...
Another requirement in the eduroam policy is that the eduroam SP maintains logs of authentications and of MAC-address to IP-address bindings. LANCOM devices can satisfy both by logging events via syslog. By default, the device keeps short-term logs by logging to "127.0.0.1". The logs can be viewed by navigating to "LCOS Menu Tree" > "Status" > "TCP-IP" > "syslog" > "Last Messages" and look like the following (prefixed with the exact timestamp, left out here for readability):
| AUTH | Notice | [WLAN-1] Associated WLAN station 64:b9:e8:a0:2e:a4 [] |
| AUTH | Notice | [WLAN-1] WLAN station 64:b9:e8:a0:2e:a4 [] authenticated via 802.1x [user name is certuser-2010-001@restena.lu] |
| AUTH | Notice | [WLAN-1] Key handshake with peer 64:b9:e8:a0:2e:a4 successfully completed |
| AUTH | Notice | [WLAN-1] Connected WLAN station 64:b9:e8:a0:2e:a4 [] |
| AUTH | Notice | [WLAN-1] Determined IPv4 address for station 64:b9:e8:a0:2e:a4 []: 158.64.3.24 |
| AUTH | Notice | [WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: 2001:0a18:0000:0403:66b9:e8ff:fea0:2ea4 |
| AUTH | Notice | [WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: fe80:0000:0000:0000:66b9:e8ff:fea0:2ea4 |
| AUTH | Notice | [WLAN-1] Disassociated WLAN station 64:b9:e8:a0:2e:a4 [] due to station request (Disassociated because sending station is leaving BSS |
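The notices above only meet the logging requirement if the user name, MAC address and IP addresses can be tied together afterwards. The following added example (not LANCOM or eduroam code) correlates the message texts into one record per station session and answers "which user held this address?". The function names are hypothetical, and timestamps are ignored because the page omits them.

```python
import ipaddress
import re

# Constructed sample: the message texts shown on the page, syslog prefix and timestamp omitted.
SAMPLE = [
    "[WLAN-1] Associated WLAN station 64:b9:e8:a0:2e:a4 []",
    "[WLAN-1] WLAN station 64:b9:e8:a0:2e:a4 [] authenticated via 802.1x [user name is certuser-2010-001@restena.lu]",
    "[WLAN-1] Key handshake with peer 64:b9:e8:a0:2e:a4 successfully completed",
    "[WLAN-1] Connected WLAN station 64:b9:e8:a0:2e:a4 []",
    "[WLAN-1] Determined IPv4 address for station 64:b9:e8:a0:2e:a4 []: 158.64.3.24",
    "[WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: 2001:0a18:0000:0403:66b9:e8ff:fea0:2ea4",
    "[WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: fe80:0000:0000:0000:66b9:e8ff:fea0:2ea4",
    "[WLAN-1] Disassociated WLAN station 64:b9:e8:a0:2e:a4 [] due to station request (Disassociated because sending station is leaving BSS",
]

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
AUTH = re.compile(r"\[([^\]]+)\] WLAN station " + MAC + r" \[[^\]]*\] authenticated via 802\.1x \[user name is ([^\]]+)\]")
ADDR = re.compile(r"Determined IPv[46] address for station " + MAC + r" \[[^\]]*\]: (\S+)")
LEFT = re.compile(r"Disassociated WLAN station " + MAC)

def correlate(lines):
    """Return one record per station session: interface, MAC, user name, addresses."""
    open_sessions, done = {}, []
    for line in lines:
        if m := AUTH.search(line):
            iface, mac, user = m.groups()
            if mac in open_sessions:  # re-authentication without a logged disassociation
                done.append(open_sessions.pop(mac))
            open_sessions[mac] = {"iface": iface, "mac": mac, "user": user, "ips": []}
        elif m := ADDR.search(line):
            mac, ip = m.groups()
            # A binding with no preceding 802.1X notice is kept with user=None so the gap is visible.
            s = open_sessions.setdefault(mac, {"iface": None, "mac": mac, "user": None, "ips": []})
            s["ips"].append(str(ipaddress.ip_address(ip)))  # store the canonical form
        elif m := LEFT.search(line):
            if (s := open_sessions.pop(m.group(1), None)) is not None:
                done.append(s)
    return done + list(open_sessions.values())

def users_for_ip(sessions, ip):
    """Incident-handling lookup: which user name(s) held this address?"""
    wanted = str(ipaddress.ip_address(ip))  # accept expanded or compressed IPv6
    return [s["user"] for s in sessions if wanted in s["ips"]]

if __name__ == "__main__":
    for session in correlate(SAMPLE):
        print(session)
```

The device logs IPv6 addresses fully expanded, so the example normalises them before comparing; a lookup with the compressed form taken from another log source then still matches.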
...
These notices must be logged to an external syslog server, since the syslog buffer in the device fills quickly and the information would otherwise be lost. Add your syslog server by selecting the menu item "Configuration" > "Log & Trace" > "Syslog" and make sure the box "Send information..." is checked (it is by default). (screenshot TODO) Then click on "Syslog servers" and, on the following page, "Add".
...
for a comprehensive overview of events on the device.
The logs that are collected with the localhost setting will show up under Expert Configuration > Status > TCP-IP > Syslog.
B.2.4 Configuring the SSID
...
B.2.4 Configuring the wireless LAN
The network name (SSID) for an eduroam SP is usually "eduroam", and the SSID needs to be broadcast. Unfortunately, the network cannot be set up via the corresponding wizard, since the wizard only allows configuring WPA-Personal authentication, not eduroam's WPA-Enterprise. The necessary settings can therefore only be found under "Configuration" > "Wireless LAN" > "General" (see screenshot).
First, we need to enable the MAC to IP address logging. This is done by checking the box "ARP handling". You should also make sure that you enter the correct country on this page, since the country setting makes your device conformant to national regulations for radio usage.
We also suggest checking the box "Broken LAN link ..." as a safety feature: if the access point detects that the wired backhaul is disconnected, it will stop broadcasting the wireless network. This saves users the frustration of connecting to a defunct access point.
After these settings, go to the sub-menu "Logical WLAN setting – Network", see screenshot below.
The device offers eight independent networks. Choose one you want to use for eduroam (for example: WLAN-1) and click on its entry. Now set the properties of this network as follows:
- WLAN network enabled to On.
...
- Network name (SSID) to eduroam.
...
- Deselect the box labelled "Suppress SSID broadcast"
...
- MAC filter enabled to Off.
...
- Maximum count of clients to 0.
...
- Client Bridge support to No.
When deploying your hotspot, you should also consider some guidelines for WLAN deployment that are not specific to eduroam. An incomplete list of things to consider is collected in chapter FOO.
B.2.5
...
Security settings
1. Configure the RADIUS server to use: Select Configuration – Wireless LAN – IEEE 802.1X – RADIUS server.
2. Click on add and enter your server details:
You must now apply the RADIUS server and encryption scheme to the SSID eduroam:
3. Select Configuration>Wireless LAN>802.11i/WEP.
4. Click on WPA or Private WEP setting – 802.11i/WEP.
...