Installation color code

Hi Everyone,

I'm running RADIUS authentication to pass the IP, VLAN and QoS settings, but I was wondering whether there's a way to tell the AP not to pass any of that information when the SM is configured on Color code 0 / Installation color code?

Basically, to drop the SM out of the network so the tech guys can log into it by using the default IP and not worry about VLANs etc. when they're doing maintenance like aligning the unit.

Now perhaps I've missed something, but this feature found on the AP under Security seems to be intended for just that, yet the SM still receives authentication information even when this is enabled.

"Disable Authentication for SM connected via ICC"

The AP I'm testing this on is running version 1.4.1.

thanks in advance,

-steph

Hi Steph,

“Disable Authentication for SM connected via ICC” [default is disabled, i.e. every SM will authenticate with RADIUS if Security is enabled].

Now if you set this config to enabled, then ICC-enabled SMs will not authenticate to RADIUS and they will just be in session with the AP. You will see a message in red saying "SM connected via ICC, Bridging disabled".

Hope it helps,

Thanks,

Chitrang

Hi Chitrang,

 
Disabled Authentication for SM connected via ICC: is set to enabled

But the SM still seems to be registering on the best AP, since I'm unable to ping the default address a minute or two after rebooting. It basically becomes inaccessible from the LAN port through the default IP: 169.254.1.1, configured under Network settings on the SM.

However, I'm still able to log into the unit via the AP and I do see the RED text on the SM:

SM is registered via ICC - Bridging Disabled!  It also shows when you go to the AP session page 

IN SESSION (ICC)

Which VLAN will the Canopy inherit when it joins the AP under ICC conditions?

Hi Steph,

Can you please check the Network Interface tab of the SM and check what the IP of the SM is?

SM with default static IP and connected over ICC, enables DHCP. This is done to facilitate zero touch configuration.

I am wondering if your SM got DHCP IP.

ICC SM just uses its configured VLAN. 14.1.2 has a feature where SM inherits AP's management VLAN but I believe you are not using that?

Hi Chitrang,

The network settings for the SM are basically set to Default.

IP: 169.254.1.1

Network accessibility : Local

DHCP State: Disabled

I'm not running a DHCP server on this side; I was hoping the SM unit's default information would be used when the unit is flipped to ICC mode.

-steph

The ARP TAB under statistics shows the IP address as : 255.255.255.255 with a MAC of ff-ff-ff-ff-ff-ff. So something seems to be passing the IP I'm guessing since it's saying "Public IP is not enabled" before the SM registers.

IP Address Physical Address Interface Pending Create Time Last Time
255.255.255.255 ff-ff-ff-ff-ff-ff et1 N 13:23:08 03/22/2016 SAST 13:32:03 03/22/2016 SAST
 

Just FYI, if you're saying that the SM management stops responding on 169.254.1.1 when you're on the local/wired side after a few minutes of being registered to an AP via ICC, then I have seen this too. If someone logs into the AP and drops the session, then local access will work again for a few minutes. I haven't had a chance to debug it. But it has been happening for a very long time, like back to 11.2 when the ICC feature was introduced. Luckily the field techs rarely need to access the SM. The use case of ICC (for us) is to allow the tech to install a default SM on a sector and a NOC/office tech handles provisioning.

Hi George, that's spot on... Seems the AP is giving the SM an IP of 255.255.255.255 the moment it registers. DHCP relay has been disabled on the AP and I'm blocking bootp for both client / server on the access points under port filtering for both in / out. So the SM shouldn't be able to access any rogue DHCP servers out there, if I'm not mistaken?

-steph

Just wondering whether there's any additional information regarding my question?

My understanding around the Installation color code is that it should be used to make it easier for installers to align the SM unit without worrying about configs getting passed by RADIUS, like VLAN settings which will essentially isolate the SM from getting accessed directly over the LAN port? In short, allowing them basic access to the SM via LAN until the SM is aligned properly, after which they can throw it in operation mode?

Anyway, thanks in advance,

-steph

I was not aware that the SM will silently enable the DHCP client when registering via ICC now. Is that something new with 13.4.1/14.1.x? If that's the case, then I'd imagine that it would fall back to 169.254.1.1 after a minute or two if it cannot obtain a DHCP lease. Hopefully.

Our installers mostly do tone alignment and then call into the office where a tech logs in via LUID proxy and verifies signal, link test, etc. and then does provisioning. So our installers don't normally need to log into the SM locally.

And with the newer releases, you can have an ICC connected SM bypass all authentication. You can also have the SM end up in the AP's management VLAN via ICC. I recommended this because out-of-box default SMs wouldn't have your RADIUS certs, pre-shared key, etc. which would put a roadblock in front of zero-touch.

The SM enables DHCP with ICC; this is a zero-touch configuration feature from 13.3 onward.

More details can be found at the following webinar

http://community.cambiumnetworks.com/t5/PMP-450/Zero-Touch-Configuration-webinar/m-p/47270#M1628

Basically, the SM enables DHCP after registering with the AP to get the configuration file URL using DHCP option 66.

Yes, the SM will fall back to the default IP if no DHCP server is found.

So essentially an ICC SM can bypass authentication and get a configuration file (using DHCP option 66).

This configuration file can contain the RADIUS certificate, username, shared secret, color code, etc.

The configuration will be applied to the SM and it reboots (the SM can be rebooted when configuration file changes are applied; this can be controlled using the config file attribute "rebotIfRequired" set to true).

The next time the SM boots up, it won't bypass authentication and will get authenticated with the RADIUS server, where the administrator can further push a few other configuration items like MIR/CIR etc.

Note: For an ICC SM, DHCP will ONLY be enabled if the IP address is the default, i.e. 169.254.1.1

@Steph: in your case the problem seems to be that the ICC SM enabled DHCP and you don't have a DHCP server, but after a couple of minutes of timeout the SM will fall back to 169.254.1.1 and you can access it.

Hi Chitrang, thanks for the explanation... I think I understand things a little better now.

Hi Steph,

Meanwhile, you can set your SM IP to 169.254.1.2 (anything but .1); in that case the ICC SM won't start DHCP.

We are working on a fix where after retries the SM will fall back to the default IP.

For now, please use the above workaround.

Thanks,

Chitrang