Because OpenFlow is used to control WiFi traffic, you can dynamically filter, mirror, etc. traffic as soon as it enters the network (rather than only once it reaches a firewall), perhaps based on user ID: an external process can update the policy and signal FAUCET to apply it.
At the moment, non-OpenFlow configuration (e.g., the SSID) is specified manually. In the future, OpenConfig will be used.
LINK022 is based on the Raspberry Pi 3. While the Pi 3 does have onboard WiFi, it's suggested you use a separate WiFi adaptor (e.g., you might want one with better/multiple antennas).
LINK022 requires a host switch that can provide PoE and that also runs OpenFlow (so both can be controlled by FAUCET).
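
The external-process idea above, as an added example (not code from LINK022 or FAUCET): it renders a per-station FAUCET ACL from a user-to-policy table, replaces the ACL file atomically, and sends FAUCET a SIGHUP so it reloads its configuration. The user names, MAC addresses, ACL name `wifi-users`, mirror port 3 and the way the FAUCET PID is obtained are assumptions, as is the ACL file being included from the main FAUCET config.

```python
import os
import re
import signal
import tempfile

# Constructed tables (assumptions): user -> policy, policy -> FAUCET ACL actions.
USER_POLICY = {"alice@example.edu": "staff", "bob@example.edu": "monitored"}
POLICY_ACTIONS = {
    "staff": {"allow": 1},
    "monitored": {"allow": 1, "mirror": 3},  # also copy to port 3 (e.g. an IDS)
    "quarantine": {"allow": 0},
}
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def render_acl(acl_name, sessions):
    """sessions: (user_id, station_mac) pairs from the authenticator."""
    out = ["acls:", f"  {acl_name}:"]
    for user, mac in sessions:
        mac = mac.lower()
        # User IDs and MACs come from clients: only a validated MAC and a
        # policy from our own table are ever written into the config.
        if not MAC_RE.fullmatch(mac):
            raise ValueError(f"bad station MAC: {mac!r}")
        policy = USER_POLICY.get(user, "quarantine")  # unknown users: drop
        out += ["    - rule:", f'        dl_src: "{mac}"', "        actions:"]
        out += [f"          {k}: {v}" for k, v in POLICY_ACTIONS[policy].items()]
    # Explicit catch-all so unlisted stations do not depend on a default.
    out += ["    - rule:", "        actions:", "          allow: 0"]
    return "\n".join(out) + "\n"


def publish(path, yaml_text, faucet_pid=None):
    """Atomically replace the ACL file, then SIGHUP FAUCET to reload config."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(yaml_text)
    os.chmod(tmp, 0o644)   # mkstemp creates 0600; FAUCET must be able to read it
    os.replace(tmp, path)  # readers never see a half-written file
    if faucet_pid is not None:
        os.kill(faucet_pid, signal.SIGHUP)


if __name__ == "__main__":
    demo = [("alice@example.edu", "B8:27:EB:00:00:01"),
            ("mallory@example.org", "b8:27:eb:00:00:02")]
    print(render_acl("wifi-users", demo), end="")
```
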
The key software components of LINK022 are:
- hostapd (manages the WiFi radio, and implements 802.1x authentication via RADIUS)
- OVS (switches packets from WiFi, and implements security controls, like FAUCET ACLs)
- FAUCET (controls OVS, and the host wired switch - runs on a separate host)
To implement the eduroam use case, you will need to do the following, including obtaining RADIUS credentials (if you don't have eduroam, you could use your own RADIUS server):
- Set up a host OpenFlow wired switch with controller/NFV host, as above, running FAUCET.
- Set up FAUCET config for the port, where you will connect LINK022.
- Set up FAUCET config to control LINK022 (OVS controls only the user traffic):
- On LINK022, set up the wired interface to use VLAN 100 by default, and set up a Linux bridge with a veth pair (for OVS to connect to the WiFi radio). This is accomplished by using the following for /etc/network/interfaces:
- Install OVS on the Pi (I used 2.6.1). The Pi isn't very powerful, so it will take a while to compile.
- Configure OVS to be controlled by FAUCET, and add eth0 and veth2 to br0. Your br0 should look like this:
- Install hostapd, with the following config as /etc/hostapd/hostapd.conf:
That's it! From now on, if you have eduroam credentials, you will be able to authenticate and browse the network.
Some further reading:
- Configuring 802.1x using hostapd: https://w1.fi/hostapd/
- Using freeRADIUS with 802.1x: http://freeradius.org/enterprise-wifi.html