I'm running RADIUS authentication to pass the IP, VLAN and QoS settings, but I was wondering whether there's a way to tell the AP not to pass any of that information when the SM is configured on Color code 0 / Installation color code?
Basically to drop the SM out of the network so the tech guys can log into it by using the default IP and not worry about VLANs etc. when they're doing maintenance like aligning the unit.
Now perhaps I've missed something, but this feature found on the AP under Security seems to be intended for just that, yet the SM still receives authentication information even when this is enabled.
"Disable Authentication for SM connected via ICC"
The AP I'm testing this on is running version 1.4.1.
Hi Steph,
“Disable Authentication for SM connected via ICC” [default is disabled, i.e. every SM will authenticate with RADIUS if Security is enabled].
Now if you set this config to enabled, then ICC-enabled SMs will not authenticate to RADIUS and they will just be in session with the AP; you will see a message in red saying SM connected via ICC, Bridging disabled.
Hope it helps,
Thanks, Chitrang
Disabled Authentication for SM connected via ICC: is set to enabled
But the SM still seems to be registering on the best AP, since I'm unable to ping the default address a minute or two after rebooting. It basically becomes inaccessible from the LAN port through the default IP 169.254.1.1 configured under Network settings on the SM.
However, I'm still able to log into the unit via the AP and I do see the red text on the SM:
SM is registered via ICC - Bridging Disabled! It also shows when you go to the AP session page
IN SESSION (ICC)
Which VLAN will the Canopy inherit when it joins the AP under ICC conditions?
The ARP tab under Statistics shows the IP address as 255.255.255.255 with a MAC of ff-ff-ff-ff-ff-ff. So something seems to be passing the IP, I'm guessing, since it's saying "Public IP is not enabled" before the SM registers.
IP Address Physical Address Interface Pending Create Time Last Time
Just FYI, if you're saying that the SM management stops responding on 169.254.1.1 when you're on the local/wired side after a few minutes of being registered to an AP via ICC, then I have seen this too. If someone logs into the AP and drops the session, then local access will work again for a few minutes. I haven't had a chance to debug it. But it has been happening for a very long time, like back to 11.2 when the ICC feature was introduced. Luckily the field techs rarely need to access the SM. The use case of ICC (for us) is to allow the tech to install a default SM on a sector and a NOC/office tech handles provisioning.
Hi George, that's spot on... Seems the AP is giving the SM an IP of 255.255.255.255 the moment it registers. DHCP relay has been disabled on the AP and I'm blocking bootp for both client and server on the access points under port filtering, for both in and out. So the SM shouldn't be able to access any rogue DHCP servers out there, if I'm not mistaken?
Just wondering whether there's any additional information regarding my question?
My understanding of the Installation color code is that it should be used to make it easier for installers to align the SM unit without worrying about configs getting passed by RADIUS, like VLAN settings, which will essentially isolate the SM from getting accessed directly over the LAN port? In short, allowing them basic access to the SM via LAN until the SM is aligned properly, after which they can throw it in operation mode?
I was not aware that the SM will silently enable the DHCP client when registering via ICC now. Is that something new with 13.4.1/14.1.x? If that's the case, then I'd imagine that it would fall back to 169.254.1.1 after a minute or two if it cannot obtain a DHCP lease. Hopefully.
Our installers mostly do tone alignment and then call into the office where a tech logs in via LUID proxy and verifies signal, link test, etc. and then does provisioning. So our installers don't normally need to log into the SM locally.
And with the newer releases, you can have an ICC connected SM bypass all authentication. You can also have the SM end up in the AP's management VLAN via ICC. I recommended this because out-of-box default SMs wouldn't have your RADIUS certs, pre-shared key, etc. which would put a roadblock in front of zero-touch.
Basically, the SM enables DHCP after registering with the AP to get the configuration file URL using DHCP option 66.
Yes, the SM will fall back to the default IP if no DHCP server is found.
So essentially an ICC SM can bypass authentication and get a configuration file (using DHCP option 66).
This configuration file can contain the RADIUS certificate, username, shared secret, color code etc.
The configuration will be applied to the SM and it reboots (the SM can be rebooted when configuration file changes are applied; this can be controlled using the config file attribute "rebootIfRequired" set to true).
Next time the SM boots up, it won't bypass authentication and will get authenticated with the RADIUS server, where the administrator can further push a few other configurations like MIR/CIR etc.
Note: For an ICC SM, DHCP will ONLY be enabled if the IP address is the default, i.e. 169.254.1.1
@Steph: in your case the problem seems to be that the ICC SM enabled DHCP and you don't have a DHCP server, but after a couple of minutes of timeout the SM will fall back to 169.254.1.1 and you can access it.