
1. General description of BRAS operation.

BRAS functionality in the L3 inclusion scheme is supported by Eltex ESR-100/200/1000/1200/1500/1700 service routers. It makes it possible to identify Wi-Fi users connecting to access points produced by different manufacturers. In general terms, BRAS must perform the following functions:

  • On receiving user traffic, determine whether this WiFi user is authorised in the system or not;
  • If the WiFi user is authorised, pass the user's traffic to the Internet. If not, redirect the user to the Authorisation Portal, where they must confirm their identity (via SMS, call or an ESIA (ЕСИА) account);
  • Once the WiFi user has been authorised on the Portal, BRAS must learn of this and apply different access policies to the WiFi user's traffic;
  • While processing WiFi user traffic, BRAS must collect statistics and forward them to a higher-level system for further analysis and storage.

BRAS is the enforcement element that applies specific policies to WiFi user traffic according to directives passed to it from the higher-level SoftWLC system, where decisions are made on the basis of the data transmitted by BRAS. Within SoftWLC, the Eltex-PCRF module interacts with BRAS and sends it directives for handling WiFi users.

1.1 Identification of system elements

In order to distinguish WiFi users from each other, the ESR BRAS requires an identifier that uniquely identifies each of them. This identifier is the MAC address of the device from which the WiFi user connects. The BRAS must therefore receive traffic that still carries the MAC headers of the user's device. For this purpose, either an L2 network must be provided between the WiFi user and BRAS, or WiFi user traffic must be routed to BRAS inside a VPN across the operator's L3 infrastructure. To organise such a VPN, an ESR-10/20/100/200 router is installed in the customer's network; it establishes GRE tunnels to an ESR-100/200/1000/1200/1500/1700 operating in Wireless-Controller mode (more details about this mode can be found in "Configuring ESR by connecting AP via L3 access network (WiFi L3 diagram)"). Eltex access points can also build GRE tunnels themselves, which makes it possible to connect them to BRAS via the operator's L3 infrastructure without installing an additional ESR-10/20/100/200. Figure 1.1.1 below shows the connection diagram:

Fig. 1.1.1.

ESR functions:

  • ESR BRAS, which terminates the GRE tunnels and performs the BRAS functions; hereafter it will be referred to as "ESR BRAS L3".
  • ESR installed at the client, which encapsulates traffic from the client APs into GRE and passes it to ESR BRAS L3 for further processing; hereinafter such an ESR will be called "ESR Client".

Table 1.1.1 below summarises the types of ESRs and their possible functions:

ESR type   | ESR BRAS L3 | ESR Client
-----------|-------------|-----------
ESR-10     | -           | +
ESR-20     | -           | +
ESR-100    | +           | +
ESR-200    | +           | +
ESR-1000   | +           | +
ESR-1200   | +           | +
ESR-1500   | +           | +
ESR-1700   | +           | +

Table 1.1.1.

The following terminology will also apply hereinafter:

  1. The telecom operator providing WiFi authorisation and Internet access services: "ISP".
  2. The customer of the service who requires WiFi authorisation and with whom the telecom operator enters into a contract: "Client".
  3. A third-party AP: "Generic AP".
  4. A person connecting to WiFi using various devices: "WiFi user" or "User".
  5. The scheme for connecting generic APs over the operator's L3 infrastructure using ESR Client to encapsulate client traffic in GRE: "Interop".

1.2. Identification of generic APs that WiFi users connect to

In addition to authorising WiFi users on BRAS, it is also necessary to understand which SSID and which generic AP they connect to. To do this, it is necessary to identify these objects.

There are two ways to identify which generic AP the WiFi user connected to:

  1. Identification by vlan.
  2. Identification using option 82.

Identification by vlan

Each SSID of each generic AP is allocated a unique vlan. The scheme is shown below in Fig. 1.2.1 (for simplification, the GRE control tunnel is not shown).

Fig. 1.2.1.

As can be seen in Fig. 1.2.1, the generic AP to which a WiFi user makes a connection can be identified by the vlan in which its traffic arrives at the ESR BRAS.

The advantages of this scheme are:

1) simplicity of the enabling scheme with a small number of generic APs;

2) the possibility of using an unmanaged switch to connect generic APs.

Also this scheme has its disadvantages:

1) poor scalability: for each newly connected generic AP a new vlan must be allocated; in the figure, 2 SSIDs on three generic APs required 6 vlans. With a large number of APs this method becomes difficult to administer. There is also a limitation of the SoftWLC complex, which does not allow more than 20 different vlans to be passed inside the GRE tunnel from one ESR Client.

Identification by option 82

In this case, ESR BRAS enriches WiFi user accounts with information obtained from option 82 added to their DHCP requests. It is assumed that one vlan is allocated for each unique SSID and that this vlan is used on all generic APs. On the switch to which the generic APs are connected, the function that adds option 82 to DHCP requests (DHCP snooping) is enabled. Thus, DHCP requests from WiFi users will contain option 82 with port/vlan information and the identifier of the switch to which the generic AP is connected, which allows the generic AP and the SSID to which the connection is made to be identified unambiguously. On BRAS, the function that enriches RADIUS traffic with the option 82 information obtained from user DHCP requests is enabled (supported since ESR software version 1.11.2). The enrichment of RADIUS traffic is performed in the format defined in RFC 4679. The scheme is shown below in Fig. 1.2.2.

Fig. 1.2.2.

The advantage of this scheme is:

1) ease of scaling when connecting new generic APs, as each SSID has its own vlan, which will be the same for all newly connected generic APs.

Also this scheme has its disadvantages:

1) the need to connect all generic APs to a managed switch that supports the "DHCP snooping" function and to configure that function on it.
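As an added illustration (not Eltex or SoftWLC code), the following Python parses option 82 out of a DHCP options field and encodes its circuit-id and remote-id as RFC 4679 vendor-specific RADIUS attributes, the format the page names for BRAS enrichment; the DHCP options blob, the "port:vlan" circuit-id string and the switch MAC are constructed sample values, and the resulting attributes are decoded back into the port/vlan and switch identifier that single out the generic AP.

```python
"""Parse DHCP option 82 (Relay Agent Information) and encode its sub-options as
RFC 4679 RADIUS vendor-specific attributes (VSAs).
Added illustration, not Eltex code; sample values below are constructed."""
import struct

DHCP_OPT_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1            # option 82 sub-option: port/vlan on the switch
SUBOPT_REMOTE_ID = 2             # option 82 sub-option: switch identifier
RADIUS_ATTR_VSA = 26
VENDOR_ADSL_FORUM = 3561         # Vendor-Id used by RFC 4679
VSA_AGENT_CIRCUIT_ID = 1         # RFC 4679 Agent-Circuit-Id
VSA_AGENT_REMOTE_ID = 2          # RFC 4679 Agent-Remote-Id

def parse_tlv(buf, dhcp=False):
    """Walk a type-length-value list into {code: value}.
    dhcp=True honours the DHCP pad (0) and end (255) codes."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if dhcp and code == 0:            # pad
            i += 1
            continue
        if dhcp and code == 255:          # end of options
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated header at offset %d" % i)
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for code %d" % code)
        out[code] = value
        i += 2 + length
    return out

def rfc4679_vsa(vendor_type, data):
    """Encode one VSA: Type 26 | Length | Vendor-Id 3561 | Vendor-Type | Vendor-Length | data."""
    if len(data) > 247:                   # RADIUS attribute length is one byte (max 255)
        raise ValueError("VSA data too long")
    vendor_part = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_ATTR_VSA, 6 + len(vendor_part), VENDOR_ADSL_FORUM) + vendor_part

def decode_vsa(vsa):
    """Inverse of rfc4679_vsa with header checks; returns (vendor_type, data)."""
    attr_type, length, vendor_id = struct.unpack("!BBI", vsa[:6])
    if attr_type != RADIUS_ATTR_VSA or length != len(vsa) or vendor_id != VENDOR_ADSL_FORUM:
        raise ValueError("not an RFC 4679 VSA")
    vendor_type, vendor_len = vsa[6], vsa[7]
    if vendor_len != len(vsa) - 6:
        raise ValueError("bad vendor-length")
    return vendor_type, vsa[8:]

def enrich(options):
    """Return the RFC 4679 VSAs BRAS would add for a DHCP request carrying option 82."""
    opts = parse_tlv(options, dhcp=True)
    if DHCP_OPT_RELAY_AGENT not in opts:
        return []                         # no option 82: nothing to enrich with
    subs = parse_tlv(opts[DHCP_OPT_RELAY_AGENT])
    vsas = []
    if SUBOPT_CIRCUIT_ID in subs:
        vsas.append(rfc4679_vsa(VSA_AGENT_CIRCUIT_ID, subs[SUBOPT_CIRCUIT_ID]))
    if SUBOPT_REMOTE_ID in subs:
        vsas.append(rfc4679_vsa(VSA_AGENT_REMOTE_ID, subs[SUBOPT_REMOTE_ID]))
    return vsas

def identify_ap(options):
    """Decode the VSAs back into the switch port/vlan and switch MAC that identify the generic AP."""
    ident = {}
    for vsa in enrich(options):
        vendor_type, data = decode_vsa(vsa)
        if vendor_type == VSA_AGENT_CIRCUIT_ID:
            ident["circuit_id"] = data.decode("ascii", errors="replace")
        elif vendor_type == VSA_AGENT_REMOTE_ID:
            ident["remote_id"] = ":".join("%02x" % b for b in data)
    return ident

# Constructed sample: DHCP Discover (option 53 = 1) with option 82 added by the
# access switch: circuit-id "gi1/0/5:10" (port gi1/0/5, vlan 10), remote-id = switch MAC.
CIRCUIT_ID = b"gi1/0/5:10"
REMOTE_ID = bytes.fromhex("a8f94b000001")

def build_sample_options():
    opt82 = (bytes([SUBOPT_CIRCUIT_ID, len(CIRCUIT_ID)]) + CIRCUIT_ID
             + bytes([SUBOPT_REMOTE_ID, len(REMOTE_ID)]) + REMOTE_ID)
    return bytes([53, 1, 1, DHCP_OPT_RELAY_AGENT, len(opt82)]) + opt82 + bytes([255])
```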

1.3 Interaction of system elements

Let us consider the interaction of the WiFi user, generic AP, BRAS and SoftWLC (Fig. 1.3.1). The figure shows the authorisation sequence for a new WiFi user.

Fig. 1.3.1.

BRAS is configured to allow DHCP traffic (UDP ports 67, 68) and DNS requests (UDP port 53) without authorisation. This is necessary so that the user can obtain an address and perform DNS and HTTP requests.

  1. The WiFi user connecting to the generic AP sends a DHCP Discover.
  2. Depending on the chosen method of identifying the generic AP to which the user connects, option 82 may be enabled on the switch to which the generic AP is connected; port/vlan/switch information is then added to the DHCP request.
  3. The request is then transmitted through the L2 access network to the ESR Client (not shown in the diagram, since its role is limited to providing an L2 channel to ESR BRAS L3), which encapsulates the packet in GRE and sends it to ESR BRAS L3. ESR BRAS L3 parses the DHCP request for the presence of option 82 (if required), stores the MAC address/option 82 information (if any) and, acting as a DHCP relay, forwards the request to the DHCP server, which assigns an address to the WiFi user based on the giaddr field. The gateway is the ESR address. After receiving the address, the WiFi user sends any IP packet to the router, which in turn creates a new "unauthorised session". An attempt is made to authorise the WiFi user by MAC address (since the user is new, authorisation fails).
  4. All traffic of the WiFi user falls under the rules of the "default" service; usually in this mode any traffic except DHCP and DNS is blocked.
  5. After the WiFi user opens a browser, ESR BRAS L3 receives an HTTP request and answers it with an HTTP 302 Redirect carrying the parameters for connecting to the portal. The user's browser redirects its request to Eltex-Portal, and in response the start page for authorisation is loaded. The page is selected based on the nas-ip and L2-interface parameters; from them the portal determines the page name and the name of the service domain to which this interface belongs.
  6. After entering the phone number, the WiFi user clicks the "get password" button. The portal generates a password and creates an account in the database with login/password and tariff plan, linked to the service domain. An SMS with the password is sent via the Notification GW (NGW) to the phone number specified by the user.
  7. The user enters the received password on the confirmation page of the portal, which sends the entered data to the PCRF; the PCRF in turn records these user data in the database and sends the Account-Logon command to ESR BRAS L3. Having received this command, the router makes a second attempt to authorise the WiFi user's session by sending an access-request. Since the user's data (login/password/service domain) is now in the database, the user's session is successfully authorised via the RADIUS protocol on the PCRF. In response, the PCRF returns the list of services to be assigned to the WiFi user. ESR BRAS L3 then requests the attributes of those services, which contain time/traffic quota data and the URL filter name, and applies them to the user session. The WiFi user is then granted access to the Internet according to the received connection parameters.
  8. The WiFi user's traffic can be filtered by URL and by IP address.
  9. ESR periodically sends accounting packets with statistics for the user session and the assigned service.
  10. If the WiFi user disconnects from the AP, the user session is deleted on ESR BRAS L3 after the idle-timeout, and an accounting stop is sent to the PCRF to record the client's uptime and the amount of transmitted/received traffic.
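As an added reference model (not Eltex code), the following Python simulates the session handling just described: the unauthorised session under the "default" service (only DHCP and DNS pass, HTTP is answered with a redirect), the Account-Logon CoA that triggers the second access-request, and the accounting stop after idle-timeout. The PCRF is replaced by an in-memory accounts table; the portal URL, MAC address and service name are assumed demo values.

```python
"""Reference model of the ESR BRAS L3 session flow from section 1.3.
Added illustration, not Eltex code: PCRF, portal URL, MACs and service
names are stand-ins assumed for the demo."""
from dataclasses import dataclass, field

PORTAL_URL = "http://portal.example/login"                 # assumed placeholder
DEFAULT_SERVICE = {("udp", 67), ("udp", 68), ("udp", 53)}  # allowed before authorisation

UNAUTHORISED = "unauthorised"
AUTHORISED = "authorised"

@dataclass
class Session:
    mac: str
    ip: str
    state: str = UNAUTHORISED
    services: list = field(default_factory=lambda: ["default"])
    bytes_used: int = 0
    idle: int = 0

class SimPcrf:
    """Stand-in for Eltex-PCRF: answers access-request from an accounts table."""
    def __init__(self):
        self.accounts = {}        # mac -> services assigned after portal login
        self.accounting = []      # accounting-stop records received from BRAS

    def access_request(self, mac):
        return self.accounts.get(mac)     # None means Access-Reject

class Bras:
    def __init__(self, pcrf, idle_timeout=2):
        self.pcrf = pcrf
        self.idle_timeout = idle_timeout
        self.sessions = {}

    def first_packet(self, mac, ip):
        """Step 3: the first IP packet after DHCP creates an unauthorised
        session and immediately tries MAC authorisation."""
        sess = self.sessions.setdefault(mac, Session(mac, ip))
        self._authorise(sess)
        return sess.state

    def _authorise(self, sess):
        services = self.pcrf.access_request(sess.mac)
        if not services:
            return False
        sess.state, sess.services = AUTHORISED, list(services)
        return True

    def account_logon(self, mac):
        """Step 7: CoA Account-Logon from the PCRF; BRAS re-sends access-request."""
        sess = self.sessions.get(mac)
        return sess is not None and self._authorise(sess)

    def handle(self, mac, proto, dport, nbytes):
        """Classify one user packet: 'allow', 'redirect:<portal>' or 'drop'."""
        sess = self.sessions.get(mac)
        if sess is None:
            return "drop"                    # no session yet (no address obtained)
        sess.idle = 0
        if sess.state == AUTHORISED:
            sess.bytes_used += nbytes        # counted into accounting
            return "allow"
        if (proto, dport) in DEFAULT_SERVICE:
            return "allow"                   # DHCP and DNS pass without authorisation
        if proto == "tcp" and dport == 80:
            return "redirect:" + PORTAL_URL  # HTTP 302 to the portal
        return "drop"                        # everything else blocked by "default"

    def tick(self):
        """Step 10: one idle-timeout tick; expired sessions emit an accounting stop."""
        for mac in list(self.sessions):
            sess = self.sessions[mac]
            sess.idle += 1
            if sess.idle >= self.idle_timeout:
                self.pcrf.accounting.append({"mac": mac, "bytes": sess.bytes_used,
                                             "services": sess.services})
                del self.sessions[mac]

def demo():
    """Walk one new WiFi user through steps 3-10 and return the observed results."""
    pcrf = SimPcrf()
    bras = Bras(pcrf, idle_timeout=2)
    mac = "aa:bb:cc:00:00:01"                              # constructed user MAC
    log = [bras.first_packet(mac, "198.18.192.10")]        # new user: unauthorised
    log.append(bras.handle(mac, "udp", 53, 60))            # DNS: allowed
    log.append(bras.handle(mac, "tcp", 80, 400))           # HTTP: redirect to portal
    log.append(bras.handle(mac, "tcp", 443, 400))          # HTTPS: dropped
    pcrf.accounts[mac] = ["internet_1h"]                   # portal confirmed the password
    log.append(bras.account_logon(mac))                    # CoA -> second access-request succeeds
    log.append(bras.handle(mac, "tcp", 443, 1500))         # now allowed and counted
    bras.tick(); bras.tick()                               # idle-timeout reached
    log.append(pcrf.accounting[-1]["bytes"])               # accounting stop carried the bytes
    return log
```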

When authentication on the portal takes place, the WiFi user's HTTP requests are proxied on ESR BRAS L3 and the user's source address (USER IP) is replaced by the ESR BRAS L3 address (PROXY IP). Therefore, between ESR BRAS L3 and SoftWLC all HTTP(S) traffic will carry the IP address of ESR BRAS L3, not of the user. All other traffic will carry the USER IP address.

If the service assigned to the WiFi user after authorisation has a list of URL filters, then all HTTP(S) traffic of the WiFi user is proxied on ESR BRAS L3 and the user's source address (USER IP) is replaced by the ESR BRAS L3 address (PROXY IP). Therefore, between the ESR and the NAT, all HTTP(S) traffic will carry the ESR BRAS L3 IP address, not the user's. All other traffic will carry the USER IP source address. When passing through NAT, a "white" (public) NAT IP address is set for the user traffic.

Starting with ESR software version 1.11.2 and SoftWLC 1.18, BRAS operation in a VRF is supported. The main feature of using BRAS in a VRF is the presence of an additional BRAS instance in that VRF, which has its own settings and the ability to listen for incoming CoA requests for the BRAS in the VRF from the default VRF. In this case, each BRAS instance uses its own dedicated CoA port.

2. Network architecture

2.1 General description

The overall connection scheme is shown below in Figure 2.1.1. Two ESR BRAS L3 routers are used, operating in Active/Standby redundant mode. Each is connected to a separate last-mile router (PE). Each ESR BRAS L3 has 4 eBGP junctions to the corresponding PE, one per VRF:

  • VRF Backbone: used for management and communication between system components;
  • VRF AP: used to connect the ESR Client; it carries the GRE traffic to ESR BRAS L3;
  • VRF NAT: used for the egress of WiFi user traffic to the Internet; the default route is received from this VRF;
  • VRF DPI: provides a junction to the non-default VRF of ESR BRAS L3. This allows the default route to be received through a router different from the one used to reach VRF NAT, and user traffic to be directed along another path through the DPI equipment.

To ensure operability in case of failure of one of the PEs the iBGP junction between ESR BRAS L3 is used. This junction also provides redundancy for VRRP GRE termination addresses and default gateways used for ESR client management addresses and WiFi user subnets. For non-default VRF, a separate iBGP junction is used in this VRF.

Fig. 2.1.1.

2.2 ESR BRAS L3 enabling scheme and addressing plan

Let us consider the ESR enabling scheme on the example in Fig. 2.2.1:

Fig. 2.2.1.

The name "Alfa" will be used for ESR BRAS L3 VRRP MASTER and "Beta" for ESR BRAS L3 VRRP BACKUP.

The table of used addressing and assignment is given below in Table 2.2.1:

AS 64603

description | VRF | Alfa interface / vlan | Alfa IP address | VRRP IP | Beta interface / vlan | Beta IP address
------------|-----|-----------------------|-----------------|---------|-----------------------|----------------
junction with VRF AP (eBGP) | default | gi1/0/1.206 | 100.64.0.34/30 | n/a | gi1/0/1.207 | 100.64.0.38/30
junction with VRF backbone (eBGP) | default | gi1/0/1.208 | 100.64.0.42/30 | n/a | gi1/0/1.209 | 100.64.0.46/30
junction with VRF NAT (eBGP) | default | gi1/0/1.210 | 100.64.0.50/30 | n/a | gi1/0/1.211 | 100.64.0.54/30
internal junction with VRF DPI | default | lt 1 | 10.200.200.1/30 | n/a | lt 1 | 10.200.200.5/30
termination of GRE traffic from ESR-client | default | bridge 1 / 101 | 192.168.200.51/28 | 192.168.200.49/32, 192.168.200.50/32 | bridge 1 / 101 | 192.168.200.52/28
ESR-client management subnetwork termination | default | bridge 3 / 3 | 198.18.128.2/21 | 198.18.128.1/32 | bridge 3 / 3 | 198.18.128.3/21
junction address with neighbouring ESR (iBGP) | default | bridge 9 / 9 | 100.64.0.57/30 | n/a | bridge 9 / 9 | 100.64.0.58/30
termination of WiFi user subnets in default VRF | default | bridge 10 / 10 | 198.18.192.2/19 | 198.18.192.1/32 | bridge 10 / 10 | 198.18.192.3/19
junction with VRF DPI (eBGP in VRF dpi) | dpi | lt 2 | 10.200.200.2/30 | n/a | lt 2 | 10.200.200.6/30
internal junction with default VRF | dpi | gi1/0/1.214 | 100.64.0.74/30 | n/a | gi1/0/1.215 | 100.64.0.78/30
termination of WiFi user subnets in a separate VRF (dpi) | dpi | bridge 12 / 12 | 198.19.0.2/19 | 198.19.0.1/32 | bridge 12 / 12 | 198.19.0.3/19
junction address with neighbouring ESR (iBGP in VRF dpi) | dpi | bridge 92 / 92 | 100.64.0.97/30 | n/a | bridge 92 / 92 | 100.64.0.98/30

Table 2.2.1.

1. Access to the Internet in the default VRF is via the VRF NAT.

2. Access to the management network, where SoftWLC complex and DHCP server are located, is carried out through junctions with VRF backbone. ESR management is done through addresses configured on bridge 3.

3. ESR client receives the primary IP in the VRF AP and uses it as the local address for GRE tunnels. Interaction with this VRF is done through junctions to the VRF AP.

4. Internet access for WiFi users who are authorised in the VRF dpi and obtain an address from the bridge 12 address space is done through a junction with the VRF DPI.

5. Address obtaining via DHCP and redirect to the portal for WiFi users of VRF dpi is done via a junction with VRF backbone in the default VRF. To provide IP connectivity between VRFs, lt-tunnels are used to route this traffic.

3. Features of BRAS configuration in VRF

Configuring BRAS in VRFs has the following features:

  1. A different BRAS instance is configured for each VRF on the ESR.
  2. All BRAS instances use the same settings for interacting with the RADIUS server; this interaction is performed from the default VRF.
  3. For each BRAS instance, a separate das-server configuration is configured in the default VRF so that the RADIUS server can distinguish which BRAS instance it is accessing when making CoA requests.

SoftWLC's Eltex-PCRF service is used as the RADIUS-server with which BRAS interacts directly. Eltex-PCRF uses the following default ports:

  • UDP:31812 - for receiving access-request
  • UDP:31813 - for receiving accounting-request
  • UDP:3799 - to send CoA requests to BRAS in default VRF

To communicate with a BRAS instance in a non-default VRF, a VRF name and a CoA port different from the one used in the default VRF must be selected. The choice here is:

  • UDP:30799 - to send CoA requests to BRAS in VRF dpi

The VRF names and CoA ports used by the ESR are summarised in Table 3.1 below:

VRF name | CoA port | secret
---------|----------|-----------
1        | 3799     | testing123
dpi      | 30799    | testing123

Table 3.1.

As you can see from the above information, it is assumed that all ESRs will use the same VRF settings and their corresponding das-server/secret.

Each BRAS instance on the ESR can use different settings for reaching the RADIUS server and different das-server settings for handling CoA requests. These settings can also be placed in VRFs other than the one in which the BRAS instance is configured. However, this approach significantly complicates both the ESR configuration and the interaction with the SoftWLC complex, so its use is not recommended.

4. ESR BRAS L3 configuration.

4.1. General configuration of ESR BRAS L3.

To be able to configure ESR BRAS in L3 scheme, BRAS-WiFi licence is required. Check and install it on the ESR (to obtain the licence, please contact the commercial department of Eltex company).

esr# show licence 
Licence information
-------------------
Name:    eltex
Version: 1.0
Type:    ESR-1000
S/N:     NP01000415
MAC:     A8:F9:4B:AA:34:99
Features:
 WIFI - Wi-Fi controller
 BRAS - Broadband Remote Access Server

All configuration commands are given for ESR software version 1.11.3.

Configuring IP addresses, BGP and wireless-controller.

If you are performing this configuration for the first time, it is recommended to disable the firewall (ip firewall disable) on all IP interfaces during initial configuration, to simplify troubleshooting and the resolution of problems that arise during configuration.

The overall ESR configuration (without BRAS settings) is given below, including the interface settings needed for the VRF interactions described in Table 3.1.

Alfa configuration:
#!/usr/bin/clish
#18
hostname Alfa

object-group network gre_termination
  ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
  ip prefix 198.18.128.0/21
  ip prefix 198.18.192.0/19
  ip prefix 100.64.0.56/30
  ip prefix 198.19.0.0/19
exit
object-group network clients_AP
  ip prefix 198.18.192.0/19
  ip prefix 198.18.128.0/21
exit
object-group network clients_dpi
  ip prefix 198.19.0.0/19
exit
object-group network SoftWLC
  ip prefix 100.123.0.0/24
exit

ip vrf dpi
  ip protocols bgp max-routes 250
exit

radius-server retransmit 2
radius-server host 100.123.0.2
  key ascii-text testing123
  timeout 5
  priority 20
  source-address 198.18.128.2
  auth-port 31812
  acct-port 31813
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text testing123
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

vlan 3
  force-up
exit
vlan 10
  force-up
exit
vlan 12
  force-up
exit
vlan 101
  force-up
exit
vlan 9,92
exit

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone neighbour
exit
security zone user
exit
security zone trusted_dpi
  ip vrf forwarding dpi
exit
security zone untrusted_dp
  ip vrf forwarding dpi
exit
security zone neighbour_dpi
  ip vrf forwarding dpi
exit
security zone user_dpi
  ip vrf forwarding dpi
exit

route-map out_BGP_GRE
  rule 1
    match ip address object-group gre_termination
    action set as-path prepend 64603 track 1
    action set metric bgp 1000 track 1
    action permit
  exit
exit
route-map out_BGP_AP
  rule 1
    match ip address object-group mgmt_AP
    action set as-path prepend 64603 track 1
    action set metric bgp 1000 track 1
    action permit
  exit
exit
route-map out_BGP_NAT
  rule 1
    match ip address object-group clients_AP
    action set as-path prepend 64603 track 1
    action set metric bgp 1000 track 1
    action permit
  exit
exit
route-map in_PREF
  rule 1
    action set local-preference 90
    action permit
  exit
exit
route-map out_BGP_DPI
  rule 1
    match ip address object-group clients_dpi
    action set as-path prepend 64603 track 1
    action set metric bgp 1000 track 1
    action permit
  exit
exit
router bgp 64603
  neighbor 100.64.0.33
    remote-as 65001
    update-source 100.64.0.34
    address-family ipv4 unicast
      route-map out_BGP_GRE out
      enable
    exit
    enable
  exit
  neighbor 100.64.0.41
    remote-as 65001
    update-source 100.64.0.42
    address-family ipv4 unicast
      route-map out_BGP_AP out
      enable
    exit
    enable
  exit
  neighbor 100.64.0.49
    remote-as 65001
    update-source 100.64.0.50
    address-family ipv4 unicast
      route-map out_BGP_NAT out
      enable
    exit
    enable
  exit
  neighbor 100.64.0.58
    remote-as 64603
    update-source 100.64.0.57
    address-family ipv4 unicast
      route-map in_PREF in
      next-hop-self
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    redistribute connected
    redistribute static
  exit
  enable
  vrf dpi
    neighbor 100.64.0.73
      remote-as 65001
      update-source 100.64.0.74
      address-family ipv4 unicast
        route-map out_BGP_DPI out
        enable
      exit
      enable
    exit
    neighbor 100.64.0.98
      remote-as 64603
      update-source 100.64.0.97
      address-family ipv4 unicast
        route-map in_PREF in
        next-hop-self
        enable
      exit
      enable
    exit
    address-family ipv4 unicast
      redistribute connected
    exit
    enable
  exit
exit

tracking 1
  vrrp 3 not state master
  enable
exit

bridge 1
  description "GRE_termination"
  vlan 101
  security-zone gre
  ip address 192.168.200.51/28
  vrrp id 1
  vrrp ip 192.168.200.49/32
  vrrp ip 192.168.200.50/32 secondary
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 150
  vrrp timers garp delay 1
  vrrp timers garp repeat 10
  vrrp
  protected-ports local
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 3
  description "mgmt_AP"
  vlan 3
  security-zone trusted
  ip address 198.18.128.2/21
  ip helper-address 100.123.0.2
  ip helper-address 100.123.0.3
  ip helper-address vrrp-group 1
  vrrp id 3
  vrrp ip 198.18.128.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 150
  vrrp timers garp delay 1
  vrrp timers garp repeat 10
  vrrp
  ip tcp adjust-mss 1400
  protected-ports local
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 9
  description "neighbour"
  vlan 9
  security-zone neighbour
  ip address 100.64.0.57/30
  ip tcp adjust-mss 1400
  enable
exit
bridge 10
  description "data1_AP"
  vlan 10
  unknown-unicast-forwarding disable
  security-zone user
  ip address 198.18.192.2/19
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 10
  vrrp ip 198.18.192.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 150
  vrrp timers garp delay 1
  vrrp timers garp repeat 10
  vrrp
  ip tcp adjust-mss 1400
  location data10
  protected-ports radius
  protected-ports exclude vlan
  enable
exit
bridge 12
  ip vrf forwarding dpi
  vlan 12
  unknown-unicast-forwarding disable
  security-zone user_dpi
  ip address 198.19.0.2/19
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 12
  vrrp ip 198.19.0.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 150
  vrrp timers garp delay 1
  vrrp timers garp repeat 10
  vrrp
  ip tcp adjust-mss 1400
  location data12
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 92
  ip vrf forwarding dpi
  description "neighbour for VRF dpi"
  vlan 92
  security-zone neighbour_dpi
  ip address 100.64.0.97/30
  ip tcp adjust-mss 1400
  enable
exit

interface gigabitethernet 1/0/1
  description "UpLink"
  mode hybrid
exit
interface gigabitethernet 1/0/1.206
  description "VRF_AP"
  security-zone gre
  ip address 100.64.0.34/30
exit
interface gigabitethernet 1/0/1.208
  description "VRF_CORE"
  security-zone trusted
  ip address 100.64.0.42/30
  ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/1.210
  description "VRF_NAT"
  security-zone untrusted
  ip address 100.64.0.50/30
  ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/1.214
  ip vrf forwarding dpi
  description "br12_vrf"
  security-zone untrusted_dp
  ip address 100.64.0.74/30
  ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/2
  description "neighbour"
  mode hybrid
  switchport general acceptable-frame-type tagged-only
  switchport general allowed vlan add 3,9-10,12,92,101 tagged
exit
tunnel lt 1
  peer lt 2
  security-zone trusted
  ip address 10.200.200.1/30
  enable
exit
tunnel lt 2
  peer lt 1
  ip vrf forwarding dpi
  security-zone trusted_dpi
  ip address 10.200.200.2/30
  enable
exit
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.49
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.50
  default-profile
  enable
exit

snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro 
snmp-server community "private1" rw 

snmp-server host 100.123.0.2
  source-address 198.18.128.2
exit

snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-dp-critical-temp
snmp-server enable traps environment cpu-dp-overheat-temp
snmp-server enable traps environment cpu-dp-supercooling-temp
snmp-server enable traps environment cpu-mgmt-critical-temp
snmp-server enable traps environment cpu-mgmt-overheat-temp
snmp-server enable traps environment cpu-mgmt-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps wifi wifi-tunnels-operation
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

security passwords history 0

ip dhcp-relay

ip route vrf dpi 100.123.0.0/24 10.200.200.1
ip route 198.19.0.0/19 10.200.200.2

wireless-controller
  peer-address 100.64.0.58
  nas-ip-address 198.18.128.2
  vrrp-group 1
  data-tunnel configuration radius
  keepalive mode reactive
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server

ntp enable
ntp server 100.123.0.2
exit
Beta configuration:
#!/usr/bin/clish
#18
hostname Beta

object-group network gre_termination
  ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
  ip prefix 198.18.128.0/21
  ip prefix 198.18.192.0/19
  ip prefix 100.64.0.56/30
  ip prefix 198.19.0.0/19
exit
object-group network clients_AP
  ip prefix 198.18.192.0/19
  ip prefix 198.18.128.0/21
exit
object-group network clients_dpi
  ip prefix 198.19.0.0/19
exit
object-group network SoftWLC
  ip prefix 100.123.0.0/24
exit

ip vrf dpi
  ip protocols bgp max-routes 250
exit

radius-server retransmit 2
radius-server host 100.123.0.2
  key ascii-text testing123
  timeout 11
  source-address 198.18.128.3
  auth-port 31812
  acct-port 31813
  retransmit 2
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text testing123
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

vlan 3
  force-up
exit
vlan 10
  force-up
exit
vlan 12
  force-up
exit
vlan 101
  force-up
exit
vlan 9,92
exit

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone neighbour
exit
security zone user
exit
security zone trusted_dpi
  ip vrf forwarding dpi
exit
security zone untrusted_dp
  ip vrf forwarding dpi
exit
security zone neighbour_dpi
  ip vrf forwarding dpi
exit
security zone user_dpi
  ip vrf forwarding dpi
exit

route-map out_BGP_GRE
  rule 1
    match ip address object-group gre_termination
    action set as-path prepend 64603 track 1
    action set metric bgp 1000 track 1
    action permit
  exit
exit
route-map out_BGP_AP
  rule 1
    match ip address object-group mgmt_AP
    action set as-path prepend 64603 track 1
    action set metric bgp 1000 track 1
    action permit
  exit
exit
route-map out_BGP_NAT
  rule 1
    match ip address object-group clients_AP
    action set as-path prepend 64603 track 1
    action set metric bgp 1000 track 1
    action permit
  exit
exit
route-map in_PREF
  rule 1
    action set local-preference 20
    action permit
  exit
exit
route-map out_BGP_DPI
  rule 1
    match ip address object-group clients_dpi
    action set as-path prepend 64603 track 1
    action set metric bgp 1000 track 1
    action permit
  exit
exit
router bgp 64603
  neighbor 100.64.0.37
    remote-as 65001
    update-source 100.64.0.38
    address-family ipv4 unicast
      route-map out_BGP_GRE out
      enable
    exit
    enable
  exit
  neighbor 100.64.0.45
    remote-as 65001
    update-source 100.64.0.46
    address-family ipv4 unicast
      route-map out_BGP_AP out
      enable
    exit
    enable
  exit
  neighbor 100.64.0.53
    remote-as 65001
    update-source 100.64.0.54
    address-family ipv4 unicast
      route-map out_BGP_NAT out
      enable
    exit
    enable
  exit
  neighbor 100.64.0.57
    remote-as 64603
    update-source 100.64.0.58
    address-family ipv4 unicast
      route-map in_PREF in
      next-hop-self
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    redistribute connected
    redistribute static
  exit
  enable
  vrf dpi
    neighbor 100.64.0.77
      remote-as 65001
      update-source 100.64.0.78
      address-family ipv4 unicast
        route-map out_BGP_DPI out
        enable
      exit
      enable
    exit
    neighbor 100.64.0.97
      remote-as 64603
      update-source 100.64.0.98
      address-family ipv4 unicast
        route-map in_PREF in
        next-hop-self
        enable
      exit
      enable
    exit
    address-family ipv4 unicast
      redistribute connected
    exit
    enable
  exit
exit

tracking 1
  vrrp 3 not state master
  enable
exit

bridge 1
  description "GRE_termination"
  vlan 101
  security-zone gre
  ip address 192.168.200.52/28
  vrrp id 1
  vrrp ip 192.168.200.49/32
  vrrp ip 192.168.200.50/32 secondary
  vrrp priority 190
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 150
  vrrp timers garp delay 1
  vrrp timers garp repeat 10
  vrrp
  enable
exit
bridge 3
  description "mgmt_AP"
  vlan 3
  security-zone trusted
  ip address 198.18.128.3/21
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 3
  vrrp ip 198.18.128.1/32
  vrrp priority 190
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 150
  vrrp timers garp delay 1
  vrrp timers garp repeat 10
  vrrp
  ip tcp adjust-mss 1400
  protected-ports local
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 9
  description "neighbour"
  vlan 9
  security-zone neighbour
  ip address 100.64.0.58/30
  ip tcp adjust-mss 1400
  enable
exit
bridge 10
  description "data1_AP"
  vlan 10
  unknown-unicast-forwarding disable
  security-zone user
  ip address 198.18.192.3/19
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 10
  vrrp ip 198.18.192.1/32
  vrrp priority 190
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 150
  vrrp timers garp delay 1
  vrrp timers garp repeat 10
  vrrp
  ip tcp adjust-mss 1400
  location data10
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 12
  ip vrf forwarding dpi
  vlan 12
  unknown-unicast-forwarding disable
  security-zone user_dpi
  ip address 198.19.0.3/19
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 12
  vrrp ip 198.19.0.1/32
  vrrp priority 190
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 150
  vrrp timers garp delay 1
  vrrp timers garp repeat 10
  vrrp
  ip tcp adjust-mss 1400
  location data12
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 92
  ip vrf forwarding dpi
  description "neighbour for VRF dpi"
  vlan 92
  security-zone neighbour_dpi
  ip address 100.64.0.98/30
  ip tcp adjust-mss 1400
  enable
exit

interface gigabitethernet 1/0/1
  mode hybrid
  switchport forbidden default-vlan
exit
interface gigabitethernet 1/0/1.207
  description "VRF_AP"
  security-zone gre
  ip address 100.64.0.38/30
exit
interface gigabitethernet 1/0/1.209
  description "VRF_CORE"
  security-zone trusted
  ip address 100.64.0.46/30
  ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/1.211
  description "VRF_NAT"
  security-zone untrusted
  ip address 100.64.0.54/30
  ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/1.215
  ip vrf forwarding dpi
  description "dpi_vrf"
  security-zone untrusted_dp
  ip address 100.64.0.78/30
  ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/2
  description "neighbour"
  mode hybrid
  switchport forbidden default-vlan
  switchport general acceptable-frame-type tagged-only
  switchport general allowed vlan add 3,9-10,12,92,101 tagged
exit
tunnel lt 1
  peer lt 2
  security-zone trusted
  ip address 10.200.200.5/30
  enable
exit
tunnel lt 2
  peer lt 1
  ip vrf forwarding dpi
  ip address 10.200.200.6/30
  enable
exit
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.49
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.50
  default-profile
  enable
exit

snmp-server
snmp-server community "public11" ro 
snmp-server community "private1" rw 

snmp-server host 100.123.0.2
  source-address 198.18.128.3
exit

snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-dp-critical-temp
snmp-server enable traps environment cpu-dp-overheat-temp
snmp-server enable traps environment cpu-dp-supercooling-temp
snmp-server enable traps environment cpu-mgmt-critical-temp
snmp-server enable traps environment cpu-mgmt-overheat-temp
snmp-server enable traps environment cpu-mgmt-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps wifi wifi-tunnels-operation
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

security passwords history 0

ip dhcp-relay

ip route vrf dpi 100.123.0.0/24 10.200.200.5
ip route 198.19.0.0/19 10.200.200.6

wireless-controller
  peer-address 100.64.0.57
  nas-ip-address 198.18.128.3
  vrrp-group 1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server

ntp enable
ntp server 100.123.0.2
exit

4.2. Setting up BRAS on ESR

BRAS configuration is described in detail in the guide "BRAS. L2 WiFi - setup and quick start", so below only the configuration itself is given, with explanations for the settings that are new.

The RADIUS server and das-server parameters in the default VRF of the ESR were configured earlier, in section 4.1, because interaction with the SoftWLC complex is already needed when the softGRE data tunnels are built.

Using the data from table 3.1, configure the das-server that will interact with the BRAS instance in VRF dpi. This setting is the same on Alfa and Beta:

 Alfa / Beta
das-server COA_dpi
  key ascii-text testing123
  port 30799
  clients object-group SoftWLC
exit
aaa das-profile COA_dpi
  das-server COA_dpi
exit

Configure the access-list to be used by the BRAS services. This setting is identical on both ESRs.

 Alfa / Beta
ip access-list extended WELCOME
  rule 1
    action permit
    match protocol tcp
    match destination-port 443
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match destination-port 8443
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port 80
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port 8080
    enable
  exit
exit

ip access-list extended INTERNET
  rule 1
    action permit
    enable
  exit
exit

ip access-list extended unauthUSER
  rule 1
    action permit
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port 53
    enable
  exit
exit

Next, add the necessary BRAS settings on the client interface:

 Alfa / Beta
object-group network bras_users
  ip address-range 198.18.192.4-198.18.223.254
  ip address-range 198.19.0.4-198.19.31.254
exit

bridge 10
  service-subscriber-control object-group bras_users
  location data10
exit
bridge 12
  service-subscriber-control object-group bras_users
  location data12
exit

The object-group referenced by service-subscriber-control on the interface lists the addresses that clients may receive, but excludes the ESR interface addresses, the VRRP address and the broadcast address. This is needed so that the ESR interfaces can still communicate with each other and VRRP operates correctly.
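As an added example (not code from the page or from Eltex), the following Python script derives these address-range lines from each client subnet and the addresses that must stay outside BRAS control, and lets you confirm that a given address is or is not matched by the resulting ranges. The VRRP address (.1) and the ESR addresses (.2 for Alfa, .3 for Beta) in each client subnet are assumptions taken from the addressing used in this configuration; the script also handles the general case where an excluded address sits in the middle of a subnet and the range has to be split.

```python
import ipaddress

# Added example, not part of the ESR configuration on this page: derive the
# address ranges for the bras_users object-group from the client subnets and
# the infrastructure addresses that must stay outside BRAS control.
# Assumed (constructed from the page's addressing): in each client subnet .1 is
# the VRRP address, .2 is ESR Alfa and .3 is ESR Beta; the network and
# broadcast addresses are always excluded.


def client_ranges(subnet, excluded):
    """Return the contiguous (first, last) host ranges of `subnet` that remain
    after removing the network address, the broadcast address and `excluded`."""
    net = ipaddress.ip_network(subnet, strict=True)
    skip = {ipaddress.ip_address(a) for a in excluded}
    for a in skip:
        # an excluded address outside the subnet is almost certainly a typo;
        # ignoring it silently would leave an infrastructure address under BRAS control
        if a not in net:
            raise ValueError(f"{a} is not inside {net}")
    skip.add(net.network_address)
    skip.add(net.broadcast_address)
    ranges, start, prev = [], None, None
    for host in net:                      # iterating a network yields every address
        if host in skip:
            if start is not None:
                ranges.append((str(start), str(prev)))
                start = None
            continue
        if start is None:
            start = host
        prev = host
    if start is not None:
        ranges.append((str(start), str(prev)))
    return ranges


def object_group_lines(name, subnets):
    """Render an ESR 'object-group network' block; `subnets` maps a subnet to the
    list of infrastructure addresses to exclude from it."""
    lines = [f"object-group network {name}"]
    for subnet, excluded in subnets.items():
        for first, last in client_ranges(subnet, excluded):
            lines.append(f"  ip address-range {first}-{last}")
    lines.append("exit")
    return lines


def is_bras_controlled(ranges, address):
    """True if `address` falls inside one of the (first, last) ranges, i.e. it
    would be subject to BRAS session control; use it to double-check that the
    VRRP and ESR addresses are NOT matched."""
    a = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(f) <= a <= ipaddress.ip_address(l) for f, l in ranges)


# Client subnets from this page; the excluded addresses are the assumption above.
BRAS_SUBNETS = {
    "198.18.192.0/19": ["198.18.192.1", "198.18.192.2", "198.18.192.3"],
    "198.19.0.0/19": ["198.19.0.1", "198.19.0.2", "198.19.0.3"],
}

if __name__ == "__main__":
    print("\n".join(object_group_lines("bras_users", BRAS_SUBNETS)))
```

Running the script prints the same two ip address-range lines as the object-group above; if an ESR or VRRP address is later moved into the middle of a subnet, the script emits two ranges around it instead of one, which is the change the object-group must then receive.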

Next, configure BRAS itself. The settings are identical on both ESRs except for nas-ip-address and ip proxy source-address: the Alfa address is given first and the Beta address in parentheses.

 Alfa/Beta BRAS configuration
subscriber-control filters-server-url http://100.123.0.2:7070/filters/file
subscriber-control
  aaa das-profile COA
  aaa sessions-radius-profile PCRF
  aaa services-radius-profile PCRF
  backup traffic-processing transparent
  nas-ip-address 198.18.128.2 (198.18.128.3)
  session mac-authentication
  bypass-traffic-acl unauthUSER
  vrrp-group 1
  default-service
    class-map unauthUSER
    filter-name remote gosuslugi
    filter-action permit
    default-action redirect http://100.123.0.2:8080/eltex_portal/
  exit
  enable
exit

Note the settings:

1) vrrp-group 1 – makes BRAS track the VRRP state of the ESR.

2) backup traffic-processing transparent – allows traffic to pass through interfaces on which BRAS authorisation is enabled while the ESR is in the VRRP BACKUP state. It is required for correct operation when traffic passes over the jumper link between the ESRs.

4.3. Configuring BRAS in a non-default VRF

To operate in a non-default VRF, an additional BRAS instance is configured in that VRF with the command "subscriber-control vrf <VRF name>". As a result, two BRAS instances are configured on each ESR.

subscriber-control vrf dpi
  aaa das-profile COA_dpi
  aaa sessions-radius-profile PCRF
  aaa services-radius-profile PCRF
  backup traffic-processing transparent
  nas-ip-address 198.18.128.2 (198.18.128.3)
  session mac-authentication
  bypass-traffic-acl unauthUSER
  vrrp-group 1
  default-service
    class-map unauthUSER
    filter-name remote gosuslugi
    filter-action permit
    default-action redirect http://100.123.0.2:8080/eltex_portal/
  exit
  enable
exit

Note that the BRAS instance in the VRF differs only in its aaa das-profile setting: it references the profile configured for interaction with BRAS in the VRF (COA_dpi).

Since BRAS proxies the user's address when redirecting to the portal or applying URL filtering, when BRAS runs in a VRF the source address used is the nearest on-path address inside the VRF in which BRAS runs. In the current configuration this is, for portal redirection, the address of tunnel lt 2, which links VRF dpi to the default VRF.

4.3. Configuring option 82 learning

When option 82 is used to identify the generic AP from which WiFi users connect, this functionality must be configured for each BRAS instance.

 Alfa
subscriber-control peer-address 100.64.0.58
subscriber-control
  dhcp-option-82-include enable
exit
subscriber-control vrf dpi
  dhcp-option-82-include enable
exit


 Beta
subscriber-control peer-address 100.64.0.57
subscriber-control
  dhcp-option-82-include enable
exit
subscriber-control vrf dpi
  dhcp-option-82-include enable
exit

Parameters for configuring option 82 learning:

  • subscriber-control peer-address <IP address> - address of the neighbouring router with which the learned option 82 entries are synchronised
  • dhcp-option-82-include enable - enable learning of option 82 from the DHCP packets of WiFi users
  • dhcp-option-82-include lease-time - storage time of a learned option 82 entry in seconds, range 60-86400, default 3600. This parameter should match the address lease-time configured on the DHCP server.
  • dhcp-option-82-include accept-time - storage time of an unconfirmed option 82 entry in seconds, range 10-3600, default 60. An entry is considered unconfirmed if no DHCP ACK is seen while the user acquires an address.
  • dhcp-option-82-include size - size of the table of learned option 82 entries; by default it is twice the maximum number of BRAS sessions that this ESR model can support.

4.4. Configuring a firewall on an ESR

When several VRFs are used on an ESR, each VRF is treated as a separate device for firewall configuration purposes, so the VRF to which each security-zone belongs must be specified. Combining zones from different VRFs in one zone-pair is not allowed. Object-groups are not bound to a VRF and can be used in firewall rules for any VRF. The firewall settings are identical on ESR Alfa and Beta except for the BGP neighbour addresses.
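The same-VRF rule is easy to break by hand in a rule set as long as the one that follows, so here is an added example, a small Python linter written for this page and not an Eltex tool, that parses the security zone and zone-pair blocks and reports zone-pairs mixing VRFs, repeated rule numbers inside a zone-pair, and zone-pair blocks missing their closing exit. The sample configuration inside it is constructed and deliberately contains all three mistakes; "self" is treated as belonging to whichever VRF the other zone is in.

```python
import re

# Added example (not from the page or Eltex): a lint pass over ESR firewall
# configuration that enforces the rule stated above (a zone-pair must join
# zones of the same VRF; "self" is the router itself in whichever VRF the other
# zone lives in) and also catches two copy-paste mistakes that are easy to make
# in long rule sets: a repeated rule number and a zone-pair block that is not
# closed with its own "exit".

# Constructed sample containing all three mistakes.
SAMPLE_CONFIG = """\
security zone trusted
exit
security zone user_dpi
  ip vrf forwarding dpi
exit
security zone untrusted_dp
  ip vrf forwarding dpi
exit
security zone-pair user_dpi untrusted_dp
  rule 1
    action permit
    enable
  exit
security zone-pair trusted user_dpi
  rule 1
    action permit
    enable
  exit
  rule 1
    action permit
    enable
  exit
exit
"""


def parse_zones(config):
    """Map each security zone to its VRF ('default' unless ip vrf forwarding is set)."""
    zones, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"security zone (\S+)", line)
        if m:
            current = m.group(1)
            zones[current] = "default"
            continue
        m = re.fullmatch(r"ip vrf forwarding (\S+)", line)
        if m and current is not None:
            zones[current] = m.group(1)
        elif line == "exit" or line.startswith("security zone-pair"):
            current = None
    return zones


def parse_zone_pairs(config):
    """Collect zone-pairs with their rule numbers and whether the block was closed."""
    pairs, depth = [], 0          # depth: nesting inside the current zone-pair block
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"security zone-pair (\S+) (\S+)", line)
        if m:
            if pairs and depth != 0:  # previous block never reached depth 0: no exit
                pairs[-1]["closed"] = False
            pairs.append({"src": m.group(1), "dst": m.group(2), "rules": [], "closed": True})
            depth = 1
            continue
        if depth == 0:
            continue                  # outside any zone-pair: route-map/ACL rules are ignored
        m = re.fullmatch(r"rule (\d+)", line)
        if m:
            pairs[-1]["rules"].append(int(m.group(1)))
            depth += 1
        elif line == "exit":
            depth -= 1
    if pairs and depth != 0:
        pairs[-1]["closed"] = False
    return pairs


def check_zone_pairs(config):
    """Return human-readable findings; an empty list means all checks passed."""
    zones, findings = parse_zones(config), []
    for p in parse_zone_pairs(config):
        label = f"zone-pair {p['src']} {p['dst']}"
        vrfs = []
        for z in (p["src"], p["dst"]):
            if z == "self":
                continue
            if z not in zones:
                findings.append(f"{label}: unknown zone {z}")
            else:
                vrfs.append(zones[z])
        if len(set(vrfs)) > 1:
            findings.append(f"{label}: zones belong to different VRFs ({vrfs[0]} vs {vrfs[1]})")
        seen = set()
        for r in p["rules"]:
            if r in seen:
                findings.append(f"{label}: duplicate rule {r}")
            seen.add(r)
        if not p["closed"]:
            findings.append(f"{label}: block is not closed with exit")
    return findings


if __name__ == "__main__":
    for finding in check_zone_pairs(SAMPLE_CONFIG):
        print(finding)
```

Run it over the saved running configuration before committing a change; it only understands the block shapes used on this page (security zone, security zone-pair, rule), so every other block is skipped rather than misread.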

The security-zones have already been previously created in the configuration:

 Alfa/Beta security zone
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone neighbour
exit
security zone user
exit
security zone trusted_dpi
  ip vrf forwarding dpi
exit
security zone untrusted_dp
  ip vrf forwarding dpi
exit
security zone neighbour_dpi
  ip vrf forwarding dpi
exit
security zone user_dpi
  ip vrf forwarding dpi
exit

Create the object-groups used in the firewall rules. They are identical on both ESRs except for the BGP neighbour addresses, so the network object-group cross is listed twice, marked as the Alfa or the Beta variant.

 Alfa/Beta object-group
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service redirect
  port-range 3128-3142
  port-range 3143-3157
exit
object-group service bgp
  port-range 179
exit
object-group service dns
  port-range 53
exit
object-group network Admnet
  ip prefix 100.123.0.0/24
  ip prefix 192.168.0.0/16
exit

#Alfa
object-group network cross
  ip address-range 100.64.0.33
  ip address-range 100.64.0.41
  ip address-range 100.64.0.49
  ip address-range 100.64.0.58
  ip address-range 100.64.0.73
  ip address-range 100.64.0.98
exit

#Beta
object-group network cross
  ip address-range 100.64.0.37
  ip address-range 100.64.0.45
  ip address-range 100.64.0.53
  ip address-range 100.64.0.57
  ip address-range 100.64.0.77
  ip address-range 100.64.0.97
exit
object-group network nets
  ip prefix 10.0.0.0/8
  ip prefix 192.168.0.0/16
  ip prefix 172.16.0.0/12
  ip prefix 100.64.0.0/10
exit

Create firewall rule settings for the default VRF.

 Alfa/Beta security zone pair VRF default
security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol icmp
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match source-address cross
    match destination-port bgp
    enable
  exit
exit
security zone-pair gre gre
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 3
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 4
    action permit
    match protocol icmp
    enable
  exit
  rule 5
    action permit
    match source-address SoftWLC
    enable
  exit
  rule 6
    action permit
    match source-address Admnet
    enable
  exit
  rule 7
    action permit
    match protocol tcp
    match source-address cross
    match destination-port bgp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted gre
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted neighbour
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port redirect
    enable
  exit
  rule 4
    action permit
    match protocol vrrp
    enable
  exit
  rule 5
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit
security zone-pair user neighbour
  rule 1
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
  rule 2
    action permit
    match not source-address nets
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol tcp
    match source-address cross
    match destination-port bgp
    enable
  exit
exit
security zone-pair neighbour self
  rule 1
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
  rule 2
    action permit
    match protocol gre
    enable
  exit
  rule 3
    action permit
    match protocol icmp
    enable
  exit
  rule 4
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 5
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 6
    action permit
    match source-address SoftWLC
    enable
  exit
  rule 7
    action permit
    match source-address Admnet
    enable
  exit
exit
security zone-pair neighbour trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair neighbour untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair neighbour gre
  rule 1
    action permit
    enable
  exit
exit
security zone-pair neighbour user
  rule 11
    action permit
    enable
  exit
exit

Next, let's create firewall settings for VRF dpi.

 Alfa/Beta security zone-pair VRF dpi
security zone-pair trusted_dpi self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted_dpi user_dpi
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted_dpi neighbour_dpi
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user_dpi self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port redirect
    enable
  exit
  rule 4
    action permit
    match protocol vrrp
    enable
  exit
  rule 5
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user_dpi untrusted_dp
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user_dpi trusted_dpi
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user_dpi neighbour_dpi
  rule 1
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
  rule 2
    action permit
    match not source-address nets
    enable
  exit
exit
security zone-pair untrusted_dp self
  rule 1
    action permit
    match protocol tcp
    match source-address cross
    match destination-port bgp
    enable
  exit
exit
security zone-pair neighbour_dpi self
  rule 1
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
  rule 2
    action permit
    match protocol gre
    enable
  exit
  rule 3
    action permit
    match protocol icmp
    enable
  exit
  rule 4
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 5
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 6
    action permit
    match source-address SoftWLC
    enable
  exit
  rule 7
    action permit
    match source-address Admnet
    enable
  exit
exit
security zone-pair neighbour_dpi trusted_dpi
  rule 1
    action permit
    enable
  exit
exit
security zone-pair neighbour_dpi untrusted_dp
  rule 1
    action permit
    enable
  exit
exit
security zone-pair neighbour_dpi user_dpi
  rule 11
    action permit
    enable
  exit
exit

5. ESR client configuration

5.1. General description

The ESR client is a device installed at the customer's premises; its main task is to encapsulate the traffic from the client APs, in the corresponding VLANs, into GRE and send it to the ESR BRAS L3 over the provider's transport network. Fig. 5.1.1 below shows the ESR client connection scheme.

Figure 5.1.1.

The ESR is delivered with the factory default configuration. To build GRE tunnels the device must be configured, and configuring each new client's device by hand in advance is time-consuming. Therefore a universal configuration is prepared, placed on a TFTP server, and the information needed to download it is handed out via DHCP when the ESR client obtains its primary address on connection. This allows the required configuration to be downloaded and applied automatically on the ESR client when it connects and, when necessary, to be changed easily and rolled out to all ESR clients.

5.2. Configuration description

Allocate the subnet 192.168.250.0/24 for the primary addresses of the ESR clients. Different subnets can be used for different groups of ESR clients. The subnet must be announced on Alfa / Beta via the junction with VRF AP.

The following is the ESR-client configuration using ESR-10 software version 1.11.0 or higher as an example:

 ESR-10 config file
#!/usr/bin/clish
#18
hostname ESR-10GRE

object-group service telnet
  port-range 23
exit
object-group service ssh
  port-range 22
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ntp
  port-range 123
exit

object-group network MNG
  ip prefix 100.123.0.0/24
  ip prefix 192.168.200.48/28
  ip prefix 192.168.250.0/24
exit

vlan 2,10-11
exit

security zone trusted
exit
security zone GRE
exit

bridge 1
  description "Tunnel-IP"
  vlan 2
  security-zone GRE
  ip address dhcp
  ip dhcp client ignore router
  enable
exit
bridge 2
  description "userDATA"
  enable
exit
bridge 3
  description "mgmt_ESR10"
  security-zone trusted
  ip address dhcp
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  bridge-group 2
exit
interface gigabitethernet 1/0/3
  mode switchport
  switchport access vlan 10
  bridge-group 2 tagged
exit
interface gigabitethernet 1/0/4
  mode switchport
  switchport access vlan 11
  bridge-group 2 tagged
exit
interface gigabitethernet 1/0/5
  mode switchport
  switchport mode trunk
  bridge-group 2
exit
interface gigabitethernet 1/0/6
  mode switchport
  switchport access vlan 2
exit

tunnel gre 1
  mtu 1462
  keepalive dst-address 10.255.252.1
  keepalive dhcp dependent-interface bridge 1
  keepalive dhcp dependent-interface bridge 3
  keepalive enable
  mode ethernet
  local interface bridge 1
  remote address 192.168.200.49
  enable
exit
tunnel gre 1.1
  bridge-group 3
  mtu 1458
  snmp init-trap
  enable
exit
tunnel gre 2
  mtu 1462
  mode ethernet
  local interface bridge 1
  bridge-group 2
  remote address 192.168.200.50
  enable
exit

snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw 
snmp-server community "public11" ro 

snmp-server host 100.123.0.2
  source-interface bridge 3
exit

snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

security zone-pair trusted self
  rule 10
    action permit
    match source-address MNG
    enable
  exit
exit
security zone-pair GRE self
  rule 10
    action permit
    match source-address MNG
    enable
  exit
exit

security passwords history 0

ip telnet server
ip ssh server

ntp enable
ntp server 100.123.0.2
exit


1) In this configuration the ports gi1/0/1 (copper) and gi1/0/6 (optical) act as the uplink, so either an optical or a copper connection can be used.

2) Ports gi1/0/2 and gi1/0/5 are configured to accept tagged traffic and encapsulate it into GRE with the tag preserved, so traffic with any VLAN tag can be passed through these ports. Untagged traffic is discarded.

3) Ports gi1/0/3 and gi1/0/4 are configured to accept untagged traffic; a VLAN tag is assigned according to the port configuration: 10 for gi1/0/3 and 11 for gi1/0/4. This allows client traffic to be tagged and carried with a VLAN tag inside GRE packets when the client sends untagged traffic. Tagged traffic is discarded.

4) ip dhcp client ignore router is configured on bridge 1. With this setting the default gateway is not requested in DHCP requests. This is needed so that the management address received on bridge 3 inside the GRE management tunnel can take the default gateway. Since bridge 1 receives the primary address, the route information needed for connectivity with the GRE termination addresses on the ESR BRAS L3 and for downloading the configuration from the TFTP server is issued via DHCP option 121.

Also it should be taken into account:

1) This configuration is given for ESR-10, which has 6 interfaces. ESR-20/100/200 differ in the number of interfaces, so to issue them the configuration should be adjusted to take this into account.

2) A configuration that produces errors when loading will not be applied.

3) The configuration file specifies the version "#18", which is the minimum ESR firmware version it is designed for (#18 corresponds to version 1.11). An ESR client running an earlier firmware will not be able to load this configuration. The DHCP server can be configured to issue a configuration file according to the ESR client firmware version.

4) The configuration enables both the Telnet and SSH servers (ip telnet server, ip ssh server). Telnet carries logins and passwords in clear text, so in production leave only ip ssh server enabled; the zone-pair rules above permit management traffic to the device only from sources in the MNG object-group, and that restriction should be kept.

Below are the DHCP server settings for the ESR client primary address pool, using ISC DHCP Server as an example:

authoritative;
ddns-update-style none;

enable-binary-leases;

default-lease-time 86400;
max-lease-time 87000;

log-facility local7;

## MS routes: adds extras to supplement routers option
option ms-classless-static-routes code 249 = array of unsigned integer 8;

## RFC3442 routes: overrides routers option
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;


subnet 192.168.250.0 netmask 255.255.255.0 {
    pool {
        option routers 192.168.250.1;
        range 192.168.250.10 192.168.250.254;
        option ms-classless-static-routes 28, 192,168,200,48, 192,168,250,1;
        option rfc3442-classless-static-routes 28, 192,168,200,48, 192,168,250,1;
        option tftp-server-name "192.168.250.2";
        option bootfile-name "ESR10conf-1.11.txt";
    }
}

As the configuration above shows, the file ESR10conf-1.11.txt containing the ESR configuration must be located on the TFTP server 192.168.250.2. Note that TFTP provides neither authentication nor encryption, and the file carries SNMP communities and other credentials, so the primary address subnet should be reachable only by the ESR clients and the TFTP server.

The configuration may differ in the object-group addresses for different primary address subnets, because ESR clients may connect to different ESR BRAS L3 devices.
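The option 121 payload in the dhcpd.conf above is easy to get wrong by hand, because the number of destination octets sent depends on the prefix length. The following Python helper is added here as an example and is not part of the Eltex or ISC documentation: it encodes a list of (network, router) pairs into the RFC 3442 octet form used by both option 121 and Microsoft's option 249, decodes a payload back into routes, and rejects malformed data instead of guessing. The route it encodes is the one from the pool configuration above (192.168.200.48/28 via 192.168.250.1).

```python
"""Encode and decode DHCP classless static routes (RFC 3442, option 121).
Microsoft's option 249 uses the same wire format, so one encoder serves
both lines of the dhcpd.conf pool above."""
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (destination network in CIDR form, router address)


def encode_classless_routes(routes: List[Route]) -> List[int]:
    """Return the option payload as a list of octets, the same shape that
    dhcpd.conf expects after 'option rfc3442-classless-static-routes'."""
    octets: List[int] = []
    for dest, router in routes:
        # strict=True rejects a destination with host bits set, e.g. 192.168.200.50/28
        net = ipaddress.IPv4Network(dest, strict=True)
        # RFC 3442 sends only the significant octets of the destination:
        # ceil(prefix / 8) of them, and none at all for a default route (/0).
        n_sig = (net.prefixlen + 7) // 8
        octets.append(net.prefixlen)
        octets.extend(net.network_address.packed[:n_sig])
        octets.extend(ipaddress.IPv4Address(router).packed)
    return octets


def decode_classless_routes(octets: bytes) -> List[Route]:
    """Parse an option 121/249 payload back into (cidr, router) pairs,
    refusing truncated or impossible data instead of guessing."""
    routes: List[Route] = []
    i = 0
    while i < len(octets):
        prefix = octets[i]
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix} at offset {i}")
        n_sig = (prefix + 7) // 8
        i += 1
        if i + n_sig + 4 > len(octets):
            raise ValueError("truncated classless-static-route option")
        # Pad the significant octets back to a full 4-byte address.
        dest = bytes(octets[i:i + n_sig]).ljust(4, b"\x00")
        i += n_sig
        router = bytes(octets[i:i + 4])
        i += 4
        # strict=False tolerates senders that leave host bits set in the
        # significant octets; the network address is normalised anyway.
        net = ipaddress.IPv4Network((dest, prefix), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def dhcpd_option_text(octets: List[int]) -> str:
    """Render the octets as the comma-separated 'array of unsigned integer 8'
    literal used in dhcpd.conf."""
    return ", ".join(str(o) for o in octets)


if __name__ == "__main__":
    # The route from the pool above: reach the GRE termination subnet
    # 192.168.200.48/28 via the primary-address gateway 192.168.250.1.
    payload = encode_classless_routes([("192.168.200.48/28", "192.168.250.1")])
    print("option rfc3442-classless-static-routes " + dhcpd_option_text(payload) + ";")
    print(decode_classless_routes(bytes(payload)))
```

Run it to regenerate the two option lines after changing the GRE termination subnet; a client that understands option 121 will ignore option 3 (routers) when option 121 is present, which is why the ESR client side also uses ip dhcp client ignore router.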

6. Configuring interaction with SoftWLC

SoftWLC settings can be divided into global settings, which are performed once or whenever a new ESR BRAS is added; standard settings, which can be configured for an individual customer of the authorisation service or shared by several or all customers; and custom settings, which are usually configured when each new customer is connected.

6.1. Global settings

Global settings can be divided into several steps:

1) Configuring the interaction with BRAS in the Portal Builder;

2) Setting up the interaction with BRAS in a VRF in the Personal Account;

3) Creating two mandatory URL filtering lists - welcome and gosuslugi in the Personal Account;

4) Creating of mandatory WELCOME service in Personal Account;

5) Adding ESR BRAS to EMS and setting up interaction with it.

The first four items are performed once during the initial deployment; the fifth is performed when each new ESR BRAS is added.

Portal

Enable the "Interaction with BRAS" flag (Fig. 6.1.1) and click the "Save" button.

Fig. 6.1.1.

Starting from SoftWLC version 1.18, the Portal does not interact with ESR BRAS directly, only through calls to the PCRF service.

For SoftWLC versions 1.17 and below, the RADIUS CoA port and passwords for interaction with ESR BRAS must be configured in the Portal Designer. The passwords specified there for RADIUS CoA packets exchanged between ESR BRAS and SoftWLC (PCRF) must match the passwords configured on the ESR BRAS and in the PCRF configuration.

If PCRF runs on another host, specify its IP address instead of localhost (Fig. 6.1.2):

Fig. 6.1.2.

Personal Account

Open "Personal Account" and go to "PCRF Settings" → "BRAS VRF". Click the "Add" button (Fig. 6.1.3):


Fig. 6.1.3.

Add the BRAS interaction parameters for the VRF defined earlier in Table 3.1 and click the "Save" button. Note that the settings for interaction with BRAS in the default VRF are already present.

As a result (Fig. 6.1.4), settings for interaction with BRAS now exist for VRF dpi.

Fig. 6.1.4.

If necessary, the BRAS interaction settings for a VRF can be checked by clicking the "Edit" button. Only the Port and Secret fields can be changed; the VRF name cannot be changed, only deleted.

If the default VRF named "1" is deleted, it is recreated when PCRF restarts.

In the "Settings" section, "Integration" tab, the PCRF URL must be specified correctly (by default localhost, port 7070). This is required for correct interaction between PCRF and the Personal Account (Fig. 6.1.5):


Fig. 6.1.5.

Then in the Personal Account go to "PCRF Settings" → "URL Lists" and click the "Add" button (Fig. 6.1.6):

Fig. 6.1.6.

Configure the welcome list: enter the entry and click "Save" twice, once to save the entry and once to save the list.

Similarly, add the gosuslugi filter list (Fig. 6.1.7), which is used in the filter-name remote gosuslugi setting on the BRAS:

Fig. 6.1.7.

Click "Save".

Setting up SoftWLC integration with ESIA is not considered in this document.

Go to the "Services and Tariffs" section of the Personal Account, select the "PCRF Services" tab and click the "Add" button (Fig. 6.1.8):


Fig. 6.1.8.

In the window configure the following:

  • "Service's name" - WELCOME;
  • "Domain" - root;
  • "Traffic's class" - WELCOME.

This name must exactly match the name of the extended ip access-list WELCOME configured on the ESR, including letter case, because this is the access-list the ESR applies when assigning this service. A mismatch in name or case will cause the BRAS to behave incorrectly when the service is assigned;

  • "Account interim interval, s" - 600;
  • "Priority" - 4;
  • "Ability of transition of IP flows" - allow IP flows in both directions;
  • "Default Action" - redirect;
  • "Default URL" - http://<ip address of portal>:8080/eltex_portal/welcome;
  • "Name of filter" - select welcome from the dropdown menu (this is the previously configured filter list);
  • "Action" - permit;
  • Press the "Add" button - the filter should appear in the "Selected Filters" window.

Press the "Save" button. This service is special: it is required for the correct operation of the "Welcome" page and must not be used in tariff settings.

EMS


Open EMS, create the domain r54 (the principles of setting up domains and nodes are not covered in this document), select the required node and add the ESR to the object tree with the add button (Fig. 6.1.9):

Fig. 6.1.9.

Specify:

  • "Object name" - Alfa (any name can be specified);
  • "Object" - select the required type of device, in the given example it is ESR1000;
  • "IP address" - specify the IP address of the device that will be used for interaction with SoftWLC.

Click the "Add" button.

After the ESR appears in the object tree (re-read the tree with the button in the upper left corner of the EMS window), select it, open the "Access" tab on the right and click "Edit" (Fig. 6.1.10):


Fig. 6.1.10.

In the tab that opens, specify:

  • "File protocol" - FTP;
  • "Read community / User v3" - public11;
  • "Write community / Password v3" - private1;
  • "Getting VRRP status" - check the box;
  • "BRAS service" - check the box.

When adding an ESR-100/200, the "ESR mode" field defaults to "StationCE". In this case change it to "Station", otherwise such an ESR will not be used to build data tunnels for APs.

Save the rest of the settings unchanged and press the "Accept" button.

Next, specify in EMS the RADIUS secret used by the SoftWLC complex to interact with the ESR. Open "RADIUS" → "Access Point Management", find the ESR (if the table has many entries, filter by IP address) and double-click it to open the parameter editing window (Fig. 6.1.11):

Fig. 6.1.11.

Set "Key" to testing123 and click the "Accept" button, then close the "Access Point Management on RADIUS Server" window. The value testing123 is used here only for the example (it is the well-known FreeRADIUS sample secret); in production use a strong, unique secret and keep it identical to the RADIUS key configured on the ESR BRAS, otherwise the RADIUS exchange with the BRAS will fail.

Add the second ESR (Beta) in the same way, its management address will be 198.18.128.3.

6.2. Standard settings

The standard settings are the customer's tariff settings. As a rule, when the standard Internet access service is provided, one tariff can be used for all customers, but a tariff can also be adjusted individually for a particular customer.

The example below sets up a tariff for unrestricted Internet access. Setting up a tariff involves configuring the PCRF service that the tariff will use (the same service can be used in several tariffs) and configuring the tariff itself.

In the Personal Account open "Services and tariffs" → "PCRF services" and click the add button; the "Create new service" window opens (Fig. 6.2.1):

Fig. 6.2.1.

Configure the following:

  • "Service name" - INTERNET (can be any, in English letters, numbers and the symbol "_");
  • "Domain" - root;
  • "Traffic class" - INTERNET.

This name must exactly match the name of the extended ip access-list INTERNET configured on the ESR, including letter case, because this is the access-list the ESR applies when assigning this service. A mismatch in name or case will cause the BRAS to behave incorrectly when the service is assigned;

  • "Interval of account sending, sec" - 300;
  • "Priority" - 10;
  • "Allow IP streams" - allow IP flows in both directions;
  • "Default Action" - permit;
  • Do not add any URL filtering lists.

Click the "Save" button.

In the Personal Account open "Services and tariffs" → "Tariffs" and select the "PCRF/BRAS" filter to switch to the configuration of BRAS tariffs (Fig. 6.2.2):


Fig. 6.2.2.

and press the "Add" button; the "Create new tariff" window opens (Fig. 6.2.3):

Fig. 6.2.3.

We configure:

  • "Name" - internet (can be any, in English letters, numbers and "_");
  • "Tariff's code" - internet (can be any, in English letters, numbers and "_");
  • "Domain" - root;
  • "Session lifetime" - 12h. This is the maximum lifetime of a user session while the user stays active. When it expires the session is closed on the BRAS and a new one is created; the new session passes MAC authorisation transparently for the client;
  • "Session lifetime at user inactivity" - 15 min;
  • "Services" - select the previously configured service "INTERNET".

Do not select the "WELCOME" service! If it is also selected, the BRAS will operate incorrectly after the user is authorised and assigned this tariff.

Click the "Save" button.

6.3. Custom settings performed for each client

Custom settings include configuring the portal, configuring and binding the SSIDs, and initialising the ESR client. A single portal can be used for several customers, but this is rarely done. The SSID configuration is usually unique for each geographic location; within one customer it is common to use the same portal for different SSIDs or locations. In general, the configuration order for each new customer is as follows:

1) creating a portal (if you plan to use an existing portal, this step is skipped);

2) creation and binding of SSID in EMS;

3) installing the ESR client, connecting the generic APs to it and initialising it in the object tree.

Portal

Open http://<ip address of portal>:8080/epadmin and click "Create a new virtual portal".

Fig. 6.3.1.

Afterwards configure:

  • "Virtual portal name" - r54;
  • "Domain" - r54.root.

Click "Save". The created portal is opened automatically.

Note that in the portal designer for the portal created above ("eltex"), the "Rates" tab contains a tariff "default", intended for working with Eltex APs (Fig. 6.3.2):

Fig. 6.3.2.

This tariff is not suitable for working with BRAS, but if a tariff of the "Work via BRAS" type is added as well, the portal can determine which type of authorisation the user needs and assign the appropriate tariff. If this portal will not be used to authorise Eltex AP clients, the AP tariff can be removed with "Delete".

Click the "Add" button (Fig. 6.3.3)

Fig. 6.3.3.

in the tariff selection window that opens, select the "internet" tariff configured earlier and click "Add". Note that it belongs to the "Work via BRAS" tariff group.

Click the "Save" button (Fig. 6.3.4):

Fig. 6.3.4.

This completes the portal configuration. This document assumes that demo mode is used for client authorisation. Details on configuring interaction with SMS gateways, call centres and e-mail servers can be found in the SoftWLC Notification GW section of the documentation for the current release.

EMS

Next, configure the SSIDs according to the chosen scheme for identifying generic APs: by VLAN or by option 82.

Configuring SSID for identification by vlan

Table 6.3.1 below shows the SSID identification scheme by VLAN, according to Fig. 1.2.1.

generic AP      SSID name    vlan
generic AP 1    SSID1        10
generic AP 1    SSID2        11
generic AP 2    SSID1        12
generic AP 2    SSID2        13
generic AP 3    SSID1        14
generic AP 4    SSID2        15

Table 6.3.1.

In EMS open the menu "Wireless" → "SSID Manager" and in the "SSID Base" tab click the "Add SSID" button; the SSID creation window opens (Fig. 6.3.5):

Fig. 6.3.5.

configure:

  • "TYPE" - Hotspot;
  • "Name" - SSID1;
  • "Domain" - r54.root;
  • "Bridge, Location" - data10; must correspond to the location configured on the ESR client bridge;
  • "VRF" - leave the default value 1, because the traffic of this SSID is terminated in the default VRF;
  • "vlan-ID" - 10,12,14 (list all VLANs of this SSID from Table 6.3.1);
  • "Virtual portal name" - r54; select the portal configured earlier.

Click "Accept".

Since the scheme to be configured assumes the presence of two SSIDs, configure the second SSID in the same way (Fig. 6.3.6):

Fig. 6.3.6.

This SSID is configured in the same way, with its own VLANs. Since it is terminated on an ESR bridge that works in a VRF, that VRF must be selected in the SSID settings: "VRF" - dpi.

Configuring SSID for identification by option 82

With generic AP identification by option 82, one VLAN is allocated per SSID and used on all generic APs. Table 6.3.2 below summarises the VLAN/SSID correspondence according to Fig. 1.2.2.

generic AP            SSID name    vlan
generic AP 1, 2, 3    SSID1        10
generic AP 1, 2, 3    SSID2        11

Table 6.3.2.

Open the menu "Wireless" → "SSID Manager" and in the "SSID Base" tab click the "Add SSID" button - the SSID creation window will open (Fig. 6.3.7):

Fig. 6.3.7.

configure:

  • "Type" - Hotspot;
  • "Name" - SSID1;
  • "Domain" - r54.root;
  • "Bridge, Location" - data10; must match the location configured on the ESR client bridge;
  • "Require Opt82" - enables a check that option 82 is present in the WiFi user's DHCP requests;
  • "vlan-ID" - 10 (the VLAN of this SSID from Table 6.3.2);
  • "Virtual portal name" - r54; select the portal configured earlier.

Click the "Accept" button.

In the same way configure the second SSID, Fig. 6.3.8:

Fig. 6.3.8.

This SSID is configured in the same way, with its own VLAN. Since it is terminated on an ESR bridge that works in a VRF, that VRF must be selected in the SSID settings: "VRF" - dpi.

Important!

If "Require Opt82" is enabled in the SSID settings, WiFi users whose DHCP requests do not contain option 82 are denied authorisation.

Create the Eltex domain inside the r54 domain (the name is an example; usually a separate domain is created for each customer).

Bind the SSIDs: select SSID1 and SSID2 created earlier and click the "Add SSID binding" button; in the window that opens (Fig. 6.3.9):

Fig. 6.3.9.

select "Key" - DOMAIN, select the node "EMS → r54 → Eltex" to which the SSIDs are to be bound, and click "Create Binding". The "Accept" button then becomes available; click it.

When the "Fix SSID bindings" question is displayed, click "No", as this applies only to Eltex APs, and close the SSID Manager.

Next, configure the initialisation rule for the ESR client. Open the menu "Wireless" → "AP initialisation rule manager" → "Rules" and click the "Add" button (Fig. 6.3.10):

Fig. 6.3.10.

Configure:

  • "Device Type" - select ESR-10 (you can select any necessary ESR type that is designed to work in ESR client mode);
  • "Rule Name" - any rule name, e.g. "esr-10-client";
  • "Rule Domain" - root;
  • "Firmware Download Protocol" - FTP;
  • "SNMP transport" -  "UDP";
  • "SNMP Community (read only)" - public11 (according to ESR client configuration settings);
  • "SNMP Community (read/write)" - private1 (according to ESR client configuration settings);
  • "ESR mode" - "Client";
  • "BRAS service" - leave empty.

After making the settings, click "Accept" button.

For another ESR type a new rule must be created with that ESR type selected.

An initialisation binding for the ESR client can be created manually, but most often the MAC address of the device is unknown before it is connected and becomes known only after it is powered on. Uninitialised devices appear in the "sandbox", the "AP Wi-Fi Initialisation" tab, which is available only when the root domain "EMS" is selected in the EMS object tree.

Connect the ESR client. After it receives and applies the configuration from the TFTP server (provided no initialisation binding exists for it yet), it appears on the "AP Wi-Fi Initialisation" tab (Fig. 6.3.11):

Fig. 6.3.11.

Select the required device (ESR-10), right-click it and choose "Add initialisation binding" in the menu that opens; a window opens (Fig. 6.3.12):

Fig. 6.3.12.

Configure:

  • "Key" - leave "MAC";
  • "Rule Name" - click the selection button and choose the previously created initialisation rule "esr-10-client";
  • "Rule Domain" - will be set automatically;
  • "Node Domain" - click the selection button and choose the node into which the device is to be initialised.

Fill in the geo-coordinates (not required if they are not configured in EMS).

Click "Accept".

Then select the ESR-10, right-click it and choose "Initialise" in the menu that opens (Fig. 6.3.13):

Fig. 6.3.13.

The initialisation task appears at the bottom of the EMS window in the "Tasks" section. After it completes, re-read the object tree using the button in the upper left of the EMS window; the initialised device then appears in the object tree (Fig. 6.3.14):

Fig. 6.3.14.

In the scheme with generic AP identification by VLAN this completes the SoftWLC configuration for working with BRAS. Next, connect to a previously configured VLAN and verify that there is a redirect to the portal, that authorisation in demo mode succeeds and that Internet access is available after authorisation. Troubleshooting of BRAS client connections is covered in BRAS. Troubleshooting Guide.

For correct operation of generic AP identification by option 82, the generic APs must also be initialised. The required settings are described below.

7. Settings for initialising generic APs when using identification using option 82

7.1. General description

Identification of the generic APs from which WiFi users connect requires them to be present in the system for SORM (lawful interception) to work correctly. Each generic AP is assigned a unique option 82 on the switch port to which it is connected.

Below, Fig. 7.1.1. shows the general scheme of interaction of the system components:

Fig. 7.1.1.

  1. As WiFi users connect through the BRAS, it sends accounting records to the PCRF containing the option 82 information.
  2. The PCRF processes and accumulates this information and periodically uploads it to EMS.
  3. EMS, depending on whether initialisation bindings exist for such APs, either initialises them and places them in the corresponding node, or accumulates them in the "sandbox", the "Third-party AP Initialisation" tab.

For this functionality to work correctly, "Require Opt82" must be enabled in the SSID settings, as shown in Figs. 6.3.7 and 6.3.8.

On the access switches to which generic APs are connected, insertion of option 82 must be enabled for the WiFi users' VLANs.

When option 82 is inserted, DHCP relaying of WiFi user requests must not be performed: relaying replaces the source IP and source MAC address of the WiFi user with the relay's values, which makes it impossible to parse such a request correctly (the BRAS identifies the user by the device MAC address).

If this option is absent from the user's DHCP requests, authorisation is denied and the message "SSID - access denied, requires option 82" is shown on the authorisation attempt (Fig. 7.1.2):

Fig. 7.1.2

7.2. Configuring PCRF

If PCRF does not run on the same host as EMS, the interaction for sending generic AP information must be configured. Open the PCRF configuration file /etc/eltex-pcrf/eltex-pcrf.json, find the "generic.ap.registrar" section and configure:

  "generic.ap.registrar": {
    "max_aps_in_queue": 30,
    "ap_register_interval_ms": 600000,
    "added_ap_cache_ttl_ms": 600000,
    "host": "localhost",
    "port": 8080,
    "worker_pool_size": 8
  }

Parameters:

  • "max_aps_in_queue" - the maximum number of new generic APs in the registration queue; once it is reached, the information is sent to EMS (default 30);
  • "ap_register_interval_ms" - the interval after which information about new generic APs is uploaded to EMS regardless of their number in the queue (ms, by default – 600000);
  • "added_ap_cache_ttl_ms" - time for storing information about generic APs, information about which was uploaded to EMS (ms, by default – 600000);
  • "host" - IP address of the host on which the EMS server is running;
  • "port" - port on which the EMS server is running;
  • "worker_pool_size" - number of worker threads used (default 8).

After changing the configuration file, restart PCRF with sudo systemctl restart eltex-pcrf. If a PCRF cluster is used, the configuration must be performed on each node.

7.3. Configuring generic AP initialisation

Enter "Wireless" → "AP Initialisation Rule Manager" → "Rules" and click "Add" button. In the opened window (Fig. 7.3.1) configure:

Fig. 7.3.1.

  • "Device Type" - select "Generic Ap";
  • "Rule Name" - any rule name, e.g. "GenericAP";
  • "Rule Domain" - set "root";
  • "Description" - this field is optional, you can add any description.

Click the "Accept" button.

The generic AP initialisation binding is always created with the "Domain" key, so this key type must be allowed in EMS. Open "Administration" → "Server Configuration" → "System Modules" → "WirelessCommon" (Fig. 7.3.2):

Fig. 7.3.2.

Check that the "Location" checkbox is enabled under "Initialisation binding keys". If it is not, enable it and click "Accept".

Next, you can create an initialisation binding from the "sandbox" - tab "Initialisation of third-party APs" (Fig. 7.3.3):

Fig. 7.3.3.

in the usual way: right-click the generic AP, create an initialisation binding and run the initialisation.

Alternatively, the initialisation binding can be created in advance, because the domain of a generic AP always coincides with the domain to which the ESR client was initialised. To do this, go to "AP Initialisation Rule Manager" → "Bindings" and click "Add". In the window that opens (Fig. 7.3.4) configure:

Fig. 7.3.4.

  • "Key" - the domain "eltex.r54.root";
  • "Rule Name" - choose "GenericAP";
  • "Rule Domain" - the domain of the initialisation rule will be automatically selected;

Also fill in the location, manually or with the "Fill location" button, and click the "Accept" button.

Then, as WiFi users connect via the various generic APs, those APs are initialised into the domain specified in the binding (Fig. 7.3.5).

Fig. 7.3.5.

7.4. Possible actions with generic AP

After initialising the generic AP, you can view its parameters on the "Access" tab (Fig. 7.4.1).

Fig. 7.4.1.

The "Generic Ap parameters" section displays the main parameters of an AP of this type; they cannot be edited:

  • "Cell" - unique identifier of the AP, derived from the option 82 value and l2location;
  • "NAS MAC" - NAS MAC of the ESR BRAS that carried traffic of WiFi users connected through this generic AP; there can be several (since two ESR BRAS, Alfa and Beta, can process the traffic);
  • "Hex" - the option 82 value.

The option 82 value in the "Hex" field can be shown in different formats, depending on the representation selected in the drop-down menu on the right:

  • the 1st sub-option is decoded to ASCII, the 2nd is left unchanged (default display);
  • the 1st and 2nd sub-options are shown in their original (hex) form;
  • the 1st sub-option is shown in original form, the 2nd is decoded to ASCII;
  • the 1st and 2nd sub-options are decoded to ASCII.

This makes it possible to see the option 82 value as text, which allows the name, port and VLAN of the switch to which the generic AP is connected to be determined. Note that the layout of option 82 is determined by the switch settings and may differ from one switch to another.
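The four display modes above correspond to decoding either, both or neither of the two RFC 3046 sub-options (1 = Agent Circuit ID, 2 = Agent Remote ID). The following Python parser is added here as an example and is not taken from EMS or Eltex: it splits a raw option 82 value into its sub-options, rejects truncated or duplicated sub-options, and renders the pair in each of the four modes. The sample option 82 value is constructed for the example (a text circuit-id naming port and VLAN, and a remote-id holding a switch MAC); real switches may use a different layout, as the text notes.

```python
"""Parse a DHCP option 82 (Relay Agent Information, RFC 3046) value and
render its sub-options the four ways the EMS "Hex" drop-down offers."""
from typing import Callable, Dict, Tuple

CIRCUIT_ID = 1   # RFC 3046 sub-option 1: Agent Circuit ID
REMOTE_ID = 2    # RFC 3046 sub-option 2: Agent Remote ID


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Split the option value into {sub-option code: payload}, rejecting
    truncated or duplicated sub-options rather than guessing."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError(f"truncated sub-option header at offset {i}")
        code, length = value[i], value[i + 1]
        i += 2
        if i + length > len(value):
            raise ValueError(f"sub-option {code} claims {length} bytes, "
                             f"only {len(value) - i} left")
        if code in subs:
            raise ValueError(f"duplicate sub-option {code}")
        subs[code] = value[i:i + length]
        i += length
    return subs


def is_valid_option82(value: bytes) -> bool:
    """True if the value parses cleanly; use before trusting switch data."""
    try:
        parse_option82(value)
        return True
    except ValueError:
        return False


def _hex(b: bytes) -> str:
    return b.hex()


def _ascii(b: bytes) -> str:
    # Printable ASCII is shown as text; anything else is escaped so that a
    # binary circuit-id cannot masquerade as a readable port name.
    return "".join(chr(c) if 0x20 <= c < 0x7F else f"\\x{c:02x}" for c in b)


# The four display modes from the text: which of the two sub-options are
# decoded to ASCII and which are left as raw hex.
MODES: Dict[str, Tuple[Callable[[bytes], str], Callable[[bytes], str]]] = {
    "sub1_ascii_sub2_hex": (_ascii, _hex),   # default display
    "both_hex": (_hex, _hex),
    "sub1_hex_sub2_ascii": (_hex, _ascii),
    "both_ascii": (_ascii, _ascii),
}


def render_option82(value: bytes, mode: str = "sub1_ascii_sub2_hex") -> Tuple[str, str]:
    """Return (circuit-id, remote-id) rendered according to *mode*."""
    subs = parse_option82(value)
    f1, f2 = MODES[mode]
    return f1(subs.get(CIRCUIT_ID, b"")), f2(subs.get(REMOTE_ID, b""))


# Constructed sample, not captured from a real switch: a text circuit-id
# naming switch port and VLAN, and a remote-id carrying the switch MAC.
SAMPLE_CIRCUIT = b"gi1/0/5:vlan10"
SAMPLE_REMOTE = bytes.fromhex("a8f94b0c1d2e")
SAMPLE_OPTION82 = (bytes([CIRCUIT_ID, len(SAMPLE_CIRCUIT)]) + SAMPLE_CIRCUIT
                   + bytes([REMOTE_ID, len(SAMPLE_REMOTE)]) + SAMPLE_REMOTE)

if __name__ == "__main__":
    for name in MODES:
        print(f"{name:22s}", render_option82(SAMPLE_OPTION82, name))
```

The default mode is the one that makes a text circuit-id readable while keeping a MAC-style remote-id as hex; if a switch encodes the circuit-id in binary (VLAN, module and port as integers), switch to both_hex and decode those fields according to that switch's documented layout.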

Details of which generic AP is connected to which switch port are provided by the customer; based on them the location can be edited and filled in.

A generic AP initialised by an option 82 initialisation rule cannot be moved, and it cannot be re-initialised.

Important!

The number of generic APs that can be registered in EMS is determined by the licence; to extend it, contact the Eltex sales department.

8. Summary

This document has described how to configure ESR BRAS in an L3 scheme for the two ways of identifying the generic APs from which WiFi users connect.
