So I've been testing the zero touch. We've been unable to get it working properly in the system we currently have set up. We are using pre-shared keys at the moment on all our APs.
So we do not have the ability to "ENABLE" the "Bypass Authentication for ICC SMs:" as it is greyed out.
So I assume that zero touch configs will not work if you are using AP pre-shared keys? Or can someone help me out on this?
(FYI we are using Powercode to do this. It didn't work until we put the key into the radio)
Yeah, it won't work because Bypass is disabled, i.e. every SM will have to do authentication.
You can use the DHCP way to get the config file, which has the pre-shared keys set.
You have to set DHCP option 66 to send a TFTP/FTP URL of the config file.
Now when an ICC-enabled SM gets registered to the AP, DHCP will be enabled, the TFTP URL will be sent to the SM, and the SM will pull the config file, apply it and reboot, and now your SM can authenticate with the AP using pre-shared keys.
Hmm. If we used another method such as RADIUS etc., would it be allowed to be turned on?
Currently at the moment there is no way to do any optioning in Powercode BMUs at all.
But after it gets DHCP, the TFTP file and the pre-shared key, it should reboot and should get connected to the AP and programmed with the correct information after that, correct?
I'm pretty sure it is well within their (Powercode) realm to make something like this happen in their routers.
Yes, even with RADIUS enabled, every SM has to do authentication, and an out-of-box SM won't have a valid RADIUS credential configured. So either you disable authentication for ICC-enabled SMs (I guess you are logged in with an Installer or Technician account, that's why it's greyed out; log in with admin to change it), or configure the DHCP/TFTP service to do 0-touch. Once the SM gets valid credentials it will authenticate successfully and there is no problem thereafter.
No we do log in as admin to the AP - and it is greyed out. It seems you can't have ICC and Auth running at the same time for obvious reasons. You wouldn't want anyone with a canopy to automatically connect. My thought was that somehow Powercode or some other external force would have the MAC of the device asking to connect ahead of time and allow it without any form of authentication. It would push it to the AP and the AP would allow it. It would open it up to spoofing but that would get figured out quickly at a higher level.
So we always need to enable auth on a radio before we do the actual automatic config in our particular situation.
Just so you know what I mean:
For example on the AP
On the Radio tab ICC is Enabled
On the Security Tab "Bypass Authentication for ICC SMs:" Disabled, greyed out and we can't enable it.
It can't be enabled because you're using a pre-shared key; switch to RADIUS and it works. We use AAA/RADIUS and the Disable Authentication for ICC enabled SMs is enabled so they can get on for zero touch and receive their AAA/RADIUS configuration. Not sure why Cambium made it so it doesn't work with a pre-shared key.
Actually no it stuck this time. I retested it. The issue now is getting Powercode to send the config to the AP and then getting the AP to actually update the SM. Not working in this configuration.
However when we modified an SM with the preshared key ahead of time there was a partial configuration that worked. But that is up to Powercode's system.
Unless having this greyed out but still (on) impacts the SM's ability to receive it in some way.. or the AP's decision making process in sending..
Generally, for 0-touch to work, the ICC SM, after getting registered with the AP, enables DHCP, and the DHCP server sends the TFTP URL via DHCP option 66, and hence the SM can pull the config file.
Or possibly that. The radio isn't getting the IP (or the DHCP server controlled by Powercode isn't optioning correctly with the correct URL either). It never comes up with an IP but we can see it registered in the AP.
Scenario:
AP with PSK Custom 128bit key
Color Code: 100
ICC Mode: On
Management VLAN: 50
cnMaestro: Valid connection and onboarded
SM: Factory Default
Zero-Touch should work this way:
SM registers in ICC
Unfortunately this does not work because of the security key. If you try to set “Bypass Auth for ICC” in the AP, you can’t because it’s greyed out for PSK
There were some comments about using SNMP and that works. However, with cnMaestro, you can push the following template to the AP. (Or load it directly into the AP as a config file)
The JSON code below sets the following
Forces the “Bypass Auth for ICC”
Ensures that ICC mode is turned on for the AP
Sets the SM to use the Management VLAN for its DHCP request