FAQs for eduroam System Administrators and Implementation Techs - Part 2


This page lists the most frequently asked questions about eduroam in the UK. The table of contents summarises the questions asked; please scroll down to the relevant section for the answer. See part 1 if your question is not addressed here.

Last Updated 30/05/19

Contents

1) eduroam(UK) Support Server / ORPS-related Questions

  • What category of RADIUS client to use for a server acting as proxy to the NRPS but not from the NRPS (to act as gateway to a 3rd party associate organisation)?
  • IP address of ORPS displayed on Configuration page of eduroam(UK) Support server still shows old address some time after making the change in DNS.
  • How often is the sites information entered in the Support server uploaded to the eduroam locations map http://monitor.eduroam.org/gmap/country.php?country=uk?
  • Making a change to the IP address of an ORPS

2) eduroam(UK) Support Server Tests and Testing

  • Facility for stopping production traffic going to an ORPS during testing and routing only test traffic to ORPS under test
  • Support server EAP-TTLS(PAP) test use of null outer id causing errors to be logged
  • 'PEAP-MSCHAPv2 authentication failed: IPv4, RFC realm name' Detected Issue error message on Status Summary and ORPS config pages on Support server
  • Simulated visitor test fails but remote authentication test works/authentication for visitors fails but our users can roam ok
  • How can we test our implementation of CUI; does the simulated visitor test enable CUI to be tested?
  • Remote authentication test fails but simulated visitor test works
  • Why is the Support Server test system only testing access to one of our multiple ORPS?
  • Why are we getting errors logged every 5 minutes after having changed our eduroam(UK) configuration on the Support server
  • What does the error condition 'HTTP CRITICAL - pattern not found' mean in the Nagios LG monitor for our site?
  • Why do I get only "Re-sending Access-Request" when testing authentication via the support server?
  • I'm trying to test my ORPS, but I get Reply-Message = "Misconfigured client: unknown AC.UK site from janetroaming.net. Rejected by <eduroam UK>." when I run the PAP auth test

3) Upgrading FreeRADIUS from v 1.1.x to v2.0.x

  • Guidance on upgrading to FreeRADIUS 2.0.x

4) Visiting User Authentication Problems / Firewall configuration

  • Why do I get "re-sending Access-Request" when testing remote authentication?
  • Why do we appear to not be getting any response from the eduroam NRPSs when visitors try to authenticate?

5) Wired Networks

  • How do you configure a Cisco Catalyst switch to operate with 802.1X?

6) Wireless Networks

  • How many SSIDs should we implement?
  • Solving/mitigating the 'Overlapping eduroam Visitor service Problem' (aka the 'Russell Square' Problem)
  • Do we have to support eduroam on 2.4GHz?
  • Hints for Multi-floor Wi-Fi deployments
  • Must we broadcast eduroam SSID rather than having it as a hidden SSID?
  • Do we have to deploy a RADIUS server; can't we just peer our WLC with the NRPSs?
  • How do you configure a Cisco 1200 Series Wireless Access Point for eduroam SSID?
  • Can Cisco fat WAPs be used with multiple broadcast SSIDs and dynamic VLANs?
  • Conversion of 'fat' Cisco WAPs into 'thin' ones
  • WPA2 / WPA fallback for clients and APs - archived content

7) Roadmap for Implementing eduroam

  • Do you have a step by step process we can follow for implementing eduroam?

8) Supporting Users

  • What sort of support for the users do we need to provide?
  • How do I get access to the eduroam CAT (Configuration Assistance Tool) web site?

1) eduroam(UK) Support Server

What category of RADIUS client to use for a server acting as proxy to the NRPS but not from the NRPS (to act as gateway to a 3rd party associate organisation)?

Q. "We are setting up a new RADIUS server to act as a proxy for the eduroam installations (at halls of residence) we are implementing with third parties. Instead of the new RADIUS server acting as a normal ORPS and therefore routing all the student authentications from the accommodation blocks via the NRPS (subjecting them to the heavy load which should be handled internally), we want to configure the accommodation block management company (acting as a 'Visited site') to use a local proxy server belonging to us so that we can forward local users to our RADIUS auth servers and filter out any junk auth requests before sending legitimate requests to the NRPS.

So how can we register our new RADIUS server on the Support website?"

A. 'Client only' is the setting to use. This allows the NRPS to accept auth requests from that server, but no RADIUS packets will be sent to a server registered as 'client only'.

Making a change to the IP address of an ORPS

We are going to change the public IP address of our ORPS. Apart from changing our DNS settings is there anything we need to do in eduroam(UK) Support?

No. Just change the DNS entry. The eduroam(UK) Support server will pick up the new IP, and the NRPS will be reconfigured to use it when the configuration containing the new IP is pushed (on the hour).

IP address of ORPS displayed on Configuration page of eduroam(UK) Support server still shows old address some time after making the change in DNS.

Q. I changed the IP address of my ORPS server and updated DNS to reflect this yesterday, however the IP address displayed on the Configuration page on eduroam(UK) Support server still shows the old address, why is this?

A. This is due to the TTL of the DNS record being too large. For example, a TTL of 172800 seconds on the record means the old address can be cached for up to 48 hours.

How often is the sites information entered in the Support server uploaded to the eduroam locations map http://monitor.eduroam.org/gmap/country.php?country=uk?

"The new sites/changed information about the eduroam service we provide at the site has not appeared on the eduroam map yet"

The UK sites location map is generated by eduroam Europe from information held in the European eduroam database. Sites data for eduroam(UK) participants providing compliant operational services is added to the European eduroam database by an automated script which polls the UK Support server (and all other federation members) every 4 hours. The data is made available to Europe via an XML file derived from the UK sites database. Then twice a day, the eduroam maps are generated through the build of KML files. Therefore it may take a while for a new site or updated data to appear on the eduroam maps after it has been added to the eduroam(UK) Support server, but it should never be more than a day before you see the changes.

2) eduroam Support Test System and Testing

We want to peer an ORPS with the NRPS and carry out tests without it becoming part of the production infrastructure and being sent production traffic, can this be accomplished?

Yes - see ORPS role designation features on Janet Roaming Support Server. In fact in order to facilitate testing, we have configured NRPS realm handling such that only traffic with your realm name prefixed with 'test' will be sent to your test/development server (see document).

Are there any test systems available to verify our system works/help with problem investigation? Where would I find these tests and are there any instructions on their use?

Yes - see section 12 on: Test Facilities on eduroam Support Server

Using the remote authentication test facility on the eduroam Support web site for EAP-TTLS with PAP inner authentication results in errors in our FreeRADIUS log, due to the eduroam test using a null-value outer user name. Why is this and what's the solution?

The log error is due to the eduroam Support server using an outer user name consisting only of the realm part (i.e. '@realm', with an empty username) for the test. This conforms to the correct RFC format for an anonymous outer identity, in accordance with RFC 4282:

"Omitting the username part is RECOMMENDED over using a fixed username part, such as "anonymous", since it provides an unambiguous way to determine whether the username is intended to uniquely identify a single user."

The eduroam test used to use anonymous@realm; however, feedback from several organisations led us to adopt the correct RFC format.

An ORPS shouldn't act on the outer identity unless you really need to: this value is trivially set to whatever the client wants and therefore must not be used to authorise. The solution is to add a simple setting to sql.conf which removes the outer identity from logging etc. The inner ID should still be accounted and logged.
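As an added illustration of the two points above (the realm is what gets routed on, and only the inner identity is logged or authorised), the following is example code written for this FAQ; it is not code from the Support server, the NRPS or FreeRADIUS. The ORPS registry, the 'test.' realm-prefix rule for Test/Development servers and the 'client only' role are a simplified model of the behaviour this FAQ describes, and all hostnames and realms are constructed.

```python
"""RFC 4282 identities: what to route on, what to log.

Added example for this FAQ; it is not Support server, NRPS or FreeRADIUS
code.  The ORPS registry and the 'test.' realm-prefix rule are a
simplified model of the behaviour the FAQ describes.  All hostnames and
realms are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NAI:
    username: str  # "" for the RFC 4282 anonymous form "@realm"
    realm: str


def parse_nai(identity: str) -> NAI:
    """Split 'user@realm'.  '@realm' (empty username) is the recommended
    anonymous outer identity and must parse cleanly; an identity with no
    realm cannot be routed at all."""
    user, sep, realm = identity.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"no realm in identity {identity!r}")
    return NAI(username=user, realm=realm.lower())


def is_anonymous(nai: NAI) -> bool:
    # Both the empty username and the older fixed 'anonymous' count.
    return nai.username in ("", "anonymous")


# Constructed registry: ORPS hostname -> (realm it serves, Support server role).
# 'production' gets live traffic, 'test' only realms prefixed 'test.',
# 'client-only' may send to the NRPS but is never sent anything.
ORPS = {
    "orps1.camford.ac.uk": ("camford.ac.uk", "production"),
    "orps-dev.camford.ac.uk": ("camford.ac.uk", "test"),
    "halls-proxy.camford.ac.uk": ("camford.ac.uk", "client-only"),
}


def select_orps(nai: NAI) -> Optional[str]:
    """Pick the ORPS for a realm.  Only the realm is consulted; the
    username part of the outer identity is never trusted."""
    realm, wanted_role = nai.realm, "production"
    if realm.startswith("test."):
        realm, wanted_role = realm[len("test."):], "test"
    for host, (served_realm, role) in ORPS.items():
        if served_realm == realm and role == wanted_role:
            return host
    return None  # unknown realm: the request is rejected, not guessed at


def route(outer_identity: str) -> Optional[str]:
    """Routing decision for one outer identity, None meaning 'reject'."""
    try:
        return select_orps(parse_nai(outer_identity))
    except ValueError:
        return None


def accounting_identity(outer: str, inner: Optional[str]) -> str:
    """Name to log and authorise on once the tunnel is up: the inner
    (stripped) identity when there is one.  The outer username is
    client-chosen, so at most its realm is recorded."""
    if inner:
        return inner
    return "@" + parse_nai(outer).realm
```

Note that `route("alice@test.camford.ac.uk")` goes to the development server while `route("alice@camford.ac.uk")` goes to production, and that the 'client only' proxy is never selected; this is the behaviour that produces the "unknown AC.UK site" rejection described later on this page when a production realm is sent towards a server registered as Test/Development.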

We're seeing a 'warning' issue detected on the Support server: 'PEAP-MSCHAPv2 authentication failed: IPv4, RFC realm name'. What does this mean and how can we correct it? We have Microsoft NPS as our ORPS.

The Support server test system has detected that your ORPS is rejecting users with anonymous outer userIDs. (Anonymous outer IDs such as [blank]@camford.ac.uk are permitted under RFC 4282).

NPS sites: To fix this you should edit your NPS connection request policies (for both your own roaming users and for visiting users):

  • Enable "Override network policy authentication settings"
  • Add in "Microsoft:Protected EAP (PEAP)"
  • Untick the less secure authentication methods if any are enabled

Once you have applied these updates you can check that anonymous outer userIDs are being handled correctly by ticking the 'RFC' box and then running a 'roaming authentication test' via the Tests panel on your Troubleshoot page on the Support server.

The visitor simulation test is failing but the remote authentication test works for our site (indicating that shared secrets are fine). Why is this?

Our logs show 'remote server did not process authentication request'; packet sniffing shows that the ORPS keeps repeating the request and the eduroam test system repeats the challenge. Our firewall settings seem fine.

NRPS logs show 'incorrect login' authentication results, so the problem could be:

i) the wrong password is being used for the simulated visitor test; you must use the password you configured for the test user account on the eduroam Support server (not e.g. the password you use for login to your eduroam Support account)

ii) one of the shared secrets configured on your ORPS is incorrect - remember these are employed in both client and proxy areas of the ORPS configuration and are utilised independently; an error could mean that remote authentications are successful whilst visitor authentications fail.

Remote authentication tests from the eduroam Support web site fail but the simulated visitor test works. Why is this?

See above answer (ii)!

How can we test our implementation of CUI; does the simulated visitor test enable CUI to be tested?

The simulated visitor test supports the Chargeable User Identity (CUI) attribute: if your ORPS sends Operator-Name together with a CUI attribute containing a single NUL octet in the Access-Request (the RFC 4372 way of requesting a CUI), the Support server will return a CUI for that user in the Access-Accept.

The NRPS are only testing one of our ORPSs using the test account configured on the Support server, why is this?

eduroam has set up a system to monitor the RADIUS request handling status of Home organisations, i.e. that an ORPS is operational. This is done using the test user account that participating organisations set up on the eduroam Support server.

In your RADIUS logs you are seeing a single NRPS using the eduroam Support test account to check the service status on just one of your ORPS. The reason for this is that the RADIUS check is launched from the Support site and goes via the NRPS. So an NRPS that can handle the request will only pass it through to the first working ORPS at your site. This validates that your site is currently able to handle eduroam RADIUS requests but does not check that ALL of your ORPS are alive.

The servers can be checked for network connectivity by PING but the only way to check RADIUS would be to allow a direct Support Server to ORPS RADIUS link. This is deemed unacceptable and would invalidate the eduroam check - as we really need to monitor how the NRPS see the ORPS. Monitoring of the status of the ORPS system (be they load balanced, failover or round-robin constructed) is down to the individual organisations.

Having just made changes to our config on the eduroam Support web site, errors are being recorded in our logs every five minutes - why?

Any changes to the test username/password and realm made on the eduroam Support web site are instantly put into the eduroam database. The on-demand tests on your test page on the eduroam web site are therefore instantly accessible.

There is however a background service availability monitor test, powered by NAGIOS, that is run from the eduroam Support server via one of the NRPS (usually roaming1). This runs a test authentication using the test account you have created in your user database and configured on the eduroam Support site. The NAGIOS probe configuration is NOT updated/generated instantly, so there may be a short period when test probe authentications fail and errors are logged on your ORPS. Once any configuration changes have filtered through to the NAGIOS system, the test will run successfully and the log error entries will cease.

What does the error condition 'HTTP CRITICAL - pattern not found' mean in the Nagios LG monitor for our site?

The web page for your eduroam service information (the URL you have registered in the Support server system) doesn't have a link to http://www.eduroam.org as is required in the eduroam(UK) Technical Specification. It is important for a number of reasons that users at all organisations participating in the federated eduroam service throughout Europe can easily find the parent eduroam confederation web site. It is a way of publicly asserting that your organisation is a member of the eduroam federation and subscribes to the federation policies. NB: you are also required to display the eduroam logo on your service information web page.

Why do I get only "Re-sending Access-Request" when testing authentication via the support server?

Ensure that your firewall is configured to permit UDP ports 1812, 1813 and 1814. RADIUS does not use TCP!

You should also check that your firewall is not discarding UDP fragments. If it is then the configuration should be changed to allow UDP fragments to pass. [Specifically for ipf firewall users, (to be found on Solaris systems) the config script can be changed to PASS fragments using the keep frag keyword].

Rationale - with certain EAP communications, eg EAP-TLS, the RADIUS packet sizes can get much bigger than the usual MTU of 1500. This means that the RADIUS packets get fragmented in transit. Many firewalls are configured to drop UDP fragments (as security against DoS attacks), however this will, of course, break such RADIUS communications. If your firewall is doing such dropping then it will need to be configured to ALLOW such traffic from NRPS<->ORPS. This will affect more sites as people migrate to full 802.1X implementations and use eg EAP-TLS or other EAP methods which use larger packets.
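The two failure modes above (a mismatched shared secret, and EAP packets too large for the MTU) can be made concrete with a small packet-level demonstration. The following is an added example written for this FAQ, not NRPS, ORPS or FreeRADIUS code; it builds RFC 2865 packets with the Python standard library only. The shared secret, realm and the 3000-byte EAP payload standing in for an EAP-TLS certificate chain are constructed for the demo, and the Message-Authenticator check assumes that attribute is placed last, as the example's own builder does.

```python
"""RADIUS shared-secret checks and packet-size estimation (RFC 2865/3579).

Added example for this FAQ, not NRPS, ORPS or FreeRADIUS code.  Standard
library only.  Secret, realm and EAP payload are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
MAX_ATTR_VALUE = 253      # the one-octet attribute length also counts the 2-byte header
IP_UDP_OVERHEAD = 20 + 8  # IPv4 + UDP headers added on the wire


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long; split it first")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_message_attrs(eap: bytes) -> List[bytes]:
    """EAP payloads longer than 253 bytes are carried in consecutive
    EAP-Message attributes; an EAP-TLS certificate chain produces many."""
    return [attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
            for i in range(0, len(eap), MAX_ATTR_VALUE)]


def build_packet(code: int, ident: int, authenticator: bytes, attrs: List[bytes]) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(ident: int, attrs: List[bytes], secret: bytes) -> Tuple[bytes, bytes]:
    """Access-Request with a random Request Authenticator and a
    Message-Authenticator (mandatory alongside EAP-Message): HMAC-MD5 keyed
    with the shared secret over the packet with that attribute zeroed."""
    req_auth = os.urandom(16)
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = build_packet(ACCESS_REQUEST, ident, req_auth, attrs + [placeholder])
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac, req_auth


def request_is_authentic(pkt: bytes, secret: bytes) -> bool:
    """Server-side Message-Authenticator check (attribute assumed last, as
    access_request() places it).  A mismatch means the secrets differ and
    RFC 2865 says the packet is silently dropped: no reply at all."""
    expected = hmac.new(secret, pkt[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[-16:])


def response_authenticator(code: int, ident: int, length: int, req_auth: bytes,
                           body: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + body + secret).digest()


def access_accept(ident: int, req_auth: bytes, attrs: List[bytes], secret: bytes) -> bytes:
    body = b"".join(attrs)
    length = 20 + len(body)
    auth = response_authenticator(ACCESS_ACCEPT, ident, length, req_auth, body, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + auth + body


def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a reply.  With a mistyped secret on either side
    this fails, the reply is discarded and the client retransmits: the
    'Re-sending Access-Request' symptom."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, length, req_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


def wire_size(pkt: bytes) -> int:
    return IP_UDP_OVERHEAD + len(pkt)


def needs_fragmentation(pkt: bytes, mtu: int = 1500) -> bool:
    """True when the datagram exceeds the MTU and will be fragmented in
    transit, which a firewall that drops UDP fragments then breaks."""
    return wire_size(pkt) > mtu


def demo() -> Dict[str, object]:
    secret = b"constructed-shared-secret"
    req, req_auth = access_request(7, [attr(ATTR_USER_NAME, b"@camford.ac.uk")], secret)
    accept = access_accept(7, req_auth, [], secret)
    # Constructed 3000-byte EAP-TLS fragment (server certificate chain) in an Access-Challenge.
    challenge = build_packet(ACCESS_CHALLENGE, 8, os.urandom(16), eap_message_attrs(bytes(3000)))
    return {
        "request_ok": request_is_authentic(req, secret),
        "request_bad_secret": request_is_authentic(req, b"mistyped"),
        "reply_ok": reply_is_authentic(accept, req_auth, secret),
        "reply_bad_secret": reply_is_authentic(accept, req_auth, b"mistyped"),
        "small_request_fragments": needs_fragmentation(req),
        "challenge_wire_bytes": wire_size(challenge),
        "challenge_fragments": needs_fragmentation(challenge),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the small PAP-style request fitting comfortably in one datagram while the 3000-byte EAP payload becomes twelve EAP-Message attributes and a 3072-byte datagram, well over a 1500-byte MTU. It also shows that a wrong secret does not produce an error packet but a silently failed check, which is why the symptom is retransmission rather than a rejection.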

I'm trying to test my ORPS, but I get Reply-Message = "Misconfigured client: unknown AC.UK site from janetroaming.net. Rejected by <eduroam UK>." when I run the PAP auth test

If you have configured your ORPS correctly on the Support server config page, the above error is returned because you have set your ORPS as 'Test/Development'. This prevents the NRPS from sending any auth traffic, including test traffic, to your realm (only traffic with the 'test.' realm prefix will be sent). Refer to ORPS role designation features on JANET Roaming Support Server.

3) Upgrading FreeRADIUS from v 1.1.x to v2.0.x

Do you have any guidance for upgrading our system to FreeRADIUS v 2.0.x?

Whilst the upgrade to FreeRADIUS 2.0.x may at first seem daunting due to the change of structure and the new features, it is actually a very short task to migrate a live 1.1.x system across to 2.0.x.

FreeRADIUS 2.0.x is a great improvement over 1.1.x and it is well worth making the effort to upgrade. 2.0.4 and upwards featured an 'inner-tunnel' method which means that eg EAP only hits your LDAP or SQL once...not the 3 or 4 times experienced previously. The current release is now 2.0.5 which has a lot of stats available via a simple query to the server and there will be new features going into 2.0.6 that will make it even more desirable, not least of which will be working SNMP and highly configurable logging capabilities.

Recommended approach to upgrading:

1) Examine the 1.x config to see what you have configured

2) Take the vanilla 2.0.x configuration and then edit it to add in the bits you did in 1.x; this should involve just the following:

a) edit sites-enabled/DEFAULT to match your authen/author/account sections from the old radiusd.conf

b) edit clients.conf and proxy.conf - exactly like 1.x initially

c) check out the other sites-available/* file to see what new functionality you want and then enable those modules (eg inner-tunnel) by copying or softlinking them like the DEFAULT file entry (rename DEFAULT to 'university_of_foo' or whatever if you want)
- if you want to enable inner-tunnel, then edit eap.conf to use the inner-tunnel virtual server (highly recommended!)

d) after some local rad_check stuff, use the eduroam support server to ensure remote and home access is working.

We would then recommend setting up a proper proxy eduroam pool using the unlang (contact us for more advice etc on this aspect..some of it is covered on the support site FAQ)

4) Firewall Configuration

Why do I get only "Re-sending Access-Request" when testing authentication?

Ensure that your firewall is configured to permit UDP ports 1812 and 1813. RADIUS does not use TCP!

You should also check that your firewall is not discarding UDP fragments. If it is then the configuration should be changed to allow UDP fragments to pass. [Specifically for ipf firewall users, (to be found on Solaris systems) the config script can be changed to PASS fragments using the keep frag keyword].

Rationale - with certain EAP communications, eg EAP-TLS, the RADIUS packet sizes can get much bigger than the usual MTU of 1500. This means that the RADIUS packets get fragmented in transit. Many firewalls are configured to drop UDP fragments (as security against DoS attacks), however this will, of course, break such RADIUS communications. If your firewall is doing such dropping then it will need to be configured to ALLOW such traffic from NRPS<->ORPS. This will affect more sites as people migrate to full 802.1X implementations and use eg EAP-TLS or other EAP methods which use larger packets.

Why do we appear to not be getting any response from the eduroam NRPSs when visitors try to authenticate? Authentication requests are being sent from our ORPS but we get no response from the NRPSs. We have also tried authenticating with our eduroam test id ([our realm]@eduroam.ac.uk and [our_realm]@roaming.ja.net) and again get no response. This looks like a routing issue.

Troubleshooting - from the eduroam Support site tests:

a) the ping test shows that routing from the NRPS to your ORPS works and your ORPS responds

b) remote authentication tests (PAP and the relevant EAP test) result in success, so your essential authentication system is correctly set up

c) since the problem is with outgoing authentication, this points towards a firewall configuration problem.

Problem resolution - whilst the firewall had been configured to allow incoming UDP 1812/13 from the NRPS to the ORPS and the subsequent responses (i.e. outside authentication worked), there was no rule permitting outgoing UDP to the NRPSs originating from the ORPS.

5) Wired Networks

How do you configure a Cisco Catalyst switch to operate with 802.1X?

Information on Cisco configuration can be found within the technical paper:

Configuring 802.1X Port-Based Authentication

6) Wireless Networks

How many SSIDs should we implement?

The answer to this is entirely dependent on your needs and policy.

Obviously you'll need the eduroam SSID. By using dynamic VLAN assignment the one SSID can handle many groups of users and devices (e.g. staff, students, eduroam guests, other, 'machines'). This may meet the majority of your requirements.

Then you will probably want a setup/provisioning/remedial SSID (e.g. open, captive portal, access to installer utilities/CA certificate, OS patches)

In addition you may want an SSID for a non-eduroam guest service (e.g. for public access and either with a separate ISP feed or a tunnelled link through Janet to the contracted WISP service provider). But consider if eduroam Visitor Access could reduce the scale or need for expensive public access services.

If you have residences you may want an SSID for non-802.1X devices (e.g. multimedia devices, gaming, TV etc.).

The SSID overhead calculator at http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html is useful for determining how many SSIDs you can handle. The old rule of thumb of no more than 4 SSIDs is based on broadcasting beacons at the old 802.11b 1Mbps rate. If you raise your minimum speed you can handle far more SSIDs, with the trade-off of losing client connectivity at the margins. It could be argued that provision of a responsive service over a more limited footprint (or one requiring a greater density of APs) is preferable to providing a poor data rate service that could lead to user dissatisfaction.

And you may need several SSIDs for WPA2-PSK services for specific purposes in specific limited locations. But consider implementing a single 'things' PSK wireless network.
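To show why the '4 SSIDs' rule of thumb is really a statement about the lowest basic rate, here is an added example written for this FAQ. It is not the calculator linked above, just a simplified model of the same trade-off: every SSID (BSSID) on a radio beacons independently, each beacon is sent at the lowest basic rate, and the fraction of airtime those beacons consume grows linearly with the SSID count. The beacon frame size (300 bytes), PHY preamble durations (192 µs for 802.11b long preamble, 20 µs for OFDM) and the 102.4 ms beacon interval are assumed typical values, not measurements from any vendor's equipment, and the OFDM timing ignores symbol padding.

```python
"""Beacon airtime as a function of SSID count and lowest basic rate.

Added example for this FAQ; a simplified model, not the linked calculator.
Frame size, preamble durations and beacon interval are assumed typical
values rather than measured ones.
"""

BEACON_INTERVAL_MS = 102.4   # 100 time units; assumed default
BEACON_FRAME_BYTES = 300     # assumed typical beacon with its information elements

# PHY preamble/header overhead per frame in microseconds (assumed):
# 802.11b long preamble 192 us, 802.11a/g OFDM 20 us.
PREAMBLE_US = {"dsss": 192.0, "ofdm": 20.0}


def beacon_airtime_us(rate_mbps: float, phy: str, frame_bytes: int = BEACON_FRAME_BYTES) -> float:
    """Channel time one beacon occupies when sent at the given basic rate."""
    return PREAMBLE_US[phy] + frame_bytes * 8 / rate_mbps


def overhead_percent(n_ssids: int, rate_mbps: float, phy: str) -> float:
    """Percentage of airtime spent on beacons for n SSIDs on one radio.
    Each BSSID beacons on its own schedule, so the cost is linear in n."""
    beacons_per_sec = 1000.0 / BEACON_INTERVAL_MS
    busy_us_per_sec = n_ssids * beacon_airtime_us(rate_mbps, phy) * beacons_per_sec
    return busy_us_per_sec / 1e6 * 100


def max_ssids_within(budget_percent: float, rate_mbps: float, phy: str) -> int:
    """Largest SSID count whose beacon overhead stays within the budget."""
    n = 0
    while overhead_percent(n + 1, rate_mbps, phy) <= budget_percent:
        n += 1
    return n


if __name__ == "__main__":
    for n, rate, phy in [(4, 1.0, "dsss"), (4, 6.0, "ofdm"), (8, 6.0, "ofdm")]:
        print(f"{n} SSIDs at {rate} Mbps ({phy}): {overhead_percent(n, rate, phy):.2f}% airtime")
    print("SSIDs within a 10% budget at 1 Mbps:", max_ssids_within(10.0, 1.0, "dsss"))
    print("SSIDs within a 10% budget at 6 Mbps:", max_ssids_within(10.0, 6.0, "ofdm"))
```

With these assumptions four SSIDs beaconing at 1 Mbps cost about 10% of the channel, which is where the old rule comes from, whereas eight SSIDs at a 6 Mbps minimum basic rate cost around 3.3%. The model also makes the trade-off the paragraph describes visible: raising the basic rate shrinks the cell for the same transmit power, so the extra SSIDs are paid for in coverage at the edge.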

How can we solve the overlapping eduroam service ('the Russell Square') problem? We would like to set up eduroam Wi-Fi but in a number of our buildings we get eduroam Wi-Fi from a neighbouring organisation. Some of our buildings are very close and the overlapping signal is very strong. We've been advised by our Wi-Fi supplier that any overlap would cause roaming issues for users. What are the possible solutions?

There are several solutions, however at the current time the best one is a technical method after political agreement (see below)

Technical method 1: use 802.11u (aka Hotspot 2.0/ HS20/passpoint) to identify the APs as being 'eduroam' but also belonging to your organisation. Compatible clients can then be configured to prefer the eduroam provided by your organisation. This is the ideal solution, however current client support is lacking (and when it is present it is fairly poor)

Technical method 2: conduct wireless surveys and liaise with your neighbouring organisation to ensure that wireless overlap is minimal, eg. turn down the power of APs near the 'border zone' so that the correct APs are chosen by client devices when in the buildings in the overlap zone. This solution is complex and sometimes not possible due to wireless coverage patterns and the coverage areas required from those bordering APs. It may also incur additional cost due to the possible need to deploy additional APs to cover new dead spots and to reposition APs.

Technical method 3 - don't provide the eduroam SSID where this service is provided through overlap from your neighbour; simply make use of their eduroam wireless service in those areas. This obviously means that if you implement a single (eduroam) SSID network service with dynamic VLAN allocation for your own users, this will not be available at such locations, so you'll have a non-homogeneous/mixed service for your own users. Offsite (e.g. internet) resources will be accessible, but resources only available on a local user VLAN will be more difficult to access, although access could possibly be gained through a VPN. Visitors won't be affected, other than being unaware that the eduroam service they are using is actually provided by your neighbour (potentially leading to support issues).

Political method - share layer 2 VLANs between the two sites. You could feed your staff/student/visitor networks into each other's wireless domains and have a RADIUS policy stating that if the realm is that of your roaming L2 partner then agreed VLANs may be returned via their remote RADIUS server. For this to be viable you will need to have the transit mechanism, i.e. be neighbouring sites connected to the same NREN kit, or have a direct link to your neighbour. This solution is the most satisfactory method for achieving inter-organisation roaming and ensures that when staff/student/visitor client devices roam to the other location, they are still able to authenticate and drop onto the network as if they were on an AP in your own building.

This solution requires good, strong technical knowledge and the ability to share layer 2 networks between organisations (eg feed an 802.1Q trunk between sites). It needs to be done bilaterally (and can become very complicated when more than two organisations are involved) and with strict agreements/protection that you won't drop any other people onto such VLANS provided by you.

This is the preferred solution until hotspot2.0/802.11u becomes ubiquitous and method 1 becomes practicable (your wireless vendor's kit will need to support it and allow configuration of such beacon attributes).

Do we have to support eduroam on 2.4GHz?

No, you do not have to support 2.4GHz eduroam. Indeed a 5GHz service could perform better in many situations. Have a look at the 'Optimise your WLANs for Phones and Tablets' presentation (scroll to near the bottom of the page): https://www.jisc.ac.uk/events/wireless-mobility-event-27-feb-2019

Do you have any advice on Wi-Fi deployment for multi-floor buildings?

To improve handling of a multi-floor situation, consider rotating the antennas 90 degrees so they provide a smaller horizontal footprint but penetrate multiple floors more effectively, and then stagger APs between floors (if you want a single eduroam instance to span the entire building). Alternatively, you can dial down the power (or choose a cutting-edge standard like 802.11ax that has less range) so that APs don't penetrate between floors at all. This would even facilitate separate eduroam instances on different floors to support different departments, for which you might, for instance, want to implement different filtering policies for staff, your own FE students and HE students.

Hint: Dialling down the power of APs is as important as dialling up the power to ensure coverage. You would dial down the power to a) match the power *from* laptops/phones, since it is essential that the AP can receive signals from devices and not simply shout at them, and b) ensure a clear transition boundary between the coverage cells of adjacent APs, to help devices associate with specific APs without having to continually re-scan, which is time consuming for the device.

This presentation contains further hints and tips and is well worth a read: Optimise your WLANs for smartphones and tablets

Is it essential for an institution to broadcast the eduroam SSID, as opposed to having it hidden? And would failure to broadcast eduroam mean an institution couldn't join eduroam?

Yes to both questions. Broadcasting the eduroam SSID is required by eduroam confederation policy and is an eduroam technical requirement. This is because, firstly, it is a way of advertising the presence of the service. Secondly, the native WinXP SP2 supplicant cannot do 802.1X against a hidden SSID (see below).

Do we have to deploy a RADIUS server; can't we just peer our WLC with the NRPSs?

Draft: Whilst it is technically possible to configure WLCs as clients of remote RADIUS servers, and you could make the IP address of a port on your WLC publicly visible and set the WLC as your 'ORPS' in the eduroam(UK) Support server portal, this is strongly deprecated. The deployment model on which eduroam is based is that of a RADIUS server peered to the NRPSs, with the member organisation's APs/WLCs providing the Wi-Fi service and pointing to that RADIUS server for authentication.

How do you configure a Cisco 1200 Series Wireless Access Point for eduroam SSID?

Details of the precise (largely web-based) steps used to configure the eduroam SSID on a Cisco® 1200 series WAP can be found in Appendix 2 of the case study Complying with the Janet eduroam Service Technical Specification.

Can Cisco fat WAPs be used with multiple broadcast SSIDs and dynamic VLANs?

There is a known problem with Cisco 'fat' WAPs with regard to multiple BSSIDs and dynamic VLAN assignment (RADIUS-assigned VLANs) which unfortunately affects a lot of institutions. The problem was that Cisco 'fat' IOS driven APs until recently only supported a single primary (guest) SSID broadcast in the beacons (the BSSID). Furthermore, it was not possible to achieve assignment of VLANs via RADIUS. This limitation does not apply to Cisco's 'thin' architecture, so the problem could hitherto only be circumvented by adopting this technology.

This issue only affected the autonomous Cisco APs. There never was any difficulty with lightweight APs (including upgraded autonomous ones) in supporting RADIUS-assigned VLANs and multiple broadcast SSIDs. (Certainly 1131 and 1232 APs in non-autonomous LWAPP thin client mode with WiSM controllers have always worked fine).

With release 12.3.8-JEC(GD) of the Cisco IOS firmware, this issue has been resolved - certainly multiple BSSIDs with RADIUS assigned VLANs have been successfully setup with AP1231 and other 1200 series access points.

Although the issue has been resolved in the IOS, you may find that some AP radios do not support multiple BSSIDs. To find out if a particular radio will support multiple BSSIDs:

Run a 'show controllers' radio_interface command to check how many BSSIDs an AP will support. Look for the line which states - "Number of supported simultaneous BSSID on Dot11Radio0: 8", or something similar.

To set up multiple BSSIDs on the AP you can log into the web interface and select Security > SSID Manager. The page displayed will show the current VLANs configured and indicate which are being broadcast.

Alternatively from the IOS command line, enter SSID configuration interface and use the command mbssid. You'll also have to use mbssid from the configuration terminal interface to enable multiple basic SSIDs on an access point radio interface. This command was introduced in IOS release 12.3(4)JA.

See: Cisco IOS mbssid command

[NB. The validity of following advice with regard to latest release of IOS is unknown - it certainly applied to pre-12.3.8 releases]. The Cisco WAP beacon can by default advertise only one broadcast SSID, nevertheless it is possible to alert client devices of additional SSIDs although this did not remove the limitation that RADIUS-assignment of VLAN was not possible. You can achieve client alerting of multiple SSIDs as follows; use the SSID list information elements (SSIDL IEs) in the access point beacon to alert client devices of additional SSIDs on the access point. When you designate an SSID to be included in an SSIDL IE, client devices detect that the SSID is available, and they also detect the security settings required to associate using that SSID.

See: Cisco AP Configuration Guide - Configuring Multiple SSIDs.

The AP configuration needs to use the command: information-element ssidl [advertisement] [wps] (wps = Microsoft Wireless Provisioning Services) in the radio interface configuration / specific SSID configuration section.

For WinXP users the following download must be installed. This update enhances Windows XP support for Wi-Fi Protected Access 2 (WPA2) options in Wireless Group Policy (WGP), and helps prevent the Windows wireless client from advertising the wireless networks in its preferred networks list.

WinXP Update:

With this update installed, the 'hidden' SSIDs become visible in a Cisco 'fat' AP environment; the additional SSIDs use the extension made available through 802.11i.
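Putting the commands above together, the following is an added example (not configuration from the original page or from Cisco's documentation) of an autonomous-mode AP that enables MBSSID, beacons an eduroam SSID and a staff SSID as separate BSSIDs, maps each to its own VLAN and authenticates via 802.1X/EAP against an ORPS. The VLAN numbers (10 for eduroam, 20 for staff), the RADIUS server address 192.0.2.10, the method-list and server-group names and the shared-secret placeholder are all assumptions for illustration.

```cisco
! Added example - VLANs, addresses and names are assumed; adjust to your site.
! Check first that the radio supports multiple BSSIDs:
!   show controllers dot11radio 0   -> "Number of supported simultaneous BSSID on Dot11Radio0: 8"
!
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
! 192.0.2.10 is a documentation address standing in for your ORPS
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! SSIDs are defined globally in 12.3(4)JA and later. "mbssid guest-mode" gives the
! SSID its own beacon (own BSSID) rather than listing it in another SSID's SSIDL IE.
dot11 ssid eduroam
   vlan 10
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   mbssid guest-mode
!
dot11 ssid staff
   vlan 20
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   mbssid guest-mode
! On a radio that cannot do MBSSID, replace "mbssid guest-mode" above with
! "information-element ssidl advertisement" to announce this SSID via an SSIDL IE instead.
!
interface Dot11Radio0
 no ip address
! WPA key management requires a cipher per VLAN: AES-CCMP for WPA2 clients, TKIP for WPA-only clients
 encryption vlan 10 mode ciphers aes-ccm tkip
 encryption vlan 20 mode ciphers aes-ccm tkip
 ssid eduroam
 ssid staff
! enable multiple basic SSIDs on this radio
 mbssid
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
```

After applying this, 'show dot11 bssid' on the AP lists the BSSID allocated to each SSID, and a client-side scan should show both networks as separate entries; if the radio reports fewer supported BSSIDs than SSIDs configured with mbssid guest-mode, the surplus SSIDs will not be beaconed.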

Can you expand on what is necessary to convert 'fat' Cisco WAPs into 'thin' ones? (Is it just an IOS upgrade and does it cost anything? What device(s) do you use to control them? Do you lose any functionality in converting to thin?)

Changing to thin is a straightforward job. Either use the IOS command line (archive download-sw tftp://.........), the Windows-based upgrade tool or a WLSE (Wireless LAN Solution Engine). The upgrade tool and software image can be downloaded free from Cisco; the tool pushes the image to the APs you specify, which converts them to lightweight mode. They then get their configuration from the controller rather than storing it locally.

To control these thin APs you need a central controller, which incurs a cost. In lightweight mode all the clever stuff (authentication, key management, channel and power management) is done by the central controller. This could be the Wireless Services Module (WiSM) for the Cisco Catalyst 6500 switch (controls up to 300 APs), a standalone Wireless LAN Controller (WLC) appliance, or the Catalyst 3750G Integrated Wireless LAN Controller (25 or 50 APs depending on the model). Note that the Wireless Control System (WCS) is management software that co-ordinates controllers; it is not a controller itself. There's a fair amount of configuration to do so that the controller knows about your VLANs, SSIDs, RADIUS servers etc.

You gain a great deal of functionality and management facilities, such as reporting, accounting, configuring WLANs, mobility etc. You manage the APs via a web interface on either the controller or a PC running Cisco's WCS software, which co-ordinates multiple controllers and does RF planning etc. Adding a new access point is a straightforward task of connecting it to a switch and then using the software to put the switch port in the right VLAN.

Summary:

  • WAPs must run IOS 12.3(7)JA or higher
  • The thin (lightweight) IOS image must then be loaded via the Windows upgrade tool (available on the Cisco web site) or via the CLI
  • The WAPs must be 1240AG/1130AG/1200 series [1210, 1220, 1230, 1235]
  • (1200 series radios must be one of the following models only: MP21G/MP31G/RM21A/RM22A)
  • A wireless LAN controller of some description is necessary [WiSM for Catalyst 6500 (needs a free slot), a standalone WLC appliance or the Catalyst 3750G IWLC]; WCS is management software for the controllers, not a controller itself
  • Catalyst 6500 requirements: a free slot for the WiSM, a Supervisor Engine 720 (WS-SUP720), and the higher-rated PSU that a SUP720 needs
  • For large deployments of three or more WiSMs, a WCS is recommended

There is a guide to the process on the Cisco web site: Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode

To get the upgrade tool and Cisco IOS release:

  • Browse to the wireless downloads page: http://www.cisco.com/en/US/products/hw/wireless/index.html
  • Click Access Points.
  • Click the type of access point that you want to upgrade. When you click the access point type, the access point folder expands.
  • Click the access point that you want to upgrade in the expanded list. The Select a Software Type list appears.
  • For the upgrade tool, click the Autonomous to Lightweight Mode Upgrade Tool link.
  • For the software image, click the Autonomous to Lightweight Mode Upgrade Image link.

Will a client configured for WPA2 fall back to WPA in a WPA-only environment? (See the Archive Questions below.)

Solving/mitigating the Overlapping eduroam Visitor Service Problem (the 'Russell Square' Problem)

The overlapping eduroam service scenario is a well-known issue in eduroam. In the UK the way to address it is for organisations sharing the same locale to talk to each other and co-operate to minimise the overlapping Wi-Fi zones. This can be achieved by careful positioning of APs, reducing radio power and using directional rather than omnidirectional antennae.

Other solutions require even closer co-operation and involve partial integration of networks (for instance the bigger organisation could provide Wi-Fi service across both campuses, providing an eduroam Visited service for both, and establish local RADIUS peering with the co-located organisation).

Archive Questions:

Will an AP configured for WPA2 fall back to WPA if a WPA-only client tries to associate?

The native Windows XP supplicant requires the user to make an explicit choice between WPA and WPA2 when configuring a profile. If a user with a device configured for WPA2 visits a site where the guest WLAN has been configured to use WPA, will they be denied service, or does the client fall back to WPA? Similarly, if the guest WLAN has been configured for WPA2 and a visitor arrives with a device configured for WPA, will the APs fall back to support WPA or will the user experience problems?

It will probably be the case that a client set up to use WPA2 will not work at a WPA-only location; this depends on the supplicant and its configuration. Generally a client needs the specific cipher and key-management methods configured to match what the AP advertises. Likewise a client configured for WPA only will not work at a WPA2-only location.

Some clients can handle both WPA and WPA2 versions of the same SSID... and some clients (eg Vista) can even have different profiles pointing to the same SSID. See Workstation/Laptop Setup above.

However, since the vast majority of clients only support WPA at present, we advise that JRS3 WPA2 sites should still provide WPA connectivity and JRS2 sites must provide WPA (and they may also provide WPA2). This advice will stand until we see a wholesale migration to WPA2 (which is expected in a few years time).

Our Cisco 1200 autonomous-mode APs have been configured using the 'cipher' option of 'AES CCMP + TKIP'. Does this mean that our WLAN is effectively supporting both?

Yes, it should support both. You can confirm this with a wireless card or probe that reports the ciphers it detects in the beacon, e.g. the 'airport' utility in Mac OS X, or on the AP itself with 'show dot11 associations', which lists the key management type and cipher negotiated by each associated client.

We recommend that the cipher mix is kept to the standard pairings, i.e. WPA/TKIP and WPA2/AES. Whilst WPA/AES exists it is very exotic, and WPA2/TKIP is just wrong.

Another reason to implement WPA2/AES (alongside WPA/TKIP) is that only with AES can true 802.11n speeds be obtained (apart from in an open, unencrypted Wi-Fi scenario), so anyone looking at 802.11n kit needs to keep this in mind.
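As an added example (not configuration from the original page or from Cisco), the cipher settings on an autonomous Cisco AP that give the recommended WPA/TKIP plus WPA2/AES mix, shown beside the two single-cipher settings and what each one turns away. VLAN 10, the SSID name eduroam and the method-list name eap_methods are assumed.

```cisco
! Added example - VLAN 10, SSID and method-list names are assumed.
!
! Recommended: both ciphers on the eduroam VLAN, so a WPA2 client negotiates
! AES-CCMP and a WPA-only client negotiates TKIP against the same SSID.
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm tkip
!
dot11 ssid eduroam
   vlan 10
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
!
! NOT recommended - TKIP only. A visitor whose profile is set to WPA2/AES
! cannot associate, and no client gets 802.11n HT rates:
!   encryption vlan 10 mode ciphers tkip
!
! NOT recommended while WPA-only clients are still common - AES only. A visitor
! whose profile is set to WPA/TKIP cannot associate:
!   encryption vlan 10 mode ciphers aes-ccm
!
! Checks: what the AP advertises, and what each client actually negotiated.
!   show running-config interface dot11radio 0
!   show dot11 associations all-client
!     (look for the "Key Mgmt type" and "Encryption" fields per client,
!      e.g. WPAv2 with AES-CCMP, or WPA with TKIP)
```

With both ciphers configured the AP advertises both a WPA IE and an RSN IE, so a client that insists on the WPA2/TKIP pairing will also be accepted; the mix above is what lets WPA-only and WPA2 visitors both roam, which is the point of the advice, but it does not by itself stop a badly configured client choosing the odd combination.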

Useful links:

7) Roadmap for Implementing eduroam

Do you have a step by step process we can follow for implementing eduroam?

Yes, see: https://community.ja.net/library/janet-services-documentation/implementing-eduroam-roadmap   

8) Supporting Users

What sort of support for users do we need to provide?

We would expect organisations providing eduroam services to provide their users with adequate support. As a minimum, in addition to the organisation's eduroam service information web pages (which must provide help on how to use eduroam and device set-up instructions), the organisation's IT helpdesk should have the capability to:

  • provide guidance on the set-up of users' devices for operation with eduroam
  • check the status of a user's account to ensure that they are eligible to use eduroam
  • check RADIUS logs to see whether authentication requests are being received for the user's authentication attempts, and the outcome of those attempts

PS We have published a supporting users troubleshooting flowchart, designed for help desks which may be of some help:
https://community.ja.net/groups/eduroam/document/eduroam-user-troublesho...

How do I get access to the eduroam CAT (Configuration Assistance Tool) web site?

To use the eduroam CAT tool (developed through the GÉANT eduroam confederation), you need to have a compliant Home service and an invite token. To get an invite token, go to your eduroam(UK) Support server main configuration page and click on the eduroam CAT invite button. A token will be sent to the e-mail address you have registered as the primary technical contact on the web site. The token expires after 24 hours, so it must be used before then. (NB. If you have only just changed your compliance assertion on the eduroam(UK) Support server you will have to wait until the update replicates through to the European database before your organisation is listed on CAT.)

For more information see: https://community.ja.net/blogs/eduroam/document/configuration-assistant-tool-cat-now-available