Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Basic deployment considerations for wireless LANs

Administrative obligations of eduroam SPs

Set up of WiFi hotspots

An eduroam wireless network is a wireless network. This sounds trivial, but it is important to keep in mind that

  • a poorly managed Wireless LAN won't magically become better by naming it eduroam. Before diving into eduroam-specific configuration, make sure you understand how to manage
    • WiFi coverage
    • bandwidth requirements
    • enough DHCP addresses to accomodate all clients
  • by naming the network eduroam, you are becoming part of a world-wide recognised brand. Arriving users will think of this being an eduroam network, with a set of expectations for such networks. If your wireless network fails to deliver in the points mentioned above, users will consider this an eduroam failure and your installation will hurt the global brand eduroam, not only your own site and users.

This section provides general advice regarding eduroam deployment on a wireless LAN. It does not include information on general WLAN network planning and setup, it only covers topics essential to deploying eduroam on an already setup wireless LAN. 

Obligations of eduroam SPs

The basic requirement for and eduroam SP is that the underlaying WLAN must be able to support All of the solutions presented below support the basic requirements for an eduroam SP: support for IEEE 802.1X authentications, WPA2/AES support . When deploying eduroam, deployers often want to make use of additional features such as and, if you also want other networks, multi-SSID support, dynamic VLAN assignment and others. Every section contains a table with a short overview of their support of such additional useful features.

Cisco (controller-based solutions)

This section begs for community input.

I can provide input for this section before the middle of April 2011 (Wenche Backman)

Cisco (stand-alone APs with IOS)

Feature

supported?

multi-SSID

yes

VLANs

yes

dynamic VLAN assignment

partial

...

Aruba

This section begs for community input.

Meru

This section begs for community input.

Lancom

Feature

supported?

multi-SSID

yes

VLANs

yes

dynamic VLAN assignment

yes

...

Apple AirPort Express

Feature

supported?

multi-SSID

no

VLANs

no

dynamic VLAN assignment

no

Set up of switches for wired eduroam

. This is usually the case with today's network equipment. If you want to distinguish traffic beloning to the eduroam network from other traffic, you also need to deploy VLANs in your network.

For eduroam, you need to add information of the RADIUS server that you will be using to your WLAN controller (or stand-alone access point). As a pure eduroam SP, the RADIUS server in question is likely the one of your national federation. If you are both an eduroam IdP and an eduroam SP, the RADIUS is your own RADIUS server. You will need to add the IP address of the RADIUS server as well as the shared secret, which is basically a string of characters that has been agreed on by you and the operator of the RADIUS server. You may also have to add information about the ports to use, which are 1812 for authentication and 1813 for accounting.

Once you have added the RADIUS server you need to create the eduroam SSID. This must be a network with 802.1X and WPA2/AES enabled and the SSID must be eduroam and this SSID needs to be broadcasted. For this eduroam network, you still need to define that the RADIUS server defined previously need to be used. 

In this wiki it is not possible to keep up-to-date guidelines on how to set up eduroam on all wireless equipment on the market. The best way to set up eduroam on your network is to do the initial setup according to the manufacturer's guidelines and thereafter, check the same guidelines on how to apply the eduroam-spesific settings mentioned above. However, a few guidelines are available through the links below

In order to check which ports should be open for the eduroam end users, please check out the eduroam Policy Service Definition document, particularly Chapter 6.3.3.

 Proxy Settings

As an eduroam SP, you have a choice of not deploying a network-side proxy at all (pereferred!), or to deploy a transparent web content proxy. It is not acceptable and technically not possible to deploy a proxy that requires manual settings: doing so would require any incoming eduroam visitor to modify their device configutation with the manual proxy settings at hand.

Client devices can typically auto-detect proxy settings easily: the automatic WPAD discovery protocol allows the eduroam SP operator to point users to the proxy address if any, or to announce that no proxy is in use. eduroam installers configure client devices to look for such configuration information on the network.

As an eduroam SP, you shold always provide proxy configuration information, even if the information is limited to state "no proxy here". You can do so either (preferably) in DHCP responses or in specially crafted DNS Resource Records in your domain.

...

Set up of networking equipment in the network core

Since an eduroam hotspot always uses the RADIUS protocol to connect to a RADIUS authentication server, your network setup must allow this RADIUS communication. This includes opening firewalls for traffic from the WLAN equipment (AP/Controller) to UDP port 1812 (do not confuse this with TCP!). The RADIUS protocol can easily create UDP fragments, and will not function fully without UDP fragmentation support. Be sure to check your equipment whether forwarding of UDP fragments is supported and allowed. For accounting the UDP port 1813 also needs to be opened.

If you deploy your own RADIUS server for eduroam SP purposes (see below), also make sure that its own uplinks to your National Roaming Operator are open in the same way.

Set up of eduroam SP RADIUS servers

Include Page

...

freeradius-sp

...

freeradius-sp