B.2.1 Initial provisioning
After connecting the device to mains power, it boots with the Power LED on the front lit steady green. The LEDs on top flash green-yellow-blank to indicate that the device is unconfigured.
The Access Point defaults to being a DHCP server on a private subnet. For configuration access, simply connect a PC with a cross-over cable and make the PC a DHCP client. After connecting, the client will have an IP address in the 172.23.56.0/24 network; point the PC's browser to https://172.23.56.254 to reach the configuration interface.
A wizard will ask you basic questions about your intended configuration which are non eduroam-specific. Please complete the wizard by answering all the questions.
Pay special attention to step 6, where you configure the IP address. Remember to check the box "Configure default gateway" since the access point needs to talk to RADIUS, NTP and syslog servers, which may lie in a different subnet!
At step 8 of 9, you will encounter the first crucial setting for compliance with the eduroam policy: time synchronisation. The device suggests an NTP server (pool.ntp.org), which is a sane default setting. However, if you operate your own NTP server, you can select "Other..." and enter your own server name (see screenshot). TODO!
If you changed the IP address of the Access Point with the wizard, re-connect to the Access Point on its new address after finishing the wizard.
B.2.2 Timezone setup
The Access Point needs to be synchronised with an NTP or SNTP time server (set up using the wizard), which requires correct timezone settings. Click on "Configuration" -> "Date & Time" -> "General" and verify that the correct time zone and daylight saving time settings are set (see screenshot).
B.2.3 Logging
The eduroam policy also requires the eduroam SP to maintain logs of authentications and of MAC-address-to-IP-address bindings. LANCOM devices can satisfy both by logging events via syslog. By default, the device keeps short-term logs by logging to "127.0.0.1". The logs look like the following (each line is prefixed with the exact timestamp, left out here for readability):
AUTH | Notice | [WLAN-1] Associated WLAN station 64:b9:e8:a0:2e:a4 []
AUTH | Notice | [WLAN-1] WLAN station 64:b9:e8:a0:2e:a4 [] authenticated via 802.1x [user name is certuser-2010-001@restena.lu]
AUTH | Notice | [WLAN-1] Key handshake with peer 64:b9:e8:a0:2e:a4 successfully completed
AUTH | Notice | [WLAN-1] Connected WLAN station 64:b9:e8:a0:2e:a4 []
AUTH | Notice | [WLAN-1] Determined IPv4 address for station 64:b9:e8:a0:2e:a4 []: 158.64.3.24
AUTH | Notice | [WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: 2001:0a18:0000:0403:66b9:e8ff:fea0:2ea4
AUTH | Notice | [WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: fe80:0000:0000:0000:66b9:e8ff:fea0:2ea4
AUTH | Notice | [WLAN-1] Disassociated WLAN station 64:b9:e8:a0:2e:a4 [] due to station request (Disassociated because sending station is leaving BSS
As you can see, the authentication itself and all MAC -> IP binding actions are logged, both for IPv4 and IPv6.
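The value of these notices for an SP is that they can be folded back into "which user held which address during which interval", which is what an abuse report against one of your addresses turns into. The following Python script is an added example (not LANCOM's or eduroam's own tooling) that parses the notice format shown above into per-association records and answers that question. The log text, the timestamp prefix (assumed to be "YYYY-MM-DD HH:MM:SS") and the field order are constructed from the lines on this page; check them against your own syslog output before relying on the regular expressions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample input: the notices shown on this page, prefixed with a
# made-up timestamp in the position the device's syslog output uses.
SAMPLE_LOG = """\
2024-03-01 10:15:01 AUTH Notice [WLAN-1] Associated WLAN station 64:b9:e8:a0:2e:a4 []
2024-03-01 10:15:02 AUTH Notice [WLAN-1] WLAN station 64:b9:e8:a0:2e:a4 [] authenticated via 802.1x [user name is certuser-2010-001@restena.lu]
2024-03-01 10:15:02 AUTH Notice [WLAN-1] Key handshake with peer 64:b9:e8:a0:2e:a4 successfully completed
2024-03-01 10:15:02 AUTH Notice [WLAN-1] Connected WLAN station 64:b9:e8:a0:2e:a4 []
2024-03-01 10:15:05 AUTH Notice [WLAN-1] Determined IPv4 address for station 64:b9:e8:a0:2e:a4 []: 158.64.3.24
2024-03-01 10:15:06 AUTH Notice [WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: 2001:0a18:0000:0403:66b9:e8ff:fea0:2ea4
2024-03-01 10:15:06 AUTH Notice [WLAN-1] Determined IPv6 address for station 64:b9:e8:a0:2e:a4 []: fe80:0000:0000:0000:66b9:e8ff:fea0:2ea4
2024-03-01 10:42:17 AUTH Notice [WLAN-1] Disassociated WLAN station 64:b9:e8:a0:2e:a4 [] due to station request (Disassociated because sending station is leaving BSS
"""

MAC = r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
# Assumed line layout: "<timestamp> <source> <level> [<interface>] <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<source>\S+) (?P<level>\S+) "
    r"\[(?P<iface>[^\]]+)\] (?P<msg>.*)$"
)
# Anchored so that "Disassociated ..." never matches the association pattern.
ASSOC_RE = re.compile(rf"^Associated WLAN station {MAC} ")
AUTH_RE = re.compile(
    rf"^WLAN station {MAC} \[\] authenticated via 802\.1x \[user name is (?P<user>[^\]]+)\]"
)
ADDR_RE = re.compile(rf"^Determined IPv[46] address for station {MAC} \[\]: (?P<ip>\S+)$")
DISASSOC_RE = re.compile(rf"^Disassociated WLAN station {MAC} ")


def parse_line(line):
    """Split one device syslog line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def build_sessions(log_text):
    """Fold the per-station AUTH notices into one record per association.

    A session starts at 'Associated', collects the 802.1X user name and every
    address the device determines for the station, and closes at
    'Disassociated'. Addresses are kept as ipaddress objects so the zero-padded
    IPv6 form the device logs compares equal to the compact form in a report.
    """
    sessions = []
    open_by_key = {}  # (iface, mac) -> session currently open on that interface

    def current(iface, mac):
        key = (iface, mac)
        if key not in open_by_key:
            # Notice without a preceding 'Associated' (log rotated or truncated):
            # record it with an unknown start rather than dropping it.
            open_by_key[key] = {"iface": iface, "mac": mac, "start": None,
                                "end": None, "user": None, "addresses": []}
            sessions.append(open_by_key[key])
        return open_by_key[key]

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["source"] != "AUTH":
            continue
        iface, msg, ts = rec["iface"], rec["msg"], rec["ts"]
        if m := ASSOC_RE.match(msg):
            session = {"iface": iface, "mac": m["mac"], "start": ts,
                       "end": None, "user": None, "addresses": []}
            sessions.append(session)
            open_by_key[(iface, m["mac"])] = session
        elif m := AUTH_RE.match(msg):
            current(iface, m["mac"])["user"] = m["user"]
        elif m := ADDR_RE.match(msg):
            current(iface, m["mac"])["addresses"].append(ipaddress.ip_address(m["ip"]))
        elif m := DISASSOC_RE.match(msg):
            current(iface, m["mac"])["end"] = ts
            del open_by_key[(iface, m["mac"])]
    return sessions


def who_had_address(sessions, ip, when):
    """Return the sessions that held `ip` at datetime `when` (open sessions count as ongoing)."""
    target = ipaddress.ip_address(ip)
    hits = []
    for s in sessions:
        if target not in s["addresses"]:
            continue
        started = s["start"] is None or s["start"] <= when
        ended = s["end"] is not None and s["end"] < when
        if started and not ended:
            hits.append(s)
    return hits


def users_for_address(log_text, ip, when):
    """Convenience wrapper: `when` as 'YYYY-MM-DD HH:MM:SS'; returns the user names found."""
    t = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    return [s["user"] for s in who_had_address(build_sessions(log_text), ip, t)]


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_LOG):
        print(s["mac"], s["user"], s["start"], s["end"], [str(a) for a in s["addresses"]])
    print(users_for_address(SAMPLE_LOG, "2001:a18:0:403:66b9:e8ff:fea0:2ea4", "2024-03-01 10:30:00"))
```

Note that the lookup is bounded by the association interval, not by the whole day: the same address handed out to a different station after 10:42 belongs to a different session and a different user, which is exactly why the timestamps left out of the listing above must be kept in the exported logs.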
These notices must be logged to an external syslog server, since the syslog buffer in the device fills quickly and the information would otherwise be lost. Add your syslog server by selecting the menu item "Configuration" > "Log & Trace" > "Syslog" and make sure the box "Send information..." is checked (it is by default). Then click on "Syslog servers" and on the following page "Add".
Then enter the IP address of your syslog server and choose the events that shall be logged. We suggest selecting at least the sources
- System
- Login
- System time
- Console Login
- Connections
- Administration
and the levels
- Alert
- Error
- Warning
- Information
for a comprehensive overview of events on the device.
The logs collected with the localhost setting are shown under Expert Configuration>Status>TCP-IP>Syslog.
B.2.4 Configuring the SSID
1. Select Configuration>Wireless LAN>Logical WLAN setting – Network.
2. Click on one of the available slots, then set the following options as described:
- WLAN network enabled to On.
- Network name (SSID) to eduroam.
- Deselect the box labelled "Suppress SSID broadcast".
- MAC filter enabled to Off.
- Maximum count of clients to 0.
- Client Bridge support to No.
B.2.5 WPA Enterprise security
1. Configure the RADIUS server to use: Select Configuration – Wireless LAN – IEEE 802.1X – RADIUS server.
2. Click on "Add" and enter your server details:
You must now apply the RADIUS server and encryption scheme to the SSID eduroam:
3. Select Configuration>Wireless LAN>802.11i/WEP.
4. Click on WPA or Private WEP setting – 802.11i/WEP.
5. Click on the slot in which you previously configured the SSID eduroam and enter the following settings:
- Encryption Activated to Activated.
- Method/Key 1 Length to 802.11i(WPA)-802.1x.
- WPA Version to WPA1/2.
- WPA1 Session Key Type to TKIP.
- WPA2 Session Key Type to AES.
Other settings are irrelevant for WPA-Enterprise:
B.2.6 RADIUS accounting server (optional)
If RADIUS accounting for the eduroam SSID shall be enabled, you must configure a RADIUS server to receive the accounting messages:
- Select Expert Configuration>Setup – WLAN – RADIUS-Accounting and complete the server details:
- Afterwards, activate the actual RADIUS Accounting reporting under Expert Configuration>Setup – Interfaces – WLAN – Network – RADIUS-Accounting
B.2.7 Using RadSec instead of RADIUS (optional)
LANCOM devices have a RadSec client built-in. It can be used instead of standard RADIUS for the uplink to an IdP.
To use RadSec, you must have been given an eduroam Service Provider X.509 certificate by your NRO. First, upload this certificate and the eduGAIN CA certificate (which can be downloaded at http://sca.edugain.org/cacert/eduGAINCA.pem) via the device's "File Upload" menu:
Then, go to Expert Configuration>Setup>IEEE802.1X>RADIUS Server and set the Protocol option to RADSEC:
The same option is also present in the RADIUS Accounting server menu discussed above. When RadSec is to be used, we strongly suggest using it for both authentication and accounting.