The new firmware release introduces support for a proxy server client to connect to the AFC server. The proxy server client is available for AP/SM radio mode and for all driver modes (ePTP, WLR, TDD). The feature comes to resolve AFC server access issues when ISP infrastructure management is exempt from Internet access.
The proxy server client can be configured using all standard ePMP configuration methods.
E4600_4x4_99ee10>config set cambiumAfcProxyEnable 1
E4600_4x4_99ee10>config set cambiumAfcProxyIP 192.168.0.241
E4600_4x4_99ee10>config set cambiumAfcProxyPort 3128
E4600_4x4_99ee10>config set cambiumAfcProxyPass admin123
E4600_4x4_99ee10>config set cambiumAfcProxyUser test
E4600_4x4_99ee10>config commit
E4600_4x4_99ee10>reboot
cambiumAfcProxyEnable OBJECT-TYPE
    SYNTAX      Integer32 (0|1)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enable Proxy for AFC
         0 - Disable,
         1 - Enable
         Device Allocation: AP, SM"
    DEFVAL      { 0 }
    ::= { cambiumAFCStatus 7 }

cambiumAfcProxyIP OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Ip address of proxy server for connection with AFC.
         Device Allocation: AP, SM"
    ::= { cambiumAFCStatus 8 }

cambiumAfcProxyPort OBJECT-TYPE
    SYNTAX      Integer32 (1..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Port of proxy server for connection with AFC.
         Device Allocation: AP, SM"
    DEFVAL      { 3128 }
    ::= { cambiumAFCStatus 9 }

cambiumAfcProxyUser OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0|1..64))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "User of proxy server for connection with AFC.
         Authentication is disabled when empty.
         Device Allocation: AP, SM"
    ::= { cambiumAFCStatus 12 }

cambiumAfcProxyPass OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0|1..64))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Password for proxy server for connection with AFC.
         Authentication is disabled when empty.
         Device Allocation: AP, SM"
    ::= { cambiumAFCStatus 13 }
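An added example (not Cambium's code and not part of the original post): a Python helper that converts the http://user:pass@proxyIP:port form mentioned later in this thread into the cambiumAfcProxy* settings above and enforces the MIB limits before anything is pushed to a radio. The names proxy_url_to_epmp and to_cli are hypothetical, and refusing a half-set user/password pair or whitespace in credentials is this example's own policy, chosen because an empty field disables authentication.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

def proxy_url_to_epmp(url):
    """Map http://user:pass@ip:port onto the cambiumAfcProxy* keys, enforcing the MIB limits."""
    u = urlsplit(url)
    if u.scheme != "http":
        # The thread says SOCKS5 is not supported; HTTPS to the proxy is not confirmed on the page.
        raise ValueError(f"unsupported proxy scheme {u.scheme!r}")
    try:
        ip = ipaddress.IPv4Address(u.hostname or "")  # SYNTAX IpAddress: IPv4 literal, no hostname
    except ValueError:
        raise ValueError("cambiumAfcProxyIP must be an IPv4 address literal") from None
    port = 3128 if u.port is None else u.port         # DEFVAL { 3128 }
    if not 1 <= port <= 65535:                        # Integer32 (1..65535)
        raise ValueError("cambiumAfcProxyPort must be in 1..65535")
    user, password = unquote(u.username or ""), unquote(u.password or "")
    for key, value in (("cambiumAfcProxyUser", user), ("cambiumAfcProxyPass", password)):
        if len(value) > 64:                           # DisplayString (SIZE(0|1..64))
            raise ValueError(f"{key} is longer than 64 characters")
        # Assumption of this example: the CLI line is space separated, so refuse spaces,
        # control characters and non-ASCII instead of guessing at quoting rules.
        if " " in value or not (value.isascii() and value.isprintable()):
            raise ValueError(f"{key} contains unsupported characters")
    if bool(user) != bool(password):
        # Per the MIB, an empty field disables authentication; refuse the half-set case.
        raise ValueError("set both proxy user and password, or neither")
    return {"cambiumAfcProxyEnable": 1, "cambiumAfcProxyIP": str(ip),
            "cambiumAfcProxyPort": port, "cambiumAfcProxyUser": user,
            "cambiumAfcProxyPass": password}

def to_cli(cfg):
    """Render the settings as the CLI lines shown in the post (empty values are skipped)."""
    lines = [f"config set {key} {value}" for key, value in cfg.items() if value != ""]
    return lines + ["config commit", "reboot"]

if __name__ == "__main__":
    # Sample values are the ones from the CLI example in the post.
    print("\n".join(to_cli(proxy_url_to_epmp("http://test:admin123@192.168.0.241:3128"))))
```

Credentials containing characters such as @ or : must be percent-encoded in the URL; the helper decodes them before applying the length check.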
AFC is only for radios set to FCC right now. So to use a ROW radio with AFC, you have to set the country to USA. However, if your country participates in the AFC system (currently USA and Canada), then the GPS coordinates will give you access to the correct system settings for your country; an example is the extra U-NII band for Canada.
Could you tell me more about your use case? This feature was implemented for ISPs where equipment management networks have no connection to the Internet. So everything happens internally.
Our use-case is for our SMs with private IPs to be able to reach the AFC over the internet.
We already have a proxy server set up that is used for this same purpose for Cambium CBRS, and we use the http://user:pass@proxyIP:port format. We require authentication so that it doesn’t get abused by people trying to use an open proxy, as it’s on a public IP (we use this proxy for multiple things, and do not want to try and just use an ACL for our SM IP ranges).
Any luck on proxy authentication support, @aka? We’re hoping for the same functionality in ePMP that we currently use in Cambium CBRS, which offers proxy authentication support.
A proxy server client with authentication may be implemented in the future. Unfortunately, I cannot provide any ETA at the present moment. Our main priority now is TDD improvement and polishing basic AFC functionality.
I would suggest using an ACL instead of authentication.
We have implemented authentication for the client. Here is 5.8.0-RC24
I would really appreciate it if you try it and tell me if it works for you!
SOCKS5 proxy is not supported.
Device agent will work as before. I believe you don’t use cloud Maestro.
Sounding may glitch in this build. So it is just for test purposes.
I’m curious - do any of the people that require proxy authentication require that you connect to the proxy over https? If so, do you use a self-signed certificate or a CA-signed one?
How is your proxy accessed?
Proxy is accessed via HTTP
Proxy is accessed via HTTPS with a self-signed certificate
Proxy is accessed via HTTPS with a CA-signed certificate
I use CA-signed on everything except the closed-off portion of the network where management connections and services are held; for these I use self-signed, since the devices cannot check the chain of trust.