eduroam along with commercial hotspot system

This chapter describes a wireless LAN deployment that combines eduroam access (as a service provider only,
not as an identity provider) with a commercial hotspot offering three distinct classes of access and several
billing models. The following access models are covered:

Every usage class is assigned its own VLAN, which keeps the user groups isolated from each other. Four SSIDs
are in use: "ccrn-hotspot" (web redirect), "ccrn-wpa" (commercial WPA), a hidden SSID for staff access, and
"eduroam".

The billing models for the commercial access allow:

This mixture of a commercial system and eduroam access can be applied by any operator outside the
Research and Education community. The commercial system generates revenue, while offering eduroam is a
competitive advantage over other providers. Several eduroam deployments in non-R&E locations have shown
that eduroam attracts students to these places and thereby may generate extra revenue; pubs are a prime
example of this business model.

The following instructions demonstrate how to set up such a hotspot solution with a single hardware server,
switches, Access Points and pure Open Source Software. This is a real-life scenario deployed in the city of
Luxembourg at the "Centre Culturel de Rencontre Abbaye de Neumünster" (CCRN).

These instructions assume a server with at least two network interfaces, where eth0 connects to the outside
internet and eth1 is free for use with the hotspot system. All addresses used inside the system are taken
from 10.10.0.0/16. The instructions attempt to be distribution-neutral; note, however, that this example was
installed on openSUSE 10.2, so distribution-specific details may be present.

Installation Instructions

  1. Prepare a Linux server with a distribution of choice and install at least the following packages:
     ○ vconfig -> provides the VLAN configuration tool vconfig (separate download required:
           http://www.candelatech.com/~greear/vlan.html)
     ○ chillispot -> provides the web-redirect portal daemon chilli (version 1.1.0 is on the openSUSE 10.2
           installation media)
     ○ iptables -> provides the firewall manipulation tools iptables and ip6tables (version 1.3.6 is on the
           openSUSE 10.2 installation media)
     ○ apache2 -> provides the web server httpd for the web-redirect portal (version 2.2.3 is on the
           openSUSE 10.2 installation media)
     ○ MySQL -> provides the datastore for user accounts, mysql (version 5.0.26 is on the openSUSE 10.2
           installation media)
     ○ apache2-mod-perl -> enables execution of Perl CGIs (version 2.0.2 is on the openSUSE 10.2
           installation media)
     ○ php5 -> provides PHP (version 5.2.0 is on the openSUSE 10.2 installation media)
     ○ phpmyprepaid -> provides the user management web interface (separate download required:
           http://sourceforge.net/projects/phpmyprepaid; version 0.3.3 is in use in this deployment)
     ○ freeradius -> provides the RADIUS server radiusd (version 1.1.3 is on the openSUSE 10.2
           installation media)
     ○ dhcp-server -> provides the DHCP server dhcpd (version 3.0.5 is on the openSUSE 10.2 installation
           media)
  2. Ensure the following configurations are met:
     Kernel: must support
            IEEE 802.1q VLANs
            tun/tap network interfaces
            netfilter
            routing (IP forwarding)
     Note: the openSUSE 10.2 kernel supports all of the above.

     VLANs: add with
            vconfig add eth1 10
            vconfig add eth1 11
            vconfig add eth1 12
            vconfig add eth1 13
     IP addresses: assign to
            eth1:    ifconfig eth1 10.10.0.1 netmask 255.255.255.0 up
            eth1.10: ifconfig eth1.10 10.10.10.1 netmask 255.255.255.0 up
            eth1.11: ifconfig eth1.11 10.10.11.1 netmask 255.255.255.0 up
            eth1.12: ifconfig eth1.12 10.10.12.1 netmask 255.255.255.0 up
            Do NOT assign an IP address to eth1.13, but make sure the interface is up (ifconfig eth1.13 up);
            chilli takes over this interface and serves its own addresses on it.
     Routing: make sure IP forwarding is turned on (cat /proc/sys/net/ipv4/ip_forward must print "1").
     chillispot:
            INTIF is eth1.13
            EXTIF is eth0
            set uamsecret to a random value; the same value must be configured in hotspotlogin.cgi (see below)
            RADIUS server is localhost; use the shared secret configured for the localhost client in FreeRADIUS
                   (the shipped default is testing123; replace it with a random value in clients.conf rather
                   than keeping the well-known default)
            copy hotspotlogin.cgi into apache's cgi-bin directory
            copy dictionary.chillispot into /etc/raddb
     iptables:
            modify the ruleset to allow RADIUS traffic (UDP 1812/1813) in the INPUT chain from eth1
            modify the ruleset to allow DHCP requests in INPUT from eth1.10, eth1.11, eth1.12
            apply the ruleset
     MySQL: create the database "radius" and a user with access to it
     Apache2:
            make sure CGI support for Perl is active
            make sure PHP support is enabled
            request a certificate from a well-known CA whose Extended Key Usage includes TLS Web Server
                   Authentication (id-kp-serverAuth); Thawte and Verisign, for example, issue such certificates
            SSL support on port TCP/443 is mandatory: install the server certificate
     phpmyprepaid:
            install somewhere in the apache2 document root
            set the database details in dbconnect.php
            point a browser at the installation path and follow the instructions
            set up a "location" first, then the billing models
            it is not necessary to define Access Points
     dhcpd:
            define DHCP ranges for the subnets 10.10.10.0/24, 10.10.11.0/24, 10.10.12.0/24
            do not bind to the interfaces eth0, eth1 and eth1.13
     FreeRADIUS:
            use the database "radius" on localhost as the authentication source
            $INCLUDE dictionary.chillispot in the file dictionary
            define a realm DEFAULT that points to the eduroam infrastructure (the federation-level RADIUS
                   server of your NREN)
            the realms NULL and LOCAL have the auth source LOCAL
            tag incoming requests in the "hints" file so that SSIDs are matched to the user auth sources
            allow EAP passthrough for eduroam users
            install a server certificate for the EAP sessions of your own users (-wpa, -staff)

It is useful to put the VLAN definitions, IP allocations and firewall ruleset application into an init script to
automate the boot process; an example init script is provided at
http://www.eduroam.org/downloads/docs/eduroamcookbook-scripts.zip.
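As an added example (not the CCRN script from the cookbook zip), the following is a small init script that performs the VLAN, address, routing and firewall steps of step 2. Interface names and subnets are the chapter's; the chilli tunnel name tun0, the DROP policies and the rule that blocks traffic between the inside VLANs are assumptions made for this example. Called without the argument "start" it only prints the commands it would run, so the plan can be checked before it is applied as root.

```shell
#!/bin/sh
# Added example, not the CCRN init script: brings up the VLAN interfaces,
# addresses and firewall rules of step 2. eth0/eth1, VLANs 10-12 (routed) and
# VLAN 13 (handed to chilli, no address) follow the chapter. tun0 as chilli's
# tunnel device, the DROP policies and the inter-VLAN block are assumptions.
#   sh hotspot-net.sh        -> print the commands (dry run)
#   sh hotspot-net.sh start  -> apply them (as root)

INSIDE=eth1
OUTSIDE=eth0
ROUTED_VLANS="10 11 12"     # ccrn-wpa, staff and eduroam clients (assumed order)
CHILLI_VLAN=13              # ccrn-hotspot: chilli owns this interface, no IP here
CHILLI_TUN=tun0             # chilli's default tun device (assumption)
RUN=echo                    # "" = apply, "echo" = dry run

cmd() { $RUN "$@"; }

net_up() {
    for v in $ROUTED_VLANS $CHILLI_VLAN; do
        cmd vconfig add "$INSIDE" "$v"
    done
    cmd ifconfig "$INSIDE" 10.10.0.1 netmask 255.255.255.0 up
    for v in $ROUTED_VLANS; do
        cmd ifconfig "$INSIDE.$v" "10.10.$v.1" netmask 255.255.255.0 up
    done
    cmd ifconfig "$INSIDE.$CHILLI_VLAN" up     # up, but deliberately without an address
    cmd sysctl -w net.ipv4.ip_forward=1
}

fw_up() {
    cmd iptables -F
    cmd iptables -t nat -F
    cmd iptables -P INPUT DROP
    cmd iptables -P FORWARD DROP
    cmd iptables -A INPUT -i lo -j ACCEPT
    cmd iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # add your own management access (e.g. ssh from a trusted address) here before applying
    # RADIUS (auth 1812, acct 1813) from the APs on the untagged management net
    for p in 1812 1813; do
        cmd iptables -A INPUT -i "$INSIDE" -p udp --dport "$p" -j ACCEPT
    done
    # DHCP only on the routed VLANs; the hotspot VLAN is served by chilli itself
    for v in $ROUTED_VLANS; do
        cmd iptables -A INPUT -i "$INSIDE.$v" -p udp --sport 68 --dport 67 -j ACCEPT
    done
    # captive portal: chilli's UAM listener (default port 3990) and the HTTPS login page
    cmd iptables -A INPUT -i "$CHILLI_TUN" -p tcp --dport 3990 -j ACCEPT
    cmd iptables -A INPUT -i "$CHILLI_TUN" -p tcp --dport 443 -j ACCEPT
    # keep the usage classes apart: nothing is forwarded between inside VLANs,
    # every inside network may reach the internet, replies are let back in
    cmd iptables -A FORWARD -i "$INSIDE+" -o "$INSIDE+" -j DROP
    cmd iptables -A FORWARD -i "$INSIDE+" -o "$OUTSIDE" -j ACCEPT
    cmd iptables -A FORWARD -i "$CHILLI_TUN" -o "$OUTSIDE" -j ACCEPT
    cmd iptables -A FORWARD -i "$OUTSIDE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    cmd iptables -t nat -A POSTROUTING -o "$OUTSIDE" -j MASQUERADE
}

if [ "${1:-}" = start ]; then RUN=""; fi
net_up
fw_up
```

Review the dry-run output on the console first; the inter-VLAN DROP is what actually enforces the isolation the chapter relies on, since a VLAN per class alone does not stop a router in between from forwarding between them.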

  3. Add dhcpd, mysql, apache2, freeradius and chilli (init script included) to the default runlevel (the init
     script from above should have precedence); under SUSE, runlevels are manipulated with "insserv":
         insserv chilli-init
         insserv dhcpd
         insserv mysql
         insserv apache2
         insserv freeradius
         insserv chilli
  4. Attached for convenience:
     ○ init script for VLANs, IP
     ○ init script for chilli daemon
     ○ chilli.conf (comments stripped)
     ○ dhcpd.conf (comments stripped)
     ○ modified iptables ruleset
     ○ /etc/raddb files (comments stripped)
     ○ sample Lancom AP config (shared secrets, IP info stripped)
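The /etc/raddb attachments are not reproduced on this page. As an added example of what the FreeRADIUS part of step 2 amounts to (not the CCRN files), the following script writes clients.conf, proxy.conf and hints in FreeRADIUS 1.1 syntax. The eduroam upstream host flr.example.lu and its secret, the staff SSID name ccrn-staff, and the assumption that the APs append the SSID to Called-Station-Id ("<ap-mac>:<ssid>") are placeholders and assumptions; confirm the resulting behaviour with radiusd -X before relying on it. The script also replaces the shipped localhost secret testing123 with random secrets, and pins portal logins (which arrive from chilli on 127.0.0.1 and carry no SSID) to the local database, so that a password typed into the portal as user@somewhere.edu is never forwarded to eduroam.

```shell
#!/bin/sh
# Added example, not the CCRN configuration: generates clients.conf, proxy.conf
# and hints for FreeRADIUS 1.1 as described in step 2. Hostnames, secrets and the
# staff SSID are placeholders; the Called-Station-Id format is an assumption.
#   sh radius-conf.sh /tmp/raddb-test    -> review the result first
#   sh radius-conf.sh /etc/raddb         -> then install
set -e
umask 077

EDUROAM_HOST=${EDUROAM_HOST:-flr.example.lu}              # placeholder: your NREN's server
EDUROAM_SECRET=${EDUROAM_SECRET:-CHANGE-ME-NREN-secret}   # placeholder: issued by the NREN
STAFF_SSID=${STAFF_SSID:-ccrn-staff}                      # placeholder: the hidden staff SSID
AP_NET=10.10.0.0/24                                       # untagged management net of the APs

# 128-bit random shared secret as 32 hex characters (replaces the shipped testing123)
gen_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

write_radius_conf() {
    dir=$1
    local_secret=$(gen_secret)     # copy into chilli.conf as radiussecret
    ap_secret=$(gen_secret)        # copy into the RADIUS settings of every AP

    cat > "$dir/clients.conf" <<EOF
client 127.0.0.1 {
    secret    = $local_secret
    shortname = chilli
    nastype   = other
}
client $AP_NET {
    secret    = $ap_secret
    shortname = aps
    nastype   = other
}
EOF

    cat > "$dir/proxy.conf" <<EOF
# no realm typed: local database only (portal and commercial WPA users)
realm NULL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm LOCAL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
# every other realm is an eduroam visitor: forward the request unchanged
# (nostrip keeps user@realm intact), the home institution answers
realm DEFAULT {
    type     = radius
    authhost = $EDUROAM_HOST:1812
    accthost = $EDUROAM_HOST:1813
    secret   = $EDUROAM_SECRET
    nostrip
}
EOF

    cat > "$dir/hints" <<EOF
# Called-Station-Id from the APs is assumed to be "<ap-mac>:<ssid>" (check with radiusd -X).
# eduroam SSID: never consult the local database, always hand over to the DEFAULT realm
DEFAULT Called-Station-Id =~ ":eduroam\$"
        Proxy-To-Realm := "DEFAULT"
# commercial and staff SSIDs: never leave the box, whatever realm the user typed
DEFAULT Called-Station-Id =~ ":ccrn-wpa\$"
        Proxy-To-Realm := "LOCAL"
DEFAULT Called-Station-Id =~ ":$STAFF_SSID\$"
        Proxy-To-Realm := "LOCAL"
# portal logins come from chilli on localhost and carry no SSID: local accounts only
DEFAULT Client-IP-Address == 127.0.0.1
        Proxy-To-Realm := "LOCAL"
EOF
}

# sanity check of a generated directory: no default secret left, realms and pins present
check_conf() {
    dir=$1
    if grep -q testing123 "$dir/clients.conf"; then return 1; fi
    grep -q '^realm DEFAULT' "$dir/proxy.conf" || return 1
    grep -q 'nostrip' "$dir/proxy.conf" || return 1
    grep -q 'Client-IP-Address == 127.0.0.1' "$dir/hints" || return 1
}

if [ $# -eq 1 ]; then
    mkdir -p "$1"
    write_radius_conf "$1"
    check_conf "$1" && echo "wrote clients.conf, proxy.conf and hints to $1"
fi
```

The two generated secrets are printed nowhere; read them out of clients.conf and carry them into chilli.conf and the AP configuration, which is also why the files are created with mode 0600.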