Untitled Document
BlueBill Walled Garden System

The BlueBill walled garden setup comprises of a soft-RAS, a RADIUS AAA serer, DHCP server and NAT. Clients are allowed to access the Intranet freely. Any access to the Internet is permitted only after authentication and access control checks. The RAS logs the information required for billing in the AAA server. This can be used by the companion BlueBill Realtime Billing System for prepaid and postpaid billing.

System Configuration
In the simplest configuration, all the services includes AAA, RAS and NAT run on one hardware server. In larger configurations, each of these could run on its own server. In all configurations, redundancy is supported with warm standby.


The AAA servers will have two Ethernet cards (Eth0 and Eth1) with private and public IPs respectively. The local interface will be connected to the clients via ULC. Each ULCs can connect a number of client PCs. The client will be assigned a private IP under the respective ULC IP subnet.


The detailed description of the above setup:

  • The client is assumed to be a DHCP enabled Windows/Linux PC/Laptop
  • The Server runs DHCP server, RADIUS client and RADIUS server, IPtables services.
  • The DHCP server maintains a single IP pool
  • The IPtables rules in the server will masquerade the Internet IP of the client with the Global IP of the Server and forward the request.
  • When a client connects the PC/Laptop to the network, DHCP service running in the server will assign an IP. All Intranet services can be availed by the client with this IP.
  • In order to avail Internet service, the client has to click on the "Internet Access" link available in the home page.
  • The Link to be created in the Home page is : http://<serverIP>/
  • An authentication window will pop up requiring the username and password as input.
  • When a successfull authentication is done, then the ôLogin" button is replaced with the "Logout" button in the authentication window.
  • The username and password will be captured by RADIUS client (Perl CGI software) and communicates with the RADIUS server (ICRADIUS software) which does the authentication. The RADIUS server will also do the accounting (log the session detail in a database (MySQL).
  • If the authentication is successfull, the RADIUS client will trigger a perl API to add an IPtables rule to masquerade and forward the Internet request. (The default IPtables policy is to deny all traffic to Internet. Access will be allowed explicitly by adding the IPtables rules)
  • Normally, to stop the Internet access, the client will have to explicitly click on the "Logout" button available in the authentication window. This will delete the corresponding IPtables rule which had allowed Internet access for the client.
  • If the client does not logout, but remains idle, then the session will only be disconnected when the session-timeout occurs (notified by BlueBill time based billing to RADIUS server to RADIUS client). 14. If the client disconnects from the network or switches-off, then Internet access for the client will be cut-off (if no IP renewal request) by removing the corresponding IPtables rule.


The AAA server can be configured with the Minnow system for administration of the services and to provide redundancy of the AAA services. Minnow monitors the health of the AAA server and in case of failure of one server enables switchover of AAA services to the other server.





Nilgiri Networks - Software Development | Billing Software | BlueBill AAA | Minnow | Redundancy software | ERP Solution | E-Commerce Solution | webdesigning | web development | Tea Estate Management System | Tea Estate Management Software