Huawei AC6005

The compatibility of the Huawei controller with the SOCIFI platform was tested on the AC6005-8-PWR controller with two types of Wi-Fi AP devices (AP5010DN-AGN and AP6010DN-AGN). The tested firmware version was AC6005V200R007C10SPC300.

Before starting the SOCIFI configuration, set up the basic services (VLAN subnet, DHCP, DNS, NTP, etc.). This setup guide describes only the settings specific to the SOCIFI platform.


Security ACL - DNS-based WalledGarden

Enter the following Walled Garden ranges:

If you are a customer with the White Label solution, please add your custom domain (for example *.mycustomdomain.com) to the Walled Garden list.

*.socifi.com
*.facebook.com
*.akamaihd.net
*.akamai.net
*.edgecastcdn.net
twitter.com
*.twitter.com
*.twimg.com
*.fastly.net
*.li-cdn.net
*.cloudfront.net
facebook.com
*.fbcdn.net
*.instagram.com
*.cdninstagram.com
instagram.com
*.linkedin.com
*.licdn.com
linkedin.com

Enter facebook.com and twitter.com twice: once with and once without the asterisk.
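The reason for the double entries can be checked before the list is pasted into the controller. The following is an added example, not SOCIFI or Huawei code; it assumes that a "*.example.com" entry covers subdomains only and not the bare domain, and the function names and sample host names are illustrative.

```python
import re


def parse_walled_garden(text):
    """Split a list pasted with newline, comma or space separators."""
    return [e.lower().rstrip(".") for e in re.split(r"[,\s]+", text.strip()) if e]


def entry_matches(entry, host):
    """Assumed semantics: '*.example.com' covers subdomains, not 'example.com'."""
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # ".example.com", so the label boundary is kept
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def uncovered(entries, required_hosts):
    """Return the hosts that no walled garden entry permits."""
    return [h for h in required_hosts
            if not any(entry_matches(e, h) for e in entries)]


# Constructed sample: a list where the bare facebook.com entry was forgotten.
WALLED_GARDEN = parse_walled_garden(
    "*.socifi.com, *.facebook.com *.fbcdn.net\ntwitter.com,*.twitter.com"
)
# Constructed sample of host names a client may request before authentication.
REQUIRED_HOSTS = [
    "connect.socifi.com",
    "facebook.com",
    "www.facebook.com",
    "twitter.com",
    "api.twitter.com",
]

if __name__ == "__main__":
    for host in uncovered(WALLED_GARDEN, REQUIRED_HOSTS):
        print("not reachable before login:", host)
```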

If you are using Ruckus equipment, don't forget to add the CDN IP ranges to the Walled Garden list.

Due to Ruckus firmware behavior, end-user devices might not be able to reach some domains (mainly CDN and cloud) from the Walled Garden list. This can cause the captive portal to render incorrectly.

The new IP ranges (indented in the list below) were added in April 2018.
The current list of Amazon CloudFront (CDN) IPs is here: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html (direct link to the IP list in JSON format: https://ip-ranges.amazonaws.com/ip-ranges.json)

As a workaround, you have to add the static IPs shown below to adjust for the firmware behavior and to be able to start monetizing your network immediately.

The workaround is to add the following IP ranges to the Walled Garden list:

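A static list like this is a snapshot and drifts from what AWS publishes. The following added example (not SOCIFI code) compares a configured Walled Garden IP list with the CLOUDFRONT entries of a document in the ip-ranges.json layout. The sample data is constructed from RFC 5737 documentation prefixes and the function names are illustrative.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json (documentation prefixes only).
SAMPLE_IP_RANGES = json.loads("""
{"syncToken": "0", "createDate": "2000-01-01-00-00-00",
 "prefixes": [
  {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL",
   "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
  {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL",
   "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
  {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
   "service": "EC2", "network_border_group": "us-east-1"}
 ]}
""")

# Constructed sample of what an administrator entered on the controller.
CONFIGURED = ["192.0.2.0/25", "198.51.100.0/24", "203.0.113.0/24"]


def cloudfront_prefixes(doc):
    """IPv4 prefixes that the document tags with service CLOUDFRONT."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["service"] == "CLOUDFRONT"]


def audit(configured, doc):
    """Report published ranges the list misses and entries that match none."""
    published = cloudfront_prefixes(doc)
    # ip_network() raises ValueError on malformed entries or set host bits.
    entries = [ipaddress.ip_network(c) for c in configured]
    # Merge adjacent entries so two /25s count as covering a published /24.
    merged = list(ipaddress.collapse_addresses(entries))
    missing = [str(p) for p in published
               if not any(p.subnet_of(m) for m in merged)]
    # Entries overlapping no CloudFront prefix open the garden for nothing.
    stale = [str(e) for e in entries
             if not any(e.overlaps(p) for p in published)]
    return {"missing": missing, "stale": stale}


if __name__ == "__main__":
    print(audit(CONFIGURED, SAMPLE_IP_RANGES))
```

In practice, load the downloaded ip-ranges.json with json.load() and pass the list exported from the controller.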

 Want to Allow Google+ login?

The new "Allow login through social networks" option does not include Google login. The reason is that some Android-based devices are not redirected to the Captive Portal when the user connects to the WiFi network. If you would like to add it, do the following:

  1. Check if your hotspot allows DNS names in the Walled garden. Some hotspots can use IP addresses only. See: Why DNS-based Walled Garden (and not IP-based)
  2. Allow Google+ login: Settings > Brand > Authentication > Allow login through social networks > Set on Allow Google login
  3. Add these walled garden domains to the existing list:

Google+ login DNS names

Please adopt the same format your Walled Garden is already using, e.g. with or without the asterisk, separated by comma or space, etc.

 For Cisco Meraki, Ruckus, Xirrus
*.googleapis.com
*.googleusercontent.com
*.gstatic.com
*.accounts.youtube.com
*.apis.google.com
*.accounts.google.com
*.l.google.com

Whichever format you use, the local accounts.google.XX domain must also be added to the Walled Garden list. For example, accounts.google.co.uk for the United Kingdom, accounts.google.com.sg for Singapore, accounts.google.de for Germany, etc. You can find the list of Google domains at https://ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/List_of_Google_domains.html

 For Open Mesh
googleapis.com,googleusercontent.com,gstatic.com,accounts.youtube.com,apis.google.com,accounts.google.com,l.google.com


 For Mikrotik
/ip hotspot walled-garden
add dst-host=*.googleapis.com
add dst-host=*.googleusercontent.com
add dst-host=*.gstatic.com
add dst-host=*.accounts.youtube.com
add dst-host=*.apis.google.com
add dst-host=*.accounts.google.com
add dst-host=*.l.google.com
add dst-host=accounts.google.com


 For DD-WRT
googleapis.com googleusercontent.com gstatic.com accounts.youtube.com apis.google.com accounts.google.com l.google.com



In the Security / ACL / Domain Name Configuration menu, create records for the Walled Garden DNS names using the list and description above.

The next step is to create a User ACL with the Walled Garden DNS records. This is done in the Security / ACL / User ACL Settings menu. Create a User ACL and add a rule for each Walled Garden DNS record, based on the TCP protocol with Action Permit. It is recommended to also add a rule enabling the ICMP protocol.

For example the User ACL with its rules:

The detailed settings of Rule ID = 2. The Dest domain is set to the record from the ACL - Domain Name Configuration.

AAA - Radius settings

We recommend using this set of RADIUS servers:

List of RADIUS servers according to your location:
 For North America

RADIUS Server 1

rad-1-use-1.socifi.com or IP address: 52.7.148.174, Radius shared secret: socifi

RADIUS Server 2

rad-2-use-1.socifi.com or IP address: 52.55.217.23, Radius shared secret: socifi

 For Europe and Africa

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

 For Asia-Pacific

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

For RADIUS communication to work, the IP addresses above and ports 1812 (authentication) and 1813 (accounting) must be accessible.

For the RADIUS settings, create a RADIUS Server Profile (e.g. SOCIFI_radius_server) in Security / AAA / RADIUS. Create records for the Authentication and Accounting servers in this profile. The settings differ only in the Port Number value: set port 1812 for the Authentication server and port 1813 for the Accounting server. The secret key ("socifi") is the same for both. The IP addresses of these servers are listed above.


Details of Authentication/Accounting settings


ID device - MAC address of the controller

SOCIFI uses the MAC address of the controller as the identification code. You can find the MAC address in the Monitoring / AC menu under AC Basic Information.


External portal

Under the Security / AAA / External Portal Server menu create the external portal with these settings:

Server IP:
52.251.110.178
52.51.203.246
54.232.124.137
52.44.151.156

URL: http://connect.socifi.com

URL Option Settings
AC-IP: AC-IP
User access URL: redirect-url
User IP: user-ip
AP-IP: AP-IP
AC-MAC: AC-MAC
User MAC: user-mac
System name: <HUW_xxxxxxxxxxxx>
AP-MAC: AP-MAC
MAC address format: normal
Separator: : (colon)

Note: The System name value consists of the string "HUW_" followed by the MAC address of the controller (see above) without delimiters (e.g. if the MAC address of the controller is "8038-bc1a-c0df", the System name is "HUW_8038bc1ac0df").

Authentication profile

In the Security / AAA / Authentication Profile menu, create a separate Authentication Profile "SOCIFI_auth_profile" with the following settings:

... Portal Profile ... create a new profile "SOCIFI_portal_access_profile" with the Active server property set to "SOCIFI" (see the External Portal settings above)

... Authentication-free Rule ... create a new profile "SOCIFI_free_rule" and set the control mode to ACL. The ACL number is the number of the User ACL with the DNS Walled Garden rule (see the Security ACL - DNS-based WalledGarden settings above)

... Radius Server Profile ... select the "SOCIFI_radius_servers" as the RADIUS Server Profile

... finally, select "radius" as the Authentication Scheme, with First authentication set to RADIUS authentication.


Profile management

In the AP / Profile menu, bind the required SSID and Wi-Fi properties to the SOCIFI external portal authentication properties. The SSID and Wi-Fi properties are generally set according to user needs.

Only the authentication settings matter for SOCIFI. Create the SOCIFI_VAP_profile in the VAP Profile properties.

Under Authentication Profile select SOCIFI_auth_profile.

Finally, select the "SOCIFI_VAP_Profile" for every AP group where SOCIFI is to be used.


Connecting your Huawei controller to SOCIFI Dashboard

When adding a Huawei device to the SOCIFI Dashboard, use the MAC address of the controller as described in the section ID device - MAC address of the controller.

Step 1: Log in to the SOCIFI Dashboard

Step 2: Click on the "Hotspots" tab on the left sidebar

Step 3: Click on the “Add a new hotspot” button located on the top right corner on the screen (pictured below)

Note: A pop-up window will appear (below)

Step 4: Select the Wi-Fi hardware manufacturer from the drop-down menu

Step 5: Enter the serial number or MAC address (depending on the specific equipment manual) of your equipment. You can add multiple hotspots at once.

Step 6: Set your Network location (this step is essential for correct ad targeting)

Step 7: In the pop-up window type your location or just move the marker on the map and click on the save button to confirm the selection. This address is used for ad GEO targeting.

Step 8: Click Save

Note: Newly added hotspots are marked as (Hotspot pending). After the first user connects to the hotspot via SOCIFI, the status will automatically change to (Active) within an hour. Get your first connections to test whether it works properly.


Please pay attention to these important settings:

  • the value of the System name variable - "HUW_<mac_of_the_controller_without_delimiters>" in the External Portal settings

  • time synchronization
  • DNS WalledGarden - if a WhiteLabel domain is used, it must be added to the WalledGarden.
  • the correct Server IP in the External Portal settings - Usually the IPs of the SOCIFI servers are set here for the backward authentication communication over UDP. If the controller is located in a local LAN without a direct public IP address, the source of the UDP communication may be recognized incorrectly. In that case, the local IP of the NAT service should be listed. For the best detection, use the CLI with the following commands: "terminal monitor", "terminal debugging" and "debugging the web all".
  • open UDP communication to destination port 2000 (on the controller side) on all firewalls or ACLs between the Huawei controller and the SOCIFI servers on the internet.