BAM - work towards a really powerful management platform

After building a growing Canopy network some problems start to become apparent in the simplicity of the system that made it so easy to get up and running at first. Management of an ever-growing and already large network uses up more time and resources. Towards the end of making Canopy an enterprise-level capable system I would like to advance the following ideas for future BAM implementations:

1. BAM basic and BAM advanced - Implement a system by which BAM users could use BAM as they currently do and a more advanced platform which is described later. This would require only a single attribute or response from BAM inside the current response that would (if required) tell the AP what kind of BAM it is dealing with.

2. BAM advanced - should have the following feature set at a minimum.

a. Load all config data on registration - This is a great enhancement to security as you could deploy a unit with a default config with the exception of color code (and even that could be made optional if you think about it).
advantages -

security
If the user gains access to it they can’t get any usable info like SNMP community strings or anything else unless BAM loaded the default settings and that is up to an operator to change.

network
They also can’t remove filter settings permanently. The next time the unit reboots it would pull all info from BAM and everything the user set would be reset from BAM. Keeps your network cleaner and safer from even evil users.

lower installer requirements
No more requirement to program a unit before it leaves the field for an install. Less training = cheaper installers and a cheaper install.

consistency
Using a properly structured DB or RADIUS setup, an operator could guarantee uniform deployment of all critical SM config parameters by central management and the use of config groupings. For instance, putting all the netmask and gateway info, filter settings, and so forth in a group would keep all SMs in that group identical. Only a few variables like site name, location, IP number, NAT, and others would need to be set individually and those would be centrally managed as well.

management
The entire config of every SM is managed centrally in the BAM. In freeradius this would be very easy (as well as the db version) since you can use groups for all the common things like much of the network config (except mgmt ip and a few others). Think of the possibilities. A user has an SM go south. Instead of having to make all these changes to a replacement SM, you simply make one change in the BAM - change the MAC/ESN in the BAM. Now when the new SM is installed it gains all data the old one had including the user info, rates, IP, NAT, filters, etc… Now you have a system that actually helps you not only authorize and authenticate but manage your SMs.

I cannot emphasize this management one enough. I view this as the key missing piece of the Canopy system. I know that there are other ways to do some of this (like programming the unit via snmp) but you still need to do some unit programming to get this to work. With the described system you could take a unit out of the box and stick it on the house and start using it with minimal setup at the BAM by your most trusted and experienced people, instead of depending on your lesser qualified (like installers) to do their job correctly. The unit would have the correct contact info, IP, etc.
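A sketch of the group-plus-per-unit config model proposed in the post above, added here as an illustration; it is not part of the original post and is not Canopy or BAM code. The data model, the function names and every value (MACs, addresses, community string) are constructed assumptions.

```python
import copy

# Hypothetical central store. Group records hold the settings that must be
# identical on every SM in the group (constructed sample values).
GROUPS = {
    "residential": {"netmask": "255.255.255.0", "gateway": "10.1.0.1",
                    "filters": ["smb", "dhcp-server"],
                    "snmp_community": "constructed-ro"},
}
# Per-unit records keyed by MAC/ESN hold only what differs per subscriber.
UNITS = {
    "020000000001": {"group": "residential", "site_name": "Smith house",
                     "mgmt_ip": "10.1.0.21", "nat": True},
}
PER_UNIT_KEYS = ("site_name", "mgmt_ip", "nat")

def normalize_mac(mac):
    return mac.replace(":", "").replace("-", "").lower()

def effective_config(mac):
    """Config sent at registration: group settings, then per-unit settings.
    An unknown unit gets nothing, so a factory-default SM holds no secrets."""
    unit = UNITS.get(normalize_mac(mac))
    if unit is None:
        return None
    cfg = copy.deepcopy(GROUPS[unit["group"]])
    cfg.update({k: unit[k] for k in PER_UNIT_KEYS if k in unit})
    return cfg

def drift(mac, reported):
    """Settings changed locally on the unit, as {key: (reported, central)}.
    These are what the next registration would reset."""
    wanted = effective_config(mac) or {}
    return {k: (reported.get(k), v) for k, v in wanted.items()
            if reported.get(k) != v}

def replace_unit(old_mac, new_mac):
    """Hardware swap: re-key the record so the new SM inherits everything."""
    old, new = normalize_mac(old_mac), normalize_mac(new_mac)
    if new in UNITS:
        raise ValueError("replacement MAC is already provisioned")
    UNITS[new] = UNITS.pop(old)
```

Running `drift` against what a unit reports before it reboots also gives the operator a record of which subscribers removed filters locally, rather than having the reset silently hide it.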

I have forwarded your BAM suggestions to the proper team. Thank you for the detail and thorough explanations.