The SM’s Security page is used to configure system security features including SM authentication and Layer2/Layer3 Firewall rules.
If a device firewall rule is added with Action set to Deny and Interface set to LAN or WAN and no other rule attributes are configured, the device will drop all Ethernet or wireless traffic, respectively. Ensure that all firewall rules are specific to the type of traffic which must be denied, and that no rules exist in the devices with only Action set to Deny and Interface set to LAN or WAN. To regain access to the device, perform a factory default.
| Attribute | Meaning |
|---|---|
| Security Options | |
| Wireless Security | Select the type of authentication preferred, whether RADIUS, WPA2, Open or a combination of the three. |
| WPA2 | |
| WPA2 Pre-shared Key | Configure this key on the AP and then configure each of the network SMs with this key to complete the authentication configuration. This key must be between 8 and 128 symbols. |
| RADIUS | |
| EAP-TTLS Username | Configure the EAP-TTLS Username to match the credentials on the RADIUS server being used for the network. |
| Use Ethernet MAC Address at EAP-TTLS Username | The device MAC Address can be used as the EAP-TTLS Username in either ":" or "-" delimited format. |
| EAP-TTLS Password | Configure the EAP-TTLS Password to match the credentials on the RADIUS server being used for the network. |
| Authentication Identity String | Configure this Identity string to match the credentials on the RADIUS server being used for the network. Default value for this parameter is "anonymous". |
| Authentication Identity Realm | Configure this Identity string to match the credentials on the RADIUS server being used for the network. Default value for this parameter is "cambiumnetworks.com". |
| Default Root Certificate | Default EAP-TTLS root certificate that must match the certificate on the RADIUS server. |
| Canopy Root Certificate | PMP 450 default EAP-TTLS root certificate to match the certificate on the RADIUS server used with current PMP 450 installations. |
| User Provisioned Root Cert 1 | Import a user certificate if a certificate different from the default certificates is needed. |
| User Provisioned Root Cert 2 | Import a second user certificate if a certificate different from the default or 1st user provisioned certificate is needed. |
| Firewalls | |
| Layer 2 Firewall | Enabled: Modifications to the Layer 2 Firewall Table are allowed and rules are enforced. Disabled: Modifications to the Layer 2 Firewall Table are not allowed and rules are not enforced. |
| Firewall Rules | The Layer 2 firewall table may be used to configure rules matching layer 2 (MAC layer) traffic which result in forwarding or dropping the traffic over the radio link or Ethernet interface. Note: When the SM is in NAT mode, only the Src MAC filtering functionality is supported. |
| Layer 3 Firewall | Disabled: Modifications to the Layer 3 Firewall Table are not allowed and rules are not enforced. Enabled: Modifications to the Layer 3 Firewall Table are allowed and rules are enforced. |
| Firewall Rules | The Layer 3 firewall table may be used to configure rules matching layer 3 (IP layer) traffic which result in forwarding or dropping the traffic over the radio link or Ethernet interface. |
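
The catch-all Deny warning at the top of this page, the WPA2 key length rule and the MAC-as-username format can all be checked against a planned configuration before it is applied to an SM. The Python below is an added example, not Cambium code; the rule dictionaries, their key names (`name`, `src_mac`, `src_ip`) and the sample tables are assumptions made for illustration and are not the device's configuration format.

```python
import re

# Keys that do not narrow what a rule matches (assumed names, not the device schema).
NON_MATCH_KEYS = {"action", "interface", "name"}

def is_catch_all_deny(rule):
    """True for the rule shape the page warns about: Deny on LAN/WAN, nothing else set."""
    if str(rule.get("action", "")).lower() != "deny":
        return False
    if str(rule.get("interface", "")).upper() not in ("LAN", "WAN"):
        return False
    return not any(v not in (None, "", []) for k, v in rule.items()
                   if k not in NON_MATCH_KEYS)

def audit_firewall(table, enabled):
    """Return (index, interface, state) for each catch-all deny rule in one table."""
    state = "enforced" if enabled else "not enforced while firewall is disabled"
    return [(i, str(r["interface"]).upper(), state)
            for i, r in enumerate(table) if is_catch_all_deny(r)]

def psk_length_ok(key):
    """WPA2 pre-shared key length rule from the page: 8 to 128 symbols."""
    return 8 <= len(key) <= 128

def mac_as_username(mac, delimiter=":"):
    """Render a MAC in the ':' or '-' delimited form accepted as EAP-TTLS username."""
    if delimiter not in (":", "-"):
        raise ValueError("delimiter must be ':' or '-'")
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    # Letter case is left as given; it has to match the entry on the RADIUS server.
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed sample tables (not exported from a device).
SAMPLE_L2 = [
    {"name": "block-one-host", "action": "Deny", "interface": "LAN",
     "src_mac": "02:00:00:00:00:01"},
    {"name": "typo", "action": "Deny", "interface": "WAN"},
]
SAMPLE_L3 = [{"action": "Deny", "interface": "LAN", "src_ip": ""}]

if __name__ == "__main__":
    for label, table, on in (("L2", SAMPLE_L2, True), ("L3", SAMPLE_L3, False)):
        for idx, iface, state in audit_firewall(table, on):
            print(f"{label} rule {idx}: Deny on {iface} matches all traffic ({state})")
    print(psk_length_ok("short12"), mac_as_username("0200.0000.0001", "-"))
```

A rule flagged as "not enforced while firewall is disabled" still deserves removal, because it takes effect as soon as that firewall layer is enabled.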