
This series of Access Points offers a wide range of features for a mid-range price. One of the outstanding features in its price class is the ability to use ARP sniffing to determine a client's IP address even if it changes during a user session. Activating this feature fulfils the requirement for MAC to IP correlation from the confederation policy and obsoletes logging of DHCP leases.

The following steps are needed to set up eduroam on a Lancom L-54 or L-300 series access point. This tutorial describes the setup via the web interface and is current as of LCOS Version 8.0. The starting point is a factory-reset device, i.e. one that is not configured at all and still at its defaults.

...

Initial provisioning

After connecting the device to mains power, it will boot with the Power LED on the front becoming steadily green. The LEDs on top flash green-yellow-blank to indicate that the device is unconfigured.

...

At step 8 of 9, you will encounter the first crucial setting for compliance with the eduroam policy: time synchronisation. The device suggests an NTP server (pool.ntp.org), which is a sane default setting. However, if you operate your own NTP server, you can select "Other..." and enter your own server name (see screenshot). TODO!

If you changed the IP address of the Access Point with the wizard, re-connect to the Access Point on its new address after finishing the wizard.

...

Timezone setup

The Access Point needs to be synchronised with an NTP or SNTP time server (which was set up using the wizard), which requires correct timezone settings. Click on "Configuration" -> "Date & Time" -> "General" and verify that the correct time zone and daylight saving time settings are set (see screenshot).


...

Logging

The eduroam policy also requires the eduroam SP to maintain logs of authentications and of MAC address to IP address bindings. LANCOM devices can satisfy both by logging events via syslog. By default, the device keeps short-term logs by logging to "127.0.0.1". The logs can be viewed by navigating to the menu "LCOS Menu Tree" > "Status" > "TCP-IP" > "syslog" > "Last Messages" and look like the following (each line is prefixed with the exact timestamp, left out here for readability):

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cbdaf548-c061-4788-8813-1c2ec278ac52"><ac:plain-text-body><![CDATA[
AUTH Notice [WLAN-1] Associated WLAN station 64:b9:e8:a0:2e:a4 []
AUTH Notice [WLAN-1] WLAN station 64:b9:e8:a0:2e:a4 [] authenticated via 802.1x [user name is certuser-2010-001@restena.lu]
AUTH Notice [WLAN-1] Key handshake with peer 64:b9:e8:a0:2e:a4 successfully completed
AUTH Notice [WLAN-1] Connected WLAN station 64:b9:e8:a0:2e:a4 []
AUTH Notice [WLAN-1] Determined IPv4 address for station 64:b9:e8:a0:2e:a4 []: 158.64.3.24
AUTH Notice [WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: 2001:0a18:0000:0403:66b9:e8ff:fea0:2ea4
AUTH Notice [WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: fe80:0000:0000:0000:66b9:e8ff:fea0:2ea4
AUTH Notice [WLAN-1] Disassociated WLAN station 64:b9:e8:a0:2e:a4 [] due to station request (Disassociated because sending station is leaving BSS
]]></ac:plain-text-body></ac:structured-macro>

As you can see, the authentication itself and all MAC -> IP binding actions are logged, both for IPv4 and IPv6.
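As an added example (not part of the original page and not LANCOM tooling), the following Python script parses these syslog notices once they reach an external collector: it correlates the 802.1X user name with the station's MAC address and with every IPv4/IPv6 address the ARP handling determined for it, so that an abuse report naming only an IP address can be answered. It assumes the timestamp prefix has already been stripped, as in the lines above.

```python
import re
from collections import defaultdict

# Constructed sample input: the notices shown above, without the timestamp prefix.
SAMPLE_LOG = """\
AUTH Notice [WLAN-1] Associated WLAN station 64:b9:e8:a0:2e:a4 []
AUTH Notice [WLAN-1] WLAN station 64:b9:e8:a0:2e:a4 [] authenticated via 802.1x [user name is certuser-2010-001@restena.lu]
AUTH Notice [WLAN-1] Key handshake with peer 64:b9:e8:a0:2e:a4 successfully completed
AUTH Notice [WLAN-1] Connected WLAN station 64:b9:e8:a0:2e:a4 []
AUTH Notice [WLAN-1] Determined IPv4 address for station 64:b9:e8:a0:2e:a4 []: 158.64.3.24
AUTH Notice [WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: 2001:0a18:0000:0403:66b9:e8ff:fea0:2ea4
AUTH Notice [WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: fe80:0000:0000:0000:66b9:e8ff:fea0:2ea4
AUTH Notice [WLAN-1] Disassociated WLAN station 64:b9:e8:a0:2e:a4 [] due to station request (Disassociated because sending station is leaving BSS
"""

MAC = r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
# The three message shapes we care about: who authenticated, which addresses were
# determined for the station (ARP handling), and when the station left.
AUTH_RE = re.compile(r"WLAN station " + MAC + r" \[\] authenticated via 802\.1x \[user name is (?P<user>[^\]]+)\]")
ADDR_RE = re.compile(r"Determined IPv(?P<ver>[46]) address for station " + MAC + r" \[\]: (?P<addr>\S+)")
DISC_RE = re.compile(r"Disassociated WLAN station " + MAC)


def correlate(log_text):
    """Build {mac: {"user", "ipv4", "ipv6", "closed"}} from LANCOM AUTH notices.

    Addresses are appended, not overwritten, so an address that changes
    mid-session (the case ARP handling exists for) stays in the record.
    """
    sessions = defaultdict(lambda: {"user": None, "ipv4": [], "ipv6": [], "closed": False})
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            sessions[m["mac"]]["user"] = m["user"]
        elif m := ADDR_RE.search(line):
            sessions[m["mac"]]["ipv4" if m["ver"] == "4" else "ipv6"].append(m["addr"])
        elif m := DISC_RE.search(line):
            sessions[m["mac"]]["closed"] = True
    return dict(sessions)


def lookup(sessions, ip):
    """Return [(mac, user)] for every station that held the given IPv4/IPv6 address."""
    return [(mac, s["user"]) for mac, s in sessions.items() if ip in s["ipv4"] + s["ipv6"]]


if __name__ == "__main__":
    table = correlate(SAMPLE_LOG)
    for mac, s in table.items():
        print(mac, s["user"], s["ipv4"], s["ipv6"], "closed" if s["closed"] else "open")
    print(lookup(table, "158.64.3.24"))
```

In production the timestamp must be kept and stored alongside each binding, since the same address is reused by other stations over time.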

It is required to log these notices to an external syslog server, since the syslog buffer in the device fills quickly and the information would be lost otherwise. Add your syslog server by selecting the menu item "Configuration" > "Log & Trace" > "Syslog" and make sure the box "Send information..." is checked (it is by default) (see screenshot).


Then click on "Syslog servers" and on the following page "Add".

...

for a comprehensive overview of events on the device.


The logs that are collected with the localhost setting will show up under
Expert Configuration>Status>TCP-IP>Syslog.

B.2.4 Configuring the SSID

...

Configuring the wireless LAN

The network name (SSID) for an eduroam SP is usually "eduroam", and the SSID needs to be broadcast. Unfortunately, the network cannot be set up via the corresponding wizard, since the wizard only allows configuring WPA-Personal authentication, not eduroam's WPA-Enterprise. The necessary settings can therefore only be found under "Configuration" > "Wireless LAN" > "General" (see screenshot).


First, we need to enable the MAC to IP address logging. This is done by checking the box "ARP handling". You should also make sure that you enter the correct country on this page, since the country setting makes your device compliant with national regulations for radio usage.

We also suggest checking the box "Broken LAN link ..." as a safety feature: if the access point detects that the wired backhaul is disconnected, it will stop broadcasting the wireless network. This spares users the frustration of connecting to an access point that cannot forward their traffic.

After these settings, go to the sub-menu "Logical WLAN setting – Network", see screenshot below.


The device offers eight independent networks. Choose one you want to use for eduroam (for example: WLAN-1) and click on its entry. Now set the properties of this network as follows:

  • WLAN network enabled to On.
  • Network name (SSID) to eduroam.
  • Deselect the box labelled "Suppress SSID broadcast".
  • MAC filter enabled to Off.
  • Maximum count of clients to 0.
  • Client Bridge support to No.

...

When deploying your hotspot, you should also consider some non eduroam-specific guidelines for WLAN deployment. An incomplete list of things to consider is collected in chapter FOO.

Security settings

You need to make two security-relevant settings: configure the RADIUS server to use for authenticating users and configure the eduroam Wireless LAN to use RADIUS at all.

First, let's define a RADIUS server for authentication. As a pure eduroam SP, the RADIUS server in question is likely the one of your national federation. If you are both an eduroam IdP and an eduroam SP, it is your own RADIUS server.

Select "Configuration" > "Wireless LAN" > "IEEE 802.1X" > "RADIUS server" and click on "Add" (see screenshot below).

Then, fill in your RADIUS server details as negotiated with your eduroam IdP or federation operator.

In the second step, we'll

B.2.5 WPA Enterprise security

     1. Configure the RADIUS server to use: Select Configuration – Wireless LAN – IEEE 802.1X – RADIUS server.
     2. Click on add and enter your server details.
     3. Select Configuration>Wireless LAN>802.11i/WEP.
     4. Click on "WPA or Private WEP setting – 80211.i/WEP".
     5. Click on the slot in which you previously configured the SSID eduroam and enter the following settings: Encryption Activated to Activated.

You must now apply the RADIUS server and encryption scheme to the SSID eduroam. To do that, go to the menu "Configuration" > "Wireless LAN" > "802.11i/WEP" > "WPA or Private WEP settings". Then, click on the WLAN network which you chose for the "eduroam" SSID before (see screenshot).


Set the following entries:

  • Encryption Activated to Activated
  • (Key 1/passphrase is irrelevant)
  • Method/Key 1 Length to 802.11i(WPA)-802.1x.
  • WPA Version to WPA2.
  • (WPA1 Session Key Type is irrelevant)
  • WPA2 Session Key Type to AES

Other settings are irrelevant with WPA-Enterprise:

B.2.6 RADIUS accounting server (optional)

If RADIUS accounting for the eduroam SSID shall be enabled, you must configure a RADIUS server to receive the accounting messages:

  • Select Expert Configuration>Setup – WLAN – RADIUS-Accounting and complete the server details.
  • Afterwards, activate the actual RADIUS Accounting reporting under Expert Configuration>Setup – Interfaces – WLAN – Network – RADIUS-Accounting.

...

  • (WPA rekeying cycle is at your discretion; the default value 0 is a sane default)
  • (Client EAP method is irrelevant)
  • (Authentication is irrelevant)
  • (Default key is irrelevant)

A recurring question is "Why is Client EAP method irrelevant?" The answer is: this setting refers to which authentication method the access point should use when it is in Client mode (i.e. it acts as a supplicant to connect to another access point). When in Access Point mode, its role is by design limited to transparently passing all authentication methods through to a RADIUS server.

Using RADIUS/TLS instead of RADIUS (optional)

LANCOM devices have a RadSec (RADIUS/TLS) client built in. It can be used instead of standard RADIUS for the uplink to an IdP. Please note that most of the value of RADIUS/TLS plays out in long-haul connections, like from an eduroam IdP server to its federation. If your Access Point is located close to your RADIUS server, using plain RADIUS is sufficient and you need not follow the steps below.

To use RADIUS/TLS in the eduroam context, you must have been issued an eduroam Service Provider X.509 certificate by your NRO (federation operator). When you have your certificate, the private key, and the certificate of the CA that issued your certificate (the eduGAIN CA certificate can be downloaded at http://sca.edugain.org/cacert/eduGAINCA.pem), you need to upload these via the device menu "File Management" > "Upload Certificate or File".

Upload them using the File Type "RADSEC ..." as in the screenshot below.


Then, go to "LCOS Menu Tree" > "Setup" > "IEEE802.1X" > "RADIUS Server" and set the Protocol option to "RADSEC", as in the screenshot below. The shared secret is not security-relevant when using RADIUS/TLS, but it must be set nevertheless. eduroam uses the fixed string "radsec" for all RADIUS/TLS shared secrets.

The same option is also present in the RADIUS Accounting server menu that was discussed above. When RadSec is used, we strongly suggest using it for both authentication and accounting.