AP User authentication via Radius

I wanted to see if anyone had tried remote user authentication for the APs. I’ve got some users that I want to limit access to, but I don’t want to go out and touch each of my 100 and something APs every time I add or delete a user. I’ve been screwing around with RADIUS so I can manage this all directly and I know it should work, but I’m not sure how to set up the users part of the config file for a Cambium AP. Anybody tried this?

Ok I figured it out after digging around.

Running on FreeRADIUS on Ubuntu.

clients.conf entry:

    client 172.16.32.81 {
        secret = secret123
        shortname = somesap1
        nastype = Canopy
    }

users entry:

    # reply items must be indented under the user line
    tech Cleartext-Password := "somepassword"
        Motorola-Canopy-Userlevel = 1

Then you just need to configure the AAA settings in the Security tab of the AP as you would for doing RADIUS SM authentication. On a side note, I will probably be submitting a feature request to have a read-only account attribute added. As it stands, accounts could be tech/installer/Administrator. I’d like to keep some level one guys out of the configuration tabs altogether if it were possible.
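An added example, not part of the original post and not FreeRADIUS or Cambium code: a small Python check for a FreeRADIUS users file that reports which Motorola-Canopy-UserLevel each account receives and flags reply items that are not indented. The names for levels 2 and 3, the function name audit_users and the sample entries are assumptions constructed for illustration.

```python
import re

# Assumed level names; the thread only confirms that 1 is Technician.
LEVELS = {1: "Technician", 2: "Installer", 3: "Administrator"}
ATTR = re.compile(r"^Motorola-Canopy-UserLevel\s*:?=\s*(\d+)\s*,?$", re.I)

def audit_users(text):
    """Return (accounts, problems) for the content of a FreeRADIUS users file."""
    accounts, problems, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indented = raw[0] in " \t"
        m = ATTR.match(line.strip())
        if m and not indented:
            # An unindented line starts a new entry, so this attribute is
            # never returned as a reply item for the user above it.
            problems.append(f"line {n}: reply item is not indented")
        if m and current:
            accounts[current] = int(m.group(1))  # record the intended level
        elif not m and not indented:
            current = line.split()[0]
            accounts[current] = None
    for user, level in accounts.items():
        if level is None:
            problems.append(f"{user}: no Motorola-Canopy-UserLevel reply item")
        elif level not in LEVELS:
            problems.append(f"{user}: unknown user level {level}")
    return accounts, problems

# Constructed sample entries (not from the thread).
SAMPLE = """\
tech Cleartext-Password := "somepassword"
    Motorola-Canopy-UserLevel = 1
admin Cleartext-Password := "constructed-example"
    Motorola-Canopy-UserLevel = 3
helpdesk Cleartext-Password := "constructed-example"
Motorola-Canopy-UserLevel = 1
contractor Cleartext-Password := "constructed-example"
    Motorola-Canopy-UserLevel = 7
orphan Cleartext-Password := "constructed-example"
"""

if __name__ == "__main__":
    accounts, problems = audit_users(SAMPLE)
    for user, level in accounts.items():
        print(user, LEVELS.get(level, level))
    print("\n".join(problems))
```

Running it against the real users file before reloading FreeRADIUS gives a quick list of who holds which privilege level across all APs.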

For reference, that stuff first appears in the 11.0.1 release notes and is all included in the new manual, entitled PMP Solutions User Guide for software 11.2.

I just searched through all of the manuals I have here back to 7.3.6 and I don’t see any explanations as to what Installer and Technician actually are. I take it since you set the Motorola-Canopy-UserLevel to 1, the Technician privilege allows some configuration?

It does. It allows some configuration but not complete configuration of advanced network items such as VLANs, security, etc. Which is a great start, but I’d like to keep some of my level one guys (third party tech support) out of the frequency settings and really remove the ability to do anything but view the sessions.


Yeah, I’m a noob all around when it comes to RADIUS in general, so it took me some time to realize where to find the attributes. It didn’t dawn on me to find the info in the manual until this morning.

Ah, that’s annoying. Agreed, there should be an access level where you can’t break anything… everything under Configuration can break stuff.

I hear you on the RADIUS bit - took me a while to figure out how to set up MySQL for our SM authentication.

A read only account would definitely be useful.