ACCESS GATEWAY
Introduction 19
applies associated attributes stored in that customer's profile, and logs their activity (including bytes
transferred, connect time, etc.). The NSE's RADIUS implementation also handles vendor specific
attributes (VSAs), required by WISPs that want to enable more advanced services and billing
schemes, such as a per device/per month connectivity fee.
RADIUS Proxy
The RADIUS Proxy feature relays authentication and accounting packets between the parties
performing the authentication process. Different realms can be set up to directly channel RADIUS
messages to the various RADIUS servers. This functionality can be effectively deployed to:
Support a wholesale WISP model directly from the edge without the need for any
centralized AAA proxyinfrastructure.
Support EAP authenticators (for example, WLAN APs) on the subscriber-side of the NSE
to transparently proxy all EAP types (TLS, SIM, etc.) and to allow for the distribution of
per-session keys to EAP authenticators and supplicants.
Realm-Based Routing
Realm-Based Routing provides advanced NAI (Network Access Identifier) routing capabilities, enabling
multiple service providers to share a HotSpot location, further supporting a Wi-Fi wholesale model. This
functionality allows users to interact only with their chosen provider in a seamless and transparent manner.
The Access Gateway can route RADIUS messages depending on the Network Access Identifier (NAI). Both
prefix-based (for example, ISP/username@ISP.net) and suffix-based (username@ISP.net) NAI routing
mechanisms are supported. Together, the RADIUS Proxy and Realm-Based Routing further support the
deployment of the Wholesale Wi-Fi™ model allowing multiple providers to service one location.
Remember Me and RADIUS Re-Authentication
The NSE’s Internal Web Server (IWS) stores encrypted login cookies in the browser to remember logins,
using usernames and passwords. This “Remember Me” functionality creates a more efficient and better user
experience in wireless networks.
RADIUS Re-Authentication allows the Access Gateway to store the RADIUS credentials of specific devices
for a configurable period of time. This helps devices to seamlessly leave and then reconnect to the guest
network and retain their RADIUS parameters without requiring another manual login. See also Defining the
RADIUS Client Settings {RADIUS Client} on page 124.
Secure Management
There are many different ways to configure, manage and monitor the performance and up-time of network
devices. SNMP, Telnet, HTTP and ICMP are all common protocols to accomplish network management
objectives. And within those objectives is the requirement to provide the highest level of security possible.
While several network protocols have evolved that offer some level of security and data encryption, the
preferred method for attaining maximum security across all network devices is to establish an IPSec tunnel
between the NOC (Network Operations Center) and the edge device (early VPN protocols such as PPTP have
been widely discredited as a secure tunneling method).
As part of Nomadix’ commitment to provide outstanding carrier-class network management capabilities to its
family of public access gateways, we offer secure management through the NSE’s standards-driven, peer-to-
peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure
management of the Nomadix gateway using any preferred management protocol, but also the secure
management of third party devices (for example, WLAN Access Points and 802.3 switches) on private
subnets on the subscriber side of the Nomadix gateway. See also Defining IPSec Tunnel Settings {IPSec} on
page 102.
To Next Page
Loading...
