In the User Guide, under "Web User Authentication", it says you can set up an admin user with fields in the "User Authentication" section of the Cambium web interface.
Is there a way to authenticate a universal management account via RADIUS to the SMs without having to touch each radio? We would like to be able to log in to any radio with one management account without having to configure each radio by hand.
If you want to log in to each SM with a single web user account via RADIUS, that is possible.
However, to do that you have to make some config changes, like:
- Set Auth type as 'Remote Then Local'
- Enable Fallback to local login [failsafe but not mandatory]
To avoid configuring this on each and every SM, you can use a zero-touch approach. You need a DHCP server and a TFTP server. Pack the above configuration in a config file and place it in the FTP/TFTP server path.
When the ICC SM is registered to the AP, once it is registered, the SM enables DHCP and gets option 66 [configure this in your DHCP server to point to the TFTP URL of the configuration file]
- SM receives this URL and applies the configuration
So next time you can log in with that single RADIUS account.
If you use a cnMaestro server, you can avoid DHCP and TFTP. Once your SM is onboarded with cnMaestro cloud, this config template will be pushed to the SM.
When the SM registers via ICC, does the SM automatically enable DHCP immediately?
Can cnMaestro be configured to automatically push the config template to the SM when it is onboarded, so that it requires no manual template push?
It's super when the AP tells the SMs how to behave. For instance, it passes down cnMaestro connection details to each SM. Could these RADIUS settings also be pushed to the SM in a newer fw release?
Thanks for the reply and links. We're still having a bit of trouble getting an admin account to authenticate.
1. We set the AP and SM to Remote Then Local.
2. We set up the radio MAC in RADIUS (0a-00-3e-b8-c2-35). This device authentication successfully connects and pushes settings from RADIUS to the radio (lines 74 and 75 in the below radcheck table). There are additional entries in radusergroup for this.
3. We then set up an okpud admin user in RADIUS (see lines 76, 77, 78, 79 in the below radcheck table). There are no radusergroup entries for this user.
Check the Access-Accept packet of okpad; I don't see this attribute
'Canopy-User-Level=3' in the Access-Accept response.
That is the reason the UI failed to log in: although authentication is successful, the radio doesn't know which level to log in at (ADMIN/INSTALLER/TECH etc.); that is the job of the VSA attribute.
So please debug why this attribute is not getting picked.
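
One thing to check when Canopy-User-Level is missing from the Access-Accept, shown as an added example that is not part of the original thread: with FreeRADIUS's SQL module, radcheck rows are check items and are not returned to the radio, while reply attributes come from radreply or, through radusergroup, from radgroupreply. The audit below assumes the stock FreeRADIUS table layout and uses constructed sample rows (only the MAC, the user name okpud and the attribute name come from the thread); it lists web users that would authenticate without a level and flags those where the VSA was placed in radcheck.

```python
import re
import sqlite3

LEVEL_ATTR = "Canopy-User-Level"  # VSA named in the thread
MAC_RE = re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$", re.I)  # device entries
# Subset of the stock FreeRADIUS SQL schema (assumed; id columns omitted).
SCHEMA = """
CREATE TABLE radcheck      (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply      (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""
# Constructed rows; users 'direct', 'grouped', 'nolevel' are hypothetical.
SAMPLE = """
INSERT INTO radcheck VALUES ('0a-00-3e-b8-c2-35','Cleartext-Password',':=','x');
INSERT INTO radcheck VALUES ('okpud','Cleartext-Password',':=','x');
INSERT INTO radcheck VALUES ('okpud','Canopy-User-Level',':=','3');
INSERT INTO radcheck VALUES ('direct','Cleartext-Password',':=','x');
INSERT INTO radreply VALUES ('direct','Canopy-User-Level',':=','3');
INSERT INTO radcheck VALUES ('grouped','Cleartext-Password',':=','x');
INSERT INTO radusergroup VALUES ('grouped','radio-admins',1);
INSERT INTO radgroupreply VALUES ('radio-admins','Canopy-User-Level',':=','3');
INSERT INTO radcheck VALUES ('nolevel','Cleartext-Password',':=','x');
"""
# Users with no level on any reply path, plus a flag if it sits in radcheck.
AUDIT = """
SELECT DISTINCT c.username,
       EXISTS (SELECT 1 FROM radcheck x
               WHERE x.username = c.username AND x.attribute = :a)
FROM radcheck c
WHERE NOT EXISTS (SELECT 1 FROM radreply r
                  WHERE r.username = c.username AND r.attribute = :a)
  AND NOT EXISTS (SELECT 1 FROM radusergroup ug
                  JOIN radgroupreply gr ON gr.groupname = ug.groupname
                  WHERE ug.username = c.username AND gr.attribute = :a)
ORDER BY c.username
"""
def build_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def users_missing_level(conn):
    """Return [(username, level_is_misplaced_in_radcheck)], skipping MAC entries."""
    rows = conn.execute(AUDIT, {"a": LEVEL_ATTR}).fetchall()
    return [(u, bool(m)) for u, m in rows if not MAC_RE.match(u)]

if __name__ == "__main__":
    for user, misplaced in users_missing_level(build_sample()):
        print(user, "level found only in radcheck" if misplaced else "no level set")
```
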