UAG50 - Routeur VPN ZYXEL - Free user manual and instructions

USER MANUAL UAG50 ZYXEL

Copyright © 2014 ZyXEL Communications Corporation

Table of Contents Scenario 1 – How to Activate a Paid Access Hotspot 3 1.1 Application scenario 3 1.2 Login with ticket by Printer to get the access for Internet 4 1.3 Pay with PayPal payment service to get the access for Internet 6 Scenario 2 – How to Activate a Free Access Hotspot 13 2.1 Application Scenario 13 2.2 Configuration Guide 14 Scenario 3 - Use BWM to control trial user and billing user 23 3.1 Application scenario 23 3.2 Configuration Guide 23 Scenario 4 - Using Function of Layer 2 Isolation and White List 36 4.1 Application scenario 36 4.2 Configuration Guide 36 Scenario 5 – Sending the system log to a remote syslog server and the USB device 42 5.1 Application Scenario 42 5.2 Configuration Guide 42 Scenario 6 – Manage multiple APs by AP profile 49 6.1 Application scenario 49 6.2 Configuration Guide 49 Appendix 57

ZyXEL – UAG Application Note

Scenario 1 – How to Activate a Paid Access Hotspot 1.1 Application scenario In the hotspot, there are various customer need access Internet, we can use UAG to effective control the customer access for Internet. If we want customer use payment service to access Internet, there are two main ways can be used on UAG: one is use Printer, and another one is PayPal payment service. For Printer, customer can buy ticket from reception desk, which generated by thermal printer. And for PayPal payment service, customer can pay with their PayPal account to access Internet by browser on smart phone or laptop.

Method1: Login with ticket by Printer to get the access for Internet

Method2: Pay with PayPal payment service to get the access for Internet

Network conditions: SP350E: Default IP address (DHCP): 172.16.0.200/16 User Name: admin Password: 1234 Port Number: 9100 Goals to achieve: 1) Easier control customer access Internet with payment service. 2) Customer can pay with PayPal or buy ticket from reception, then they can get access for Internet promptly.

3 Back to Table of Content

ZyXEL – UAG Application Note

1.2 Login with ticket by Printer to get the access for Internet UAG configuration: Step 1: Setting Printer Manager GUI (1) Configuration > Printer Manager > check General > Edit Port with printer: 9100.

(2) Add a printer with the printer’s IP address in the GUI.

Step 2: Configuration > Monitor > Printer Status > check the Status with “ sync success “.

4 Back to Table of Content

ZyXEL – UAG Application Note

Step 3: Select Configuration > Printer Manager > check Printout Configuration > you can choose Use Customized Printout Configuration to upload a customized printout configuration. Then you can customize the ticket information by downloading the example and modifying the ticket.

5 Back to Table of Content

ZyXEL – UAG Application Note

Step 4: Configuration > Printer Manager > check Printout Configuration > you can choose Use Default or Customized Printout Configuration > Preview: press Printout Preview > pop out the Default printout configuration or the Customized printout configuration ticket format for preview.

1.3 Pay with PayPal payment service to get the access for Internet Create and Set test account on the PayPal server: About Register an account on the PayPal server, we have registered a test account for test the function on this, please refer to the Appendix part.

6 Back to Table of Content

ZyXEL – UAG Application Note

UAG configuration: Step 1: Configuration > Billing > Payment Service > Enable Payment Service > Enter the seller Account and Identity Token.

(1) You can use Seller account Login to www.sandbox.paypal.com and go to profile > Website payments preferences to check the identity token.

(2) Enter the Payment Gateway with - https://www.sandbox.paypal.com/cgi-bin/webscr Since it’s the test web site so the payment gateway should setup as https://www.sandbox.paypal.com/cgi-bin/webscr But not default https://www.paypal.com/cgi-bin/webscr

7 Back to Table of Content

ZyXEL – UAG Application Note

Step 2: Test the dynamic account to pay the bill by payment function (1) Open the Login page, after enable the payment function, then you will saw the link on the login page.

(2) Click the link on the screen > then the page will redirected to billing profile page.

8 Back to Table of Content

ZyXEL – UAG Application Note

(3) As the test, you can Select 3 hour billing profile > click ok > then the device will redirect to PayPal authentication page.

(4) After login to PayPal page, you can make sure your order.

9 Back to Table of Content

ZyXEL – UAG Application Note

(5) After click the Agree and Continue button > then you can click Pay Now button to pay the bill.

(6) After click Pay Now button > PayPal will pop out following web page > then redirect the login information to you after 10 seconds.

10 Back to Table of Content

ZyXEL – UAG Application Note

(7) You can see the login username and password on the screen.

(8) Then you can login device with the username and password in time period.

11 Back to Table of Content

ZyXEL – UAG Application Note

Step 3: Check the balance in buyer and seller account. (1) Login to Buyer account to check on sandbox web site.

(2) Login to Seller account to check on sandbox web site.

12 Back to Table of Content

ZyXEL – UAG Application Note

Scenario 2 – How to Activate a Free Access Hotspot 2.1 Application Scenario Some hotels need to provide free Internet services to hundreds of guests on a daily basis, and managing Internet access for so many people can be very complicated without the right equipment. With web authentication such as user agreement and web portal, hotel guests are redirected to the web-based authentication portal upon the first attempt to access the network. In some countries, the law requires to identify and track users who use public internet access. UAG can authenticate people by forcing them to receive an authentication code via SMS to their phone. In this way, UAG can authorize user Internet access via their mobile phone number and keep log on the device in case of illegal activities in the hotspot. Guests can get free access to the Internet in a matter of seconds simply by entering all required personal contact information and agreeing to the policy of user agreement without a guest account, or browse the Internet free of charge for a specified period of time by entering his or her mobile phone number to receive guest account information by SMS. (Note: UAG2100 SMS ticketing function is license optional.)

User Agreement Free Time

13 Back to Table of Content

ZyXEL – UAG Application Note

2.2 Configuration Guide Network conditions: WAN: 10.59.3.54 LAN 1: 172.16.0.1/255.255.0.0 User’s laptop: 172.16.2.0 Goals to achieve: (1) Users must fill in personal information and accept the service usage agreement before they can access the Internet. After the form is submitted, the advertisement web site is pop up in a new window. (2) Allow any user to get account information by SMS and use the Internet for a limited free time. USG configuration: Task 1. Configure User Agreement to let users access the Internet without a guest account by agreeing to the policy of user agreement. Add advertisement web page as the first page when an authenticated user is attempts to access the Internet. Step 1: Configuration > Web Authentication > check “User Agreement” (1) Enable Idle Detection. The default value of idle timeout is 3 minutes. (2) Select “Internal User Agreement” (3) Add authentication policy for every source.

14 Back to Table of Content

ZyXEL – UAG Application Note

Step 2: Configuration > Advertisement (1) Enable Advertisement (2) Add the URL of the website

15 Back to Table of Content

ZyXEL – UAG Application Note

Verification: 1. When the user opens the browser, he/she will be redirected to the user agreement page. Fill in all required information and click “Agree”.

2. Click “OK” and then the user can access the Internet.

16 Back to Table of Content

ZyXEL – UAG Application Note

3. The advertisement web page will be displayed in a new frame as the first page whenever the user connects to the Internet.

Task 2. Enable SMS service on UAG and select SMS as the delivery method in Free Time. Step 1: Get an account from ViaNett at http://www.vianett.com. You can register a trial account to test the SMS function.

17 Back to Table of Content

ZyXEL – UAG Application Note

Step 2: After ViaNett account is ready, go to Configuration > SMS (1) Enable SMS. (2) Fill in your local phone country code as the default country code. (3) Add authentication policy for every source.

Step 3: Configuration > Free Time (1) Enable Free Time and set up the free time period. By default, the Reset time will be at AM 00:00. You can also setup how many times a MAC address can access the internet. (2) Select “SMS” to deliver login information to the mobile phone.

Step 4: Configuration > Web Authentication > check “Web Portal” (1) Select Internal Web Portal

18 Back to Table of Content

ZyXEL – UAG Application Note

(2) Add authentication policy for every source.

19 Back to Table of Content

ZyXEL – UAG Application Note

Verification: 1. Users will be redirected to the login page before being permitted to access the Internet. Click on the link to get a free account.

2. Select the “Free Time” on the screen and submit your mobile phone number.

20 Back to Table of Content

ZyXEL – UAG Application Note

3. The account and password is sent to your mobile phone.

4. Check your account information.

21 Back to Table of Content

ZyXEL – UAG Application Note

5. Fill in the account information received on your mobile phone and click “Login”.

6. You can start to access the Internet.

22 Back to Table of Content

ZyXEL – UAG Application Note

Scenario 3 - Use BWM to control trial user and billing user 3.1 Application scenario In the hotel network hotspot applications, UAG can support different bandwidth control by different SSID, we can use this design like NXC, SSID mapping to a VLAN. Then VLAN can mapping to an IP address subnet. In this scenario, we add 2 SSIDs and enable Free Time function on the device, and also add the Billing profiles on the device. After add the policy to limit the user bandwidth via BWM function, we can login to device via trial-user or billing-user to check the speed controlled by UAG.

Speed: 1M Guest room

3.2 Configuration Guide Network conditions: UAG: WAN1: 10.59.3.54 LAN2: 172.17.0.1 Goal to achieve: UAG can support add the rules on the device to control different user type by BWM function for control the bandwidth with user account.

23 Back to Table of Content

ZyXEL – UAG Application Note

Task 1: Add the AP profiles on the device Step 1: Go to Configuration > Object > AP Profile > SSID > SSID list (1) Modify the default SSID name as “Free”.

Add the other SSID for Billing user

Go to Configuration > Object > AP Profile > Radio to Broadcast these two SSIDs in 2.4 G and 5 G Radios.

24 Back to Table of Content

ZyXEL – UAG Application Note

Go to Configuration > Wireless > AP Management to apply the AP profile to AP.

Task 2: Enable Free Time function on the device

25 Back to Table of Content

ZyXEL – UAG Application Note

Step 1: Go to Configuration > Free time page to enable the Free time function. (You can setup how long time and how many times that user can access for free.)

Task 3: Add the Billing profiles on the device Step 1: Go to Configuration > Billing > Billing profile page to add the billing profile. Ex: 1 hour = 1€, 2 hours = 2€, 3 hours= 3€

26 Back to Table of Content

ZyXEL – UAG Application Note

Step 2: Go to Configuration > Billing> General page to check the general setting in billing function. (1) Make sure the accounting method type, currency, setting is correct (2) Add the SSID profile in the general setting

Task 4: Configuring the Payment service page Make sure the Payment service already configured correct.

27 Back to Table of Content

ZyXEL – UAG Application Note

Task 5: Add the policy to limit the user bandwidth via BWM function Step 1: Go to Configuration > BWM > Add the policy to limit the Bandwidth by user type. (1)

User: Trail-Users, Inbound=1000Kbps, Out bound=1000Kbps, Priority =7

Billing-Users, Inbound=2000Kbps, Out bound=2000Kbps, Priority =1

28 Back to Table of Content

Enable BWM function.

Task 6: Enable the Web authentication policy on the device Go to Configuration > Web Authentication > Web Authentication > Web Portal. Enable Web authentication policy to force LAN2 user must authentication with device.

29 Back to Table of Content

ZyXEL – UAG Application Note

Task 7: Login to device via trial user Step 1: Click the link to get a dynamic user account.

Step 2: After click the link on the login page, the device will redirect the billing profile to you.

30 Back to Table of Content

ZyXEL – UAG Application Note

Then you can select the “Free Time” on the screen, and click “OK” Button.

31 Back to Table of Content

ZyXEL – UAG Application Note

Step 3: Then device will pop out the user name and password to you. Or you can click “Login Now” Button to login to device directly.

Step 4: Use browser to “http://www.speedtest.net/” to test the Speed. The test result is around 1 Mbps. It’s the same as our setup.

32 Back to Table of Content

ZyXEL – UAG Application Note

Task 7: Login to device via billing-user, and test the speed. Step 1: Click the link to get a dynamic account to access the internet.

Step 2: Select 1 hour profile to test this.

33 Back to Table of Content

ZyXEL – UAG Application Note

Step 3: Then device will pop out the PayPal page to you. Please enter the correct user name and password in the check box. And click “Log in” button on the browser.

And PayPal will help you balance your bill. Then you can click “Pay Now” button.

34 Back to Table of Content

ZyXEL – UAG Application Note

Step 4: After you click Pay Now button, the PayPal will redirected the user name and password to you. And you can click “Login now” to access the internet directly.

Step 5: Use browser to “http://www.speedtest.net/” to test the Speed. The test result is around 2 Mbps. It’s the same as our setup.

35 Back to Table of Content

ZyXEL – UAG Application Note

Scenario 4 - Using Function of Layer 2 Isolation and White List 4.1 Application scenario In the hotel network hotspot applications, if you want to easily control and manage that Clients will be unable to connect to each other, you can enable the Layer2 Isolation function to block which interface unable to connect to each other. In this scenario, we have set two Client laptops, and an online printer for Client use, after enable the Layer2 Isolation, we can control that Clients side can’t access each other laptop. And by using White list, we also can manage Client side also can access online printer.

Printer IP 172.16.1.1

4.2 Configuration Guide Network conditions: UAG: LAN 1: 172.16.0.1/255.255.0.0 Printer IP: 172.16.1.1 Client 1’s laptop: 172.16.1.2 Client 2’s laptop: 172.16.2.0 Goals to achieve: 1) With enable the Layer2 Isolation function, it can easily control and manage to block which interface unable to connect to each other. 2) Using White list, it can manage which server that Client side also can access.

36 Back to Table of Content

ZyXEL – UAG Application Note

USG configuration: Task 1. Using enable “Layer2 Isolation” function to manage internal unable to connect to each other. Step1: Connect Printer on UAG Lan1, and make sure the Client’s laptop is also in the same Lan1 subnet. Printer IP:

Client2’s laptop IP:

37 Back to Table of Content

ZyXEL – UAG Application Note

Step2: Since the Layer2 Isolation function only takes effect if the firewall is enabled, so you have to enable firewall first. Configuration > Network > Firewall > Enable Firewall

Step3. Configuration > Network > Layer 2 Isolation (1) Enable Layer 2 Isolation (2) Move the lan1 interface to the Member list to let all lan1 internal unable to connect to each other.

38 Back to Table of Content

ZyXEL – UAG Application Note

Verification: Client2’s laptop can’t connect to online printer (172.16.1.1), and Client1’s laptop (172.16.1.2).

39 Back to Table of Content

ZyXEL – UAG Application Note

Task 2. Using “White list” function to manage Client side also can access online printer. Step1. Using IP/MAC Binding to make sure the Printer IP is correct host. Configuration > Network > IP/MAC Binding > lan1 (1) Enable IP/MAC Binding (2) Insert the Printer IP binding with the correct MAC Address

Step2. Configuration > Network > Layer2 Isolation > White List (1) Enable White List (2) Add the White List Rule with Host IP Address: 172.16.1.1 to let Client’s laptop can connect to the Printer

40 Back to Table of Content

ZyXEL – UAG Application Note

Client2’s laptop can connect to online Printer (172.16.1.1) which in White List, but still can’t connect to Client1’s laptop (172.16.1.2).

41 Back to Table of Content

ZyXEL – UAG Application Note

Scenario 5 – Sending the system log to a remote syslog server and the USB device 5.1 Application Scenario For the management purposes, administrators can easily monitor events occurring on UAG by reading syslog. The syslog is very useful for administrators; especially, when the administrator receives complaints from the users regarding slow or unstable Internet connection. The administrator can use these reports as a troubleshooting reference. In this scenario, we are showing how the UAG exports system logs to a Kiwi syslog server and a USB device connected to UAG.

5.2 Configuration Guide Network conditions: WAN: 10.59.3.54 Kiwi Syslog Server: 172.16.2.0 Goals to achieve: The administrator will be able to see system logs on the Kiwi syslog server and a USB storage. USG configuration: Task 1. Install Kiwi syslog server on the PC and send log information to Kiwi syslog server. Step 1: Install Kiwi syslog server on the PC and connect this PC to LAN of UAG. Here is the website for Kiwi syslog server. http://www.kiwisyslog.com/products/kiwi-syslog-server/product-overview.aspx

42 Back to Table of Content

ZyXEL – UAG Application Note

43 Back to Table of Content

ZyXEL – UAG Application Note

Step 2: Configuration > Log & Report > Log Settings and click on “Remote Server 1” to edit log on Kiwi syslog server.

Step 3: Type the server name or the IP address of the Kiwi syslog server and check “Active” to send log information to the server. Select what information you want to log from each log category. You can simply enable normal logs to send all normal logs to Kiwi syslog server.

44 Back to Table of Content

ZyXEL – UAG Application Note

Verification: 1. Open Kiwi syslog server console and click Manage > Start the Sysogd service to start syslog service.

2. Go to File > Setup and click to “Log to file” to edit the path and file name of log file. In this example, we select “ISO Date (YYYY-MM-DD)” as the log file name. Select the log file format in the list.

45 Back to Table of Content

ZyXEL – UAG Application Note

3. Go to the path where you save the log file and view the log.

Task 2. Store the system log to the USB device. Step 1: Plug in an external USB storage device and activate USB storage service to store system log. USB storage devices with FAT16, FAT32, EXT2, or EXT3 file systems are supported for connection to the USB port of UAG. Also, you have to set a disk full warning limit once the storage space is less than this criterion.

Step 2: Check if the status of USB storage is ready at Monitor > USB Storage > Storage Information.

46 Back to Table of Content

ZyXEL – UAG Application Note

Step 3: Configuration > Log & Report > Log Settings and click on “USB storage” to edit log on USB storage setting.

Step 4: Check “Duplicate logs to USB storage” and select what information you want to log from each log category. You can simply enable normal logs to save all normal logs to USB device.

47 Back to Table of Content

ZyXEL – UAG Application Note

Verification: Go to Maintenance > Diagnostics > System Log and click “Download” to view the log.

48 Back to Table of Content

ZyXEL – UAG Application Note

Scenario 6 – Manage multiple APs by AP profile 6.1 Application scenario In the company, since there are several conference room might in different VLAN, and also far distance from each other, thus you can use AP profile to manage and control other APs in different VLAN. In this scenario, we use UAG to control and manage the AP of NWA3560N which connect to LAN2, and set up two SSID in different VLAN. By using function of AP profile, we can control and manage the AP to provide access Internet in different VLAN. Vlan10: 172.88.10.1/24 (VID:10)

SSID: VIP Internet NWA356-N IP: 172.17.1.1 WAN: 10.59.3.25 LAN 2: 172.17.0.1/255.255.0.0 SSID: Client Vlan20: 172.88.20.1/24 (VID:20)

6.2 Configuration Guide Network conditions: UAG: WAN: 10.59.3.25 LAN2: 172.17.0.1/255.255.0.0 NWA3560-N IP: 172.17.1.1 Vlan10 IP: 172.88.10.1/24 Vlan20 IP: 172.88.20.1/24 Goals to achieve:

49 Back to Table of Content

ZyXEL – UAG Application Note

1) Control multiple APs by AP profile

2) Manage the AP to provide access Internet in different VLAN USG configuration: Task 1. Configure VLAN interface to let two SSID can belong to different VLAN first. Step 1: Configuration > Network > Interface > VLAN

(1) Add internal VLAN base on lan2 port, and set VLAN ID: 10 (2) Set the VLAN interface IP Address with 172.88.10.1/24

50 Back to Table of Content

ZyXEL – UAG Application Note

(3) Set DHCP Server with IP Pool Start Address from 172.88.10.2

Step 2: Configuration > Network > Interface > VLAN (1) Add internal VLAN base on lan2 port, and set VLAN ID: 20 (2) Set the VLAN interface IP Address with 172.88.20.1/24

51 Back to Table of Content

ZyXEL – UAG Application Note

(3) Set DHCP Server with IP Pool Start Address from 172.88.20.2

Task 2. Control AP by AP Profile to provide SSID for access. Step 1: Configuration > Object > AP Profile > SSID > Add

(1) Add the SSID of VIP for VIP use (2) Select the VLAN ID: 10 to connect with VLAN10 (3) Choose VLAN Support with On

52 Back to Table of Content

ZyXEL – UAG Application Note

Step 2: Configuration > Object > AP Profile > SSID > Add another SSID (1) Add the SSID of Client for Client use (2) Select the VLAN ID: 20 to connect with VLAN20 (3) Choose VLAN Support with On

53 Back to Table of Content

ZyXEL – UAG Application Note

Step 3: Configuration > Object > AP Profile > Ratio > you can select default 2.4G or default2 5G by device ratio.

(1) Set SSID Profile with “for_VIP” which we configured AP Profile (2) Set SSID Profile with “for_client” which we configured AP Profile

54 Back to Table of Content

ZyXEL – UAG Application Note

Verification: 1. Connect NWA3560-N AP directly under UAG Lan2 and check Configuration > Wireless > AP Management (1) Check UAG has manage and control the model of NWA3560-N (2) And NWA3560-N AP has get the IP with 172.17.1.1 under Lan2

2. You can also double confirm Monitor > Wireless > AP Information (1) Check UAG has manage and control the model of NWA3560-N (2) And NWA3560-N AP has get the IP with 172.17.1.1 under Lan2

3. Connect laptop with SSID VIP, and you can get the IP Address of 172.88.10.3 under VLAN10 from AP.

4. Connect laptop with SSID Client, and you can get the IP Address of 172.88.20.3 under VLAN20 from AP.

55 Back to Table of Content

ZyXEL – UAG Application Note

56 Back to Table of Content

ZyXEL – UAG Application Note

Appendix Create and Set test account on the PayPal server: Step 1: Register a personal account on the PayPal server. (1) Go to https://www.paypal.com and Click “Sign up” button to start the registration process.

(2) Click Personal type to Get Started register a PayPal account.

57 Back to Table of Content

ZyXEL – UAG Application Note

(3) Register your account information in the check box and click “Agree and Create account”. And then enter the Security code in the check box and enter the Security question to submit the registration.

58 Back to Table of Content

ZyXEL – UAG Application Note

(4) Since we just register an account to test the PayPal function, so you can choose to ignore the Credit card information at this part.

59 Back to Table of Content

ZyXEL – UAG Application Note

Step 2: Login to PayPal and register the test account on developer web site, first create a Seller account in developer web site. (1) Access to https://developer.paypal.com web site and login the PayPal account.

(2) Click Applications> Sandbox accounts button to create the account on developer web site.

60 Back to Table of Content

ZyXEL – UAG Application Note

(3) Click Create Account button to create a “Seller” account on developer web site.

(4) Enter the Seller e-mail and password. And the account type should select as “Business”.

61 Back to Table of Content

ZyXEL – UAG Application Note

(5) Use Seller’s account to login to Sandbox web site to modified profile information. (https://www.sandbox.paypal.com/)

a. Go to Profile > Website payments preferences to enable Auto Return for Website Payments.

62 Back to Table of Content

ZyXEL – UAG Application Note

Notice that setting Website Payment Preferences with Turn on “Auto Return”, and Enter Return URL: http://1.1.1.1, and also Turn on “Payment Data Transfer”.

63 Back to Table of Content

ZyXEL – UAG Application Note

b. Go to Payment receiving preferences to modify allow different currency to my account.

64 Back to Table of Content

ZyXEL – UAG Application Note

Notice that to select “No, accept them and convert them to U.S. Dollars”.

65 Back to Table of Content

ZyXEL – UAG Application Note

Step 3: Login to PayPal and register the test account on developer web site, second create a Buyer account in developer web site. (1) Click Create Account button to create a “Buyer” account on developer web site.

66 Back to Table of Content

ZyXEL – UAG Application Note

(2) Enter the Buyer e-mail and password. And the account type should select as “Personal”, and also you can setup this user has 1000 USD in this account.

67 Back to Table of Content