PMP450, Radius, and Universal Admin account


In the User Guide under the "Web User Authentication" it says you can setup an admin user with fields in the "User Authentication" section of the Cambium web interface.

Is there a way to authenticate a universal management account via Radius to the SMs without having to touch each radio?   We would like to be able to login to any radio with one management account without having to configure each radio by hand.

If you want login each SM with single web user account via RADIUS, that is possible.

However to do that you have to make some config change like

- Set Auth type as 'Remote Then Local'

- Enable Fallback to local login [failsafe but not mandatory]

To avoid configuring this on each and every SM you can use zero-touch approach.You need a DHCP server and a TFTP server.Pack the above configuration in a config file and place in FTP/TFTP server path

When the ICC SM is registered  to AP, once it is registered, SM enables DHCP and gets option 66 [configure this in your DHCP server to point to TFTP URL of configuration file]

- SM receives this URL and applies the configuration

So now next time you can login with that single RADIUS account.

If you use cnMaestro server,you can avoid DHCP and TFTP. Once your SM is onboarded with cnMaestro cloud this config template will be pushed to SM.

On this page

Check Configure Device section , and apply the template.

One more way is to configure using SNMP, check the corresponding OID in MIB file.

When the SM registers via ICC, does the SM automatically enable DHCP immediately?

Can cnMaestro be configured to automatically push the config template to the SM when it is onboarded, so that it requires no manual template push?

It's super when the AP tells the SMs how to behave. For instance, it passes down cnmaestro connection details to each SM. Could these Radius settings also be pushed to the SM in a newer fw release?



Hi Chitrang,

Thanks for the reply and links.  We're stll having a bit of trouble getting an admin account to authenticate.

1.  We set the AP and SM to Remote Then Local.

2.  We setup the radio MAC in Radius (0a-00-3e-b8-c2-35).  This device authentication successfully connects and pushes settings from radius to the radio (lines 74 and 75 in the below radcheck table).  There are additional entries in radusergroup for this.

3.  When then setup an okpud admin user in radius (see lines 76,77,78,79 in the below radcheck table).  There are no radusergroup entries for this user.

radcheck table entries:

75 | 0a-00-3e-b8-c2-35 | Calling-Station-Id       | := | 0a-00-3e-b8-c2-35
74 | 0a-00-3e-b8-c2-35 | Cleartext-Password       | := | password
76 | okpud             | Cleartext-Password       | := | test123
77 | okpud             | Calling-Station-Id       | := | 0a-00-3e-b8-c2-35
78 | okpud             | Cambium-Canopy-UserLevel | := | 3
79 | okpud             | Cambium-Canopy-UserMode  | := | 0

4.  We can see successful okpud authentication in the radpostauth table:

476 | okpud                        | Chap-Password     | Access-Accept |                 |                  | 2017-07-13 13:46:30.152799-07
 477 | okpud                        | Chap-Password     | Access-Reject |                 |                  | 2017-07-13 13:51:01.459908-07
 478 | okpud                        | Chap-Password     | Access-Accept |                 |                  | 2017-07-13 13:53:28.691118-07
 479 | okpud                        | Chap-Password     | Access-Accept |                 |                  | 2017-07-13 13:54:29.385536-07

5.  However, when we try to login to the SM with the okpud user, it directs us to the "Unauthorized" page.

Attached is the radius server debug.  Do you see anything that would be preventing an admin user account from authorizing?

Please note that our SMs are on a different subnet from our AP and radius server.


I checked your debug log and there is a problem.

Check Access-Accept packet of okpad , I dont see this attribute

'Canopy-User-Level=3' in  Access-Accept response

That is the reason UI failed to login, because although authentication is successful but radio doesnt know which level to login (ADMIN/INSTALLER/TECH etc) that is the job of VSA atttribute.

So please debug  why this Atrribute is not getting picked.