
General scheme

Quickstart

  1. Install SoftWLC and the Service Activator:
  2. In the file /etc/eltex-wifi-sa/factory-fw.conf, adjust firmware versions for a version of the AP being installed to be consistent with them. Set the Downgrade parameter to false. Download AP firmware to the /var/lib/eltex-wifi-sa/firmware/ directory and rename it according to the name of the file specified in /etc/eltex-wifi-sa/factory-fw.conf. 
  3. Download the Root certificate and the certificate of the Service Activator to the directory /etc/eltex-wifi-sa/.
  4. Edit the names of the Root and the Service Activator certificates in the file /etc/eltex-wifi-sa/application.conf. Set the parameter CheckMAC to Yes. Restart the Service Activator: service eltex-wifi-sa restart.
  5. Create a domain for ESR and a subdomain for OTT access points.
  6. Create an initialization rule for the required AP model. TCP must be specified as the SNMP transport protocol (see v1.14_OTT (EN), AP initialization).
  7. Create an initialization rule link to an OTT access point. In the link, the "Connected" checkbox should be set (see v1.14_OTT (EN), AP initialization).
  8. Create an OTT profile with IPsec parameters. The password specified in the ESR configuration, for example, "testing 123", should be used as the "IPsec password". In NBI, run the CreateOttProfile command (see v1.14_OTT (EN), ESR OTT).
  9. Add the ESR to the EMS domain for OTT access points. In the Access tab, set the OTT checkbox to ServiceProvider and enable the BRAS checkbox. Make sure that the ESR is accessible from SoftWLC (see v1.14_OTT (EN), ESR OTT).
  10. In the NAS table (the RADIUS - Access Points tab), enter the RADIUS password for the ESR as specified in its configuration, for example "testing123".
  11. In the ESR tab of the ESR configuration, specify the ESR public IP and select an OTT profile. In NBI, run the CreateOttStation command (see v1.14_OTT (EN), ESR OTT).
  12. Create an SSID and link it to an OTT domain. In the SSID parameters, specify the Location set in the ESR configuration, for example, "testing2" (see v1.14_OTT (EN), AP initialization).
  13. In the Admin Panel, in the "System" tab of Settings menu, enable the checkbox "Shaper settings at Domains tree", exit the Admin Panel and enter it again (see Shaper settings in the Admin Panel).
  14. After that, enable the shaper on SSID in the "Domains tree" tab of the Settings menu (see Shaper settings in the Admin Panel).

General description

Service Activator

The Service Activator is a server based on x86 architecture and the Ubuntu 14.04 operating system with special software installed. Its task is to receive and process HTTPS POST requests from access points and to exchange information with SoftWLC. In programming terms, the Service Activator is a web server. To receive requests from access points, the Service Activator should have port 8043 open and a public IP address. As access points refer to the Service Activator by URL, the Service Activator's public address must be linked to its domain name on DNS servers. Another network interface of the Service Activator should be connected to the EMS module, i.e., placed in the same address space as the SoftWLC modules. For security, traffic between the Service Activator and EMS should pass through a firewall. To allow communication between the Service Activator and SoftWLC, port 8080 (HTTP), which the Service Activator uses to query EMS, should be opened on the firewall.
The Service Activator can be located behind a proxy server (relative to the Internet) and have a private IP address for communication with access points. In that case, the proxy server should forward POST requests to the Service Activator, with or without replacing the TCP port. The TCP port the server listens on can be specified in the Service Activator configuration files.
Once an access point has sent an HTTPS request containing its data to the Service Activator, the latter checks the access point certificate. To do this, the Service Activator should have the Root certificate and the Service Activator certificate (containing the Provider-ID) signed by it. Provider-ID is the service provider identifier. It is used to make access points that belong to a certain provider connect only to this provider's Service Activator. The Service Activator can optionally check that the MAC address specified in an access point's certificate matches its real MAC address. This protects a provider from a certificate being stolen from one access point and used by another. If the certificate check, handshake and other procedures have been successful, the Service Activator proceeds to verify that the AP firmware is up to date. The correspondence between current firmware versions and access point models is stored in the /etc/eltex-wifi-sa/factory-fw.conf configuration file. If the firmware version of the access point querying the Service Activator differs from the version specified in this file, the Service Activator orders the access point to update its firmware. Therefore, firmware files for the access point models in use should be placed on the Service Activator in advance.
If no firmware file is placed on the Service Activator, or if the access point's firmware version matches the current version specified on the Service Activator, it proceeds to search the database for an initialization rule link. If there is no link, the Service Activator puts the AP into a "sandbox" until a link is found.
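The admission sequence above, modelled as an added example (not code from eltex-wifi-sa): Provider-ID check, the optional CheckMAC comparison, the firmware check against factory-fw.conf, the OTT black-list prefix rule described in the "OTT black list" section, and the initialization-rule link lookup that ends in the sandbox. All data structures, the placement of the black-list step and the Downgrade interpretation are assumptions; the codes 4022 and 4025 are the ones listed in Annex 2.

```python
"""Model of the Service Activator's admission checks for one AP request.

Added example, not code from eltex-wifi-sa. Request, certificate and config
structures are assumptions made for this example; codes 4022 and 4025 come
from Annex 2 of the page, and the firmware path is the one quoted there.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ApCertificate:
    provider_id: str
    mac: Optional[str] = None       # MAC embedded in the AP certificate, if any


@dataclass
class ApRequest:
    cert: ApCertificate
    mac: str                        # MAC reported in the request body
    model: str
    fw_version: str


@dataclass
class SaConfig:
    provider_id: str                        # from the Service Activator certificate
    check_mac: bool                         # CheckMAC in application.conf
    downgrade: bool                         # Downgrade in factory-fw.conf
    factory_fw: Dict[str, Tuple[str, str]]  # model -> (expected version, firmware path)
    init_links: Set[str]                    # normalized MACs that have an init rule link
    black_list: List[str]                   # OTT black-list entries (MAC prefixes)


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 'AA-BB-01' and 'aa:bb:01' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def version_key(version: str) -> Tuple[int, ...]:
    """'1.14.2' -> (1, 14, 2): compare versions numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def add_to_black_list(black_list: List[str], entry: str) -> None:
    """EMS rule: an entry is rejected when a prefix of it is already listed."""
    new = norm_mac(entry)
    for listed in black_list:
        if new.startswith(listed):
            raise ValueError(f"{listed} has been already added to the black list")
    black_list.append(new)


def handle_request(req: ApRequest, cfg: SaConfig) -> dict:
    # 1. Provider-ID must match: requests from another provider's APs are ignored.
    if req.cert.provider_id != cfg.provider_id:
        return {"action": "ignore", "reason": "Provider-ID mismatch"}
    mac = norm_mac(req.mac)
    # 2. CheckMAC: a certificate copied from one AP must not work on another.
    if cfg.check_mac and (req.cert.mac is None or norm_mac(req.cert.mac) != mac):
        return {"action": "ignore", "reason": "MAC does not match certificate"}
    # 3. Black-listed prefixes are refused outright and never reach the sandbox
    #    (assumption: this step runs before the firmware check).
    for prefix in cfg.black_list:
        if mac.startswith(norm_mac(prefix)):
            return {"action": "reject", "reason": f"black-listed prefix {norm_mac(prefix)}"}
    # 4. Firmware relevance; a model absent from factory-fw.conf is not checked.
    fw = cfg.factory_fw.get(req.model)
    if fw is not None:
        expected, path = fw
        cur, exp = version_key(req.fw_version), version_key(expected)
        # Assumption: with Downgrade=false only older firmware is replaced.
        if cur < exp or (cfg.downgrade and cur > exp):
            return {"action": "upgrade", "code": 4025, "msg": path}
    # 5. Without an initialization rule link the AP waits in the sandbox.
    if mac not in cfg.init_links:
        return {"action": "sandbox", "code": 4022, "msg": "No init link found"}
    return {"action": "init", "mac": mac}
```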

...

  1. OTT profile. The profile contains a large number of IPsec settings according to which access points and the ESR will create IPsec tunnels. The IPsec parameters available in the OTT profile are listed in v1.14_OTT (EN), Annex 1. In NBI, this profile can be created using the CreateOttProfile command.
  2. Linking the OTT profile to an ESR. This links the ESR public IP address to the OTT profile created earlier. As a result, the IPsec parameters from the OTT profile are compared with those specified on the ESR. Then, when the Service Activator chooses an ESR for an access point, it sends the ESR's public address and IPsec parameters to the AP. This guarantees the same IPsec parameters on both the access point and the ESR side when a tunnel is established. IPsec parameters set on the ESR by profile linking can optionally be adjusted in the ESR configuration. In NBI, the OTT profile can be linked to an ESR using the CreateOttStation command.

...

Information

To provide seamless roaming between access points, connect them to the same ESR. According to the ESR selection algorithm, if an access point is put into a domain where other access points are already put, priority is given to the ESR to which those points are connected.

Automatic activation of the service with default settings

The Service Activator can add access points to a default domain. This option is needed when a default Wi-Fi service should be activated on an access point right after its installation, without operator involvement and without links to initialization rules. To do this, create the "ott.root" domain in the system and add a link to the initialization rule with the key "ott_default" to the domain of the "ott.root" node. Link an SSID to the domain. Link to the SSID the portal that will be accessible to all users who connect to an access point placed in the default domain. ESR devices with the OTT checkbox enabled and OTT profiles linked should be placed in the domain.
After this sequence of operations has been performed, the connection algorithm is as follows:

...

Information

When the default domain is used, all client access points for which links to initialization rules by MAC address are not set will be put into the default domain. However, from the system's perspective, there will be no identifiers showing that an access point belongs to a certain client. Consequently, statistics and other information on the AP and the users connected to it cannot be attributed to a client or filtered by client. To link an AP to a certain client, create a link of the AP initialization rule by MAC to the client's domain, remove the AP from the default domain and initialize it again. When enabling the default domain, the operator takes responsibility for control over access points and services within the default domain.

Service Activator performance chart

[Diagram: OTT main en]

Configuration files

Service Activator configuration files are located in the "/etc/eltex-wifi-sa/" directory. To apply the changes to configuration files, restart the Service Activator using the following command: "service eltex-wifi-sa restart".
Description of the parameters set in configuration files:
Configuration file "application.conf".
This file contains most of Service Activator configuration.

...

| Parameter | Values | Recommended value | Description |
|---|---|---|---|
| subtype | 100, 200, 1000, 1200, 1700 | | ESR model (ESR-100, ESR-200, ESR-1000, ESR-1200, ESR-1700) |
| max | | | The maximum number of OTT access points for the ESR |
| param name, default, regex, description | | | Parameter name, default value, regular expression and description of the parameters available in the OTT profile |

Minimum requirements for the Service Activator server:

  • CPU 2 cores
  • RAM 8 GB
  • HDD 100 GB (for up to 5000 APs)

Installing the Service Activator

root@vagrant-ubuntu-trusty-64:/home/vagrant# echo "deb http://archive.eltex.org/ems 3.13 main" >> /etc/apt/sources.list.d/eltex.list
root@vagrant-ubuntu-trusty-64:/home/vagrant# add-apt-repository -y ppa:webupd8team/java
root@vagrant-ubuntu-trusty-64:/home/vagrant# apt-key adv --keyserver keyserver.ubuntu.com --recv F558A287
root@vagrant-ubuntu-trusty-64:/home/vagrant# apt-get update
root@vagrant-ubuntu-trusty-64:/home/vagrant# apt-get -y install oracle-java8-installer
root@vagrant-ubuntu-trusty-64:/home/vagrant# apt-get install eltex-wifi-sa
If the Service Activator is installed to a separate server, specify EMS server access parameters in the configuration file /etc/eltex-wifi-sa/application.conf and restart the Service Activator:

     ems {
       host = "localhost"
       port = 8080
     }

ESR

To provide the OTT service, the ESR should have 2 default gateways for sending traffic to the Internet. The first gateway is specified as the standard Default Gateway in the routing table. The ESR uses it to transmit IPsec packets. The ESR should have an interface with a public IP address in this subnet. Access points will establish IPsec tunnels to this IP address, so ports 500 and 4500 should be opened. The ESR uses the second gateway to send subscriber traffic extracted from the tunnels. To avoid the problem of 2 default gateways within the same routing space, configure the Next-Hop option on the Bridge. The Bridge is the gateway that subscriber traffic is routed through. The option routes all traffic from the Bridge via the gateway specified in the Next-Hop option, bypassing the Default Gateway.
While IPsec sessions are being established, XAuth authorization is performed. The ESR receives a unique login and password (generated by the Service Activator) from the AP and performs authorization by sending RADIUS requests to the SoftWLC PCRF. PCRF, which is connected to MongoDB, informs the ESR whether the login and password sent by the AP match those stored in the database.

Redundancy

ESR redundancy is provided according to the N+1 model. If one of the ESR devices in a domain fails and the IPsec session is aborted, access points inform the Service Activator that they need connection data for another ESR. The Service Activator sends information on other ESR devices, taking failures and device load into account. As a result, access points connect to other ESR devices instead of the failed one. This redundancy scheme allows the number of ESR devices in the network to be reduced.
When one of the ESR devices fails and its access points connect to the Service Activator, it starts to search for a new ESR for these APs within the same domain. If there are no free ESR devices in this domain, or no ESR devices at all, the Service Activator goes one level higher in the domain tree and continues to search for an ESR there. If there are still no free ESR devices, it goes one level higher again, and so on. Therefore, it is useful to create several ESR groups and put them into different regional domains. Access points of these regions will connect to their regional ESR devices, so the path data take from an AP to the ESR stays within a specific region. In this case, one more group can be put into the root of the OTT branch. If all ESR devices in a region fail or become unavailable for some reason, access points will be able to switch to the root ESR devices. The route that packets travel will be longer if the root ESR devices and the access points are located in different regions, but the service will still be provided. Regional and root ESR devices can be linked to different OTT profiles with different IPsec parameters, and AP distribution will still be correct, as an access point always gets from the Service Activator precisely those IPsec parameters that are configured on the ESR the AP is connected to.
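The ESR selection walk described above, together with the roaming preference from the "Information" note earlier (prefer the ESR that other APs of the same domain already use) and the "max" access-point limit from the configuration table, as an added example that is not eltex-wifi-sa code. Domain names, ESR records and limits are constructed sample data.

```python
"""Model of the Service Activator's ESR selection for an OTT access point.

Added example, not code from eltex-wifi-sa: look for a usable ESR in the AP's
domain, climb the domain tree one level at a time when none is free, prefer the
ESR already serving APs from the same domain, skip ESRs that are unavailable,
have OTT disabled or have reached their "max" limit. Sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Esr:
    name: str
    domain: str                 # EMS domain the ESR is placed in
    max_aps: int = 100          # "max" parameter: OTT access points per ESR
    ott_enabled: bool = True    # OTT checkbox in the Access tab
    available: bool = True      # False once the ESR is known to have failed
    assigned: List[str] = field(default_factory=list)   # MACs currently attached


def domain_chain(domain: str, parent_of: Dict[str, Optional[str]]) -> List[str]:
    """The domain followed by each ancestor up to the root of the OTT branch."""
    chain: List[str] = []
    while domain is not None:
        chain.append(domain)
        domain = parent_of.get(domain)
    return chain


def select_esr(ap_mac: str, ap_domain: str, esrs: List[Esr],
               parent_of: Dict[str, Optional[str]],
               ap_domain_of: Dict[str, str]) -> Optional[Esr]:
    """Pick an ESR for the AP and record the assignment; None if the branch is exhausted."""
    for level in domain_chain(ap_domain, parent_of):
        candidates = [e for e in esrs
                      if e.domain == level and e.ott_enabled and e.available
                      and len(e.assigned) < e.max_aps]
        if not candidates:
            continue            # nothing usable at this level: go one level higher

        def score(e: Esr):
            # Most APs from the requesting AP's own domain first, then least loaded.
            peers = sum(1 for m in e.assigned if ap_domain_of.get(m) == ap_domain)
            return (-peers, len(e.assigned))

        best = min(candidates, key=score)
        best.assigned.append(ap_mac)
        ap_domain_of[ap_mac] = ap_domain
        return best
    return None


def fail_over(failed: Esr, esrs: List[Esr], parent_of: Dict[str, Optional[str]],
              ap_domain_of: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Redistribute the APs of a failed ESR; returns AP MAC -> new ESR name (None if none)."""
    failed.available = False
    moved: Dict[str, Optional[str]] = {}
    for mac in list(failed.assigned):
        failed.assigned.remove(mac)
        new = select_esr(mac, ap_domain_of[mac], esrs, parent_of, ap_domain_of)
        moved[mac] = new.name if new else None
    return moved
```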

ESR connection scheme

  1. One interface is physically used.
  2. The interface bridge 1 is used to access the Internet. Traffic goes via this interface on the default route.
  3. IPsec listens to inbound connections via bridge 1.
  4. IPsec from an AP is unpacked on bridge 1. GRE packets are redirected to bridge 2.
  5. Then packets from AP management VLAN are transferred to bridge 6.
  6. Client traffic comes to bridge 7 and is sent to a neighbouring router according to the option route-map. Clients will access the Internet via that router.

ESR redundancy scheme


  1. Routers ESR 1 and ESR 2 on which IPsec is terminated are connected to routers PE 1 and PE 2 respectively.
  2. ESR 1 and ESR 2 announce management, client and IPsec gateway subnets to PE 1 and PE 2 respectively, using BGP.
  3. PE 1 and PE 2 announce default routes and subnets necessary to provide communication with SoftWLC.
  4. If one ESR fails, it becomes unavailable. When access points find that the IPsec connection cannot be established, they query the Service Activator, which gets information on the failure of one of the ESR devices and sends access points the parameters they need to connect to the second ESR. Access points then connect to the new ESR.
  5. Each ESR uses its own IP address pools for access point management and Wi-Fi users.

ESR configuration example can be found in v1.14_OTT (EN). Annex 3. 

Access points

According to the OTT model, an access point should connect to the Service Activator and obtain IPsec parameters and authorization data before establishing the IPsec tunnel. As the connection method should be secure, HTTPS is used. HTTPS requires certificates located both on the AP and on the Service Activator. To do this, specify the URL of the Service Activator to which the AP will send a request. This can be done in two ways:
1) If a service provider has entered into a contract with Eltex, a specially prepared certificate that contains the unique "Provider-ID" parameter and the Service Activator URL the AP will address can be embedded in the access points' firmware at the manufacturing stage. Consequently, this URL should be agreed in advance between the vendor and the provider. As a result, the provider gets access points that automatically connect to the Service Activator using the URL from their certificates when installed. The service provider is given the Service Activator certificate and the Root certificate. The Service Activator certificate also contains the "Provider-ID", which the Service Activator uses to check whether a requesting access point belongs to the provider. If it does not, the request is ignored. In this case, an installer does not need to configure anything to enable the service.
2) If a service provider has not entered into a contract with Eltex for manufacturing access points with a unique Provider-ID, access points with the default Provider-ID = "eltex" and an empty Service Activator URL are manufactured. As long as the Service Activator URL is empty, an access point operates as a standard AP (OTT is disabled). To enable OTT, specify the Service Activator URL via the CLI or the AP web interface. The AP will then try to connect to the Service Activator. The Root certificate and the Service Activator certificate with Provider-ID = "eltex" are given to the provider. All access points with this Provider-ID will be able to connect to the Service Activator if its URL is specified on them. If a link to an initialization rule is not created, the access point will be put into the "sandbox" and will not get into the system. Due to this restriction, "alien" access points will not be able to get the provider's service.

...

If a failure occurs on the ESR-1000, an access point will reset and query the Service Activator after the period:
(GRE_ping_counter x 10) + waite_timer,
where GRE_ping_counter is a parameter in the OTT profile and waite_timer is a Service Activator parameter.
By default, this time is 3 x 10 + 180 = 210 seconds.

Use case

1) An installer sets up an Eltex access point with firmware customized for a service provider at a client's site. This firmware contains the URL of the provider's Service Activator by default. The Service Activator is installed on separate servers in the provider's data centre and is a part of SoftWLC. It has a public IP address for AP connections and a domain name registered on the provider's DNS.
2) The access point gets an IP address (via DHCP), other network parameters and Internet access from the local network. If the access point has received DHCP option 43, it is located in the provider's network, and IPsec establishment is not required. The access point will be guided by the suboptions of option 43 and will not start OTT. If the access point has not received option 43, it will start OTT.
3) The access point connects to the Service Activator via HTTPS and transmits the following data:

...

9) The access point communicates with SoftWLC via SNMP within the Management GRE and is initialized similarly to the current scheme.
10) Subscriber traffic passes through Data GRE to ESR-1000 and is routed to NAT. 

Message exchange diagram

Configuration

AP initialization


...



Create an SSID with a link to the domain ott.root (Wireless/SSID Manager). In the Bridge, Location field, specify the location corresponding to the bridge settings on the ESR.


...


ESR OTT

OTT parameter activation: in the Access tab, select the option ServiceProvider and enable BRAS by setting the checkbox BRAS service for ESR devices connected via OTT.

...



Open the OTT edit window by clicking Edit. Select the OTT profile created before and specify ESR public IP address. Specify the address of the gateway that the access point will request to as IPsec remote gateway. OTT profile parameters should match the parameters of OTT on ESR.
 

Configuring IPsec on AP without the Service Activator

Open the Manage/OTT settings menu in the web interface of the access point.

In the brief menu, it is sufficient to specify the address of the remote router with IPsec and the XAUTH login and password (if the passwords for XAUTH and IPsec are equal).

...

Warning

The IPsec child SA lifetime value should be less than the IKE lifetime value. Moreover, the IKE lifetime should be a multiple of the IPsec child SA lifetime. By default, the IKE lifetime is set to 86400 (24 hours), and the IPsec child SA lifetime is set to 3600 (an hour). Consequently, the IPsec key will be changed 24 times per day and the IKE key once.


OTT black list

OTT black list management can be carried out via GUI EMS.
Open Wireless/AP initialization rules manager/OTT black list

...


A black list entry may contain any number of MAC address bytes. All MAC addresses that begin with that prefix will be banned.
For example, if the string aa:bb:01 has been added to the black list, adding aa:bb:01:02:03:04 will be rejected with the message "aa:bb:01 has been already added to the black list". If an access point has been added to the black list, it will not get into the "sandbox".

Conditions under which OTT links are deleted:

...

$ mongo
> use ott;
> db.xauth.find({esr_ip: '<esr ip address>'}).pretty();
> db.xauth.find({mac: '<AP mac address>'}).pretty();

Shaper settings via the Admin Panel 

In the Admin Panel, in the "System" tab of Settings menu, enable the checkbox "Shaper settings at Domains tree", exit the Admin Panel and enter it again.



Enable SSID shaper in the "Domain tree" tab of the Settings menu.

Click the button in the column "Merged shaper" and set the shaper parameters on SSID in the opened window.

NBI for OTT management 

A number of NBI commands were created to manage OTT.
The current command documentation is included in the eltex-radius-nbi package. Once the package is installed, it is accessible at http://localhost:8080/eltex-radius-nbi/asciidoc/
The WSDL file is available at http://localhost:8080/axis2/services/RadiusNbiService?wsdl
(replace localhost with the IP address of the server with NBI)

Annex 1. List of IPsec parameters in the OTT profile 

Description IKE authentication algorithm (md5, sha1), md5 by default
Name ipsec.auth-alg
Regex (md5|sha1)

Description IKE DH Group (1, 2, 5), 1 by default
Name ipsec.dh-group
Regex (1|2|5)

Description IPSEC DPD Delay (5..600), 60 by default
Name ipsec.dpd-delay
Regex ([5-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|[2-5][0-9][0-9]|600)

Description IKE encryption algorithm (aes, des, 3des), aes by default
Name ipsec.encrypt-alg
Regex (aes|des|3des)

Description Force establish tunnel (UP, DOWN), UP by default
Name ipsec.force-establish
Regex (UP|DOWN)

Description Use GRE mode (UP, DOWN), UP by default
Name ipsec.gre-mode
Regex (UP|DOWN)

Description GRE mtu offset (0..220), 148 by default
Name ipsec.gre-mtu-offset
Regex ([0-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|220|2[0-1][0-9])

Description IKE lifetime (180..86400), 86400 by default
Name ipsec.lifetime
Regex (18[0-9]|19[0-9]|[2-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|1000[0-9]|100[1-9][0-9]|10[1-9][0-9][0-9]|1[1-9][0-9][0-9][0-9]|[2-7][0-9][0-9][0-9][0-9]|86400|86[0-3][0-9][0-9]|8[0-5][0-9][0-9][0-9])

Description Use ISAKMP mode config (UP, DOWN), UP by default
Name ipsec.mode-cfg
Regex (UP|DOWN)

Description Use NAT-T (UP, DOWN), UP by default
Name ipsec.nat
Regex (UP|DOWN)

Description IPSEC NAT Keepalive (1..300), 30 by default
Name ipsec.nat-keepalive
Regex ([1-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|2[0-9][0-9]|300)

Description IPSEC password (8-48 chars)
Name ipsec.password
Regex ([A-Za-z0-9]{8,48})

Description IPSEC DH Group (0, 1, 2, 5), 0 by default
Name ipsec.pfs-group
Regex (0|1|2|5)

Description IPSEC authentication algorithm (md5, sha1), md5 by default
Name ipsec.sa-auth-alg
Regex (md5|sha1)

Description IPSEC encryption algorithm (aes, des, 3des), aes by default
Name ipsec.sa-encrypt-alg
Regex (aes|des|3des)

Description IPSEC child SA lifetime (180..86400), 3600 by default
Name ipsec.sa-lifetime
Regex (18[0-9]|19[0-9]|[2-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|1000[0-9]|100[1-9][0-9]|10[1-9][0-9][0-9]|1[1-9][0-9][0-9][0-9]|[2-7][0-9][0-9][0-9][0-9]|86400|86[0-3][0-9][0-9]|8[0-5][0-9][0-9][0-9])

Description IPSEC operational status (UP, DOWN), UP by default
Name ipsec.status
Regex (UP|DOWN)

Description Use XAUTH password as IPSEC password (on/off) default off
Name ipsec.use-xauth-passwd
Regex (on|off)

Description XAUTH password (8-48 chars)
Name ipsec.xauth-password
Regex ([A-Za-z0-9]{8,48})

Description XAUTH user (4-16 chars)
Name ipsec.xauth-user
Regex ([A-Za-z0-9]{4,16})

Description IPSEC remote gateway (IP or URL)
Name ipsec.remote-gateway
<ax273:valueRegex xsi:nil="true"/>
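A validator for OTT profile values built from the Annex 1 list above, as an added example that is not part of eltex-wifi-sa or its NBI. It applies the published regexes with fullmatch (an unanchored match would accept "99999" for ipsec.lifetime, because "999" matches one alternative), fills in the published defaults, and enforces the lifetime rule from the warning in the AP configuration section. The requirement that a password be present unless XAUTH password reuse is on is an assumption drawn from the parameter descriptions.

```python
"""Validator for the IPsec parameters of an OTT profile (Annex 1 of this page).

Added example, not part of eltex-wifi-sa or its NBI. Regexes and defaults are
copied from Annex 1; ipsec.remote-gateway has no published regex.
"""
import re
from typing import Dict, List, Optional, Tuple

LIFETIME_RE = (r"(18[0-9]|19[0-9]|[2-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|1000[0-9]|100[1-9][0-9]"
               r"|10[1-9][0-9][0-9]|1[1-9][0-9][0-9][0-9]|[2-7][0-9][0-9][0-9][0-9]|86400"
               r"|86[0-3][0-9][0-9]|8[0-5][0-9][0-9][0-9])")
UP_DOWN = r"(UP|DOWN)"

# name -> (regex as published, default); None regex = unconstrained, None default = unset
OTT_PROFILE_RULES: Dict[str, Tuple[Optional[str], Optional[str]]] = {
    "ipsec.auth-alg": (r"(md5|sha1)", "md5"),
    "ipsec.dh-group": (r"(1|2|5)", "1"),
    "ipsec.dpd-delay": (r"([5-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|[2-5][0-9][0-9]|600)", "60"),
    "ipsec.encrypt-alg": (r"(aes|des|3des)", "aes"),
    "ipsec.force-establish": (UP_DOWN, "UP"),
    "ipsec.gre-mode": (UP_DOWN, "UP"),
    "ipsec.gre-mtu-offset": (r"([0-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|220|2[0-1][0-9])", "148"),
    "ipsec.lifetime": (LIFETIME_RE, "86400"),
    "ipsec.mode-cfg": (UP_DOWN, "UP"),
    "ipsec.nat": (UP_DOWN, "UP"),
    "ipsec.nat-keepalive": (r"([1-9]|[1-9][0-9]|10[0-9]|1[1-9][0-9]|2[0-9][0-9]|300)", "30"),
    "ipsec.password": (r"([A-Za-z0-9]{8,48})", None),
    "ipsec.pfs-group": (r"(0|1|2|5)", "0"),
    "ipsec.sa-auth-alg": (r"(md5|sha1)", "md5"),
    "ipsec.sa-encrypt-alg": (r"(aes|des|3des)", "aes"),
    "ipsec.sa-lifetime": (LIFETIME_RE, "3600"),
    "ipsec.status": (UP_DOWN, "UP"),
    "ipsec.use-xauth-passwd": (r"(on|off)", "off"),
    "ipsec.xauth-password": (r"([A-Za-z0-9]{8,48})", None),
    "ipsec.xauth-user": (r"([A-Za-z0-9]{4,16})", None),
    "ipsec.remote-gateway": (None, None),
}


def validate_profile(values: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the profile is acceptable."""
    errors: List[str] = []
    profile: Dict[str, str] = {}
    for name, (regex, default) in OTT_PROFILE_RULES.items():
        value = values.get(name, default)
        if value is None:
            continue                            # optional parameter left unset
        # fullmatch anchors both ends; re.match would accept a valid prefix of a bad value
        if regex is not None and re.fullmatch(regex, value) is None:
            errors.append(f"{name}: value {value!r} does not match {regex}")
        profile[name] = value
    for name in values:
        if name not in OTT_PROFILE_RULES:
            errors.append(f"{name}: unknown parameter")
    # Assumption: the IPsec password comes from ipsec.password unless XAUTH reuse is on.
    if profile.get("ipsec.use-xauth-passwd") == "on":
        if "ipsec.xauth-password" not in profile:
            errors.append("ipsec.xauth-password: required when ipsec.use-xauth-passwd is on")
    elif "ipsec.password" not in profile:
        errors.append("ipsec.password: required")
    # Lifetime rule from the warning: child SA lifetime < IKE lifetime, IKE a multiple of it.
    ike, sa = profile.get("ipsec.lifetime", ""), profile.get("ipsec.sa-lifetime", "")
    if ike.isdigit() and sa.isdigit() and (int(sa) >= int(ike) or int(ike) % int(sa) != 0):
        errors.append(f"ipsec.lifetime {ike} must be a multiple of and greater than ipsec.sa-lifetime {sa}")
    return errors
```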

Annex 2. Description of errors returned by the Service Activator to access points 

| Message | Meaning |
|---|---|
| Connection refused | The Service Activator is not installed, or port 8042 is blocked |
| "code":4022, "msg":"No init link found" | No initialization rule link to the AP |
| "code":1,"msg":"In request by key 'domain' value is empty or null" | There are no ESR devices with OTT enabled (OTT checkbox in the "Access" tab) in the domain specified in the initialization rule link |
| "code":4024, "msg":"No OTT station configured" | There are no ESR profiles with an OTT profile linked to the IP address of an ESR device with OTT enabled, or such ESR devices are unavailable |
| "code":4023 | NBI communication error |
| "code": 4025, "msg": "/ott/upgrade/WOP-12ac-LR-RevB.tar.gz" | AP firmware is out of date; an update is required |


Annex 3. ESR configuration example 

Examples of ESR configuration on a test bench.
Example 1
The example is for version 1.6.2 with BGP, for ESR models without EoGRE tunnel support. The following addressing is used in the example:
1) gi1/0/1.4092: 10.12.20.4/28 - address facing the Internet for IPsec termination;
2) gi1/0/1.212: 100.64.0.66/30 - link address facing the VRF backbone for connection to SoftWLC, DHCP and DNS servers;
3) gi1/0/1.213: 100.64.0.70/30 - link address facing the VRF nat for client access to the Internet;
4) bridge 1: 192.168.200.49/28 and 192.168.200.50/28 - addresses terminating EoGRE from access points for the management and client traffic tunnels respectively;
5) bridge 3: 192.168.128.0/22 - subnet for AP management addresses. 192.168.128.1 is used as the address for managing the ESR from SoftWLC;
6) bridge 10: 198.18.160.0/22 - subnet for AP clients. Default gateway for clients - 198.18.160.1, DNS 100.123.0.2;
7) 172.31.252.0/22 - subnet for addresses assigned to access points via mode config and used to establish EoGRE on the AP side;
8) 100.110.123.0/24 - management subnet. 100.123.0.2 - SoftWLC, DHCP and DNS address.
As the default gateway points to the Internet connection via gi1/0/1.4092, the PBR rule named "users_map" in the ESR configuration is used to direct client traffic via the interface gi1/0/1.213.

Configuration:
hostname esr-ipsec

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ipsec_ports
  port-range 500
  port-range 4500
exit
object-group service dns
  port-range 53
exit

object-group network SoftWLC
  ip prefix 100.123.0.0/24
exit
object-group network ipsec_remote_address
  ip prefix 10.100.0.0/16
  ip prefix 172.31.252.0/22
exit
object-group network gre_termination
  ip prefix 192.168.200.48/28
exit
object-group network AP_mgmt
  ip prefix 192.168.128.0/22
  ip prefix 198.18.160.0/22
exit
object-group network AP_users
  ip prefix 198.18.160.0/22
exit

syslog console none

radius-server timeout 10
radius-server retransmit 5
radius-server host 100.123.0.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  priority 20
  source-address 192.168.128.1
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

tech-support login enable
root login enable

vlan 3
  force-up
exit
vlan 10
  force-up
exit

security zone trusted
exit
security zone untrusted
exit
security zone ipsec
exit
security zone gre
exit
security zone users
exit

ip access-list extended users_pbr
  rule 10
    action deny
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 11
    action deny
    match protocol udp
    match destination-port 53
    enable
  exit
  rule 20
    action permit
    enable
  exit
exit

route-map out_BGP_AP
  rule 10
    match ip address object-group AP_mgmt
    action permit
  exit
exit
route-map out_BGP_NAT
  rule 10
    match ip address object-group AP_users
    action permit
  exit
exit
route-map users_map
  rule 10
    match ip access-group users_pbr
    action set ip next-hop verify-availability 100.64.0.69 10
    action permit
  exit
exit
router bgp 64604
  address-family ipv4
    router-id 198.18.156.1
    redistribute connected
    neighbor 100.64.0.65
      remote-as 1238965001
      route-map out_BGP_AP out
      update-source 100.64.0.66
      enable
    exit
    neighbor 100.64.0.69
      remote-as 1238965001
      route-map out_BGP_NAT out
      update-source 100.64.0.70
      enable
    exit
    enable
  exit
exit

snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw
snmp-server community "public11" ro

snmp-server host 100.123.0.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 1
  description "gre_termination"
  vlan 1
  security-zone gre
  ip address 192.168.200.49/28
  ip address 192.168.200.50/28
  enable
exit
bridge 3
  description "AP_mgmt"
  vlan 3
  security-zone trusted
  ip address 192.168.128.1/22
  ip helper-address 100.123.0.2
  ip tcp adjust-mss 1312
  enable
exit
bridge 10
  description "Users"
  vlan 10
  security-zone users
  ip address 198.18.160.1/22
  ip helper-address 100.123.0.2
  ip policy route-map users_map
  ip tcp adjust-mss 1312
  location data10
  enable
exit

interface gigabitethernet 1/0/1
  description "UpLink"
exit
interface gigabitethernet 1/0/1.212
  description "VRF_backbone"
  security-zone trusted
  ip address 100.64.0.66/30
  ip tcp adjust-mss 1312
exit
interface gigabitethernet 1/0/1.213
  description "VRF_nat"
  security-zone untrusted
  ip address 100.64.0.70/30
  ip tcp adjust-mss 1312
exit
interface gigabitethernet 1/0/1.1000
  description "adm_net"
  security-zone trusted
  ip address 100.110.0.133/23
exit
interface gigabitethernet 1/0/1.4092
  description "IPsec"
  security-zone ipsec
  ip address 10.12.20.4/28
exit
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.49
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.50
  default-profile
  enable
exit

security zone-pair trusted self
  rule 10
    action permit
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair users untrusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair users trusted
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit
security zone-pair ipsec self
  rule 1
    action permit
    match protocol udp
    match destination-port ipsec_ports
    enable
  exit
  rule 2
    action permit
    match protocol esp
    enable
  exit
  rule 3
    action permit
    match protocol gre
    match source-address ipsec_remote_address
    match destination-address gre_termination
    enable
  exit
  rule 4
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 10
    action permit
    enable
  exit
exit

address-assignment pool ipsec_xauth_pool
  ip prefix 172.31.252.0/22
  data-tunnel address 192.168.200.50
  management-tunnel address 192.168.200.49
exit

security ike proposal dh1_md5_aes128
  authentication algorithm md5
  encryption algorithm aes128
exit

security ike policy psk_xauth
  lifetime seconds 86400
  pre-shared-key ascii-text testing123
  authentication method xauth-psk-key
  authentication mode radius
  proposal dh1_md5_aes128
exit

security ike gateway xauth_gw
  ike-policy psk_xauth
  local address 10.12.20.4
  local network 192.168.200.48/28
  remote address any
  remote network dynamic pool ipsec_xauth_pool
  mode policy-based
  dead-peer-detection action clear
  dead-peer-detection interval 60
  dead-peer-detection timeout 180
exit

security ipsec proposal md5_aes128_esp
  authentication algorithm md5
  encryption algorithm aes128
exit

security ipsec policy ipsec_pol
  proposal md5_aes128_esp
exit

security ipsec vpn xauth_ipsec
  mode ike
  ike establish-tunnel by-request
  ike gateway xauth_gw
  ike ipsec-policy ipsec_pol
  enable
exit

security passwords history 0
ip dhcp-relay

ip route 0.0.0.0/0 10.12.20.2

wireless-controller
  nas-ip-address 192.168.128.1
  resp-time 3
  failure-count 3
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.123.0.2
exit

...
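
The zone-pair, IKE and IPsec blocks above are easy to misread as one wall of text. The following Python script is an added example, not part of the original page and not Eltex tooling: it parses a subset of the ESR configuration shown above (embedded as a constructed sample) into nested blocks using the indentation and `exit` structure of the CLI, then reports three things a reviewer would check before deploying such a configuration: the md5 integrity algorithm in the IKE and IPsec proposals, the pre-shared key stored in cleartext in the configuration (the page's sample value testing123), and permit rules that carry no match criteria. The `Block`, `parse_config`, `find_blocks` and `audit` names are this example's own, not ESR commands.

```python
# Added example (not from the original page or from Eltex): parse an
# ESR-style block configuration and flag settings worth reviewing.
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    """One configuration block: header line, leaf statements, sub-blocks."""
    header: str
    lines: list = field(default_factory=list)
    children: list = field(default_factory=list)


# Constructed sample: a subset of the ESR configuration shown above.
SAMPLE = """\
security zone-pair users untrusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair ipsec self
  rule 1
    action permit
    match protocol udp
    match destination-port ipsec_ports
    enable
  exit
exit
security ike proposal dh1_md5_aes128
  authentication algorithm md5
  encryption algorithm aes128
exit
security ike policy psk_xauth
  pre-shared-key ascii-text testing123
  proposal dh1_md5_aes128
exit
security ipsec proposal md5_aes128_esp
  authentication algorithm md5
  encryption algorithm aes128
exit
"""


def parse_config(text):
    """Build a Block tree. A line is a block header when the next line is
    indented deeper than it; 'exit' closes the innermost open block."""
    root = Block(header="")
    stack = [root]
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i, raw in enumerate(lines):
        stmt = raw.strip()
        if stmt == "exit":
            if len(stack) > 1:
                stack.pop()
            continue
        indent = len(raw) - len(raw.lstrip())
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        next_indent = len(nxt) - len(nxt.lstrip())
        if nxt.strip() not in ("", "exit") and next_indent > indent:
            blk = Block(header=stmt)
            stack[-1].children.append(blk)
            stack.append(blk)
        else:
            stack[-1].lines.append(stmt)
    return root


def find_blocks(block, prefix):
    """Depth-first search for sub-blocks whose header starts with prefix."""
    found = []
    for child in block.children:
        if child.header.startswith(prefix):
            found.append(child)
        found.extend(find_blocks(child, prefix))
    return found


def audit(root):
    """Return (where, finding) tuples for settings a reviewer should check."""
    findings = []
    # 1. md5 as the integrity algorithm in IKE or IPsec proposals
    proposals = (find_blocks(root, "security ike proposal")
                 + find_blocks(root, "security ipsec proposal"))
    for blk in proposals:
        for stmt in blk.lines:
            m = re.match(r"authentication algorithm (\S+)$", stmt)
            if m and m.group(1) == "md5":
                findings.append((blk.header, "weak integrity algorithm md5"))
    # 2. pre-shared key stored in cleartext in the configuration
    for blk in find_blocks(root, "security ike policy"):
        if any(s.startswith("pre-shared-key ascii-text") for s in blk.lines):
            findings.append((blk.header, "pre-shared key in cleartext"))
    # 3. permit rules with no match criteria (allow all traffic in the pair)
    for zp in find_blocks(root, "security zone-pair"):
        for rule in zp.children:
            if "action permit" in rule.lines and not any(
                    s.startswith("match ") for s in rule.lines):
                findings.append((f"{zp.header} / {rule.header}",
                                 "permit rule without match criteria"))
    return findings


if __name__ == "__main__":
    for where, what in audit(parse_config(SAMPLE)):
        print(f"{where}: {what}")
```

Feed it a saved running configuration instead of SAMPLE to get the same report for a real device. The findings are review items, not verdicts: the permit-all rule from the users zone to untrusted is expected for subscriber Internet access, whereas the md5 proposals and the cleartext key are the items to revisit, with a stronger integrity algorithm chosen from those the installed ESR firmware supports.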


If an ESR 1200/1700 running firmware version 1.4.1 or higher is used, a scheme with a loop through physical interfaces must be configured for hardware EoGRE to work correctly.

Troubleshooting

Service Activator logs

All Service Activator logs are kept in the file /var/log/eltex-wifi-sa/wifi-sa-server.log. To obtain extended logs, set LogLevel = debug in the configuration file application.conf.

Viewing OTT information on access points

Run the following commands in AP CLI:

...


where e0:d9:e3:70:1d:00 is the AP MAC address and provider_eltex is the Provider-ID.

Manual starting of the Service Activator's client part on an AP with debug enabled

service-activator https://<Service Activator URL>:8043 --msg-type register --timeout 300 -C /etc/cert/cert.pem -K /etc/cert/key.pem -A /etc/cert/ca.pem -d 15

This command is used to debug the interaction between an AP and the Service Activator from the access point's side.