The following sections provide detailed information for the two roles eduroam IdP and eduroam SP, respectively.
The eduroam IdP section explains the administrative obligations for an eduroam IdP, the set up of several popular RADIUS servers, and means to provision configuration details of supplicants to end users.
The eduroam SP section explains general basics of wireless LAN deployment, the administrative obligations for an eduroam SP, and the set up of several popular vendor WiFi environments for use in eduroam.
Campus networks vary widely in such things as topology, equipment used, software, and so on. In order to assist a campus administrator in setting up eduroam on their campus, this section presents the implementation of a typical setup. It is hoped that this will allow users of different topologies and/or equipment to understand the necessary steps to take. Furthermore, in the appendices the same setup will be expanded for a number of other common types of equipment and software. Lastly, we are planning to provide these and future example configurations on the website http://www.eduroam.org.
For the reference network we use a typical set of network equipment consisting of:
The network topology is as follows:
In this setup, wireless users are separated in different VLANs: VLAN906 for administrative users and VLAN909 for normal eduroam users. The next table describes each VLAN used in this document:
VLAN ID | Propose |
|---|---|
901 | VLAN for internet access – access to core routers |
902 | The Administrative VLAN of the hotspot (AP's; RADIUS; etc.) |
903 | VLAN with open SSID for giving information about the institute |
906 | VLAN reserved for administrative users |
909 | VLAN reserved for 'normal' eduroam users |
The next table describes the IP configuration for the router sub-interfaces and what networks are configured for each VLAN:
Interface | 802.1Q Tag | Interface IP Address | DHCP Pool | What is accessible in this network |
|---|---|---|---|---|
FE0.901 | 901 | Some public IP address | N/A | |
FE0.902 | 902 | 192.168.10.254 | N/A | AP's; RADIUS Server |
FE0.906 | 906 | 10.9.6.254 | 10.9.6.0/24 | administrators |
FE0.909 | 909 | 10.9.9.254 | 10.9.9.0/24 | eduroam clients |
In order to gain access to the Internet the configuration of the Ethernet switch needs to be changed. You must create a VLAN in which the Access Points will be placed, and provide it with the correct IP-address and gateway information. This can be done with the commands described below.
The next table describes the VLAN associated with each Port of the switch and what equipment will be connected to that specific port.
Port | VLAN configuration | What is connected to it |
|---|---|---|
1 | U (902) | RADIUS Server |
2-47 | U (902) T (909) | Access Points |
48 | U (901) T (902; 909) | Central Ethernet Switch |
First configure the port where the RADIUS Server will be connected and put it on the Administrative VLAN:
switch(config)#interface fastethernet0/1
switch(config-if)#description RADIUS Server
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 902
switch(config-if)#spanning-tree portfast
Then configure all switch-ports that will connect Access Points for the VLAN's that users and Access Points can have access to (in trunk mode). At a minimum configure the administrative VLAN and the VLAN where authenticated users will be placed:
switch(config)#interface range fastethernet0/2 - 47
switch(config-if)#description eduroam Access Points
switch(config-if)#switchport trunk encapsulation dot1q
switch(config-if)#switchport trunk native vlan 902
switch(config-if)#switchport trunk allowed vlan 902, 909
switch(config-if)#switchport mode trunk
The uplink can be defined with:
switch(config)#interface fastethernet0/48
switch(config-if)#switchport trunk encapsulation dot1q
switch(config-if)#switchport trunk native vlan 901
switch(config-if)#switchport trunk allowed vlan 901, 902, 909
switch(config-if)#switchport mode trunk
.