User Tools

Site Tools



All the modules related to external applications / tools / devices and interfaces.

Account printer

Account printers are three button printers to easily generate and print vouchers.


Make sure the printer is configured correctly and is able to contact the gateway. Enable the service, choose the correct (TCP) port and fill in the printer IP address. Add the printer IP address and port number (in TCP) to the firewall, otherwise communication will get blocked using defaults. If the printer is connected using a subscriber network you have to activate the printer first. (see Activate subscriber - because the printer cannot authenticate itself).

You can simply add or edit a printer by using the respective buttons in the printer overview. You need to configure the printer IP and how many times a voucher needs to be send to the printer. To configure functionality behind one of the three physical buttons, choose the respective button (A, B or C) and configure the details.


  • If the printer is in a subscriber network it needs to have a valid active account to communicate with the HSMX.
    • Activate the device as MAC subscriber
    • Create a voucher and activate the device (regular subscriber)
    • Configure the printer as Static device
  • If the printer is attached to a WAN-interface, make sure to check the firewall and open the port if necessary.
  • Zyxel SP300(e) is supported, the newer Zyxel SP350e is not! is a centralized authentication platform hosted in the cloud. By using this feature, the local portal and database will no longer be used to authenticate clients. Instead the gateway will redirect clients to the cloud before they are activated on the local gateway. also provides dynamic reports, marketing campaigns, an easy to use portal editor, a variety of authentication mechanisms, … See for more information.


Before configuring your gateway to use, make sure that you have a valid admin account and admin domain. Please contact your reseller if this isn't the case.

Enter your admin domain and credentials and press Next. The next step will show you what will be applied on your gateway. Additionally you can choose to add your gateway to the platform (will only be shown if the WAN MAC is not yet found on the platform). Press next to apply the configuration. New clients will now be redirected to the cloud platform for authentication.


To use the internal portal and database again, you need to remove the RADIUS profiles from the guest authentication module (Service → guest authentication) and the redirect portal (Layout → portal page → rules).

Client gateway


When the system is running in authentication or mixed mode you can let external guest networks join this gateway. This gateway will act as authentication server while client traffic is still handled by the external gateways. Make sure you configure the System → Settings to reflect to correct system state [todo: gateway/auth]


Add the IP address and login credentials of the gateway holding the guest networks you want to add. If the gateway is added and connection towards the device is successful you will see an additional icon to view all guest networks. Check the guest networks which should redirect clients to this gateway for authentication and press save. The joined guest network will now redirect all clients to the IP address which was used to reach the external gateway. This IP address can be viewed/changed by going to network→ network configuration → click edit on the guest network → virtual section on the external gateway.

Credit card settings

The gateway is compatible with a range of credit card clearing houses and PayPal, these services can be used to automatically charge for Internet access without any other user intervention. The client can buy a package for the price configured in the billing plan and will automatically be logged in afterwards.

Note: The credit card option will only be available on the portal page when credit card or PayPal is enabled in the payment section of the portal rules.

Credit card service

This feature is deprecated.

Credit card module

There is an option to enabled or disable the (optional) module. The option invoice allows the client to receive an invoice for the payment via e-mail. See general settings for more configuration options.

The gateway is compatible with several credit card clearing houses. Select the credit card clearing house from the drop down list. There will be several configuration option that need to be entered depending on the chosen clearing house. These details should have been supplied to you by the clearing house.


This facility is deprecated. Contact support for a PayPal implementation using the newer Custom Clearing House facility.

PayPal is a popular payment service, clients can buy packages with their PayPal account or also without PayPal account and just a credit card.

  • PayPal URL: URL that is being used to contact PayPal (
  • Merchant ID: Your PayPal e-mail address
  • External IP: The WAN IP of the device, without this PayPal cannot contact us and we cannot verify the purchase.
  • Return button: Text that will be displayed on the return button.
  • Currency

This requires adding to the Walled Garden in order to function.

Custom clearing house

Instead of using one of the predefined clearing houses you can add your own, an API of the clearing house is required to know the exact flow and variables. The following can be configured:

Submit fields

This is the form that will be sent to the clearing house (and also the customer redirection to the payment page). All values (operator applied!) are saved and can be used in the clearing house answer.

characters are used for variables generated by the system, these can be portal_url (example:, order_id, amount and currency


The answer is the status of the payment that is being sent from the clearing house to the gateway. This answer should be returned to https://[gateway public IP]/creditcard/cc_notification.php, it is possible this URL needs to be specified in the submit fields or in the clearing house settings, without this URL the HSMX gateway will never be informed of success or failure of payment.

Order identification An unique Id has to exists to match the submit fields (request) and answer, therefore the orderId has to be in the submit fields so the clearing house can return this value in the answer. Here you can specify in which variable the clearing house sends back the orderId.

Flow The flow is how the system will check the incoming answer and can be fully customized. An incorrect check however can lead to creation of accounts while payments were rejected. % characters are being used to indicate return variables from the clearing house, for example %amount% || characters are being used to use variables that were sent to the clearing house (the ones created in Submit fields including the operation), for example: ||amount||

LDAP settings

The LDAP (Lightweight Directory Access Protocol) module allows the system to connect to an external LDAP server to authenticate administrators and subscribers.

LDAP servers

In this section you can add / update and delete LDAP server connections.

Access control rules

This are the rules that will link a group profile to an external administrator. The rules are being read from top to bottom so the first rule that matches will be applied. You can change the order by dragging the number in the sort column.

  • Default: If enabled, this will become the default rule, a default rule will always be matched so it's recommended to add this as a final rule.
  • Attribute: This is the attribute that will be returned by the active directory so we can compare the value.
  • Match: If this value matches the attribute value, we apply the group that is linked to this rule.
  • Group: Group that will be used when this rule is applied.


  • Attribute: ou
  • Match: pos
  • Group: group1

If the returned attribute (ou) matches “pos” we will login the administrator with the rights of group1

LAN rules

This section is identical to Access control rules besides the fact it used to authenticate subscribers rather then administrators of the system. When a subscriber authenticates, depending on the rules, a package will be created with the configured billing plan.

PMS settings

The PMS module is an optional module of the system. It connects the gateway to a PMS (property management system), this way the gateway retrieves all guest details of the hotel and it can also charge the guest folio.


There are three basic access methods available for FIAS: Serial, IP and Agent. Each access method is available in basic or advanced mode. The difference between basic and advanced:

  • Basic (via Serial, TCP or Agent)
    • This enables our basic PMS interface
    • Guests can be authenticated on any field in the PMS
    • No support for sharing guests
  • FIAS advanced (via Serial, TCP or Agent)
    • This enables our advanced PMS interface
    • Guests can be authenticated on any field in the PMS
    • Support for sharing guests
    • View bill on the portal page (requires portal page support)
    • View text messages coming from the hotel staff (requires portal page support)
    • Check out on the portal page (requires portal page support)
  • OnQ
    OnQ interface (similar to FIAS IP BASIC)
  • Amadeus
    Uses Amadeus interface (Similar to FIAS IP BASIC)
  • UHLL
    Universal Hospitality Language Layer from comtrol

When the system is licensed for multiple PMS connections two additional options are shown:

  • Name
    In order to distinguish one PMS system from the other, provide it with a name.
  • Location
    Depending on the location of subscriber log-on requests, use this particular PMS entry. Keep in mind it's not valid to configure multiple PMS systems for a single location. The Default entry sets a PMS connection as the default fallback.

Logical settings

You can select the fields that the guest has to enter to authenticate. We have three sections, room known (and checked-in), room unknown, room shared.

  • room known
    This is only triggered when there is a VLAN per room and the system can identify what room the client is connecting from. If no extra fields are checked, the client can get online without any further authentication.
  • room unknown
    This is the most frequent scenario, the system doesn't know beforehand where what room the client connects from so the first mandatory field that is requested is room number. Check one or more fields to make the authentication more secure.
  • room shared
    When two or more people share a room, the gateway identifies these as separate guests that need to be individually charged and authenticated. Enter the fields that ensure the authentication is unique e.g. combination of first and last name.

User definable fields

User definable fields can contain any value that is available in the PMS to be used for identifying the guests (e.g. loyalty membership number).

Tip: to enable all ten user definable fields from the PMS specification, enable Show extra definable fields under No post options.

Checked out error

The error message shown when a subscriber tries to sign onto a checked-out guest account.

No post options

  • Ignore no post flag
    Allows no-post guests to post charges regardless of the fact they are explicitly marked so from doing.
  • Show free billing plans for no post users
    Show free billing-plans for no-post guests.
  • Show extra definable fields
    Enables all ten user definable fields that are available in the FIAS specification instead of the standard two.
  • Allow room account sharing

PMS field policies

Here you can specify how strict we check the input of the guest against the PMS database. This overcomes problems with input and difficult guest names or special characters causing problems. You can create multiple policies and you can assign a policy per PMS field and / or set a default policy for all fields.

For example if we mandate the first four characters of the name should match and we strip spaces, dashes and quotes. The PMS database contains O' Donald which becomes odonald. The subscriber logs-on with O'donnald processed becomes odonnald, the first four characters match so we assume it's the right user.


Depending on the selection in the first tab you will see different options here.

  • Send ACK
    • Only required for serial connections
    • Send acknowledge after every message received
    • Wait for acknowledge after every message sent
  • Send LRC
    • Only required for serial connections
    • Send a check-sum with every message sent
    • Check check-sum for every message received
  • Send LA
    Send link alive message every x minutes
  • Sanity check
    Only enable this option if your PMS system supports it. Enabling this setting will assume the PMS acknowledges link-alive probes. If there's no acknowledge HSMX assumes the link is dead.
  • Database swap
    • Every X minutes a database swap command will be sent, this is not recommended because a database swap can take a long time and during this swap no postings can be sent to the PMS.
    • Fixed hour: This is recommended.
    • On start: Start database synchronization after a certain period the connection has started (recommended).
  • Send billing name
    system will send CT field.
  • Fixed variable in charge
    custom entry can be added to charge
  • Buffer charges
    When a guest tries to charge his room he has to wait until we receive an acknowledge from the PMS before he is able to browse. Or if the PMS is down the client will get an error message that he cannot charge his room at this time. To bypass this behavior you can simply buffer the charges, this way clients don't have to wait and will go straight online. Our PMS interface will take care of all charges and will send them to the PMS system as soon as possible.
  • Charset
    Choose the character-set encoding used for transmission to/from the PMS system.

Tips: configure the FIAS warning setting to receive an alert when the PMS communication has been down for longer than a specified period. Set the source e-mail/name and recipient (multiple recipients should be comma seperated), the subject and text body. Don't forget to configure System SMTP Settings).


An agent can be configure to forward all incoming guest data to an external authentication system. There is a listener and a sender, the listener waits for requests while the sender sends updates whenever we receive an update from the PMS. Communication can be encrypted.

RADIUS profiles

Configuration of the different RADIUS profiles. The RADIUS profiles can be configured in the subscriber (LAN) network in the AAA section (see AAA)

Name: Name of the RADIUS server Type: (PAP - CHAP - MS-CHAPv1/2) Authentication server IP: IP address of the RADIUS server Authentication server port: Port used for the RADIUS authentication requests Accounting server port: Port used for the RADIUS authentication requests RADIUS secret: Secret for communication between this NAS and the RADIUS server. NAS identifier: Identifier to identify the connection of our subscribers on the RADIUS server Time-out: Amount of retries

Overwrite WAN IP (optional): This will disable the auto detection of the WAN IP in the RADIUS requests made. MAC (mandatory if Overwrite WAN IP option is used): MAC address of the system, can be found in Network configuration.

Supported RADIUS attributes

The HSMX gateway supports several standard RADIUS attributes to set connection specific parameters as well as several WISPR attributes.

Standard attributes

  • Session-Timeout: User is logged out after this amount of time (seconds).
  • Idle-Timeout: User is logged out after this amount of time (seconds) of inactivity (no traffic).
  • Acct-Interim-Interval: Rate at which accounting update packets are sent (in seconds).
  • Reply-Message: Message that is shown on the portal to give the client a reason for a reject.

Nomadix attributes

  • Bandwidth_Up: Sets the maximum upload rate in bits per second
  • Bandwidth_Down: Sets the maximum download rate in bits per second
  • Bytes_Up: User will be disconnected after having sent this amount of bytes
  • Bytes_Down: User will be disconnected after having received this amount of bytes

WISPR attributes

  • WISPr-Bandwidth-Max-Up: Sets the maximum upload rate in bits per second
  • WISPr-Bandwidth-Max-Down: Sets the maximum download rate in bits per second

fdXtended custom attributes

  • fdXtended-Bandwidth-Up: Sets the maximum upload rate in bits per second
  • fdXtended-Bandwidth-Down: Sets the maximum download rate in bits per second
  • fdXtended-PostAuthURL: User will be redirected to this page after authentication
  • fdXtended-One2onenat-IP: User will be source NAT'ed to this IP when available
  • fdXtended-ContentFilter: User will be forced through content filter. Can be of type string referring to the content-filter identifier attribute or integer referring to the content-filter unique_id.
  • fdXtended-NetworkPolicy: User will use specified network policy. Can be a string referring to the name of the Network Policy or Network-policy group or an integer ID referring to the policy ID.
  • fdXtended-BytesDown: User will be disconnected after having received this amount of bytes
  • fdXtended-BytesUp: User will be disconnected after having sent this amount of bytes
  • fdXtended-Expiration: User will be disconnected after this time (yyyy-mm-yy hh:mm:ss)
  • fdXtended-SessionTimeout: User is logged out after this amount of time (seconds).
  • fdXtended-Wan-Interface: User will use the specified WAN interface. Can be a string referring to the name of the Network Policy or Network-policy group or an integer ID referring to the policy ID.
  • fdXtended-Qos-Profile: Sets the QoS profile to be used with a subscriber. Value is of type integer and refers the QoS profile ID.


Enable SNMP when you want to retrieve certain OS values from the system. The gateway can send traps on certain system events, MIB for the SNMP traps is available in the web interface as download (see also: howto remote monitor HSMX using SNMP).


UMS or User Management System is a free Windows based program to create vouchers. You need to enable the UMS server here to make sure the program can contact the HSMX gateway. You can choose to allow all IP's or just a few. If specified only these IP addresses will then be able to use the UMS server, otherwise every source IP address is welcome to partake.

XML server

HSMX provides an XML interface which can be used to automate tasks. To make use of the XML-API make sure to enable the service first. Once enabled the service needs to be configured to accept requests from certain source IP addresses; enable Allow any IP or enter an IP address in XML server IP 1 (or 2, 3).

You can configure a radius server if you wish to override the regular configuration, which can be found at Guest Authentication under Service.

manual/periphery.txt · Last modified: 2021/06/03 14:40 (external edit)