[New Feature - 5.7.1] Proxy Server client for AFC connection

Affected platforms: FCC locked 6 GHz AX platform
Affected versions: 5.7.1 and above

The new firmware release introduces support for a proxy server client to connect to the AFC server. The proxy server client is available for AP/SM radio mode and for all diver modes (ePTP, WLR, TDD). The feature comes to resolve AFC server access issues when ISP infrastructure management is exempt from Internet access.

The proxy server client can be configured using all standard ePMP configuration methods.

GUI >> Configuration >> Radio >> AFC

Configuration via CLI

E4600_4x4_99ee10>config set cambiumAfcProxyEnable 1
E4600_4x4_99ee10>config set cambiumAfcProxyIP 192.168.0.241
E4600_4x4_99ee10>config set cambiumAfcProxyPort 3128
E4600_4x4_99ee10>config set cambiumAfcProxyPass admin123
E4600_4x4_99ee10>config set cambiumAfcProxyUser test
E4600_4x4_99ee10>config commit 
E4600_4x4_99ee10>reboot

Configuration via CnMaestro template

{
    "device_props": {
        "cambiumAfcProxyEnable": "1",
        "cambiumAfcProxyIP": "192.168.0.241",
        "cambiumAfcProxyPort": "3128",
        "cambiumAfcProxyUser": "test",
        "cambiumAfcProxyPass": "admin123" 
    }
}

SNMP MIB objects:

cambiumAfcProxyEnable OBJECT-TYPE
	SYNTAX     Integer32 (0|1)
	MAX-ACCESS read-write
	STATUS     current
	DESCRIPTION
		"Enable Proxy for AFC
		 0 - Disable,
		 1 - Enable
		 Device Allocation: AP, SM"
	DEFVAL { 0 }
	::= { cambiumAFCStatus 7 }

cambiumAfcProxyIP OBJECT-TYPE
	SYNTAX     IpAddress
	MAX-ACCESS read-write
	STATUS     current
	DESCRIPTION
		"Ip address of proxy server for connection with AFC.
		 Device Allocation: AP, SM"
	::= { cambiumAFCStatus 8 }

cambiumAfcProxyPort OBJECT-TYPE
	SYNTAX     Integer32 (1..65535)
	MAX-ACCESS read-write
	STATUS     current
	DESCRIPTION
		"Port of proxy server for connection with AFC.
		 Device Allocation: AP, SM"
	DEFVAL { 3128 }
	::= { cambiumAFCStatus 9 }

cambiumAfcProxyUser OBJECT-TYPE
	SYNTAX     DisplayString (SIZE(0|1..64))
	MAX-ACCESS read-write
	STATUS     current
	DESCRIPTION
		"User of proxy server for connection with AFC.
		 Authentication is disabled when empty.
		 Device Allocation: AP, SM"
	::= { cambiumAFCStatus 12 }

cambiumAfcProxyPass OBJECT-TYPE
	SYNTAX     DisplayString (SIZE(0|1..64))
	MAX-ACCESS read-write
	STATUS     current
	DESCRIPTION
		"Password for proxy server for connection with AFC.
		 Authentication is disabled when empty.
		 Device Allocation: AP, SM"
	::= { cambiumAFCStatus 13 }

2 Likes

Is there an ETA for release of 5.7.1, or of a beta to test this functionality?

It’s coming in a couple days. Probably tomorrow.

Thanks

1 Like

Hi Fedor, this feature AFC is only available in USA? at least i see this in the LinkPlanner online. Should be available for ROW in a future? thanks!

When will the proxy server software be available?

AFC is only for radios set to FCC right now. So to use a ROW radio with AFC you have to set the country to USA. However if your country participates in the AFC system (currently USA and Canada) then the GPS coordinates will give you access to the correct system settings for your country, example is the extra unii band for canada.

2 Likes

I believe any HTTP proxy that supports the CONNECT method (such as Squid) should work.

2 Likes

5.7.1-RC9 (a beta release) has been released today.

https://community.cambiumnetworks.com/t/epmp-software-release-5-7-1-rc9-beta-is-now-available/99957

Thanks

Is there support for proxy authentication?

No, I’m afraid not, sorry.

could proxy authentication be added in future versions?

Hello @Arakasi,

could you tell me more about your use case? This feature was implemented for ISPs where equipment management networks have no connection to Internet. So everything happens internally.

Our use-case is for our SMs with private IPs to be able to reach the AFC over the internet.

We already have a proxy server setup that is used for this same purpose for Cambium CBRS, and we use the http://user:pass@proxyIP:port format. We require authentication so that it doesn’t get abused by people trying to use an open proxy, as it’s on a public IP (we use this proxy for multiple things, and do not want to try and just use an acl for our SM IP ranges).

1 Like

Any luck on proxy authentication support, @aka ? We’re hoping for same functionality in ePMP that we currently use in Cambium CBRS which offers proxy authentication support.

1 Like

Hello @cbl and @Arakasi,

proxy server client with authentication may be implemented in the future. Unfortunately, I can not provide any ETA at present moment. Our main priority now is TDD improvement and polishing basic AFC functionality.
I would suggest to use ACL instead of authentication.

1 Like

Acl is fine and all but for restricted access systems authentication is a must.

Hi @Douglas_Generous,

we are already working on it. Authentication for proxy client will be introduced in the next release.

Hello @cbl, @Arakasi, @Douglas_Generous and the rest of interested!

We have implemented authentication for the client. Here is 5.8.0-RC24
I will really appreciate if you try it and tell me if it works for you!

SOCKS5 proxy is not supported.
Device agent will work as before. I believe you don’t use cloud Maestro.
Sounding may glitch in this build. So it is just for test purpose.

3 Likes

I’m curious - do any of the people that require proxy authentication require that you connect to the proxy over https? If so, do you use a self-signed certificate or a CA-signed one?

How is your proxy accessed?
  • Proxy is accessed via HTTP
  • Proxy is accessed via HTTPS with a self-signed certificate
  • Proxy is accessed via HTTPS with a CA-signed certificate
0 voters
2 Likes

I use CA-signed on everything except the closed off portion of the network where management connections and services are held, for these I use self-signed since the devices can not check the chain of trust.