
Installation Guide

UCOPIA Express
Version 5.1
Installation Guide UCOPIA Express

Table of Contents
1. Introduction ............................................................................................................................ 11
2. Installation ............................................................................................................................. 12
3. Logging in to the UCOPIA administration tool .......................................................................... 14
4. UCOPIA license installation .................................................................................................... 18
4.1. Settings ........................................................................................................................... 18
4.2. Automatic installation ....................................................................................................... 19
4.3. Manual installation ........................................................................................................... 19
5. Configuring the UCOPIA controller ......................................................................................... 21
5.1. Network configuration ...................................................................................................... 22
5.1.1. Configuration of basic controller parameters ............................................................... 22
5.1.2. Configuring incoming networks .................................................................................. 24
5.1.3. Configuring outgoing sub-networks ............................................................................ 27
5.1.4. Configuring static output routes ................................................................................. 32
5.1.5. Time server configuration .......................................................................................... 33
5.1.6. DNS Server configuration .......................................................................................... 34
5.1.7. Filtering settings configuration ................................................................................... 38
5.2. Configuring authentication ................................................................................................ 40
5.2.1. The different authentication methods ......................................................................... 41
5.2.2. Configuring an external authentication directory .......................................................... 41
5.2.3. Configuring certificates .............................................................................................. 47
5.2.4. RADIUS configuration ............................................................................................... 50
5.2.5. Windows configuration .............................................................................................. 54
5.2.6. Shibboleth Configuration ........................................................................................... 54
5.3. Configuring “Zero configuration” ....................................................................................... 58
5.3.1. Configuring the “fixed IP” mechanism ......................................................................... 58
5.3.2. Configuring the “Web” service ................................................................................... 59
5.3.3. Configuring the redirection service to an email server ................................................. 61
5.3.4. Configuring the print server ....................................................................................... 63
5.4. Customization ................................................................................................................. 68
5.4.1. Customization of the UCOPIA portals ........................................................................ 68
5.4.2. Certificate configuration ........................................................................................... 123
5.4.3. Additional field configuration .................................................................................... 126
5.4.4. Customization of tickets ........................................................................................... 130
5.4.5. Configuring open-access URLs ................................................................................ 138
5.5. Configuring the logging mechanism ................................................................................ 140
5.5.1. Logging criteria ....................................................................................................... 141
5.5.2. Automatic export and deletion of log backups ........................................................... 141
5.6. Configuration in Out-Of-Band architecture ....................................................................... 142
5.6.1. Central controller configuration. ................................................................................ 143
5.7. Configuring external communication services .................................................................. 144
5.7.1. Configuring the SMS service ................................................................................... 145
5.7.2. Configuring the email server .................................................................................... 147
5.7.3. Configuring the FTP service .................................................................................... 151

5.7.4. PayPal service configuration .................................................................................... 153
5.7.5. Ingenico service configuration .................................................................................. 155
5.7.6. Configuring the PMS service ................................................................................... 157
5.7.7. Configuring the PPS service .................................................................................... 162
5.7.8. Configuring the DPSK service .................................................................................. 163
5.7.9. Configuring social networks ..................................................................................... 166
5.8. Configuring interfaces with the UCOPIA controller ........................................................... 168
5.8.1. SNMP Interface ...................................................................................................... 169
5.8.2. Syslog Interface ...................................................................................................... 171
6. Configuring active elements .................................................................................................. 175
6.1. Configuring Wi-Fi access points ..................................................................................... 175
6.2. Configuring switches ...................................................................................................... 175
7. What’s next ......................................................................................................................... 177

List of Figures
2.1. Installation diagram of UCOPIA in "US250" format: ............................................................... 12
2.2. Installation diagram of UCOPIA Express in "US2000" format: ................................................ 13
3.1. UPnP discovery under Windows XP .................................................................................... 15
3.2. UCOPIA Express administration tool authentication page ...................................................... 16
3.3. UCOPIA Express homepage with no license ........................................................................ 16
3.4. Downloading documentation ................................................................................................ 17
4.1. UCOPIA license installation ................................................................................................. 18
4.2. Filling license parameters .................................................................................................... 19
4.3. Manual license installation ................................................................................................... 19
4.4. License file generation ........................................................................................................ 20
4.5. Manual license installation ................................................................................................... 20
5.1. UCOPIA Express configuration homepage ........................................................................... 21
5.2. Network menu items ........................................................................................................... 22
5.3. Configuration of basic UCOPIA controller settings ................................................................ 23
5.4. Configuring incoming networks ............................................................................................ 24
5.5. Adding an incoming sub-network ......................................................................................... 25
5.6. Configuring example of an incoming sub-network ................................................................. 26
5.7. Adding a DHCP address range ........................................................................................... 26
5.8. The following form is displayed: ........................................................................................... 27
5.9. Adding a fixed lease ........................................................................................................... 27
5.10. Configuring outgoing subnetworks ...................................................................................... 28
5.11. Adding an outgoing sub-network ........................................................................................ 29
5.12. Example of creating an outgoing sub-network ..................................................................... 30
5.13. Default output policy for the native VLAN ........................................................................... 30
5.14. Adding an output policy ..................................................................................................... 31
5.15. Example of configuring additional outgoing VLANs .............................................................. 32
5.16. Example of output policies ................................................................................................. 32
5.17. Configuring static output routes .......................................................................................... 33
5.18. Adding a static route ......................................................................................................... 33
5.19. Example of static route configuration .................................................................................. 33
5.20. Time server configuration .................................................................................................. 34
5.21. DNS Server configuration .................................................................................................. 35
5.22. DNS server test ................................................................................................................ 35
5.23. DNS policy configuration ................................................................................................... 36
5.24. Adding a new DNS record ................................................................................................. 37
5.25. Example of DNS record configuration ................................................................................. 37
5.26. Configuring UCOPIA filtering options .................................................................................. 38
5.27. Defining a new access ...................................................................................................... 38
5.28. Adding a port opening ....................................................................................................... 39
5.29. Adding a port redirection ................................................................................................... 40
5.30. Items on the Authentication menu ...................................................................................... 41
5.31. Configuring authentication directories ................................................................................. 42
5.32. Configuring an authentication directory ............................................................................... 43

5.33. Configuring the general settings for an external directory ..................................................... 43
5.34. Configuring the connection settings for an external Active Directory ..................................... 44
5.35. Configuring the connection settings for an external LDAP directory ...................................... 44
5.36. Configuring profile search settings (Active Directory) ........................................................... 45
5.37. Configuring profile search settings (LDAP) ......................................................................... 45
5.38. Configuring delegation accounts associated with a directory ................................................ 46
5.39. Configuring directory cascades .......................................................................................... 47
5.40. Example of directory cascade configuration ........................................................................ 47
5.41. Certificate management ..................................................................................................... 48
5.42. Loading certificates ........................................................................................................... 49
5.43. Example: Displaying the content of a certificate .................................................................. 49
5.44. Configuring UCOPIA RADIUS ............................................................................................ 50
5.45. Example of NAS configuration ........................................................................................... 51
5.46. Default configuration of realms .......................................................................................... 52
5.47. Configuring the UCOPIA RADIUS in proxy mode ................................................................ 53
5.48. Configuring transparent Windows authentication ................................................................. 54
5.49. Example of registration in a Windows domain ..................................................................... 54
5.50. Shibboleth configuration home pages Adding a Shibboleth configuration .............................. 55
5.51. Creating a new Shibboleth configuration ............................................................................ 56
5.52. Example of rules for assigning Shibboleth profiles .............................................................. 57
5.53. Registration on the RENATER network .............................................................................. 58
5.54. Items on the Zero configuration menu ................................................................................ 58
5.55. Configuring “Fixed IP” mode .............................................................................................. 59
5.56. Configuring the “Web” service ............................................................................................ 59
5.57. Redirection configuration to parent proxy ............................................................................ 61
5.58. Redirection configuration to the ICAP service. .................................................................... 61
5.59. Configuring the redirection service to an email server ......................................................... 62
5.60. Selecting SMTP redirection configuration modes ................................................................ 62
5.61. SMTP relay mode ............................................................................................................. 62
5.62. Example of configuring SMTP redirection ........................................................................... 63
5.63. Printer configuration .......................................................................................................... 64
5.64. Choice of the protocol for a local or network printer ............................................................ 64
5.65. Entering the address of the printer ..................................................................................... 65
5.66. Description of the printer ................................................................................................... 65
5.67. Printer manufacturer choice ............................................................................................... 65
5.68. Printer model choice ......................................................................................................... 66
5.69. Setting printer options ....................................................................................................... 66
5.70. Displaying a configured printer ........................................................................................... 67
5.71. Displaying detailed information for a printer ........................................................................ 67
5.72. Items on the Customization menu ...................................................................................... 68
5.73. Configuring the UCOPIA portals ........................................................................................ 69
5.74. Associations table ............................................................................................................. 69
5.75. Configurations table .......................................................................................................... 70
5.76. Visual models table ........................................................................................................... 71

5.77. Adding an association ....................................................................................................... 72
5.78. Association configuration ................................................................................................... 72
5.79. Activation/deactivation of an association ............................................................................. 73
5.80. Added association ............................................................................................................. 73
5.81. Modifying an association ................................................................................................... 74
5.82. Captive portal with “One-Click Button” ................................................................................ 76
5.83. “welcome” captive portal with free registration .................................................................... 77
5.84. Free self-registration of a user on the captive portal ............................................................ 77
5.85. Captive portal with self-registration and ticket printing ......................................................... 78
5.86. Registration by ticket printing ............................................................................................. 79
5.87. “welcome” captive portal with SMS registration ................................................................... 80
5.88. Self-registration of a user by SMS on the captive portal ...................................................... 81
5.89. Captive portal with email registration .................................................................................. 82
5.90. Self-registration of a user by email on the captive portal ...................................................... 83
5.91. Captive portal with online payment via PayPal .................................................................... 84
5.92. Registering after paying online via PayPal .......................................................................... 85
5.93. Choosing a package before paying online with PayPal ........................................................ 85
5.94. Captive portal with online payment via Ingenico .................................................................. 86
5.95. Registering after paying online via Ingenico ........................................................................ 87
5.96. Choosing a package before paying online with Ingenico ...................................................... 87
5.97. Example of captive portal using packages (PMS) ................................................................ 88
5.98. Example of user feedback after choosing a package ........................................................... 89
5.99. Captive portal using a PPS ............................................................................................... 90
5.100. Captive portal with Shibboleth authentication .................................................................... 91
5.101. Example of user feedback after authentication .................................................................. 92
5.102. “welcome” captive portal with authentication by social networks ......................................... 93
5.103. Adding a captive portal configuration ................................................................................ 94
5.104. Example of a hosted portal configuration (with redirection) ................................................. 95
5.105. Example of an external portal configuration ...................................................................... 96
5.106. Selecting authentication methods ..................................................................................... 97
5.107. Example of configuration of various types of authentication for the captive portal ................. 97
5.108. Example of the captive portal configuration with authentication using credentials ................. 98
5.109. Example of the captive portal configuration with Shibboleth authentication .......................... 98
5.110. Example configuration of a captive portal using PMS software ........................................... 99
5.111. Configuration of the captive portal using pre-paid cards (PPS) ........................................... 99
5.112. Example of the captive portal configuration with authentication via social networks .............. 99
5.113. Authentication option ...................................................................................................... 101
5.114. Selecting registration methods ....................................................................................... 102
5.115. Example of configuration of various types of registration for the captive portal ................... 103
5.116. Options for gathering user information. ........................................................................... 104
5.117. Example of the captive portal configuration with One-Click registration .............................. 104
5.118. Example of the captive portal configuration with free registration ...................................... 104
5.119. Example of the captive portal configuration with registration by SMS ................................ 105
5.120. Example of the captive portal configuration with registration by Email ............................... 106

5.121. Example of the captive portal configuration with ticket printing .......................................... 106
5.122. Example of captive portal configuration with online payment via PayPal ............................ 107
5.123. Example of Ingenico purchase summary ........................................................................ 108
5.124. Example of captive portal configuration with online payment via Ingenico .......................... 108
5.125. Input fields when registering .......................................................................................... 109
5.126. Global options configuration example ............................................................................. 110
5.127. Example of captive portal language configuration ............................................................ 111
5.128. Example of UCOPIA captive portal ................................................................................. 111
5.129. Example of UCOPIA captive portal connection ................................................................ 112
5.130. Editing a captive portal configuration .............................................................................. 112
5.131. Adding a configuration for a delegation portal ................................................................. 113
5.132. Example of user registration fields for the delegation portal .............................................. 114
5.133. Example of language configuration for the delegation portal ............................................. 114
5.134. Editing a delegate portal configuration ............................................................................ 115
5.135. Adding an automatic connection configuration ................................................................. 115
5.136. Configuration settings .................................................................................................... 116
5.137. Editing an automatic connection configuration ................................................................. 116
5.138. Adding a mobile application configuration ....................................................................... 117
5.139. Example of the application operation method .................................................................. 117
5.140. Editing a mobile application configuration ....................................................................... 118
5.141. Adding a visual model ................................................................................................... 118
5.142. Example of configuration of a new visual model .............................................................. 119
5.143. Example of addition of a new visual model ..................................................................... 119
5.144. Editing a visual model ................................................................................................... 119
5.145. Choice of the type of visual model to edit ....................................................................... 120
5.146. Portal visual model editor .............................................................................................. 120
5.147. Delegation portal visual model editor .............................................................................. 121
5.148. Mobile application visual model editor ............................................................................. 122
5.149. Changing a visual model ............................................................................................... 122
5.150. Exporting a visual model ................................................................................................ 123
5.151. Importing an external visual model ................................................................................. 123
5.152. Certificate configuration ................................................................................................. 124
5.153. Adding a certificate ........................................................................................................ 125
5.154. Text Certificate .............................................................................................................. 125
5.155. File Certificate ............................................................................................................... 125
5.156. URL Certificate .............................................................................................................. 126
5.157. Customising additional fields .......................................................................................... 127
5.158. Adding an additional field ............................................................................................... 128
5.159. Activating an additional field ........................................................................................... 129
5.160. Delegation portal with extra fields ................................................................................... 130
5.161. Tables of tickets ............................................................................................................ 131
5.162. Customization of connection tickets ................................................................................ 132
5.163. Customization of refill tickets .......................................................................................... 133
5.164. Example of configuring a refill ticket in A4 format ............................................................ 135

5.165. Example of refill ticket in A4 format ................................................................................ 136
5.166. Example of badge format connection ticket configuration ................................................. 137
5.167. Example of connection ticket in badge format ................................................................. 137
5.168. Configuring open-access URLs ...................................................................................... 138
5.169. Adding an open-access HTTP URL ................................................................................ 139
5.170. Example of an open-access URL ................................................................................... 139
5.171. Open-access HTTP URL ............................................................................................... 140
5.172. Adding an open-access HTTPS URL .............................................................................. 140
5.173. Logging configuration ..................................................................................................... 141
5.174. Example of the export configuration of log backups ......................................................... 142
5.175. Items on the Out-Of-Band menu .................................................................................... 143
5.176. Central controller configuration. ...................................................................................... 144
5.177. Items on the External services menu .............................................................................. 145
5.178. SMS accounts configuration ........................................................................................... 145
5.179. Adding an SMS Account ................................................................................................ 146
5.180. Example of configuring an SMS account ........................................................................ 147
5.181. Configuring email server accounts .................................................................................. 148
5.182. Adding an email server account ..................................................................................... 149
5.183. Example of email account configuration .......................................................................... 151
5.184. Configuring FTP accounts .............................................................................................. 152
5.185. Adding an FTP account ................................................................................................. 152
5.186. PayPal configuration ...................................................................................................... 153
5.187. Adding a PayPal account ............................................................................................... 154
5.188. Example of the PayPal system configuration ................................................................... 155
5.189. Ingenico configuration .................................................................................................... 156
5.190. Example of the Ingenico system configuration ................................................................. 157
5.191. Ingenico redirection test ................................................................................................. 157
5.192. Configuring the PMS interface ........................................................................................ 158
5.193. Configuring the PMS connection settings ........................................................................ 159
5.194. Example of a specific profile .......................................................................................... 161
5.195. PPS system configuration .............................................................................................. 162
5.196. Configuring the PPS connection settings ........................................................................ 163
5.197. DPSK service operation principles .................................................................................. 164
5.198. Configuring the DPSK service ........................................................................................ 165
5.199. Example of a Ruckus DPSK configuration ...................................................................... 165
5.200. List of DPSK configurations ........................................................................................... 166
5.201. List of social network configurations ............................................................................... 166
5.202. Social networks configuration example ........................................................................... 167
5.203. OpenID Connect configuration example .......................................................................... 168
5.204. Items on the UCOPIA Interfaces menu ........................................................................... 169
5.205. Configuring the SNMP interface ..................................................................................... 169
5.206. SNMP agent configuration ............................................................................................. 170
5.207. SNMP settings configuration .......................................................................................... 170
5.208. Syslog export ................................................................................................................ 171

5.209. Configuration of Syslog export ....................................................................................... 172

List of Tables
5.1. Summary of registration modes ........................................................................................... 74
5.2. Summary of authentication methods .................................................................................... 74

1 Introduction
This guide is intended for system and/or network administrators responsible for installing and configuring
UCOPIA Express.

UCOPIA Express is a box (or Appliance) located between the users’ access network (Wi-Fi and/or wired)
and the company’s local network.

UCOPIA Express provides the following major functions:

• User authentication

• Management of access rights by user profile based on location and time

• Data confidentiality

• Zero configuration access for users

• Provision of accounts by delegation and/or self-registration

• Monitoring and logging

• Integration with legacy network

In this guide, we show how to install and configure UCOPIA Express. For its administration, see the
“Administration Guide UCOPIA Express”.

Note

To refer to UCOPIA Express in this guide, we will use the terms “box” or “controller” interchangeably.
The term “controller” is used in particular by the graphical interface of the UCOPIA administration
tools.

2 Installation
UCOPIA Express is installed at the logical (or physical) divide between the company LAN and the users’
access network (Wi-Fi and/or wired). All traffic to or from users must pass through the UCOPIA box. To
achieve this, the UCOPIA unit is fitted with two Ethernet cards, one being connected to the LAN, the
other to the access network.

Installation is carried out as follows:

• Connect one Ethernet cable from the eth0 interface of the UCOPIA box to the LAN.

• Connect one Ethernet cable from the eth1 interface of the UCOPIA box to the Wi-Fi and/or wired
access infrastructure (for example: the switch to which the access points are connected).

• Connect to a 220 V or 110 V mains power supply.

Here is the installation diagram of UCOPIA Express:

Figure 2.1. Installation diagram of UCOPIA in "US250" format:

Figure 2.2. Installation diagram of UCOPIA Express in "US2000" format:

The configuration of the administration port is described in Section 5.1.1, “Configuration of basic
controller parameters”.

Note

It is possible to connect wired user stations to the box, on the eth1 side.

Warning

If UCOPIA is directly connected to an ADSL modem on the eth0 side, the modem must provide router
features.

Warning

Make all connections before starting up the UCOPIA box.

3 Logging in to the UCOPIA administration tool

Logging in to the administration console requires accessing the UCOPIA controller. The controller can be
found through the UPnP announcements that it broadcasts over the network at regular intervals across
all its network interfaces.

Note

The UPnP service can be disabled (no announcements are broadcast). The interval between announcement
broadcasts can be changed. See Section 5.1.1, “Configuration of basic controller parameters”.

Warning

To benefit from this discovery mechanism, the administrator workstation must have a UPnP client
installed and enabled.

An administrator workstation can then easily gain access to the controller by browsing the devices
discovered by UPnP, as the screen image below shows:

Figure 3.1. UPnP discovery under Windows XP

The controller can be reached using the device address supplied in the UPnP announcement. Since this
address is derived from the controller’s IP address, it is always a valid address. If no DHCP server is
found on the network to supply one, the controller uses the auto-IP mechanism to assign itself an
address.

In the above example, the IP address of the controller will be 10.0.0.31. The administration tool will be
available at address https://10.0.0.31/admin.

Note
If however the administrator workstation has no UPnP client, the administration tool can be accessed
by opening the following address in a web browser: https://controller.access.network/admin

You need to have connected your computer to the UCOPIA box beforehand, following one of the methods
described below:

1. Connect your computer to the eth1 (IN) interface on the UCOPIA box using a network cable.
2. Connect your computer, using a network cable with the right connector type, to the switch to which
the access points are connected; this switch is itself connected to the UCOPIA box.

3. Associate with an access point connected to the UCOPIA box, using the SSID that has been configured
for this purpose.

The authentication page is displayed:

Figure 3.2. UCOPIA Express administration tool authentication page

Enter your login and password to authenticate. Once authenticated, the welcome page is displayed. By
default, the login is admin and the password is UCOPIA.

Warning

The UCOPIA controller forces an administrator password change. See the “Administration Guide
UCOPIA Express”, “Operation” section, for more information.

Figure 3.3. UCOPIA Express homepage with no license

Warning

The homepage indicates that the license must be installed beforehand (see next section).

Note

It is possible to restart or shut down the UCOPIA box at any time by clicking, respectively, on
“Restart” or “Stop”.

Documentation is available on line, by clicking on “Documentation” in the menu bar. The documentation
on offer can be downloaded in PDF format, in French and in English as shown in the screen image below.

Figure 3.4. Downloading documentation

Note

If the license is not installed yet, the entire documentation is offered (Express and Advance ranges).

4 UCOPIA license installation

Installing the UCOPIA license is essential to ensure that the UCOPIA box runs properly. The license
determines the range and model of the UCOPIA (Express 150, Express 250, etc.).

Note

At this stage, most functions in the administration tool are blocked. The only functions permitted are
those used to connect the UCOPIA controller to the network, and those used to open the maintenance
tunnel and install the license.

Click on the “Operation” option in the menu bar, then on the “License” option in the left-hand menu.

The license update page is displayed:

Figure 4.1. UCOPIA license installation

4.1. Settings

To start, fill in the fields corresponding to the contact details for the installation company and the end
customer, activate the options, then click on “Confirm”.

Figure 4.2. Filling license parameters

“Enable daily on-line verification of the license”: this option is used to update the license automatically
in case of a box upgrade (for example, 150 updated to 250) or in case of a flexible or temporary license.

These settings only need to be completed once.

4.2. Automatic installation

In the “Online license installation” section, click on “Confirm”.

Warning
The UCOPIA controller must be configured in such a way that it is able to access the Internet and
therefore the platform that issues licenses.

If successful, a message is displayed reporting that the license is correctly installed.

Otherwise, carry out a manual installation.

4.3. Manual installation

To install a license manually, follow the steps below.

1. Open the manual license update panel by clicking on the “+” icon. The following page is displayed:

Figure 4.3. Manual license installation

2. In the manual license update panel click on the following link:

https://services-management-platform.com/gestion/license.php [https://services-management-platform.com/gestion/licence.php]

The following page is displayed:

Figure 4.4. License file generation

3. Copy the string displayed in the captcha code. Enter the UCOPIA controller’s serial number and the
contact details of the installation company and the client company. Click on “Confirm”.
4. A “license.tgz” file is offered for download. Save this file to your workstation.
5. Import the file on the controller using the “Browse...” button or “Select a file”.

Figure 4.5. Manual license installation

6. Save the license by clicking on “Confirm”.

Once the license is saved, a confirmation message is displayed, and all menus are now enabled.

If however the license is not valid, it is possible to restore the previous license by clicking the “Restore
old license” button.

Note

If there are problems, email support@ucopia.com [mailto:support@ucopia.com] giving the UCOPIA
controller’s serial number, the contact details for the installation company and the client company,
together with the type of problems encountered.

5 Configuring the UCOPIA controller

UCOPIA Express is preconfigured so it can be quickly brought into service.

The LAN side eth0 interface is preconfigured in DHCP client mode.

A single incoming network is configured; it corresponds to the native VLAN. It is recommended to use
this native VLAN as the administration VLAN.

A set of services is typically preconfigured. However, no default profile or user is available.

To configure the UCOPIA Express box, click on “Configuration” in the menu bar. The following page is
displayed:

Figure 5.1. UCOPIA Express configuration homepage

The configuration options are grouped into categories.

• Network

This category lets you configure all network parameters of the UCOPIA box: the name of the
controller, the incoming and outgoing subnetworks, the output static routes, the time server, etc.

• Authentication

This category deals solely with the configuration of authentication mechanisms, the corporate directory
used for authentication, the RADIUS server embedded in the UCOPIA box, transparent Windows
authentication, etc.

• Zero configuration

This involves configuring the mechanisms enabling users to use their workstations and applications
with no prior configuration: use of workstations with a fixed IP address, Web and email redirection,
virtual printer service.

• Customization

This category lets you configure the captive and delegation portals (formats, operation modes,
visual aspects, etc.), to add additional fields for the description of the user accounts, to customize
connection tickets delivered by the delegated administration tool, and also to define those URLs
that are accessible before authentication.

• Logging

This involves selecting the data to be logged (sessions, traffic, URLs), and the database purge criteria
(time or size criteria). It is also possible to configure automatic export of log backups through the FTP
protocol.

• External services

UCOPIA uses services such as SMS or email to send login information to users, for example.
This category lets you configure the various SMS, email or PayPal/Ingenico accounts, or social
networks, that can be used within the UCOPIA product.

• Interfaces with the controller

This category is used to configure communication interfaces with the UCOPIA controller. It has
an SNMP interface which can be used to supervise UCOPIA from any monitoring tool available
on the market. In addition, there is also the option to export information to a Syslog server.

5.1. Network configuration

Click on the “Network” item shown on the left-hand side of the window. The following sub-menu is
displayed with the options shown:

Figure 5.2. Network menu items

5.1.1. Configuration of basic controller parameters

Click on “Controller” item on the sub-menu.

Figure 5.3. Configuration of basic UCOPIA controller settings

• The panel “Controller name and domain name” is used to set the name of the controller and its
domain name on the incoming and outgoing subnetworks. The UCOPIA controller default name
is: controller and its domain: ucopia.mobile.

If you wish to register the UCOPIA controller in a Windows domain, you must fill in the NetBIOS
workgroup field. The default is UCOPIA.
• The “UPnP service” panel is used to enable or disable the UPnP service used to locate the
controller on the network. This service is enabled by default.
• The “Security” panel implements a mechanism allowing ARP poisoning attacks to be detected
and remedied. Such attacks can come from users found on the UCOPIA controller’s incoming VLAN.
• The “Type of network of entry” panel is used to configure the UCOPIA controller so that it is able
to adapt to different types of network architecture, and more specifically to the case of a multi-site
architecture with UCOPIA as the hub.

Where there is a centralised multi-site architecture, three scenarios may arise:

– Remote sites are connected to the main site at layer 2 (“switched network”). In this case,
all UCOPIA functionalities are operational, in particular all those associated with VLANs
(zones, multiple portals, etc.). This is the default configuration.
– Remote sites are connected to the main site at layer 3 (“routed network”). In this case,
UCOPIA works without layer 2 information, with some restrictions: (1) the only possible
authentication mode is by web portal, (2) client workstations on the remote site must be
DHCP configured, (3) the authentication portal must be in “automatic re-authentication” mode.
– Some sites have layer 2 connections, others layer 3 (“Switched and routed network”).
• The “Interface configuration” panel lets you do the following, for each interface:
– modify the maximum packet size in bytes (MTU) that can be transmitted at a time, without
fragmentation, for outgoing packets,
– choose the “auto-negotiation” mode, or not (selected by default),
– select the transmission speed. The controller’s current status as regards the actual line
speed and enabling of auto-negotiation is displayed.
• The “Output interface” panel is used to view the MTU and link speed configuration for eth0.

• The “Input interface” panel is used to view the MTU and link speed configuration for eth1.
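The kind of check the “Security” panel describes, as an added example (not UCOPIA code): it learns the IP-to-MAC bindings announced by ARP replies on an incoming VLAN, pins the controller’s own binding as trusted, and flags any reply that claims a known IP address with a different MAC. The VLAN number, addresses and MACs are constructed sample values, and only the detection side is shown, not the controller’s remediation.

```python
"""ARP poisoning detection on an incoming VLAN (added example, not UCOPIA code).

Learns the IP -> MAC binding announced by each ARP reply per VLAN, pins the
bindings the controller knows for certain (its own addresses), and flags a
reply that claims a known IP with a different MAC. Sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ArpReply:
    vlan: int          # incoming VLAN the reply was seen on
    sender_ip: str     # IP address claimed by the sender
    sender_mac: str    # MAC address making the claim


@dataclass(frozen=True)
class Alert:
    vlan: int
    ip: str
    expected_mac: str  # binding already known for this IP
    seen_mac: str      # MAC now claiming it
    pinned: bool       # True when the IP is one of the controller's own addresses


class ArpPoisonDetector:
    def __init__(self, trusted: dict[tuple[int, str], str]):
        # (vlan, ip) -> mac; trusted bindings are pre-loaded and never overwritten
        self.table: dict[tuple[int, str], str] = {
            key: mac.lower() for key, mac in trusted.items()
        }
        self.pinned: frozenset[tuple[int, str]] = frozenset(self.table)
        self.alerts: list[Alert] = []

    def observe(self, reply: ArpReply) -> Optional[Alert]:
        """Feed one ARP reply; return an Alert if it conflicts with a known binding."""
        key = (reply.vlan, reply.sender_ip)
        mac = reply.sender_mac.lower()
        known = self.table.get(key)
        if known is None:
            self.table[key] = mac            # first sighting: learn the binding
            return None
        if known == mac:
            return None                      # consistent with what we already know
        alert = Alert(reply.vlan, reply.sender_ip, known, mac, key in self.pinned)
        self.alerts.append(alert)
        if not alert.pinned:
            # an ordinary host may legitimately change its NIC: track the latest
            # binding but still report the flap; pinned bindings are never replaced
            self.table[key] = mac
        return alert

    def poisoned_controller_addresses(self) -> list[Alert]:
        """Alerts where a client claimed one of the controller's own IP addresses."""
        return [a for a in self.alerts if a.pinned]


def run_sample() -> ArpPoisonDetector:
    # Constructed sample: the controller is 192.168.100.254 on incoming VLAN 1
    det = ArpPoisonDetector(trusted={(1, "192.168.100.254"): "00:11:22:33:44:55"})
    feed = [
        ArpReply(1, "192.168.100.10", "aa:bb:cc:00:00:10"),
        ArpReply(1, "192.168.100.11", "aa:bb:cc:00:00:11"),
        ArpReply(1, "192.168.100.254", "00:11:22:33:44:55"),  # genuine controller reply
        ArpReply(1, "192.168.100.254", "AA:BB:CC:00:00:11"),  # host .11 claims the controller IP
        ArpReply(1, "192.168.100.10", "aa:bb:cc:00:00:10"),
        ArpReply(1, "192.168.100.10", "aa:bb:cc:00:00:99"),   # .10 changed MAC: flap, not pinned
    ]
    for reply in feed:
        det.observe(reply)
    return det


if __name__ == "__main__":
    for alert in run_sample().alerts:
        kind = "controller address spoofed" if alert.pinned else "binding changed"
        print(f"VLAN {alert.vlan}: {alert.ip} {alert.expected_mac} -> {alert.seen_mac} ({kind})")
```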

5.1.2. Configuring incoming networks

Click on the “Incoming networks” item on the sub-menu. The page below is displayed. Only the native
VLAN is pre-configured by default.

Figure 5.4. Configuring incoming networks

A single VLAN is configured: VLAN 1 (native). It is recommended to use the native VLAN as the
administration VLAN.

Other incoming networks

It is recommended to add other incoming sub-networks to carry user traffic.

On each incoming network, the DHCP server and the administration tools can each be enabled or not.
A green dot indicates availability, a red dot indicates non-availability.

Note

If the link “Advanced filtering” appears in the “Administration access” or “Delegation access” columns,
it means that access to the administration tools has been customized using the filtering editor (see
Section 5.1.7, “Filtering settings configuration”). Click on the link to open the filtering editor.

To add a new incoming network, click the “Add” button. The following page is displayed:

Figure 5.5. Adding an incoming sub-network

• "Network settings" panel

The “Label” is the name of the sub-network; a comment field lets you give it a description. You must
then specify the “Network address” of the UCOPIA box (address/mask) and the input zone (“Input
zone name”).

You must then choose whether it is a local network (in which case you should fill in the IP address of
the controller on this network), or a remote network (in which case you will have to create a static route
in order to be able to reach it).

Regarding the use of input zones, please refer to the “Administration Guide UCOPIA Express”,
“Administering zones” section.
• The “Administration tools access” panel

It is then possible to allow a user connected to this sub-network to access the administration tools
(administration tool and/or delegated administration tool). Access is authorized by default on the
pre-configured sub-networks.

Access is given to an administration tool simply by selecting the corresponding checkbox.

Incoming sub-network configuration example:

Figure 5.6. Configuring example of an incoming sub-network

Tip

For fine-grained control of access to the controller resources, including the administration tool, from
the VLAN or other network entities, see Section 5.1.7.1, “Access to the controller”.

• Click the “Calculate DHCP settings” button to automatically define the mandatory fields.

Address ranges. You can define the IP address range(s) that will be assigned to DHCP clients. To do
so, click on the “Add a range” link.

Figure 5.7. Adding a DHCP address range

The following form is displayed:

Figure 5.8. DHCP address range form

Enter the start address then the end address of the new range.

Fixed leases. If you would like a machine with a known MAC address to always obtain the same IP
address, a fixed lease needs to be defined. To do this click on the “Add a fixed lease” button. The
following form is displayed:

Figure 5.9. Adding a fixed lease

Enter the MAC address and IP address of the machine, for every machine concerned.

Click on “Confirm” to confirm the sub-network creation.

The subnets may be deleted or modified after their creation (as well as preconfigured sub-networks).
To do so, check the box corresponding to the subnet to delete or modify in the subnets table, and click
“Delete” or “Modify”.
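A consistency check for the sub-network fields entered above (network address/mask, controller address, DHCP address ranges and fixed leases), as an added example that is not UCOPIA’s own “Calculate DHCP settings” logic; all addresses and MAC addresses in it are constructed sample values.

```python
"""Consistency check of an incoming sub-network's DHCP settings
(added example, not UCOPIA's own "Calculate DHCP settings" logic).

Checks: dynamic ranges lie inside the network's usable addresses, do not
contain the controller's own address and do not overlap; fixed leases have a
valid MAC, lie inside the network, outside the dynamic ranges, and are unique.
All addresses below are constructed sample values.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class IncomingNetwork:
    label: str
    network: str                      # "address/mask", e.g. "192.168.100.0/24"
    controller_ip: str                # the controller's address on this network
    ranges: list[tuple[str, str]] = field(default_factory=list)   # (start, end)
    fixed_leases: dict[str, str] = field(default_factory=dict)    # mac -> ip


def validate(net: IncomingNetwork) -> list[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems: list[str] = []
    # strict=False accepts "192.168.100.1/24" as well as "192.168.100.0/24"
    subnet = ipaddress.ip_network(net.network, strict=False)
    ctrl = ipaddress.ip_address(net.controller_ip)
    if ctrl not in subnet:
        problems.append(f"controller address {ctrl} is not in {subnet}")

    first_usable = int(subnet.network_address) + 1     # exclude network address
    last_usable = int(subnet.broadcast_address) - 1    # exclude broadcast address
    spans: list[tuple[int, int]] = []
    for start, end in net.ranges:
        lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        label = f"range {start}-{end}"
        if lo > hi:
            problems.append(f"{label}: start address is after end address")
            continue
        if lo < first_usable or hi > last_usable:
            problems.append(f"{label} is not within the usable addresses of {subnet}")
        if lo <= int(ctrl) <= hi:
            problems.append(f"{label} contains the controller address {ctrl}")
        if any(lo <= other_hi and other_lo <= hi for other_lo, other_hi in spans):
            problems.append(f"{label} overlaps another range")
        spans.append((lo, hi))

    seen: set[int] = set()
    for mac, ip in net.fixed_leases.items():
        label = f"fixed lease {mac} -> {ip}"
        if not MAC_RE.match(mac):
            problems.append(f"{label}: not a valid MAC address")
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            problems.append(f"{label} is outside {subnet}")
        if addr == ctrl:
            problems.append(f"{label} reuses the controller address")
        if any(lo <= int(addr) <= hi for lo, hi in spans):
            problems.append(f"{label} falls inside a dynamic range")
        if int(addr) in seen:
            problems.append(f"{label} duplicates another fixed lease")
        seen.add(int(addr))
    return problems


def sample_checks() -> tuple[list[str], list[str]]:
    """Validate one consistent and one inconsistent constructed sub-network."""
    good = IncomingNetwork(
        label="Guests", network="192.168.100.0/24", controller_ip="192.168.100.1",
        ranges=[("192.168.100.100", "192.168.100.199")],
        fixed_leases={"00:1a:2b:3c:4d:5e": "192.168.100.20"},
    )
    bad = IncomingNetwork(
        label="Broken", network="192.168.100.0/24", controller_ip="192.168.100.1",
        ranges=[("192.168.100.1", "192.168.100.120"),      # swallows the controller address
                ("192.168.100.110", "192.168.100.255")],   # overlaps, ends on broadcast
        fixed_leases={"00:1a:2b:3c:4d:5e": "192.168.100.115",   # inside a dynamic range
                      "not-a-mac": "192.168.200.5"},           # bad MAC, wrong network
    )
    return validate(good), validate(bad)


if __name__ == "__main__":
    for name, problems in zip(("Guests", "Broken"), sample_checks()):
        print(name, "OK" if not problems else "\n  " + "\n  ".join(problems))
```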

5.1.3. Configuring outgoing sub-networks

UCOPIA Express offers the option of routing a user’s output traffic from the UCOPIA box to a particular
network. Redirection is done on the basis of the user’s profile (refer to the “Administration Guide
UCOPIA Express” documentation for more information on defining user profiles).

Click on the “Outgoing networks” item in the sub-menu shown on the left-hand side of the window.
The following page is displayed:

Figure 5.10. Configuring outgoing subnetworks

A first VLAN is pre-configured: the native VLAN. The “Controller IP address” field is either the
IP address allocated by the company network’s DHCP service, or the fixed IP address specified in the
VLAN configuration. If the controller is not connected to the network, its address will be chosen from the
range 169.254.0.0/16. The “Addressing mode” field states whether DHCP mode is enabled or not for
this VLAN (displaying “DHCP” if enabled; “Fixed” otherwise).

Warning

The use of an IP address allocated by DHCP is enabled on just one outgoing VLAN. By default, DHCP
is enabled on the native VLAN.

The “Administration access” and “Delegation access” fields indicate whether access to the
administration tools is authorized from the VLAN (green: authorized, red: forbidden). Access to
administration tools from the native VLAN is authorized by default.

Note

If the link “Advanced filtering” appears in the “Administration access” or “Delegation access” columns,
it means that access to the administration tools has been customized using the filtering editor (see
Section 5.1.7, “Filtering settings configuration”). Click on the link to open the filtering editor.

The “Default output” field indicates whether this VLAN is the default output of the UCOPIA box.

To add a new outgoing sub-network, click the “Add” button. The following page is displayed:

Figure 5.11. Adding an outgoing sub-network

You must first fill in all networking information: the ID of the VLAN (“VLAN Number”), the IP address of
the UCOPIA box (“controller IP address”), the sub-network mask (“sub-network mask”), and the
gateway address (“Gateway”).

The VLAN can be configured to be the default output. To do so, check the “Enable as default output”
box.

Warning

To be able to enable the “Default output” option, no DHCP server can be enabled on the output
interfaces, otherwise the interface on which DHCP is enabled will be the output interface. By default,
the eth0 interface is the one configured for DHCP.

You may then allow a user connected on this VLAN to access the administration tools (administration
tool and/or delegated administration tool).

Figure 5.12. Example of creating an outgoing sub-network

Tip
For fine-grained control of access to the controller resources, including the administration tool, from
the VLAN or other network entities, see Section 5.1.7.1, “Access to the controller”.

The VLANs can be deleted or modified after their creation. To do so, check the box corresponding to
the VLAN to delete or modify in the VLANs table, and click “Delete” or “Modify”.

Warning
The native VLAN cannot be removed.

5.1.3.1. Configuring local output policies

Each outgoing VLAN can have an output policy defined and associated with it, used to specify its network
addressing mode (NAT or routing). In addition, we reiterate that an output zone may be associated
with a user profile so that traffic for users with this profile is redirected into the appropriate VLAN (see
“Administration Guide UCOPIA Express”, “Administering user profiles” section).

Output policies are local because they apply to one, and only one, controller: the one on which they are
configured.

By default, just one output policy is defined. It is associated with the output sub-network corresponding
to the native VLAN. This policy indicates that all users in all profiles are NATed using the IP address
of the native output VLAN interface.

Figure 5.13. Default output policy for the native VLAN

To create an output policy, click the “Add” button in the policy table. The following page is displayed:

Figure 5.14. Adding an output policy

First, the name associated with the output policy must be specified. Then the VLAN number, which will
be associated with this policy must be entered, plus the network addressing mode (Routing or NAT).

If the NAT mode is selected, it is possible either to use the corresponding interface addressing, or to
specify the NAT IP address chosen.

Next, select the user profiles to which this output policy will apply: pick them from the list of available
profiles and add them to the list of relevant profiles using the “<<<Add” button.

Lastly, it is possible to add further VLANs into the output policy. Some specific requirements may make
it necessary to access several networks and VLANs: for example, a user redirected by default to a network
or VLAN for Internet access who also needs to access a specific server isolated on another network or
VLAN.

To add an extra network or VLAN, click on the “Additional accessible networks and VLANs by policy”
link to bring up the configuration screen.

The left-hand list displays the VLANs available to be added. It is possible to restrict access to a particular
IP address.

Example:

Figure 5.15. Example of configuring additional outgoing VLANs

The example below shows two output policies defined for two user populations: the policy for Students
is associated with the Educational zone, and the policy for Teachers with the Laboratories zone.

Figure 5.16. Example of output policies

5.1.3.2. Default policy

You can choose the addressing policy (“NAT” or “Routing”) that will be applied to non-authenticated
traffic flows coming out of the controller.

5.1.4. Configuring static output routes

Static routes are typically used to make contact with a network resource located on a routed network
other than the LAN on which the UCOPIA controller is located.

Such a configuration is found for example in the following cases:

• If the UCOPIA controller is interfaced with an LDAP directory on a different LAN, then a static route
must be configured in order to indicate the gateway (a device on the LAN on which the controller is
located) that will be used to reach the remote network.

• If the administration (or delegated administration) workstation is on a remote network other than
the LAN on which the UCOPIA controller is located, then a static route must be configured in order
to indicate the gateway, which will be used by the controller to reach the administrator workstation.

To configure static routes, click on the “Static routes” item in the sub-menu on the left-hand side of the
window. The following page is displayed:

Figure 5.17. Configuring static output routes

To add a new static route, click on the "Add" button. The following page is displayed:

Figure 5.18. Adding a static route

Configure the network parameter settings, for example:

Figure 5.19. Example of static route configuration

5.1.5. Time server configuration

To configure the time server, click on the “Time server” item in the sub-menu on the left-hand side of
the window. The following page is displayed:

Figure 5.20. Time server configuration

You can choose the appropriate time zone (Europe/Paris by default), then set the date and time. The
date and time can either be set automatically using an NTP server, or set manually.

5.1.6. DNS Server configuration

UCOPIA has an embedded DNS (Domain Name System) server that behaves as a DNS relay to its own
DNS servers. The DNS relay can be customized according to the user profile or the UCOPIA input
interface. It is possible to populate the table of DNS records to enable it to resolve additional addresses.

To configure the DNS server, click on the “DNS server” item in the sub-menu on the left-hand side of
the window. The following page is displayed:

Figure 5.21. DNS Server configuration

The first configuration step consists of defining the address of the primary DNS and, optionally, that of
the secondary DNS.

The maximum packet size is customizable in order to be able to communicate with any DNS server. This
in particular facilitates packet transfer when the size is greater than 512 bytes. By default, the maximum
size is set at 1280 bytes. It can be raised up to 4096 bytes.

For each DNS (primary and secondary), it is possible to carry out a test to check that the DNS is correctly
configured. To do so, use the “Test” button corresponding to the DNS you wish to test.

The test displays the following window.

Figure 5.22. DNS server test

Enter the domain name and request type. The request types that can be tested are described in the table
below. The number of queries sent for each request can be specified.

DNS query type   Meaning
A                matches a host name with a 32-bit IPv4 address distributed over 4 bytes, e.g. 123.234.1.2
AAAA             matches a host name with a 128-bit IPv6 address distributed over 16 bytes
MX               defines the email servers for the domain
NS               defines the domain’s DNS servers
SOA              gives general data for the zone: primary server, contact email, various durations including
                 expiry deadline, zone serial number
SRV              offers advanced features such as the load balancing rate for a given service, standardized
                 in RFC 2782 [http://tools.ietf.org/html/rfc2782]

5.1.6.1. DNS relay configuration by policy

The DNS relays can be configured by policy, either on the basis of the user’s profile, or according to
the UCOPIA controller input interface. If no policy is defined, only the primary and secondary DNS will
be used.

To configure a policy, click the “Add” button in the DNS policy table. The following page is displayed:

Figure 5.23. DNS policy configuration

Name the policy and enter the policy type (profile or incoming VLAN).

• Policy by incoming VLAN

Policy per incoming VLAN only applies after user authentication on the captive portal. If the DNS
servers for the UCOPIA controller are internal servers (e.g. a domain controller for resolving in-house
machines) it is then of benefit to apply different DNS policies to users on the basis of the incoming
VLAN. For a guest incoming VLAN, it will be advisable to address public DNS servers so that users
cannot resolve the names of in-house machines.

• Policy by profile

Policy by profile applies only once users are authenticated. On an insecure incoming VLAN,
UCOPIA can address public DNS servers before user authentication. Once the user belongs to
an “employee” profile, the controller will be able to address DNS servers in the internal domain.


5.1.6.2. Adding DNS records

It is possible to add new DNS records to the DNS server.

To add a DNS record, click the “Add” button in the DNS table. The following page is displayed:

Figure 5.24. Adding a new DNS record

For each DNS entry, it is possible to specify a machine’s DNS name (e.g. fr.ucopia.org) and its IP address.
It is also possible to automatically complete the domain name when sending the DNS response, in both
input and output mode.

For example, for a domain named “mobile.lan” and a Wi-Fi printer on eth1 with the IP address
192.168.100.1 and the name “Printer”, it will be possible to perform automatic completion with the
domain name when sending the DNS response. The response will accordingly be “Printer.mobile.lan”.

Example:

Figure 5.25. Example of DNS record configuration

5.1.6.3. DNS usage recommendations

Users connecting via the UCOPIA portal can make DNS requests before authentication. This avoids the
problem of DNS cache pollution, which can be harmful to applications (in particular most browsers) that
implement a DNS cache without observing the expiry date of DNS responses.

As a result, under certain circumstances, a small amount of data can be conveyed before authentication,
at a very low bandwidth, through the DNS traffic itself.

It is therefore recommended, for the sake of security, to implement the following provisions:

• Configure the DNS server used by UCOPIA to be a DNS server without Internet access, which avoids
the problem of recursive DNS requests. Internet access is then provided through a web proxy, using
the “Web” service (see Section 5.3.2).
• Configure the DNS server used by UCOPIA to be a DNS server that does not support recursive DNS
requests and/or that is able to detect suspicious DNS traffic.
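The second recommendation asks for a DNS server able to detect suspicious traffic. As an added example (not part of the UCOPIA guide or product), the script below shows the kind of check such a detector applies to pre-authentication DNS logs: many unique subdomains under one domain, high-entropy labels, and a large share of TXT/NULL queries, which together are the signature of data being carried in DNS. The log lines are constructed in a simple “epoch client qtype name” format; parse_line() is the only part to adapt to the format of the DNS server you use, and the thresholds and the “last two labels” domain rule are assumptions to tune per site.

```python
"""Flag pre-authentication DNS traffic that looks like a covert channel.

Added example, not UCOPIA code. Runs over constructed log lines in the form
"epoch client qtype name"; adapt parse_line() to your DNS server's log format.
"""
import hashlib
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<client>[\d.]+) (?P<qtype>[A-Z]+) (?P<name>[A-Za-z0-9.-]+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text.lower():
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["client"], m["qtype"], m["name"].lower().rstrip(".")


def registered_domain(name: str) -> str:
    # Assumption: the last two labels are the registered domain (use a suffix list in production).
    return ".".join(name.split(".")[-2:])


def analyse(lines, max_unique_subdomains=30, entropy_threshold=3.3, max_txt=10):
    """Return {client: [reasons]} for clients whose DNS traffic looks suspicious."""
    per_client = defaultdict(lambda: {"subdomains": defaultdict(set), "entropies": [], "txt": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the detector
        _ts, client, qtype, name = parsed
        stats = per_client[client]
        labels = name.split(".")
        if len(labels) > 2:
            stats["subdomains"][registered_domain(name)].add(name)
            stats["entropies"].append(shannon_entropy(labels[0]))
        if qtype in ("TXT", "NULL"):
            stats["txt"] += 1
    findings = {}
    for client, stats in per_client.items():
        reasons = []
        for domain, names in stats["subdomains"].items():
            if len(names) > max_unique_subdomains:
                reasons.append(f"{len(names)} unique subdomains under {domain}")
        if stats["entropies"]:
            mean = sum(stats["entropies"]) / len(stats["entropies"])
            if mean > entropy_threshold:
                reasons.append(f"high-entropy labels (mean {mean:.2f} bits/char)")
        if stats["txt"] > max_txt:
            reasons.append(f"{stats['txt']} TXT/NULL queries")
        if reasons:
            findings[client] = reasons
    return findings


def constructed_log():
    """Constructed sample: one ordinary client (10.0.0.7) and one tunnel-like client (10.0.0.5)."""
    lines = []
    ordinary = ["www.ucopia.org", "mail.ucopia.org", "static.example.net", "cdn.example.net"]
    for i, name in enumerate(ordinary * 3):
        lines.append(f"{1000 + i} 10.0.0.7 A {name}")
    for i in range(40):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:30]  # random-looking label
        lines.append(f"{2000 + i} 10.0.0.5 TXT {label}.tun.example")
    return lines
```

Run analyse() over a window of log lines (one minute is a reasonable starting point) and raise an alert per client rather than per query; a client that trips several of the three conditions before it has authenticated is the case the recommendations above are written for.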


5.1.7. Filtering settings configuration

UCOPIA offers several options relating to the UCOPIA filtering mechanism.

To use these options, click on the “Filtering” item in the sub-menu on the left side of the window. The
following page is displayed:

Figure 5.26. Configuring UCOPIA filtering options

5.1.7.1. Access to the controller

The “Access to the controller” tab lets you manage the inbound flows destined for the controller’s
services.

To add a new access, click on the “Add” button:

Figure 5.27. Defining a new access

Each table entry corresponds to a combination of a service and one or more sources:

• Service
– Administration tools: access to UCOPIA administration tools.
– Delegation portals: access to delegation portals.
– LDAP directory: gives access to the internal LDAP directory of the UCOPIA controller.
This also allows third party tools to retrieve user data and profiles.


– SNMP agent: access SNMP information internal to the UCOPIA controller. See also Sec-
tion 5.8.1, “SNMP Interface”.
– CLI: direct remote access to the command line.
– CLI Web: remote access to the command line via the web interface.
– SQL database log files: direct access to the SQL log database, for example to automate
the production of specific reports or to couple it with third-party tools.

Important

Contact UCOPIA Communications to obtain the identifiers that will allow you to connect to the data-
base. The SQL schema documentation will also be forwarded to you.

– All access: all of the above.

Note

Services already present are grayed out (not selectable).

• Sources

For the chosen service you can define one or more sources from which access to the service will
be authorized: zone, VLAN, subnetwork, or host.

To add a new source, click on the “Add a source” button:

5.1.7.2. Port opening

The “Port opening” tab allows traffic to pass through the controller with filtering lifted for the specified flows.

To open a port, click on the “Add” button:

Example: port 2000 from the incoming zone by default to the outgoing zone by default, without autho-
rization.

Figure 5.28. Adding a port opening

• Source: the source from which the port opening is allowed (incoming or outgoing VLAN, incoming or
outgoing zone, sub-network or single IP address (“host”)).
• Log traffic from this opening: choose Yes to log all traffic in the connection logs.


• Open a predefined access: This option lets you choose a specific access instead of manually
defining the destination protocol and ports. For example “Service Unik” ensures compatibility with
Unik telephones. Once the option has been selected, UCOPIA allows traffic from such telephones
to pass.
• Destination: authorized destination.

• Protocols: authorized protocols (TCP/UDP, UDP, etc.).

• Source ports: authorized source ports.

• Destination ports: authorized destination ports.

5.1.7.3. Port redirection

The “Port redirection” tab allows traffic to be redirected (“rebound”) on the controller from the incoming
interface to the outgoing interface, or vice-versa.

To add a port redirection, click on the “Add” button:

Figure 5.29. Adding a port redirection

• Source: the source from which the forwarded request is emitted (incoming or outgoing zone, sub-
network or single IP address (“host”)).
• Initial destination: destination to reach before forwarding.

• Modified destination host: destination IP address after forwarding.

• Protocols: protocols used for redirection (TCP/UDP, UDP, etc.).

• Initial ports: ports before forwarding.

• Modified ports: ports after forwarding.

Important

Ports can only be filled in if the protocols used are TCP/UDP, TCP or UDP.

Example: reaching a Wi-Fi access point from the LAN.
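As an added example (not part of the UCOPIA guide or product), the following model reproduces the semantics of the two tables above so that a planned rule set can be reviewed offline before it is entered: a port opening matches on source, destination, protocol and ports; a redirection rewrites the destination host and port; and, as the Important note says, ports are only accepted with TCP, UDP or TCP/UDP. Sources and destinations are modelled as IP networks only (the real tables also accept zones and VLANs), the order “redirections first, then openings” is an assumption, and the addresses are constructed from the two examples in the text (port 2000 from the default incoming zone; reaching a Wi-Fi access point from the LAN).

```python
"""Model of the “Port opening” and “Port redirection” tables.

Added example, not UCOPIA code. Sources are IP networks here; the product's
tables also accept zones and VLANs. Evaluation order is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_PROTOCOLS = {"TCP", "UDP", "TCP/UDP"}


def _matches_proto(rule_proto: str, flow_proto: str) -> bool:
    return (rule_proto == "TCP/UDP" and flow_proto in ("TCP", "UDP")) or rule_proto == flow_proto


def _in_net(address: str, network: str) -> bool:
    return ipaddress.ip_address(address) in ipaddress.ip_network(network)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "TCP", "UDP", "ICMP", ...
    sport: int = 0
    dport: int = 0


@dataclass
class PortOpening:
    source: str                     # network, e.g. "192.168.100.0/24" (a host is a /32)
    destination: str
    protocol: str
    sports: Optional[set] = None    # None = any port
    dports: Optional[set] = None

    def __post_init__(self):
        # The Important note: ports only make sense for TCP, UDP or TCP/UDP.
        if (self.sports or self.dports) and self.protocol not in PORT_PROTOCOLS:
            raise ValueError("ports can only be set for TCP, UDP or TCP/UDP")

    def allows(self, f: Flow) -> bool:
        return (_in_net(f.src, self.source) and _in_net(f.dst, self.destination)
                and _matches_proto(self.protocol, f.proto)
                and (self.sports is None or f.sport in self.sports)
                and (self.dports is None or f.dport in self.dports))


@dataclass
class PortRedirection:
    source: str
    initial_destination: str       # host reached before forwarding
    modified_host: str             # host after forwarding
    protocol: str
    initial_ports: Optional[set] = None
    modified_ports: Optional[dict] = None   # initial port -> modified port

    def __post_init__(self):
        if (self.initial_ports or self.modified_ports) and self.protocol not in PORT_PROTOCOLS:
            raise ValueError("ports can only be set for TCP, UDP or TCP/UDP")

    def apply(self, f: Flow) -> Optional[Flow]:
        """The rewritten flow when the rule matches, else None."""
        if not (_in_net(f.src, self.source) and f.dst == self.initial_destination
                and _matches_proto(self.protocol, f.proto)
                and (self.initial_ports is None or f.dport in self.initial_ports)):
            return None
        new_port = (self.modified_ports or {}).get(f.dport, f.dport)
        return Flow(f.src, self.modified_host, f.proto, f.sport, new_port)


def decide(flow: Flow, openings, redirections):
    """Apply the first matching redirection, else the first matching opening; returns (action, flow)."""
    for rule in redirections:
        rewritten = rule.apply(flow)
        if rewritten is not None:
            return "redirect", rewritten
    for rule in openings:
        if rule.allows(flow):
            return "open", flow
    return "filter", flow


# Constructed rules mirroring the two examples in the text.
OPENINGS = [PortOpening("192.168.100.0/24", "10.0.0.0/8", "TCP/UDP", dports={2000})]
REDIRECTIONS = [PortRedirection("10.0.0.0/8", "192.168.100.254", "192.168.100.10", "TCP",
                                initial_ports={8080}, modified_ports={8080: 80})]
```

Reviewing rules this way before entering them catches the two mistakes that matter most: an opening whose source is wider than intended (the source network is the only thing standing between an unauthenticated client and the service), and a redirection that silently exposes a management port on a device behind the controller.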

5.2. Configuring authentication

Click on the “Authentication” item on the left-hand side of the window. A sub-menu is displayed with
the following options:


Figure 5.30. Items on the Authentication menu

5.2.1. The different authentication methods

UCOPIA offers two authentication families, one based on a captive web portal, and the other based on
a RADIUS server and the 802.1x/EAP protocol.

Captive portal

The captive portal is available in different modes, ranging from a very simple portal (the “One-Click
Button” portal with a single connection button) to a portal that requires authentication and filling in a
form. The identifiers used for authentication can be delivered either by an administrator or delegated
administrator, or directly from the portal through different self-registration methods (receipt of identifiers
via SMS, email, printed ticket, etc.). Access to the portal can be free or paid. Paid access can be handled
through UCOPIA connectors to payment solutions like PayPal, or to certain invoicing tools (PMS, PPS).

The portal can also be coupled with the Shibboleth infrastructure used in universities (see Section 5.2.6,
“Shibboleth Configuration”). It can be also coupled to a DPSK mechanism offered by the Wi-Fi company
Ruckus in order to enhance security (see Section 5.7.8, “Configuring the DPSK service”).

RADIUS

RADIUS authentication is based on the 802.1x protocol; the supported EAP methods are PEAP, TTLS and
TLS (only on UCOPIA Advance). See Section 5.2.4, “RADIUS configuration”.

In Advance version, the UCOPIA RADIUS server can be used in proxy mode to communicate with an
external RADIUS server.

These different authentication methods let you manage different sets of users, each one with different
needs in terms of security and ergonomics.

Automatic authentication by discovery of the user equipment. The captive web portal can be
used together with a mechanism of automatic discovery of the user equipment (MAC address). The idea
is to register the user equipment after its first authentication on the portal. During the next connections,
the equipment will be recognized and the portal will be able to either let the user connect in a transparent
fashion, or present him with a purely informative, possibly customized, portal. This mechanism can be
used together with all types of portal operation modes. It must be activated at the user profile level (see
section Adding a user profile of the Administration manual). The option that allows the display of
an informative portal will be defined in the portal configuration (see Section 5.4.1, “Customization of the
UCOPIA portals”).

5.2.2. Configuring an external authentication directory

Express has the ability to use one (and only one) directory to carry out user authentication. The directory
involved in authentication must comply with the LDAP standard (e.g. OpenLDAP, ActiveDirectory).


The internal UCOPIA directory, which is used to store user profiles, can also be used in the authentica-
tion process. Users created from the delegated administration tool (typically visitor-type users) are in
fact stored in the internal directory. It is therefore possible to set up a cascade of a corporate directory
and the UCOPIA directory.

With the directory cascade mechanism, directories can be associated with one authentication method in
particular. When specifying a directory cascade, the directories involved, the order in which the directories
are to be queried and lastly the authentication method (portal or 802.1x/EAP) for which the cascade
applies must all be given.

Click on the “Directories” item in the sub-menu shown on the left-hand side of the window. The following
page is displayed:

Figure 5.31. Configuring authentication directories

The table summarizes the configured directories available for use in the authentication processes. By
default, only the UCOPIA directory (termed “local”) is defined.

The “Directory search sequence” panel is used to define firstly the directory cascade for authentication
using the portal and 802.1x/EAP methods (see Section 5.2.2.1, “Configuring a cascade of a UCOPIA
directory and an external directory”), and secondly the directory cascade for authentication by delegate
administrators.

To define a new directory, click the “Add” button in the authentication directories table. The following
page is displayed:


Figure 5.32. Configuring an authentication directory

Follow the stages below to configure a directory:

1. The “General settings” panel. Configure the general parameters of the directory:
• Directory name: name of the directory. This name will be used to refer to the directory when
specifying the cascade mechanism.
• Directory type: the directory may be the internal UCOPIA directory, an Active Directory or
another LDAP standard directory (OpenLDAP, Apple OpenDirectory, etc.).

Example:

Figure 5.33. Configuring the general settings for an external directory

Note

The UCOPIA directory is configured by default. It corresponds to the internal directory embedded in
the UCOPIA box.


Warning

If the directory is an Active Directory one and if you wish to implement PEAP authentication, you have
to register the UCOPIA controller in the Windows domain. To do so, click on the link at the top of the
page (see Section 5.2.5, “Windows configuration”).

2. The “Connection settings” panel. Configure the settings for connections to the directory:
• IP address: the IP address of the directory;

• Port: the port number for the directory depending on the selected protocol (LDAP: 389, LDAPS:
636 as standard);
• Bind DN: this field represents the “Distinguished Name” of the directory administrator. Authen-
tication can be anonymous; to do so, check the “Anonymous” box;
• Password: the directory administrator’s password.

Example 1:

Figure 5.34. Configuring the connection settings for an external Active Directory

Example 2:

Figure 5.35. Configuring the connection settings for an external LDAP directory

Warning

LDAP nomenclature must be observed when setting the “Bind DN”.

Note

You can use the “Test settings” button to check that the connection with the directory is established
properly.

3. The “Search settings” panel. Set the profile search settings.

The following fields are used to determine the user (or group) profile on the basis of the data found
in the external directory.


• Base DN: the “Distinguished Name” corresponding to the directory entry from which the search
is carried out.
• Search filter: LDAP filter used to search for the user.

• Profile attribute / Default profile: the first “Profile attribute” field is used to specify the name
of the LDAP attribute that gives the user profile. If this attribute is not specified or is empty in
the directory, the “Default profile” field will be used.
• Password attribute / Encoding: the name of the LDAP attribute specifying the user password
and its encoding type. This option is used in the event that an attribute other than the standard
attribute is used for the password. In particular, the use of another attribute is essential if there
is a need to use an LDAP directory other than Active Directory with PEAP authentication. The
password may be unencrypted (encoding = User-Password) or encrypted (encoding = NT-
password).
• Name attribute: attribute used to retrieve the user’s name to store it in UCOPIA logs.

• First name attribute: attribute used to retrieve the user’s first name to store it in UCOPIA logs.

Warning

LDAP nomenclature must be observed when setting the “Base DN”.

Example 1:

Figure 5.36. Configuring profile search settings (Active Directory)

Example 2:

Figure 5.37. Configuring profile search settings (LDAP)

Note

You can use the “Test settings” button to check that the settings are correct.

4. If the directory is going to be used for authentication of delegate administrators, check the “Enable
access” checkbox.


Figure 5.38. Configuring delegation accounts associated with a directory

Choose the delegation account which will be used for delegate administrators who will authenticate
themselves from this directory.
5. Click on “Confirm”.

5.2.2.1. Configuring a cascade of a UCOPIA directory and an external directory

The second panel on the “Directory search sequence” page is used to describe three directory cas-
cades, associated respectively with the web portal authentication method, with the 802.1x/EAP mode,
and with delegate administrators authentication. For the first two cascades (portal and EAP), by default,
only the internal UCOPIA directory is defined (local). These cascades operate therefore by default with
this single directory. For the cascade associated with delegate administrator authentication, no directory
is defined by default.

Note

Locally defined delegate administrators automatically have access to the administration tool.

Warning

UCOPIA Express can only put two directories in cascade, namely the UCOPIA directory, and an
external directory.

To modify directory cascades, click the “Modify” button in the “Directory search sequence” panel.

For each of the two cascades, it is possible to select which directories are included in the cascade and
the directory query order.

In the example below, two directories are defined (Employee and local). The cascade for portal authen-
tication includes both directories, while the EAP cascade uses only the Employee directory. The cascade
for delegate administrators involves only the Employee directory.

The order of priority is specified using the “Up” and “Down” buttons as shown on the screen capture
below:


Figure 5.39. Configuring directory cascades

Once the cascades are specified, the directory configuration page is displayed as follows:

Figure 5.40. Example of directory cascade configuration
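As an added example (not part of the UCOPIA guide or product), the following offline model ties together the “Search settings” of Section 5.2.2 (base DN, search filter, profile attribute with a default profile) and the directory cascade of Section 5.2.2.1 (directories queried in order, the first one that knows the user decides). Directories are in-memory lists of entries instead of real LDAP servers, only equality filters combined with “&” and “|” are understood, and the “%u” placeholder in the filter, the attribute names and the passwords stored in a userPassword attribute are assumptions made for the example. The one security-relevant detail it insists on is RFC 4515 escaping of the user name before it is substituted into the filter, so that a name containing “*”, “(” or “)” can never change the meaning of the query.

```python
"""Offline model of the directory “Search settings” and of a directory cascade.

Added example, not UCOPIA code. Directories are in-memory entry lists; filters
support (attr=value) combined with & and |; value escaping follows RFC 4515.
"""
from dataclasses import dataclass, field
from typing import Optional


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user input can never alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(text: str):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return node


def _parse(f: str, i: int):
    if f[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    j = f.index(")", i)  # safe: an escaped value contains no literal ')'
    attr, sep, val = f[i:j].partition("=")
    if not sep:
        raise ValueError("only equality filters are supported")
    return ("=", attr.lower(), unescape_filter_value(val)), j + 1


def evaluate(node, entry: dict) -> bool:
    if node[0] == "=":
        return entry.get(node[1]) == node[2]
    results = [evaluate(kid, entry) for kid in node[1]]
    return all(results) if node[0] == "&" else any(results)


@dataclass
class Directory:
    name: str
    base_dn: str
    search_filter: str                    # e.g. "(sAMAccountName=%u)"; %u is an assumption
    default_profile: str
    profile_attribute: Optional[str] = None
    password_attribute: str = "userPassword"
    entries: list = field(default_factory=list)   # constructed entries (dicts)

    def __post_init__(self):
        self.entries = [{k.lower(): v for k, v in e.items()} for e in self.entries]

    def find_user(self, username: str) -> Optional[dict]:
        node = parse_filter(self.search_filter.replace("%u", escape_filter_value(username)))
        hits = [e for e in self.entries
                if e.get("dn", "").lower().endswith(self.base_dn.lower()) and evaluate(node, e)]
        return hits[0] if len(hits) == 1 else None   # absent or ambiguous: not found

    def profile_for(self, entry: dict) -> str:
        value = entry.get(self.profile_attribute.lower()) if self.profile_attribute else None
        return value or self.default_profile       # empty/missing attribute -> default profile


def authenticate(cascade, username: str, password: str) -> dict:
    """Query the directories in the configured order; the first one that knows the user decides."""
    for d in cascade:
        entry = d.find_user(username)
        if entry is None:
            continue
        if entry.get(d.password_attribute.lower()) != password:
            return {"directory": d.name, "status": "bad-password", "profile": None}
        return {"directory": d.name, "status": "ok", "profile": d.profile_for(entry)}
    return {"directory": None, "status": "unknown-user", "profile": None}


def constructed_cascade():
    """Constructed Employee (AD-like) directory followed by the local directory."""
    employee = Directory("Employee", "DC=corp,DC=example", "(sAMAccountName=%u)", "Employee",
                         profile_attribute="department", entries=[
        {"dn": "CN=jsmith,OU=Users,DC=corp,DC=example", "sAMAccountName": "jsmith",
         "userPassword": "s3cret", "department": "Manager"},
        {"dn": "CN=adoe,OU=Users,DC=corp,DC=example", "sAMAccountName": "adoe", "userPassword": "pa55"}])
    local = Directory("local", "dc=ucopia,dc=lan", "(uid=%u)", "Guest", entries=[
        {"dn": "uid=visitor1,ou=people,dc=ucopia,dc=lan", "uid": "visitor1", "userPassword": "visit"}])
    return [employee, local]
```

The cascade order is a security decision as well as a convenience: with the corporate directory first, a visitor account created by a delegate administrator can never shadow an employee’s login, and the profile an employee receives always comes from the corporate attribute (or from that directory’s default profile), never from the local directory.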

5.2.3. Configuring certificates

The UCOPIA controller uses its own certificates both for HTTPS web portal authentication and for the
implementation of the EAP/PEAP or EAP/TTLS protocols by the RADIUS server loaded in the controller.
This section only covers the configuration of certificates for the captive portal. See Section 5.2.4,
“RADIUS configuration” to configure the RADIUS server certificate.


To manage certificates of the captive portal, click on the “Certificate” item in the sub-menu shown on
the left-hand side of the window. The following page is displayed:

Figure 5.41. Certificate management

• "Label given to certificate" means the name of the certificate.

• "Server name" means the name of the server associated with the certificate.

• The certificate’s validity period is indicated through the fields "Start of validity" and "End of
validity".
• "Alternative alias": alternative server name associated with the certificate

• "Default certificate": sets the certificate as the default certificate for the controller

• Button: allows the preview of the certificate content

To add a new certificate on the UCOPIA controller, click the “Add” button. The following page is dis-
played:


Figure 5.42. Loading certificates

• Enter the name of the certificate in the field "Label given to certificate".
• For each type of certificate "Certificate from Certification Authority (CA)" and "Controller cer-
tificate" as well as for the "Private controller key", load certificates using the "Browse ..." button,
then click on "Confirm".
• Enter the private key password in the "Password for the private key" field.
• Check the box "Default certificate" to use this default certificate for the captive portal.

A click on a link (example: "Controller certificate UCOPIA") displays the certificate content in the
“Certificate contents” panel. The certificate may also be downloaded.

Figure 5.43. Example: Displaying the content of a certificate

Note
By default, UCOPIA uses certificates signed by GlobalSign.

Note
The choice of the certificate is made through the SNI (Server Name Indication) extension of TLS.
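As an added example (not part of the UCOPIA guide or product), the following model shows how the table fields above combine with SNI: the client’s requested host name is matched against the certificate’s server name, then against its alternative aliases (including a single-label wildcard), and the certificate marked as default answers everything else; the validity window is checked on the chosen certificate so an expired one is reported instead of being served silently. The labels, names and dates are constructed, and the matching order is an assumption.

```python
"""Choose which captive-portal certificate answers a TLS client hello.

Added example, not UCOPIA code. Models server name, alternative aliases,
validity window and the default certificate; matching order is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Certificate:
    label: str
    server_name: str
    not_before: datetime
    not_after: datetime
    aliases: set = field(default_factory=set)   # "Alternative alias" entries
    is_default: bool = False                     # "Default certificate" checkbox

    def covers(self, host: str) -> bool:
        """True if the server name or an alias matches; '*.x' matches exactly one label."""
        host = host.lower()
        names = {self.server_name.lower(), *(a.lower() for a in self.aliases)}
        for n in names:
            if n == host:
                return True
            if n.startswith("*.") and host.count(".") >= 2 and host.split(".", 1)[1] == n[2:]:
                return True
        return False

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def select_certificate(certs, sni: Optional[str], now: Optional[datetime] = None):
    """Return (certificate, warning); warning is set when the choice is outside its validity period."""
    now = now or datetime.now(timezone.utc)
    chosen = None
    if sni:
        exact = [c for c in certs if c.server_name.lower() == sni.lower()]
        chosen = exact[0] if exact else next((c for c in certs if c.covers(sni)), None)
    if chosen is None:  # no SNI, or a name no certificate covers
        chosen = next((c for c in certs if c.is_default), None)
    if chosen is None:
        return None, "no default certificate configured"
    warning = None if chosen.valid_at(now) else f"{chosen.label} is outside its validity period"
    return chosen, warning


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def constructed_certificates():
    """Constructed sample table: a wildcard-aliased default certificate and an expired one."""
    return [
        Certificate("portal", "portal.ucopia.lan", utc(2024, 1, 1), utc(2026, 1, 1),
                    aliases={"*.ucopia.lan"}, is_default=True),
        Certificate("guest-wifi", "wifi.guest.example", utc(2020, 1, 1), utc(2021, 1, 1)),
    ]
```

A periodic run of select_certificate() over every name users are redirected to, with the warning forwarded to monitoring, catches the common failure in which a portal certificate expires and every client starts seeing a browser warning that trains users to click through.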


5.2.4. RADIUS configuration

UCOPIA has its own embedded RADIUS server. This may be used directly as an authentication server
or in proxy mode towards one or multiple external RADIUS servers.

Note
We reiterate that the RADIUS protocol is essentially based on a server (the RADIUS server), linked
to an identification database (database, LDAP directory, etc.), and a RADIUS client, named NAS
(Network Access Server), acting as an intermediary between the end user (named supplicant) and
the server. All transactions between the RADIUS client and the RADIUS server are encrypted and
authenticated with a shared secret.

To configure the UCOPIA RADIUS server, click on the “Radius” item on the sub-menu on the left-
hand side of the window. The following page is displayed:

Figure 5.44. Configuring UCOPIA RADIUS

• The “EAP settings” panel is used to configure the parameters for 802.1x/EAP authentication. As
regards the EAP re-authentication mechanism, it is possible to select from three scenarios: (1) no
re-authentication, (2) re-authentication controlled by the NAS (an access point, for example), (3)
re-authentication handled by the UCOPIA RADIUS with a re-authentication time configurable in
seconds (by default, the time is set to 40 seconds).
• The “NAS configuration” panel is used to configure firstly the shared secret needed for encryption
and secondly the NAS administration VLAN (the NAS will be the access points in the case of a Wi-Fi
architecture). The default shared secret is testing123; the default administration VLAN is VLAN 1.
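As an added example (not part of the UCOPIA guide or product), the following code shows what the NAS shared secret configured above does on the wire: a NAS builds an Access-Request in which the User-Password attribute is hidden with MD5(secret + Request Authenticator) as specified in RFC 2865, and only a server holding the same secret can recover it. This is why the default testing123 must be replaced by a long random secret, different per NAS where the product allows it, before any access point is connected. The user name, password, NAS address and the fixed authenticator used in the check are constructed for the example.

```python
"""Build and decode a RADIUS Access-Request (RFC 2865).

Added example, not UCOPIA code. Shows how the NAS shared secret hides the
User-Password attribute; addresses and credentials are constructed.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    p = password.encode("utf-8")
    p += b"\x00" * (-len(p) % 16)
    if not 0 < len(p) <= 128:
        raise ValueError("password must be 1..128 bytes after padding")
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(p[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo hide_password(); a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, nas_port: int, authenticator: bytes = None) -> bytes:
    """Access-Request as sent by a NAS (access point) to the RADIUS server."""
    ra = authenticator or os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = (_attr(USER_NAME, username.encode("utf-8"))
             + _attr(USER_PASSWORD, hide_password(password, secret, ra))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {attribute type: value}); rejects bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[off + 2:off + attr_len]
        off += attr_len
    return code, identifier, packet[4:20], attrs
```

Note what the secret does not do: User-Name, NAS-IP-Address and every other attribute travel in clear, and a server given the wrong secret still decodes something (it just fails the password check). That is why the NAS administration VLAN above should carry RADIUS traffic only, and why the secret must be treated with the same care as a password.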

To configure a NAS, click the “Add” button.

Figure 5.45. Example of NAS configuration


• The “Import/display certificates for RADIUS server” frame is used to import and view the Certification
Authority (CA) certificate and the UCOPIA controller certificate:
– Certificate from Certification Authority (CA): click on the Browse button to select a certificate.
– Controller certificate: click on the Browse button to select a certificate.
– Controller's private key: click on the Browse button to select the controller's private key.
– Private key password: enter the password of the controller's private key.

5.2.4.1. Configuring the UCOPIA RADIUS in proxy mode

Warning
RADIUS proxy configuration in the Express range may only be used in the case of a Cloud architec-
ture. In this case, a local controller will have to configure a proxy to the central controller's RADIUS
server. It will not be possible to perform a proxy configuration to a RADIUS server other than that
of a UCOPIA controller.

You can configure the UCOPIA RADIUS in proxy mode to forward requests to one or more external RADIUS servers.

Routing towards the external RADIUS operates by means of a “realm”. The “realm” determines which
RADIUS server the UCOPIA RADIUS server should send its request to.

There are three categories of realm:

• The named or remote realm

This refers to the part of the user ID found after the “@” symbol. For example, if the ID is
“jsmith@somewhere.com”, the realm will be “somewhere.com”. The request will then be sent to the
somewhere.com domain’s RADIUS server. This server must, however, be correctly configured in the
proxy mechanism.

• The empty (NULL) realm

The realm is not explicitly mentioned in the user identifier (example: identifier “jdupond”). In this
case, the request will be sent to a server specified during the proxy configuration.

• The default realm (DEFAULT)

The realm exists but the configuration does not recognise it. In this case, the request will be sent
to a server specified during the proxy configuration.

By default, the UCOPIA RADIUS will be used for both the NULL and the DEFAULT realms, as shown
by the default configuration below:

Figure 5.46. Default configuration of realms

Note

The UCOPIA RADIUS server is termed “LOCAL” in the proxy configuration.

To use the UCOPIA RADIUS as a proxy, click the “Add” button on the “Realm and RADIUS proxy
server configuration” table. The following page is displayed:


Figure 5.47. Configuring the UCOPIA RADIUS in proxy mode

You must first specify the realm name, followed by the RADIUS on which the realm will operate.

• To use the UCOPIA RADIUS, click the “LOCAL RADIUS” button.

• To use a remote RADIUS, click the “REMOTE RADIUS” button.

For billing (or accounting), the accounting port must be defined. In that case, the standard RADIUS
Accounting messages are sent to the remote RADIUS. These messages are, for example, Acc-start
(for a successful authentication and session start), Acc-stop (for a logout and session end) or a
Session Timeout message when the time credit is used up. The standard accounting port is port 1813.

You must also define the default user profile: the RADIUS proxy mechanism does not allow the user
profile to be looked up in the remote directory. You may enter a second user profile to be used if the
first profile does not exist on this controller.

Finally, it is possible to enter a primary and a secondary server for each remote RADIUS.

Enter the data identifying each authorised RADIUS server: the RADIUS server’s IP address, the port
number on which it is reachable and its shared secret.

For the secondary RADIUS server, you have two options:

– fail-over: the RADIUS server backup is provided by switching from one server to the other. A
single RADIUS server is active and the second, which is thus passive, takes over if the first
one fails.
– load-balancing: the RADIUS server backup is provided by load distribution. The two RADIUS
servers are both active and the requests are distributed between them.
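As an added example (not part of the UCOPIA guide or product), the following model puts the proxy configuration described in this section into code: the realm is extracted from the user identifier and classified as named, NULL or DEFAULT, the realm table routes it to LOCAL or to a remote RADIUS entry, and the remote entry picks its primary or secondary server according to the fail-over or load-balancing option. The realm names, server addresses and secrets are constructed, and the treatment of an identifier ending in “@” as an empty (NULL) realm is an assumption.

```python
"""Realm extraction and RADIUS proxy routing.

Added example, not UCOPIA code. Realm names, servers and secrets are
constructed; an identifier ending in "@" is treated as a NULL realm (assumption).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL = "LOCAL"  # the UCOPIA RADIUS server, as named in the proxy configuration


@dataclass
class RemoteRadius:
    primary: Tuple[str, int]
    secret: bytes
    secondary: Optional[Tuple[str, int]] = None
    mode: str = "fail-over"               # or "load-balancing"
    accounting_port: int = 1813
    default_profile: str = "Guest"        # profile used since the remote directory is not searched
    fallback_profile: Optional[str] = None
    primary_up: bool = True               # set by a health check in a real deployment
    _next: int = 0

    def pick_server(self) -> Tuple[str, int]:
        if self.secondary is None:
            return self.primary
        if self.mode == "fail-over":
            return self.primary if self.primary_up else self.secondary
        if self.mode == "load-balancing":
            servers = (self.primary, self.secondary)
            chosen = servers[self._next % 2]   # simple round robin
            self._next += 1
            return chosen
        raise ValueError(f"unknown secondary-server mode {self.mode!r}")


def split_realm(user_id: str):
    """'jsmith@somewhere.com' -> ('jsmith', 'somewhere.com'); 'jdupond' -> ('jdupond', None)."""
    if "@" not in user_id:
        return user_id, None
    user, realm = user_id.rsplit("@", 1)
    return user, (realm.lower() or None)


def route(user_id: str, realms: dict):
    """Return (category, target): category is the named realm, 'NULL' or 'DEFAULT'."""
    _user, realm = split_realm(user_id)
    if realm is None:
        return "NULL", realms["NULL"]
    if realm in realms:
        return realm, realms[realm]
    return "DEFAULT", realms["DEFAULT"]    # realm present but not configured


def forward(user_id: str, realms: dict) -> dict:
    """Resolve the realm and, for a remote target, the server the request goes to."""
    category, target = route(user_id, realms)
    if target == LOCAL:
        return {"realm": category, "server": LOCAL, "profile": None}
    return {"realm": category, "server": target.pick_server(), "profile": target.default_profile}


def constructed_realms() -> dict:
    """Constructed table: the default NULL/DEFAULT -> LOCAL plus two remote realms."""
    return {
        "NULL": LOCAL,
        "DEFAULT": LOCAL,
        "somewhere.com": RemoteRadius(("192.0.2.10", 1812), b"CHANGE-ME", ("192.0.2.11", 1812),
                                      mode="load-balancing", default_profile="Partner"),
        "cloud.example": RemoteRadius(("198.51.100.5", 1812), b"CHANGE-ME", ("198.51.100.6", 1812),
                                      mode="fail-over"),
    }
```

Keeping DEFAULT pointed at LOCAL, as in the product’s default configuration, is the safe choice: a request for an unknown realm then fails locally instead of being forwarded to whichever remote server happens to be configured, and the default profile given to proxied users should be the least privileged one that still lets them work.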


5.2.5. Windows configuration

To register the UCOPIA controller on a Windows domain, click on the " Windows " item in the sub-menu
shown on the left-hand side of the window. The following page is displayed:

Figure 5.48. Configuring transparent Windows authentication

We remind you that this registration is needed if you wish to interface with an Active Directory server
using the 802.1x/PEAP authentication protocol (see the warning in Section 5.2.2).

You must fill the fields in the “Registration in a Windows domain” panel.

Example:

Figure 5.49. Example of registration in a Windows domain

If other Windows servers are to be declared, to provide redundancy for example, use the “Declaration
of mirror Windows servers” panel, specifying their IP addresses.

5.2.6. Shibboleth Configuration

Shibboleth is a mechanism for propagating identities, developed by the Internet2 consortium, which groups
a great number of universities and research centers. “Shibboleth” authentication allows identity information
to be shared among schools, universities, etc. This mechanism allows an institution to ask another
institution whether it knows a particular user, and what that user’s profile is.
A little vocabulary

IdP: Identity Provider

SP: Service Provider

DS: Discovery Service

Procedure 5.1. Flow Shibboleth authentication on the portal side

1. When a user wants to authenticate, he is redirected to a page listing all the universities of the community
(the DS). Once he has chosen his institution, he is redirected to the IdP of his institution.

In general, it is a page with a form asking for a login/password and the logo of the institution.
2. If authentication is successful, the user is redirected to the portal. The IdP provides the controller
with a set of attributes containing the affiliation (or role). This attribute will be used to try to associate
the user with a UCOPIA profile. The controller will try to assign the user the most elevated profile
possible, considering the different affiliations returned by the IdP and trying to match them, without
distinguishing between lower and upper case letters. For example, if the affiliation attribute returned is
affiliation: member;student;manager, and the controller provides the profiles Student
and Manager, the user will have the privileges of the Manager profile.

To configure Shibboleth authentication, click on the “Shibboleth” item in the sub-menu on the left-hand
side of the window.

Figure 5.50. Shibboleth configuration home page

Procedure 5.2. Adding a Shibboleth configuration

1. To add a new configuration, click the “Add” button.
2. Fill in the required fields, and provide the certificate files.


Figure 5.51. Creating a new Shibboleth configuration

• Active configuration: Sets the current configuration as the active configuration for use in
captive portals. Only one configuration can be active at a time. Therefore, enabling this con-
figuration will disable all others.
• Configuration name: The name, internal to the UCOPIA box, used to refer to this setting, notably
in the configuration of the portal.
• Federation: Sets the federation to which the controller belongs. In order to configure the controller
more easily, the meta data and the certificates of the RENATER federation are pre-filled. If you
choose another federation, you must provide its meta data URL and its certificate.
• Federation meta data: Sets the URL of the meta data for the federation. The controller checks
this URL every hour to see if other IdPs have been added. If so, filtering rules are added in order
to allow access to these IdPs before authentication. This URL is predefined for RENATER
federations.
• Discovery service: Allows you to define the URL of the Shibboleth Discovery Service (DS).
In the case of RENATER federations, default values are suggested. However, the service is
not guaranteed. Users are asked to specify their own Discovery Service.
• Federation certificate: This certificate is provided by the federation. It will be used to encrypt
messages which originate at the controller. This certificate is predefined for RENATER fed-
erations.
• Entity identifier: URL to uniquely identify the controller within the federation. The URL need
not point to a server. However, we recommend you use a URL with a domain name that be-
longs to you. This same URL will subsequently be specified in the field 'Entity ID' found in the
federation membership form. It takes one to three hours for IdPs to take your membership (or
your changes) into account. Example: https://www.mondomaine.com/controleur1.
• Service certificate (x.509): This certificate is used to encrypt all messages issued by IdPs
and sent to the controller. It must be filled in as part of the federation membership form. It will
be included in the meta data and distributed to all the IdPs of the federation. If you leave this
field empty, the controller will generate a self-signed certificate automatically.


• Service certificate private key: This private key must only be known by the controller. It will
be used to decrypt messages intended for it. If necessary, it may be protected by a password
(below).
• Service certificate private key password: (Optional) Password for the private key of the
service's certificate
• URL of the Shibboleth service: To be specified in the corresponding field in the federation
membership form
• URL of the service AssertionConsumerService SAML 1.0: To be specified in the corre-
sponding field in the federation membership form
• URL of the service AssertionConsumerService SAML 2.0: To be specified in the corre-
sponding field in the federation membership form
• Assigning profiles: Is used to determine the profile "mapping" between the Shibboleth en-
vironment and UCOPIA. Shibboleth uses the notion of affiliation and home institution. The
home institution is used to distinguish, for instance, between two students from different uni-
versities.

To define the rules for assigning profiles, click the Add rule button.

You will then need to select the home institution(s) as well as the affiliation types, and then
assign them a type of profile.

Figure 5.52. Example of rules for assigning Shibboleth profiles


3. Click on the Confirm button.
4. Register yourself as a new service provider (Service Provider: SP) on the RENATER network
[https://services-federation.renater.fr/gestion?federation=test], re-entering the information provid-
ed in the form in the previous step.
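As an added example (not part of the UCOPIA guide or product), the following code implements the profile assignment described in Procedure 5.1 and configured with the “Assigning profiles” rules above: the affiliation attribute is split on “;”, compared with the rules without regard to case, optionally restricted to given home institutions, and the most elevated of the matching profiles wins. The profile ranking PROFILE_RANK, the rule contents and the institution names are constructed for the example.

```python
"""Map Shibboleth affiliations and home institution to a UCOPIA profile.

Added example, not UCOPIA code. PROFILE_RANK (most elevated first), the rules
and the institution names are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumption: profiles ordered from most to least elevated.
PROFILE_RANK = ["Manager", "Employee", "Student", "Guest"]


@dataclass(frozen=True)
class Rule:
    affiliations: FrozenSet[str]                     # e.g. {"student"}
    profile: str
    institutions: Optional[FrozenSet[str]] = None    # None = any home institution


def parse_affiliations(value: str):
    """'member;student;manager' -> {'member', 'student', 'manager'} (lower-cased, trimmed)."""
    return {a.strip().lower() for a in value.split(";") if a.strip()}


def matching_profiles(home_institution: str, affiliation_value: str, rules):
    """Every profile whose rule applies to this institution and shares an affiliation."""
    affs = parse_affiliations(affiliation_value)
    inst = home_institution.strip().lower()
    found = set()
    for rule in rules:
        if rule.institutions is not None and inst not in {i.lower() for i in rule.institutions}:
            continue
        if affs & {a.lower() for a in rule.affiliations}:
            found.add(rule.profile)
    return found


def assign_profile(home_institution: str, affiliation_value: str, rules,
                   rank=PROFILE_RANK, fallback: Optional[str] = None) -> Optional[str]:
    """Most elevated matching profile, or fallback when no rule applies; unranked profiles sort last."""
    found = matching_profiles(home_institution, affiliation_value, rules)
    if not found:
        return fallback
    return min(found, key=lambda p: (rank.index(p) if p in rank else len(rank), p))


def constructed_rules():
    """Constructed rule table: two institution-independent rules and one restricted to univ-b."""
    return [
        Rule(frozenset({"student"}), "Student"),
        Rule(frozenset({"manager", "staff"}), "Manager"),
        Rule(frozenset({"member"}), "Guest", frozenset({"univ-b.example"})),
    ]
```

Because the most elevated match wins, review the rule table from the top profile downwards: an affiliation such as “member”, which nearly every IdP asserts, should only ever map to the least privileged profile, and rules that grant higher profiles should be restricted to the home institutions you actually trust to assert those affiliations.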


Figure 5.53. Registration on the RENATER network

5.3. Configuring “Zero configuration”

“Zero configuration” enables users on a network controlled by UCOPIA to access the resources autho-
rised by their profile with no prior configuration of the workstation or applications.

Click the “Zero configuration” item shown on the left-hand side of the window. The following sub-menu
is displayed with the options shown:

Figure 5.54. Items on the Zero configuration menu

5.3.1. Configuring the “fixed IP” mechanism

The “Fixed IP” mode enables the mechanism allowing a user to connect using any fixed IP address.
If the mechanism is disabled, the user must use DHCP to be able to connect. This mode is configurable
on each incoming VLAN.


To enable “Fixed IP” mode, click on the “Fixed IP address” item in the sub-menu on the left-hand side
of the window. The following page is displayed:

Figure 5.55. Configuring “Fixed IP” mode

Select the VLAN on which “Fixed IP” will be enabled (checkbox) and then click the “Enable” button.

The status is displayed in green when this mode is enabled, otherwise in red. By default, this mode is
not enabled on any VLAN.

5.3.2. Configuring the “Web” service

This mode will enable users to use their Web browsers, irrespective of their proxy configuration.

Click on the “Web” item in the sub-menu shown on the left-hand side of the window. The following page
is displayed:

Figure 5.56. Configuring the “Web” service

• The first panel is used to specify the proxy ports of the client Web browser that are controlled by the UCOPIA controller. A distinction is made between the ports controlled for redirection to the authentication portal (before authentication) and the ports controlled after authentication.

The ports must be separated by “;”. By default, ports 8080 and 3128 are used. If URL filtering is enabled, port 80 is automatically added to the ports handled after authentication. For URL filtering of HTTPS traffic, port 443 must be added.

Warning

The FTP (21) port is not handled by the controller’s “zero configuration” module.

• The second panel is used when HTTP user traffic is to be redirected to a web gateway. By default, no redirection is configured. To enable the redirection service to a Web proxy, check the “Enable redirection to a Web proxy for ports” box.

This redirection can be made either through a parent proxy or through the ICAP service.

Parent proxy

Check the “Parent proxy” box and complete the fields describing the Web proxy to be used: the IP address of the proxy and its listening port.

If the corporate proxy requires authentication, check the “Enable authentication to parent
proxy” box. Two options are then possible: authentication for a single account or authentica-
tion for each user account.

For a single account, the option must be selected and then the account identifiers must be
filled, that is the “Login” and “Password” fields.

For user accounts, it’s strongly recommended that you also enter the account identifiers that
will be used to authenticate the controller.

Note

Authentication by user account means that user-related data (login and password) can be sent to
the parent proxy. The proxy can then use this data to apply security policies per user or user profile
(URL filtering, for example).

Figure 5.57. Redirection configuration to parent proxy

ICAP Service

Check the “ICAP Server” box and supply the service URL.

This option allows the use of an external URL filtering tool via the ICAP protocol, a generic interface for communicating with Internet content filtering solutions.

Figure 5.58. Redirection configuration to the ICAP service.

• The last panel is used to automatically configure users' web browsers (web proxy clients) by means of the WPAD (Web Proxy AutoDiscovery) protocol. This is done by downloading a wpad.dat file onto the UCOPIA controller. In the event of an erroneous download, you can restore the previous file by using the Restore button.

Click on the “Confirm” button at each step.

5.3.3. Configuring the redirection service to an email server

If you would like users’ SMTP data traffic to be redirected to a corporate email server, then the email
server redirection service must be enabled. By default, no redirection is configured.

Click on the “Mailbox” item in the sub-menu shown on the left-hand side of the window. The following
page is displayed:

Figure 5.59. Configuring the redirection service to an email server

Check the “Enable” box. There are two methods, as shown in the following page:

Figure 5.60. Selecting SMTP redirection configuration modes

• Redirection Mode

Allows all SMTP traffic to be redirected to an email server. Select redirection mode by checking the “Redirect SMTP traffic to a mail server” box, and fill in the “IP address” field.

Example:

Figure 5.61. SMTP relay mode

Click the “Confirm” button.

• SMTP relay mode

Used to enable the UCOPIA SMTP relay to relay emails to an email account. To do so, select this
mode by selecting the "Use the controller SMTP relay" checkbox, and fill in the following fields:
– IP address or DNS: if an IP address is not supplied for the email server, a DNS name
can be specified;
– Account login: for example john.smith@ucopia.com ;
– Account password: the password for the account.
Example:

Figure 5.62. Example of configuring SMTP redirection

Click the “Confirm” button.

Warning

– the email server blocks messages where the sender’s email address is not identical to that for
the specified account;
– the email server conceals senders’ email addresses.

The “Test settings” button can be used to verify the parameter settings before confirming them.

5.3.4. Configuring the print server

UCOPIA Express includes a mechanism allowing users to print without having to install the relevant driver: the UCOPIA Express print server handles the printer driver transparently on the user's behalf. To activate this service, you must specify to UCOPIA Express which printers are available to users in transparent mode.

To configure printers, click on the “Printers” item in the sub-menu on the left-hand side of the window.
The following page is displayed:

Figure 5.63. Printer configuration

By default, no printer is configured.

5.3.4.1. Add a printer

Depending on the printer's configuration, the controller may detect it automatically when you click “Discovery network printers”. If it is not detected automatically, you must install it manually.
Procedure 5.3. Automatic discovery

1. Click on “Discovery network printers”


2. Follow the procedure below.
Procedure 5.4. Manual installation

1. Click “Add a printer”.


2. Choose the desired printer, if it's been automatically discovered, or else choose how the printer is
connected.

Figure 5.64. Choice of the protocol for a local or network printer

3. If it is a network printer, enter the address used to reach it.

Figure 5.65. Entering the address of the printer


4. Enter a description so that users can identify the printer.

Figure 5.66. Description of the printer

Share this printer

Check this box to share this printer on the network using Samba (SMB/CIFS).

5. Select the printer's manufacturer, or choose a PPD file directly if the printer manufacturer provided
you with one.

Figure 5.67. Printer manufacturer choice

6. Select the printer model

Figure 5.68. Printer model choice


7. Choose the default configuration options for this new printer.

Figure 5.69. Setting printer options

Note

These are the default print options; users can override them for each print job.

Once the printer has been added it will appear on the printer page.

Figure 5.70. Displaying a configured printer

5.3.4.2. Printers administration

To display more details about a printer, click on its name in the table.

Figure 5.71. Displaying detailed information for a printer

On this page, many actions are available to manage the printer:

• Maintenance: printer maintenance commands (test pages, cleaning, start/stop), and job management commands (reject, move, purge)
• Management
– Modify printer: relaunches the configuration wizard (Section 5.3.4.1, “Add a printer”).
– Delete printer: permanently removes the printer from the controller.
– Setting printer options: opens the interface used to define the default print options (Figure 5.69, “Setting printer options”).
– Set as default: this printer will be offered to users by default.
• Jobs: displays the list of jobs submitted to this printer; the buttons switch between active and finished jobs. The search field filters the list to the jobs whose names contain the search string.

5.4. Customization

Click the “Customization” item on the left-hand side of the window. The following sub-menu is displayed
with the options shown:

Figure 5.72. Items on the Customization menu

5.4.1. Customization of the UCOPIA portals

This section concerns customization of the captive portals used for user authentication, customization
of UCOPIA mobile applications, and customization of the delegation portals used for the creation of user
accounts.

It is possible to set up as many portals and mobile applications as desired. Once a portal (or an appli-
cation) is created, it can be associated with one or more zones.

Each portal (or application) can be customized in the way it operates and the way it looks.

Click on the “Portals” item in the sub-menu shown on the left-hand side of the window. The following
page is displayed:

Figure 5.73. Configuring the UCOPIA portals

By default, four active associations are pre-configured:

• On the “Default” input zone a captive portal, a delegation portal, and a mobile application are
defined.
• On the “Default” output zone a delegation portal is defined.

The portal configuration table offers three tabs used to display, respectively, the associations, the configurations, and the visual models.

1. Associations tab

Click on the “Associations” tab to display the associations table.

Figure 5.74. Associations table

The following columns are displayed in the associations table:


• Zone name: the name of the input or output zone to which the association applies.

• Configuration name: name of the configuration related to the association.

• Portal type: Captive portal or delegation portal.

• Visual model name: name of the visual model of the portal related to the association.

• Status: green means that the association is active, red means that the association is inactive.

• Actions: icons to modify or delete the association.

(icon): modify the configuration

(icon): delete the configuration


2. Configurations tab

Click on the “Configurations” tab to display the configurations table.

Figure 5.75. Configurations table

Default configurations are proposed: “default-portal” for the captive portal, “default-mobile-application”
for the mobile application, and “default-deleg” for the delegation portal.

The following columns are displayed in the configurations table:


• Configuration name: the name of the configuration, sorted by portal type.

• Formats: the different formats for which the portal is defined. Possible formats are: PC, Tablet,
Smartphone.
• Operation modes: the different portal operation modes. Possible modes are: Standard, Auto,
Free, SMS, Mail, PayPal, PMS and PPS.
• Hosted: green dot if the portal is hosted by the UCOPIA controller, gray dot otherwise.

• Zones: the number of zones to which the configuration applies.

• Models: the number of visual models to which the configuration applies.

• Actions: icons to modify or delete the configuration.

(icon): modify the configuration

(icon): delete the configuration


3. Visual models tab

Click on the “Visual Models” tab to display the visual models table.

Figure 5.76. Visual models table

There are two model categories, the factory-defined models, which are not directly modifiable, and
the models created by the administrator.

The factory-defined models are the following:


• welcome: a model with the UCOPIA design and colors.

• neutral: the same visual aspect as the welcome model, but using neutral colors, so that it can easily be adapted to the constraints of a graphic charter.
• classic: a basic portal for complete customization.

A default model is predefined; it can be used for the captive and delegation portals, it's named “default”
and is based on the factory-defined model “welcome”.

The following columns are displayed in the visual models table:


• Model name: the name of the visual model.

• Zones: the number of zones to which the visual model is applied.

• Configurations: the number of configurations to which the visual model applies.

• Edition: icons to preview the model or to launch a graphical model editor.

(icon): preview the model

(icon): model edition
• Actions: icons to export, modify, or delete the visual model.

(icon): export of the HTML code for advanced customization

(icon): modify the model

(icon): delete the model

5.4.1.1. Associations

A portal (or an application) is configured by creating an “association”. An association relates a zone, a portal operation mode (named “Configuration”) and a portal visual model (graphical aspect).

An association may be active or inactive.

5.4.1.1.1. Adding an association

To add a new association, click on the “Associations” tab in the portals table, then click on the “Add
an association” link. Use the link located near Input zones to create an association on an input zone.
Use the link located near Output zones to create an association to an output zone.

For example, the following page is displayed for a configuration of an association to an input zone.

Figure 5.77. Adding an association

You must choose the zone corresponding to the association, then the configuration (captive portal, delegation portal, mobile application or automatic connection portal), and finally the visual model.

Check the “Active” box to activate the association.

Figure 5.78. Association configuration

If you want to activate the association, and another active association exists on the same zone, a popup
asks you for confirmation on what to do. It’s possible to deactivate the existing association in favor of
the new one.

Figure 5.79. Activation/deactivation of an association

New associations appear in the associations table.

Figure 5.80. Added association

5.4.1.1.2. Modification

To modify an association, click on its corresponding modification icon.

For example, for an association providing an incoming zone and a captive portal, the following modification page is shown.

Figure 5.81. Modifying an association

It’s then possible to modify the configuration and the visual model. The association can be activated
or deactivated.

5.4.1.2. Configuring the captive portal

The following section describes how the different modes of registration and authentication function.

Table 5.1. Summary of registration modes

Mode (operation) | Configuration
Section 5.4.1.2.1.3, ““One-Click Button” registration” | Procedure 5.10, “Portal with “One-Click Button””
Section 5.4.1.2.1.6, “Registration by SMS” | Procedure 5.12, “Portal with SMS registration”
Section 5.4.1.2.1.5, “Registration with the printing of a ticket” | Procedure 5.14, “Portal with registration by ticket printing”
Section 5.4.1.2.1.4, “Open self-registration” | Procedure 5.11, “Portal with open registration”
Section 5.4.1.2.1.7, “Email registration” | Procedure 5.13, “Portal with email registration”
Section 5.4.1.2.1.8, “Registration with an online PayPal payment” | Procedure 5.15, “Portal with online payment by PayPal”
Section 5.4.1.2.1.9, “Registration with an online Ingenico payment” | Procedure 5.16, “Portal with online payment by Ingenico”

Table 5.2. Summary of authentication methods

Mode (operation) | Configuration
Section 5.4.1.2.1.1, “Authentication using credentials” | Procedure 5.5, “Using credentials”
Section 5.4.1.2.1.12, “Shibboleth authentication” | Procedure 5.6, “Shibboleth”
Section 5.4.1.2.1.10, “Authentication via a billing software (PMS)” | Procedure 5.7, “PMS”
Section 5.4.1.2.1.11, “Authentication using prepaid cards (PPS)” | Procedure 5.8, “PPS”
Section 5.4.1.2.1.13, “Authentication by social networks” | Procedure 5.9, “Social networks (Facebook / LinkedIn / Google / Twitter / OpenID Connect)”

5.4.1.2.1. Operation of the captive portal according to different methods

5.4.1.2.1.1. Authentication using credentials

The user is authenticated with a login/password pair. His account must have been created beforehand. This is the default mode.

5.4.1.2.1.2. Authentication with automatic connection

With this method, the user is redirected to the page specified in the “Automatic redirection URL” field.
Once the redirection is performed the user is authenticated.

Note

If the “Automatic redirection URL” field is left blank, the user is redirected to the web page he requested
originally.

Warning

This method creates a generic profile and user which are used to authenticate all users.

5.4.1.2.1.3. “One-Click Button” registration

The user gets simplified, single-click access; his activity is nonetheless tracked by identifying his equipment. Optionally, the user may also be asked to fill in personal information or to accept a charter.

Figure 5.82. Captive portal with “One-Click Button”

A single button appears, unless you have requested that mandatory fields be filled (see Figure 5.125,
“Input fields when registering”).

5.4.1.2.1.4. Open self-registration

Users register themselves on the UCOPIA captive portal by clicking on the “Receive your credentials
on this portal” button (see the screenshot below).

Figure 5.83. “welcome” captive portal with free registration

The user fills the “Login”, “Password”, “Name” and “First Name” fields (see the screenshot below). The user can then be authenticated in a standard way on the portal with his credentials. The user account is created automatically in the UCOPIA directory. The user profile will be the one specified during configuration of the mode.

Figure 5.84. Free self-registration of a user on the captive portal

5.4.1.2.1.5. Registration with the printing of a ticket

This mode lets a user self-register; a ticket carrying his connection identifiers is then issued to him.

Figure 5.85. Captive portal with self-registration and ticket printing

The user chooses either a password or a login; the complementary credential (login or password, respectively) is assigned automatically. This mode forces the user to pass through a checkpoint (homepage or other) to retrieve his full identifiers.

Figure 5.86. Registration by ticket printing

5.4.1.2.1.6. Registration by SMS

Users register themselves on the UCOPIA captive portal by clicking on the “SMS” button (see the screenshot below).

Figure 5.87. “welcome” captive portal with SMS registration

The user fills the “Name”, “First Name” and “Telephone number” fields (see the screenshot below).
The password is sent by SMS over to the user’s mobile phone. The user can then be authenticated
in a standard way on the portal, his login will be his telephone number. The user account is created
automatically in the UCOPIA directory. The user profile will be the one specified during configuration
of the mode.

Figure 5.88. Self-registration of a user by SMS on the captive portal

Warning

This mode assumes the user has access to an SMS provider. Contact UCOPIA Communications for
more information.

5.4.1.2.1.7. Email registration

Users register themselves on the UCOPIA captive portal by clicking on the email button (see the screen-
shot below).

Figure 5.89. Captive portal with email registration

The user fills the “Name”, “First Name” and “Email address” fields (see the screenshot below). Credentials are sent by email to the specified address, and the user has a limited time to check his inbox and retrieve the credentials. The user can then be authenticated in a standard way on the portal. The user account is created automatically in the UCOPIA directory. The user profile will be the one specified during configuration of the mode. The time limit for users to retrieve their credentials from their inboxes is configurable, as well as the open protocols to read the message.

Figure 5.90. Self-registration of a user by email on the captive portal

5.4.1.2.1.8. Registration with an online PayPal payment

Users register themselves on the UCOPIA captive portal by making an online payment. This online
payment is associated with the purchase of a package to choose on the portal.

To register, users click on the Online Payment button in the portal (see the screenshot below).

Figure 5.91. Captive portal with online payment via PayPal

The user fills the “Login”, “Password”, “Name” and “First Name” fields (see the screenshot below).

Once the package is chosen, the user is redirected to the PayPal site on which he can pay for his
package, either by using his PayPal account, or by using his credit card. If the transaction is carried out
successfully, the user can connect on the portal using the credentials he has chosen.

If the controller configuration allows it, credentials can be sent to the user by SMS.

Figure 5.92. Registering after paying online via PayPal

Figure 5.93. Choosing a package before paying online with PayPal

Note

In order to ensure traceability of the connection, personal information about the user (Name, Last
Name) is always retrieved from PayPal and stored in the UCOPIA logs.

5.4.1.2.1.9. Registration with an online Ingenico payment

Users register themselves on the UCOPIA captive portal by making an online payment. This online
payment is associated with the purchase of a package to choose on the portal.

To register, users click on the Online Payment button in the portal (see the screenshot below).

Figure 5.94. Captive portal with online payment via Ingenico

The user fills the “Login”, “Password”, “Name” and “First Name” fields (see the screenshot below).

Once the package is chosen, the user is redirected to the Ingenico site on which he can pay for his
package, either by using his Ingenico account, or by using his credit card. If the transaction is carried
out successfully, the user can connect on the portal using the credentials he has chosen.

If the controller configuration allows it, credentials can be sent to the user by SMS.

Figure 5.95. Registering after paying online via Ingenico

Figure 5.96. Choosing a package before paying online with Ingenico

Note

In order to ensure traceability of the connection, personal information about the user (Name, Last
Name) is always retrieved from Ingenico and stored in the UCOPIA logs.

Before configuring this portal you must create an Ingenico account and configure UCOPIA with the information about this account. To do so, go to the “External services” menu, “Ingenico” (see Section 5.7.5, “Ingenico service configuration” for more information).

The Ingenico portal works like that of a package. Packages are defined by the UCOPIA administrator. They can be packages of 1hr, 3hr, “email” packages, “Every working day from 4 PM to 6 PM” packages, etc. Users must choose the package they desire on the captive portal before paying (see the UCOPIA Express Administration Guide, section “Package administration”).

5.4.1.2.1.10. Authentication via a billing software (PMS)

The UCOPIA/PMS (Property Management System) coupling works like a package. Packages are de-
fined by the UCOPIA administrator. They can be packages of 1hr, 3hr, “email” packages, “Every working
day from 4 PM to 6 PM” packages, etc. Users must choose the package they desire on the UCOPIA
portal before authentication.

The following screenshots show an example of captive portal with the choice of two packages, as well
as the feedback displayed once the choice has been made.

Figure 5.97. Example of captive portal using packages (PMS)

Figure 5.98. Example of user feedback after choosing a package

5.4.1.2.1.11. Authentication using prepaid cards (PPS)

The UCOPIA/PPS (Pre-Paid System) coupling works with pre-paid cards. Each card is associated with a connection time. The user authenticates on the portal with the identifier of his card and a captcha code. The time granted by the card and the time consumed are displayed on the portal after authentication.

The following screenshot shows an example of a UCOPIA PPS portal.

Figure 5.99. Captive portal using a PPS

5.4.1.2.1.12. Shibboleth authentication

This mode allows for authentication of users referred by a third-party identity provider.

Figure 5.100. Captive portal with Shibboleth authentication

The user indicates his institution of origin and his identifiers, then he's authenticated by the third-party
service.

Figure 5.101. Example of user feedback after authentication

5.4.1.2.1.13. Authentication by social networks

Users register themselves on the UCOPIA captive portal by clicking on one of the buttons representing the following social networks: “Facebook”, “Google”, “LinkedIn”, or “Twitter”.

Figure 5.102. “welcome” captive portal with authentication by social networks

5.4.1.2.2. Adding a captive portal configuration

To add a new configuration, click on the “Configurations” tab in the portals table, then click on the “Add
a configuration” link. Use the link located on the "Captive portal" line.

Figure 5.103. Adding a captive portal configuration

First, you must name the configuration by filling in the “Configuration settings” field.

You can optionally enhance portal security by adding a password that must be entered to unlock the portal before it can be used (“Security password” field). This function can be used together with the user self-registration operating modes (see the Free, SMS or Mail modes below) to prevent unauthorized people from registering on the portal and obtaining connection identifiers (logins).

Note
The portal security password will be the same for all portal users.

To configure the portal, proceed as follows.

5.4.1.2.2.1. Portal hosting

You must specify if it’s a portal hosted by the UCOPIA box, or an external portal hosted by another
server (for example, a corporate portal).

• Portal hosted by the controller: the portal is hosted by the UCOPIA controller, and its operation mode must be specified (see Section 5.4.1.2.1, “Operation of the captive portal according to different methods”).

It’s also possible to redirect the user to an external UCOPIA portal before he returns to the portal
hosted by UCOPIA. This feature can be useful to ask the user for particular information, etc. To
activate this mode check the Redirection to an external portal before the controller portal box,
and fill the external portal URL. This mode is compatible with the different operation modes of
the UCOPIA portal.

Figure 5.104. Example of a hosted portal configuration (with redirection)

Warning

The URL defining the access path to the external portal must be a publicly accessible URL, that does
not require authentication (see Section 5.4.5, “Configuring open-access URLs”).

On the external portal, you must create a hypertext link and use the following PHP code to be able to return to the UCOPIA portal. The value comes from the request, so the attribute is quoted and the value HTML-escaped (an unquoted, unescaped href would let a crafted value break out of the attribute).

To return to the UCOPIA portal:

<a href="<?= htmlspecialchars($_GET['redirect'], ENT_QUOTES, 'UTF-8') ?>">Cliquez ici pour vous authentifier</a>

To return to the registration page of the UCOPIA portal (SMS, Mail or PayPal modes), assuming the registration URL is passed as the “redirectsub” request parameter in the same way as “redirect”:

<a href="<?= htmlspecialchars($_GET['redirectsub'], ENT_QUOTES, 'UTF-8') ?>">Cliquez ici pour vous inscrire</a>

• External portal: in this case, the UCOPIA portal is disabled and only an external portal is used. The user is automatically redirected to the portal whose address is indicated in the “Redirection URL” field.

Warning

The URL defining the access path to the external portal must be a publicly accessible URL, that does
not require authentication (see Section 5.4.5, “Configuring open-access URLs”).

Figure 5.105. Example of an external portal configuration

Warning

If you use only an external portal, it’s required that this portal supports the UCOPIA authentication
functions. To do so, UCOPIA provides an API that allows you to perform authentication functions for
all operation modes (Standard, SMS, Mail, etc.).

Note

In the case of a local controller in an Out-Of-Band architecture (see the Advanced Installation Manual, section 5.8, and Section 5.6, “Configuration in Out-Of-Band architecture”), the portal must be configured with a redirection URL to an external portal (that of the Central controller). The URL must have the following syntax: https://<DNS of controller in the cloud>/zone/<name of the zone in the cloud>.

The “Associate portal authentication with RADIUS” option must be enabled.
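A defensive check for the “redirect” value that the external-portal link above echoes back to the browser, added here as an example that is neither UCOPIA code nor portal code. It is written in Python so that it can be ported to whatever server hosts the external portal; the controller host name is a constructed placeholder.

```python
"""Validation of the 'redirect' value an external portal echoes back.

Added example, not UCOPIA or portal code. The guide shows the external
portal turning the 'redirect' query parameter into a link back to the
controller; a portal that echoes that value unchecked can be made to send
users to any site. This check keeps only absolute https URLs on the
controller's own host. CONTROLLER_HOST is a constructed placeholder.
"""
from urllib.parse import urlsplit, urlunsplit

CONTROLLER_HOST = "ucopia.example.net"  # placeholder: the controller's portal DNS name


def safe_return_url(candidate, controller_host=CONTROLLER_HOST):
    """Return a normalised URL pointing at the controller portal, or None.

    Rejected: non-string or newline-containing values, schemes other than
    https (including scheme-relative "//host" forms), embedded credentials
    ("user@host" tricks), any host other than the controller, malformed or
    non-standard ports.
    """
    if not isinstance(candidate, str) or any(c in candidate for c in "\r\n"):
        return None
    try:
        parts = urlsplit(candidate.strip())
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() != "https":
        return None
    if parts.username or parts.password:
        return None
    if (parts.hostname or "").lower() != controller_host.lower():
        return None
    if port not in (None, 443):
        return None
    # Rebuild from the validated pieces: path and query survive, userinfo
    # and fragment do not, and the host comes from the allow-list.
    return urlunsplit(("https", controller_host.lower(),
                       parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for url in ("https://ucopia.example.net/zone/Default?x=1",
                "http://ucopia.example.net/",
                "https://ucopia.example.net@attacker.example/",
                "//ucopia.example.net/"):
        print(f"{url!r:50} -> {safe_return_url(url)}")
```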

5.4.1.2.2.2. Portal format choice

The portal format lets you define a portal adapted to the user’s hardware. The following format types
are available:

• Laptop (PC): PC-type hardware will use this portal.

• Tablet: tablet-type hardware will use this portal. A suitable graphical environment must be de-
fined when customizing the portal (see Section 5.4.1.2.1.11, “Authentication using prepaid cards
(PPS)”).
• Smartphone: PDA-type and smartphone-type hardware will use this portal. A suitable graphical
environment must be defined when customizing the portal (see Section 5.4.1.6.1, “Graphical cus-
tomization and creation of visual models”).
• Degraded: the hardware cannot be recognized, so a minimal portal is proposed.

The UCOPIA controller automatically recognizes the hardware type, and applies the corresponding por-
tal.

5.4.1.2.2.3. Authentication

Click on the button to select one or more authentication methods.

Figure 5.106. Selecting authentication methods

Click on the desired authentication items for this portal and then close the window. The portal's configuration screen is then displayed as follows:

Figure 5.107. Example of configuration of various types of authentication for the captive portal

Note

Certain modes can be used together. For example, it’s possible to define a portal operating with
registration by SMS, or with registration by Mail.

Procedure 5.5. Using credentials

The user is authenticated with a login/password pair. The account must have been created beforehand.

1. Select the "Using credentials" mode

Figure 5.108. Example of the captive portal configuration with authentication using credentials
2. Couple the portal authentication with RADIUS: a RADIUS server is usually employed when an authentication architecture is based on the 802.1x protocol. With UCOPIA you can use RADIUS coupled with web portal authentication. This type of coupling combines, on the one hand, the simplicity of authentication via a portal (no prerequisite on the user workstation) and, on the other hand, the power of RADIUS, in particular its proxy mechanisms.

To implement this type of coupling, you need only to check the box.

Procedure 5.6. Shibboleth

This method allows for the delegation of the user authentication to identity providers of a community
of institutions.

Warning

This method assumes that the administrator has configured Shibboleth authentication beforehand, see Section 5.2.6, “Shibboleth Configuration”.

To configure this method:

1. Select the "Shibboleth" method


2. Check that the desired configuration is activated.

Figure 5.109. Example of the captive portal configuration with Shibboleth authentication

Procedure 5.7. PMS

This method is used in the case of interaction with a billing system (PMS).

To configure this method:

1. Select the "Billing software (PMS)" method


2. Select the package(s) that will be available to the user on the portal.


Figure 5.110. Example configuration of a captive portal using PMS software

Warning

This method assumes that the administrator has defined packages beforehand (see the "Administration
manual UCOPIA Express", section “Package administration”).

Warning

This method assumes that the administrator has configured the connection with the PMS billing soft-
ware beforehand, see Section 5.7.6, “Configuring the PMS service”.

3. Check the "Authorize users to modify their packages" box if you would like to allow users who
have chosen a package on the UCOPIA portal to exchange it for another.

Procedure 5.8. PPS

This method is used in the case of interaction with a pre-paid card system.

To configure this method:

1. Select the "Pre-paid card system (PPS)" method


2. Define the profile associated to all users of the PPS method.

Figure 5.111. Configuration of the captive portal using pre-paid cards (PPS)

Warning

This method assumes that the administrator has configured the connection with the PPS pre-paid card
billing software beforehand, see Section 5.7.7, “Configuring the PPS service”.

Procedure 5.9. Social networks (Facebook / LinkedIn / Google / Twitter / OpenID Connect)

To configure authentication via social networks, the steps are the same:

1. Select the “Facebook”, “LinkedIn”, “Google”, “Twitter” and/or “OpenID Connect” mode
2. Select the profile associated with the user.
3. Select one of the applications proposed.

Figure 5.112. Example of the captive portal configuration with authentication via social networks


Warning

This method assumes that the administrator has configured the authentication via social networks
beforehand, see Section 5.7.9, “Configuring social networks”.

Facebook

It is possible to post Likes on a web page: enter the URL of the page, then select the Like policy,
Mandatory (a Like must be posted to connect) or Optional (the user's choice is stored in the user
logs in an additional, configurable field).

Twitter

It is possible to follow a Twitter account: enter the name of the account to be followed, then select
one of the subscription policies, Mandatory (the user must be a follower to connect) or Optional (the
user's choice is stored in the user logs in an additional, configurable field).

Note

The following information concerning the user is retrieved:

              Mail   Last name   First name   Gender   Date of birth   Language
  Facebook    Yes    Yes         Yes          Yes      Yes             Yes
  Google+     Yes    Yes         Yes          Yes      Yes             Yes
  Twitter     No     Yes         Yes          No       No              Yes
  LinkedIn    Yes    Yes         Yes          No       No              No

All this information is stored in user session logs and in the user directory.

5.4.1.2.2.3.1. Authentication options

Figure 5.113. Authentication options

• Display an information portal when the user equipment is recognized (MAC address)

When hardware discovery is enabled for a connection, an information page is always displayed to
the user before the actual connection.
• Define a service usage policy:

Where a charter must be accepted by the user, it is possible to add a checkbox on the portal that
must be ticked before the user can authenticate (see Section 5.4.2, “Certificate configuration”).
• Redirect users once connected

In standard mode, once the user is authenticated, a “Click here to reach the requested page”
link is displayed in the captive portal. This option allows you to force the redirection to another
page specified in the “Redirection URL” field.

If you check the box “Redirect after a time delay”, you can then specify a redirection period
between 0 and 60 seconds. To do this, drag the timer with the mouse.
• Quarantine the equipment of a user who has entered the wrong password several times:

This suspends the equipment of a user who has entered the wrong password several times by
preventing it from connecting for a limited time. Supply the maximum number of erroneous attempts
allowed before the equipment is placed in quarantine.
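The quarantine option above is a per-device lockout against password guessing. The following Python is an added example written for this guide, not UCOPIA code, and it shows one way such a lockout behaves. It assumes things the page does not state: the device is keyed by its MAC address (the page only says the equipment is "recognized (MAC address)"), the quarantine lasts a fixed number of seconds, and attempts made while quarantined are rejected without being counted or extending the quarantine.

```python
# Added example (not UCOPIA code): per-device lockout after repeated wrong passwords.
# Assumptions not stated on the page: the device is keyed by its MAC address, the
# quarantine lasts a fixed number of seconds, and attempts made while quarantined are
# rejected without being counted or extending the quarantine.
import re
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


def normalise_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 'AA-BB-CC-DD-EE-FF' and 'aabbccddeeff'
    are counted as the same device."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class _DeviceState:
    failures: int = 0               # wrong passwords since the last reset
    quarantined_until: float = 0.0  # epoch seconds; 0.0 means never quarantined


@dataclass
class PasswordQuarantine:
    max_attempts: int            # the "maximum number of erroneous tries" portal setting
    quarantine_seconds: float    # assumed fixed quarantine duration
    _devices: Dict[str, _DeviceState] = field(default_factory=dict, repr=False)

    def is_quarantined(self, mac: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        state = self._devices.get(normalise_mac(mac))
        return state is not None and state.quarantined_until > now

    def record_failure(self, mac: str, now: Optional[float] = None) -> bool:
        """Register a wrong password. Returns True if the device is now quarantined."""
        now = time.time() if now is None else now
        state = self._devices.setdefault(normalise_mac(mac), _DeviceState())
        if state.quarantined_until > now:
            return True                      # still quarantined: reject, do not count
        if state.quarantined_until:
            state.failures = 0               # previous quarantine expired: start afresh
            state.quarantined_until = 0.0
        state.failures += 1
        if state.failures >= self.max_attempts:
            state.quarantined_until = now + self.quarantine_seconds
            state.failures = 0
            return True
        return False

    def record_success(self, mac: str) -> None:
        """A correct password clears the device's failure count."""
        self._devices.pop(normalise_mac(mac), None)


if __name__ == "__main__":
    q = PasswordQuarantine(max_attempts=3, quarantine_seconds=600)
    for attempt in range(3):
        print("quarantined after attempt", attempt + 1, "->",
              q.record_failure("AA:BB:CC:DD:EE:01", now=1000 + attempt))
```

The clock is passed in explicitly so the behaviour can be checked without waiting; in a real portal `now` would simply default to the current time. Normalising the MAC address matters because the same device may be reported with different separators or letter case by different access points, and a lockout that treats those as different devices is trivially bypassed.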

5.4.1.2.2.4. Registration

Click the button to select one or more registration methods.


Figure 5.114. Selecting registration methods

Click on the desired registration items for this portal and then close the window. The portal's configuration
screen is then displayed as follows:


Figure 5.115. Example of configuration of various types of registration for the captive portal


Option

Figure 5.116. Options for gathering user information.

Several options may be selected in order to gather more information from the end user, for example
date of birth, gender, language and interests. These fields appear on the captive portal as a
calendar, a radio button and two drop-down lists respectively.

This information will be stored in both the user session logs and the user directory.

Procedure 5.10. Portal with “One-Click Button”

Simple registration with a single click, on a single profile shared by all users.

To configure this mode, select “One-Click Button”, then:

1. Choose the profile the user will obtain in this mode from the available profiles.
2. Check the Associate a unique user account per device box to avoid creating a new random
account each time the same device connects.

Figure 5.117. Example of the captive portal configuration with One-Click registration

Procedure 5.11. Portal with open registration

The user self-registers on the portal and receives their credentials directly on the portal.

To configure this method, select “Open”, then:

1. Choose the profile the user will obtain in this mode from the available profiles.
2. Check the Associate a unique user account per device box to avoid creating a new random
account each time the same device connects. Leave the box unchecked if you need to monitor the
user's consumption, for example.

Figure 5.118. Example of the captive portal configuration with free registration


Tip

The difference from the “One-Click Button” portal is that open registration requires the user to fill
in their connection identifiers.

Procedure 5.12. Portal with SMS registration

The user self-registers on the UCOPIA portal and receives his or her password by SMS.

Before configuring this portal you must create an account associated with one of the SMS platforms
offered by the UCOPIA controller. To do so, open the "External services" menu, item "SMS" (see
Section 5.7.1, “Configuring the SMS service” for more information).

Once the account is created, select the “SMS” method, then:

1. Choose the profile the user will obtain in this mode from the available profiles.
2. Select the account associated to a platform to send SMS from those offered.

Figure 5.119. Example of the captive portal configuration with registration by SMS

Procedure 5.13. Portal with email registration

The user self-registers on the UCOPIA portal and receives his or her credentials by email.

Before configuring this portal you must configure the email server through which the UCOPIA
controller sends the credentials. To do so, open the "External services" menu, item "Email" (see
Section 5.7.2, “Configuring the email server” for more information).

Once the email server is configured, select the “Email” method, then:

1. Choose the profile the user will obtain in this mode from the available profiles.
2. Choose the profile with which the user will be temporarily connected while retrieving the credentials.
3. Configure the temporary opening of the network access.

The network must remain open long enough to allow users to check their email and obtain their
credentials.

The user is connected with the temporary profile during this period. Its connection time is configured
with the advanced « Force user disconnection » option of that profile.
4. Optionally, associate a profile according to the email domain of the user who registers on the portal.
Click on the Add button, then enter a domain in the Access policy field; select Customise, then
the desired profile. It is also possible to prohibit certain domains during registration: in this case
select the Block policy for those domains, and the Authorise policy for the others.


Figure 5.120. Example of the captive portal configuration with registration by Email
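Step 4 of the email registration procedure describes a per-domain access policy with three outcomes (Customise, Block, Authorise). The following Python is an added example written for this guide, not UCOPIA code, and it models those semantics so the combinations can be reasoned about before they are entered in the portal. It assumes details the page does not give: domains are compared exactly and case-insensitively, the first matching rule wins, a domain with no rule receives the portal's default profile unless `default_allow` is set to False, and an address that does not contain exactly one "@" is rejected. The rule table and profile names are constructed for the example.

```python
# Added example (not UCOPIA code): profile assignment by e-mail domain at registration,
# after the Customise / Block / Authorise policies of the e-mail registration procedure.
# Assumptions: exact, case-insensitive domain match; first matching rule wins; a domain
# without a rule gets the default profile unless default_allow is False.
from dataclasses import dataclass
from typing import Optional, Sequence

CUSTOMISE, BLOCK, AUTHORISE = "Customise", "Block", "Authorise"


@dataclass(frozen=True)
class DomainRule:
    domain: str                     # the domain entered in the "Access policy" field
    policy: str                     # Customise, Block or Authorise
    profile: Optional[str] = None   # only meaningful for Customise

    def __post_init__(self) -> None:
        if self.policy not in (CUSTOMISE, BLOCK, AUTHORISE):
            raise ValueError(f"unknown policy {self.policy!r}")
        if self.policy == CUSTOMISE and not self.profile:
            raise ValueError("Customise requires a profile")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    profile: Optional[str]          # profile to assign; None when registration is blocked
    reason: str


def email_domain(address: str) -> str:
    """Return the lower-cased domain part, rejecting malformed addresses."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"invalid e-mail address: {address!r}")
    return domain.lower().rstrip(".")


def decide_registration(address: str, rules: Sequence[DomainRule],
                        default_profile: str, default_allow: bool = True) -> Decision:
    """Return the profile a self-registering user obtains, or a block decision."""
    domain = email_domain(address)
    for rule in rules:                          # first matching rule wins (assumption)
        if rule.domain.lower() == domain:
            if rule.policy == BLOCK:
                return Decision(False, None, f"{domain} is blocked")
            if rule.policy == CUSTOMISE:
                return Decision(True, rule.profile, f"{domain} -> {rule.profile}")
            return Decision(True, default_profile, f"{domain} authorised")
    if default_allow:
        return Decision(True, default_profile, "no rule, default profile")
    return Decision(False, None, "no rule and default_allow is False")


# Constructed sample rule table and profile names (not from the page).
SAMPLE_RULES = [
    DomainRule("example.edu", CUSTOMISE, profile="Students"),
    DomainRule("partner.example", AUTHORISE),
    DomainRule("mailinator.example", BLOCK),
]

if __name__ == "__main__":
    for addr in ("Alice@Example.EDU", "bob@partner.example", "x@mailinator.example"):
        print(addr, "->", decide_registration(addr, SAMPLE_RULES, "Guests"))
```

The `default_allow` switch makes the difference between the two configurations the page describes explicit: blocking a few domains while authorising everything else, or accepting only the domains that have a rule.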

Procedure 5.14. Portal with registration by ticket printing

The user self-registers on the portal and prints a ticket with their connection credentials.

To configure this method, select “Ticket printing”, then:

1. Choose the profile the user will obtain in this mode from the available profiles.
2. Choose the printer for printing the tickets and also the printing format.

Figure 5.121. Example of the captive portal configuration with ticket printing

Note
For this portal, you must choose at least one auto-generation option (login or password). See
Section 5.4.1.2.2.4.1, “Registration options”.

Procedure 5.15. Portal with online payment by PayPal

The user can buy connection time or time credit by paying online via PayPal.

Before configuring this portal you must create a PayPal account and configure UCOPIA with the
information about this account. To do so, go to the “External services” menu, “PayPal” (see
Section 5.7.4, “PayPal service configuration” for more information).

The PayPal portal works like a package portal. Packages are defined by the UCOPIA administrator.
They can be packages of 1 hr, 3 hr, “email” packages, “Every working day from 4 PM to 6 PM” packages,
etc. Users must choose the package they want on the captive portal before paying (see the
“Administration Guide UCOPIA Express”, section “Package administration”).

Select the “PayPal” method, then:

1. Select the PayPal account associated with the payment.
2. Select the Provisioning mode: by packages or by refill options.
3. Select an available package.
4. Check the box Use a temporary connection to access the payment site, then select the profile
with which the user will be temporarily connected to complete the payment.
5. Choose whether the user credentials are to be sent by SMS. Possible options are “Never” or “On user
request”.


6. Select the SMS sending account. You must first interface the UCOPIA controller with an SMS plat-
form (see Section 5.7.1, “Configuring the SMS service”).

Figure 5.122. Example of captive portal configuration with online payment via PayPal

Warning

This method assumes that the administrator has defined packages or refill options beforehand (see
the "Administration manual UCOPIA Express", “Package administration” or "Refill options admin-
istration" Section).

Warning

This method assumes that the administrator of the UCOPIA solution (or their representative) has
created a PayPal account beforehand. This account must have the “Premier” or “Business” status.

Warning

The temporary profiles must be configured with a limited connection time (advanced options of the
profile).

Note

The temporary profile makes it possible to handle "3D Secure" mechanisms by giving access to the
Internet, and therefore to the sites in charge of these mechanisms, before payment.

Procedure 5.16. Portal with online payment by Ingenico

The user can buy connection time or time credit by paying online via Ingenico.

Before configuring this portal you must create an Ingenico account and configure UCOPIA with the
information about this account. To do so, go to the “External services” menu, “Ingenico” (see
Section 5.7.5, “Ingenico service configuration” for more information).

The Ingenico portal works like a package portal. Packages are defined by the UCOPIA administrator.
They can be packages of 1 hr, 3 hr, “email” packages, “Every working day from 4 PM to 6 PM” packages,
etc. Users must choose the package they want on the captive portal before paying (see the
“Administration Guide UCOPIA Express”, section “Package administration”).

Select the “Ingenico” method, then:


1. Select the associated Ingenico account.


2. Select the Provisioning mode: by packages or by refill options.
3. Select an available package.
4. Check the box Use a temporary connection to access the payment site, then select the profile
with which the user will be temporarily connected to complete the payment.
5. Select the SMS sending account. You must first interface the UCOPIA controller with an SMS plat-
form (see Section 5.7.1, “Configuring the SMS service”).
6. Check the “Enable user to get their purchase summary” box so that users can receive a receipt
such as:

Figure 5.123. Example of Ingenico purchase summary


7. Check the box “Enable user to extend their accounts” to enable the user of the portal to get
multiple connections associated with their package.

Figure 5.124. Example of captive portal configuration with online payment via Ingenico

Warning

This method assumes that the administrator has defined packages or refill options beforehand (see
the "Administration manual UCOPIA Express", “Package administration” or "Refill options
administration" section).


Warning
This method assumes that the administrator of the UCOPIA solution (or their representative) has
created an Ingenico account beforehand.

Warning
The temporary profiles must be configured with a limited connection time (advanced options of the
profile).

Note
The temporary profile makes it possible to handle "3D Secure" mechanisms by giving access to the
Internet, and therefore to the sites in charge of these mechanisms, before payment.

5.4.1.2.2.4.1. Registration options

• Input fields

Figure 5.125. Input fields when registering

This table is used to define the fields that the user may (“Allow data entry”) or must (“Mandatory
filling”) fill in when performing an open self-registration, or a registration via SMS or email.

For the “Login” and “Password” fields:


– If only the “Allow data entry” box is checked, the user is allowed to enter their own login
and password.
– If nothing is checked, the login and password are generated automatically.
– If the “Mandatory filling” box is checked, the user must enter the login and password
themselves; they are never generated automatically.

Caution
The “Login” and “Password” fields are not compatible with the SMS and Email methods: the user's
phone number or email address is systematically requested and used as the identifier.

The “Telephone” field is not compatible with the SMS mode.

The “Email address” field is not compatible with the Email mode.
• Define a charter governing the usage of personal information

This option displays a charter to be accepted (check box) when the user is requested to provide
personal information.
• Generating a unique key per equipment (Ruckus DPSK)

This option generates a key for Ruckus DPSK authentication for the connecting device, whatever
that device is. It does not apply to the 'One Click Button', PMS, PPS or Shibboleth portals.
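The “Input fields” option above combines three states per field (neither box, “Allow data entry” only, “Mandatory filling”) with the caution that the SMS and Email methods use the phone number or email address as the identifier. The following Python is an added example written for this guide, not UCOPIA code; it implements that decision table so the resulting credentials for each combination are visible. It assumes, beyond what the page says, that a field the user is allowed but not required to fill and leaves empty falls back to automatic generation, that generated logins are 8 lower-case alphanumerics and generated passwords 12 characters from a URL-safe alphabet, and that for the SMS and Email methods the password is always generated.

```python
# Added example (not UCOPIA code): login/password provisioning from the "Input fields"
# table (Allow data entry / Mandatory filling / neither) plus the SMS and Email cautions.
# Assumptions: an allowed-but-empty field falls back to generation; generated logins are
# 8 lower-case alphanumerics, generated passwords 12 URL-safe characters; SMS and Email
# registrations use the phone number or address as login and always generate the password.
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ALLOW, MANDATORY, AUTO = "allow", "mandatory", "auto"   # the three states of a field row
_LOGIN_ALPHABET = string.ascii_lowercase + string.digits
_PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_"


@dataclass(frozen=True)
class FieldSettings:
    login: str = AUTO        # ALLOW ("Allow data entry"), MANDATORY ("Mandatory filling") or AUTO
    password: str = AUTO


def generate_login(length: int = 8) -> str:
    return "".join(secrets.choice(_LOGIN_ALPHABET) for _ in range(length))


def generate_password(length: int = 12) -> str:
    return "".join(secrets.choice(_PASSWORD_ALPHABET) for _ in range(length))


def _resolve_field(name: str, setting: str, supplied: Optional[str],
                   generator: Callable[[], str]) -> str:
    """Apply one row of the input-fields table to what the user typed."""
    supplied = (supplied or "").strip()
    if setting == MANDATORY:
        if not supplied:
            raise ValueError(f"{name} is mandatory and was not entered")
        return supplied
    if setting not in (ALLOW, AUTO):
        raise ValueError(f"unknown setting {setting!r} for {name}")
    if setting == ALLOW and supplied:
        return supplied
    return generator()               # nothing checked, or allowed but left empty


def provision_credentials(method: str, fields: FieldSettings,
                          login: Optional[str] = None, password: Optional[str] = None,
                          phone: Optional[str] = None,
                          email: Optional[str] = None) -> Tuple[str, str]:
    """Return (login, password) for a self-registration by the given method."""
    method = method.lower()
    if method == "sms":                 # login and password rows are ignored (caution)
        if not phone:
            raise ValueError("SMS registration requires a phone number")
        return phone, generate_password()
    if method == "email":
        if not email:
            raise ValueError("e-mail registration requires an e-mail address")
        return email.lower(), generate_password()
    if method != "open":
        raise ValueError(f"unsupported registration method {method!r}")
    return (_resolve_field("login", fields.login, login, generate_login),
            _resolve_field("password", fields.password, password, generate_password))


if __name__ == "__main__":
    print(provision_credentials("open", FieldSettings()))
    print(provision_credentials("open", FieldSettings(login=MANDATORY), login="alice"))
    print(provision_credentials("sms", FieldSettings(), phone="+33612345678"))
```

The generators use `secrets` rather than `random`, because a self-generated password handed to a visitor is only as good as the randomness behind it; whatever the portal itself uses, the example should not teach a predictable generator.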

5.4.1.2.2.5. User options

• Allow users to change their password.

After the first authentication, a link appears on the portal giving users the possibility to modify the
initial password.

Warning

The link to change the password will only appear once, after the first successful user authentication.

• Authorize users to refill their account

This option enables users to refill their account via a recharge code, a PayPal account or an
Ingenico account.

5.4.1.2.2.6. Global options

It is possible to define a charter that governs the use of personal information that may be collected (email,
tel, etc.). The charter may be optional and the choice of user (accepted or rejected) may be stored in a
field that may be selected from among the additional fields available.

The charter may be proposed for certain methods only (social media, for example).

Figure 5.126. Global options configuration example

5.4.1.2.2.7. Define languages

It’s possible to choose, on one hand, the language the portal uses by default, and on the other, the
languages that will be left for portal users to choose.


In the example below, English is used by default, and the choice is left to users to display the portal in
all available languages.

Figure 5.127. Example of captive portal language configuration

The following example shows a portal in “welcome” visual mode, PC format, with the default operating
mode. Different languages are left as a choice to the user.

Figure 5.128. Example of UCOPIA captive portal


Figure 5.129. Example of UCOPIA captive portal connection

5.4.1.2.3. Modifying a captive portal configuration

To modify a captive portal configuration, click on its corresponding modify icon in the configuration table.

Example:

Figure 5.130. Editing a captive portal configuration

The creation and modification pages are identical.


5.4.1.3. Configuring the delegation portal

5.4.1.3.1. Adding a delegation portal configuration

To add a new configuration, click on the “Configurations” tab in the portals table, then click on the “Add
configuration” link. Use the link located near the Delegation portal line.

Figure 5.131. Adding a configuration for a delegation portal

First, you must name the configuration by filling the “Configuration name” field.

To configure the delegation portal, proceed as follows.

• Delegate administrator options


– The delegate administrator can change his password
After the first authentication, a link appears on the portal giving the delegate administrator
the possibility to modify the initial password.

Warning
The link to change the password will only appear once, after the first successful delegate administrator
authentication.


– Force the delegate administrator to change his password the first time he connects
This option requires that the delegate administrator change his password during the first
connection.
• User registration options

Besides the additional fields that can be added when creating a user account (from the
delegation portal and/or the administration tool), all the fields predefined in the captive portal
can also be added to the delegation portal.

They are then stored in the user logs under their respective names.

Figure 5.132. Example of user registration fields for the delegation portal

• Languages

It’s possible to choose, on one hand, the language the portal uses by default, and on the other,
the languages that will be left for portal users to choose.

Example:

Figure 5.133. Example of language configuration for the delegation portal

5.4.1.3.2. Modifying a delegate portal configuration

To modify a delegate portal configuration, click on its corresponding modify icon in the configuration table.

Example:


Figure 5.134. Editing a delegate portal configuration

The creation and modification pages are identical.

5.4.1.4. Configuring an automatic connection

5.4.1.4.1. Adding an automatic connection configuration

To add a new configuration, click on the “Configurations” tab in the portals table, then click on the “Add
configuration” link. Use the link located on the “Automatic connection” row.

This type of configuration automatically and transparently connects any device that is on the
network and whose IP activity is seen by the controller. Devices are connected within the limits
of the license. The connection is made using a generic account that is created automatically once
the configuration is validated. You can then manage this account and its associated profile.

Figure 5.135. Adding an automatic connection configuration

Name the configuration in the "Configuration name" field, and then click on “Add”. Next associate a
zone to it.


Warning

Network elements using a Zeroconf IP address will not be connected automatically.

Automatic connection by MAC address and RADIUS protocol. The automatic connection can be
coupled with a RADIUS authorization by checking the “Enable RADIUS authorisation by MAC address” box.
The automatic connection itself is based only on the IP address; the RADIUS authorization uses
the MAC address.

Figure 5.136. Configuration settings

Check the « Choose a RADIUS realm » box to select a RADIUS realm from the list or to supply a
personalized name.

The personalized realm is a string that is appended to the MAC address as a realm in the MAC queries.
It is offered so that a configuration can be completed in which various RADIUS servers are associated
with portals in different zones.

Note

This configuration should be used if you wish to connect by MAC address in Out-Of-Cloud architec-
ture.

5.4.1.4.2. Editing an automatic connection configuration

To edit an automatic connection configuration, click on its corresponding modify icon in the configuration
table.

Figure 5.137. Editing an automatic connection configuration

The creation and modification pages are identical.


5.4.1.5. Configuring a mobile application

5.4.1.5.1. Adding a mobile application configuration

To add a new configuration, click on the “Configurations” tab in the portals table, then click on the “Add
configuration” link. Use the link located near the “Mobile application” line.

Figure 5.138. Adding a mobile application configuration

First, you must name the configuration by filling the “Configuration name” field.

To configure the mobile application, proceed as follows.

• Functioning mode
– Standard portal
After the initial authentication, the user is automatically authenticated by replaying his user
name and password. This method assumes that the user account has been created beforehand.
– Portal with open registration
The user can self-register by filling in a form. By default, the first and last name of the user
must be filled in. The user profile used with this registration mode must be selected. The user
account is created automatically.

Figure 5.139. Example of the application operation method

• Registration options

Registration options are associated with the open registration method.


– Entering a telephone number at registration time
A telephone number is requested at open registration. Entering this field can be defined as
mandatory or optional.
– Entering an email address at registration time
An email address is requested at open registration. Entering this field can be defined as
mandatory or optional.

5.4.1.5.2. Editing a mobile application configuration

To edit a mobile application configuration, click on its corresponding modify icon in the configuration
table.

Example:


Figure 5.140. Editing a mobile application configuration

The creation and modification pages are identical.

5.4.1.6. Visual models

5.4.1.6.1. Graphical customization and creation of visual models

Portals can be customized with the company colors with a graphical editor (except in the case of the
Automatic connection operation mode, where there’s no portal).

Before customization you must add (or modify) a visual model. To add a visual model click on the “Visual
models” tab on the portals table and then on the “Add a visual model” link. The following page is
displayed:

Figure 5.141. Adding a visual model


Define the name of the new visual model, then the model’s source (factory-defined, custom, external).
The available models are offered according to the source selected.

For example, to create a new model based on the factory-defined model “basic”, configuration will be
as follows:

Figure 5.142. Example of configuration of a new visual model

The new model appears in the models table.

Figure 5.143. Example of addition of a new visual model

The new model “my-model” is now editable with a graphical editor.

To edit a model with a graphical editor, click on its corresponding edit icon.

Figure 5.144. Editing a visual model

A window offers to customize either the captive portal, or the delegation portal.

In the case of a captive portal, the different formats (PC, Tablet, Smartphone) are offered.


Figure 5.145. Choice of the type of visual model to edit

Once your choice is made, click on “Edit”.

The visual model editor in case of a captive portal is displayed as shown below.

Figure 5.146. Portal visual model editor

For a delegation portal, the editor is displayed as follows.


Figure 5.147. Delegation portal visual model editor

Note

Refer to the “Portal Editor's Usage Guide UCOPIA” for more information on the use of the UCOPIA
portal editor.

Finally, for a mobile application, we get the following page:


Figure 5.148. Mobile application visual model editor

Only the logo of the application and its help page can be customized.

5.4.1.6.2. Visual model modification

To modify a portal visual model, click on its corresponding modify icon in the configuration table.

Figure 5.149. Changing a visual model

The creation and modification pages are identical.

5.4.1.6.3. Advanced graphical customization

If you need advanced customization, it’s possible to modify the HTML code of the visual model.


To do so, click on the “Visual models” tab on the portals table and then click on the export icon corre-
sponding to the visual model to be modified.

Figure 5.150. Exporting a visual model

The code of the portal visual model is presented as a file to download. Once the code has been modified
and customized, it will be possible to import it back to the controller by using the modify visual model icon.

During the modification of the visual model you must select “external” as source of the model and import
the file describing the modified model by using the “Browse…” button.

Figure 5.151. Importing an external visual model

Warning

Once the HTML code of the modified portal has been imported in the controller, it’s not possible to
edit it using the graphic editor.

Note

Refer to the “Advanced Personalization of the captive portal UCOPIA” guide for more information on
advanced customization of a UCOPIA portal.

5.4.2. Certificate configuration

Certificates (usage charters) can be used on the captive portal for two purposes.

1. Require that users accept the certificate before being able to authenticate. For example, the
certificate can inform users that their traffic will be logged.
2. Require that users accept the certificate when they are asked for personal information, such as an
email address or telephone number. For example, the certificate can ask whether the information
provided may be used for marketing purposes.


Click on the “Certificates” sub-menu on the left-hand side of the window. The following page is displayed:

Figure 5.152. Certificate configuration

To add a certificate, click the “Add” button on the certificate table. The following page is displayed:


Figure 5.153. Adding a certificate

You must name the certificate in the “Certificate name” field, then choose the certificate type and the
languages in which the certificate will be displayed.

The different certificate types are the following:

• Text: the certificate text is displayed directly on the portal

You must fill the text that will appear on the portal.

Figure 5.154. Text Certificate

• File: the certificate is in a file stored by the controller.

You must fill in the text of the link that displays the certificate; this link will be shown on the
portal. Then upload the file containing the certificate.

Figure 5.155. File Certificate


• URL: the certificate is accessible from a URL

You must fill in the text of the link that displays the certificate; this link will be shown on the
portal. Then choose the URL from the list of publicly accessible URLs.

Figure 5.156. URL Certificate

Warning

The URL to access the certificate must be a publicly-accessible URL.

The information related to the certificate must be filled in for each desired language.

For languages left empty, the language defined in the “Default language” field is used.

New languages can be added by clicking on the “Add” button in the “Add language” field. A language
can be deleted by clicking on its “cross” icon.

5.4.3. Additional field configuration

During the creation of a user account, either from the administration tool, or from the delegation portal,
it’s possible to define additional fields to describe the user (company name, ID card number, etc.)

Additional fields will be added to the three mandatory fields: identifier, name and last name of the user.
For each field added, you must indicate whether the field is required, and also its label in each of the
available languages.

To add additional fields, click on the “Additional fields” sub-menu, on the left-hand side of the window.
The following page is displayed:


Figure 5.157. Customising additional fields

Click on “ Add a field ”.

Example: Adding a "Room number" field.


Figure 5.158. Adding an additional field

Note

A default language can be set. The label of the field should be filled in for every language; labels
left empty take the value of the label in the default language.

Click on “Confirm”.


Figure 5.159. Activating an additional field

Note

Once a field is added, it is possible to activate it (it is not so by default). The activation signifies that
the field may be used in the portals (captive, delegation) and will be saved in the user session logs.

Important

You can activate only 3 fields at a time.

Click on the activation icon to activate the "Room number" field.

For this example, the page of the administration tool used to fill information about users will display as
follows:


Figure 5.160. Delegation portal with extra fields

5.4.4. Customization of tickets

You can customize both connection tickets and refill tickets generated by the UCOPIA delegated ad-
ministration tool. In particular, you can personalize tickets according to the zone from which they were
issued or according to the profile of the user, replace the UCOPIA logo with that of the organization,
add text below the logo, choose the languages and, in the case of a ticket in badge format, choose the
data displayed.

Click on the “Tickets” item in the sub-menu shown on the left-hand side of the window. Two tables of
tickets are displayed.


Figure 5.161. Tables of tickets

Click on the modify icon to modify the default ticket, or on the add icon to define a new connection or refill ticket.

The following page is displayed:


Figure 5.162. Customization of connection tickets


Figure 5.163. Customization of refill tickets


• The « Ticket configuration » panel allows personalization of the ticket according to the zone from
which it was issued or according to the user's profile.

Check the « Default ticket » box if there is no zone or profile to define.

Customization by zone and by profile: the delegate has two levels of ticket customization. The
first is global and applies to the zone where the delegate is located. The delegate can then
generate a ticket customized according to the visitor's profile, for example a ticket customized
for VIP profiles, showing a particular SSID to log in to.
• The “Logo configuration” panel is used to modify the logo which appears in connection ticket
headers (A4 and badge format).

The logo currently in use is displayed in the panel. To replace it, click on “Select a file… ” to select
the new logo.

Click on “ Confirm ”.

Warning

Only JPEG and PNG formats are accepted for logos. The size of the logo cannot exceed 2 MB.

• The “A4 format settings” panel is used to add text to the ticket and choose the language.

Enter your text in the field provided for the purpose. This text will appear beneath the logo. The
language in which the text is written must be selected beforehand. If you wish to enter text in more
than one language, then for each language select the language, and enter the text in the text box.

If a given text is not to be entered for every language, select the default language to be used to
display untranslated text.

Customize the font size by completing the “Font” field.

For refill tickets, the format of the ticket must be specified with the “Orientation” button, and
the information to be displayed must be selected.

• The “Badge format settings” panel is used to select the data which will be displayed on badge
format tickets. The badge format being by definition of limited size, it is not possible to display all
data on the ticket. The user’s last name, first name, password and profile may be displayed. If the
administrator has defined additional fields, they will also be offered for display.

It is possible to customize the badge by completing the “badge width”, “badge height” and “Font” fields.

Click the “Display the badge” button to obtain a print preview in badge format.


Figure 5.164. Example of configuring a refill ticket in A4 format

Display of this ticket in A4 format will be as follows:


Figure 5.165. Example of refill ticket in A4 format


Figure 5.166. Example of badge format connection ticket configuration

To obtain a preview of the display in badge format, click the “Display the badge” button. With the
example above, the following page is displayed:

Figure 5.167. Example of connection ticket in badge format

Click the “Confirm” button to confirm.

Note

The logo always appears top left in badge format.

Warning

The free text does not appear on badge format connection tickets.


5.4.5. Configuring open-access URLs

If you want users to be able to access certain URLs before authentication, they must be specified in
this section.

Click on the “Open-access URLs” item in the sub-menu shown on the left-hand side of the window.
The following page is displayed:

Figure 5.168. Configuring open-access URLs

To add an HTTP URL, click the “Add” button on the first table. The following page is displayed:


Figure 5.169. Adding an open-access HTTP URL

An HTTP URL can be specified in two ways:

1. By specifying the full URL (e.g. www.ucopia.com). In this case, the entire tree-view of that host is accessible.
2. By specifying patterns (e.g. www.ucopia.*;*.ucopia.*), separated by semicolons, in which “*” stands for
any run of characters. A pattern can either name a whole domain (in which case the whole tree-view is
seen) or restrict which parts of the domain tree-view are reachable.

Everything listed here is reachable before authentication, so keep each pattern as narrow as the portal
actually needs: a wildcard in the last position (as in *.ucopia.*) matches any domain ending, including
domains you do not control.

The “Always available” checkbox is used to make the URL usable even if it is not used by any authen-
tication portal.

Example:

Figure 5.170. Example of an open-access URL


Click on “ Confirm ”.

Once the URL is specified, a status indicates whether the URL is being used by one of the UCOPIA
services (the UCOPIA portal, for example).

Figure 5.171. Open-access HTTP URL

To add an HTTPS URL, click on the “Add” button of the second table. The following page is displayed:

Figure 5.172. Adding an open-access HTTPS URL

Unlike HTTP URLs, HTTPS URLs must be specified in full; patterns are not accepted.

Click on “ Confirm ”.
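The matching that the two HTTP entry forms imply, as an added example that is not part of this guide or of the UCOPIA product: it assumes that entries are matched against the host name of the requested URL and that “*” stands for any run of characters (the guide does not state the exact matching rule), and it flags patterns whose wildcard sits after the last dot, since those reach beyond the domain the administrator had in mind. The entries and URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed configuration: two open-access entries as an administrator would type them,
# the first a full host name, the second the pattern form quoted in the guide.
OPEN_ACCESS_ENTRIES = ["www.ucopia.com", "www.ucopia.*;*.ucopia.*"]


def parse_entry(entry):
    """Split one table entry into its host patterns (';' separates patterns)."""
    return [p.strip().lower() for p in entry.split(";") if p.strip()]


def pattern_to_regex(pattern):
    """Assumed glob rule: '*' matches any run of characters, everything else is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def host_of(url):
    """Host name part of a URL; a bare host name such as 'www.ucopia.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_open_access(url, entries=OPEN_ACCESS_ENTRIES):
    """True when the URL's host is reachable before authentication under these entries."""
    host = host_of(url)
    return any(pattern_to_regex(p).match(host)
               for entry in entries for p in parse_entry(entry))


def too_broad(pattern):
    """A wildcard in the last label (the TLD position) matches any domain ending, not just yours."""
    return "*" in pattern.rsplit(".", 1)[-1]


def audit(entries=OPEN_ACCESS_ENTRIES):
    """Return the patterns that should be tightened before going into production."""
    return [p for entry in entries for p in parse_entry(entry) if too_broad(p)]


if __name__ == "__main__":
    for url in ("http://www.ucopia.com/docs", "https://cdn.ucopia.com/x",
                "http://cdn.ucopia.example.net/", "http://www.example.com/"):
        print(url, "->", is_open_access(url))
    print("too broad:", audit())
```

The third URL in the demonstration is the point: under the guide's own example entry, a host under a completely different domain is open before authentication, whereas `*.ucopia.com` would not let it through.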

5.5. Configuring the logging mechanism

To access the management of the logging mechanism configuration, click on the “Logging” item on the
left-hand side of the window, then on the “Configuration” item in the sub-menu.


Figure 5.173. Logging configuration

5.5.1. Logging criteria

The “Logging enabled for” panel is used to enable logging selectively, for instance to enable logging for
sessions while disabling URL logging. By default, logging is switched on for sessions, URLs and permitted
traffic (TCP and UDP packets). Dropped packets are not logged.

Warning

If session logging is disabled, it will not be possible to display connected users in real time. Session
logging is also a prerequisite for the logging of URLs and of TCP and UDP packets.

5.5.2. Automatic export and deletion of log backups

Log backup files are kept on the disk of the UCOPIA controller for a set time period, after which they are
deleted. You can configure this time period. To automate the export of log backup files, they can be
transferred to a third-party machine over FTP.

Note

Configuring this mechanism is highly recommended, so that the logs are backed up on a platform other
than the UCOPIA box.

An FTP server must be configured to export the logs (see Section 5.7.3, “Configuring the FTP service”);
you can also configure the daily time at which the backups are sent. During the backup, the files can be
deleted from the UCOPIA controller to free up space. Because these backups contain user session data,
use the secured (explicit SSL) mode of the FTP account whenever the receiving server supports it.


Figure 5.174. Example of the export configuration of log backups

5.6. Configuration in Out-Of-Band architecture

In versions prior to 5.0, the UCOPIA controller was essentially positioned in-line with the user traffic,
that is, between the hosting network (e.g. the Wi-Fi infrastructure) and the organization's LAN. In a
centralized Cloud architecture managing multiple sites (UCOPIA as the central controller), the user
traffic must therefore travel back to the central site where the Internet exit is located. This can be
restrictive.

A new Cloud architecture known as Out-Of-Band is proposed with version 5.0 allowing you to only
centralize some UCOPIA services, namely authentication and the users' database. Each local site can
have a UCOPIA (Edge) controller that manages the user traffic or just a Wi-Fi equipment (Xirrus, Meraki,
Ruckus, Extreme, OneAccess). Internet access for user traffic is local to each site.

In this type of architecture, the on-site equipment performs a portal redirection to the UCOPIA controller.
Authentication is based on the RADIUS protocol: the RADIUS client is located on the on-site device and
the RADIUS server on the centralized UCOPIA controller.

To implement this Out-Of-Band architecture, the following configurations must be performed.

Central controller configuration.

1. In the case of an architecture with an on-site UCOPIA (Edge) controller, it is recommended that you
create an administrator with limited privileges on the central controller (see Chapter 4 of the admin-
istration manual, “Administration of Administrator Accounts”). This administrator account will be
used by the on-site controllers to identify themselves to the central controller, so give it only the
rights that replication needs.
2. The UCOPIA controllers are, by default, configured with the FQDN “controller.access.network”.

The central controller FQDN must be changed in order to differentiate the on-site controllers from
the central controller. A new certificate must also be obtained and configured to match the new
FQDN (see Section 5.2.3, “Configuring certificates”).
3. The RADIUS NAS must be configured in portal redirection mode (see Section 5.2.4, “RADIUS
configuration”).

Note

The central controller must have a URL that end users on the remote site can resolve. A DNS (FQDN)
entry must therefore be created on a DNS server (private or public) so that the user can reach the
central controller.

On site device configuration

Two possibilities apply:


• Site with only Wi-Fi devices.

Configuration of Wi-Fi devices depends upon the manufacturer. As a general rule, the WPR (Web
Portal Redirection) mode must be enabled in order to redirect to the central UCOPIA controller
portal.
• Site with a UCOPIA (Edge) controller and Wi-Fi devices.

The on site UCOPIA (Edge) controller takes over the portal redirection.

In this case, user profiles, services, zones, URL Categories and password policies are configured
only at the central controller level and replicated in the Edges in order to simplify the administration.
On the other hand, High Availability architectures are not available for Edges.

In any case, the following operations must be completed :


1. Configuration of a free-access URL that will be used for portal redirection (see Section 5.4.5,
“Configuring open-access URLs”).
2. Configuration of Web portal(s) must achieve redirection towards an external portal (central)
by using the previously defined free URL. The portal must be associated with RADIUS. (see
Section 5.4.1, “Customization of the UCOPIA portals”)
3. Configuration of the local RADIUS server in proxy mode to the RADIUS of the central controller .
(see Section 5.2.4, “RADIUS configuration”)

In order for the controller to become an Edge controller, it must be configured accordingly (see
Section 5.6.1, “Central controller configuration.”). This will have the effect of implementing the
replication of the central controller towards the Edges and thus the creation/modification of user
profiles, services and zones operations will be read-only.
Automatic authentication by MAC address

To enable automatic authentication by MAC address in an Out-Of-Band architecture, use the
automatic connection mode with the “RADIUS MAC authorisation” option (see Section 5.4.1.4.1,
“Adding an automatic connection configuration”).

URL traceability

Certain Wi-Fi vendors record, in Syslog format, the URLs visited by users and/or the packets
corresponding to the user traffic. In this case, the central UCOPIA controller is able to retrieve
them and store them in the user log database. This is done by configuring the Syslog server on
the central controller (see Section 5.1.7, “Filtering settings configuration”).

Click the “Out-Of-Band” item on the left-hand side of the window. The following sub-menu is displayed
with the options shown:

Figure 5.175. Items on the Out-Of-Band menu

5.6.1. Central controller configuration.

The configuration page enables a controller to be associated with a central controller. The controller thus
becomes an Edge controller in an Out-of-Band architecture.


Figure 5.176. Central controller configuration.

The following fields need to be filled in:

• Set as an Edge of a central controller: checkbox to convert the controller into an Edge controller.

• Central controller: domain name (FQDN) or IP address of the central controller.

• LDAPS port: port of the secure (LDAPS) connection to the corporate directory, 636 by default.

• HTTPS port: port of the secure (HTTPS) connection to the central controller, 443 by default.

• Remote login: identifier of the administrator defined on the central controller.

• Remote password: that administrator's password, as defined on the central controller.

• Zone label: if the zone name and the domain name of the central controller are defined, the open-
access URL used for portal redirection is created automatically.
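A preflight check for points 2 and 3 of the central controller configuration and for the DNS note above, as an added example written for this page rather than a tool shipped with UCOPIA: `cert_covers_fqdn` applies the usual host-name matching rules to the names in a certificate (a wildcard only replaces the whole left-most label), `check_settings` refuses the factory FQDN quoted in the guide, and `fetch_cert_names` is the live part that connects to the central controller on its HTTPS port and reads the names it presents. The host names used in the demonstration are made up.

```python
import socket
import ssl

DEFAULT_FQDN = "controller.access.network"   # factory FQDN quoted in the guide


def cert_covers_fqdn(names, fqdn):
    """True if one of the certificate's DNS names covers fqdn.
    Rules: exact match, or a wildcard that stands for the whole left-most label only
    (so '*.example.org' covers 'ucopia.example.org' but not 'a.b.example.org')."""
    host = fqdn.lower().rstrip(".").split(".")
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if labels == host:
                return True
            continue
        if len(labels) != len(host) or len(labels) < 3:
            continue
        if labels[0] != "*" or any("*" in label for label in labels[1:]):
            continue
        if labels[1:] == host[1:]:
            return True
    return False


def check_settings(central_fqdn, cert_names):
    """Static checks on the values entered in the Edge form; returns a list of problems."""
    problems = []
    if central_fqdn.lower().rstrip(".") == DEFAULT_FQDN:
        problems.append("central FQDN is still the factory default; Edges cannot tell it from their own")
    if not cert_covers_fqdn(cert_names, central_fqdn):
        problems.append("certificate does not cover " + central_fqdn)
    return problems


def fetch_cert_names(host, port=443, timeout=5.0):
    """Live check: resolve host, connect on the HTTPS port and return the DNS names the
    certificate presents (SAN entries, falling back to the subject CN). Chain validation
    stays on, so an untrusted certificate is reported instead of silently accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # name matching is done by check_settings, with a clear message
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except socket.gaierror:
        raise RuntimeError(f"{host}: no DNS entry; create one so users can reach the central controller")
    except ssl.SSLCertVerificationError as exc:
        raise RuntimeError(f"{host}:{port}: certificate chain not trusted: {exc.verify_message}")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    return names


if __name__ == "__main__":
    # Offline demonstration with constructed values; on site, pass fetch_cert_names(fqdn) instead.
    fqdn = "ucopia-central.example.org"
    print(check_settings(DEFAULT_FQDN, ["controller.access.network"]))
    print(check_settings(fqdn, ["*.example.org"]))        # []
    print(check_settings(fqdn, ["*.access.network"]))     # certificate does not cover ...
```

Run `check_settings(fqdn, fetch_cert_names(fqdn, 443))` from a machine on the remote site, so that the DNS lookup and the connection take the same path the users' browsers will take.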

5.7. Configuring external communication services

The UCOPIA controller may need to use email or SMS services to communicate with users, to inform
them of their login information (login, password, etc.). It can also be connected to third-party tools such
as PMS or pre-paid card servers (PPS) or PayPal, in order to bill connections.

Messaging and SMS services could be used either from the UCOPIA web portal for sending passwords
to users (see Section 5.4.1.2.1.4, “Open self-registration” and Section 5.4.1.2.1.7, “Email registration”),
or from the delegated administration tool for sending login information to users (identifiers, permitted
time slots, etc.).

Billing services will give place to dedicated portals (see Section 5.4.1.2.1.10, “Authentication via a billing
software (PMS)”)

Click on the “External services” item shown to the left of the window. The following sub-menu is dis-
played with the options shown:


Figure 5.177. Items on the External services menu

5.7.1. Configuring the SMS service

Warning

This mode assumes that you have a subscription with an SMS provider. Contact UCOPIA Communications
for more information.

To configure an SMS account, click on the “SMS” item on the sub-menu. The following page is displayed:

Figure 5.178. SMS accounts configuration

For each SMS account created, the table indicates the selected operator, the sending method (HTTP or
SMTP), the number of portals and the number of delegated administrator profiles using this account.

To add a new SMS account, click the “Add” button. The following page is displayed:


Figure 5.179. Adding an SMS Account

Firstly, the SMS platform must be chosen from those on offer. Then fill in the following fields:

• Account name: free-format identifier to name the account.

• SMS operator: this means selecting the SMS messaging platform from the options on offer. We
reiterate that registration with the selected platform is necessary in order to obtain login informa-
tion.
• Account login: login for the account associated with the SMS platform.

• Account password: password for the account associated with the SMS platform..

• Customer ID: client identifier (given by the SMS platform).

It is then possible to customize the SMS content on the basis of the use to which it is put. The SMS will
comprise a welcome message with different versions depending on available languages. The welcome
message will be built using a template. A template will comprise text and dynamic variables. The vari-
ables will be enclosed within “%” characters.

The possible dynamic variables are the user’s login (%login%), password (%password%), surname
(%lastname%), first name (%firstname%) and profile (%profile%). The login and the password are
mandatory.


Figure 5.180. Example of configuring an SMS account

The “Reinitialize templates” button is used to reset all templates to their default format.

Use the “Test settings” button in order to check the accuracy of the data entered.

Click the “Confirm” button to confirm the SMS account.

Note

The language can be set by default. It is therefore not necessary to enter the welcome message in
all languages. Fields not filled in will take the field value matching the default language.

5.7.2. Configuring the email server

To configure an email account, click on the “External services” item in the left-hand side of the window,
then on the “Email” item in the sub-menu. The following page is displayed:


Figure 5.181. Configuring email server accounts

The table indicates, for each account created, the number of portals and the number of delegated ad-
ministrator profiles using this account.

To add a new email account, click the “Add” button. The following page is displayed:


Figure 5.182. Adding an email server account

The following fields need to be filled in:

• Account name: free-format identifier to name the account.


• IP address or DNS name of the email server: either the IP address of the email server or its DNS
name.
• Port: port number on which communication with the email server is established.
• Use a secured connection: select the checkbox if you want a secure connection, on port 587
(STARTTLS) or 465 (implicit TLS, historically called SSL).
• Account login: login for the email account.
• Account password: email account password.
• Account email address: email address used as the sender of the message.
• Email reply address: email address used if a reply is needed.
• Type of email content: select between plain text or HTML for custom formatting.
• Mail templates: choose the language of the template being edited. The patterns enclosed in “%”
characters are replaced dynamically when the mail is sent.
• Subject: mandatory.
• Content: the mail content may be personalized according to its purpose. The mail comprises a
welcome message with different versions depending on the available languages. The welcome
message is built from a template, which comprises text and dynamic variables enclosed within
“%” characters. The login and the password are mandatory.

The following placeholders can be used:


– %login%: The user identifier
– %password%: password
– %profil% : Profile
– %lastname% : Surname
– %firstname% : First name
– %emailaddress% : Email address
– %phonenumber% : Phone number
– %organizationalunitname% : Company name
– %autofillink% : link to pre-fill user identifiers on the portal
– %autoconnectlink% : link to connect the user automatically to the portal

You can also specify additional fields in the form of :


– %customfieldlabel1% : Field 1 title
– %customfieldvalue1% : Field 1 value
• Default language : By default, the template fields not filled in will have the message associated
with that language.

Example:


Figure 5.183. Example of email account configuration

The “Reinitialize templates” button is used to reset all templates to their default format.

Use the “Test settings” button in order to check the accuracy of the data entered.

Click the “Confirm” button.
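A renderer for the SMS templates of Section 5.7.1 and the email templates of this section, as an added example that is not code from UCOPIA: it applies the rules the guide states (placeholders are enclosed in “%”, %login% and %password% must be present, a language with no text falls back to the default language) and refuses a placeholder it cannot fill rather than sending a message with a literal “%firstname%” in it. The sample templates and the user record are constructed for the example; the placeholder names are taken from the template as typed, so %profil% and %profile% are simply two different keys.

```python
import re

PLACEHOLDER = re.compile(r"%([A-Za-z0-9]+)%")
MANDATORY = ("login", "password")            # the guide: login and password are mandatory

# Constructed sample: one text per language, as typed into the "Content" fields.
TEMPLATES = {
    "en": ("Welcome %firstname% %lastname%. Login: %login% Password: %password% (%profile%). "
           "%customfieldlabel1%: %customfieldvalue1%"),
    "fr": "Bienvenue %firstname% %lastname%. Identifiant : %login% Mot de passe : %password%",
}
DEFAULT_LANGUAGE = "en"

# Constructed user record; the additional field is the "Room number" of Section 5.4.3.
USER = {"login": "jdupond", "password": "s3cr3t-Pw", "firstname": "Jean", "lastname": "Dupond",
        "profile": "Guest", "customfieldlabel1": "Room number", "customfieldvalue1": "123"}


def missing_mandatory(template):
    """Placeholders from MANDATORY that the template does not contain."""
    present = set(PLACEHOLDER.findall(template))
    return [name for name in MANDATORY if name not in present]


def pick_template(templates, language, default_language=DEFAULT_LANGUAGE):
    """Fallback rule from the guide: a language left empty uses the default language's text."""
    return templates.get(language) or templates[default_language]


def render(templates, language, user, default_language=DEFAULT_LANGUAGE):
    """Fill a template for one user. Raises rather than sending a half-filled message."""
    template = pick_template(templates, language, default_language)
    missing = missing_mandatory(template)
    if missing:
        raise ValueError("template lacks mandatory placeholder(s): " + ", ".join(missing))

    def substitute(match):
        key = match.group(1)
        if key not in user:
            raise KeyError(f"no value for placeholder %{key}%")
        return str(user[key])

    return PLACEHOLDER.sub(substitute, template)


def check_all_languages(templates):
    """Validate every language before the account is confirmed; returns {language: missing}."""
    return {lang: missing_mandatory(text) for lang, text in templates.items() if text}


if __name__ == "__main__":
    print(render(TEMPLATES, "fr", USER))
    print(render(TEMPLATES, "de", USER))   # no German text, falls back to "en"
    print(check_all_languages(TEMPLATES))
```

The rendered string carries the clear-text password, which is the whole point of the message; keep it out of any application log, and remember that an SMS or plain email is readable by whoever holds the phone or the mailbox.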

5.7.3. Configuring the FTP service

To automate the export of files, you can transfer them via FTP to a third party machine.

To configure an FTP account, click on the “ External services ” item on the left-hand side of the window,
then on the “ FTP ” item in the sub-menu. The following page is displayed:


Figure 5.184. Configuring FTP accounts

To add an account, click the “Create account” button. The following page is displayed:

Figure 5.185. Adding an FTP account

The following fields need to be filled in:

• Account name: free-format identifier to name the account.

• FTP server (IP address or DNS name): either the IP address of the FTP server or its DNS name.


• Activate the secured mode (FTP with explicit SSL encryption): select the checkbox to protect the
FTP session with explicit TLS (AUTH TLS on the standard FTP control port, 21), so that the
credentials and the exported logs do not cross the network in clear.
• Account login: login for the FTP account.
• Port: port number on which communication with the FTP server is established.
• URI: the directory on the FTP server into which the backup files are transferred (path from the
FTP server root directory).
• Mode: passive or active
• Enable anonymous authentication: two FTP server authentication methods are on offer: the
anonymous method which requires no login, and the method which does require a login and
password. If you uncheck the “Enable anonymous authentication” box, you then need to enter
the login and password.

5.7.4. PayPal service configuration

UCOPIA interfaces with PayPal so that users can buy connection time from the UCOPIA portal. Users
can use their PayPal account or credit card.

The PayPal/UCOPIA pairing is based on packages. Packages are defined by the UCOPIA admin-
istrator. They can be packages of 1 hr, 3 hr, “email” packages, “Every working day from 4 PM to 6 PM”
packages, etc. Packages are offered for user selection on the UCOPIA portal.

Warning
This method assumes that the administrator of the UCOPIA solution (or their representative) has cre-
ated a PayPal account beforehand. This account needs to be “Premier” or “Business” and “Verified”.

To configure a PayPal account, click on the “External services” item in the left-hand side of the window,
then on the “PayPal” item in the sub-menu. The following page is displayed:

Figure 5.186. PayPal configuration


To add an account, click the “Create account” button. The following page is displayed:

Figure 5.187. Adding a PayPal account

The data relating to the PayPal account must be entered:

• Email address used as PayPal account login.

• PayPal certificate ID. To retrieve this identifier, (1) export the certificate by clicking on the “Certifi-
cate export” link, (2) upload the certificate onto the PayPal website, (3) take note of the identifier
provided by PayPal.

Click on the first “Test setting” button to verify that the entered information is correct.

Then data relating to the PayPal API must be entered.

• Enter the data that allows the PayPal API to be used (login, password and signature). This API
is intended to retrieve payment data.
• Check the "Sandbox test account" box to activate the test account to test the API exchanges
without modifying the configuration of existing accounts.
• Click the second “Test settings” button to test the connection to PayPal.


Figure 5.188. Example of the PayPal system configuration

5.7.5. Ingenico service configuration

UCOPIA interfaces with Ingenico so that users can buy connection time from the UCOPIA portal. Users
can use various payment solutions.

The Ingenico/UCOPIA pairing works with the concept of packages, in the same way as in the PayPal
configuration.

Warning

This method assumes that the administrator of the UCOPIA solution (or their representative) has
created an Ingenico account beforehand.

To implement the Ingenico interface, click the on item "Ingenico" of the sub-menu. The following page
is displayed:


Figure 5.189. Ingenico configuration

The data relating to the Ingenico account must be entered:

• Account name: internal name used to identify an Ingenico account.

• PSPID: unique identifier of the main Ingenico account.

• API USERID: identifier to be used for connecting to the Ingenico API. You can use it to obtain
information about the status of a transaction (paid, pending, amount, currency...).
• API USERID password: associated password.

• SHA-IN security key: in the context of payment exchanges, Ingenico needs to make sure that the
transaction issued for the UCOPIA controller has not been altered. To do so, a shared secret
(security key) is defined and used by both parties to sign their exchanges. Treat this key like a
password: anyone who knows it can produce a validly signed transaction.
• Hash algorithm: the security key is used with a hash algorithm chosen from the list (SHA1,
SHA256, SHA512). Prefer SHA256 or SHA512; SHA1 is the weakest of the three.

Click on the “Test parameters” button to verify that the entered information is correct.


Figure 5.190. Example of the Ingenico system configuration

The following window appears below:

Figure 5.191. Ingenico redirection test

Enter the “price”, then select the desired “currency” and “language”.

Click the "Test" button to test the connection to Ingenico.
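How a shared key and a hash algorithm sign a transaction, as an added example that is neither UCOPIA's nor Ingenico's code. The concatenation rule used here (parameters sorted by name, each written as NAME=VALUE followed by the passphrase, empty values skipped, upper-case hexadecimal digest) is the published Ingenico e-Commerce SHA-IN rule as assumed by the author of this example; the guide itself does not describe it, and on the real platform the return messages are verified with a separate SHA-OUT key. The passphrase and order values are made up.

```python
import hashlib
import hmac

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed passphrase and order; a real key should be long and random (secrets.token_urlsafe(32)).
SHA_IN_KEY = "ucopia-demo-passphrase-not-for-production"
ORDER = {"PSPID": "ucopiatest", "ORDERID": "1254", "AMOUNT": "1500", "CURRENCY": "EUR",
         "LANGUAGE": "en_US", "COM": ""}   # COM is empty and must not enter the signature


def sha_in_signature(params, passphrase, algorithm="SHA512"):
    """Assumed SHA-IN rule: sort by upper-cased name, skip empty values, concatenate
    NAME=VALUE<passphrase> for each, hash, return upper-case hex."""
    digest = ALGORITHMS[algorithm]
    items = sorted((name.upper(), str(value)) for name, value in params.items()
                   if value not in (None, ""))
    material = "".join(f"{name}={value}{passphrase}" for name, value in items)
    return digest(material.encode("utf-8")).hexdigest().upper()


def sign_order(params, passphrase, algorithm="SHA512"):
    """Parameters to send to the payment page, with the SHASIGN field appended."""
    signed = dict(params)
    signed["SHASIGN"] = sha_in_signature(params, passphrase, algorithm)
    return signed


def verify_signature(received, passphrase, algorithm="SHA512"):
    """Recompute the signature over everything except SHASIGN and compare in constant time,
    so the comparison itself does not leak how many leading bytes of a forgery were right."""
    fields = dict(received)
    given = fields.pop("SHASIGN", "")
    expected = sha_in_signature(fields, passphrase, algorithm)
    return hmac.compare_digest(given.upper(), expected)


if __name__ == "__main__":
    signed = sign_order(ORDER, SHA_IN_KEY)
    print(signed["SHASIGN"])
    tampered = dict(signed, AMOUNT="100")
    print(verify_signature(signed, SHA_IN_KEY), verify_signature(tampered, SHA_IN_KEY))
```

Changing any signed field, the amount in the demonstration, invalidates the signature; the receiving side must recompute it over the fields it actually got, never trust the amount in the redirect alone, and use the same algorithm that was selected in the form above.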

5.7.6. Configuring the PMS service

The UCOPIA controller interfaces with PMS products (Property Management System). PMS are cus-
tomer management products, most usually found in hotel or hospital environments. They are used for
checking in guests, billing, etc.

There is a UCOPIA portal mode dedicated to this role (see Section 5.4.1.2.1.10, “Authentication
via a billing software (PMS)”).

Warning

The interface with such products is based on the FIAS protocol. Consequently, only FIAS-compatible
PMS will be able to dialogue with UCOPIA. To use any other PMS not compatible with this protocol,
contact UCOPIA Communications.

The PMS/UCOPIA pairing works with the concept of packages. Packages are defined by the UCOPIA
administrator. They can be packages of 1hr, 3hr, “email” packages, “Every working day from 4 PM to 6
PM” packages, etc. Packages are offered for user selection on the UCOPIA portal.

The PMS/UCOPIA dialogue runs as follows:


1. First of all, synchronisation between the two products in order to create accounts in UCOPIA for
customers already present (in a hotel, for example).
2. PMS -> UCOPIA : sending a user account creation order when a new customer arrives. The account
is created in UCOPIA with identifiers generated automatically from data such as the user’s last name,
first name and room number, etc. (configurable).
3. Users will be able to change their password from the UCOPIA portal after their first authentication.
4. UCOPIA portal: user authentication and choice of package.
5. UCOPIA -> PMS: sending of package type selected by the user.
6. PMS ->UCOPIA : sending a user account closure order when the customer leaves.

To implement the PMS interface, click on the “PMS” item in the sub-menu. The following page is dis-
played:

Figure 5.192. Configuring the PMS interface

Before enabling the connection with a PMS, you must first create at least one package. Package con-
figuration is described in the “ Administration Guide UCOPIA Express ”, “Configuration of packages”
section.

Once one or more packages have been created, check the “Enable PMS" box. The following form is
displayed:


Figure 5.193. Configuring the PMS connection settings


The following fields need to be filled in:

• Access to the PMS server

• Server IP address: IP address for the server hosting the PMS.

• Server port: the port used to exchange data with the PMS.

• Sender ID: an identifier to be defined in agreement with the PMS.

• The “Status" indicator shows whether the connection with PMS is active or not.

• Accounts validity

Two actions are possible on receipt of a ‘check-out’ message. The user account is no longer
immediately valid (default) or the account is no longer valid from midday in N days, the number
of days being configurable.
• Account creation template

A template mechanism is used to define the user login format.

Templates are built from keys. The following keys are available:

%title% : the user’s title

%lastname% : the user surname

%firstname% : the user first name

%roomnumber% : the room number

%guestnumber% : the customer number

Example:

login = dupond123 (%lastname%%roomnumber%)

password = jean (%firstname%)

Text can be placed between each key:

login = Chambre123 (Chambre%roomnumber%)

• Password coding

The password may be stored hashed or in clear. A hashed (“encrypted”) password is the first 8
characters of the hexadecimal SHA-1 digest of the password (first name or surname). No hashing
by default. In both cases the password is derived from guest data that staff or other guests may
know, and the hashed form is only 8 hexadecimal characters long, so it should not be relied on as
a strong secret.
• Communication

It is possible to state the encoding type used by the PMS server: ISO-8859-1 (default), UTF-8
or CP850.
• Service billing

Billing information (POST CHARGE) will be sent every N seconds to the PMS. The time between
two checks is configurable.

• Users with no package choice

Users identified by the PMS as not having to select packages will be created using the selected
profile.


• Users with privileged status

Users with a specific profile related to the A0-A9 fields sent by the PMS. For example, the field
values make it possible to specify the packages offered to clients such as PLATINIUM or BASE:

Figure 5.194. Example of a specific profile

• Storing values from optional fields

Upon receipt of fields [A0-A9] and the VIP Guest [GV] field, enabling of this function allows storage
of the values of these fields in the user file and their transmission with the associated priority to
the captive portal.
• Deactivate automatic association of the defined profile

Deactivation of this automatic mode makes the choice of packages available from the captive
portal.

Click on “ Confirm ”.
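The account creation template and the password coding option worked through, as an added example rather than UCOPIA code: `expand` substitutes the five keys listed above (text between keys is kept), `encode_password` applies the guide's rule of keeping the first 8 hexadecimal characters of the SHA-1 digest, and `build_account` combines both and rejects a template with a misspelt key instead of creating a login that contains it literally. The guest record is constructed. It also makes the caveat visible: both password forms are computed from the guest's name, so anyone who knows the template and the name can reproduce them.

```python
import hashlib
import re

KEY = re.compile(r"%(title|lastname|firstname|roomnumber|guestnumber)%")

# Constructed guest record, as a PMS check-in message would supply it.
GUEST = {"title": "M", "lastname": "dupond", "firstname": "jean",
         "roomnumber": "123", "guestnumber": "98765"}


def expand(template, guest):
    """Replace each %key% with the guest's value; any other text is copied as-is."""
    try:
        return KEY.sub(lambda m: str(guest[m.group(1)]), template)
    except KeyError as exc:
        raise ValueError(f"PMS record has no value for key {exc}") from None


def unknown_keys(template):
    """Tokens that look like keys but are not in the guide's list (e.g. a typo such as %roomnunber%)."""
    return [t for t in re.findall(r"%[A-Za-z0-9]+%", template) if not KEY.fullmatch(t)]


def encode_password(clear, hashed):
    """'Encrypted' password per the guide: first 8 hex characters of the SHA-1 digest.
    That is 32 bits at most, and the input is a name, so treat the result as an
    identifier rather than a strong secret."""
    if not hashed:
        return clear
    return hashlib.sha1(clear.encode("utf-8")).hexdigest()[:8]


def build_account(guest, login_template, password_template, hashed=False):
    """Login and password the controller would create for this guest."""
    for template in (login_template, password_template):
        bad = unknown_keys(template)
        if bad:
            raise ValueError("unknown key(s) in template: " + ", ".join(bad))
    login = expand(login_template, guest)
    password = encode_password(expand(password_template, guest), hashed)
    return login, password


if __name__ == "__main__":
    print(build_account(GUEST, "%lastname%%roomnumber%", "%firstname%"))          # ('dupond123', 'jean')
    print(build_account(GUEST, "Chambre%roomnumber%", "%firstname%", hashed=True))
```

If the hotel's guests can see each other's room numbers and names, a login template built only from those fields lets one guest attempt another guest's account; adding %guestnumber%, which is not displayed to other guests, raises the bar without changing the mechanism.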


5.7.7. Configuring the PPS service

The UCOPIA controller interfaces with PPS (Pre-paid System) products. This type of product works with
cards that users buy (pre-paid cards). Each card is associated with a connection time.

There is a UCOPIA portal mode dedicated to this feature (see Section 5.4.1.6.1, “Graphical customization
and creation of visual models”).

Warning

PPS interface works with StreamWIDE servers. To use any other PPS, contact UCOPIA Communi-
cations.

The PPS/UCOPIA dialogue runs as follows:

1. The user authenticates to the UCOPIA portal by entering the card number and the captcha code
(picture displaying a word of 8 characters).
2. UCOPIA -> PPS : the card number is used to request time credits from the PPS server. The PPS allo-
cates time in renewable blocks of N seconds. The user’s account is automatically created in UCOPIA.
The user’s login will be the GUID number supplied by the PPS linked to the card number. The pass-
word will be the captcha code. The group will be that defined by default during portal configuration.
On the portal, users can see the connection time for the card and the amount of time used.
3. UCOPIA -> PPS : when users disconnect, UCOPIA sends to the PPS the connection time used by
the user. The user’s account is automatically deleted from the UCOPIA account database.

To implement the PPS interface, click on the “PPS” item in the sub-menu. The following page is dis-
played:

Figure 5.195. PPS system configuration

The parameters need to be set allowing a connection to be established with the PPS. To do so, check
the “Enable PPS” box. The following form is displayed:


Figure 5.196. Configuring the PPS connection settings

The following fields need to be filled in:

• PPS version: 1.3.6 and 1.5

• XMLRPC Interface URL: The URL points to the PHP file which contains the XMLRPC server that
handles requests (session start, request for time credit, session end, card validity, etc.).

Example: http://@IP/ppsxml/prepaid.xml_rpc.server.php
• APN Address: name of the Internet server that provides the service, e.g.: gprs.streamwide.com.

• Sub-traffic label: sub-traffic of the DATA traffic. Takes the value DATA.

• IP: Trunk IP address used to initiate the connection with the PPS, 10.10.10.10 by default.

• Billing mode: read-only field corresponding to the billing method. This is billing by time (TIME).

Click on “Confirm”

5.7.8. Configuring the DPSK service

This module configures a UCOPIA portal with the DPSK (Dynamic Pre-Shared Key) feature from
Ruckus (Wi-Fi infrastructure solution).


Figure 5.197. DPSK service operation principles

To configure the Ruckus DPSK service, click on the “DPSK” item on the sub-menu. The following page
is displayed:


Figure 5.198. Configuring the DPSK service

Click the “Add” button to create a new DPSK configuration.

Figure 5.199. Example of a Ruckus DPSK configuration

• Configuration name: a simple label used in the DPSK configuration table.

• IP address or DNS name: IP address or name of the Ruckus ZoneDirector.

• Password: the password previously configured on the Ruckus controller.

• Name of secured WLAN: Wi-Fi network name (SSID) of the Ruckus access points.

• Secured portal VLAN number: the incoming VLAN on which the user will be connected.

• DPSK key length: between 8 and 62 characters. It must be long enough to provide adequate
security while still allowing users to enter it manually if need be; a key at the 8-character
minimum offers little margin against guessing, so favour the longer end of the range.

The list of configurations is displayed:


Figure 5.200. List of DPSK configurations

To edit or delete a row, use the edit and delete icons in that row.

5.7.9. Configuring social networks

To configure a social network account, click on the “Social network” item on the sub-menu.

Figure 5.201. List of social network configurations

Click “Add” to create a new social network configuration: Facebook, Google, LinkedIn, Twitter
or OpenID Connect.


Figure 5.202. Social networks configuration example

• Type of application: select the type of application to configure.

• Application name: internal name used to identify the application.

• Comment: optional.

• Name of secured WLAN: secured Wi-Fi network name (SSID).

• Application key: public key given when the application was created on the social network (in the
management pages of that application). Its name differs from one social network to another.

• Secret key of the application: private key.

• Redirection domain: name of the domain to which the user is redirected.

To create a OpenID Connect configuration, complete the additional fields:


Figure 5.203. OpenID Connect configuration example

• Resource URL: OpenID Connect applications publish metadata describing their configuration.
To simplify implementation and increase flexibility, OpenID Connect allows the use of a
'Discovery Document', a JSON file served at the resource URL of the application server, containing
the key-value pairs that describe the configuration of the OpenID Connect application,
in particular the authorisation, access token and user information URLs. Example:
https://server.example.com/.well-known/openid-configuration

• Authorisation URL: the URL of the authorisation server used to validate the access
token. Example: https://server.example.com/connect/authorize

• URL of the access token: the URL from which the access token is obtained. Example:
https://server.example.com/connect/token

• URL of user information: the URL of the authorisation server used to retrieve the user
information. Example: https://server.example.com/connect/userinfo

• Scopes: list of scopes that this application manages. The application MUST manage at least
the [openid] scope. Scope values must be separated by spaces. Example: [openid profile
email address phone]

• Redirection domain: name of the domain to which the user is redirected.
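Before copying the discovery document's URLs into the portal configuration, it is worth checking that they are consistent: every endpoint should be served over HTTPS from the issuer's own host, and the configured scope list must contain openid and only advertised scopes. The following is an added example, not code from the guide or from UCOPIA; the discovery document it parses is a constructed sample shaped like the one served at the resource URL above (the field names issuer, authorization_endpoint, token_endpoint, userinfo_endpoint and scopes_supported are the standard OpenID Connect Discovery names).

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document (same shape as the JSON served at
# https://server.example.com/.well-known/openid-configuration); illustrative only.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://server.example.com",
    "authorization_endpoint": "https://server.example.com/connect/authorize",
    "token_endpoint": "https://server.example.com/connect/token",
    "userinfo_endpoint": "https://server.example.com/connect/userinfo",
    "jwks_uri": "https://server.example.com/.well-known/jwks.json",
    "scopes_supported": ["openid", "profile", "email", "address", "phone"],
    "response_types_supported": ["code"],
})

# The three endpoints the portal configuration asks for.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def parse_discovery(doc_text, expected_issuer):
    """Parse a discovery document and extract the endpoints the portal needs.

    Returns (fields, problems). A non-empty problems list means the document
    should not be trusted as-is: wrong issuer, plain-http endpoint, or an
    endpoint hosted somewhere other than the issuer.
    """
    doc = json.loads(doc_text)
    problems = []
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    issuer_host = urlparse(issuer).hostname

    fields = {}
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        u = urlparse(url)
        if u.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if u.hostname != issuer_host:
            problems.append(f"{key} host {u.hostname} differs from issuer host {issuer_host}")
        fields[key] = url
    fields["scopes_supported"] = list(doc.get("scopes_supported", []))
    return fields, problems


def check_scopes(requested, supported):
    """Validate the space-separated scope list entered in the portal configuration."""
    scopes = requested.split()
    problems = []
    if "openid" not in scopes:
        problems.append("scope list must include 'openid'")
    for s in scopes:
        if s not in supported:
            problems.append(f"scope {s!r} not advertised by the provider")
    return problems


if __name__ == "__main__":
    fields, problems = parse_discovery(SAMPLE_DISCOVERY, "https://server.example.com")
    print(fields, problems)
    print(check_scopes("openid profile email address phone", fields["scopes_supported"]))
```

The host check is the part that matters most operationally: a discovery document that points the token or userinfo endpoint at a different host than the issuer is either a misconfiguration or a substituted document, and either way the portal would be sending codes and tokens to the wrong place.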

5.8. Configuring interfaces with the UCOPIA controller

For monitoring, UCOPIA offers standard communication interfaces such as SNMP and Syslog.

Click on the “Interfaces with the controller” item shown on the left-hand side of the window. The
following sub-menu is displayed with the options shown:


Figure 5.204. Items on the UCOPIA Interfaces menu

5.8.1. SNMP Interface

UCOPIA controllers include an SNMP agent, which means they can be monitored from an SNMP-compatible
monitoring tool (called an SNMP Manager).

A MIB (Management Information Base) complying with the MIB-2 standard is provided to enable the
dialogue between the monitoring tool and the UCOPIA agent.

To set up the SNMP interface, click the “SNMP” item of the sub-menu. The following page is
displayed:

Figure 5.205. Configuring the SNMP interface

Note

To authorize access to the SNMP interface, refer to Section 5.1.7.1, “Access to the controller”.

Tip

The UCOPIA MIB is downloadable by clicking on the "Download controller’s MIB" link.

5.8.1.1. SNMP agent configuration

This panel lets you configure access to SNMP resources, according to the client's SNMP version.


Figure 5.206. SNMP agent configuration

You can activate either version (V2 or V3), or both, and for each of them set the parameters for read-only
and read/write access.

• SNMP version 2 settings

• SNMP version 3 settings

To configure the settings of a version, check the corresponding box.

Figure 5.207. SNMP settings configuration

• Community name (version 2): an SNMP request contains a so-called community name, which
is used as a password. On many devices, the default value of the community is public or private.
For security reasons, you should change this value. Different community names can be defined
for read and for write access.

• Security level (version 3): with or without authentication, with or without encryption.

• Limit access to OIDs: lets you block access to certain information otherwise accessible via SNMP.

5.8.1.2. Configuring SNMP alerts

UCOPIA alerts (“traps”) are used to monitor the controller's state, and the set of active services (web
server, LDAP directory, RADIUS server, etc.).


1. First define the SNMP receivers of these alerts: click on “Add receiver” and set the receiver's
SNMP version, IP address and protocol.

2. Then choose the controller events that will trigger an alert:

• Network interfaces: a network interface changes status.

• Disk space: available disk space falls below a specified value.

• System load: the system load rises above a defined level on one of the reference periods: 1
minute, 5 minutes, 15 minutes.

The values shown are multiplication factors applied according to the number of CPUs on
the controller: on a controller with 4 CPUs, the value is multiplied by 4 to obtain the actual
threshold.

• Swap space (SWAP): swap usage rises above a given volume. Swap usage should remain
minimal at all times on the controller.

3. Finally, check the boxes corresponding to the services to monitor.

5.8.2. Syslog Interface

Certain system events contained in the UCOPIA Syslog file can be exported to an external Syslog server.

To export Syslog events, click on the “Syslog” item in the sub-menu on the left-hand side of the window.

Figure 5.208. Syslog export

Check the “Activate the externalization of Syslog logs” box and fill in the following fields:


Figure 5.209. Configuration of Syslog export

• Host: IP address of the Syslog server.

• Port: port number used to communicate with the Syslog server.

• Host name sent: the device name that will be visible in the syslog. It can be either the name of
the controller currently configured on the interface, or you can enter a specific name.
• Syslog template: allows you to specify the format of each line of the Syslog file using numerous
patterns.

Example:

Default template: %$year% %timegenerated% %hostname% %syslogtag%%msg%

Information: %syslogpriority% %syslogfacility% %timegenerated% %hostname% %syslogtag%%msg%

Template that can be used for MySQL databases: %iut% %msg:::UPPERCASE% %timegenerated:::date-mysql%

Template for the RFC 3164 format: <%PRI%>%timestamp% %hostname% %syslogtag%%msg%
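The templates above use the rsyslog property-replacer syntax, where each placeholder is %property[:from:to:options]%. To see concretely what each of the four templates produces for one controller event, here is an added example that renders them in Python; it is not code from the guide or from UCOPIA. The event is constructed from the first line of Example 5.1 below (year, facility and severity are assumed, since a syslog line does not carry them), and only the two options the guide's templates use (UPPERCASE and date-mysql) are implemented; the %iut% value of 1 is likewise an assumption.

```python
import re
from datetime import datetime

# The four templates quoted in the guide.
TEMPLATES = {
    "default": "%$year% %timegenerated% %hostname% %syslogtag%%msg%",
    "information": "%syslogpriority% %syslogfacility% %timegenerated% %hostname% %syslogtag%%msg%",
    "mysql": "%iut% %msg:::UPPERCASE% %timegenerated:::date-mysql%",
    "rfc3164": "<%PRI%>%timestamp% %hostname% %syslogtag%%msg%",
}

# %name% or %name:from:to:options%  (from/to are accepted but ignored here)
_PROP = re.compile(r"%(\$?[A-Za-z_]+)(?::([^:%]*):([^:%]*):([^%]*))?%")


def sample_event():
    """Constructed event matching 'Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ...'.

    The leading space of msg is deliberate: syslog keeps it, which is why the
    templates write %syslogtag%%msg% with no space in between.
    """
    return {
        "timegenerated": datetime(2024, 1, 3, 11, 22, 23),  # year assumed
        "hostname": "controller",
        "syslogtag": "php[8306]:",
        "msg": " (/admin/index.php) ### AUDIT : START",
        "facility": 1,   # assumed: user-level
        "severity": 6,   # assumed: informational
    }


def rfc3164_time(dt):
    """RFC 3164 timestamp 'Mmm dd hh:mm:ss'; the day is space-padded to two characters."""
    return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"


def render(template, event):
    """Expand the placeholders of a template from an event dict."""
    dt = event["timegenerated"]
    props = {
        "$year": str(dt.year),
        "timegenerated": rfc3164_time(dt),
        "timestamp": rfc3164_time(dt),
        "hostname": event["hostname"],
        "syslogtag": event["syslogtag"],
        "msg": event["msg"],
        "syslogfacility": str(event["facility"]),
        "syslogpriority": str(event["severity"]),
        # RFC 3164 PRI is facility * 8 + severity
        "PRI": str(event["facility"] * 8 + event["severity"]),
        "iut": "1",  # assumed info-unit type used by the MySQL schema
    }

    def substitute(m):
        name, opts = m.group(1), m.group(4) or ""
        value = props[name]
        if opts == "UPPERCASE":
            value = value.upper()
        elif opts == "date-mysql":
            value = f"{dt:%Y%m%d%H%M%S}"
        elif opts:
            raise ValueError(f"unsupported option {opts!r}")
        return value

    return _PROP.sub(substitute, template)


def render_all(event):
    """Render every template for one event; returns {template name: line}."""
    return {name: render(tpl, event) for name, tpl in TEMPLATES.items()}


if __name__ == "__main__":
    for name, line in render_all(sample_event()).items():
        print(f"{name:12s} {line}")
```

The rendered RFC 3164 line starts with <14>, which is exactly what a receiving syslog server uses to classify the message; if your collector files UCOPIA events under an unexpected facility, this is the first place to look.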

Then, select the types of events to export:

• Address server (DHCP)

• RADIUS server

• Automatic disconnection server

• Authentication server

• PMS Client

• Shibboleth

• Audit: all administration operations performed are logged in syslog format. These are the operations
performed by the administrators and the delegate administrators. CLI operations carried out
are also logged.


Example 5.1. Sample Syslog logging: Admin

Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : START
----------------------------------------
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : admin = admin from remote_IP = 10.1.255.238 is making a [captive portal configuration] with following parameters :
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [ajax] = [no]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [action] = [mod_config]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [config_id] = [1]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [config_type] = [portal]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [config_name] = [default-portal]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [portal_type] = [internal]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [format0] = [laptop]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [1] = [de]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [2] = [en]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [3] = [es]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [modes0] = [standard]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [paypal_send_sms] = [no]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [default_lang] = [fr]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [display_lang0] = [fr]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [4] = [it]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [5] = [nl]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [6] = [pt]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [7] = [pl]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [8] = [zh_CN]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [9] = [ar_LB]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : END
----------------------------------------


Example 5.2. Sample Syslog logging: Deleg

Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : START
----------------------------------------
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : admin = admin from remote_IP = 10.1.255.238 is making a [save_users] with following parameters :
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [action] = [save_users]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [login] = [pp33]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [password] = [******]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [lastname] = [p]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [firstname] = [p]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [profile] = [profile_1]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [multidevice] = [1]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [validityvalidity_type] = [alwaysvalid]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [schedule] = [L00-24*M00-24*R00-24*J00-24*V00-24*S00-24*D00-24]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [mode] = [standard]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : END
----------------------------------------

Example 5.3. Sample Syslog logging: Cli

Jan 3 11:33:38 controller clish: ### AUDIT : START
----------------------------------------
Jan 3 11:33:38 controller clish: ### AUDIT : Admin = admin from remote_IP = 10.1.255.237 is making a following configuration :
Jan 3 11:33:38 controller clish: ### AUDIT : Complete command = enableLogLevel pms DEBUG
Jan 3 11:33:38 controller clish: ### AUDIT : With following parameters :
Jan 3 11:33:38 controller clish: ### AUDIT : [level] = DEBUG
Jan 3 11:33:38 controller clish: ### AUDIT : END
----------------------------------------

Click on “Confirm”.
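Once the audit events reach an external Syslog server, the three formats above (admin, delegate and CLI) can be turned into structured records and checked: for instance, that every administrative action came from an expected management network, and that password parameters were indeed masked as [******] before leaving the controller. The following parser is an added example written for this guide, not UCOPIA's own tooling; the log lines it runs on are constructed from Examples 5.1 to 5.3 (wrapped lines rejoined, some parameters omitted), and the 10.1.255.0/24 management network used in the usage is an assumption taken from the remote_IP values in those examples.

```python
import ipaddress
import re

# Constructed sample: a subset of the lines from Examples 5.1, 5.2 and 5.3 above.
SAMPLE_LOG = """\
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : START
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : admin = admin from remote_IP = 10.1.255.238 is making a [captive portal configuration] with following parameters :
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [action] = [mod_config]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : [config_name] = [default-portal]
Jan 3 11:22:23 controller php[8306]: (/admin/index.php) ### AUDIT : END
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : START
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : admin = admin from remote_IP = 10.1.255.238 is making a [save_users] with following parameters :
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [login] = [pp33]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : [password] = [******]
Jan 3 11:57:12 controller php[28550]: (/deleg/api_ajax.php) ### AUDIT : END
Jan 3 11:33:38 controller clish: ### AUDIT : START
Jan 3 11:33:38 controller clish: ### AUDIT : Admin = admin from remote_IP = 10.1.255.237 is making a following configuration :
Jan 3 11:33:38 controller clish: ### AUDIT : Complete command = enableLogLevel pms DEBUG
Jan 3 11:33:38 controller clish: ### AUDIT : With following parameters :
Jan 3 11:33:38 controller clish: ### AUDIT : [level] = DEBUG
Jan 3 11:33:38 controller clish: ### AUDIT : END
"""

# One AUDIT line: timestamp, host, emitting process (php script or clish), body.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<src>php\[\d+\]: \(\S+\)|clish:) ### AUDIT : (?P<body>.*)$"
)
# "admin = X from remote_IP = Y is making a [action] ..." (web) or
# "Admin = X from remote_IP = Y is making a following configuration :" (CLI)
ACTOR = re.compile(
    r"(?i)^admin = (?P<admin>\S+) from remote_IP = (?P<ip>\S+) is making a "
    r"(?:\[(?P<action>[^\]]*)\]|following configuration)"
)
PARAM = re.compile(r"^\[(?P<key>[^\]]+)\] = \[?(?P<value>.*?)\]?$")  # [k] = [v] or [k] = v
COMMAND = re.compile(r"^Complete command = (?P<cmd>.*)$")


def interface_of(src):
    """admin web UI, delegate web UI or CLI, derived from the emitting process."""
    if src.startswith("clish"):
        return "cli"
    return "deleg" if "/deleg/" in src else "admin"


def parse_audit(text):
    """Group AUDIT lines into one record per START..END block.

    Blocks are keyed by (host, emitting process); two CLI sessions on the same
    host would share a key, which is a limitation of this sample format.
    """
    open_blocks, records = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, body = (m["host"], m["src"]), m["body"].strip()
        if body == "START":
            open_blocks[key] = {"time": m["ts"], "host": m["host"],
                                "interface": interface_of(m["src"]), "params": {}}
            continue
        rec = open_blocks.get(key)
        if rec is None:
            continue  # line outside a START..END block: ignore
        if body == "END":
            records.append(open_blocks.pop(key))
        elif (a := ACTOR.match(body)):
            rec["admin"], rec["remote_ip"] = a["admin"], a["ip"]
            rec["action"] = a["action"]  # None for CLI until the command line arrives
        elif (c := COMMAND.match(body)):
            rec["action"] = c["cmd"]
        elif (p := PARAM.match(body)):
            rec["params"][p["key"]] = p["value"]
    return records


def from_outside(records, allowed_nets):
    """Records whose remote_IP is not inside any of the allowed management networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [r for r in records if "remote_ip" in r
            and not any(ipaddress.ip_address(r["remote_ip"]) in n for n in nets)]


def unmasked_secrets(records):
    """(interface, parameter) pairs whose name suggests a secret but whose value is not masked."""
    return [(r["interface"], k) for r in records for k, v in r["params"].items()
            if ("password" in k.lower() or "secret" in k.lower()) and set(v) != {"*"}]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_LOG)
    for r in recs:
        print(r["interface"], r.get("admin"), r.get("remote_ip"), r.get("action"), r["params"])
    print("from outside 10.1.255.0/24:", from_outside(recs, ["10.1.255.0/24"]))
    print("unmasked secrets:", unmasked_secrets(recs))
```

The two checks at the end are the ones that matter for a security operations team: an administrative action originating outside the management network is worth an alert on its own, and a non-masked password parameter would mean credentials are being written to a remote log server.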

174
Configuring active elements

6 Configuring active elements


The active elements mentioned in this section are either Wi-Fi access points or switches that user
workstations are associated with or connected to.

6.1. Configuring Wi-Fi access points


Access points must be configured to fit with the network infrastructure of which they will form part.

Configuration further depends on the authentication methods selected and the encryption options.

The following configurations are to be carried out:

• For a “standalone” access point, allocate a fixed IP address to the access point (e.g.: 192.168.100.200).

• Define one or more SSIDs.

More than one SSID is defined if more than one authentication method is to be implemented on
the same access point, one per SSID.

For example, one SSID can be defined with open access and portal authentication, and another
SSID with 802.1x/EAP authentication.

One VLAN is associated with each SSID.

Warning
The access point needs to support the multiple SSID/VLAN function.

• Configuration for 802.1x/EAP authentication.

The IP address of the RADIUS authentication server (e.g.: 192.168.100.254) and the shared
secret with this server must be configured.

• Standard wireless encryption configuration.

Enable WEP or WPA/WPA2 PSK (TKIP or AES) or 802.11i.

6.2. Configuring switches


When creating the new Wi-Fi network, user traffic must be isolated in new VLANs, so that the UCOPIA
controller sits at the boundary between the WLAN and the LAN/WAN network. As seen above, each SSID
created on the access points corresponds to one new VLAN, which must be carried on each of the active
elements connecting the access point to the eth1 (IN) interface of the UCOPIA controller.

VLANs are carried by declaring their VIDs on each switch in the chain. These VIDs are
those that were created on the access points (e.g.: VID 2: prompt/portal, VID 3: administrators/802.1X
and VID 4: terminal administration).

Warning
The VID of eth0 (OUT) interface for the UCOPIA controller must be different from the VID of eth1
(IN) interface.

On these switches, several port types must be configured. If there are several switches in the chain,
the VIDs must also be allocated to the STACK ports.


On the switch where the UCOPIA controller is connected, the ports to be configured are those where
the following are connected:

• The UCOPIA eth1 (IN) interface;

• “Standalone” access points or the OUT interface for the Wireless controller (thin AP).

The 802.1q encapsulation or TRUNK mode must be enabled for each of these physical ports, as must
the Wi-Fi VLAN and the terminal administration VLAN.

Example:

The output of the UCOPIA controller is connected to the existing LAN on VLAN 1. Incoming VLANs 2
and 3 have been declared on the controller, each corresponding to one SSID created on the access
point. We also want to isolate the RADIUS authentication traffic on the terminal administration VLAN. To
achieve this, we declare VLANs 2, 3 and 4 in the VLAN database of each switch, then declare the trunks
as follows on each physical port connecting access points, Wi-Fi controllers, the eth1 interface of the
UCOPIA controller and the STACK ports:

• UCOPIA ports and access points: VLAN 2: TAG, VLAN 3: TAG, VLAN 4: UNTAG

• Switch STACK ports: VLAN 2: TAG, VLAN 3: TAG, VLAN 4: TAG
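The VLAN plan above has a few invariants that are easy to break when several switches are involved: the OUT VID must differ from the IN VIDs, every user VLAN and the administration VLAN must be carried on every port along the path, stack ports carry everything tagged, and no port on the Wi-Fi side should carry the LAN VLAN, since that would let a client bypass the controller. The following checker is an added example, not part of the guide or of UCOPIA; the plan it validates is constructed from the example above (VLAN 1 out, VLANs 2 and 3 in, VLAN 4 administration) with hypothetical port names, and the "administration VLAN untagged on edge ports" rule is simply the convention of that example.

```python
from copy import deepcopy

# Constructed plan mirroring the guide's example; port names are hypothetical.
PLAN = {
    "controller": {"eth0_out_vid": 1, "eth1_in_vids": [2, 3]},
    "admin_vid": 4,
    "ports": {
        "sw1/ucopia-eth1": {"role": "edge", "tagged": {2, 3}, "untagged": 4},
        "sw1/ap1": {"role": "edge", "tagged": {2, 3}, "untagged": 4},
        "sw1/stack": {"role": "stack", "tagged": {2, 3, 4}, "untagged": None},
        "sw2/stack": {"role": "stack", "tagged": {2, 3, 4}, "untagged": None},
        "sw2/ap2": {"role": "edge", "tagged": {2, 3}, "untagged": 4},
    },
}


def port_vlans(port):
    """All VIDs a port carries, tagged or untagged."""
    vids = set(port["tagged"])
    if port["untagged"] is not None:
        vids.add(port["untagged"])
    return vids


def validate_plan(plan):
    """Return human-readable problems; an empty list means the plan is consistent."""
    issues = []
    ctl = plan["controller"]
    in_vids = set(ctl["eth1_in_vids"])
    out_vid = ctl["eth0_out_vid"]
    admin_vid = plan["admin_vid"]

    # Warning from the guide: the OUT VID must differ from the IN VID(s).
    if out_vid in in_vids:
        issues.append("eth0 (OUT) VID must differ from every eth1 (IN) VID")

    needed = in_vids | {admin_vid}
    for name, port in plan["ports"].items():
        carried = port_vlans(port)
        missing = needed - carried
        if missing:
            issues.append(f"{name}: VLAN(s) {sorted(missing)} not carried")
        # The controller is the divide between WLAN and LAN: the LAN VLAN has no
        # business on the Wi-Fi side of it.
        if out_vid in carried:
            issues.append(f"{name}: carries OUT VLAN {out_vid}, bypassing the controller")
        if port["untagged"] is not None and port["untagged"] in port["tagged"]:
            issues.append(f"{name}: VLAN {port['untagged']} both tagged and untagged")
        if port["role"] == "stack" and port["untagged"] is not None:
            issues.append(f"{name}: stack ports should carry all VLANs tagged")
        if port["role"] == "edge" and port["untagged"] != admin_vid:
            issues.append(f"{name}: administration VLAN {admin_vid} should be untagged on edge ports")
    return issues


def leaky_plan():
    """Constructed bad case: an access-point port that also carries the LAN VLAN."""
    bad = deepcopy(PLAN)
    bad["ports"]["sw2/ap2"]["tagged"].add(1)
    return bad


if __name__ == "__main__":
    print("good plan:", validate_plan(PLAN))
    print("leaky plan:", validate_plan(leaky_plan()))
```

Running this against the switch export before cutover is cheap; the "bypassing the controller" case in particular is the one a reviewer should look for, because everything else still appears to work when it is present.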

176
What’s next

7 What’s next
Once UCOPIA Express and the active elements have been installed and configured, the user profiles
and users need to be created. See the “Administration Guide UCOPIA Express”. To connect through
UCOPIA over Wi-Fi (or a wired connection), see the “Portal User Guide UCOPIA”.
