IEA Software, Inc.

Captive Portal - HotSpot Authentication Gateway - Air Marshal
Air Marshal v2

Captive Portal System

Wireless Hotspots * Wired Networks * Device Authentication

Now avaliable for the Linux platform

Captive portals provide a convenient method of controlling access to public and private networks leveraging existing web technologies. Users simply "plug-in" open their favorite browser and follow on-screen prompting to logon to the network.

The main benefits of this solution come from not requiring additional customer knowledge, software or special configuration. Clients are able to quickly and easily gain access to the network regardless of the type of device or operating system used.

While the captive portals primary purpose is authentication they provide additional benefits such as the ability to direct new users to begin a sign-up process, fund an existing account or provide complimentary limited access to select services such as a company web site or information related to a particular venue.

Air Marshal is uniquely suitable for a wide range of environments including hotels, ISPs, universities, Internet HotSpots and guest networks. Comprehensive standards based RADIUS AAA support enables Air Marshal to seamlessly integrate with existing standards based billing and management platforms such as Emerald.

Standard login UI screenshot


RADIUS Authentication of User credentials and Device/MAC address Compatibility with existing Authentication and Billing Systems, centralized management, participate in international roaming networks.
RADIUS Accounting - detailed logging of IP, MAC, time and data usage, disconnect reason, etc. Accounting data is useful for a wide array of tasks such as usage billing, enforcement of data and time limits, managing concurrent access, capacity planning, auditing and troubleshooting.
Interim Accounting status updates Provides scheduled session status updates to the central management system verifying the session and providing current data usage statistics for dynamic session management.
RFC3576 Mid-Session Disconnect Allows a central management system to disconnect active sessions when the session is no longer authorized to access network services.
Change of Authorization (CoA) Allows a central management system to dynamically change authorization parameters of an active user session such as a bandwidth allocation without the need to disconnect the user.
Periodic Session Reauthorization Enables Air Marshal to periodically check the authorization status of each session and disconnect sessions no longer allowed access.
Ascend Binary Data Filter VSAs Ascend filters provide IP filtering rules limiting the range of network access on a per session basis. Commonly used to filter SMTP traffic in roaming networks to curb abuse.
MAC based Device Pre-Authentication Authorized client devices can be authenticated automatically saving the user the need to manually enter an access login and password.
WISPr Location, Redirect, Bandwidth control and Session limiting VSAs Enables RADIUS authorization to control bandwidth allocation, data usage limits and customized redirect URLs
Startup device reboot indication Provides management system notifications when Air Marshal is started to properly recover from unexpected failures such as a power outage.
Support for Backup RADIUS authentication and accounting servers An unlimited number of backup servers are supported for Authentication and Accounting purposes to prevent RADIUS server failure from effecting network access.

TOS login UI screenshot

Network & Session Features

Layer 3 IP Routing This mode allows Air Marshal to control network access by routing managed IP subnets through it.
Private Address / NAT services NAT mode enables a single IP address to be used to provide network access to multiple clients.
NAT port range assignment Assign unique source port ranges to sessions allowing individual sessions behind single NAT IP to be uniquely identified by source port
Layer 2 transparent bridging Bridge mode allows Air Marshal to be seemlessly "plugged-in" to an existing network providing authentication services typically with no external configuration changes on the network.
TCP & UDP device authentication listeners Air Marshal is able to detect and authenticate server devices and non-web based WiFi enabled systems.
IP or network layer session tracking Prevents abuse, determine if and how long users are active. Air Marshal can be placed on the same physical network (recommended) or placed behind an IP router.
Multiple networks and interfaces A single Air Marshal server supports multiple managed subnets and network interfaces.

Air Marshal General Features

Single server supports thousands of concurrent sessions Optimize large scale deployments
Browser based password encryption Provides increased logon password security in addition to TLS encryption
SSL Encryption Industry standard for encryption and mutual authentication. Establishes identity, protects sensitive client information such as account passwords.
Configurable Web HTML interface Customize the look and feel, link to sign-up server, account management and advertising sites
User status display Allows users to view account statistics such as time and data used and remaining.
Integrated ADMIN interface Easy to use 100% web based configuration and local account management simplifies system configuration tasks.
Active session list See who's online including duration and real-time bandwidth usage. Enables disconnect of active sessions.
Setup a walled garden Provides complimentary limited access to select services such as new customer signup, account management, company web sites or information related to a particular venue.
Themes Offer customized login portals based on user location, language, browser and device type. Operate multiple specialized venues concurrently on single server instance.
Local account management Configure local access accounts with expiration date, time & data limits and maximum upload/download data rates. Useful for smaller installations or special administrative access.
Anonymous Access Provides guest access to the network with an optional set of limitations such as upload/download data rates and daily time and data usage restrictions. This is useful in situations where you may want to provide a certain level of free service such as one or two hours of service per day, offer advertising supported access or simply require users read and accept a terms of service agreement before gaining access to the network.
Client Data Mirroring Captures all network data sent or received on per user basis to industry standard capture files. Useful for diagnostic or intercept purposes.
Transparent web proxy Directs HTTP requests to local transparent proxy servers on a per user basis. Enables customer choice of acceleration and content filtering services.
Maximum prioritized UL/DL data rates per user Prevents single users from monopolizing network resources. Enables tiered service offerings.
Bandwidth pooling Restrict groups of users to common shared bandwidth allocations. Prevents single users from monopolizing network resources. Enables tiered service offerings.
Commercial session interruption Periodically force users to view a series of commercial messages. Advertising supported access. Tiered service offerings.
iPass smart client Roaming to iPass network via native smart client on PCs and mobile devices.

Configuration Menu

System Requirements

Downloading Instructions

Visit the evaluation center to obtain an evaluation license key with a 50 or unlimited concurrent session license to begin your evaluation.

A single Air Marshal server can be installed per organization with a maximum of 5 concurrent sessions at no charge. A license key is not required to use Air Marshal under these conditions.

Need a billing and customer care platform? Emerald HotSpot Edition includes an unlimited session Air Marshal license.

For information on our pricing and support offering please see our product pricing page.

Air Marshal downloads

Emerald RadiusNT Air Marshal Linux Penguin