Integrating Cisco-ISE as Radius server for enterprise APs

Hi Anand,


We have a PMP450i that is configured to authenticate with ISE for device administration.

From other Cambium documents, it appears that we need to use the following attributes:

Cambium-Canopy-UserLevel=3
Cambium-Canopy-UserMode=0

in the Authorization Profile under "Advanced Attributes Settings". This is as per
https://community.cambiumnetworks.com/t5/PMP-450/SM-ADMIN-User-privilege-level-for-radius-server-based/td-p/76145

Also, to be able to use the above attribute, it needs to be added to ISE Radius Vendor's dictionary at
Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors


Q1. What is the Vendor Attribute ID for "Cambium-Canopy-UserMode" and is it really required for device administration with Radius?

Q2. The Cambium vendor code seems to be 161 per the document below
https://usermanual.wiki/Cambium-Networks/50450M.USER-MANUAL-PART-3/info
but the document above says it is 17713.

Please confirm which one is correct.

Q3. When we use PAP method for authentication and just use "Cambium-Canopy-UserLevel=3" or "Canopy-User-Level=3" or even both as per
https://community.cambiumnetworks.com/t5/cnMaestro/Setting-up-Cisco-ISE-for-RADIUS-Services-to-Support-Cambium/td-p/91013
and
https://community.cambiumnetworks.com/t5/PMP-450/PMP450-Radius-and-Universal-Admin-account/td-p/75326

We see that ISE shows successful authentication and the correct authorization result (ISE sending the required attributes) is pushed, but we are not able to log into the PMP450i.

Radius logs on the PMP450i show the following:

11/21/2019 : 02:37:19 UTC : Radius Request sent with auth type as PAP
11/21/2019 : 02:37:19 UTC : PAP Start sent
11/21/2019 : 02:37:20 UTC : PAP: Access Accept received from radius server
11/21/2019 : 02:37:20 UTC : PAP: UserAccessError noinfo

Is this a known issue?

Regards,
Dinesh
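
For checking which vendor ID and vendor attribute number a RADIUS server actually places in an Access-Accept (the point behind Q1 and Q2), here is an added example, not part of the original post and not Cambium or Cisco code: a decoder for Vendor-Specific attributes (type 26, RFC 2865). The packet is constructed; vendor type 50 and the 4-byte integer value are placeholders rather than Cambium's real attribute ID or encoding, and the type/length/value sub-attribute layout recommended by the RFC is assumed.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS Vendor-Specific attribute type (RFC 2865, section 5.26)

def parse_vsas(packet: bytes):
    """Return [(vendor_id, vendor_type, value_bytes)] for every VSA in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        if a_type == VENDOR_SPECIFIC:
            found.extend(_split_vsa(packet[pos + 2 : pos + a_len]))
        pos += a_len
    return found

def _split_vsa(body: bytes):
    """Split one VSA body: 4-byte vendor ID, then type/length/value sub-attributes."""
    if len(body) < 6:
        raise ValueError("VSA too short for a vendor ID and one sub-attribute")
    vendor_id = struct.unpack("!I", body[:4])[0]
    out, i = [], 4
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("bad vendor sub-attribute length")
        out.append((vendor_id, body[i], body[i + 2 : i + body[i + 1]]))
        i += body[i + 1]
    return out

def build_sample_accept(vendor_id: int, vendor_type: int, value: int) -> bytes:
    """Constructed Access-Accept (code 2): one Reply-Message plus one integer VSA."""
    sub = bytes([vendor_type, 6]) + struct.pack("!I", value)
    vsa = bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub
    attrs = bytes([18, 4]) + b"ok" + vsa  # 18 = Reply-Message, ignored by the parser
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    PLACEHOLDER_TYPE = 50  # constructed value, NOT Cambium's real attribute ID
    for vid in (161, 17713):  # the two vendor codes quoted in the post
        for vendor_id, v_type, raw in parse_vsas(build_sample_accept(vid, PLACEHOLDER_TYPE, 3)):
            print(f"vendor={vendor_id} type={v_type} value={int.from_bytes(raw, 'big')}")
```

Feeding it the UDP payload of a captured Access-Accept shows whether the vendor ID and attribute number the server sends match what the device's documentation lists.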