
This article is intended to help you easily and quickly configure a basic Wi-Fi network on Eltex equipment, especially if this is your first time dealing with it and you haven't had time to read the entire documentation list. This article describes the step-by-step network setup from ESR configuration to SSID configuration on access points.

SoftWLC is a software Wi-Fi controller that provides a comprehensive solution for organizing guest and service networks. The SoftWLC software package combines Wi-Fi access points, access switches and routers manufactured by Eltex into a single product. The package allows configuring and maintaining networks and user services in accordance with a client's requirements.

Main modules of SoftWLC and their functions

  • EMS server
    • management and monitoring of other modules of the system
    • receiving and processing of SNMP traps sent by system components
    • device initialization and configuration
    • performing group operations with devices
    • notification of failures
    • scheduled activation of monitors controlling the proper operation of the system
    • providing Graphical User Interface (GUI)
    • monitoring with saving data to a Round-Robin Database (RRD)
  • WEB portal
    • an application providing a set of WEB portals for user authorization in Hotspot networks
  • Portal Constructor
    • a tool that allows creating and configuring virtual portals for user authorization in Hotspot networks
  • B2B Admin Panel
    • providing interface for new Wi-Fi users' accounts creation and basic service management operations
  • Database
    • MySQL
    • MongoDB
  • RADIUS server
    • AAA operations
    • WPA-Enterprise authorization
  • DHCP server
    • assigning primary (external) IP addresses to access points with option 43 (suboptions 11 and 12) that allows creating GRE tunnels to ESR
    • assigning secondary (management, tunnel) IP addresses to access points with option 43 (suboptions 10 and 13) for management, detection and automatic initialization of access points
    • assigning IP addresses to Wi-Fi users connected to access points
    • classification of DHCP clients by options 82 and 60 and the giaddr field
  • APB service
    • roaming of users authorized via WEB portal
    • configuration and transmission of public IP address lists for portal authorization
  • Notification Gateway
    • centralized interchange between platform elements and external systems (SMS gateways, Call centers and email servers) via SMTP, SMPP, HTTP, WebSocket
  • PCRF
    • authorization and authentication of users connected via BRAS (a server which allows providing user service based on third-party vendors' access points)
    • accounting information collection for all authorization mechanisms and transferring it to a database
    • control of the number of Wi-Fi users' simultaneous sessions for all authorization mechanisms
    • deauthentication of Wi-Fi users authorized via WPA-enterprise modes and BRAS
  • Airtune
    • management of access points radio resources
  • NBI
    • connection between SoftWLC components via the SOAP protocol
    • service operation maintenance
      • Customer Cab
      • Portal Constructor
      • PCRF
    • generation of TLS authorization certificates

Purpose of the ESR

If you want to add a new SSID to the APs in a separate VLAN, you have to configure that VLAN on all switches. In a large network, this is quite difficult to do. To simplify networking, an ESR is used to build tunnels between the APs and the router. The tunnels hide the MAC addresses of Wi-Fi clients and do not clog the tables of the network equipment through which they pass. With this setup, the switches do not know what VLANs are being used within the tunnel, hence you do not have to configure them.

Configuring ESR

Configuring ESR when connecting an AP via L2 access network (WiFi L2 diagram)


The architecture of the solution, when connecting APs via an L2 network, assumes that there will be VLANs allocated for the AP management subnet and VLANs allocated for the SSID user subnet. A new separate VLAN will be allocated for each additional SSID. All VLANs will be terminated on the ESR. This connection scheme is called WiFi L2.

Configuring ESR when connecting an AP via L3 access network (WiFi L3 diagram)

Allocating and configuring VLANs when connecting new APs is not always an easy task, and it is not always possible to provide an L2 channel from the AP to the ESR. In this case, the APs are connected via the operator's L3 network. The architecture of the solution assumes that the operator's access network provides L3 connectivity between the ESR, SoftWLC and the primary address of the AP. The AP then builds L2 GRE (EoGRE) tunnels, which eliminates the need to run VLANs through the operator's access network from the AP to the ESR. It is enough to terminate the AP's VLAN on any router or L3 switch that supports DHCP relay, so that the AP receives a primary address with option 43 containing the ESR addresses for building GRE tunnels. On the ESR side, the function for automatically building the counterpart tunnels (wireless-controller) is configured. This connection scheme is called WiFi L3.

Reserving an ESR

  • An ESR is reserved using the VRRP protocol, according to the "Active-Standby" scheme.
  • To exclude the switch to which the ESR is connected as a single point of failure, the switches are connected in a stack and channel aggregation is used. The physical ESR links used in the aggregated channel are connected to different switches in the stack.
  • Traffic is processed by the ESR VRRP MASTER. If it fails, VRRP mastery passes to the ESR VRRP BACKUP.

Instructions for configuring ESR reservation can be found here.

BRAS/BRAS in vrf. L3 WiFi – setup guide with reservation

BRAS functions in the L3 switching scheme are supported by Eltex ESR-100/200/1000/1200/1500/1700 service routers. These functions make it possible to identify Wi-Fi users connecting to access points made by different manufacturers. In general, the following functions are required from BRAS:

  • When receiving user traffic, BRAS must determine whether that Wi-Fi user is authorized in the system or not;
  • If the Wi-Fi user is authorized, BRAS lets them access the Internet. If they are not authorized, BRAS redirects them to the Authorization Portal, where they have to verify their identity (by SMS or call);
  • Once the Wi-Fi user is authorized in the Portal, BRAS must learn about it and apply different access policies to the Wi-Fi user's traffic;
  • While processing Wi-Fi user traffic, BRAS must collect statistics and forward them to a higher-level system for later analysis and storage.

BRAS is an enforcement mechanism that applies certain policies to Wi-Fi user traffic in accordance with directives transmitted to it from the upstream SoftWLC system, which makes decisions based on the data transmitted by BRAS. Within SoftWLC, the Eltex-PCRF module is responsible for interaction with BRAS. Using the RADIUS protocol, it transmits directives for handling Wi-Fi users.

Configuring a DHCP server

The free ISC-DHCP-SERVER solution is used as a DHCP server (any other DHCP server may be used). In the Eltex.SoftWLC project, this software is used for the following:

  • assigning primary (external) IP addresses to access points with option 43 (suboptions 11 and 12) that allows creating GRE tunnels to ESR.
  • assigning secondary (management, tunnel) IP addresses to access points with option 43 (suboptions 10 and 13) to manage, detect and automatically initialize APs.
  • assigning IP addresses to Wi-Fi users connected to access points.
  • classification of DHCP clients by options 82 and 60 and the giaddr field.

Instructions for configuring a DHCP server can be found here.

Configuring the option 43

Option 43 must be configured on the DHCP server:

  • so that the access point sends the SNMP detection trap to the SoftWLC server when it appears in the network (suboption 10);
  • for building GRE tunnels (suboptions 11 and 12);
  • for auto-configuration of APs (suboption 6);
  • to specify that the access point belongs to a certain segment of the operator's network (suboption 13).

Before access points become active components of the network, they must detect the controller. The AP supports the following controller detection processes:

  • When connected to a switch, the AP sends a broadcast detection request (255.255.255.255) to find controllers in the same subnet/VLAN;
  • Detection of the locally stored IP address of the controller. If the AP has previously been attached to a controller, the IP address of the controller is stored in the AP's non-volatile memory;
  • Detection via DHCP. This function uses DHCP option 43 to give the IP address of the controller to the access points.

To learn how to configure option 43 on the DHCP server, see the link.
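
The AP sends its detection trap and builds its GRE tunnels to the addresses it receives in option 43, so the payload a DHCP scope hands out is worth checking against the intended SoftWLC and ESR addresses. The following is an added example, not code from Eltex or from the original page: it splits an option 43 payload into suboptions (RFC 2132 code/length/value layout) and reports deviations. It assumes suboption values are ASCII text and that the payload has no pad or end bytes; the value encoding should be confirmed against the Eltex DHCP documentation, and the 192.0.2.x addresses are constructed samples.

```python
import ipaddress

# Suboption meanings as listed on this page.
SUBOPTIONS = {6: "AP auto-configuration", 10: "SoftWLC address (SNMP detection trap)",
              11: "ESR address (GRE tunnel)", 12: "ESR address (GRE tunnel)",
              13: "operator network segment"}
ADDRESS_SUBOPTIONS = {10, 11, 12}


def parse_option43(payload: bytes) -> dict:
    """Split an option 43 payload into {code: value} (code/length/value records)."""
    fields, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError(f"truncated suboption header at offset {i}")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"suboption {code}: length {length} runs past the payload")
        if code in fields:
            raise ValueError(f"suboption {code} appears twice")
        fields[code] = value
        i += 2 + length
    return fields


def audit_option43(payload: bytes, expected: dict) -> list:
    """Compare a payload with the intended values; an empty list means no findings."""
    fields, findings = parse_option43(payload), []
    for code, value in sorted(fields.items()):
        if code not in SUBOPTIONS:
            findings.append(f"suboption {code}: not among the suboptions this guide uses")
            continue
        text = value.decode("ascii", errors="replace")  # ASSUMPTION: ASCII text values
        if code in ADDRESS_SUBOPTIONS:
            try:
                ipaddress.IPv4Address(text)
            except ValueError:
                findings.append(f"suboption {code}: {text!r} is not an IPv4 address")
                continue
        if code in expected and text != expected[code]:
            findings.append(f"suboption {code}: {text!r}, expected {expected[code]!r}")
    findings += [f"suboption {c}: missing" for c in sorted(expected) if c not in fields]
    return findings


def encode(fields: dict) -> bytes:
    """Build a payload from {code: text}; used here only to construct samples."""
    return b"".join(bytes([c, len(v)]) + v.encode("ascii") for c, v in fields.items())


# Constructed samples: intended design, a matching payload, a deviating payload.
EXPECTED = {10: "192.0.2.10", 11: "192.0.2.1", 12: "192.0.2.2"}
GOOD = encode(EXPECTED)
BAD = encode({10: "192.0.2.99", 11: "192.0.2.1"})
```
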

Preparing for installation

The first step is to install the SoftWLC controller on the server. Detailed instructions for installation can be found here.

To install SoftWLC in a minimal configuration, a server must have the following parameters:

  • RAM: at least 8 GB
  • CPU: >= 2200 MHz
  • Hard drive memory: >= 35 GB
  • Internet connection
  • Ubuntu Server 18.04 LTS operating system

Read more about server requirements at the link.

Reserving a SoftWLC

Reservation of SoftWLC controllers is necessary to synchronize critical system files (settings, firmware files, data uploads), MySQL databases, MongoDB databases, and DHCP servers. This scheme ensures availability of service and up-to-date data on both controllers in case of one controller failure, network unavailability, or power supply problems.

Configuring SoftWLC controller reservation consists of the following steps:

  • Installing and configuring keepalived;
  • Configuring rsync;
  • Configuring MySQL replication;
  • Configuring MongoDB replicaSet.

Documentation on configuring reservation can be found here.

Initializing an AP

To start working with an AP through the controller, the AP must be initialized in EMS. For the device to reach initialization, perform the following:

  • Connect the access point to the network according to the diagram. The access point will receive a DHCP address when it is turned on.
  • For the access point to notify the controller of its appearance on the network, configure DHCP option 43, suboption 10, in which the IP address of SoftWLC is transmitted.
  • The access point will automatically appear in EMS in the Initialize Wi-Fi AP tab.

You can also add APs to the EMS object tree manually using the Add button in the object tree area. When adding an object, you need to specify its unique name, type and IP address. When adding and editing device parameters, a unique IP address must be specified. Duplicate object names are not allowed within the whole network.

Eltex AP initialization requires an AP initialization rule for the corresponding AP type and an AP initialization binding (link) that defines the node where the AP is to be initialized.

  • AP initialization rule – a rule containing the type of the AP and the actions to be performed when initializing this AP.
  • AP initialization binding – a rule that defines in which domain the AP should be placed when performing initialization.
  • Key – a feature that determines whether the AP falls under this initialization binding.
  • AP initialization – the process of adding an AP to EMS device tree according to the found initialization binding (adding to RADIUS table, assigning OTT feature, SNMP access parameters) and performing configuration according to the assigned template and SSID binding of the domain assigned to it.

This is described in detail in the following documentation: Quickstart, AP initialization.

Creating an SSID with Enterprise authorization

The key point in configuring Enterprise authorization is configuring RADIUS. The SoftWLC controller works with the FreeRADIUS implementation. Data is exchanged with the RADIUS server over UDP (User Datagram Protocol) on a client-server basis. The client is an access point that requests the RADIUS server to verify credentials.

Procedure of interaction between AP and eltex-radius:

  • The user connects a device (corporate laptop or any other). To do this, they call the corresponding configuration interface. A connection window opens, where the user enters their login and password.
  • The access point receives this data and transmits it to the RADIUS server for authentication verification.
  • RADIUS server checks the user and their password in the MySQL database, and, depending on the result, returns one of the values: Accepted or Rejected.
  • When Accepted is received, individual encryption keys are exchanged between the client and the access point, valid only for the time set for that session.

To configure an SSID with Enterprise authorization, use the following instruction.

Eltex-radius has an option to proxy to a third-party server.

When a wireless client wants to connect to a Wi-Fi network, it sends an access request to the wireless access point. After the access point receives the user credentials, it sends this information to the eltex-radius server which will forward the connection request to the external radius server. The external radius server analyzes this request and allows or denies the credentials. If the credentials entered are correct, we will be able to connect to the wireless network without any problem, otherwise an authentication error will be returned.

Creating an SSID with portal authorization

SoftWLC includes a WEB-portal with which the hotspot client authorization model is implemented. A user unknown to the system can freely (without obtaining a login and password in advance) connect to the access point, but when trying to access the Internet via a browser, the user is redirected to the WEB-portal page where they can optionally perform the authorization procedure or receive authorization data (for example, via SMS). During the authorization procedure, the subscriber can observe advertising messages in the form of banners customized according to the operator's requirements.

To customize the WEB portal, SoftWLC includes the Portal Constructor which allows users to customize work scenarios and the appearance of portals used during Hotspot authorization. Users can create and delete portals, select any background and content (text, images), set different modes and authorization scenarios for each portal. The Constructor itself doesn't perform any actions in the chain of service provisioning to a subscriber. It is a tool that serves only for configuration.

To configure portal authorization, you need to:

  • Enable Captive Portal mode in the access point settings;
  • Create a new SSID with the Hotspot authorization type;
  • Add SSID binding to the AP;
  • Add a tariff plan for RADIUS;
  • Activate a tariff plan on the portal.

The step-by-step instruction for configuration can be found here.
