CISCO ACS Support
A Cambium PMP radio can be configured to authenticate SMs and users with a back-end AAA server.
We now support the Cisco ACS AAA server as well.
This post explains the configuration to be done on the Cisco ACS server as well as on the Cambium PMP AP.
Note that this configuration has been tested on Cisco ACS version 5.7.0.15.
Adding RADIUS Client
Navigate to Network Resources -> Network Devices and AAA Clients.
Add the IP address of the AP; this will mark the AP as a trusted client in the AAA server.
Creating Users
Create/add users for authentication. These are the same users that the SM sends in its authentication, or that are used for web user authentication.
Creating RADIUS instance
RADIUS protocols
Service selection
Adding Trusted CA
The Cambium NAS client verifies the server certificate, hence it is important to install the same certificate that is installed on the Cambium AP. First install the root CA.
Note that the certificate has to be in DER form, so if you have it in PEM format, convert it using openssl.
openssl.exe x509 -in <path-to>/cacert_aaasvr.pem -outform DER -out <path-to>/cacert_aaasvr.der
Installing Server Certificate
Configuring VSA
Once the authentication is successful, Cambium Vendor Specific Attributes can be configured to be pushed to the SM. For a complete list of VSAs, please download the Cambium dictionary from here.
On the ACS server, navigate to
System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA > Motorola
If Motorola is not present, you can create a Vendor with ID 161.
Add all the VSAs one by one.
Using VSA for User Authentication
For web user authentication, the Cambium-Canopy-UserLevel VSA must be configured to the appropriate value for that user.
On ACS, navigate to
Access Policies > Access Services > Cambium ACS > Authorization
- Change the condition to User name.
- Next click Create and then click Select (see diagram below).
- Click Create; you get the following screen.
Choose a name and then move to the RADIUS Attributes tab.
- Fill in all the attributes you want for that particular user.
Important: Click Add for each attribute and, when done, click Submit.
- Now you are ready to use this Authorization profile for the user. Select it and press OK.
- Finally, press Save Changes and you are ready to use it.
SM Authentication
Configuration to be done on the PMP device. Please also refer to the user guide for details on other configuration parameters.
Web UI
There is no new configuration on the AP. However, on the SM, the user should select PEAP in the following way.
Configuration → Security → AAA Authentication Settings → Phase 1, select eappeap.
Note that when you select EAP-PEAP as Phase 1, Phase 2 will change automatically to MSCHAPv2. Other Phase 2 protocols like PAP/CHAP will be disabled.
SNMP
The user can configure the existing OIDs in WHISP-SM-MIB:
OID: .1.3.6.1.4.1.161.19.3.2.7.4.0 (phase1): Set this to 2 to use eappeap.
OID: .1.3.6.1.4.1.161.19.3.2.7.5.0 (phase2): Set this to 2 to use mschapv2.
User Authentication
There is no new configuration; please refer to the user guide for details.
Troubleshooting
- Make sure the AP IP address is listed as a trusted client, otherwise all Access-Requests will be rejected.
- For SM authentication, the RADIUS server and the SM must have the same certificate installed. The SM validates the certificate that the RADIUS server presents against the one the SM is configured with. A demo certificate can be downloaded from this page.
- Use PEAP instead of TTLS in the SM configuration.
- When doing user authentication, make sure the Cambium-Canopy-UserLevel VSA is configured for the user, otherwise the login process will fail.
- In order to use Cambium VSAs, make sure you have added all the VSAs; refer to the Cambium dictionary file for details and values.
- For more logs, under ACS browse to Monitoring and Reports -> Launch Monitoring and Report Viewer.
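To check the VSA items above against a captured Access-Accept, the following added example (not part of the original post or of Cambium/Cisco code) parses a RADIUS packet and lists the Vendor-Specific attributes sent under vendor ID 161. The sample packet is constructed, and the vendor-type number 50 and value 3 used in it are assumed sample values; take the real attribute numbers and values from the Cambium dictionary.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type that carries VSAs (RFC 2865)
VENDOR_ID = 161       # vendor ID the post configures on ACS

def iter_attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # code, identifier, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def vendor_attributes(packet, vendor_id=VENDOR_ID):
    """Return [(vendor_type, raw_value)] for the VSAs of one vendor."""
    found = []
    for a_type, value in iter_attributes(packet):
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        sub = value[4:]  # one or more vendor-type/length/value triples
        while len(sub) >= 2:
            v_type, v_len = sub[0], sub[1]
            if v_len < 2 or v_len > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            found.append((v_type, sub[2:v_len]))
            sub = sub[v_len:]
    return found

def build_sample_accept(vendor_type, level):
    """Constructed Access-Accept (code 2): a Reply-Message plus one integer VSA."""
    sub = struct.pack("!BBI", vendor_type, 6, level)
    vsa = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), VENDOR_ID) + sub
    body = bytes([18, 4]) + b"ok" + vsa
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    pkt = build_sample_accept(50, 3)  # 50 and 3 are constructed sample values
    print(vendor_attributes(pkt))
```

An empty result for a user's Access-Accept means ACS did not attach any vendor 161 attribute to that authorization profile.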