.2 Automatic mode

In this mode, users are redirected to the page specified in the Automatic redirection URL field. Once the redirection is carried out, users are authenticated.

Attention: This mode assumes that the generic accounts that will be used during user authentication have been created beforehand. To create these accounts, use the SECUREPOINT delegated administration tool in its multiple account creation function (see “Securepoint NAC Administration Guide” document, “Delegated administration” section).

Attention: This mode does not provide perfect traceability, since the user accounts are anonymous. Nonetheless, users’ MAC addresses are retained.

Note: If the automatic redirection URL field is empty, the user will be redirected to the Web page initially requested.

7.4.1.4 Registration by SMS mode

Users self-register on the SECUREPOINT portal by clicking on the Click here in order to register by SMS link, and filling in the Originating network country code, Phone number, Last name and First name fields (see screenshots below). The password is sent by SMS to the user’s mobile telephone. The user can then be authenticated in standard fashion on the portal, the login being the telephone number. The user’s account is automatically created in the SECUREPOINT directory, and the profile will be that specified at the time this mode is configured.

Figure 70: SECUREPOINT portal with SMS registration

Figure 71: User self-SMS registration from the SECUREPOINT portal

Attention: This mode assumes there is a contract with an SMS provider. For more information, contact SECUREPOINT Communications.

Before this type of portal can be configured, an account must be created and associated with one of the SMS platforms offered by the SECUREPOINT controller. To do so, go to the External services menu, SMS option (see Section 7.6.1 for more details).

Once the account has been created, select Portal with SMS registration, then:

From the available profiles, select the profile that users will obtain in this mode.

Select the account associated with an SMS messaging platform from those on offer.

Optionally, it is possible to ask users to enter their email addresses on the portal authentication page. In addition to the Email field, a checkbox will be added on the portal asking users to agree to their email addresses being used. Email addresses will be stored in the SECUREPOINT logs.

Example:

Figure 72: Configuring the SECUREPOINT portal with SMS registration

7.4.1.5 Registration by email mode

Users self-register on the SECUREPOINT portal by clicking on the Click here in order to register by mail link, and filling in the Email, Last name and First name fields (see screenshots below). The login information is sent by email to the address specified, and users have a limited time to read their email and find out their password. The user can then be authenticated in standard fashion on the portal. The user’s account is automatically created in the SECUREPOINT directory, and the profile will be that specified at the time this mode is configured. The time allowed for users to read their email, and the protocols opened so that the email can be read, are configurable options.

Figure 73: SECUREPOINT Portal with email registration

Figure 74: User self-email registration from the SECUREPOINT portal

Before this type of portal can be configured, an account must be created and associated with an email server offered by the SECUREPOINT controller. To achieve this, go to the External services menu, Email option (see Section 7.6.2 for more details).

Once the account has been created, select Portal with email registration, then:

From the available profiles, select the profile that users will obtain in this mode.

Select the account associated with an email server from those on offer.

As users have to read their email to find out their password, the network must be open for long enough for emails to be read. The time it is open is expressed in minutes in the “Opening time” field.

Opening of the network can be restricted to certain protocols which can be selected in the “Open service” field.

Example:

Figure 75: Configuring the SECUREPOINT portal with on-line email registration

7.4.1.6 Time credit purchase mode via PayPal

Users can purchase connection time or time credit by making an on-line payment by clicking on the Click here in order to register via PayPal link found on the SECUREPOINT portal (see screenshots below). The user is redirected to the PayPal site, where payment can be made either using a PayPal account or with a credit card. Once the transaction is successfully completed, the user can connect to the SECUREPOINT portal with the login and password delivered by SECUREPOINT.

Figure 76: SECUREPOINT portal with online payment

Figure 77: Login and password delivery during on-line payment

Note: In order to be able to trace the connection, the user’s personal data (first and last name) is retrieved from PayPal and recorded in the SECUREPOINT logs.

To configure this mode, Portal with time credit purchase via PayPal mode must be selected, then the price at which time credit will be sold defined, e.g. one hour of connection will cost 10 Euros. Next, the profile must be chosen that will be associated with all users using PayPal mode.

Then the data relating to the PayPal account must be entered:

1. Name the package in the “Name given to subscribed package” field.

2. Enter the PayPal account identifier.

3. Export the SECUREPOINT certificate by clicking on the Certificate export link. Save the file. Delete the “.txt” extension if there is one.

4. Click the first Test settings button to check that the data entered is correct.

5. On PayPal, upload the exported certificate.

6. Enter the data that allows the PayPal API to be used (username, password and signature). This API is intended to retrieve payment data.

7. Click the second Test settings button to test the connection to PayPal.

Example:

Figure 78: Configuring the SECUREPOINT portal with on-line payment

Attention: This mode assumes that the SECUREPOINT administrator (or his/her representative) has previously created a PayPal account, which needs to be “Premier” and “Verified”.

7.4.1.7 Method with use of a PMS

The SECUREPOINT/PMS (Property Management System) pairing works with the concept of packages. The package is defined by the SECUREPOINT administrator. This may be a 1 hour or 3 hour package, or an email package, or “All business days from 4 p.m. to 6 p.m.”, etc. Packages are offered for user selection on the SECUREPOINT portal after authentication.

The following two screen captures show an example of a SECUREPOINT portal with a choice between two packages, then the feedback displayed once the choice is made.

Figure 79: Example of SECUREPOINT portal with package use (PMS)

Figure 80: Example of user feedback after choosing a package

To configure this mode, Portal with use of a billing software (PMS) mode must be selected.

See Section of the document showing configuration of PMS and packages.

Example:

Figure 81: Configuring the SECUREPOINT portal with PMS use

7.4.1.8 Mode with use of prepaid cards (PPS)

The SECUREPOINT/PPS (Pre-paid System) pairing works with prepaid cards. Each card has a given connection time. Users authenticate themselves on the portal with the username on the card and a captcha code. The time granted by the card and the time used are displayed on the portal after authentication.

The following two screen images show an example of a SECUREPOINT PPS portal with user feedback.

Figure 82: SECUREPOINT portal with PPS use

Figure 83: Example of feedback for a SECUREPOINT PPS portal

To configure this mode, Portal with use of prepaid cards (PPS) must be selected, then the profile must be chosen that will be associated with all users using PPS mode.

See Section 7.7.3 for PPS configuration.

Example:

Figure 84: Configuring the SECUREPOINT portal with use of prepaid cards (PPS)

7.4.1.9 Graphics customization

The SECUREPOINT portal can be customised in the corporate colours using a graphics editor (except where “Automatic” operation, with no portal, is chosen).

To do so, click on the “pencil” icon on the portal to be modified in the portal table. The portal editor is then displayed:

Figure 85: SECUREPOINT portal editor

Note: See the “SECUREPOINT Portal Editor User Guide” documentation on using the SECUREPOINT portal editor.

7.4.2 Customization of connection tickets

You can customize connection tickets generated by the SECUREPOINT delegated administration tool. In particular, you can replace the SECUREPOINT logo with your organization’s logo, and add free text underneath it.

Click on the Connection tickets option in the sub-menu shown on the left-hand side of the window. The following page is displayed:

Figure 86: Customization of connection tickets

Enter your text in the Adding a text on tickets field. This text will appear beneath the logo. The language in which the text is written must be selected beforehand. If you wish to enter text in more than one language, then for each language (1) select the language, (2) enter the text in the text box and (3) click the Save this language button. If the text is the same irrespective of the language, then select the For all languages checkbox before entering the text.

The logo currently in use is displayed in the window. To replace it, click on Browse… to select the new one.

Click on Confirm.

Attention: Only JPEG format is accepted for logos.

Example:

Figure 87: Example of connection ticket configuration

Display of this ticket in A4 format will be as follows:

Figure 88: Example: connection ticket in A4 format

As the SECUREPOINT delegated administration tool offers the option to print tickets in badge format, an editor is provided to customize the badge display. This editor is used to select the data to be displayed: since the badge format is by definition of limited size, not all data can be shown on the ticket. The user’s last name, first name, login, password and profile may be displayed. If the administrator has defined additional fields, they will also be offered for display.

Example:

Figure 89: Connection ticket editor (in badge format)

To obtain a preview of the display in badge format, click the Display the badge button. With the example above, the following page is displayed:

Figure 90: Example: connection ticket in badge format

Click the Confirm button to confirm.

Note: The logo always appears top left in badge format.

Attention: The free text does not appear on badge format connection tickets.

7.4.3 Configuring open-access URLs

If you want users to be able to access certain URLs before authentication, they must be specified in this section.

Click on the Open-access URLs item in the sub-menu shown on the left-hand side of the window. The following page is displayed:

Figure 91: Configuring open-access URLs

To add a URL, click the Add button, enter the URL and click on Add.

Example:

Figure 92: Adding an open-access URL

Attention: Only HTTP protocol URLs can be used under open-access. HTTPS is not permitted.

Once the URL is specified, a status indicates whether the URL is being used by one of the SECUREPOINT services (SECUREPOINT portal for example).

Figure 93: Open-access URL

7.5 Configuring the logging mechanism

It is possible firstly to control what type of data is logged (sessions, URLs, etc.) and secondly to decide the criteria used as the basis for database flushing (in part or in full).

To access database management, click on the Logging option on the left-hand side of the window, then the Configuration item in the sub-menu.

The following page is displayed:

Figure 94: Logging configuration

7.5.1 Logging criteria

The Logging enabled for panel is used to partly enable logging, for instance, to enable logging for sessions and disable URL logging. By default, logging is switched on for sessions, URLs and licit traffic (TCP and UDP packets). Dropped packets are not logged.

Attention: If session logging is disabled, it will not be possible to display connected users in real time. This option is also mandatory for logging of URLs and TCP and UDP packets.

7.5.2 Purging the log database

The Log files purge panel is used to define the criteria that will trigger a purge of the log database.

The following options are on offer:

Every n MB: the database is purged every n megabytes.

Every n sessions: the database is purged every n sessions.

Custom frequency: the database is purged periodically, every day, week or month. It is possible to specify the time or day, as appropriate.

Example:

Figure 95: Example of configuring the log purge criteria

Attention: Irrespective of the values set on this form, a log database purge will be forced if the size exceeds 1 GB.

7.5.2.1 Generating backup files

SECUREPOINT can automatically handle log backups. Every time the database is purged, a file is created. If this option is required, ensure the Run a backup of log files during purge checkbox is selected.

Figure 96: Generating backup files

Backup files are in “tar” format, and are generated with the following filename:

Securepoint_logs_<backup start date>-<time>_<backup end date>-<time>.tar

where <date> = yyyymmdd and <time> = hhmm
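The file name format above, handled by an added example (not Securepoint’s code) that parses each backup name into its start and end times and then reports any period in a listing of exported files that no backup covers, which is a simple way to detect missing exports. The sample listing is constructed; the tolerance between consecutive backups and the optional compression suffix after “.tar” are assumptions.

```php
<?php
// Added example, not Securepoint's code: parse the backup file names
// described above and report gaps between consecutive backups.

// Parse "Securepoint_logs_<start date>-<time>_<end date>-<time>.tar"
// (dates yyyymmdd, times hhmm). An optional suffix such as ".gz" is
// tolerated (assumption: compressed backups keep the same base name).
// Returns ['start' => DateTimeImmutable, 'end' => DateTimeImmutable]
// or null if the name does not match or is inconsistent.
function parseBackupName(string $name): ?array
{
    $re = '/^Securepoint_logs_(\d{8})-(\d{4})_(\d{8})-(\d{4})\.tar(?:\.\w+)?$/';
    if (!preg_match($re, $name, $m)) {
        return null;
    }
    $tz = new DateTimeZone('UTC');
    // "!" resets every field first, so seconds are exactly zero.
    $start = DateTimeImmutable::createFromFormat('!YmdHi', $m[1] . $m[2], $tz);
    $end   = DateTimeImmutable::createFromFormat('!YmdHi', $m[3] . $m[4], $tz);
    if ($start === false || $end === false || $end < $start) {
        return null;   // malformed date/time, or end before start
    }
    return ['start' => $start, 'end' => $end];
}

// Given a list of file names (for example a listing of the FTP export
// directory), return the periods not covered by any backup, i.e. where one
// backup ends more than $toleranceMinutes before the next one starts.
function findCoverageGaps(array $names, int $toleranceMinutes = 1): array
{
    $ranges = [];
    foreach ($names as $n) {
        $r = parseBackupName($n);
        if ($r !== null) {
            $ranges[] = $r;   // names that are not backups are ignored
        }
    }
    usort($ranges, fn($a, $b) => $a['start'] <=> $b['start']);

    $gaps = [];
    for ($i = 1; $i < count($ranges); $i++) {
        $prevEnd   = $ranges[$i - 1]['end'];
        $nextStart = $ranges[$i]['start'];
        $gapMinutes = intdiv($nextStart->getTimestamp() - $prevEnd->getTimestamp(), 60);
        if ($gapMinutes > $toleranceMinutes) {
            $gaps[] = ['from' => $prevEnd, 'to' => $nextStart, 'minutes' => $gapMinutes];
        }
    }
    return $gaps;
}

// Constructed sample listing: the first two files are contiguous, but
// nothing covers 12:00 to 18:30 on 2 March.
$listing = [
    'Securepoint_logs_20240301-0000_20240301-1200.tar.gz',
    'Securepoint_logs_20240301-1200_20240302-1200.tar',
    'Securepoint_logs_20240302-1830_20240303-0600.tar',
    'not_a_backup.txt',
];

foreach (findCoverageGaps($listing) as $g) {
    printf("Gap of %d minutes: %s -> %s\n", $g['minutes'],
        $g['from']->format('Y-m-d H:i'), $g['to']->format('Y-m-d H:i'));
}
```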

7.5.2.2 Compressing backup files

In order to optimise the space occupied by log backups on the SECUREPOINT appliance’s hard drive, users are prompted to compress them. By default, compression is enabled for backups more than 7 days old. This number of days is configurable.

Figure 97: Enabling log backup compression

To disable the compression mechanism, deselect the Enable backups auto compression checkbox.

Note: Compression/decompression of log backup files can be carried out manually on individual files. See the “Securepoint NAC Administration Guide”, “Log file management” section.

7.5.2.3 Deleting backup files

Backup files can be automatically deleted after a given period of time. By default, the retention period is one year. To deactivate automatic purge, deselect the Enable automatic purge of backups checkbox.

Figure 98: Automatic deletion of backup files

7.5.2.4 Automatic export of backup files

To automate export of log backup files, it is possible to transfer them to a third party machine over FTP.

Note: Configuring this mechanism is highly recommended in order to (1) ensure that logs are backed up on a platform other than the SECUREPOINT box and (2) avoid filling up the SECUREPOINT hard drive. If the hard drive becomes full, a file rotation mechanism is triggered and the oldest logs are replaced by the most recent.

Attention: Backup files will be transferred every time the database is purged.

To enable export, select the Enable backup export checkbox, and fill in the fields relating to the FTP server (server name, port, login and password).

The URI field is the directory to which the backup files will be transferred (the path, from the FTP server root directory, to which the file name is appended).

If, for reasons of disk space optimization, you do not wish to keep backups on the SECUREPOINT controller once they have been transferred, select the Delete backups from the controller after a successful export checkbox.

Example:

Figure 99: Example of configuring FTP export of log files

The Test FTP settings button can be used to check the parameter settings before confirming them.

Note: Export and import of log backup files can be carried out manually on individual files. See the “Securepoint NAC Administration Guide”, “Log file management” section.

7.5.3 Access to the SQL log database

It is sometimes necessary to access the log database directly using SQL, for example to automate the production of special reports or to connect a third-party application. Read-only SQL access to the log database must be explicitly authorised. To do so, select the Authorize access to SQL log database checkbox and fill in the fields that determine which machine(s) may access the database:

Interface: all machines with an IP address within the address range of a controller interface.

Other subnet: all machines with an IP address belonging to the specified subnet.

IP address: the IP address of a single authorised machine.

Because the database credentials are shared by every authorised host, prefer the single IP address option for the reporting machine over a whole subnet.

Example:

Figure 100: Example of configuration to allow access to the SQL log files

Attention: Contact SECUREPOINT Communications to obtain the credentials for connecting to the database. A description of the SQL schema can also be sent to you if you need it.

7.6 Configuring external communication services

The SECUREPOINT controller may need to use email or SMS services to communicate with users, for example to inform them of their login information (login, password, etc.).

These services are used either by the SECUREPOINT Web portal to send passwords to users (see Sections 7.4.1.4 and 7.4.1.5) or by the delegated administration tool to send login information to users (logins, permitted time slots, etc.).

Click on the External services item shown to the left of the window. The following sub-menu is displayed with the options shown:

Figure 101: Items on the External services menu

7.6.1 Configuring SMS service

Attention: This mode assumes there is a contract with an SMS provider. For more information, contact SECUREPOINT Communications.

To configure an SMS account, click on the SMS item on the sub-menu. The following page is displayed:

Figure 102: SMS accounts configuration

For each SMS account created, the table indicates the selected operator, the sending method (HTTP or SMTP), the number of portals and the number of delegated administrator profiles using this account.

To add a new SMS account, click the Add button. The following page is displayed:

Figure 103: Adding an SMS account

First choose the SMS platform from those on offer, then fill in the following fields:

Account name: free-format identifier naming the account.

SMS operator: the SMS messaging platform, selected from the options on offer. Registration with the selected platform is required in order to obtain login information.

Account login: login for the account on the SMS platform.

Account password: password for the account on the SMS platform.

Customer ID: client identifier (issued by the SMS platform).

Example:

Figure 104: Example of configuring an SMS account

Use the Test settings button in order to check the accuracy of the data entered.

The SMS content can then be customised according to its purpose. The SMS consists of a welcome message, with one version per available language. Each version is built from a template made up of fixed text and dynamic variables; variables are enclosed in “%” characters.

The available variables are the user’s login (%login%), password (%password%), surname (%lastname%), first name (%firstname%) and profile (%profile%). The login and the password are mandatory. Note that the message delivers the password in clear text over SMS, so users should be encouraged to change it after their first login.

Example:

Welcome %firstname% %lastname%

Login: %login%

Password: %password%

Click the Confirm button to confirm the SMS account.

Note: The default language can be selected. It is therefore not necessary to enter the welcome message in all languages. Fields not filled in will take the field value matching the default language.
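The template rules above (placeholders delimited by “%”, the five permitted variables, mandatory login and password, and the default-language fallback described in the note), as an added Python example. This is editorial example code, not part of the SECUREPOINT product; the template dictionary, the user record and the error messages are constructed for illustration.

```python
import re

# Added example, not SECUREPOINT code. Variable set and mandatory variables
# as listed in Section 7.6.1 of the guide.
ALLOWED_VARS = {"login", "password", "lastname", "firstname", "profile"}
MANDATORY_VARS = {"login", "password"}
_VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


class TemplateError(ValueError):
    pass


def validate_template(template):
    """Return the set of variables used, or raise if the template is unusable."""
    used = set(_VAR_RE.findall(template))
    unknown = used - ALLOWED_VARS
    if unknown:
        raise TemplateError(f"unknown variable(s): {sorted(unknown)}")
    missing = MANDATORY_VARS - used
    if missing:
        raise TemplateError(f"mandatory variable(s) missing: {sorted(missing)}")
    return used


def check_template(template):
    """Validation result as a string (None when the template is acceptable)."""
    try:
        validate_template(template)
        return None
    except TemplateError as exc:
        return str(exc)


def render(template, user):
    """Substitute the known placeholders; any other '%' is left untouched."""
    validate_template(template)
    return _VAR_RE.sub(lambda m: str(user.get(m.group(1), "")), template)


def pick_template(templates, language, default_language):
    """Language fallback as described in the guide: an empty or missing
    language entry takes the text of the default language."""
    text = templates.get(language, "")
    if not text.strip():
        text = templates.get(default_language, "")
    if not text.strip():
        raise TemplateError("no template for the requested or the default language")
    return text


def build_sms(templates, default_language, language, user):
    return render(pick_template(templates, language, default_language), user)


# Constructed sample data (not taken from a real controller).
TEMPLATES = {
    "en": "Welcome %firstname% %lastname%\nLogin: %login%\nPassword: %password%",
    "de": "Willkommen %firstname% %lastname%\nLogin: %login%\nPasswort: %password%",
    "fr": "",  # deliberately empty: falls back to the default language
}
USER = {"login": "jdoe", "password": "Xk7q2Pd9", "firstname": "Jane",
        "lastname": "Doe", "profile": "guest"}

if __name__ == "__main__":
    print(build_sms(TEMPLATES, "en", "fr", USER))
```

Rejecting unknown placeholders matters as much as requiring the mandatory ones: a typo such as %pasword% would otherwise be sent to the user verbatim while the real password never arrives.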

7.6.2 Configuring the email server

To configure an email account, click on the External services item in the left-hand side of the window, then on the Mail item in the sub-menu. The following page is displayed:

Figure 105: Configuring email server accounts

The table indicates, for each account created, the number of portals and the number of delegated administrator profiles using this account.

To add a new email account, click the Add button. The following page is displayed:

Figure 106: Adding an email server account

The following fields need to be filled in:

Account name: free-format identifier naming the account.

IP address or DNS of the mail server: the IP address or the DNS name of the email server.

Account login: login for the email account.

Account password: password for the email account.

Account email address: the address the messages are sent from.

Email reply address: the address to which replies are sent.

Message at the beginning of the mail: text included at the start of every email sent.

Example:

Figure 107: Example of configuring an email account

Use the Test settings button in order to check the accuracy of the data entered.

Click the Confirm button.

7.7 Configuring interfaces with the SECUREPOINT controller

SECUREPOINT interfaces are designed to provide communication between a SECUREPOINT controller and a third-party product.

Click on the Interfaces with the controller item shown on the left-hand side of the window. The following sub-menu is displayed with the options shown:

Figure 108: Items on the Interfaces with the controller menu

7.7.1 SNMP Interface

SECUREPOINT controllers include an SNMP agent, which means they can be supervised from an SNMP-compatible monitoring tool (called SNMP Manager).

A SECUREPOINT MIB (Management Information Base) is offered to enable dialogue between the supervision tool and SECUREPOINT agent.

To implement the SNMP interface, click on the SNMP item in the sub-menu. The following page is displayed:

Figure 109: Configuring the SNMP interface

The SNMP Manager configuration panel specifies which machines may query the SECUREPOINT SNMP agent (such as a monitoring tool). Either an IP address, a SECUREPOINT outgoing VLAN, or a subnet address can be specified.

As SNMP also defines traps (event notifications), the single machine that will receive traps must also be configured (IP address and port number).

The SNMP Agent configuration panel specifies the settings of the SECUREPOINT SNMP agent itself: the port on which it listens, the SNMP passwords and the SECUREPOINT traps to enable.

Attention: the MIB in Appendix 1 declares sysDebugValue and every column of the interface table as read-write. Restrict the SNMP Manager panel to the monitoring host alone and treat the SNMP passwords as administrative credentials.

SECUREPOINT traps are used to supervise all active services on the SECUREPOINT controller (Web server, LDAP directory, RADIUS server, etc.).

Lastly, the SECUREPOINT MIB is downloadable by clicking on the Download controller’s MIB link (see Appendix 1).
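How a monitoring host can decode the controller’s traps and decide which ones to page on, as an added Python example (editorial code, not SECUREPOINT or vendor code). The OIDs follow the MIB in Appendix 1 (enterprises 31218, system 1, servStatus 8, traps 9); the log lines are a constructed approximation of snmptrapd output, and the set of services treated as critical is the editor’s choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not SECUREPOINT code. OIDs follow the MIB in Appendix 1:
# enterprises(1.3.6.1.4.1) . 31218 . system(1) . { servStatus(8) | traps(9) } . N
ENTERPRISE = "1.3.6.1.4.1.31218"
SERV_STATUS_OID = ENTERPRISE + ".1.8"
TRAPS_OID = ENTERPRISE + ".1.9"

# traps N -> descriptor, as declared in Appendix 1
TRAP_NAMES = {
    1: "datelastconnect", 2: "httpd", 3: "mysqld", 4: "urlsnarf", 5: "privoxy",
    6: "autodisconnect", 7: "cups", 8: "dhcpd", 9: "dnsmasq", 10: "ipstatic",
    11: "keepalived", 12: "ldap", 13: "ldapmonitor", 14: "ntpd", 15: "radius",
    16: "snmpd", 17: "smb", 18: "sshd", 19: "syslog-ng", 20: "ulogd",
    21: "clientpms", 22: "toomanyusers",
}

# servStatus N -> descriptor. The numbering does NOT line up with the trap
# numbering (radius trap 15 vs radiusdStatus 14, smb trap 17 vs smbStatus 15),
# so the correlation is an explicit table rather than arithmetic.
SERV_STATUS_NAMES = {
    1: "httpdStatus", 2: "mysqlStatus", 3: "urlsnarfStatus", 4: "privoxyStatus",
    5: "autodisconnectStatus", 6: "cupsStatus", 7: "dhcpdStatus",
    8: "dnsmasqStatus", 9: "ipstaticStatus", 10: "keepalivedStatus",
    11: "ldapStatus", 12: "ldapmonitorStatus", 13: "ntpdStatus",
    14: "radiusdStatus", 15: "smbStatus", 16: "snmpdStatus", 17: "sshdStatus",
    18: "syslogngStatus", 19: "ulogdStatus", 20: "clientPMSStatus",
}
TRAP_TO_STATUS = {
    "httpd": "httpdStatus", "mysqld": "mysqlStatus", "urlsnarf": "urlsnarfStatus",
    "privoxy": "privoxyStatus", "autodisconnect": "autodisconnectStatus",
    "cups": "cupsStatus", "dhcpd": "dhcpdStatus", "dnsmasq": "dnsmasqStatus",
    "ipstatic": "ipstaticStatus", "keepalived": "keepalivedStatus",
    "ldap": "ldapStatus", "ldapmonitor": "ldapmonitorStatus", "ntpd": "ntpdStatus",
    "radius": "radiusdStatus", "snmpd": "snmpdStatus", "smb": "smbStatus",
    "sshd": "sshdStatus", "syslog-ng": "syslogngStatus", "ulogd": "ulogdStatus",
    "clientpms": "clientPMSStatus",
}
# Editor's choice: services whose loss affects authentication, address
# assignment, logging or licensing.
CRITICAL = {"radius", "ldap", "httpd", "dhcpd", "syslog-ng", "ulogd", "sshd", "toomanyusers"}

# Only the snmpTrapOID varbind is parsed, so the rest of the line format
# (here a constructed snmptrapd-like layout) does not matter.
_TRAP_RE = re.compile(r"snmpTrapOID\.0 = OID: \.?(\d+(?:\.\d+)+)")
_HEAD_RE = re.compile(r"^(\S+ \S+) (\S+) ")


@dataclass
class TrapEvent:
    when: str
    source: str
    oid: str
    name: str
    status_oid: Optional[str]  # servStatus object to poll for the current state
    critical: bool


def status_oid_for(trap_name: str) -> Optional[str]:
    status = TRAP_TO_STATUS.get(trap_name)
    if status is None:
        return None
    index = next(i for i, n in SERV_STATUS_NAMES.items() if n == status)
    return f"{SERV_STATUS_OID}.{index}"


def parse_trap_line(line: str) -> Optional[TrapEvent]:
    m = _TRAP_RE.search(line)
    if not m or not m.group(1).startswith(TRAPS_OID + "."):
        return None  # not a SECUREPOINT trap
    oid = m.group(1)
    tail = oid[len(TRAPS_OID) + 1:]
    if not tail.isdigit():
        return None
    name = TRAP_NAMES.get(int(tail), f"unknown-{tail}")
    head = _HEAD_RE.match(line)
    when, source = (head.group(1), head.group(2)) if head else ("", "")
    return TrapEvent(when, source, oid, name, status_oid_for(name), name in CRITICAL)


def triage(lines: List[str]) -> List[TrapEvent]:
    """Return only the traps worth an alert, in log order."""
    events = (parse_trap_line(line) for line in lines)
    return [e for e in events if e is not None and e.critical]


SAMPLE_LOG = [  # constructed sample, not real controller output
    "2024-05-02 10:15:01 192.168.100.254 TRAP snmpTrapOID.0 = OID: .1.3.6.1.4.1.31218.1.9.15 sysUpTime.0 = 1234",
    "2024-05-02 10:15:07 192.168.100.254 TRAP snmpTrapOID.0 = OID: .1.3.6.1.4.1.31218.1.9.7 sysUpTime.0 = 1240",
    "2024-05-02 10:16:44 192.168.100.254 TRAP snmpTrapOID.0 = OID: .1.3.6.1.4.1.31218.1.9.22 sysUpTime.0 = 1337",
    "2024-05-02 10:17:00 10.0.0.5 TRAP snmpTrapOID.0 = OID: .1.3.6.1.6.3.1.1.5.1 sysUpTime.0 = 3",
]

if __name__ == "__main__":
    for event in triage(SAMPLE_LOG):
        print(event)
```

A trap only says that something happened; the status_oid on each event is the object a poller should read afterwards to confirm whether the service is still down, so that a single flap does not become a page.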

7.7.2 PMS Interface

The SECUREPOINT controller interfaces with PMS (Property Management System) products. A PMS is the guest management system typically found in hotels or hospitals; it is used for checking guests in, billing, etc.

Attention: The interface with such products is based on the FIAS protocol. Consequently, only FIAS-compatible PMS products can dialogue with SECUREPOINT. To use a PMS that does not support this protocol, contact SECUREPOINT Communications.

The PMS/SECUREPOINT pairing works with the concept of packages. A package is defined by the SECUREPOINT administrator: a 1 hour or 3 hour package, an email package, “All business days from 4 p.m. to 6 p.m.”, etc. Packages are offered for user selection on the SECUREPOINT portal.

The PMS/SECUREPOINT dialogue runs as follows:

1. Synchronisation between the two products, so that accounts are created in SECUREPOINT for guests already present (in a hotel, for example).

2. PMS -> SECUREPOINT: a user account creation order is sent when a new guest arrives. The account is created in SECUREPOINT with identifiers generated automatically from the guest’s last name, first name and room number:

login = <room number><guest’s name>
password = <guest’s first name>

Attention: these initial credentials are derived entirely from data known to hotel staff and to anyone who learns the guest’s name and room number; they are not secret until the guest changes the password.

3. Users can change their password from the SECUREPOINT portal after their first authentication.

4. SECUREPOINT portal: user authentication and package selection.

5. SECUREPOINT -> PMS: the package type selected by the user is sent to the PMS.

6. PMS -> SECUREPOINT: a user account closure order is sent when the guest leaves.

To implement the PMS interface, click on the PMS item in the sub-menu. The following page is displayed:

Figure 110: Configuring the PMS interface

7.7.2.1 Defining packages

The first step is to define one or more packages. To do so, click the Add button on the packages table. The following page is displayed:

Figure 111: Configuring a package

The following fields need to be filled in:

Package name: internal identifier used by the administration tool.

Currency: free text naming the currency (euros, dollars, etc.).

Price: the package price expressed in hundredths of the currency unit, e.g. enter 1000 for 10 euros.

Package description: free text describing the package, such as “1 hour package”. This text appears on the SECUREPOINT portal and can be entered in each of the available languages.

Default language: the default language can be selected. It is therefore not necessary to enter the package description in all languages; fields left empty take the value entered for the default language.

Associated profile: user profile applied for this package.

Once a package is created, it appears in the package table.

Example:

Figure 112: Package display

7.7.2.2 PMS configuration

The second step is to configure the settings used to establish a connection with the PMS. To do so, select the Enable PMS checkbox. The following form is displayed:

Figure 113: Configuring the PMS connection settings

The following fields need to be filled in:

Access to the PMS server

o Server IP address: IP address of the server hosting the PMS.

o Server port: the port used to exchange data with the PMS.

o Sender ID: an identifier agreed with the PMS operator (sent in the SO field of posting records, see Appendix 2).

Accounts validity

Two behaviours are possible on receipt of a ‘check-out’ message: the user account becomes invalid immediately (default), or it remains valid until midday N days later, N being configurable.

Account creation mode

There are two methods for building the user account credentials. “Mode1” uses the login and password described in Section 7.7.2 (default). “Mode2” uses a login built only from the room number, and the user’s surname as password.

Password coding

When enabled, the password is not the clear-text name but the first 8 characters of the SHA-1 fingerprint of that name (first name in Mode1, surname in Mode2). Coding is disabled by default. Note that this is an encoding, not a secrecy measure: the fingerprint is deterministic, so anyone who knows the name can recompute the password.

Communication

The character encoding used by the PMS server can be stated: ISO-8859-1 (default), UTF-8 or CP850.

Service billing

Billing information (POST CHARGE) is sent to the PMS every N seconds; the interval between two checks is configurable.

Users with no package choice

Users identified by the PMS as not having to select a package are created with the selected profile.

Click on Confirm.
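The credential rules of Section 7.7.2 and this section (Mode1/Mode2 login and password, optional password coding, and the check-out validity rule), as an added Python example. This is editorial example code, not SECUREPOINT code. Assumptions the guide does not state: whitespace is stripped from names, the SHA-1 “fingerprint” is the lowercase hexadecimal digest, and immediate invalidation is represented by the check-out time itself. The last function shows why coding adds no secrecy: a coded password is recovered by hashing a short list of first names.

```python
import hashlib
from datetime import datetime, time, timedelta

# Added example, not SECUREPOINT code. Rules per Section 7.7.2 / 7.7.2.2.
MODE1, MODE2 = "Mode1", "Mode2"


def clean(value):
    # Assumption: whitespace is removed from names, case is preserved.
    return "".join(str(value).split())


def derive_credentials(room, lastname, firstname, mode=MODE1, coded=False):
    """Return (login, password) as the PMS interface would create them.

    Mode1: login = <room><name>, password = <first name>   (default)
    Mode2: login = <room>,       password = <surname>
    coded: password = first 8 hex characters of SHA-1(password)
    """
    if mode == MODE1:
        login, secret = f"{room}{clean(lastname)}", clean(firstname)
    elif mode == MODE2:
        login, secret = str(room), clean(lastname)
    else:
        raise ValueError(f"unknown account creation mode {mode!r}")
    if coded:
        # Assumption: "fingerprint" means the lowercase hex SHA-1 digest.
        secret = hashlib.sha1(secret.encode("utf-8")).hexdigest()[:8]
    return login, secret


def checkout_expiry(checkout_at_iso, grace_days=None):
    """Account validity after a check-out message (ISO 8601 in and out):
    immediate (default) or midday N days after the check-out."""
    checkout_at = datetime.fromisoformat(checkout_at_iso)
    if grace_days is None:
        return checkout_at.isoformat()
    day = (checkout_at + timedelta(days=grace_days)).date()
    return datetime.combine(day, time(12, 0)).isoformat()


def guess_coded_password(coded, candidate_names):
    """Recover the clear-text name behind a coded password by trying
    candidates; demonstrates that coding is reversible by enumeration."""
    for name in candidate_names:
        if hashlib.sha1(clean(name).encode("utf-8")).hexdigest()[:8] == coded:
            return name
    return None


if __name__ == "__main__":
    # Constructed guest record, not real data.
    login, pw = derive_credentials("101", "Doe", "Jane", coded=True)
    print(login, pw, guess_coded_password(pw, ["John", "Mary", "Jane"]))
    print(checkout_expiry("2024-05-02T09:30:00", 2))
```

Whatever mode and coding are chosen, the password space is the space of guest names, so these accounts should carry a profile limited to guest Internet access and the check-out invalidation should be left at its immediate default unless the business case for a grace period is clear.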

7.7.3 PPS Interface

The SECUREPOINT controller interfaces with PPS (Pre-paid System) products. This type of product works with cards that users buy (pre-paid cards). Each card has a given connection time.

Attention: PPS interface works with StreamWIDE servers. To use any other PPS, contact SECUREPOINT Communications.

The PPS/SECUREPOINT dialogue runs as follows:

1. Users authenticate themselves on the SECUREPOINT portal by entering the card number and the captcha code (an image displaying an 8-character string).

2. SECUREPOINT -> PPS: the card number is used to request time credit from the PPS server. The PPS allocates time in renewable blocks of N seconds. The user’s account is created automatically in SECUREPOINT: the login is the GUID supplied by the PPS for that card number, the password is the captcha code, and the group is the one defined by default during portal configuration. On the portal, users can see the connection time for the card and the amount of time used.

3. SECUREPOINT -> PPS: when users disconnect, SECUREPOINT sends the connection time used to the PPS. The user’s account is automatically deleted from the SECUREPOINT account database.

To implement the PPS interface, click on the PPS item in the sub-menu. The following page is displayed:

Figure 114: PPS configuration

The parameters need to be set allowing a connection to be established with the PPS. To do so, select the Enable PPS checkbox. The following form is displayed:

Figure 115: Configuring the PPS connection settings

The following fields need to be filled in:

XMLRPC interface URL: the URL of the PHP file hosting the XML-RPC server that handles requests (session start, request for time credit, session end, card validity, etc.).

Example: http://@IP/ppsxml/prepaid.xml_rpc.server.php

Attention: with a plain http:// URL the card numbers and time credits are exchanged in clear text. Keep this link on the management network, or use https:// if the PPS server supports it.

IP: Trunk IP address used to initiate the connection with the PPS, 10.10.10.10 by default.

Page 94: Securepoint Network Access Controller (NAC - Downloads

94 Securepoint NAC Installation Guide

Billing mode: read-only field equating to the billing method. This is billing by time (TIME).

8 Configuring active elements

The active elements mentioned in this section are either Wi-Fi access points or switches that user workstations are associated with or connected to.

8.1 Configuring Wi-Fi access points

Access points must be configured to fit with the network infrastructure of which they will form part.

Configuration further depends on the authentication methods selected and the encryption options.

The following are the appropriate configurations to be carried out:

For a “thick” access point, allocate a fixed IP address to the access point (e.g.: 192.168.100.200).

Define one or more SSIDs. More than one SSID is defined when more than one authentication method is to be implemented on the same access point, one method per SSID. For example, one SSID can be open access with portal authentication while another uses 802.1X/EAP authentication.

Associate one VLAN with each SSID.

Attention: The access point needs to support the multiple SSID/VLAN function.

Configuration for 802.1X/EAP authentication: the IP address of the RADIUS authentication server (e.g.: 192.168.100.254) and the shared secret with this server must be configured on the access point. Use a long, random shared secret; it is the only thing that authenticates the access point to the RADIUS server.

Wireless encryption: enable WPA2 with AES (CCMP), either with a pre-shared key (PSK) or with 802.1X (802.11i). WEP and WPA/TKIP are still offered by many access points but both are cryptographically broken and should not be enabled on new deployments.

8.2 Configuring switches

When the new Wi-Fi network is created, user traffic must be isolated in new VLANs so that the SECUREPOINT controller sits at the boundary between the WLAN and the LAN/WAN. As seen above, each SSID created on the access points corresponds to one new VLAN, which must be carried by every active element between the access point and the eth1 (IN) interface of the SECUREPOINT controller.

VLANs are carried by declaring their VIDs on each switch along the path. These VIDs are those created on the access points (e.g.: VID 2: open access/portal, VID 3: administrators/802.1X and VID 4: terminal administration).

Attention: The VID of the eth0 (OUT) interface of the SECUREPOINT controller must be different from the VID of the eth1 (IN) interface.

Page 95: Securepoint Network Access Controller (NAC - Downloads

95 Securepoint NAC Installation Guide

Several port types must be configured on these switches. If there are several switches along the path, the VIDs must also be allowed on the STACK (inter-switch) ports.

On the switch to which the SECUREPOINT controller is connected, the ports to configure are those connected to:

the SECUREPOINT eth1 (IN) interface;

the “thick” access points, or the OUT interface of the wireless controller (thin APs).

802.1Q encapsulation (TRUNK mode) must be enabled on each of these physical ports, and the Wi-Fi VLANs and the terminal administration VLAN must be allowed on them.

Example:

SECUREPOINT is connected to the existing LAN on VLAN 1 at the controller output. Incoming VLANs 2 and 3 have been declared on the controller, each corresponding to one SSID created on the access point. We also want to isolate the RADIUS authentication traffic on the terminal administration VLAN. To achieve this, we declare VLANs 2, 3 and 4 in the VLAN database of each switch, then configure the trunks as follows on each physical port connecting access points, Wi-Fi controllers, the SECUREPOINT eth1 interface and the STACK ports:

SECUREPOINT port and access point ports: VLAN 2: TAG, VLAN 3: TAG, VLAN 4: UNTAG

Switch stack ports: VLAN 2: TAG, VLAN 3: TAG, VLAN 4: TAG

Attention: VLAN 4 is untagged (native) on the access point and controller ports, so any device plugged into one of these ports without VLAN tagging lands directly on the terminal administration VLAN. Keep these ports physically controlled and do not leave unused switch ports in this configuration.

9 What’s next

Once Securepoint NAC and the active elements have been installed and configured, the user profiles and users need to be created. See the “Securepoint NAC Administration Guide” for this aspect. To complete Wi-Fi (or wired) connections through SECUREPOINT, see the “SECUREPOINT Portal User Guide”.

Page 96: Securepoint Network Access Controller (NAC - Downloads

96 Securepoint NAC Installation Guide

10 Appendix 1: SECUREPOINT MIB

SECUREPOINT-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
    Integer32, IpAddress, enterprises              FROM SNMPv2-SMI
    DisplayString                                  FROM SNMPv2-TC;

-- Corrections to the listing as printed, so that a MIB compiler accepts it:
-- the duplicate IMPORTS line and the unused imports (RowStatus, StorageType,
-- InetAddressType, InetAddress, SnmpAdminString) are dropped; DisplayString,
-- IpAddress and NOTIFICATION-TYPE, which the module uses, are imported;
-- SMIv1 clauses (ACCESS, STATUS mandatory) are written in SMIv2 form
-- (MAX-ACCESS, STATUS current); descriptors that began with a capital letter
-- (DHCPserver, AdminAccess, DelegAccess, ConnectedUsers, Download, Upload)
-- or contained a hyphen (syslog-ng) are written in the form SMIv2 allows;
-- empty DESCRIPTION clauses are given a one-line text. Object names and OID
-- assignments are otherwise those of the printed listing.
--
-- Managers that also load SNMPv2-MIB and IF-MIB will see the descriptors
-- system, interfaces, ifIndex, ifDescr and ifMTU reused here under the
-- SECUREPOINT enterprise arc; refer to them module-qualified
-- (SECUREPOINT-MIB::ifIndex) to avoid ambiguity.

securepoint MODULE-IDENTITY
    LAST-UPDATED "200202060000Z"
    ORGANIZATION "SECUREPOINT Communication"
    CONTACT-INFO
        "MIB SECUREPOINT
         postal: Salzstraße 1
                 21335 Lüneburg
         email:  [email protected]"
    DESCRIPTION
        "MIB for remote control by SNMP for SECUREPOINT Box"
    ::= { enterprises 31218 }

-- 1.3.6.1.4.1.31218.1
system OBJECT IDENTIFIER ::= { securepoint 1 }

sysConnectedUsers OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Number of connected users"
    ::= { system 1 }

sysUptime OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..32))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "SECUREPOINT controller system uptime"
    ::= { system 2 }

sysDate OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..32))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "SECUREPOINT controller local date"
    ::= { system 3 }

-- The only writable scalar in the module: anyone holding the SNMP write
-- password can set it (see the Attention in Section 7.7.1).
sysDebugValue OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Debug value"
    ::= { system 4 }

sysCPU OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "CPU usage in percent"
    ::= { system 5 }

-- The printed listing gives SYNTAX KBytes, which is not an SMI type;
-- Integer32 with a UNITS clause is assumed here.
sysFreeMemory OBJECT-TYPE
    SYNTAX      Integer32
    UNITS       "KBytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Free memory in KBytes"
    ::= { system 6 }

sysLoad OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Load"
    ::= { system 7 }

-- Service status strings, 1.3.6.1.4.1.31218.1.8.N
servStatus OBJECT IDENTIFIER ::= { system 8 }

httpdStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service httpd status"
    ::= { servStatus 1 }

mysqlStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service mySql status"
    ::= { servStatus 2 }

urlsnarfStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service urlsnarf status"
    ::= { servStatus 3 }

privoxyStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service privoxy status"
    ::= { servStatus 4 }

autodisconnectStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service autodisconnect status"
    ::= { servStatus 5 }

cupsStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service cups status"
    ::= { servStatus 6 }

dhcpdStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service dhcpd status"
    ::= { servStatus 7 }

dnsmasqStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service dnsmasq status"
    ::= { servStatus 8 }

ipstaticStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service ipstatic status"
    ::= { servStatus 9 }

keepalivedStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service keepalived status"
    ::= { servStatus 10 }

ldapStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service ldap status"
    ::= { servStatus 11 }

ldapmonitorStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service ldapmonitor status"
    ::= { servStatus 12 }

ntpdStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service ntpd status"
    ::= { servStatus 13 }

radiusdStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service radiusd status"
    ::= { servStatus 14 }

smbStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service smb status"
    ::= { servStatus 15 }

snmpdStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service snmpd status"
    ::= { servStatus 16 }

sshdStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service sshd status"
    ::= { servStatus 17 }

syslogngStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service syslog-ng status"
    ::= { servStatus 18 }

ulogdStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service ulogd status"
    ::= { servStatus 19 }

clientPMSStatus OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Service clientPMS status"
    ::= { servStatus 20 }

-- Notifications, 1.3.6.1.4.1.31218.1.9.N. The printed listing gives each
-- notification a SYNTAX and a MAX-ACCESS clause, which the NOTIFICATION-TYPE
-- macro does not permit; they are omitted here. The OIDs are kept as printed,
-- since they are what the agent sends (RFC 2578 recommends a zero
-- sub-identifier before the notification number, which this module predates).
traps OBJECT IDENTIFIER ::= { system 9 }

datelastconnect NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Last connection date"
    ::= { traps 1 }

httpd NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service HTTPD"
    ::= { traps 2 }

mysqld NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service mySQLd"
    ::= { traps 3 }

urlsnarf NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service urlsnarf"
    ::= { traps 4 }

privoxy NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service privoxy"
    ::= { traps 5 }

autodisconnect NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service autodisconnect"
    ::= { traps 6 }

cups NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service cups"
    ::= { traps 7 }

dhcpd NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service dhcpd"
    ::= { traps 8 }

dnsmasq NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service dnsmasq"
    ::= { traps 9 }

ipstatic NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service ipstatic"
    ::= { traps 10 }

keepalived NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service keepalived"
    ::= { traps 11 }

ldap NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service ldap"
    ::= { traps 12 }

ldapmonitor NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service ldapmonitor"
    ::= { traps 13 }

ntpd NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service ntpd"
    ::= { traps 14 }

radius NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service radius"
    ::= { traps 15 }

snmpd NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service snmpd"
    ::= { traps 16 }

smb NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service smb"
    ::= { traps 17 }

sshd NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service sshd"
    ::= { traps 18 }

-- printed as syslog-ng; hyphens are not permitted in SMIv2 descriptors
syslogng NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service syslog-ng"
    ::= { traps 19 }

ulogd NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service ulogd"
    ::= { traps 20 }

clientpms NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Service clientpms"
    ::= { traps 21 }

toomanyusers NOTIFICATION-TYPE
    STATUS      current
    DESCRIPTION "Number of connected users exceeds license users"
    ::= { traps 22 }

-- Interface table, 1.3.6.1.4.1.31218.2
interfaces OBJECT IDENTIFIER ::= { securepoint 2 }

ifUCPTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IfInfo
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "A list of interfaces"
    ::= { interfaces 1 }

ifInfo OBJECT-TYPE
    SYNTAX      IfInfo
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "An entry describing one controller interface"
    INDEX       { ifIndex }
    ::= { ifUCPTable 1 }

-- The printed listing names this type Vlansequence and declares the address
-- columns as INTEGER; the type is named after the entry and the column types
-- match the OBJECT-TYPE definitions below.
IfInfo ::= SEQUENCE {
    ifIndex         Integer32,
    ifDescr         DisplayString,
    ifRealAddr      IpAddress,
    ifNetMask       IpAddress,
    ifMACAddr       DisplayString,
    ifMTU           Integer32,
    dhcpServer      Integer32,
    adminAccess     Integer32,
    delegAccess     DisplayString,
    connectedUsers  Integer32,
    download        Integer32,
    upload          Integer32
}

-- Every column below is declared read-write in the printed listing and is
-- left so here. A manager holding the write password can therefore alter
-- interface settings; restrict SNMP access to the monitoring host
-- (Section 7.7.1).
ifIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Index of the interface"
    ::= { ifInfo 1 }

ifDescr OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Interface's name"
    ::= { ifInfo 2 }

ifRealAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Interface's real IP address"
    ::= { ifInfo 3 }

ifNetMask OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Interface's netmask"
    ::= { ifInfo 4 }

ifMACAddr OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Interface's MAC address"
    ::= { ifInfo 5 }

ifMTU OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Interface's MTU"
    ::= { ifInfo 6 }

dhcpServer OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "DHCP server status"
    ::= { ifInfo 7 }

adminAccess OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Admin access activation"
    ::= { ifInfo 8 }

delegAccess OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Deleg access activation"
    ::= { ifInfo 9 }

-- printed with the description "Admin access activation", a copy of the
-- adminAccess text; the name of the object is followed here
connectedUsers OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Number of users connected on this interface"
    ::= { ifInfo 10 }

download OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Download throughput in Kbytes/s"
    ::= { ifInfo 11 }

upload OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Upload throughput in Kbytes/s"
    ::= { ifInfo 12 }

END

11 Appendix 2: PMS/FIAS Protocol

The FIAS protocol primitives implemented by SECUREPOINT are as follows:

Synchronization

o LS (Link Start), LA (Link Alive), LE (Link End), LD (Link Description), DS (Database Resync Start), DE (Database Resync End)

Customer (Guest) transactions

o GI (Check-In) with the fields:
   RN: room number
   G#: unique guest number
   GT: title
   GF: first name
   GN: last name

o GO (Check-Out) with the fields:
   RN: room number
   G#: unique guest number
   GT: title
   GF: first name
   GN: last name

o GC (Guest-Change) with the fields:
   RN: new room number
   RO: old room number
   G#: unique guest number
   GT: title
   GF: first name
   GN: last name

o XL (Text message for guest) with the fields:
   G#: unique guest number
   MI: message ID
   MT: the text message
   RN: room number

Billing

o PS (Post-Charge) with the fields:
   RN: room number
   PTC: posting type C (direct charge)
   SO: sender ID (as configured in Section 7.7.2.2)
   TA: charge amount
   P#: request number
   CT: description

o PA (Post-Answer) with the fields:
   AS: response status
   CT: description
   RN: room number
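The record exchange listed above, as an added Python example that builds and parses the FIAS records SECUREPOINT uses and maps each inbound record to the controller-side action described in Section 7.7.2. This is editorial example code, not SECUREPOINT or PMS vendor code. The record framing (STX and ETX around the record, “|”-separated fields each starting with a two-character field ID) and the PA status values OK/NG are taken from the public FIAS specification, not from this guide; PTC is read as field PT with value C, and amounts are passed in hundredths of the currency like the package Price field in Section 7.7.2.1.

```python
# Added example, not SECUREPOINT code. Framing per the public FIAS spec
# (assumption, not stated in this guide): STX, record ID, '|'-separated
# fields each beginning with a two-character field ID, trailing '|', ETX.
STX, ETX = "\x02", "\x03"
LINK_RECORDS = {"LS", "LA", "LE", "LD", "DS", "DE"}


def build_record(record_id, fields):
    """fields: ordered (field_id, value) pairs. Refuses values that would
    break the framing."""
    for fid, val in fields:
        val = str(val)
        if len(fid) != 2 or "|" in val or STX in val or ETX in val:
            raise ValueError(f"bad field {fid!r}={val!r}")
    parts = [record_id] + [f"{fid}{val}" for fid, val in fields]
    return STX + "|".join(parts) + "|" + ETX


def parse_record(raw):
    """Return (record_id, {field_id: value}) or raise on a malformed record."""
    if len(raw) < 4 or raw[0] != STX or raw[-1] != ETX:
        raise ValueError("record not framed by STX/ETX")
    parts = raw[1:-1].split("|")
    record_id, fields = parts[0], {}
    for token in parts[1:]:
        if not token:
            continue
        if len(token) < 2:
            raise ValueError(f"truncated field {token!r}")
        fields[token[:2]] = token[2:]
    return record_id, fields


def to_bytes(record, encoding="iso-8859-1"):
    """Encode with the P MS encoding chosen in Section 7.7.2.2
    (ISO-8859-1 by default, UTF-8 or CP850)."""
    return record.encode(encoding)


def post_charge(room, amount_hundredths, sender_id, request_no, description):
    """PS record billing a selected package to the room (amount in hundredths)."""
    return build_record("PS", [("RN", room), ("PT", "C"), ("SO", sender_id),
                               ("TA", str(int(amount_hundredths))),
                               ("P#", str(request_no)), ("CT", description)])


def handle(raw):
    """Translate one inbound PMS record into the controller-side action."""
    rid, f = parse_record(raw)
    if rid == "GI":
        return {"action": "create", "room": f.get("RN", ""), "guest": f.get("G#", ""),
                "lastname": f.get("GN", ""), "firstname": f.get("GF", "")}
    if rid == "GO":
        return {"action": "close", "room": f.get("RN", ""), "guest": f.get("G#", "")}
    if rid == "GC":
        return {"action": "move", "guest": f.get("G#", ""),
                "old_room": f.get("RO", ""), "new_room": f.get("RN", "")}
    if rid == "XL":
        return {"action": "message", "guest": f.get("G#", ""),
                "id": f.get("MI", ""), "text": f.get("MT", "")}
    if rid == "PA":
        # Assumption: AS is "OK" for an accepted posting, "NG" otherwise.
        return {"action": "posting-answer", "ok": f.get("AS") == "OK",
                "room": f.get("RN", ""), "text": f.get("CT", "")}
    if rid in LINK_RECORDS:
        return {"action": "link", "record": rid}
    return {"action": "ignore", "record": rid}


# Constructed check-in record, not captured from a real PMS.
SAMPLE_CHECKIN = build_record("GI", [("RN", "101"), ("G#", "4711"), ("GT", "Ms"),
                                     ("GF", "Jane"), ("GN", "Doe")])

if __name__ == "__main__":
    print(handle(SAMPLE_CHECKIN))
    print(repr(post_charge("101", 1000, "SPNAC", 7, "1 hour package")))
```

The guard in build_record is the part worth keeping: a package description containing “|” would otherwise split into bogus fields on the PMS side, and a guest name containing STX or ETX would desynchronise the stream. The same applies in reverse, which is why parse_record rejects anything not framed exactly once.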