3.2 Reference Campus Setup
3.2.1 Introduction
Campus networks vary widely in topology, equipment, software, and so on. To assist a campus administrator in setting up eduroam on their campus, this section presents the implementation of a typical setup. It is hoped that this will allow users of different topologies and/or equipment to understand the necessary steps to take. Furthermore, the appendices expand the same setup for a number of other common types of equipment and software. Lastly, we are planning to provide these and future example configurations on the website http://www.eduroam.org.
For the reference network we use a typical set of network equipment consisting of:
- A Cisco Catalyst 3550 (or similar) switch.
- A Cisco Aironet AP-1200 Access Point.
- A laptop with Windows XP.
- A Radiator RADIUS server.
The network topology is as follows:
Figure 3.1: Network Topology
In this setup, wireless users are separated into different VLANs: VLAN906 for administrative users and VLAN909 for normal eduroam users. The next table describes each VLAN used in this document:
VLAN ID | Purpose |
---|---|
901 | VLAN for internet access – access to core routers |
902 | The Administrative VLAN of the hotspot (AP's; RADIUS; etc.) |
903 | VLAN with open SSID for giving information about the institute |
906 | VLAN reserved for administrative users |
909 | VLAN reserved for 'normal' eduroam users |
Table 3.1: VLAN description
The next table describes the IP configuration for the router sub-interfaces and what networks are configured for each VLAN:
Interface | 802.1Q Tag | Interface IP Address | DHCP Pool | What is accessible in this network |
---|---|---|---|---|
FE0.901 | 901 | Some public IP address | N/A | |
FE0.902 | 902 | 192.168.10.254 | N/A | AP's; RADIUS Server |
FE0.906 | 906 | 10.9.6.254 | 10.9.6.0/24 | administrators |
FE0.909 | 909 | 10.9.9.254 | 10.9.9.0/24 | eduroam clients |
Table 3.2: Router Configuration
3.2.2 Configuring the Ethernet switch for eduroam
In order to gain access to the Internet, the configuration of the Ethernet switch needs to be changed. You must create a VLAN in which the Access Points will be placed, and provide it with the correct IP address and gateway information. This can be done with the commands described below.
The next table describes the VLAN associated with each Port of the switch and what equipment will be connected to that specific port.
Port | VLAN configuration | What is connected to it |
---|---|---|
1 | U (902) | RADIUS Server |
2-47 | U (902) T (909) | Access Points |
48 | U (901) T (902; 909) | Central Ethernet Switch |
Table 3.3: Ethernet Switch Configuration
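The port plan in Table 3.3 also works as an audit baseline once the switch is configured. The following is an added example, not part of the original document: it checks the FastEthernet stanzas of a running configuration against the table and reports ports whose mode, untagged VLAN or carried VLANs differ. The function names and the sample excerpt are constructed for illustration, and the input is assumed to be in the layout that `show running-config` prints.

```python
import re

def expected(port):
    """Policy from Table 3.3: (mode, untagged VLAN, VLANs permitted on the port)."""
    if 2 <= port <= 47:
        return ("trunk", 902, {902, 909})
    return {1: ("access", 902, {902}), 48: ("trunk", 901, {901, 902, 909})}.get(port)

def vlan_set(spec):
    """Expand an IOS VLAN list such as '902,905-909' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config):
    """Return [(port, problem)] for FastEthernet0/N stanzas that deviate from Table 3.3."""
    findings = []
    stanzas = re.findall(r"^interface FastEthernet0/(\d+)\n((?: .*\n)*)", config, re.M)
    for port, body in ((int(p), b) for p, b in stanzas):
        if (want := expected(port)) is None:
            continue
        get = lambda pat: (re.search(rf"^ switchport {pat}$", body, re.M) or [None] * 2)[1]
        mode = get(r"mode (\w+)") or "unset"
        if mode == "access":
            native = int(get(r"access vlan (\d+)") or 1)
            allowed = {native}
        else:
            native = int(get(r"trunk native vlan (\d+)") or 1)
            spec = get(r"trunk allowed vlan ([\d,-]+)")
            allowed = vlan_set(spec) if spec else set(range(1, 4095))  # no list: all VLANs
        for name, got, exp in (("mode", mode, want[0]), ("untagged VLAN", native, want[1])):
            if got != exp:
                findings.append((port, f"{name} is {got}, expected {exp}"))
        extra = sorted(allowed - want[2])
        if extra:
            findings.append((port, f"{len(extra)} unexpected VLAN(s) carried, lowest {extra[0]}"))
    return findings

# Constructed excerpt: port 1 matches; port 3 has no allowed list; port 4 carries VLAN 906.
SAMPLE = (
    "interface FastEthernet0/1\n switchport access vlan 902\n switchport mode access\n!\n"
    "interface FastEthernet0/3\n switchport trunk native vlan 902\n switchport mode trunk\n!\n"
    "interface FastEthernet0/4\n switchport trunk native vlan 902\n"
    " switchport trunk allowed vlan 902,906,909\n switchport mode trunk\n!\n"
)
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An Access Point port that carries the administrators' VLAN 906, or a trunk with no allowed list at all, is the kind of drift this catches, since those ports are the ones cabled to equipment in public areas.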
First configure the port where the RADIUS Server will be connected and put it on the Administrative VLAN:

    switch(config)#interface fastethernet0/1
    switch(config-if)#description RADIUS Server
    switch(config-if)#switchport mode access
    switch(config-if)#switchport access vlan 902
    switch(config-if)#spanning-tree portfast

Then configure all switch ports that will connect Access Points, in trunk mode, for the VLANs that users and Access Points can have access to. At a minimum configure the administrative VLAN and the VLAN where authenticated users will be placed:

    switch(config)#interface range fastethernet0/2 - 47
    switch(config-if-range)#description eduroam Access Points
    switch(config-if-range)#switchport trunk encapsulation dot1q
    switch(config-if-range)#switchport trunk native vlan 902
    switch(config-if-range)#switchport trunk allowed vlan 902,909
    switch(config-if-range)#switchport mode trunk

The uplink can be defined with:

    switch(config)#interface fastethernet0/48
    switch(config-if)#switchport trunk encapsulation dot1q
    switch(config-if)#switchport trunk native vlan 901
    switch(config-if)#switchport trunk allowed vlan 901,902,909
    switch(config-if)#switchport mode trunk

3.2.3 Setting up the RADIUS server