Huawei AC6005 New

The setup was tested using the following devices and FW revisions:

No.  Model Number        QTY  Software Version
1    AC6005              1    V200R019C00SPC500
2    Air Engine 5760-10  2    V200R019C00SPC500


Prerequisite steps:

  1. Configure network interworking.
  2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
  3. Configure APs to go online.
  4. Configure WLAN service parameters.

Notice

Follow the Huawei documentation to configure basic networking and wireless services on the WLAN controller.


1.    Configure external Portal RADIUS authentication on the AC

We recommend using this set of RADIUS servers.

List of RADIUS servers according to your location:
 For North America

RADIUS Server 1

rad-1-use-1.socifi.com or IP address: 52.7.148.174, Radius shared secret: socifi

RADIUS Server 2

rad-2-use-1.socifi.com or IP address: 52.55.217.23, Radius shared secret: socifi

 For Europe and Africa

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

 For Asia-Pacific

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

For RADIUS communication to work, the IP addresses above must be reachable on ports 1812 (authentication) and 1813 (accounting).



radius-server template SOCIFIWifi
 radius-server shared-key cipher <password>
 radius-server authentication 52.209.184.212 1812 weight 80
 radius-server authentication 52.50.155.202 1812 weight 80
 radius-server accounting 52.209.184.212 1813 weight 80
 radius-server accounting 52.50.155.202 1813 weight 80
radius-server template default
 radius-server shared-key cipher <password>
radius-server ip-address 52.209.184.212 shared-key cipher <password>
radius-server ip-address 52.50.155.202 shared-key cipher <password>
radius-server authorization 52.209.184.212 shared-key cipher <password>
radius-server authorization 52.50.155.202 shared-key cipher <password>

2.    Create an AAA scheme and set the authentication method to RADIUS.

aaa
 authentication-scheme Agile
  authentication-mode radius
 authentication-scheme SOCIFIWifi
  authentication-mode radius
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 authorization-scheme portal
  authorization-mode none
 accounting-scheme Agile
  accounting-mode radius
  accounting realtime 15
 accounting-scheme SOCIFIWifi
  accounting-mode radius
  accounting realtime 3
 accounting-scheme default
 domain default
  authentication-scheme Agile
  accounting-scheme Agile
  radius-server Agile
 domain default_admin
  authentication-scheme default


3.    Configure a Portal server profile

http secure-server ssl-policy default_policy
 http server enable
portal https-redirect enable
portal web-authen-server https ssl-policy default_policy port 8443
portal local-server ip 192.168.10.1
portal local-server redirect-url enable
 
url-template name urlTemplate_SOCIFIWifi
 url https://connect.socifi.com
 parameter start-mark #
 url-parameter ap-ip AC-IP ap-mac AC-MAC redirect-url redirect-url user-ipaddress user-ip user-mac user-mac device-ip device-ip device-mac device-mac ap-name ap-name ssid ssid login-url switch_url https://192.168.2.250:8445/login
 url-parameter mac-address format delimiter - normal
#
 
web-auth-server SOCIFIWifi
 server-ip 
 port 443
 shared-key cipher %^%#5@cw9v4y`*rP&kP=.p'7`[/{B`,Yn&k8Cs*;8]pH%^%#
 url-template urlTemplate_SOCIFIWifi
 protocol http
 http get-method enable
 
portal-access-profile name portal_access_profile
 web-auth-server SOCIFIWifi direct
free-rule-template name SOCIFIWifi
 free-rule acl 6031
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 8.8.8.8 mask 255.255.255.0

4.    Configure a Walledgarden and passthrough-Domain

Enter the following Walled Garden ranges:

If you are a customer with the White Label solution, please add your custom domain (for example *.mycustomdomain.com) to the Walled Garden list.

*.socifi.com
*.facebook.com
*.akamaihd.net
*.akamai.net
*.edgecastcdn.net
twitter.com
*.twitter.com
*.twimg.com
*.fastly.net
*.li-cdn.net
*.cloudfront.net
facebook.com
*.fbcdn.net
*.instagram.com
*.cdninstagram.com
instagram.com
*.linkedin.com
*.licdn.com
linkedin.com

facebook.com and twitter.com are listed twice on purpose: once with and once without the asterisk.

If you are using Ruckus equipment, don't forget to add the CDN IP ranges to the Walled Garden list.

Due to Ruckus firmware behavior, end-user devices might not be able to reach some (mainly CDN and cloud) domains from the Walled Garden list. This can cause the captive portal to render incorrectly.

The new IP ranges (indented in the list below) were added in April 2018.
The current list of Amazon CloudFront (CDN) IPs is here: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html (direct link to the IP list in JSON format: https://ip-ranges.amazonaws.com/ip-ranges.json)

As a workaround, you have to add the static IPs shown below to adjust for the firmware behavior and to be able to start monetizing your network immediately.

The workaround is to add the following IP ranges to the Walled Garden list:


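An added example (not from the original page or from SOCIFI): because the static ranges date from April 2018 and AWS publishes the current ones in ip-ranges.json, the Python below filters the CLOUDFRONT entries from a feed in that layout and reports which static Walled Garden entries the feed no longer covers and which feed ranges the static list lacks. The feed and the static list embedded here are constructed samples, and the function names are illustrative.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json (values are illustrative).
SAMPLE_FEED = json.dumps({
    "syncToken": "0", "createDate": "constructed",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "54.192.0.0/17", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "54.192.128.0/17", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

# Constructed stand-in for a static Walled Garden list.
STATIC_LIST = ["13.32.0.0/15", "54.192.0.0/16", "192.0.2.0/24"]


def cloudfront_networks(feed_text):
    """Return the collapsed IPv4 networks tagged CLOUDFRONT in the feed."""
    feed = json.loads(feed_text)
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in feed["prefixes"] if p["service"] == "CLOUDFRONT"}
    # collapse_addresses merges adjacent/overlapping networks and sorts them.
    return list(ipaddress.collapse_addresses(nets))


def covered(net, pool):
    """True when net lies entirely inside one network of pool."""
    return any(net.subnet_of(p) for p in pool)


def compare(static_list, feed_text):
    """Report static entries the feed no longer lists and feed ranges not allowed."""
    feed_nets = cloudfront_networks(feed_text)
    static_nets = [ipaddress.ip_network(s) for s in static_list]
    return {
        "stale": [str(n) for n in static_nets if not covered(n, feed_nets)],
        "missing": [str(n) for n in feed_nets if not covered(n, static_nets)],
    }


if __name__ == "__main__":
    print(compare(STATIC_LIST, SAMPLE_FEED))
```

Stale entries matter as much as missing ones: a range that has left CloudFront stays reachable without authentication until it is removed from the list.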
 Want to Allow Google+ login?

The new "Allow login through social networks" option does not include Google login, because some Android-based devices are not redirected to the Captive Portal when the user connects to the WiFi network. If you would like to add it, do the following:

  1. Check if your hotspot allows DNS names in the Walled Garden. Some hotspots can use IP addresses only. See: Why DNS-based Walled Garden (and not IP-based)
  2. Allow Google+ login: Settings > Brand > Authentication > Allow login through social networks > Set on Allow Google login
  3. Add these Walled Garden domains to the existing list:

Google+ login DNS names

Please adopt the same format your Walled Garden already uses, e.g. with or without the asterisk, separated by comma or space, etc.

 For Cisco Meraki, Ruckus, Xirrus
*.googleapis.com
*.googleusercontent.com
*.gstatic.com
*.accounts.youtube.com
*.apis.google.com
*.accounts.google.com
*.l.google.com

The local accounts.google.XX domain must be added to the Walled Garden list, for example accounts.google.co.uk for the United Kingdom, accounts.google.com.sg for Singapore, accounts.google.de for Germany, etc. You can find the list of Google domains at https://ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/List_of_Google_domains.html

 For Open Mesh
googleapis.com,googleusercontent.com,gstatic.com,accounts.youtube.com,apis.google.com,accounts.google.com,l.google.com

 For Mikrotik
/ip hotspot walled-garden
add dst-host=*.googleapis.com
add dst-host=*.googleusercontent.com
add dst-host=*.gstatic.com
add dst-host=*.accounts.youtube.com
add dst-host=*.apis.google.com
add dst-host=*.accounts.google.com
add dst-host=*.l.google.com
add dst-host=accounts.google.com

 For DD-WRT
googleapis.com googleusercontent.com gstatic.com accounts.youtube.com apis.google.com accounts.google.com l.google.com


#Captive Portal domain
passthrough-domain name socifi.com id 1
 
#Twitter Login domain
passthrough-domain name *.twitter.com id 3
passthrough-domain name *.edgecastcdn.net id 4
passthrough-domain name *.twimg.com id 5
 
#Google Login domain Optional
passthrough-domain name *.google.com id 10
passthrough-domain name *.gmail.com id 11
passthrough-domain name *.gstatic.com id 26
passthrough-domain name accounts.youtube.com id 27
 
#Facebook Login domain
passthrough-domain name *.facebook.com id 35
passthrough-domain name *.fbcdn.net id 36
passthrough-domain name atdmt.com id 8
passthrough-domain name fbsbx.com id 9
passthrough-domain name *.akamaihd.net id 2
 
#Linkedin Login
passthrough-domain name *.linkedin.com id 28
passthrough-domain name *.licdn.com id 29

acl name SOCIFIWifi-walledgarden 6031  
 rule 1 permit ip destination passthrough-domain socifi.com 
 rule 2 permit ip destination passthrough-domain akamaihd.net 
 rule 3 permit ip destination passthrough-domain *.edgecastcdn.net 
 rule 4 permit ip destination passthrough-domain *.facebook.com 
 rule 5 permit ip destination passthrough-domain *.fbcdn.net 
 rule 6 permit ip destination passthrough-domain *.twitter.com 
 rule 7 permit ip destination passthrough-domain *.twimg.com 
 rule 8 permit ip destination passthrough-domain atdmt.com 
 rule 9 permit ip destination passthrough-domain fbsbx.com 
 rule 10 permit ip destination passthrough-domain *.gmail.com 
 rule 11 permit ip destination passthrough-domain 21 
 rule 12 permit ip destination 192.168.2.0 0.0.0.255 
 rule 13 permit udp destination-port eq dns 
 rule 14 permit ip destination passthrough-domain *.google.com 
 rule 15 permit ip destination passthrough-domain cloudfront.net 
 rule 18 permit ip destination passthrough-domain *.gstatic.com 
 rule 22 permit ip destination passthrough-domain accounts.youtube.com 
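
An added consistency check (not part of the original page or of Huawei's tooling) for the two blocks above: it cross-references each ACL rule's passthrough-domain against the defined passthrough-domain names and lists the rules that permit traffic without a domain match, such as rule 13, which allows DNS to any destination before authentication. The config excerpt is a constructed sample in the page's syntax, and treating a reference as resolved only on an exact name match is an assumption.

```python
import re

# Constructed excerpt in the syntax used above (not a full device config).
SAMPLE_CONFIG = """\
passthrough-domain name socifi.com id 1
passthrough-domain name *.akamaihd.net id 2
passthrough-domain name *.twitter.com id 3
passthrough-domain name *.linkedin.com id 28
acl name SOCIFIWifi-walledgarden 6031
 rule 1 permit ip destination passthrough-domain socifi.com
 rule 2 permit ip destination passthrough-domain akamaihd.net
 rule 6 permit ip destination passthrough-domain *.twitter.com
 rule 11 permit ip destination passthrough-domain 21
 rule 12 permit ip destination 192.168.2.0 0.0.0.255
 rule 13 permit udp destination-port eq dns
"""

DEFINE_RE = re.compile(r"^\s*passthrough-domain name (\S+) id (\d+)\s*$")
RULE_RE = re.compile(
    r"^\s*rule (\d+) permit ip destination passthrough-domain (\S+)\s*$")
# Any other permit rule: traffic allowed before login without a domain match.
OTHER_RE = re.compile(r"^\s*rule (\d+) permit (?:ip|udp|tcp) (.+?)\s*$")


def audit_walled_garden(config_text):
    """Cross-check ACL rules against passthrough-domain definitions."""
    defined, referenced, non_domain = {}, {}, []
    for line in config_text.splitlines():
        if m := DEFINE_RE.match(line):
            defined[m.group(1)] = int(m.group(2))
        elif m := RULE_RE.match(line):
            referenced[int(m.group(1))] = m.group(2)
        elif m := OTHER_RE.match(line):
            non_domain.append((int(m.group(1)), m.group(2)))
    return {
        # Rules naming a domain that was never defined (assumed exact match).
        "undefined": {n: d for n, d in referenced.items() if d not in defined},
        # Domains defined but not permitted by any rule.
        "unused": sorted(set(defined) - set(referenced.values())),
        # Rules to review by hand: they open pre-authentication traffic broadly.
        "non_domain_rules": non_domain,
    }


if __name__ == "__main__":
    for key, value in audit_walled_garden(SAMPLE_CONFIG).items():
        print(key, value)
```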

5. Register your hotspot

Step 1: Login to SOCIFI Dashboard

Step 2: Click on the "Hotspots" tab on the left sidebar

Step 3: Click on the "Add a new hotspot" button located in the top right corner of the screen

Note: A pop-up window will appear

Step 4: Select the Wi-Fi hardware manufacturer from the drop down menu

Step 5: Enter the serial number or MAC address (depending on the specific equipment manual) of your equipment. You can add multiple hotspots at once.

Step 6: Set your Network location (this step is essential for correct ad targeting)

Step 7: In the pop-up window type your location or just move the marker on the map and click on the save button to confirm the selection. This address is used for ad GEO targeting.

Step 8: Click Save

Note: Newly added hotspots are marked as (Hotspot pending). After the first user connects to the hotspot via SOCIFI, the status will automatically change and appear as (Active) within an hour. Get your first connections to test whether it works properly.