
General scheme

Quickstart

  1. Install SoftWLC and the Service Activator (see Installing the Service Activator).
  2. In the file /etc/eltex-wifi-sa/factory-fw.conf, set the firmware versions so that they match the version of the AP models being installed. Set the downgrade parameter to false. Download the AP firmware to the /var/lib/eltex-wifi-sa/firmware/ directory and rename it to the file name specified in /etc/eltex-wifi-sa/factory-fw.conf.
  3. Download the Root certificate and the certificate of the Service Activator to the directory /etc/eltex-wifi-sa/.
  4. Edit the names of the Root and the Service Activator certificates in the file /etc/eltex-wifi-sa/application.conf. Set the parameter CheckMAC to Yes. Restart the Service Activator: service eltex-wifi-sa restart.
  5. Create a domain for ESR and a subdomain for OTT access points.
  6. Create an initialization rule for the required AP model. TCP must be specified as the SNMP transport (see AP initialization).
  7. Create an initialization rule link to an OTT access point. In the link, the "Connected" checkbox should be set (see AP initialization).
  8. Create an OTT profile with IPsec parameters. The password specified in ESR configuration, for example, "testing 123", should be taken as the "IPsec password". The command CreateOttProfile should be run in NBI (see ESR OTT).
  9. Add ESR to the EMS domain for OTT access points. Set OTT checkbox in the Access tab to ServiceProvider and enable the BRAS checkbox. Make sure that ESR is accessible from SoftWLC (see ESR OTT).
  10. In the NAS table (the tab RADIUS - Access Points), enter the RADIUS password for the ESR as specified in its configuration, for example "testing123".
  11. In the ESR tab of ESR configuration, specify ESR public IP and select an OTT profile. The command CreateOttStation should be run in NBI (see ESR OTT).
  12. Create a SSID and link it to an OTT domain. In SSID parameters, specify the Location set in ESR configuration, for example, "testing2" (see AP initialization).
  13. In the Admin Panel, in the "System" tab of Settings menu, enable the checkbox "Shaper settings at Domains tree", exit the Admin Panel and enter it again (see Shaper settings in the Admin Panel).
  14. After that, enable the shaper on SSID in the "Domains tree" tab of the Settings menu (see Shaper settings in the Admin Panel).

General description

Service Activator

The Service Activator is a server based on the x86 architecture and the Ubuntu 14.04 operating system with special software installed. Its task is to receive and process HTTPs POST requests from access points and to exchange information with SoftWLC. In programming terms, the Service Activator is a web server. To receive requests from access points, the Service Activator should have port 8043 open and a public IP address. As access points refer to the Service Activator by its URL, the Service Activator's public address must be linked to its domain name on DNS servers. Another network interface of the Service Activator should be linked to the EMS module, i.e., it should be placed in the same address space as the SoftWLC modules. For security, traffic between the Service Activator and EMS should pass through a firewall. To provide communication between the Service Activator and SoftWLC, port 8080 (HTTP), which the Service Activator uses to query EMS, should be opened on the firewall.
The Service Activator can be located behind a proxy server (in relation to the Internet) and have a private IP address for communication with access points. In that case, the proxy server forwards POST requests to the Service Activator, with or without replacing the TCP port. The TCP port the server listens on can be specified in the Service Activator configuration files.
Once an access point has sent an HTTPs request containing its data to the Service Activator, the latter checks the access point's certificate. To do this, the Service Activator should have the Root certificate and the Service Activator certificate (containing the Provider-ID) signed by it. The Provider-ID is the service provider identifier. It ensures that access points belonging to a certain provider connect only to this provider's Service Activator. The Service Activator can optionally check that the MAC address specified in an access point's certificate matches its real MAC address. This protects a provider from theft of a certificate from one access point and its use by another. If the certificate check, handshake and other procedures have been successful, the Service Activator proceeds to verify that the AP firmware is current. The correspondence between current firmware versions and access point models is stored in the /etc/eltex-wifi-sa/factory-fw.conf configuration file. If the firmware version of the requesting access point differs from the version specified in this file, the Service Activator orders the access point to update its firmware. This means firmware files for the access point models in use should be placed on the Service Activator in advance.
If a firmware file is not placed on the Service Activator, or if the access point's firmware version matches the current version specified on the Service Activator, it proceeds to search for an initialization rule link in the database. If there is no link, the Service Activator puts the AP into a "sandbox" until a link is found.

Access point firmware downgrade can be disabled. In that case, only access points whose firmware version is lower than the one specified on the Service Activator will be updated.
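The checks described above, as an added example that is not Eltex's code: it models the Provider-ID and certificate-MAC checks and the firmware relevance decision against factory-fw.conf entries, including the downgrade = false case. The request and config field names, the in-memory config layout and the dotted numeric version format are assumptions made for this illustration.

```python
# Added example, not Eltex's code: models the Service Activator's pre-activation
# checks (Provider-ID, certificate MAC, firmware relevance). Field names, the
# in-memory config layout and the dotted numeric version format are assumptions.
import re
from dataclasses import dataclass


@dataclass
class ApRequest:
    mac: str               # MAC address reported in the POST body
    fw_version: str        # firmware version reported in the POST body
    cert_provider_id: str  # Provider-ID read from the AP's certificate
    cert_mac: str          # MAC address read from the AP's certificate


@dataclass
class FirmwareRule:
    """One AP-model entry of factory-fw.conf: 'min' version and 'file' name."""
    min: str
    file: str


@dataclass
class ActivatorConfig:
    provider_id: str     # Provider-ID from the Service Activator's own certificate
    check_mac: bool      # https { clients { checkMAC
    fw_check_crt: bool   # https { clients { fwCheckCrt
    downgrade: bool      # factory-fw.conf: downgrade
    rules: dict          # AP model -> FirmwareRule
    firmware_files: set  # file names present in /var/lib/eltex-wifi-sa/firmware/


def norm_mac(mac: str) -> str:
    """Compare MACs case- and separator-insensitively (aa:bb vs AA-BB)."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def version_key(version: str) -> tuple:
    """'1.19.3' -> (1, 19, 3); assumes dotted numeric versions."""
    return tuple(int(p) for p in version.split("."))


def precheck(model: str, req: ApRequest, cfg: ActivatorConfig) -> str:
    """Return the Service Activator's decision for one AP request."""
    # 1. certificate checks: a failing request is dropped before any EMS lookup
    if cfg.fw_check_crt and req.cert_provider_id != cfg.provider_id:
        return "reject: Provider-ID mismatch"
    if cfg.check_mac and norm_mac(req.cert_mac) != norm_mac(req.mac):
        return "reject: certificate MAC differs from the AP's real MAC"
    # 2. firmware relevance: only if a file for this model is on the activator
    rule = cfg.rules.get(model)
    if rule is None or rule.file not in cfg.firmware_files:
        return "proceed: no firmware for this model on the activator"
    current, wanted = version_key(req.fw_version), version_key(rule.min)
    if current == wanted:
        return "proceed: firmware is current"
    if current > wanted and not cfg.downgrade:
        return "proceed: newer firmware kept (downgrade = false)"
    return "update: " + rule.file   # older, or newer with downgrade allowed


# Constructed sample configuration (placeholder model and file names, not
# real deployment data).
SAMPLE_CFG = ActivatorConfig(
    provider_id="eltex", check_mac=True, fw_check_crt=True, downgrade=False,
    rules={"model-x": FirmwareRule(min="1.19.3", file="model-x-1.19.3.tar.gz")},
    firmware_files={"model-x-1.19.3.tar.gz"},
)

if __name__ == "__main__":
    req = ApRequest("02:00:00:00:00:01", "1.18.0", "eltex", "02-00-00-00-00-01")
    print(precheck("model-x", req, SAMPLE_CFG))
```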

Before linking an access point, 2 objects should be created in a system:

  1. OTT profile. The profile contains a large number of IPsec settings according to which access points and ESR create IPsec tunnels. The IPsec parameters available in an OTT profile are listed in Annex 1. In NBI, this profile can be created with the CreateOttProfile command.
  2. Linking the OTT profile to ESR. This links ESR public IP addresses to the OTT profile created before. As a result, the IPsec parameters from the OTT profile are matched with the ones specified on ESR. Then, when the Service Activator chooses an ESR for an access point, it sends the ESR's public address and IPsec parameters to the AP, so the same IPsec parameters are guaranteed on both the access point and the ESR side when a tunnel is established. IPsec parameters set on ESR by profile linking can optionally be adjusted in the ESR configuration. In NBI, the OTT profile can be linked to ESR with the CreateOttStation command.

For OTT profile linking to ESR and for the Service Activator to choose an ESR for an access point, ESR devices should be added to the EMS device tree in advance. The OTT checkbox should be enabled on the ESR devices in Service Provider mode to show that they are ready to work with access points according to the OTT model. In addition, public IP addresses should be configured on them. ESR devices should be placed in the domains where access points will be initialized according to the OTT AP initialization rule links. Access points can also be initialized in subdomains of the domain where the ESR is located.
After all objects have been created, link the access point by MAC to the initialization rule. The OTT checkbox in the Links menu should be set to Connected. A domain where the OTT ESR is located, or one of its lower-level subdomains, should be selected as the Node domain.
After the link to the initialization rule has been created, the Service Activator selects the ESR to which the AP will establish an IPsec tunnel using the following algorithm: it starts searching for an ESR with the OTT checkbox set in the domain where the AP is located according to the initialization rule link. If there are no such ESR devices in the current domain, the algorithm goes one level higher in the domain tree and continues upward until an OTT ESR is found. If no OTT ESR is found, the Service Activator returns error 4022. Among the candidates, the Service Activator selects the ESR with the lowest load and the smallest number of connected access points at the moment. After that, the Service Activator generates a unique login and password for X-Auth authorization and sends a resulting message including the ESR public IP, the IPsec parameters set in the ESR configuration and the X-Auth credentials.

To provide seamless roaming between access points, connect them to the same ESR. According to the ESR selection algorithm, if an access point is put into a domain where other access points are already put, priority is given to the ESR to which those points are connected.

Automatic activation of the service with default settings

The Service Activator can add access points to a default domain. This option is needed when a default Wi-Fi service should be activated on an access point right after installation, without operator participation and without links to initialization rules. To do this, create the "ott.root" domain in the system and add a link to an initialization rule with the "ott_default" key to the domain of the "ott.root" node. Link an SSID to the domain. Link to the SSID the portal that will be accessible to all users connecting to access points placed in the default domain. ESR devices with the OTT checkbox enabled and OTT profiles linked should be placed in the domain.
After this sequence of operations has been performed, the connection algorithm will be as follows:

  • After being installed, the access point will send a POST request containing its parameters to the Service Activator.
  • If the Service Activator does not find a link to initialization rule by the AP's MAC address, it will put this access point into the default domain and start searching for an optimal ESR in that domain.
  • A message containing parameters required for establishing an IPsec tunnel will be sent to an access point.
  • An access point will establish tunnels and connect to SoftWLC. After that, an access point will be initialized, and SSID, linked to the default domain, will be enabled on it.

As a result, a default service will be enabled on the access point automatically, without operator intervention.

When the default domain is used, all client access points that have no initialization rule link by MAC address are put into the default domain. However, from the system's perspective there is no identifier showing that such an access point belongs to a certain client. Consequently, statistics and other information on the AP and the users connected to it cannot be identified by client or filtered by client attribute. To link an AP to a certain client, create an AP initialization rule link by MAC to the client's domain, remove the AP from the default domain and initialize it again. When enabling the default domain, the operator takes responsibility for control over the access points and services within it.

Service Activator performance chart

Configuration files

Service Activator configuration files are located in the "/etc/eltex-wifi-sa/" directory. To apply the changes to configuration files, restart the Service Activator using the following command: "service eltex-wifi-sa restart".
Description of the parameters set in configuration files:
Configuration file "application.conf".
This file contains most of Service Activator configuration.

Parameter | Values | Recommended value | Description
--------- | ------ | ----------------- | -----------
logLevel | debug, info, warn, error | info | Logging level. Logs are written to the file /var/log/eltex-wifi-sa/main.log.
requestTimeout | integer | 45 | Maximum request processing time (0 for infinite time). If this value is exceeded, the server is considered overloaded.
http { enabled | yes, no | true | Enables reception of requests from access points via HTTP.
http { port | integer (0-65535) | 8042 | The TCP port on which the Service Activator listens for requests from access points via HTTP.
https { enabled | yes, no | true | Enables reception of requests from access points via HTTPs.
https { port | integer (0-65535) | 8043 | The TCP port on which the Service Activator listens for requests from access points via HTTPs.
https { keyStore { path | string | server.p12 | Service Activator certificate path. If the certificate and the configuration file are located in the same directory, the certificate's name is sufficient.
https { keyStore { password | string | "" | Password for the Service Activator's certificate. In most cases, it is an empty string.
https { clients { certificate | string | client.crt | Root certificate path. If the certificate and the configuration file are located in the same directory, the certificate's name is sufficient.
https { clients { checkMAC | yes, no | yes | Enables checking of the MAC address in the certificate sent by an access point against the AP's real MAC address.
https { clients { fwCheckCrt | yes, no | yes | Enables checking of the Provider-ID in the certificate sent by an access point.
ems { host | localhost or IP address | | The address of the EMS server with which the Service Activator interacts.
ems { port | integer (0-65535) | 8080 | The port that the Service Activator uses to address EMS.
ems { parallelLimit | integer | 5 | The maximum number of parallel requests to the EMS server.
ipsec-activator { wait-timer | integer | 180 | Timeout during which an AP tries to establish an IPsec connection. After the timeout, the AP is reset.
ipsec-activator { update-time | integer | 600 | Timeout during which an AP tries to update its firmware from the Service Activator. After the timeout, the AP is reset.

Configuration file "factory-fw.conf"
The file contains settings for automatic AP firmware upgrade to current versions.

Parameter | Values | Recommended value | Description
--------- | ------ | ----------------- | -----------
downgrade | true, false | false | Permits/forbids AP downgrade if the firmware version does not match the version specified in the configuration.
min | string | | The current AP firmware version.
file | string | | Firmware file located in /var/lib/eltex-wifi-sa/firmware/.

Configuration file /usr/lib/eltex-radius-nbi/conf/ott/ott.xml
This file contains information on the maximum number of OTT access points that can be connected to ESR of this model. When an AP requests to the Service Activator, it finds an ESR OTT device in a domain and checks the number of access points linked to it. If the number is equal or greater than the number specified in the file for this model of ESR, the Service Activator considers it as loaded to its maximum and starts to search a less busy ESR in this domain or in higher-level domains.

Parameter | Values | Recommended value | Description
--------- | ------ | ----------------- | -----------
subtype | 100, 200, 1000, 1200, 1700 | | ESR model (ESR-100, ESR-200, ESR-1000, ESR-1200, ESR-1700).
max | | | The maximum number of OTT access points for this ESR model.
param (name, default, regex, description) | | | Parameter name, default value, regular expression and description of the parameters available in an OTT profile.

Minimum requirements for the Service Activator server:

  • CPU: 2 cores
  • RAM: 8 GB
  • HDD: 100 GB (up to 5000 APs)

Installing the Service Activator

root@vagrant-ubuntu-trusty-64:/home/vagrant# echo "deb http://archive.eltex.org/ems 3.13 main" >> /etc/apt/sources.list.d/eltex.list
root@vagrant-ubuntu-trusty-64:/home/vagrant# add-apt-repository -y ppa:webupd8team/java
root@vagrant-ubuntu-trusty-64:/home/vagrant# apt-key adv --keyserver keyserver.ubuntu.com --recv F558A287
root@vagrant-ubuntu-trusty-64:/home/vagrant# apt-get update
root@vagrant-ubuntu-trusty-64:/home/vagrant# apt-get -y install oracle-java8-installer
root@vagrant-ubuntu-trusty-64:/home/vagrant# apt-get install eltex-wifi-sa
If the Service Activator is installed to a separate server, specify EMS server access parameters in the configuration file /etc/eltex-wifi-sa/application.conf and restart the Service Activator:

     ems {
       host = "localhost"
       port = 8080
     }

ESR

To provide the OTT service, ESR should have 2 default gateways for sending traffic to the Internet. The first gateway is specified as the standard Default Gateway in the routing table; ESR uses it to transmit IPsec packets. ESR should have an interface with a public IP address in this subnet. Access points establish IPsec tunnels to this IP address, so ports 500 and 4500 should be open. ESR uses the second gateway to send subscriber traffic extracted from the tunnels. To avoid the problem of 2 default gateways within the same routing space, configure the Next-Hop option on the Bridge through which subscriber traffic is routed. The option routes all traffic from the Bridge via the gateway specified in Next-Hop, bypassing the Default Gateway.
When IPsec sessions are established, X-Auth authorization is performed. ESR receives the unique login and password (generated by the Service Activator) from the AP and performs authorization by sending RADIUS requests to SoftWLC PCRF. PCRF, which is connected to MongoDB, informs ESR whether the login and password sent by the AP match the ones stored in the database.

Redundancy

ESR redundancy follows the N+1 model. If one of the ESR devices in a domain fails and IPsec sessions abort, the access points inform the Service Activator that they need data for connecting to another ESR. The Service Activator sends information on other ESR devices, taking failures and device loads into account. As a result, access points connect to other ESR devices instead of the failed one. This redundancy scheme reduces the number of ESR devices needed in the network.
When one of the ESR devices fails and its access points contact the Service Activator, it starts searching for a new ESR for these APs within the same domain. If there are no free ESR devices in this domain, or no ESR devices at all, the Service Activator goes one level higher in the domain tree and continues searching there; if there are still no free ESR devices, it goes one level higher again, and so on. It is therefore useful to create several ESR groups and place them in different regional domains. Access points of these regions will connect to their regional ESR devices, so the path data take from an AP to its ESR is limited to a specific region. In addition, one more group can be placed in the root of the OTT branch. If all ESR devices in a region fail or become unavailable for some reason, access points will be able to switch to the root ESR devices. The route packets travel will be longer if the root ESR devices and the access points are located in different regions, but the service will be provided. Regional and root ESR devices can be linked to different OTT profiles with different IPsec parameters, and AP distribution will still be correct, as an access point always receives from the Service Activator precisely the IPsec parameters configured on the ESR it connects to.
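The selection and failover behaviour described here and in the ESR selection algorithm earlier on this page, as an added example that is not Eltex's code: it walks up the domain tree, skips ESRs without the OTT checkbox, failed ESRs and ESRs at their ott.xml limit, prefers the ESR that neighbouring APs in the same domain already use (the roaming rule), and otherwise takes the least loaded one; with no OTT ESR up to the root it raises error 4022. The domain-tree representation, the ESR names and the limit values are constructed assumptions.

```python
# Added example, not Eltex's code: models the Service Activator's ESR selection
# and failover. Names, the domain-tree layout and limit values are assumptions.
from dataclasses import dataclass


@dataclass
class Esr:
    name: str
    domain: str             # EMS domain the ESR is placed in
    subtype: int            # ESR model as keyed in ott.xml (100, 200, 1000, ...)
    connected_aps: int = 0  # APs currently tunnelled to this ESR
    ott: bool = True        # OTT checkbox set in EMS (Service Provider mode)
    failed: bool = False    # reported unreachable by its access points


class NoOttEsr(Exception):
    """Raised when the walk reaches the root without finding an OTT ESR."""
    code = 4022


def walk_up(domain, parents):
    """Yield the AP's domain, then each ancestor up to the root."""
    while domain is not None:
        yield domain
        domain = parents.get(domain)


def select_esr(ap_domain, parents, esrs, limits, neighbours=()):
    """Pick the ESR an AP placed in ap_domain should build its IPsec tunnel to.

    neighbours: names of the ESRs used by APs already placed in ap_domain;
    one of them is preferred so that neighbouring APs share an ESR (roaming).
    limits: ott.xml 'max' per ESR subtype.
    """
    for domain in walk_up(ap_domain, parents):
        usable = [e for e in esrs
                  if e.domain == domain and e.ott and not e.failed
                  and e.connected_aps < limits[e.subtype]]
        if not usable:
            continue   # nothing usable at this level: go one level up
        preferred = [e for e in usable if e.name in neighbours]
        return min(preferred or usable, key=lambda e: e.connected_aps)
    raise NoOttEsr("no OTT ESR found up to the root (error %d)" % NoOttEsr.code)


# Constructed sample topology (not a real deployment): a regional ESR pair and
# one ESR in the root of the OTT branch, as recommended for redundancy above.
PARENTS = {"ott.root": None, "region-a": "ott.root", "client-1": "region-a"}
LIMITS = {1000: 5, 1200: 10}   # constructed stand-ins for the ott.xml 'max' values


def build_esrs():
    return [Esr("esr-a1", "region-a", 1000, connected_aps=3),
            Esr("esr-a2", "region-a", 1000, connected_aps=1),
            Esr("esr-root", "ott.root", 1200)]


def failover(ap_domain, esrs, failed_name):
    """Mark an ESR failed and re-run the selection, as the activator does."""
    for e in esrs:
        if e.name == failed_name:
            e.failed = True
    return select_esr(ap_domain, PARENTS, esrs, LIMITS).name


if __name__ == "__main__":
    esrs = build_esrs()
    print(select_esr("client-1", PARENTS, esrs, LIMITS).name)   # least loaded
    print(failover("client-1", esrs, "esr-a2"))                  # regional peer
    print(failover("client-1", esrs, "esr-a1"))                  # root ESR
```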

ESR connection scheme

  1. One physical interface is used.
  2. The bridge 1 interface is used to access the Internet. Traffic leaves via this interface on the default route.
  3. IPsec listens for inbound connections on bridge 1.
  4. IPsec from an AP is unpacked on bridge 1. GRE packets are redirected to bridge 2.
  5. Packets from the AP management VLAN are then transferred to bridge 6.
  6. Client traffic arrives on bridge 7 and is sent to a neighbouring router according to the route-map option. Clients access the Internet via that router.

ESR redundancy scheme


  1. Routers ESR 1 and ESR 2 on which IPsec is terminated are connected to routers PE 1 and PE 2 respectively.
  2. ESR 1 and ESR 2 announce management, client and IPsec gateway subnets to PE 1 and PE 2 respectively, using BGP.
  3. PE 1 and PE 2 announce default routes and subnets necessary to provide communication with SoftWLC.
  4. If one ESR fails, it becomes unavailable. When access points find that the IPsec connection cannot be established, they request the Service Activator, which learns of the ESR failure and sends the access points the parameters for connecting to the second ESR. The access points connect to the new ESR.
  5. Each ESR uses own IP address pools to control access points and Wi-Fi users.

An ESR configuration example can be found in Annex 3.

Access points

According to the OTT model, an access point should connect to the Service Activator and get IPsec parameters and authorization data before establishing an IPsec tunnel. As the connection must be secure, HTTPs is used, which requires certificates on both the AP and the Service Activator. The AP also needs the URL of the Service Activator to which it will send the request. This URL can be provided in two ways:
1) If a service provider has entered into a contract with Eltex, a specially prepared certificate containing the unique "Provider-ID" parameter and the Service Activator URL that the AP will address can be embedded in the access points' firmware at the manufacturing stage. This URL should therefore be agreed in advance between the vendor and the provider. As a result, the provider gets access points that, once installed, automatically connect to the Service Activator using the URL from their certificates. The service provider is given the Service Activator certificate and the Root certificate. The Service Activator certificate also contains the "Provider-ID", which the Service Activator uses to check whether a requesting access point belongs to the provider; if it does not, the request is ignored. In this case, an installer does not need to configure anything to enable the service.
2) If a service provider has not entered into a contract with Eltex for manufacturing access points with a unique Provider-ID, access points are manufactured with the default Provider-ID = "eltex" and an empty Service Activator URL. As long as the Service Activator URL is empty, the access point operates as a standard AP (OTT is disabled). To enable OTT, specify the Service Activator URL via the CLI or the AP web interface; the AP will then try to connect to the Service Activator. The Root certificate and the Service Activator certificate with Provider-ID = "eltex" are given to the provider. All access points with this Provider-ID will be able to connect to the Service Activator if its URL is specified on them. If no link to an initialization rule is created, the access point is put into a "sandbox" and does not reach the system. Due to this restriction, "alien" access points cannot get the provider's service.

All AP certificates contain MAC addresses of these access points. When the Service Activator gets a request from an access point, it can optionally check a MAC address specified in the certificate and an actual address of an access point. If they differ, the Service Activator will generate an error and will not let it pass to the next activation steps. This procedure protects a provider from certificate theft by one access point and its usage by another access point with another MAC.

For access points to work according to the OTT model, an installer adapted to this mode must be embedded in the access points' firmware. The installer can be embedded in an access point's firmware only during the Eltex manufacturing process. Thus, the OTT model is supported only by new Eltex access points that have passed the appropriate manufacturing stage. A provider can get access points supporting the OTT model by placing a special order via the Eltex commercial department.

If an access point operates on the OTT model (Service Activator URL is specified on the access point), but the access point gets DHCP option 43 with a primary IP address, OTT is disabled on this AP. The access point starts working in a standard mode.

If a failure occurs on ESR-1000, an access point will reset and request the Service Activator after the period
(GRE_ping_counter × 10) + wait_timer,
where GRE_ping_counter is a parameter of the OTT profile and wait_timer is the Service Activator parameter (ipsec-activator { wait-timer).
By default, this time is 3 × 10 + 180 = 210 seconds.

Use case

1) An installer sets up an Eltex access point with firmware customized for the service provider at a client's premises. This firmware contains the URL of the provider's Service Activator by default. The Service Activator is installed on separate servers in the provider's data processing centre and is a part of SoftWLC. It has a public IP address for AP connection and a domain name registered on the provider's DNS.
2) The access point gets an IP address (via DHCP), other network parameters and Internet access from the local network. If the access point has received DHCP option 43, it is located in the provider's network and IPsec establishment is not required: the access point follows the suboptions of option 43 and does not start OTT. If it has not received option 43, it starts OTT.
3) The access point connects to the Service Activator via HTTPs and transmits the following data:

  • Serial number
  • MAC address
  • Firmware version
  • HW version
  • Provider-ID (in a certificate)
  • MAC-address (in a certificate)

4) When the Service Activator gets a request from an access point, it connects to EMS via NBI, transmits the received data and requests the initialization rule links for this AP (provided that the Provider-ID is consistent, the AP MAC address matches the one specified in the certificate, and the handshake was successful).
5) Several options are possible then:

  • If the access point was linked to an initialization rule by an operator in advance, and the installer set this access point, initialization will start immediately.
  • If the access point is not linked to an initialization rule at the time of its installation, and there is no link of an initialization rule to the default domain, EMS will put the AP to its "sandbox". The AP will be displayed like all other access points. At certain intervals, the access point will try to connect to the Service Activator, waiting for configuration in the system.
  • If the access point is not linked to an initialization rule at the time of its installation, and there is a link of an initialization rule to the default OTT domain, the access point will be linked to the default OTT domain. It will be initialized similarly to the access point that has a link to an initialization rule by MAC (but within the OTT default domain and without definition of belonging to a client).
  • The access point is added to the black list, so it will not get into the "sandbox".

6) For the access point to establish an IPsec tunnel, create a link of an initialization rule to its MAC address via EMS. The operator should enable the OTT connection indicator before adding the AP to the network. Besides the checkbox, the AP domain is an important parameter: EMS sends the AP domain and the OTT indicator to the Service Activator in response to its requests. If the default OTT domain is enabled in the system, this step can be skipped.
7) When EMS gets data on the access point, it performs the following actions:

  • It finds the level of the domain chain where the ESR-1000 pool is located. Therefore, ESR-1000 devices with their IP addresses should be specified in a special domain in EMS.
  • EMS generates unique login and password for establishing an encrypted IPsec connection and adds them to the database (MongoDB ott.xauth).
  • EMS sends the following parameters upon enquiry: public IP address of a chosen ESR device, login and password (x-auth), the default password (it is the same for ESR-1000 and all access points and is specified in a system only once, as it is necessary for IPsec session establishment), IPsec ESR parameters.
  • The Service Activator sends the parameters to the access point.

8) After receiving the necessary data, the access point starts establishing an IPsec tunnel to ESR-1000. During IPsec connection establishment, ESR-1000 receives the unique login and password from the access point and checks them on the SoftWLC PCRF server. PCRF connects to the ott database and checks whether the table contains the login and password received from the access point. If they are in the table, RADIUS sends Access-Accept.
During IPsec establishment, the access point gets a second IP address and other parameters within the IPsec session. The access point uses this IP address to establish EoGRE tunnels (Management and Data) to ESR-1000 inside the IPsec tunnel.

To see the table referred to by RADIUS, do the following:

root@vagrant-ubuntu-trusty-64:/home/vagrant# mongo
> show databases;
local    0.078125GB
notification-gw    0.203125GB
ott    0.203125GB
pcrf    0.453125GB
wifi-customer-cab    0.203125GB
> use ott
> show tables
system.indexes
xauth
> db.xauth.find()
{ "_id" : ObjectId("5a6816b4e14c08c4d9c0854d"), "ipsec_login" : "login1", "ipsec_pass" : "password1" }
{ "_id" : ObjectId("5a6816b4e14c08c4d9c0854e"), "ipsec_login" : "login2", "ipsec_pass" : "password2" }
{ "_id" : ObjectId("5a6816b4e14c08c4d9c0854f"), "ipsec_login" : "login3", "ipsec_pass" : "password3" }

9) The access point communicates with SoftWLC via SNMP within the Management GRE and is initialized similarly to the current scheme.
10) Subscriber traffic passes through Data GRE to ESR-1000 and is routed to NAT. 

Message exchange diagram

Configuration

AP initialization

To initialize access points connected according to the OTT scheme, create the domain ott.root in the EMS tree.
Create an OTT rule in the tab Wireless/AP initialization rules manager/Rules. An OTT initialization rule can be created manually for each AP type. Specify TCP as the SNMP transport.



Create an initialization link with ott_default key, ott rule name and ott.root domain.



The special key ott_default can be obtained by pressing the corresponding button.

After the link is created, it will be displayed in the tab OTT links in Wireless/AP initialization rule manager.



Create an SSID with a link to the domain ott.root (Wireless/SSID Manager). In the field Bridge, Location, specify the location corresponding to the bridge settings on ESR.

ESR OTT

OTT parameter activation: in the Access tab, select the option ServiceProvider and enable BRAS by setting the checkbox BRAS service for ESR devices connected via OTT.


Set the OTT parameters for ESR. To do this, create an OTT profile and link it to ESR.
To create an OTT profile, open the tab OTT profiles in Wireless/AP initialization rule manager. Create a profile with the required parameters by clicking the corresponding button.


After the profile has been created, it can be linked to ESR. To do this, select ESR in the EMS tree and select the tab OTT in Configuration.



Open the OTT edit window by clicking Edit. Select the OTT profile created before and specify the ESR public IP address. As the IPsec remote gateway, specify the address of the gateway that the access point will send requests to. The OTT profile parameters should match the OTT parameters on ESR.

Configuring IPsec on AP without the Service Activator

Open the menu Manage/OTT settings in the web interface of the access point.

In the brief menu, it is sufficient to specify the address of the remote router with IPsec and the XAUTH login and password (if the XAUTH and IPsec passwords are equal).

If the checkbox Use XAUTH Password is enabled in Advanced Settings, XAUTH coincides with IPsec password. Otherwise, IPsec Password should be specified.

Extended IPsec parameters can be specified in Advanced Settings.

If the parameter Use ISAKMP Mode Config is set to On, the parameters GRE Over IPsec Mgmt and GRE Over IPsec Data are not taken into consideration. If the parameter Use ISAKMP Mode Config is set to Off, specify the parameters IKE Gateway, GRE Over IPsec Mgmt and GRE Over IPsec Data.

More about the parameters:

  • IPsec Remote Gateway – IP address or domain name of the gateway (xxx.xxx.xxx.xxx / domain name).
  • IPsec Operational Status – enables IPsec.
  • XAUTH User – XAUTH user name, available if "Use ISAKMP Mode Config" is set to On (Range: 4-16 chars).
  • XAUTH Password – XAUTH user password, available if "Use ISAKMP Mode Config" is set to On (Range: 4-16 chars).
  • IKE Authentication Algorithm – hashing algorithm used to check data integrity (md5, sha1).
  • IKE DH Group – Diffie-Hellman group used to establish a shared secret key over an insecure channel (1, 2, 5).
  • IKE Encryption Algorithm – encryption algorithm for Phase 1 of the IPsec connection (AES128, DES, 3DES).
  • Use ISAKMP Mode Config – if set to "On", the parameters "GRE Over IPsec Mgmt", "GRE Over IPsec Data", "IPsec Local Address", "IPsec Remote Network" and "IPsec Remote Mask" are ignored.
  • IKE Lifetime – IKE SA lifetime (Phase 1 lifetime) before reauthentication. Should be the same at both ends of the IKE/IPsec tunnel (Sec, Range: 180-86400).
  • Use NAT-T – enable this checkbox if the client is behind NAT.
  • IPsec NAT Keepalive – time between NAT keepalive packets (Sec, Range: 1-300).
  • IPsec Password – shared password for the IKE/IPsec connection (Range: 8-48 chars).
  • IPsec Local Address – client address used as the local IKE network with subnet mask 255.255.255.255 (/32). Ignored if "Use ISAKMP Mode Config" is set to On (xxx.xxx.xxx.xxx).
  • IPsec Remote Network – remote IKE network. Ignored if "Use ISAKMP Mode Config" is set to On (xxx.xxx.xxx.xxx).
  • IPsec Remote Mask – remote IKE subnet mask. Ignored if "Use ISAKMP Mode Config" is set to On (xxx.xxx.xxx.xxx).
  • IPsec Authentication Algorithm – hashing algorithm used to check data integrity (md5, sha1).
  • IPsec DH Group – Diffie-Hellman group used to generate a shared secret key over an insecure channel. Value 0 reuses the secret key from IKE (0, 1, 2, 5).
  • IPsec Encryption Algorithm – encryption algorithm for Phase 1 of the IPsec connection (AES128, DES, 3DES).
  • IPsec DPD Delay – interval after which the ESR sends DPD packets to the access point to check its reachability (Range: 5-600).
  • IPsec Child SA Lifetime – IPsec VPN SA lifetime (Phase 2 lifetime) before reauthentication. Should be the same at both ends of the IKE/IPsec tunnel and less than IKE Lifetime (Sec, Range: 180-86400).
  • Use GRE mode – enables or disables GRE over IPsec. Required because the GRE local IP address is the IPsec local IP address.
  • GRE Over IPsec Mgmt – GRE remote IP address for the management tunnel (xxx.xxx.xxx.xxx).
  • GRE Over IPsec Data – GRE remote IP address for the data tunnel (xxx.xxx.xxx.xxx).
  • GRE MTU Offset – value subtracted from the standard MTU to obtain the device MTU (device MTU = standard MTU - GRE MTU Offset).
  • GRE Ping Counter – number of gre-management-ip pings without a response after which the IPsec connection is re-established. gre-management-ip is pinged every 10 seconds. Range: 3-60, default 3.

The IPsec child SA lifetime must be less than the IKE lifetime, and the IKE lifetime must be a multiple of the IPsec child SA lifetime. By default, the IKE lifetime is 86400 seconds (24 hours) and the IPsec child SA lifetime is 3600 seconds (one hour), so the IPsec key is changed 24 times per day and the IKE key once.

OTT black list

The OTT black list is managed via the EMS GUI: open Wireless/AP initialization rules manager/OTT black list.



Click the add button; a window for entering a MAC address opens. Enter the MAC address of the AP to add it to the black list.


A MAC address may contain any number of bytes; all MAC addresses that begin with the same bytes are banned.
For example, if the string aa:bb:01 has been added to the black list, an attempt to add aa:bb:01:02:03:04 is rejected with the message "aa:bb:01 has been already added to the black list". An access point that is on the black list does not get into the "sandbox".
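
The prefix rule above, implemented as an added Python example (this is not the EMS code; the class name OttBlackList and the byte-aligned matching are assumptions). It normalizes separators and case, bans any address that starts with a listed entry's bytes, and rejects an addition that an existing entry already covers with the message quoted above.

```python
import re

# One to six whole bytes, lower-case hex, ':' separated (after normalization).
_MAC_PREFIX_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){0,5}$")


def normalize_mac(mac):
    """Lower-case the address, accept ':' or '-' separators and require whole
    bytes, so 'aa:bb:1' is rejected while 'AA-BB-01' becomes 'aa:bb:01'."""
    norm = mac.strip().lower().replace("-", ":")
    if not _MAC_PREFIX_RE.match(norm):
        raise ValueError(f"invalid MAC address or prefix: {mac!r}")
    return norm


def covers(entry, mac):
    """True when black list entry `entry` bans `mac`: the entry's bytes must be
    exactly the leading bytes of `mac` (byte-aligned: aa:bb:01 covers
    aa:bb:01:02:03:04 but not aa:bb:0f:00:00:00)."""
    entry_bytes = entry.split(":")
    return mac.split(":")[:len(entry_bytes)] == entry_bytes


class OttBlackList:
    """In-memory model of the EMS OTT black list (assumed structure)."""

    def __init__(self):
        self.entries = []

    def try_add(self, mac):
        """Add a MAC address or prefix. Returns (True, note) when stored, or
        (False, message) with the EMS-style rejection when an existing entry
        already covers the new one."""
        norm = normalize_mac(mac)
        for entry in self.entries:
            if covers(entry, norm):
                return False, f"{entry} has been already added to the black list"
        self.entries.append(norm)
        return True, f"{norm} added to the black list"

    def is_banned(self, mac):
        """Would an AP with this MAC be kept out of the sandbox?"""
        norm = normalize_mac(mac)
        return any(covers(entry, norm) for entry in self.entries)


if __name__ == "__main__":
    # Constructed sample: ban one three-byte prefix and check a few addresses.
    bl = OttBlackList()
    print(bl.try_add("aa:bb:01"))
    print(bl.try_add("aa:bb:01:02:03:04"))   # rejected, prefix already listed
    print(bl.is_banned("AA-BB-01-02-03-04"))  # True
    print(bl.is_banned("aa:bb:0f:00:00:00"))  # False
```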

Conditions under which OTT links are deleted:

  • when an AP initialization link is deleted, an OTT link is deleted in EMS
  • when an AP is replaced, an OTT link is deleted in EMS. It can be established again if necessary
  • when ESR is deleted from EMS, all its OTT links are deleted too
  • when ESR IP is changed in EMS, all its OTT links are deleted
  • when ESR is deleted from EMS, its OTT station is deleted
  • when ESR is put into another domain, all its OTT links should be deleted

Checking whether an OTT station has been deleted:

$ mongo
> use ott;
> db.station.find({esr_ip: '<esr ip address>'}).pretty();


Checking whether OTT links have been deleted:

$ mongo
> use ott;
> db.xauth.find({esr_ip: '<esr ip address>'}).pretty();
> db.xauth.find({mac: '<AP mac address>'}).pretty();

Shaper settings via the Admin Panel 

In the Admin Panel, in the "System" tab of the Settings menu, enable the checkbox "Shaper settings at Domains tree", then log out of the Admin Panel and log in again.



Enable SSID shaper in the "Domain tree" tab of the Settings menu.

Click the button in the column "Merged shaper" and set the shaper parameters on SSID in the opened window.

NBI for OTT management 

A number of NBI commands were created for OTT management.
The documentation of these commands is included in the eltex-radius-nbi package; after the package is installed, it is available at http://localhost:8080/eltex-radius-nbi/asciidoc/
The WSDL file is available at: http://localhost:8080/axis2/services/RadiusNbiService?wsdl
(replace localhost with the IP address of the NBI server)

Annex 1. List of IPsec parameters in the OTT profile 

Description IKE authentication algorithm (md5, sha1), md5 by default
Name ipsec.auth-alg
Regex (md5|sha1)

Description IKE DH Group (1, 2, 5), 1 by default
Name ipsec.dh-group
Regex (1|2|5)

Description IPSEC DPD Delay (5..600), 60 by default
Name ipsec.dpd-delay
Regex ([5-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|[2-5][0-9][0-9]|600)

Description IKE encryption algorithm (aes, des, 3des), aes by default
Name ipsec.encrypt-alg
Regex (aes|des|3des)

Description Force establish tunnel (UP, DOWN), UP by default
Name ipsec.force-establish
Regex (UP|DOWN)

Description Use GRE mode (UP, DOWN), UP by default
Name ipsec.gre-mode
Regex (UP|DOWN)

Description GRE mtu offset (0..220), 148 by default
Name ipsec.gre-mtu-offset
Regex ([0-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|220|2[0-1][0-9])

Description IKE lifetime (180..86400), 86400 by default
Name ipsec.lifetime
Regex (18[0-9]|19[0-9]|[2-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|1000[0-9]|100[1-9][0-9]|10[1-9][0-9][0-9]|1[1-9][0-9][0-9][0-9]|[2-7][0-9][0-9][0-9][0-9]|86400|86[0-3][0-9][0-9]|8[0-5][0-9][0-9][0-9])

Description Use ISAKMP mode config (UP, DOWN), UP by default
Name ipsec.mode-cfg
Regex (UP|DOWN)

Description Use NAT-T (UP, DOWN), UP by default
Name ipsec.nat
Regex (UP|DOWN)

Description IPSEC NAT Keepalive (1..300), 30 by default
Name ipsec.nat-keepalive
Regex ([1-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|2[0-9][0-9]|300)

Description IPSEC password (8-48 chars)
Name ipsec.password
Regex ([A-Za-z0-9]{8,48})

Description IPSEC DH Group (0, 1, 2, 5), 0 by default
Name ipsec.pfs-group
Regex (0|1|2|5)

Description IPSEC authentication algorithm (md5, sha1), md5 by default
Name ipsec.sa-auth-alg
Regex (md5|sha1)

Description IPSEC encryption algorithm (aes, des, 3des), aes by default
Name ipsec.sa-encrypt-alg
Regex (aes|des|3des)

Description IPSEC child SA lifetime (180..86400), 3600 by default
Name ipsec.sa-lifetime
Regex (18[0-9]|19[0-9]|[2-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|1000[0-9]|100[1-9][0-9]|10[1-9][0-9][0-9]|1[1-9][0-9][0-9][0-9]|[2-7][0-9][0-9][0-9][0-9]|86400|86[0-3][0-9][0-9]|8[0-5][0-9][0-9][0-9])

Description IPSEC operational status (UP, DOWN), UP by default
Name ipsec.status
Regex (UP|DOWN)

Description Use XAUTH password as IPSEC password (on/off) default off
Name ipsec.use-xauth-passwd
Regex (on|off)

Description XAUTH password (8-48 chars)
Name ipsec.xauth-password
Regex ([A-Za-z0-9]{8,48})

Description XAUTH user (4-16 chars)
Name ipsec.xauth-user
Regex ([A-Za-z0-9]{4,16})

Description IPSEC remote gateway (IP or URL)
Name ipsec.remote-gateway
Regex none (the value is not validated by a regex)
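
An added Python example (not part of the EMS or NBI code) that validates an OTT profile against the Annex 1 regexes and against the lifetime rule given in the section on configuring IPsec on the AP: the child SA lifetime must be smaller than, and divide, the IKE lifetime. The DEFAULT_PROFILE dictionary is constructed from the Annex 1 defaults, and the regexes are applied with re.fullmatch because they are not anchored in the annex.

```python
import re

# Validation regexes copied from Annex 1 (the subset used here). They are not
# anchored there, so they must be applied with re.fullmatch: re.match would
# accept "1800000" for ipsec.lifetime through its "180" prefix.
LIFETIME_RE = (
    r"(18[0-9]|19[0-9]|[2-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|1000[0-9]|100[1-9][0-9]"
    r"|10[1-9][0-9][0-9]|1[1-9][0-9][0-9][0-9]|[2-7][0-9][0-9][0-9][0-9]|86400"
    r"|86[0-3][0-9][0-9]|8[0-5][0-9][0-9][0-9])"
)
OTT_PARAM_REGEX = {
    "ipsec.auth-alg": r"(md5|sha1)",
    "ipsec.dh-group": r"(1|2|5)",
    "ipsec.dpd-delay": r"([5-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|[2-5][0-9][0-9]|600)",
    "ipsec.encrypt-alg": r"(aes|des|3des)",
    "ipsec.gre-mtu-offset": r"([0-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|220|2[0-1][0-9])",
    "ipsec.lifetime": LIFETIME_RE,
    "ipsec.sa-lifetime": LIFETIME_RE,
    "ipsec.nat-keepalive": r"([1-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|2[0-9][0-9]|300)",
    "ipsec.password": r"([A-Za-z0-9]{8,48})",   # alphanumeric only per Annex 1
    "ipsec.pfs-group": r"(0|1|2|5)",
    "ipsec.status": r"(UP|DOWN)",
    "ipsec.use-xauth-passwd": r"(on|off)",
    "ipsec.xauth-user": r"([A-Za-z0-9]{4,16})",
}

# Constructed sample profile built from the Annex 1 defaults; the password is
# the test-bench pre-shared key used in the ESR configuration example.
DEFAULT_PROFILE = {
    "ipsec.auth-alg": "md5",
    "ipsec.dh-group": "1",
    "ipsec.dpd-delay": "60",
    "ipsec.encrypt-alg": "aes",
    "ipsec.gre-mtu-offset": "148",
    "ipsec.lifetime": "86400",
    "ipsec.sa-lifetime": "3600",
    "ipsec.nat-keepalive": "30",
    "ipsec.password": "testing123",
    "ipsec.pfs-group": "0",
    "ipsec.status": "UP",
    "ipsec.use-xauth-passwd": "off",
}


def validate_ott_profile(profile):
    """Return a list of validation errors (empty when the profile is consistent)."""
    errors = []
    # 1. Per-parameter syntax: every value must fully match its Annex 1 regex.
    for name, value in profile.items():
        regex = OTT_PARAM_REGEX.get(name)
        if regex is not None and re.fullmatch(regex, value) is None:
            errors.append(f"{name}: value {value!r} does not match {regex}")
    # 2. When the XAUTH password is not reused, an IPsec password is mandatory.
    if profile.get("ipsec.use-xauth-passwd", "off") == "off" and "ipsec.password" not in profile:
        errors.append("ipsec.password: required when ipsec.use-xauth-passwd is off")
    # 3. Cross-field rule: child SA lifetime < IKE lifetime, and the IKE
    #    lifetime must be a multiple of the child SA lifetime.
    try:
        ike = int(profile["ipsec.lifetime"])
        child = int(profile["ipsec.sa-lifetime"])
    except (KeyError, ValueError):
        return errors  # a missing or non-numeric lifetime is reported above
    if child >= ike:
        errors.append(f"ipsec.sa-lifetime {child} must be less than ipsec.lifetime {ike}")
    elif ike % child != 0:
        errors.append(f"ipsec.lifetime {ike} is not a multiple of ipsec.sa-lifetime {child}")
    return errors


def child_rekeys_per_ike_lifetime(profile):
    """How many times the IPsec (child SA) key is rotated within one IKE lifetime."""
    return int(profile["ipsec.lifetime"]) // int(profile["ipsec.sa-lifetime"])


if __name__ == "__main__":
    print(validate_ott_profile(DEFAULT_PROFILE))           # []
    print(child_rekeys_per_ike_lifetime(DEFAULT_PROFILE))  # 24
    bad = dict(DEFAULT_PROFILE, **{"ipsec.sa-lifetime": "5000"})
    for err in validate_ott_profile(bad):
        print("error:", err)
```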

Annex 2. Description of errors returned by the Service Activator to access points 

Message – Meaning:

  • Connection refused – The Service Activator is not installed, or port 8042 is blocked.
  • "code":4022, "msg":"No init link found" – There is no initialization rule link for the AP.
  • "code":1,"msg":"In request by key 'domain' value is empty or null" – There are no ESR devices with OTT enabled (the OTT checkbox in the Access tab) in the domain specified in the initialization rule link.
  • "code":4024, "msg":"No OTT station configured" – No OTT profile is linked to the IP address of an OTT-enabled ESR device, or such ESR devices are unavailable.
  • "code":4023 – NBI communication error.
  • "code": 4025, "msg": "/ott/upgrade/WOP-12ac-LR-RevB.tar.gz" – The AP firmware is out of date; an update is required.


Annex 3. ESR configuration example 

Examples of ESR configuration on a test bench.
Example 1
The example is for version 1.6.2 with BGP, for ESR models without EoGRE tunnel support. The following addressing is used:
1) gi1/0/1.4092: 10.12.20.4/28 - address facing the Internet, used for IPsec termination;
2) gi1/0/1.212: 100.64.0.66/30 - interconnect address facing VRF backbone, used to reach the SoftWLC, DHCP and DNS servers;
3) gi1/0/1.213: 100.64.0.70/30 - interconnect address facing VRF nat, used for client Internet access;
4) bridge 1: 192.168.200.49/28 and 192.168.200.50/28 - addresses terminating EoGRE from access points for the management and client traffic tunnels respectively;
5) bridge 3: 192.168.128.0/22 - subnet for AP management addresses; 192.168.128.1 is used as the address for managing the ESR from SoftWLC;
6) bridge 10: 198.18.160.0/22 - subnet for AP clients. The default gateway for clients is 198.18.160.1, DNS is 100.123.0.2;
7) 172.31.252.0/22 - subnet for addresses assigned to access points via mode config and used to establish EoGRE on the AP side;
8) 100.110.123.0/24 - management subnet. 100.123.0.2 is the SoftWLC, DHCP and DNS address.
Since the default route points to the Internet via gi1/0/1.4092, the PBR rule named "users_map" in the ESR configuration directs client traffic via interface gi1/0/1.213.

Configuration
hostname esr-ipsec

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ipsec_ports
  port-range 500
  port-range 4500
exit
object-group service dns
  port-range 53
exit

object-group network SoftWLC
  ip prefix 100.123.0.0/24
exit
object-group network ipsec_remote_address
  ip prefix 10.100.0.0/16
  ip prefix 172.31.252.0/22
exit
object-group network gre_termination
  ip prefix 192.168.200.48/28
exit
object-group network AP_mgmt
  ip prefix 192.168.128.0/22
  ip prefix 198.18.160.0/22
exit
object-group network AP_users
  ip prefix 198.18.160.0/22
exit

syslog console none

radius-server timeout 10
radius-server retransmit 5
radius-server host 100.123.0.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  priority 20
  source-address 192.168.128.1
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

tech-support login enable
root login enable

vlan 3
  force-up
exit
vlan 10
  force-up
exit

security zone trusted
exit
security zone untrusted
exit
security zone ipsec
exit
security zone gre
exit
security zone users
exit

ip access-list extended users_pbr
  rule 10
    action deny
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 11
    action deny
    match protocol udp
    match destination-port 53
    enable
  exit
  rule 20
    action permit
    enable
  exit
exit

route-map out_BGP_AP
  rule 10
    match ip address object-group AP_mgmt
    action permit
  exit
exit
route-map out_BGP_NAT
  rule 10
    match ip address object-group AP_users
    action permit
  exit
exit
route-map users_map
  rule 10
    match ip access-group users_pbr
    action set ip next-hop verify-availability 100.64.0.69 10
    action permit
  exit
exit
router bgp 64604
  address-family ipv4
    router-id 198.18.156.1
    redistribute connected
    neighbor 100.64.0.65
      remote-as 65001
      route-map out_BGP_AP out
      update-source 100.64.0.66
      enable
    exit
    neighbor 100.64.0.69
      remote-as 65001
      route-map out_BGP_NAT out
      update-source 100.64.0.70
      enable
    exit
    enable
  exit
exit

snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw
snmp-server community "public11" ro

snmp-server host 100.123.0.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 1
  description "gre_termination"
  vlan 1
  security-zone gre
  ip address 192.168.200.49/28
  ip address 192.168.200.50/28
  enable
exit
bridge 3
  description "AP_mgmt"
  vlan 3
  security-zone trusted
  ip address 192.168.128.1/22
  ip helper-address 100.123.0.2
  ip tcp adjust-mss 1312
  enable
exit
bridge 10
  description "Users"
  vlan 10
  security-zone users
  ip address 198.18.160.1/22
  ip helper-address 100.123.0.2
  ip policy route-map users_map
  ip tcp adjust-mss 1312
  location data10
  enable
exit

interface gigabitethernet 1/0/1
  description "UpLink"
exit
interface gigabitethernet 1/0/1.212
  description "VRF_backbone"
  security-zone trusted
  ip address 100.64.0.66/30
  ip tcp adjust-mss 1312
exit
interface gigabitethernet 1/0/1.213
  description "VRF_nat"
  security-zone untrusted
  ip address 100.64.0.70/30
  ip tcp adjust-mss 1312
exit
interface gigabitethernet 1/0/1.1000
  description "adm_net"
  security-zone trusted
  ip address 100.110.0.133/23
exit
interface gigabitethernet 1/0/1.4092
  description "IPsec"
  security-zone ipsec
  ip address 10.12.20.4/28
exit
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.49
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.50
  default-profile
  enable
exit

security zone-pair trusted self
  rule 10
    action permit
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair users untrusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair users trusted
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit
security zone-pair ipsec self
  rule 1
    action permit
    match protocol udp
    match destination-port ipsec_ports
    enable
  exit
  rule 2
    action permit
    match protocol esp
    enable
  exit
  rule 3
    action permit
    match protocol gre
    match source-address ipsec_remote_address
    match destination-address gre_termination
    enable
  exit
  rule 4
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 10
    action permit
    enable
  exit
exit

address-assignment pool ipsec_xauth_pool
  ip prefix 172.31.252.0/22
  data-tunnel address 192.168.200.50
  management-tunnel address 192.168.200.49
exit

security ike proposal dh1_md5_aes128
  authentication algorithm md5
  encryption algorithm aes128
exit

security ike policy psk_xauth
  lifetime seconds 86400
  pre-shared-key ascii-text testing123
  authentication method xauth-psk-key
  authentication mode radius
  proposal dh1_md5_aes128
exit

security ike gateway xauth_gw
  ike-policy psk_xauth
  local address 10.12.20.4
  local network 192.168.200.48/28
  remote address any
  remote network dynamic pool ipsec_xauth_pool
  mode policy-based
  dead-peer-detection action clear
  dead-peer-detection interval 60
  dead-peer-detection timeout 180
exit

security ipsec proposal md5_aes128_esp
  authentication algorithm md5
  encryption algorithm aes128
exit

security ipsec policy ipsec_pol
  proposal md5_aes128_esp
exit

security ipsec vpn xauth_ipsec
  mode ike
  ike establish-tunnel by-request
  ike gateway xauth_gw
  ike ipsec-policy ipsec_pol
  enable
exit

security passwords history 0
ip dhcp-relay

ip route 0.0.0.0/0 10.12.20.2

wireless-controller
  nas-ip-address 192.168.128.1
  resp-time 3
  failure-count 3
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.123.0.2
exit


Example 2
The example is for version 1.4.0 with static routing (for ESR models without EoGRE tunnel support). The following addressing is used:
1) bridge 1: 192.168.108.171/24 - address facing the Internet, used for IPsec termination;
2) bridge 2: 192.168.110.37/24 - administrative subnet; the address is used for administrator access;
3) bridge 3: 101.0.0.171/24 - interconnect address used to reach the SoftWLC, DHCP and DNS servers. It is used as the management address on the SoftWLC side. The SoftWLC address is 101.0.0.24;
4) bridge 5: 192.168.7.1/30 and 192.168.7.2/30 - EoGRE termination addresses for the AP management and client traffic tunnels respectively;
5) bridge 6: 172.31.239.1/26 - subnet for AP management addresses;
6) bridge 7: 172.31.239.65/26 - subnet for AP clients;
7) bridge 94: 10.12.12.1/30 - interconnect address used to provide clients with Internet access;
8) 172.31.250.0/24 - subnet for addresses assigned to access points via mode config and used to establish EoGRE on the AP side.
Since the default route points to the Internet via bridge 1, the PBR rule named "clients_br7" in the ESR configuration directs client traffic via bridge 94.

Configuration
hostname esr-ipsec

tech-support login enable
root login enable

syslog max-files 3
syslog file-size 512

object-group service telnet
  port-range 23
exit
object-group service ssh
  port-range 22
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ntp
  port-range 123
exit
object-group service ipsec_ports
  port-range 500
  port-range 4500
exit
object-group service snmp
  port-range 161-162
exit
object-group service COA
  port-range 3799
  port-range 31812-31813
  port-range 1812-1813
exit
object-group service redirect
  port-range 3128
  port-range 3129
exit

object-group network SoftWLC
  ip address-range 101.0.0.24
exit
object-group network ipsec_remote_address
  ip prefix 172.31.250.0/24
exit
object-group network gre_termination
  ip prefix 192.168.7.0/30
exit

object-group url defaultserv
  url http://eltex-co.ru
exit

#Configuring interaction with the RADIUS server for access points' data tunnel dynamic management.
radius-server timeout 10
radius-server retransmit 5
radius-server host 101.0.0.24
  key ascii-text testing123
  timeout 11
  priority 20
  source-address 101.0.0.171
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 101.0.0.24
exit

#Configuring ESR for the RADIUS server to communicate with it.
das-server COA
  key ascii-text testing123
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

vlan 2
  force-up
exit
vlan 7
  name "mgmt"
  force-up
exit
vlan 100
  name "user"
  force-up
exit
vlan 808
  name "GRE"
  force-up
exit
vlan 1001
  name "from_SoftWLC"
  force-up
exit
vlan 1108
  force-up
exit
vlan 4094
  force-up
exit

security zone trusted
exit
security zone user
exit
security zone mgmt
exit
security zone gre
exit
security zone ipsec
exit
security zone clients_inet
exit

#Configuring the subnetwork with client addresses that will be transferred to another router using policy-based routing.
ip access-list extended users_filter
  rule 1
    action permit
    match protocol any
    match source-address 172.31.239.64 255.255.255.192
    match destination-address any
    enable
  exit
exit

#DHCP request for client addresses extension should be passed to a DHCP server that has the same IP as SoftWLC.
ip access-list extended clients_dhcp
  rule 1
    action permit
    match protocol udp
    match source-address 172.31.239.64 255.255.255.192
    match destination-address 101.0.0.24 255.255.255.255
    match source-port 68
    match destination-port 67
    enable
  exit
exit

#Configuring route-map, specifying routers to which client traffic will be transferred.
route-map clients_br7
  rule 1 #Pass clients' DHCP request to the DHCP server.
    match ip access-group clients_dhcp
    action set ip next-hop verify-availability 101.0.0.24 10
    action permit
  exit
  rule 2 #Pass other traffic to a router used to provide client with Internet access.
    match ip access-group users_filter
    action set ip next-hop verify-availability 10.12.12.2 10
    action permit
  exit
exit

snmp-server
snmp-server system-shutdown #Permit ESR reset by running EMS SNMP command.
snmp-server community "private1" rw
snmp-server community "public11" ro

snmp-server host 101.0.0.24
exit

#The interface for the Internet terminates IPsec connections of access points.
bridge 1
  vlan 1108
  security-zone ipsec
  ip address 192.168.108.171/24
  enable
exit

#The interface of administrative management subnetwork is optional.
bridge 2
  vlan 2
  security-zone trusted
  ip address 192.168.110.37/24
  enable
exit

#The interface for interaction with SoftWLC.
bridge 3
  description "SoftWLC"
  vlan 1001
  security-zone mgmt
  ip address 101.0.0.171/24
  enable
exit

#The interface to terminate AP GRE connections.
bridge 5
  vlan 808
  security-zone gre
  ip address 192.168.7.1/30
  ip address 192.168.7.2/30
  enable
exit

#The interface for AP management.
bridge 6
  vlan 7
  security-zone mgmt
  ip address 172.31.239.1/26
  ip helper-address 101.0.0.24
  ip tcp adjust-mss 1312
  protected-ports
  protected-ports exclude vlan
  enable
exit

#The interface for AP clients.
bridge 7
  vlan 100
  security-zone user
  ip address 172.31.239.65/26
  ip helper-address 101.0.0.24
  ip policy route-map clients_br7 #Enabling policy-based routing on the interface.
  ip tcp adjust-mss 1312
  location testing2
  protected-ports
  protected-ports exclude vlan
  enable
exit

#The interface to access the router where AP clients' traffic will be directed to.
bridge 94
  vlan 4094
  security-zone clients_inet
  ip address 10.12.12.1/30
  ip tcp adjust-mss 1312
  enable
exit

interface port-channel 1
  switchport forbidden default-vlan
  switchport general acceptable-frame-type tagged-only
  switchport general allowed vlan add 2,1001,1108,4094 tagged
exit
interface gigabitethernet 1/0/1
  channel-group 1 mode auto
exit
interface gigabitethernet 1/0/2
  channel-group 1 mode auto
exit
interface gigabitethernet 1/0/3
  shutdown
  security-zone trusted
  ip firewall disable
exit
interface gigabitethernet 1/0/4
  shutdown
  security-zone trusted
  ip firewall disable
exit
interface tengigabitethernet 1/0/1
  shutdown
  ip firewall disable
  switchport forbidden default-vlan
exit
interface tengigabitethernet 1/0/2
  shutdown
  ip firewall disable
  switchport forbidden default-vlan
exit
exit
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.7.1
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 6
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.7.2
  default-profile
  enable
exit

security zone-pair trusted self
  rule 1
    action permit
    match protocol tcp
    match source-address any
    match destination-address any
    match source-port any
    match destination-port ssh
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match source-address any
    match destination-address any
    match source-port any
    match destination-port telnet
    enable
  exit
  rule 3
    action permit
    match protocol icmp
    match source-address SoftWLC
    match destination-address any
    enable
  exit
exit
security zone-pair user self
  rule 10
    action permit
    match protocol udp
    match source-address any
    match destination-address any
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol tcp
    match source-address any
    match destination-address any
    match source-port any
    match destination-port redirect
    enable
  exit
exit
security zone-pair clients_inet self
  rule 10
    action permit
    match protocol any
    match source-address any
    match destination-address any
  exit
exit
security zone-pair user clients_inet
  rule 1
    action permit
    match protocol any
    match source-address any
    match destination-address any
    enable
  exit
exit
security zone-pair ipsec self
  rule 1
    action permit
    match protocol udp
    match source-address any
    match destination-address any
    match source-port ipsec_ports
    match destination-port ipsec_ports
    enable
  exit
  rule 2
    action permit
    match protocol esp
    match source-address any
    match destination-address any
    enable
  exit
  rule 3 #As GRE traffic will be obtained from IPsec packets, it will be considered to come from the same area as a parent packet.
    action permit
    match protocol gre
    match source-address ipsec_remote_address
    match destination-address gre_termination
    enable
  exit
  rule 4
    action permit
    match protocol icmp
    match source-address ipsec_remote_address
    match destination-address gre_termination
    enable
  exit
exit
security zone-pair mgmt self
  rule 1
    action permit
    match protocol tcp
    match source-address any
    match destination-address any
    match source-port any
    match destination-port ssh
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match source-address any
    match destination-address any
    match source-port any
    match destination-port telnet
    enable
  exit
  rule 3
    action permit
    match protocol icmp
    match source-address SoftWLC
    match destination-address any
    enable
  exit
  rule 4
    action permit
    match protocol udp
    match source-address SoftWLC
    match destination-address any
    match source-port any
    match destination-port snmp
    enable
  exit
  rule 5
    action permit
    match protocol udp
    match source-address SoftWLC
    match destination-address any
    match source-port any
    match destination-port COA
    enable
  exit
  rule 6
    action permit
    match protocol tcp
    match source-address SoftWLC
    match destination-address any
    match source-port any
    match destination-port COA
    enable
  exit
  rule 7
    action permit
    match protocol icmp
    match source-address any
    match destination-address any
    enable
  exit
  rule 10
    action permit
    match protocol udp
    match source-address any
    match destination-address any
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 11
    action permit
    match protocol udp
    match source-address any
    match destination-address any
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair mgmt mgmt
  rule 1
    action permit
    match protocol icmp
    match source-address any
    match destination-address any
    enable
  exit
  rule 10
    action permit
    match protocol udp
    match source-address any
    match destination-address any
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-address SoftWLC
    match destination-address any
    match source-port any
    match destination-port snmp
    enable
  exit
  rule 21
    action permit
    match protocol udp
    match source-address any
    match destination-address SoftWLC
    match source-port any
    match destination-port snmp
    enable
  exit
  rule 22
    action permit
    match protocol tcp
    match source-address SoftWLC
    match destination-address any
    match source-port any
    match destination-port snmp
    enable
  exit
  rule 23
    action permit
    match protocol tcp
    match source-address any
    match destination-address SoftWLC
    match source-port any
    match destination-port snmp
  exit
  rule 30
    action permit
    match protocol tcp
    match source-address any
    match destination-address any
    match source-port any
    match destination-port telnet
    enable
  exit
  rule 31
    action permit
    match protocol tcp
    match source-address any
    match destination-address any
    match source-port any
    match destination-port ssh
    enable
  exit
  rule 49
    action permit
    match protocol udp
    match source-address any
    match destination-address SoftWLC
    match source-port any
    match destination-port ntp
    enable
  exit
  rule 50
    action permit
    match protocol udp
    match source-address any
    match destination-address SoftWLC
    match source-port any
    match destination-port COA
    enable
  exit
exit
security zone-pair mgmt user
  rule 10
    action permit
    match protocol udp
    match source-address SoftWLC
    match destination-address any
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair gre ipsec
  rule 1
    action permit
    match protocol any
    match source-address gre_termination
    match destination-address ipsec_remote_address
    enable
  exit
exit

#Configuring the pool of addresses that will be assigned to access points via mode config.
address-assignment pool ipsec_pool_1
  ip prefix 172.31.250.0/24             #The pool of addresses that will be assigned to access points 
                                        #and used as a local IP (tunnel IP) for GRE tunnels. 
                                        #Addresses should not overlap with other tunnel IP addresses in EMS.
  data-tunnel address 192.168.7.2       #The address to which an AP will establish a GRE data tunnel.
  management-tunnel address 192.168.7.1 #The address to which an AP will establish a GRE management tunnel.
exit

#Configuring IKE proposal: MD5 hashing algorithm, Diffie-Hellman group DH1, AES128 encryption algorithm.
#The proposal has to match the one the access point negotiates, so change it on both sides together;
#MD5 and DH group 1 are considered weak and should be replaced by SHA-2 and a larger DH group where both ends support them.
security ike proposal dh1_md5_aes128
  authentication algorithm md5
  encryption algorithm aes128
exit

#Configuring IKE security policy.
security ike policy psk_xauth1
  lifetime seconds 86400               #IKE SA lifetime (re-authentication is carried out upon expiry).
  pre-shared-key ascii-text testing123 #Pre-shared key; must match the IPsec password of the OTT profile.
  authentication method xauth-psk-key  #Enabling XAUTH extended authorization.
  authentication mode radius           #Using RADIUS server for extended authorization.
  proposal dh1_md5_aes128              #Using the proposal configured above.
exit

#Configuring gateways and subnetworks.
security ike gateway ike1_from_inet
  ike-policy psk_xauth1                    #Using the IKE policy configured above.
  local address 192.168.108.171            #The address IPsec clients connect to.
  local network 192.168.7.0/30             #The local subnetwork whose traffic will be encapsulated into IPsec packets.
  remote address any                       #The address of remote IPsec clients - permit connections from any address.
  remote network dynamic pool ipsec_pool_1 #To assign parameters to a client, use the pool configured above.
  mode policy-based                        #Using policy-based mode.
  dead-peer-detection action clear         #If an IPsec client becomes unreachable, tear down its connection.
  dead-peer-detection interval 60          #The interval between dead-peer-detection packets.
  dead-peer-detection timeout 180          #Time after which a remote IPsec client is considered unreachable
                                           #if no response to DPD packets has been received.
exit

#Configuring IPsec proposal: MD5 hashing algorithm, AES128 encryption algorithm, ESP protocol.
security ipsec proposal md5_aes128_esp
  authentication algorithm md5
  encryption algorithm aes128
exit

#Configuring IPsec policy.
security ipsec policy vpn1_pol1
  lifetime seconds 3600   #IPsec child SA lifetime (rekeying will be carried out upon expiry).
  proposal md5_aes128_esp #The IPsec proposal configured above.
exit

#Configuring IPsec VPN to which access point will connect.
security ipsec vpn for_INET_1
  mode ike                        #Using IKE.
  ike establish-tunnel by-request #IPsec connection is established upon request from the remote endpoint.
  ike gateway ike1_from_inet      #Using gateway and subnetwork settings configured in IKE. 
  ike ipsec-policy vpn1_pol1      #Using IPsec policy configured above.
  enable
exit

ip dhcp-relay

ip route 0.0.0.0/0 192.168.108.1 200 

wireless-controller
  nas-ip-address 101.0.0.171
  data-tunnel configuration radius #Using dynamic data tunnel establishment
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server #Telnet is cleartext: disable it once SSH access is confirmed to work, or restrict rule 30 of the mgmt zone-pair to management hosts.
ip ssh server

clock timezone gmt +7

ntp enable
ntp server 101.0.0.24
  prefer
exit


If an ESR 1200/1700 with firmware version 1.4.1 or higher is used, a scheme with a loop through physical interfaces must be configured for hardware EoGRE to work correctly.
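The zone-pair section above is long and easy to get wrong by hand: a rule without an `enable` line is silently inactive, and rules 30 and 31 open telnet and SSH from any source in the management zone. The following script is an added example, not part of this page or of Eltex's tooling; it parses the plain-text form of the configuration as shown on this page and reports both kinds of problem. The input is a constructed excerpt that reuses the page's object names (SoftWLC, COA) plus one rule with its `enable` line left out.

```python
"""Sanity-check the 'security zone-pair' rules of an ESR configuration.

Added example, not code from the page or from Eltex. It parses the
plain-text form shown on this page (a 'rule N' block per rule with
'action', 'match ...' lines and an optional 'enable') and reports rules
that were defined but never enabled, plus permit rules that open
interactive management (telnet, ssh) from any source.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the page's own object names; rule 50 deliberately lacks 'enable'.
SAMPLE_CONFIG = """\
security zone-pair mgmt mgmt
  rule 30
    action permit
    match protocol tcp
    match source-address any
    match destination-address any
    match destination-port telnet
    enable
  exit
  rule 31
    action permit
    match protocol tcp
    match source-address any
    match destination-address any
    match destination-port ssh
    enable
  exit
  rule 50
    action permit
    match protocol udp
    match source-address any
    match destination-address SoftWLC
    match destination-port COA
  exit
exit
security zone-pair mgmt user
  rule 10
    action permit
    match protocol udp
    match source-address SoftWLC
    match destination-address any
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
"""


@dataclass
class Rule:
    zone_pair: str
    number: int
    action: str = ""
    matches: dict = field(default_factory=dict)  # e.g. {"destination-port": "telnet"}
    enabled: bool = False


def parse_zone_pairs(text):
    """Return the rules of every 'security zone-pair' block, in file order."""
    rules, zone_pair, rule = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("security zone-pair "):
            zone_pair = line[len("security zone-pair "):]
            continue
        m = re.fullmatch(r"rule (\d+)", line)
        if m and zone_pair is not None:
            rule = Rule(zone_pair, int(m.group(1)))
            rules.append(rule)
            continue
        if rule is None:          # outside a rule: zone-pair 'exit' or blank line
            continue
        if line.startswith("action "):
            rule.action = line.split()[1]
        elif line.startswith("match "):
            _, key, value = line.split(maxsplit=2)
            rule.matches[key] = value
        elif line == "enable":
            rule.enabled = True
        elif line == "exit":      # closes the rule block
            rule = None
    return rules


def audit(rules):
    """Findings a reviewer would raise before pushing the config to the router."""
    findings = []
    for r in rules:
        tag = f"{r.zone_pair} rule {r.number}"
        if not r.enabled:
            findings.append(f"{tag}: defined but never enabled (missing 'enable')")
        dport = r.matches.get("destination-port")
        src = r.matches.get("source-address", "any")
        if r.action == "permit" and src == "any":
            if dport == "telnet":
                findings.append(f"{tag}: permits cleartext telnet from any source")
            elif dport == "ssh":
                findings.append(f"{tag}: permits ssh from any source; restrict to management hosts")
    return findings
```

Run `audit(parse_zone_pairs(open("esr.cfg").read()))` over the configuration exported from the router; on the constructed input it reports the telnet and SSH rules and the unenabled rule 50. The parser only understands the indented `rule`/`match`/`enable`/`exit` layout used on this page, so keep the export in that form.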

Troubleshooting

Service Activator logs

All Service Activator logs are kept in the file /var/log/eltex-wifi-sa/wifi-sa-server.log. To obtain extended logs, set LogLevel = debug in the configuration file application.conf.

Viewing OTT information on access points

Run the following commands in AP CLI:


Viewing parameters of Service Activator's client part on an AP:
WEP-12ac_rev_C# get ipsec-activator


Viewing IPsec parameters received by an AP from the Service Activator:
WEP-12ac_rev_C# get ipsec-dynamic


Viewing URL of the Service Activator embedded in an AP:
WEP-12ac_rev_C# sh


/mnt/root # cd /etc/cert/
/etc/cert # cat sa-host.txt
https://126.0.10.4:8043


Viewing provider-id and MAC address of an AP in a certificate:
WEP-12ac_rev_C# sh

/etc/cert # openssl x509 -in /etc/cert/cert.pem -text -noout
WARNING: can't open config file: /etc/pki/tls/openssl.cnf
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e0:d9:e3:70:1d:00:bc:2a:aa:28:54:ee:9f:27:5a:77
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=OTT Certification Root (Test), O=Eltex Enterprise Ltd., OU=Wi-Fi, C=RU, L=Novosibirsk
        Validity
            Not Before: Jan 1 00:00:00 1999 GMT
            Not After : Jan 1 00:00:00 2100 GMT
        Subject: CN=E0:D9:E3:70:1D:00, O=provider_eltex
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ........


where CN=E0:D9:E3:70:1D:00 is the AP MAC address and O=provider_eltex is the Provider-ID. The WARNING about openssl.cnf only means the AP has no OpenSSL configuration file; the command still works.
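When an AP fails to register, the first thing to confirm is that the certificate it presents really carries that AP's MAC address and the provider-id the controller expects. The script below is an added example, not part of this page or of the Service Activator; it parses the text dump produced by `openssl x509 -text -noout` as shown above, extracts the Subject CN and O, and compares them with the expected values. The dump is constructed from the excerpt above, and the expected MAC and provider-id are assumed for the demonstration.

```python
"""Check the AP identity carried in an OTT client certificate dump.

Added example, not code from the page or from the Service Activator.
Parses the output of 'openssl x509 -in cert.pem -text -noout', reads the
Subject CN (AP MAC address) and O (provider-id), and compares them with
the values expected for the AP.
"""
import re

# Constructed from the certificate excerpt on this page (modulus omitted).
SAMPLE_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e0:d9:e3:70:1d:00:bc:2a:aa:28:54:ee:9f:27:5a:77
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=OTT Certification Root (Test), O=Eltex Enterprise Ltd., OU=Wi-Fi, C=RU, L=Novosibirsk
        Validity
            Not Before: Jan  1 00:00:00 1999 GMT
            Not After : Jan  1 00:00:00 2100 GMT
        Subject: CN=E0:D9:E3:70:1D:00, O=provider_eltex
"""


def parse_subject(dump):
    """Return the Subject line's attributes as a dict, e.g. {'CN': ..., 'O': ...}.

    Splits on ', ' as openssl prints it; attribute values that themselves
    contain ', ' would need a real DN parser (not the case for these certs).
    """
    m = re.search(r"^\s*Subject:\s*(.+)$", dump, re.MULTILINE)
    if not m:
        raise ValueError("no Subject line in certificate dump")
    attrs = {}
    for part in m.group(1).split(", "):
        key, _, value = part.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def normalize_mac(mac):
    """Lower-case, colon-separated form; accepts 'E0-D9-...' and 'e0d9...' as well."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def check_ap_identity(dump, expected_mac, expected_provider):
    """Return (ok, reason) for the certificate's CN/O against the expected values."""
    subject = parse_subject(dump)
    cn = subject.get("CN", "")
    provider = subject.get("O", "")
    try:
        cert_mac = normalize_mac(cn)
    except ValueError:
        return False, f"Subject CN {cn!r} is not a MAC address"
    if cert_mac != normalize_mac(expected_mac):
        return False, f"MAC mismatch: certificate {cert_mac}, AP {normalize_mac(expected_mac)}"
    if provider != expected_provider:
        return False, f"provider-id mismatch: certificate {provider!r}, expected {expected_provider!r}"
    return True, f"certificate belongs to {cert_mac} of provider {provider}"
```

Feed it the real dump with `check_ap_identity(open("cert.txt").read(), ap_mac, provider_id)`; a MAC mismatch means the wrong certificate was flashed to the AP, a provider-id mismatch means the AP was issued a certificate for another OTT domain. Note that this only checks the identity fields; whether the certificate chains to the Root certificate installed on the Service Activator is a separate `openssl verify -CAfile` check.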

Manual start of the Service Activator's client part on an AP with debugging enabled

service-activator https://<Service Activator URL>:8043 --msg-type register --timeout 300 -C /etc/cert/cert.pem -K /etc/cert/key.pem -A /etc/cert/ca.pem -d 15
Use this to debug the interaction between an AP and the Service Activator from the AP side. Replace <Service Activator URL> with the Service Activator host, the address recorded in /etc/cert/sa-host.txt shown above.





