To simplify your IACBOX experience this documentation will explain a wide array of basic settings and suggestions step by step.
The IACBOX can be installed on
- any Linux-compatible x86 hardware (ARM64 in public beta)
- or virtual machine (VMware, KVM, Hyper-V).
Hardware and VM requirements can be found here. Virtual environments share the same requirements, but may require additional settings which will be explained in their own documentation pages later on.
Basic Network Integration
The basic IACBOX network consists of 2 networks, the Office-LAN and the Surf-LAN. The Office-LAN provides the connection to the front router or firewall, which is used for the basic internet access of both the system itself and guest devices. The Surf-LAN, on the other hand, is the isolated network for guest devices. Traffic from the Surf-LAN is managed by the IACBOX. Put simply, this means that depending on the settings on the system, a guest device can access the internet without further restrictions.
With or without Management-LAN
Sometimes existing network infrastructures do not permit adding additional management devices like Access Points, Controllers, PMS Systems or Ticket Printers. For exactly this reason the IACBOX can make use of an optional third management interface called Management-LAN. So if the current network infrastructure does not allow you to add your ticket printers or PMS systems, you can move them into the IACBOX Management-LAN network. Note that the Management-LAN network does require a third physical network card.
The Management-LAN can be activated during the first installation of the IACBOX or later on. The exact process is explained in the corresponding documentation page, Management LAN.
Preparing the Installation
First, the BIOS settings of the hardware that is used for the IACBOX installation should be checked and adjusted.
- The SATA controller must be set to AHCI
- All kinds of network boot options should be disabled
- Both UEFI and legacy BIOS mode are supported, however UEFI is preferred
- On HP servers iLO should be disabled
In virtual environments this step can be skipped. Instead there are other recommended settings, depending on the virtualization platform used. Further details on virtualization and supported platforms can be found on the respective documentation page Virtualization.
In order to install the IACBOX on hardware or in virtual environments an installation medium is required. We do offer ISO and USB images for every new major release, which can be downloaded from our homepage. IACBOX partners and system builders may obtain the ISO or USB images via the my.IACBOX customer portal.
The ISO image can simply be burned on an empty CD. In order for USB sticks to work, it is required to mount the USB installation medium with a tool. A detailed description of the USB stick creation can be found here USB stick creation. After the USB stick has been created it is also possible to modify or create new default installation profiles, which will be further described later on.
The installation medium can be used on the new server to install the IACBOX. Note that some systems, for example those with existing operating systems, might not boot from the CD/USB stick. In that case, manually press the corresponding key to open the boot menu while the hardware is booting up. Usually this works with the F9 or F10 key; then select the USB stick or the CD drive to boot from.
The exact installation process is explained in detail on the respective documentation page Installation.
The IACBOX configuration is available in the so-called WebAdmin administration user interface, which can be accessed with a current browser of your choice. If the IACBOX was installed with a pre-defined unattended profile, the default IP address after the installation will be 192.168.1.1, which means the WebAdmin will be reachable at https://192.168.1.1.
First access to WebAdmin
- The WebAdmin can initially only be accessed from the Office-LAN side of the IACBOX. In the WebAdmin itself it is possible to enable access for Surf-LAN and Management-LAN.
- To access WebAdmin, open https://192.168.1.1 with a browser. Note that the leading https is important! For technical reasons there is no redirect from http to https.
- The default username and password for the WebAdmin login is sysop. The sysop password should be changed after the login. Right after the first login the page Users Settings will be shown for an easier change of the password.
After logging into the WebAdmin it is highly recommended to perform the basic network configuration and to apply the licensing information. Licensing information describes the registration number and registration password received from the IACBOX sales department.
- If no licensing information is being applied, the system will automatically shut down after 6 hours. In order to apply licensing information proceed with the network configuration, which is explained below, to grant access to the internet.
- This also applies if the system has no internet access to verify the license later on.
So before the licensing process, configure the basic network settings. To do so, navigate to the menu entry Network / Settings.
The DNS servers should preferably be the ones given by the internet service provider.
- Some public DNS servers like Google's 220.127.116.11 and 18.104.22.168 use rate limiting, which limits the DNS replies after a time. If DNS servers do not respond, guests cannot use the internet access anymore.
- If the DNS servers are not reachable, WebAdmin and also the Login Page can be slow, as many dependent services will run into timeouts because DNS is not working.
- Changing DNS servers will require a system restart, which can be done in the WebAdmin menu System / Services. If multiple changes require a restart then it is enough to restart only once at the end.
- The Hostname and Domainname are associated to the installed TLS certificate on the IACBOX.
- The range 172.17.0.0 - 172.17.127.255 is reserved for internal use and can not be used in any configuration.
The next step is to review the Office-LAN (eth1) configuration.
The Office-LAN interface acts as uplink, and is therefore the system's connection to the internet. Adapt the configuration according to the network at hand. The Default Gateway can either be a front router or a firewall and should not limit or block the connectivity for the IACBOX. If the system was installed with an unattended profile the IP address can also be changed on this page.
- After changing the IP address do not forget to update existing WebAdmin bookmarks.
- As for all network environments, overlapping network ranges or duplicated IP addresses are not permitted.
Click on the tab Surf-LAN (eth0) to review the Surf-LAN configuration.
- The default Surf-LAN configuration is set to what works best in most environments and does usually not have to be altered.
- By default the Surf-LAN uses the Protected range, which puts client devices into small supernets so they can not communicate with each other. This also avoids spoofing, so it is recommended to keep this setting enabled. If the unprotected range should be used, disable the Client/Client Protection in the WebAdmin menu Security / General.
- It is not recommended to enable WebAdmin access for the Surf-LAN; for the Management-LAN, on the other hand, it is common to do so.
An example of the Protected range Surf-LAN client subnet for the 172.29.15.254/20, which means that 4000 IP addresses are used to create subnets for 1000 hosts:
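The address rules from this section (no overlapping ranges, nothing inside the reserved 172.17.0.0 - 172.17.127.255 range, and the size of the Protected range), as an added Python example that is not part of the IACBOX software or its documentation. The function names, the /24 mask on the Office-LAN and the /30 per-client block size are assumptions; the /30 is inferred from the 4:1 ratio of addresses to hosts stated above, which works out to 4096 addresses and 1024 blocks for a /20.

```python
import ipaddress
from itertools import combinations

# Reserved for internal use by the IACBOX: 172.17.0.0 - 172.17.127.255 (from the page).
RESERVED = ipaddress.ip_network("172.17.0.0/17")


def check_plan(interfaces):
    """Return a list of problems for a {name: "address/prefix"} interface plan."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    problems = [
        f"{name} {net} overlaps the reserved range {RESERVED}"
        for name, net in nets.items()
        if net.overlaps(RESERVED)
    ]
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} {net_a} overlaps {b} {net_b}")
    return problems


def protected_capacity(surf_cidr, client_prefix=30):
    """Return (addresses in the Surf-LAN range, number of per-client blocks)."""
    net = ipaddress.ip_interface(surf_cidr).network
    blocks = sum(1 for _ in net.subnets(new_prefix=client_prefix))
    return net.num_addresses, blocks


def client_block(surf_cidr, client_ip, client_prefix=30):
    """Return the per-client block (assumed /30) that contains client_ip."""
    net = ipaddress.ip_interface(surf_cidr).network
    block = ipaddress.ip_network(f"{client_ip}/{client_prefix}", strict=False)
    if not block.subnet_of(net):
        raise ValueError(f"{client_ip} is outside the Surf-LAN range {net}")
    return block


if __name__ == "__main__":
    # Constructed plan: Office-LAN default address and Surf-LAN example from the
    # page; the Management-LAN address is chosen to hit the reserved range.
    plan = {
        "Office-LAN": "192.168.1.1/24",
        "Surf-LAN": "172.29.15.254/20",
        "Management-LAN": "172.17.10.1/24",
    }
    for problem in check_plan(plan):
        print("PROBLEM:", problem)
    print(protected_capacity(plan["Surf-LAN"]))
    # Two guest addresses in different blocks are not on-link with each other.
    print(client_block(plan["Surf-LAN"], "172.29.0.5"),
          client_block(plan["Surf-LAN"], "172.29.0.9"))
```

Running a planned address layout through `check_plan` before entering it in Network / Settings catches a reserved-range or overlap conflict before the restart that applies it.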
After this is done and the system was restarted, the system should now be connected to the internet. To test the connectivity open the WebAdmin and navigate to Network / Tools. Select Ping and perform it on a public domain or IP address, for example 22.214.171.124, to check the internet connection. If the ping is successful proceed with the next step, otherwise review the network configuration or check the firewall gateway.
Now navigate to the WebAdmin menu System / License and fill out the required license fields at the top of the page:
- The registration number
- The associated registration password
- Your administrator email address
- The company name and location
These settings will then be associated to the license. Also the selected MAC address will be used to identify and bind the hardware onto this license.
In case the online registration failed, it may be due to one or more of the below reasons:
- The internet connection is down or not plugged in
- The configured DNS servers are not resolving properly
- Incorrect system time (and therefore failed certificate checks)
- Missing ethernet interfaces (the IACBOX must consist of at least 2 active network interfaces)
- In some cases, firewalls may block or try to intercept TLS/SSL encrypted traffic. The interception of SSL/TLS has to be disabled for the IACBOX to get a working licensing and update.
- If the network interface cards change, the license needs to be unlocked from the MAC address by hand. This must be done manually by the system reseller or the IACBOX support team.
- In case the licensing does not work, check your firewall. The IACBOX must have unrestricted access. Also firewalls can cause the online registration to fail because of TLS interception and other security mechanisms.
After the licensing process the system will require a system restart, which can be done in the WebAdmin menu System / Services. It is highly recommended to start the Online Update in the WebAdmin menu System / Online Update, but before doing so note the following hints.
- The Online Update will download, extract and install all available updates. The system automatically performs a restart if necessary. Depending on the speed of the internet connection this process can take a considerable amount of time.
- The number of available updates depends on the Software Maintenance of this license.
- IACBOX will automatically search and install updates before the weekly restart.
Added in Version
Since v21.0 (p21280) there are more available settings to further control the online update:
- It is now possible to stop the online update at a specific version
- There are additional Settings to enable/disable the automatic updates
- It is now possible to select days and time-frames at which automatic online updates are allowed
More detailed information regarding the online update can be found in the respective documentation page Updates / Upgrades.
After the update process finished, continue with the basic configuration. Configure the SMTP server in the WebAdmin menu Network / Settings. The SMTP proxy should be avoided as it’s only needed for special cases. By using the Testmail function verify the settings and send an Email from within the WebAdmin. This setting is most important if it is required to send Emails, for example in the context of an Email authentication on the login page.
Navigate to the WebAdmin menu Settings / General. Fill out the Company Name, Website and Address.
Note that the Operation Mode should not be changed from Normal unless there are good reasons. The other available option Autologin will automatically generate Tickets for client devices and log them in. It is recommended to copy the configuration from within the screenshot, because later on it can be applied to pretty much all use-cases.
After the IACBOX is configured with the correct network settings, licensed and up to date, it is time to configure the Bandwidth Management. It is crucial to configure the Bandwidth Management, which can be found under Network / Settings, according to the available on-site bandwidth. To do so, test the bandwidth on-site at different times of the day in order to find the best values to use for Down- and Upload.
The IACBOX offers an incredibly wide array of modules and interfaces to cover the most common requirements out-of-the-box. In order for guests to access the internet, a Surf-Ticket is always required. Surf-Tickets can be generated manually beforehand (WebAdmin) or by guests (for example with the Facebook Login). Existing Surf-Tickets will always be listed in the WebAdmin menu Users/Tickets / Overview. In this menu it is also possible to log off or revoke existing tickets.
The following list contains some basic authentication possibilities:
- Ticket Login with Username and Password or only with a Password
- Login with Facebook, Google, Microsoft Account, Twitter or LinkedIn
- Authentication with existing PMS Systems
- SMS Login
- Email Login
- Business Account Microsoft 365 (Azure AD)
- Buy tickets with PayPal or Klarna (Midtrans or Doku for Indonesia)
- Authentication with data from various SQL Databases, AD/LDAP and Radius
The most commonly used authentication method in smaller environments is the Ticket Login. This means that guests have to enter a combination of Username and Password - or only a Password (also referred to as PIN Login) on the Customer Login Page. Tickets can be manually created by administrators in the WebAdmin of the IACBOX using the WebAdmin menu Users/Tickets / Create ticket. By using Ticket Templates it is possible to create tickets based on pre-defined default values, so-called templates.
After creating the ticket, it can be printed and given to guests as a hand-out.
In the Surf-LAN network of the IACBOX guests can now log in by using the Username and Password or by scanning the QR-Code as shown above. Note that the customization possibilities of the Customer Login Page will be explained later on.
In order to review, add and edit Ticket Templates, navigate to the WebAdmin menu Users/Tickets / Templates. There is a list with pre-defined default ticket templates.
Besides regular restrictions, a template must be enabled for each module to use it with. For example to manually create tickets in the WebAdmin, the checkbox for WebAdmin needs to be activated.
The Social Login is probably the most popular authentication. It allows guests to authenticate and create a Surf-Ticket by logging in with a social media account. The available options are:
In order to provide authentication for private Microsoft Accounts, you must obtain and install a custom Surf-LAN certificate on the IACBOX. The Microsoft authentication can only register a hostname to one single interface. This does not apply to Microsoft Business Accounts.
In a hotel environment a PMS System is often used to keep track of guest check-ins, check-outs and bookings. Property Management Systems, or PMS Systems for short, save data like the arrival or departure date, the full name, room numbers or even the birthday of a guest. Guests can use this information to authenticate.
While the Room Number is always required, it is possible to combine following data fields for the authentication:
- Name & Departure Date
- Name & Departure Date & PIN Code
- Name & Birthdate
- Name & Birthdate & PIN Code
- Name & Arrival Date
- Name & Arrival Date & PIN Code
- PIN Code
Guests then can choose between the available Ticket Templates which are configured for usage with the PMS Module. If ticket templates define a price, an according booking will be sent to the PMS system. This way guests can postpone paying tickets until checking out. The PMS manual can be found here.
The SMS Login enables guests to create a Surf-Ticket by using their mobile phone. In order to receive an SMS with the login credentials (Username and Password or just Password), the mobile phone number has to be entered on the Login Page.
An external SMS service is required to send the actual SMS. The IACBOX offers a list of supported vendors and also provides generic interfacing via HTTP or email.
Further information can be found in the SMS configuration manual.
The Email Login enables guests to authenticate by using an email address. To receive the login credentials (Username and Password or just Password), an email address has to be entered on the Login Page, so an email can be sent to this address.
- After the email address was entered on the Login Page, guests will have free internet access for a configured amount of time. This enables guests to access Web-Mails like Gmail or Hotmail without any restriction. Guests then have to log in by using the confirmation link or the credentials in the email.
- Besides the ticket credentials the email will also contain a link which automatically authenticates the user with the attached credentials.
Further information can be found in the according Email configuration manual.
Guests can also buy tickets by using an external payment service provider. Supported payment providers are:
This module allows you to authenticate guests on the Surf-LAN side by using existing backends:
- Active Directory and LDAP
- SQL Databases: MS SQL, MySQL, PostgreSQL
For further explanation refer to the External Authentication manual page.
This module allows you to authenticate users on the Surf-LAN by using:
- Microsoft 365 (Azure AD), limiting access to specific Tenant IDs or general Microsoft 365 account types.
The Login Page
The login page is often referred to as “IACBOX Login Page” and lists all enabled and configured authentication methods for the Surf-LAN. With Version 21, a new easy-to-customize Login Page has been introduced. To check out the documentation on how easy it is to add, move and adjust new elements, the Login Page manual can be found here.