Bypass Authentication for ICC SMs

So I've been testing the zero touch. We've been unable to get it working properly in the system we currently have set up. We are using pre-shared keys at the moment on all our APs.

So we do not have the ability to "ENABLE" the "Bypass Authentication for ICC SMs:" option, as it is greyed out.

So I assume that zero touch configs will not work if you are using AP pre-shared keys? Or can someone help me out on this?

(FYI, we are using Powercode to do this. It didn't work until we put the key into the radio.)

Yeah, it won't work because Bypass is disabled, i.e. every SM will have to do authentication.

You can use the DHCP way to get the config file which has the pre-shared keys set.

You have to set DHCP option 66 to send a TFTP/FTP URL of the config file.

Now when an ICC-enabled SM gets registered to the AP, DHCP will be enabled, the TFTP URL will be sent to the SM, and the SM will pull the config file, apply it and reboot; now your SM can authenticate with the AP using pre-shared keys.

Hmm. If we used another method such as RADIUS etc., would it be allowed to be turned on?

Currently, at the moment, there is no way to do any optioning in Powercode BMUs at all.

But after it gets DHCP, the TFTP file and the pre-shared key, it should reboot and should get connected to the AP and programmed with the correct information after that, correct?

I'm pretty sure it is well within their (Powercode) realm to make something like this happen in their routers. 

Yes, even with RADIUS enabled, every SM has to do authentication, and an out-of-box SM won't have valid RADIUS credentials configured. So either you disable authentication for ICC-enabled SMs (I guess you are logged in with an Installer or Technician account, that's why it's greyed out; log in with admin to change it), or configure a DHCP/TFTP service to do 0-touch. Once the SM gets valid credentials it will authenticate successfully and there is no problem thereafter.

Have been following this feed, interested in applying the zero touch of ePMP/APs. Can someone help with the full procedures? Regards.

No, we do log in as admin to the AP, and it is greyed out. It seems you can't have ICC and Auth running at the same time, for obvious reasons. You wouldn't want anyone with a Canopy to automatically connect. My thought was that somehow Powercode or some other external force would have the MAC of the device asking to connect ahead of time and allow it without any form of authentication. It would push it to the AP and the AP would allow it. It would open it up to spoofing, but that would get figured out quickly at a higher level.

So we always need to enable auth on a radio before we do the actual automatic config in our particular situation.

Just so you know what I mean:

For example, on the AP:

On the Radio tab, ICC is Enabled.

On the Security tab, "Bypass Authentication for ICC SMs:" is Disabled, greyed out, and we can't enable it.

It can't be enabled because you're using a pre-shared key; switch to RADIUS and it works. We use AAA/RADIUS and the "Disable Authentication for ICC enabled SMs" option is enabled so they can get on for zero touch and receive their AAA/RADIUS configuration. Not sure why Cambium made it so it doesn't work with a pre-shared key.

Hi,

Please use the SNMP OID disableAuthForICCSM in whispApsConfig to enable it.

In a future release we will add an option to enable it via the Web GUI.

That seemed to have worked. It did register. Now to just get Powercode's zero touch to work :)

On a side note: when you reboot the AP, it will revert the setting back to "disabled". So this is at best a workaround for now.

Settings should have saved. Did you reboot after changing the setting to enabled?

Actually no, it stuck this time. I retested it. The issue now is getting Powercode to send the config to the AP and then getting the AP to actually update the SM. Not working in this configuration.

However, when we modified an SM with the pre-shared key ahead of time, there was a partial configuration that worked. But that is up to Powercode's system.

Unless having this greyed out but still (on) impacts the SM's ability to receive it in some way, or the AP's decision-making process in sending it.

How does Powercode send the file to the SM?

Generally, for 0-touch to work, the ICC SM, after getting registered with the AP, enables DHCP, and the DHCP server sends the TFTP URL via DHCP option 66; hence the SM can pull the config file.

Or possibly that. The radio isn't getting an IP (or the DHCP server controlled by Powercode isn't optioning correctly with the correct URL either). It never comes up with an IP, but we can see it registered in the AP.

Just thought I would update this post.

Scenario:
AP with PSK Custom 128bit key
Color Code: 100
ICC Mode: On
Management VLAN: 50
cnMaestro: Valid connection and onboarded

SM: Factory Default

Zero-Touch should work this way:
SM registers in ICC.
Unfortunately this does not work because of the security key. If you try to set "Bypass Auth for ICC" in the AP, you can't, because it's greyed out for PSK.

There were some comments about using SNMP, and that works. However, with cnMaestro, you can push the following template to the AP (or load it directly into the AP as a config file).

The JSON code below sets the following:

  1. Forces the "Bypass Auth for ICC"
  2. Ensures that ICC mode is turned on for the AP
  3. Sets the SM to use the Management VLAN for its DHCP request
```json
{
  "userParameters": {
    "apAuthenticationConfig": {
      "disableAuthForICCSM": 1
    },
    "apVlanConfig": {
      "useAPManagementVIDForICCSM": 1
    },
    "radioConfig": {
      "installationColorCode": 1
    }
  },
  "cfgFileString": "Canopy configuration file",
  "cfgFileVersion": "1.0"
}
```

End result:

  1. SM now registers in ICC
  2. Because it’s in ICC mode, it turns on DHCP and gets an IP using the AP’s Management VLAN
  3. Now uses the AP cnMaestro settings to connect to cnMaestro
  4. You can now onboard it using cnMaestro, push a template, upgrade etc.

Hope this helps


I enabled ICC on AP. I also did this on AP:

snmpset -v 2c -c Canopy 169.254.1.1 .1.3.6.1.4.1.161.19.3.1.1.226.0 i 1

The SM seems to connect every 30 minutes or so but does not stay on long enough to catch and program. I see this in the log:

MAC : ************************* Auth Fail 02/04/2021 : 12:26:49 UTC : Status : 4 Flag : 0

The key is to turn on "DisableAuthForICCSM".
You are still showing an Auth Error.

Without that setting changed on the AP, it will not work.
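As an added example (not code from this thread, from Cambium or from Powercode), the following Python helper ties the two symptoms discussed above together: it parses AP event-log lines in the "Auth Fail" shape quoted in the last post, flags SMs that keep failing authentication, and checks whether a Canopy JSON config template actually sets disableAuthForICCSM as in the template post. The log lines and MAC addresses are constructed placeholders; the log line format is assumed to match the single line quoted in the thread.

```python
import json
import re
from datetime import datetime

# Assumed AP log line shape, modelled on the line quoted in the thread.
AUTH_FAIL_RE = re.compile(
    r"MAC\s*:\s*(?P<mac>\S+)\s+Auth Fail\s+(?P<date>\d{2}/\d{2}/\d{4})\s*:\s*"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+UTC\s*:\s*Status\s*:\s*(?P<status>\d+)\s+Flag\s*:\s*(?P<flag>\d+)"
)

def parse_auth_failures(lines):
    """Group Auth Fail events by SM MAC: {mac: [(timestamp, status, flag), ...]}."""
    events = {}
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if not m:  # unrelated log lines are ignored
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        events.setdefault(m["mac"].lower(), []).append((ts, int(m["status"]), int(m["flag"])))
    return events

def repeat_offenders(events, min_failures=2):
    """MACs that fail auth over and over, the symptom of an SM cycling every 30 minutes."""
    return sorted(mac for mac, evs in events.items() if len(evs) >= min_failures)

def bypass_enabled(template_json):
    """True when a Canopy config file/template sets disableAuthForICCSM to 1."""
    cfg = json.loads(template_json)
    auth = cfg.get("userParameters", {}).get("apAuthenticationConfig", {})
    return auth.get("disableAuthForICCSM") == 1

def diagnose(lines, template_json):
    """Correlate repeated auth failures with the template pushed to the AP."""
    macs = repeat_offenders(parse_auth_failures(lines))
    if not macs:
        return "no repeated Auth Fail events"
    if bypass_enabled(template_json):
        return f"{len(macs)} SM(s) keep failing auth although bypass is set; check the pushed config took effect"
    return f"{len(macs)} SM(s) keep failing auth and disableAuthForICCSM is not 1 in the template"

# Constructed sample log lines and template (placeholder MACs, not real devices).
SAMPLE_LOG = [
    "MAC : aa-bb-cc-00-00-01 Auth Fail 02/04/2021 : 11:26:49 UTC : Status : 4 Flag : 0",
    "MAC : aa-bb-cc-00-00-01 Auth Fail 02/04/2021 : 11:56:50 UTC : Status : 4 Flag : 0",
    "MAC : aa-bb-cc-00-00-02 Auth Fail 02/04/2021 : 12:01:03 UTC : Status : 4 Flag : 0",
    "MAC : aa-bb-cc-00-00-01 Auth Fail 02/04/2021 : 12:26:49 UTC : Status : 4 Flag : 0",
    "System booted 02/04/2021 : 10:00:00 UTC",
]
TEMPLATE_NO_BYPASS = json.dumps({"userParameters": {"radioConfig": {"installationColorCode": 1}}})
```

Run `diagnose(SAMPLE_LOG, TEMPLATE_NO_BYPASS)` to see the finding for a template that leaves the bypass off; the MAC masked with asterisks in the quoted log line is matched by the same pattern.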