cnMaestro On-Premises, Option 15 or 43 with Mikrotik & ePMP

Copied this to the cnMaestro forum from the ePMP forum...

So I got the new cnMaestro On-Premises edition, and I am liking it, but I'd want to configure for autoprovisioning using one of the DHCP Options. No luck there, but if I manually add the URL for the new cnMaestro system, it works perfectly.

I think I have my Mikrotik correctly configured to hand out both Option 15 and 43, and I've tried with f/w 2.6.2.1 and 3.0 (release versions only - is that the issue?)

Here's my Mikrotik config for DHCP Options, and both options are active on the relevant networks:

/ip dhcp-server option
add code=15 name=maestro value="'domain.com'"
add code=43 name=cnmaestro value="'https://cnmaestro.domain.com'"

Obviously, my domain is not 'domain.com', but I made sure to use the single-quotes around my string values, and the name does resolve (remember, if I explicitly give the full URL, as listed in Option 43, it does work).

Any brave, adventurous souls already figured it out?

It looks like the Option 60 may be missing. The complete configuration for Option 43 would be the following.  Note we tested on a cnPilot E400, so Option 60 will be different with ePMP (it would just be 'Cambium').

/ip dhcp-server option
add code=60 name=cambium60 value="'Cambium-WiFi-AP'"
add code=43 name=cambium43 value="'https://x.x.x.x'"

/ip dhcp-server network
add address=10.0.0.0/24 dhcp-option=cambium60,cambium43 \
    dns-server=10.0.0.1,8.8.8.8 domain=company.com gateway=10.0.0.1 netmask=24 \
    next-server=10.0.0.2


Rob, 

I did see another thread here in the forum which suggested that, so I added it in. This is the new option section, and these were added in the CLI in the Mikrotik (again, my real domain is in the actual config):

/ip dhcp-server option
add code=60 name=ePMP value="'Cambium'"
add code=43 name=cambium43 value="'https://cnmaestro.domain.com'"
add code=15 name=domain value="'domain.com'"

Still no luck. Here's the syslog dump from a STA running 3.0:

Sep 1 00:00:26 Carl_White#7522 DEVICE-AGENT[2288]: send_to_stats_server: connect() failed errno=2
Sep 1 00:00:27 Carl_White#7522 snmpd[2062]: DFS status: N/A
Sep 1 00:00:43 Carl_White#7522 DEVICE-AGENT[2288]: getaddrinfo failed with error_code=-2
Sep 1 00:00:43 Carl_White#7522 DEVICE-AGENT[2288]: Not able to resolve cloud.cambiumnetworks.com
Sep 1 00:00:43 Carl_White#7522 DEVICE-AGENT[2288]: Not able to resolve cloud.cambiumnetworks.com
Sep 1 00:00:43 Carl_White#7522 DEVICE-AGENT[2288]: OpenConnection to cloud.cambiumnetworks.com:443 failed
Sep 1 00:00:43 Carl_White#7522 DEVICE-AGENT[2288]: Unable to discover cnMaestro URL (re-discover in 74 seconds)
Aug 11 19:32:45 Carl_White#7522 DEVICE-AGENT[2288]: Required on-boarding credentials not configured, cannot attempt on-boarding.
Aug 11 19:32:45 Carl_White#7522 DEVICE-AGENT[2288]: Unable to discover cnMaestro URL (re-discover in 63 seconds)
Aug 11 19:33:50 Carl_White#7522 DEVICE-AGENT[2288]: Required on-boarding credentials not configured, cannot attempt on-boarding.
Aug 11 19:33:50 Carl_White#7522 DEVICE-AGENT[2288]: Unable to discover cnMaestro URL (re-discover in 75 seconds)
Aug 11 19:35:06 Carl_White#7522 DEVICE-AGENT[2288]: Required on-boarding credentials not configured, cannot attempt on-boarding.
Aug 11 19:35:06 Carl_White#7522 DEVICE-AGENT[2288]: Unable to discover cnMaestro URL (re-discover in 61 seconds)
Aug 11 19:36:09 Carl_White#7522 DEVICE-AGENT[2288]: Required on-boarding credentials not configured, cannot attempt on-boarding.
Aug 11 19:36:09 Carl_White#7522 DEVICE-AGENT[2288]: Unable to discover cnMaestro URL (re-discover in 68 seconds)

The STA is configured with Remote Management on, and all relevant fields are left blank.

I just want to make sure you are also configuring the /ip dhcp-server network as well?

Yes - here is the redacted network config:

/ip dhcp-server network
add address=10.xx.ya.0/24 dhcp-option=ePMP,cambium43,domain dns-server=fff.ggg.h.3,fff.ggg.h.2 gateway=\
10.xx.ya.1 ntp-server=10.x.v.w wins-server=""
add address=10.xx.yc.0/24 dhcp-option=ePMP,cambium43,domain dns-server=fff.ggg.h.3,fff.ggg.h.2 gateway=\
10.xx.yc.1 ntp-server=10.x.v.w wins-server=""
add address=10.xx.ye.0/24 dhcp-option=ePMP,cambium43,domain dns-server=fff.ggg.h.3,fff.ggg.h.2 gateway=\
10.xx.ye.1 ntp-server=10.x.v.w wins-server=""
add address=10.xx.yg.0/24 dhcp-option=ePMP,cambium43,domain dns-server=fff.ggg.h.3,fff.ggg.h.2 gateway=\
10.xx.yg.1 ntp-server=10.x.v.w wins-server=""

I too am not able to get the SMs to pick up the cnmaestro URL from the DHCP options.

/ip dhcp-server option
add code=15 name=BPS value="'xxxx.com'"
add code=60 name=EPMP value="'Cambium'"
add code=43 name=CNMaestro value="'https://xxx.yyy.com'"
/ip dhcp-server option sets
add name=EPMP options=BPS,EPMP,CNMaestro
/ip dhcp-server network
add address=10.99.3.0/24 dhcp-option-set=EPMP dns-server=x.x.x.x,y.y.y.y domain=yyy.com gateway=10.99.3.1 ntp-server=x.x.x.x

Log from an SM running 3.0

Sep  1 23:06:28 xx DEVICE-AGENT[2396]: Timeout in select() - Cancelling!
Sep  1 23:06:28 xx DEVICE-AGENT[2396]: OpenConnection to cloud.cambiumnetworks.com:443 failed 
Sep  1 23:06:28 xx DEVICE-AGENT[2396]: Unable to discover cnMaestro URL (re-discover in 356 seconds)
Sep  1 23:06:28 xx DEVICE-AGENT[2396]: Attempting (re)connection in 5 minutes
Sep  1 23:12:41 xx DEVICE-AGENT[2396]: Timeout in select() - Cancelling!

Mikrotik version is 6.36

Can you please follow this KB article and see if this helps?

http://community.cambiumnetworks.com/t5/cnMaestro-Configuration/Microtik-Routerboard-DHCP-configuration-for-onboarding-devices/m-p/56012#M26

I am guessing the name ePMP defined in our article follows a different pattern:

add code=60 name="ePMP" value="'Cambium'"

Whereas I see your config file has EPMP in upper case.

I am not sure about this, though, or whether it's case sensitive (I can cross-check with the team).

Regards,

Rupam

Thanks,

The 'name=' portion in the mikrotik config should be irrelevant as it's used to identify the option within the mikrotik's config and not passed to the client.

I've changed it just to see but even in the article you linked you'll see they use name=cambium60 in the first example and name="ePMP" below that.

I should also mention I've tried a few different combinations.

Sending just option 43

Sending option 43 as IP instead of fqdn

Sending options 43 & 60

Sending options 15, 43 & 60

--

Only thing that works is hard coding the URL in the SM.

I am turning up 8 tower sites into cnmaestro and I am unable to get the SMs to pick up the cnmaestro URL via DHCP options at any of the sites.

Here is the dhcp debug log from the router (forgot to post it)

Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP: dhcp1 received request with id 1195890228 from 10.99.44.30
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     ciaddr = 10.99.44.30
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     chaddr = 00:04:56:C3:51:08
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Msg-Type = request
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Client-Id = 01-00-04-56-C3-51-08
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Host-Name = "ePMP1000_c9a0a7"
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Class-Id = "Cambium"
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Parameter-List = Subnet-Mask,Router,Domain-Server,Host-Name,Domain-Name,Unknown(17),Broadcast-Address,NTP-Server,Vendor-Specific,Client-FQDN
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP: dhcp1 sending ack with id 1195890228 to 10.99.44.30
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     ciaddr = 10.99.44.30
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     yiaddr = 10.99.44.30
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     siaddr = 10.99.44.1
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     chaddr = 00:04:56:C3:51:08
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Msg-Type = ack
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Server-Id = 10.99.44.1
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Address-Time = 1800
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Subnet-Mask = 255.255.255.0
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Router = 10.99.44.1
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Domain-Server = x.x.x.x,y.y.y.y
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Domain-Name = "mydomain.com"
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     NTP-Server = x.x.x.x
Aug 12 16:50:36 10.100.254.44 dhcp,debug,packet DHCP:     Vendor-Specific = 68-74-74-70-73-3A-2F-2F-63-6E-6D-61-65-73-74-72-6F-2E-62-70-73-6E-65-74-77-6F-72-6B-73-2E-63-6F-6D

Has anyone gotten this to work? I'm revisiting our configs and trying to get this to work but the SM's are still not picking up the cnmaestro URL from the dhcp server - now using MT v6.38.7 and EPMP v3.5

--

/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=EPMP_MGMT lease-time=30m name=dhcp1
/ip dhcp-server option
add code=60 name=ePMP value="'Cambium'"
add code=43 name=cambium43 value="'https://10.100.15.13'"
/ip dhcp-server network
add address=10.99.94.0/24 dhcp-option=ePMP,cambium43 domain=bpsnetworks.com gateway=10.99.94.1 netmask=24 ntp-server=x.x.x.x

--

And the log from the router showing the options being sent:

--

16:01:09 dhcp,debug,packet dhcp1 received request with id 283692310 from 0.0.0.0
16:01:09 dhcp,debug,packet     ciaddr = 0.0.0.0
16:01:09 dhcp,debug,packet     chaddr = 00:04:56:EF:A6:8F
16:01:09 dhcp,debug,packet     Msg-Type = request
16:01:09 dhcp,debug,packet     Client-Id = 01-00-04-56-EF-A6-8F
16:01:09 dhcp,debug,packet     Host-Name = "Customer"
16:01:09 dhcp,debug,packet     Class-Id = "Cambium"
16:01:09 dhcp,debug,packet     Address-Request = 10.99.94.247
16:01:09 dhcp,debug,packet     Server-Id = 10.100.94.65
16:01:09 dhcp,debug,packet     Parameter-List = Subnet-Mask,Router,Domain-Server,Host-Name,Domain-Name,Unknown(17),Broadcast-Address,NTP-Server,Vendor-Specific,Class-Id,Client-FQDN
16:01:09 dhcp,info SYSTEM: dhcp1 assigned 10.99.94.247 to 00:04:56:EF:A6:8F
16:01:09 dhcp,debug,packet dhcp1 sending ack with id 283692310 to 10.99.94.247
16:01:09 dhcp,debug,packet     ciaddr = 0.0.0.0
16:01:09 dhcp,debug,packet     yiaddr = 10.99.94.247
16:01:09 dhcp,debug,packet     siaddr = 10.100.94.65
16:01:09 dhcp,debug,packet     chaddr = 00:04:56:EF:A6:8F
16:01:09 dhcp,debug,packet     Msg-Type = ack
16:01:09 dhcp,debug,packet     Server-Id = 10.100.94.65
16:01:09 dhcp,debug,packet     Address-Time = 1800
16:01:09 dhcp,debug,packet     Subnet-Mask = 255.255.255.0
16:01:09 dhcp,debug,packet     Router = 10.99.94.1
16:01:09 dhcp,debug,packet     Domain-Server = x.x.x.x,y.y.y.y
16:01:09 dhcp,debug,packet     Domain-Name = "bpsnetworks.com"
16:01:09 dhcp,debug,packet     NTP-Server = x.x.x.x
16:01:09 dhcp,debug,packet     Vendor-Specific = 68-74-74-70-73-3A-2F-2F-31-30-2E-31-30-30-2E-31-35-2E-31-33
16:01:09 dhcp,debug,packet     Class-Id = "Cambium"

--
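An added example, not part of the original posts: a small Python check that takes the `Vendor-Specific` field from the MikroTik `dhcp,debug,packet` output above and reports whether option 43 went out as a bare ASCII string or as RFC 2132 encapsulated sub-options. The TLV sample line and its sub-option code 1 are constructed for illustration; which form the ePMP firmware accepts is not established in this thread.

```python
import re

# Matches the Vendor-Specific field of a MikroTik dhcp,debug,packet log line.
VENDOR_RE = re.compile(r"Vendor-Specific = ((?:[0-9A-Fa-f]{2}-)*[0-9A-Fa-f]{2})\s*$")

# Copied from the router log in the thread above.
PAGE_LINE = ("16:01:09 dhcp,debug,packet     Vendor-Specific = "
             "68-74-74-70-73-3A-2F-2F-31-30-2E-31-30-30-2E-31-35-2E-31-33")
# Constructed sample: the same URL wrapped in a hypothetical sub-option 1.
URL = b"https://10.100.15.13"
TLV_LINE = ("16:01:09 dhcp,debug,packet     Vendor-Specific = "
            + "-".join(f"{b:02X}" for b in bytes([1, len(URL)]) + URL))

def option43_bytes(log_line):
    """Return the option 43 payload logged on this line, or None."""
    m = VENDOR_RE.search(log_line)
    return bytes.fromhex(m.group(1).replace("-", "")) if m else None

def parse_tlv(payload):
    """Parse RFC 2132 encapsulated sub-options; None if framing is invalid."""
    subs, i = [], 0
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad byte
            i += 1
            continue
        if code == 255:                    # end marker
            break
        if i + 1 >= len(payload):          # code with no length byte
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:           # length runs past the payload
            return None
        subs.append((code, value))
        i += 2 + length
    return subs or None

def classify(payload):
    """Label the payload as a bare string, TLV sub-options, or neither."""
    if payload and all(0x20 <= b < 0x7F for b in payload):
        return ("raw-ascii", payload.decode("ascii"))
    subs = parse_tlv(payload)
    return ("tlv", subs) if subs is not None else ("opaque", payload.hex())

if __name__ == "__main__":
    for line in (PAGE_LINE, TLV_LINE):
        print(classify(option43_bytes(line)))
```

Run against the logged line, this shows the router is sending the URL as a bare string with no sub-option framing, matching the quoted `value="'https://...'"` form in the config.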

Good morning everyone,

So giving this a shot, if it works then I can get away from CNS...

I've added everything I think I need, the 43 and the 60 under 'DHCP options' and DHCP options/domain under 'DHCP networks' on my Mikrotiks.
I can ping the url cnmaestro.domain.com from the device itself and I think everything is resolving as it should.

Getting the following error from the CPE, looks like it's talking.  Is that a certificate error from my CnMaestro onprem?

Sep  1 00:00:30 109 santar loop snmpd[3008]: DFS status: N/A
Sep  1 00:00:38 109 santar loop DEVICE-AGENT[3879]: Attempting (re)connection in 5 seconds
Sep  1 00:00:45 109 santar loop DEVICE-AGENT[3879]: Server certificated validation failed errno = 9, err =  certificate is not yet valid
Sep  1 00:00:45 109 santar loop DEVICE-AGENT[3879]: Certificate is not yet valid, check the certificate host name
Sep  1 00:00:49 109 santar loop DEVICE-AGENT[3879]: Error response: [{"error":{"level":"error","message":"Device Not Claimed","code":1011}}]
Sep  1 00:00:49 109 santar loop DEVICE-AGENT[3879]: Unable to discover cnMaestro URL (re-discover in 74 seconds)
Sep  1 00:00:49 109 santar loop DEVICE-AGENT[3879]: Attempting (re)connection in 74 seconds

On the device you're using to test this, is Validate Server Certificate enabled in the cnMaestro section of the UI?

Sorry to bring up this old post. We've had no luck getting this to work either.

Is there a special procedure that needs to be followed, in the event the ePMP station has previously been managed by cloud.cambiumnetworks.com?

When transitioning to On-prem, and all the DHCP options are set up as in the guide, we are still not able to get the ePMP to pick up the URL correctly automatically.

Some of the posts mention factory defaulting--I hope that is not the case. We are assuming the unit would pick up the DHCP option with its next DHCP lease, and replace the URL, and begin contacting our On-Prem immediately.

We've also verified using packet captures that the options are being passed to the AP at least. Next thing we could do is a tcpdump on the ePMP device itself.

Well, we've attempted hijacking the DNS for cloud.cambiumnetworks.com, but we're getting certificate errors in the ePMP system log:

DEVICE-AGENT[27555]: Server certificated validation failed errno = 20, err =  unable to get local issuer certificate
DEVICE-AGENT[27555]: server's cert didn't look good 20

The cnPilot line seems to disable the certificate check when they connect to Maestro, but it appears the ePMP's don't do this, so this probably won't work.

I've also tried running tcpdump on the ePMP station, using the command below, but I'm not seeing any traffic. Can anyone help formulate this so it works on the station?

tcpdump "-i ath0 -n port 67 and port 68"

https://mypacketsgotframed.postach.io/post/configuring-dhcp-option-43-on-mikrotik-routerboard

What happens if you use hex for Option 43?

Hi Kelmore,

In order for the DHCP option 43 or 15 to work, the cnmaestro url field in the ePMP Configuration->System page should be left blank. Then the Mikrotik DHCP config should be done as outlined in the Mikrotik DHCP onboarding KB article. We tried this locally and it worked fine for us without any certificate errors.

The certificate validation will happen when the hostname of the cnmaestro server contains cloud.cambiumnetworks.com. So in your NOC server Hostname, make sure that the hostname has no such entries.

Please let me know if you still need further information on this.

Thanks,

KR.


@nbctcp Thanks for the idea, but I don't know what the Option 43 static prefix for Cambium is, so I'm not sure which Wireless Controller Type to select in the link you sent. https://shimi.net/services/opt43/

KR,

Thanks for the information about leaving the field blank. When the options work correctly, should the "cnMaestro URL" field get populated automatically?

As for the certificate validation, what we attempted to do was redirect all DNS queries to "cnmaestro.cambiumnetworks.com" to our on-prem server's IP address. This way the units "think" they are talking to the cloud, when in fact they are talking to our OnPrem server, which I suppose is why the error is generated. The units are still trying to check the certificate in this scenario.

Lastly,

I have done numerous tcpdump dumps with "-i ath0" on the stations, but I am not seeing any DHCP information in the pcap file. Do I need to do something different to see the DHCP BootP packets? I'd really like to verify that the packets are reaching the radio properly.