Cisco ACS RADIUS Server Support

CISCO ACS Support

Cambium PMP radio can be configured to authenticate SM and users with a back-end AAA server.

We now support Cisco ACS AAA server as well.

This post explain various configuration to be done on Cisco ACS server as well as Cambium PMP. AP

Note that these configuration had been tested on CISCO ACS Version : 5.7.0.15

Adding RADIUS Client

Navigate to Network Resources ->Newtwork Devices and AAA Clients

Add the IP address of AP, this will mark the AP as trusted client in AAA server.

Creating Users

Create/Add users for authentication, these are the same users which SM sends in its authentication or for we user authentication.

Creating RADIUS instance

RADIUS protocols

4.png

Service selection

5.png

Adding Trusted CA

Cambium NAS client verifies the server certificate, hence it is important to install the same certificate which is installed on Cambium AP.First install the root CA.

Note that certificate has to be in DER form, so if you have in PEM format convert using openssl.

 openssl.exe x509 -in <path-to->/cacert_aaasvr.pem  -outform DER -out <path-to>/cacert_aaasvr.der

Installing Server Certificate

Configuring VSA

Once the authentication is successful , Cambium Vendor Specific Atributes can be configure to be pushed  to the SM.For a complete list of VSA please download the cambium dictionary from  here.

on ACS server, navigate to

System Administration >     Configuration >     Dictionaries >     Protocols >     RADIUS >     RADIUS VSA >     Motorola

If Motorola is not present you can create Vendor  with ID 161

Add all the VSA one by one

Using VSA for User Authentication

For Web user authentication, Cambium-Canopy-UserLevel VSA must be configured to appropraiet value for that user.

On ACS, navigate to

Access Policies >     Access Services >     Cambium ACS >     Authorization

    1. Change condition to User name
    2. Next click Create and then click Select see diagram below 
    3. Click Create  from the screen you get following screen

      Chose some name and then move to RADIUS Attributes tab

    4. Fill attribute which all you want for that particular user

Important: Click Add for each attribute and when done click Submit.

    1. Now you are ready to use this Authorization profile for the use Select and Press OK

  1. Finally press Save Changes and you are ready to use it.

SM Authentication

 Configuration to be done on PMP Device. Please also refer to user guide for details on other configuration parameters.

Web UI

There are no new configuration on AP.However on SM, user should select PEAP in following way.

Configuration → Security → AAA Authentication Settings → Phase 1, Select eappeap.

Note that as you select Phase 1 as EAP-PEAP, Phase 2 will change automatically to MSCHAPv2.Other Phase 2 protocols like PAP/CHAP will be disabled.

SNMP

User can configure existing OID in WHISP-SM-MIB

OID: .1.3.6.1.4.1.161.19.3.2.7.4.0 (phase1): Set this to 2 to use eappeap.

OID: .1.3.6.1.4.1.161.19.3.2.7.5.0 (phase2): Set this to 2 to use mschapv2.

User Authentication

There is no new configuration ,please refer to user guide for details.

Troubleshooting

  1. Make sure AP IP address is listed as a trusted client, otherwise all Access request wil be rejected.
  2. For SM authentication, RADIUS server and SM must have same certificate installed. SM validates the certificate which RADIUS server present, with the one SM is configured it.Demo certificate can be downloaded from this page.
  3. Use PEAP instead of TTLS in SM configuration.
  4. When doing User Authentication, make sure Canopy-Cambium-UserLevel VSA is configured for the user, otherwise login process will fail.
  5. In order to use Cambium VSA , make sure you have add all the VSA, refer to Cambium dictionary file for details and values.
  6. For more logs under ACS browse to Monitoring and Reports -> Launch Monitoring and Report Viewer

References

  • Microsoft RADIUS configuration guide can be found here
  • Change of Authorization and Disconnect messages (RFC 3576) are also supported,  Please refer this page for configuration
3 Likes