Universal access method (UAM) has become a popular method for network service providers, particularly Wi-Fi service providers, to grant or deny access to more network resources to users connected to the wired or wireless networks they manage. UAM involves presenting a web page in a browser to the connected users, so that the users can log in to access more network resources.
UAM is also one of the authentication methods supported by the EWS controller, besides other authentication methods such as 802.1X authentication and auto login by the controller based on the MAC addresses and/or IP addresses of the devices used. Furthermore, the EWS controller also supports customization of the behavior of UAM through a UAM filter and provides a UAMD log.

Cross Gateway Roaming is a powerful feature on the Controller that allows an authenticated end user to roam seamlessly within a large network deployment where multiple WLAN controllers are in service at different locations. Note that "authenticated end user" here refers to an end user that has been authenticated by any of the internal/external authentication options on the Controller. 
Normally, when a user moves from an edge AP managed by one Controller to another edge AP managed by another Controller, the user would experience network disconnection and have to re-login. However, with Cross Gateway Roaming, the user can stay logged in to the network and continue to enjoy network access without interruption.
Cross Gateway Roaming adopts a star topology that consists of one Master Node that sits at the center and multiple Slave Nodes that connect to it. One Master Node may connect with up to 15 Slave Nodes. A Controller can be in Master Mode or Slave Mode depending on its Cross Gateway Roaming settings. 
This technical guide aims to explain the setup flow of Cross Gateway Roaming on the Controller. Below are two exemplary network deployments that deploy Cross Gateway Roaming so that authenticated users could seamlessly roam within the larger network.

With support for authentication, authorization, and accounting (AAA), the controller allows network administrators to effectively manage network access, control network usage and monitor user activities.
In this technical guide, the authentication flow on the controller is illustrated using a flowchart. With this flowchart, readers would be able to understand the order in which authentication methods are presented on the controller, so they could better plan the authentication methods they'd like to leverage as well as better understand how they could troubleshoot if necessary.
Furthermore, as will be seen from the flowchart, a variety of authentication methods are available on the controller for network access control, including web-based, 802.1X, WISPr and MAC authentication. How each authentication method works and where to configure its settings are also explained.   


Virtual private networks (VPNs) provide a way for secure connections to be established across the public network by tunneling the traffic. VPNs generally fall into two types — remote-access VPN and site-to-site VPN. Remote-access VPNs can be used to securely connect a host to a private network. For example, companies can allow staff to remotely access the file servers or other resources on the headquarters' intranet from an outside network using remote VPNs. With site-to-site VPNs, separate private networks could be joined for data sharing or other purposes. For example, private networks of different office branches of a company or even private networks of different companies can be joined.   
  • The Site-to-Site VPN feature on the controller is introduced, and guidance on how to build and configure an exemplary site-to-site VPN is provided through step-by-step explanations.
  • The Remote VPN feature on the controller is introduced, and guidance on how to set up and configure remote VPNs on the controller as well as on client devices is provided.

This technical guide provides information on where to find the log data, where to set up automatic notification, and how to view the logs for the EWS controller. 

There are multiple types of logs and reports in the Controller, as described in the following:
a.  CAPWAP Log
b.  Configuration Change Log 
c.  Local Monthly Usage 
d.  Local Web Log 
e.  Micros Opera Log 
f.  On-Demand Billing Report 
g.  RADIUS Server Log 
h.  SIP Call Usage Log 
i.  SMS API Log 
j.  System Log 
k.  UAMD Log 
l.  User Events 
For all the logs described above, “Notification” works as a central data processor that sends log entries to configured external systems (including administrators’ email boxes, FTP servers, and SYSLOG servers) at certain timed intervals.

MAC address-based access control grants or denies users' access to the network based on the MAC addresses of users' devices. On the controller, there are three types of MAC address-based access control available – MAC Authentication (by Service Zone), MAC Privilege List, and MAC Access Control List. 

In this guide, the mechanisms of these different MAC address-based access control options are explained and a comparison between them is given. Possible scenarios for these MAC address-based access control options are also illustrated. Moreover, step-by-step configuration guides are provided to facilitate the configuration process.

This article is aimed at explaining the practical setup flow of “User Bandwidth Throttling”, which is a new feature available in version 3.43 for all EWS series. The newly added feature allows network administrators to enforce double QoS policies on users, providing greater flexibility in traffic control, especially for guest users. For all authentication options, especially Guest Authentication and Social Media Login for now, the time-based bandwidth throttling feature, as a part of the policy profile, is the win-win solution for providing free Wi-Fi service in public areas.

This technical guide should help network administrators to easily set up and configure bandwidth limitation for all users in the network.

This technical guide is written for network managers who would like to integrate on-demand authentication on the Controller with third-party property management systems (PMS) such as Micros Opera.

For PMS other than Micros Opera, a table of attributes is provided in this guide for system integrators to achieve integration with the Controller. Implementation examples are also given to help system integrators plan and carry out integration. 

With such integration, the following can be achieved:
1. Check-in information entered into the PMS by the hotel receptionist can be used as Wi-Fi login credentials
2. Data usage of each logged-in guest can be monitored and managed from the Controller
3. The Controller can send the billing plan rate the user chose to the PMS as part of the check-out information
After reading this document, the reader should have a clear understanding of how user data from an existing PMS can be used in authenticated Wi-Fi services and how to pragmatically set up the integration on the Controller.

The Edgecore Gateway Controller series supports SMS Gateway integration. The On-Demand account credentials can be sent to the users by SMS text messages. This technical document provides detailed configuration steps for integrating SMS services with the SMS Gateway.

This technical guide aims to explain the configuration flow for a powerful feature offered by Edgecore wireless controllers. From the Web Management Interface (WMI), administrators can easily upload their own images and HTML files for a personally branded login page. An HTML Sample File can be downloaded from the WMI for customization. In addition, the controller also provides an instant preview of the currently configured Login Page.

User Policy can be applied to network users to govern their network usage. User Policy consists of four parts – Firewall, Privilege, QoS and Specific Routes. Each part has multiple profiles available for setup, and a particular User Policy takes one profile from each of Firewall, Privilege, QoS and Specific Routes, as defined by the administrator.

This guide explains the setup of Edgecore Wireless Controller to act as a RADIUS server for different applications. In this guide, two scenarios will be illustrated: 

1. Using the Wireless Controller as an external RADIUS server (Local and/or On-Demand databases) for a remote gateway 

2. Using the Wireless Controller as a RADIUS server in 802.1X authentication (transparent login)

Note that for the first scenario, the remote gateway can be an Edgecore Wireless Controller or a third-party controller, and multiple remote gateways can be set up. Detailed configurations are shown in the following chapters.

This technical guide provides the administrator with instructions on how to set up the scenarios above for different applications. Verification from the client side is also shown at the end of the document.

Service Zones are virtual partitions of the physical LAN side of a Controller. Similar to VLANs, Service Zones can be separately managed and defined with their own user landing pages, network interface settings, DHCP servers, authentication options, policies, security settings, and so on. By associating Service Zones with a unique VLAN Tag (when using tag-based mode) and an SSID, administrators can flexibly separate wired and wireless networks with ease.

Guest Authentication
The Guest Authentication option is specifically designed to provide users a quick and convenient way to access the network simply by entering a string of text as defined by the network administrator on the login page. This string of text can be, for example, user’s email or reservation number. Thus, this authentication option does not technically involve an account database or actual authentication. However, E-mail Verification can be configured so that users have to provide a valid E-mail address in order to activate their account.
Furthermore, usage constraints may be configured to control network usage of users authenticated by this authentication option.
  • Group: the Group that the clients will be assigned to after successful login, which will have a Policy profile mapping to the specific Service Zone applied
  • Guest Information: includes account email and answers to the questionnaire (if enabled), which can be viewed and downloaded for purposes such as network monitoring, data analysis or marketing. Entries will not be cleared automatically, but an email notification can be sent when there are 1000 entries remaining (11000/12000, maximum is 12000 entries)
          - Download: allows administrators to download guest information
          - Delete All: allows administrators to delete all the stored data; administrators can delete all entries after export to keep the list up-to-date.
  • Questionnaire: provides administrators an option to show questions on the login page, data collected from the questionnaire can be viewed in Guest Information
  • Guest Access Time: allows administrators to define a usage time constraint based on MAC addresses
          - Unlimited: there is no limit on the allowed usage time
          - 1 Day Access: clients are enforced with a usage time constraint
          - Multi-Day Access: clients are enforced with a usage time constraint
  • Quota: the permitted duration and volume for each client
  • Reactivation (1 Day Access only): the time period after a session expires that the clients have to wait before they can request a new session
  • Access Limit (1 Day Access only): how many times a device can request a free account per day
  • Email Verification: can be enabled to ensure that the entered email is a valid email address. Clients have to activate their account within the activation time to extend their usage time by clicking a link in the mail sent by the mail server. Note that the activation is merely a timer and does not add to the account’s Quota
  • SMTP Server Settings: assigns the SMTP server used to send the account redemption mail to clients. This SMTP server is shared with Guest Email Verification. Please refer to the “SMTP Settings” paragraph below. Taking Gmail as the SMTP server, the configurations are:
          - SMTP server address: smtp.gmail.com
          - SMTP port: 465
          - Encryption: SSL
          - Authentication: Login: Account Name: admin’s Gmail email address
          - Authentication: Login: Password: admin’s Gmail email’s password
          - Sender Email Address: admin’s Gmail email address
  • Sender Name: the Sender Name displayed in the client mailbox.
  • Activation Email Subject: the customizable email subject displayed in the client mailbox
  • Activation Email Content: the customizable email content displayed in the client mailbox (max. 2000 characters)
  • Activation Link: the name, with hyperlink, used to redeem the account in the client email content
  • Guest Quota List: displays how many allowances are remaining for the access-limited Guest accounts by MAC address and Email Address. (It is automatically refreshed daily at midnight, and the oldest entries are removed when the maximum is reached.)
  • Email Denial List: checks the email domains for login permission, if prevention of junk mailboxes is desired

The Sender Name, Email Subject, and Email Content (max. 2000 characters) are all customizable as soon as the SMTP server is ready. SMTP server configuration is done by clicking the “Assign SMTP Server” button.
SMTP Settings

Allows the configuration of 5 recipient E-mail addresses, to which various user-related logs will be sent, and of the necessary mail server settings.
  • SMTP Server: enter the IP address of the sender’s SMTP server.
  • SMTP Port: the port number is 25 by default. Administrator can specify it to be another port number if the SMTP server runs SMTP over SSL.
  • Encryption: enable this option if your SMTP server runs SMTP over TLS or SSL.
  • Authentication: the system provides four authentication methods, Plain, Login, CRAM-MD5 and NTLMv1, or None to use none of the above. Depending on which authentication method is selected, enter the Account Name, Password and Domain.
          - Plain is a standardized authentication mechanism that uses UNIX login and password.
          - CRAM-MD5 is a standardized authentication mechanism. This is used by Pegasus although the method to be used cannot be configured.
          - Login is a Microsoft proprietary mechanism and uses UNIX login and password. Outlook and Outlook Express use Login as default, although they can be set to use NTLMv1. It is used by Pegasus although the method to be used cannot be configured.
          - NTLMv1 is a Microsoft proprietary mechanism that is not currently available for general use.
  • Sender E-mail Address: the e-mail address of the administrator in charge of the monitoring. This will show up as the sender’s e-mail address.
  • Receiver E-mail Address (1 ~ 5): up to 5 E-mail addresses can be set up here to receive notifications.
  • Send Test E-mail: administrators can send a test email to the receivers’ mailboxes using the above configuration when setting up the SMTP server for the first time
Taking Gmail as the SMTP server as an example, the configurations are:
  • SMTP server address: smtp.gmail.com
  • SMTP port: 465
  • Encryption: SSL
  • Authentication: Login: Account Name: admin’s Gmail email address
  • Authentication: Login: Password: admin’s Gmail email’s password
  • Sender Email Address: admin’s Gmail email address
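
The SMTP fields above decide whether the mailbox password, guest e-mail addresses and log content are readable on the network path. The following check is an added example, not part of the controller or of the original guide; the dictionary keys and finding codes are assumed names for the page's fields, and the profiles are constructed.

```python
"""Added example: review SMTP profiles built from the fields listed above."""

BASE64_ONLY = {"plain", "login"}        # password is only base64-encoded in the SMTP dialogue
CHALLENGE_BASED = {"cram-md5", "ntlmv1"}  # a captured exchange allows offline password guessing


def audit_smtp(cfg):
    """Return a sorted list of finding codes for one SMTP profile."""
    enc = str(cfg.get("encryption", "none")).lower()
    auth = str(cfg.get("authentication", "none")).lower()
    port = int(cfg.get("port", 25))     # the page gives 25 as the default port
    encrypted = enc in {"ssl", "tls"}
    findings = set()

    if not encrypted:
        # Guest addresses, activation links and log content cross the network readable.
        findings.add("UNENCRYPTED_TRANSPORT")
        if auth in BASE64_ONLY:
            findings.add("PASSWORD_RECOVERABLE_ON_PATH")
        elif auth in CHALLENGE_BASED:
            findings.add("OFFLINE_GUESSING_POSSIBLE")
    if port == 465 and not encrypted:
        # 465 is the implicit-TLS submission port; a plaintext client will not interoperate.
        findings.add("PORT_465_WITHOUT_TLS")
    if auth == "none" and cfg.get("account"):
        # Credentials are stored on the controller but never used.
        findings.add("ACCOUNT_SET_BUT_AUTH_NONE")
    return sorted(findings)


# Constructed sample profiles (documentation address range and example.com domain).
PROFILES = {
    "page_gmail_example": {"server": "smtp.gmail.com", "port": 465,
                           "encryption": "SSL", "authentication": "Login",
                           "account": "admin@example.com"},
    "defaults_with_login": {"server": "192.0.2.25", "port": 25,
                            "encryption": "none", "authentication": "Login",
                            "account": "notify@example.com"},
    "ntlm_on_465": {"server": "192.0.2.26", "port": 465,
                    "encryption": "none", "authentication": "NTLMv1",
                    "account": "notify@example.com"},
}


def audit_all(profiles=PROFILES):
    """Audit every profile and return {profile name: finding codes}."""
    return {name: audit_smtp(cfg) for name, cfg in profiles.items()}


if __name__ == "__main__":
    for name, codes in audit_all().items():
        print(f"{name}: {', '.join(codes) or 'no findings'}")
```

The Gmail-style profile from the page (port 465, SSL, Login) produces no findings; the same Login mechanism on the default port 25 without encryption is the case to avoid.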

The Social Media Authentication technical guide is aimed at explaining the practical setup flow of Social Media Authentication on the Controller. Using social media accounts for authentication has become an upcoming trend in public Wi-Fi networks. The Social Media Authentication feature on the Controller allows users to log in with their existing social media accounts such as Facebook for Internet access without having to provide other credentials. With this technical guide, network administrators can easily set up and configure Social Media Authentication on the Controller for providing free Wi-Fi service to users.


How to identify the kind of "Failure Message" shown in the Configuration Status of the ECW7220-L/EWS4502 series and solve it, specifically for the country code?


1. The AP is managed by the AC, but the configuration status still displays 'Failure'.

System > WLAN > WLAN Configuration > Managed AP > Status > Summary

2. Users can check the reason for the failure on the 'Detail' page; here the error is in the Country Code setting.

System > WLAN > WLAN Configuration > Managed AP > Status > Detail


3. Please change to the correct country code.

System > WLAN > WLAN Configuration > Global > WLAN Switch


Check the country code of ECW7220-L.

Manage > Wireless Settings

*By default, if the ECW7220-L has been managed by the EWS4502, then the web management interface will be disabled.

Users may use the following command to enable/disable the web interface via the CLI.

ECW7220-L-7fa540# set web-server http-status up/down


4. After the country code is changed to the correct one, the configuration will be provisioned to the AP successfully.

System > WLAN > WLAN Configuration > Managed AP > Status > Summary




1. Set the Wired Network Discovery VLAN ID to 10. The Wired Network Discovery VLAN ID is the management VLAN that the AP will use to communicate with the AC controller after it has been successfully managed by the AC controller.

 (When the value is not set to zero, VLAN classification is enabled on ALL APs that use this profile.)


2. Modify the VLAN on the corresponding VAP that you want to enable (default VLAN is 1).


3. Then apply the profile for the configuration to take effect. (Remember to configure the corresponding VLAN on the switch first, before applying the profile.)

How to configure the AC cluster of EWS4502?
The EWS4502 with the highest priority in the same cluster becomes the Cluster Controller.
If the priority is the same, the switch with the lowest IP address will be the Cluster Controller.
The highest cluster priority is 255.
AC cluster Scenario

How to configure the cluster priority
Manage Page: System > WLAN > WLAN Configuration > Global
1. Configure the cluster priority of EWS4502-1 to 255.
*The highest cluster priority is 255, thus EWS4502-1 will become the Cluster Controller.

2. Configure the cluster priority of EWS4502-2 to 1.
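
The election rule stated above (highest priority wins, a tie goes to the lowest IP address) can be checked before the priorities are applied. This is an added example, not EWS4502 code; the peer addresses and the tuple layout are constructed, and the ranking beyond first place assumes the same rule is re-applied among the remaining peers.

```python
"""Added example: predict the Cluster Controller from planned priorities."""
import ipaddress

MAX_PRIORITY = 255  # highest cluster priority according to the page


def rank_peers(peers):
    """Rank (name, ip, priority) tuples: highest priority first, then lowest IP.

    Addresses are compared numerically. Comparing them as strings would put
    10.0.0.10 ahead of 10.0.0.9 and name the wrong switch.
    """
    parsed, seen = [], set()
    for name, ip, priority in peers:
        addr = ipaddress.ip_address(ip)      # ValueError on a malformed address
        if priority > MAX_PRIORITY:
            raise ValueError(f"{name}: priority {priority} exceeds {MAX_PRIORITY}")
        if addr in seen:
            raise ValueError(f"{name}: duplicate address {addr} makes the tie-break ambiguous")
        seen.add(addr)
        parsed.append((name, addr, priority))
    parsed.sort(key=lambda p: (-p[2], int(p[1])))
    return [name for name, _, _ in parsed]


def cluster_controller(peers):
    """Return the name of the peer that wins the election."""
    return rank_peers(peers)[0]


# Constructed inputs: priorities from the steps above, addresses from documentation ranges.
PAGE_SCENARIO = [("EWS4502-1", "192.0.2.2", 255), ("EWS4502-2", "192.0.2.1", 1)]
EQUAL_PRIORITY = [("AC-A", "10.0.0.10", 100), ("AC-B", "10.0.0.9", 100), ("AC-C", "10.0.0.100", 100)]

if __name__ == "__main__":
    print("page scenario :", cluster_controller(PAGE_SCENARIO))
    print("equal priority:", rank_peers(EQUAL_PRIORITY))
```

With equal priorities the result depends only on addressing, so a renumbered management subnet can silently move the Cluster Controller role; setting distinct priorities as in the steps above avoids that.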

How to check and ensure the cluster priority is applied
Manage Page: System > WLAN > Status/Statistics > Peer Switch
Users can see which AC is the current Cluster Controller and which AC will manage the AP.
1. Peer switch status of Cluster Controller EWS4502-1