Chapter 7: Configuration
Configuring a RADIUS server
HTTP and HTTPS – If enabled, the radio can be accessed via both HTTP and HTTPS.
SNMP: This option configures the SNMP agent communication version. It can be selected from the drop-down list:
SNMPv2c Only – Enables the SNMP v2 community protocol.
SNMPv3 Only – Enables the SNMP v3 protocol. It is a secured communication protocol.
SNMPv2c and SNMPv3 – Enables both protocols.
SM Authentication Mode – Require RADIUS or Follow AP
If it is desired that an SM only authenticate to an AP that is using RADIUS, set Enforce Authentication to AAA on the SM’s Configuration > Security tab. With this enabled, the SM does not register to an AP that has any Authentication Mode other than RADIUS AAA selected.
Attribute: Meaning
Authentication Key: The authentication key is a 32-character hexadecimal string used when Authentication Mode is set to AP PreShared Key. By default, this key is set to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.
Identity/Realm: If Realms are being used, select Enable Realm and configure an outer identity in the Identity field and a Realm in the Realm field. These must match the Phase 1/Outer Identity and Realm configured in the RADIUS server. The default Identity is “anonymous”. The Identity can be up to 128 non-special (no diacritical markings) alphanumeric characters. The default Realm is “canopy.net”.
Encryption Setting: Specify the type of airlink security to apply to this AP. The encryption setting must match the encryption setting of the SMs.
None provides no encryption on the air link.
DES (Data Encryption Standard): An over-the-air link encryption option that uses secret 56-bit keys and 8 parity bits. DES performs a series of bit permutations, substitutions, and recombination operations on blocks of data.
HTTPS Only – Provides secured web access. The radio is to be accessed via https://.
HTTP and HTTPS – If enabled, the radio can be accessed via both HTTP and HTTPS.
SNMP: This option configures the SNMP agent communication version. It can be selected from the drop-down list:
SNMPv2c Only – Enables the SNMP v2 community protocol.
SNMPv3 Only – Enables the SNMP v3 protocol. It is a secured communication protocol.
Handling Certificates
Managing SM Certificates via the SM GUI
The default public Canopy certificates are loaded into SMs upon factory software installation. The default certificates are not secure and are intended for use during lab and field trials as part of gaining experience with the RADIUS functionalities or as an option during debug. For secure operation, an operator will want to create or procure their own certificates.
Figure 145 SM Certificate Management
Configuring RADIUS servers for SM authentication
Your RADIUS server must be configured to use the following:
EAPTTLS or MSCHAPv2 as the Phase 1/Outer Identity protocol.
If Enable Realm is selected on the SM’s Configuration > Security tab, then the same Realm appears there (or access to it).
A server private certificate, server key, and CA certificate that complement the public certificates distributed to the SMs, as well as the Canopy dictionary file that defines Vendor Specific Attributes (VSAs). Default certificate files and the dictionary file are available from the software site: https://support.cambiumnetworks.
Assigning SM management IP addressing via RADIUS
Operators may use a RADIUS AAA server to assign management IP addressing to SM modules (framed IP address). SMs now interpret attributes Framed-IP-Address, Framed-IP-Netmask, and Cambium-Canopy-Gateway from RADIUS. The RADIUS dictionary file has been updated to include the Cambium-Canopy-Gateway attribute and is available on the Cambium Software Support website.
Note
Beginning with System Release 12.0.2, two RADIUS dictionary files are available on the Cambium website – “RADIUS Dictionary file – Cambium” and “RADIUS Dictionary file – Motorola”. In addition to a renaming of attributes, the Cambium-branded dictionary file contains two new VSAs for controlling uplink and downlink Maximum Burst Data Rate (these VSAs are listed below in Table 172).
Configuration > Quality of Service > Sustained Uplink Data Rate; dependent on radio feature set
Cambium-Canopy-ULBL; 0-2500000 kbps; 26.161.7 integer N; Configuration > Quality of Service > Uplink Burst Allocation; dependent on radio feature set
Cambium-Canopy-DLBR; 0-100000 kbps; 26.161.8 integer N; Configuration > Quality of Service > Sustained Downlink Data Rate; dependent on radio feature set
Cambium-Canopy-DLBL; 0-2500000 kbps; 26.161.
Cambium-Canopy-ULMB; 0-100000 kbps; 26.161.26 integer N; Configuration > Quality of Service > Max Burst Uplink Data Rate; 0
Cambium-Canopy-DLMB; 0-100000 kbps; 26.161.27 integer N; Configuration > Quality of Service > Max Burst Downlink Data Rate; 0
Cambium-Canopy-UserLevel; 1-Technician, 2-Installer, 3-Administrator; 26.161.50 integer N; Account > Add User > Level
Cambium-Canopy-DHCPState 0 26.161.
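How the attributes in the table above look on the wire, and how to check what a RADIUS server actually returns against the listed ranges. This is an added example, not code from the guide or from Cambium; it assumes the VSAs use the standard RFC 2865 sub-attribute layout (vendor-type, vendor-length, value) with 4-byte integers, and the sample attribute list is constructed.

```python
import struct

VSA_TYPE = 26            # RADIUS Vendor-Specific attribute (RFC 2865)
CAMBIUM_VENDOR_ID = 161  # vendor code given on this page

# vendor-type -> (name, min, max), copied from the attribute table on this page
CAMBIUM_VSAS = {
    7: ("Cambium-Canopy-ULBL", 0, 2500000),
    8: ("Cambium-Canopy-DLBR", 0, 100000),
    26: ("Cambium-Canopy-ULMB", 0, 100000),
    27: ("Cambium-Canopy-DLMB", 0, 100000),
    50: ("Cambium-Canopy-UserLevel", 1, 3),  # 1-Technician, 2-Installer, 3-Administrator
}


def encode_vsa(vendor_type, value):
    """Build one type-26 attribute carrying a single Cambium integer sub-attribute."""
    name, lo, hi = CAMBIUM_VSAS[vendor_type]
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}-{hi}")
    sub = struct.pack("!BBI", vendor_type, 6, value)  # vendor-type, vendor-length, value
    return struct.pack("!BBI", VSA_TYPE, 6 + len(sub), CAMBIUM_VENDOR_ID) + sub


def _split_tlvs(buf, what):
    """Yield (type, value) pairs; each length byte covers its own 2-byte header."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} header at offset {pos}")
        t, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad {what} length {length} at offset {pos}")
        yield t, buf[pos + 2:pos + length]
        pos += length


def audit_cambium_vsas(attrs):
    """Return (name, value, problem) per Cambium sub-attribute; problem is None if valid."""
    findings = []
    for a_type, body in _split_tlvs(attrs, "attribute"):
        if a_type != VSA_TYPE or len(body) < 4:
            continue  # not a vendor-specific attribute
        if struct.unpack("!I", body[:4])[0] != CAMBIUM_VENDOR_ID:
            continue  # some other vendor
        for v_type, data in _split_tlvs(body[4:], "sub-attribute"):
            if v_type not in CAMBIUM_VSAS:
                findings.append((f"vendor-type {v_type}", data.hex(), "not in CAMBIUM_VSAS"))
                continue
            name, lo, hi = CAMBIUM_VSAS[v_type]
            if len(data) != 4:
                findings.append((name, data.hex(), "integer attributes carry 4 bytes"))
                continue
            value = struct.unpack("!I", data)[0]
            problem = None if lo <= value <= hi else f"outside {lo}-{hi}"
            findings.append((name, value, problem))
    return findings


# Constructed sample: the attribute section of an Access-Accept (not a capture).
SAMPLE = (
    bytes([1, 7]) + b"tech1"                     # User-Name, ignored by the audit
    + encode_vsa(50, 3)                          # UserLevel = Administrator
    + encode_vsa(27, 50000)                      # DLMB = 50000 kbps
    + bytes.fromhex("1a0c000000a1320600000009")  # hand-built UserLevel = 9 (invalid)
)

if __name__ == "__main__":
    for name, value, problem in audit_cambium_vsas(SAMPLE):
        print(f"{name:26} {value!s:>8}  {problem or 'ok'}")
```

Running the audit over the attributes of a test Access-Accept is a quick way to confirm that a server-side typo has not granted level 3 (Administrator) where level 1 was intended.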
Configuring RADIUS server for SM configuration using Zero Touch feature
The RADIUS VSA (Vendor Specific Attributes) is updated for the Zero Touch feature. This feature enables an SM to get its configuration via RADIUS VSA. The RADIUS VSA is updated with a URL which points to the configuration file of the SM (see Table 172 for the list of VSAs). The RADIUS server will push the vendor specific attribute to the SM after successful authentication.
Using RADIUS for centralized AP and SM user name and password management
AP – Technician/Installer/Administrator Authentication
To control technician, installer, and administrator access to the AP from a centralized RADIUS server:
Procedure 28 Centralized user name and password management for AP
1 Set Authentication Mode on the AP’s Configuration > Security tab to RADIUS AAA
2 Set User Authentication Mode on the AP’s Account > User Authentication tab
Table 173 AP User Authentication and Access Tracking attributes
Attribute: Meaning
User Authentication Mode:
Local: The local SM is checked for accounts. No centralized RADIUS accounting (access control) is performed.
Remote: Authentication by the centralized RADIUS server is required to gain access to the AP. For up to 2 minutes a test pattern is displayed until the server responds or times out.
Remote then Local: Authentication using the centralized RADIUS server is attempted. If the server sends a reject message, then the setting of Allow Local Login after Reject from AAA determines if the local user database is checked or not. If the configured servers do not respond within 2 minutes, then the local user database is used. The successful login method is displayed in the navigation column of the AP.
User Authentication Method
SM – Technician/Installer/Administrator Authentication
The centralized user name and password management for the SM is the same as for the AP. Follow the AP – Technician/Installer/Administrator Authentication procedure on page 7-236.
Note
Remote access control is enabled only after the SM registers to an AP that has Authentication Mode set to RADIUS AAA.
Remote: Authentication by the centralized RADIUS server is required to gain access to the SM if the SM is registered to an AP that has RADIUS AAA Authentication Mode selected. For up to 2 minutes a test pattern is displayed until the server responds or times out.
Remote then Local: Authentication using the centralized RADIUS server is attempted.
Allow Local Login after Reject from AAA
Sender: AP
Message: Accounting-Request
Attribute: Value (Description)
Acct-Session-Id: Unique per AP session. Initial value is SM MAC, and increments after every start message sent of an in-session SM.
Event-Timestamp: UTC time the event occurred on the AP
Description: This message is sent every time an SM registers with an AP, and after the SM stats are cleared.
Acct-Status-Type: 2 - Stop
Acct-Session-Id: Unique per AP session.
Sender: AP
Message: Accounting-Request
Attribute: Value
Acct-Output-Packets: Sum of unicast and multicast packets that are sent from a particular SM over the regular data VC and the high priority data VC (if enabled).
Acct-Session-Time: Uptime of the SM session.
Acct-Terminate-Cause: Reason code for session termination
Acct-Status-Type: 3 - Interim-Update
Acct-Session-Id: Unique per AP session.
Sender, Message
Attribute: Value
Acct-Input-Packets: Sum of unicast and multicast packets that are sent to a particular SM over the regular data VC and the high priority data VC (if enabled). It will not include broadcast.
Acct-Output-Packets: Sum of unicast and multicast packets that are sent from a particular SM over the regular data VC and the high priority data VC (if enabled).
RADIUS Device Re-authentication
PMP 450 Platform systems include support for periodic SM re-authentication in a network without requiring the SM to re-register (and drop the session). The re-authentication may be configured to occur in the range of every 30 minutes to weekly.
Figure 148 Device re-authentication configuration
The re-authentication interval is only configurable on the AP.
RADIUS Change of Authorization and Disconnect Message
Prior to this feature, the SM got configuration parameters from a RADIUS server during the authentication process. This feature allows an administrator to control configuration parameters in the SM while the SM is in session. The configuration changes in the SM are done using the RADIUS Change of Authorization method (RFC 3576) on the existing RADIUS authentication framework for AP and SM.
Microsoft RADIUS support
This feature allows Microsoft RADIUS (Network Policy and Access Services, a.k.a. NPS) to be configured as the authentication server for SM and User authentication. For SM Authentication, the SM will use PEAP-MSCHAPv2 since NPS doesn't support the TTLS protocol. For User Authentication, the Canopy software will use EAP-MD5, but the user has to do certain configuration in order to enable EAP-MD5 on NPS.
NPS Configuration (https://technet.microsoft.com/en-us/network/bb545879.aspx)
The following items should be configured in the NPS Console:
RADIUS Client
Connection Request Policies
o https://technet.microsoft.com/en-us/library/cc730866
o https://technet.microsoft.com/en-us/library/cc732929
o Choose 'Wireless-Other' in NAS-Port-Type
Network Policy
o https://technet.microsoft.com/en-us/library/cc755309
o Choose 'Wireless-Other' in NAS-Port-Type.
Figure 152 Selecting MD5 from NPS console
Next, open 'Active Directory Users and Computers' and create a user. Make sure the user property is configured as shown below.
Before using VSA, the Cambium-Canopy-UserLevel(50) VSA must be configured with an access level, for example ADMIN(3). Follow the link below for configuring the VSA: https://technet.microsoft.com/en-us/library/cc731611
Cambium’s vendor code is 161.
Figure 154 RADIUS VSA configuration
The user can enable accounting in NPS under NPS Console > Accounting > Configure Accounting. For more details refer https://technet.microsoft.
Cisco ACS RADIUS Server Support
This briefly explains how to configure the Cisco ACS RADIUS server for PEAP-MSCHAPv2 authentication. The configuration has been tested on Cisco ACS Version: 5.7.0.
Creating RADIUS instance
Figure 157 Creating RADIUS instance
RADIUS protocols
Figure 158 RADIUS protocols
Service selection
Figure 159 Service selection
Adding Trusted CA
Figure 160 Adding Trusted CA
Note that the certificate has to be in DER form, so if you have it in PEM format, convert it using openssl:
    openssl.exe x509 -in /cacert_aaasvr.pem -outform DER -out /cacert_aaasvr.der
Installing Server Certificate
After installing the trusted CA, you need to add a server certificate which will be used for the TLS tunnel.
Monitoring Logs
Figure 162 Monitoring logs
Configuring VSA
Before using VSA, the user has to add the Cambium Vendor Specific Attributes.
Navigate to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA > Motorola
If Motorola is not present, you can create a Vendor with ID 161 and add all the VSAs one by one.
Figure 163 VSA list
Using VSA for users
Navigate to Access Policies > Access Services > Cambium ACS > Authorization
1.
2. Next, click Create and then click Select (see diagram below).
3. Click Create; from the screen you get the following screen. Choose a name and then move to the RADIUS Attributes tab.
4. Fill in all the attributes you want for that particular user.
Important: Click Add for each attribute and, when done, click Submit.
5. Now you are ready to use this Authorization profile for the user. Select it and press OK.
6. Finally, press Save Changes and you are ready to use it.
Chapter 8: Tools
The AP and SM GUIs provide several tools to analyze the operating environment, system performance and networking, including:
Using Spectrum Analyzer tool
Using the Alignment Tool
Using the Link Capacity Test tool
Using AP Evaluation tool
Using BHM Evaluation tool
Using the OFDM Frame Calculator tool
Using the Subscriber Configuration tool
Using the Link Status tool
Using Spectrum Analyzer tool
The integrated spectrum analyzer can be very useful as a tool for troubleshooting and RF planning, but is not intended to replicate the accuracy and programmability of a high-end spectrum analyzer, which sometimes can be used for other purposes. The AP/BHM and SM/BHS perform spectrum analysis together in the Sector Spectrum Analyzer tool.
Temporarily deploy an SM/BHS for each frequency band range that needs to be monitored, and access the Spectrum Analyzer tab in the Tools web page of the module.
9 Repeat Steps 4 and 6 until the area has been adequately scanned and logged.
As with any other data that pertains to your business, a decision today to put the data into a retrievable database may grow in value to you over time.
Note
Wherever the operator finds that the measured noise level is greater than the sensitivity of the radio that is planned for deployment, use the noise level (rather than the link budget) for your link feasibility calculations.
Table 176 Spectrum Analyzer page attributes - AP
Attribute: Meaning
Display Data Path: Both means that the vertical and horizontal paths are displayed or an individual path may be selected to display only a single-path reading.
Data: For ease of parsing data and to facilitate automation, the spectrum analyzer results may be saved as an XML file. To save the results in an XML formatted file, right-click the “SpectrumAnalysis.xml” link and save the file.
Registered SM Count: This field displays the MAC address and Site Name of the registered SM.
Maximum Count of Registered SMs: This field displays the maximum number of registered SMs.
SM Scanning Bandwidth: This field allows selection of the SM’s scanning bandwidth.
Duration: This field allows operators to configure a specified time for which the spectrum is scanned.
Table 177 Spectrum Analyzer page attributes - SM
Attribute: Meaning
Display Data Path: Refer Table 176 on page 8-5
Data: Refer Table 176 on page 8-5
Display: Refer Table 176 on page 8-5
Min and Max Frequencies in KHz: To scan the min to max range of frequencies, enter the min and max frequencies in KHz and press the Set Min and Max to Full Scan button.
Spectrum Analyzer page of BHM
The Spectrum Analyzer page of BHM is explained in Table 178.
Spectrum Analyzer page of BHS
The Spectrum Analyzer page of BHS is explained in Table 179.
Table 179 Spectrum Analyzer page attributes - BHS
Attribute: Meaning
Data: Refer Table 176 on page 8-5
Display: Refer Table 176 on page 8-5
Session Status: This field displays current session status and rates. The session states can be Scanning, Syncing, Registering or Registered.
Registered Backhaul: This field displays the MAC address of the BHM and the PTP model number
Duration: Refer Table 176 on page 8-5
Perform Spectrum Analysis on Boot Up for one scan: This field allows Spectrum Analysis on boot up of the module, for one scan, to be Enabled or Disabled.
Spectrum Analyzer page result of PMP 450 SM
Figure 165 Spectrum Analyzer page result – PMP 450 SM
Remote Spectrum Analyzer tool
The Remote Spectrum Analyzer tool in the AP/BHM provides additional flexibility in the use of the spectrum analyzer in the SM/BHS. Set the duration from 10 to 1000 seconds, then click the Start Remote Spectrum Analysis button to launch the analysis from that SM/BHS. In PMP configuration, an SM has to be selected from the drop-down list before launching Start Remote Spectrum Analysis.
Table 180 Remote Spectrum Analyzer attributes - AP
Attribute: Meaning
Registered SM Count: This field displays the number of SMs that were registered to the AP before the SA was started. This helps the user know that all the SMs re-registered after performing an SA.
Maximum Count of Registered SMs: This field displays the largest number of SMs that have been simultaneously registered in the AP since it was last rebooted.
Remote Spectrum Analyzer page of BHM
The Remote Spectrum Analyzer page of BHM is explained in Table 181.
Using the Alignment Tool
The SM’s or BHS’s Alignment Tool may be used to maximize Receive Power Level, Signal Strength Ratio and Signal to Noise Ratio to ensure a stable link. The Tool provides color-coded readings to help in judging link quality.
Note
To get the best performance of the link, the user has to ensure the maximum Receive Power Level during alignment by pointing correctly. Proper alignment is important to prevent interference in other cells.
Aiming page and Diagnostic LED – SM/BHS
The SM’s/BHS’s Alignment Tool (located in GUI Tools -> Aiming) may be used to configure the SM’s/BHS’s LED panel to indicate received signal strength and to display decoded beacon information/power levels. The SM/BHS LEDs provide different status based on the mode of the SM/BHS. An SM/BHS in “operating” mode will register and pass traffic normally.
Table 182 Aiming page attributes – SM
Attribute: Meaning
Aiming Mode:
Single Frequency Only: scans only the selected single frequency.
Normal Frequency Scan List: scans all frequencies of the scan list.
Single Frequency: Select a particular frequency from the drop-down menu for scanning.
Scan Radio Frequency Only Mode:
Enabled: the radio is configured to “aiming” or “alignment” mode, wherein the LED panel displays an indication of receive power level.
Power: This field indicates the current receive power level (vertical channel) for the frequency configured in parameter Radio Frequency.
Users: This field indicates the number of SMs currently registered to the AP which is transmitting the beacon information.
ESN: This field indicates the MAC, or hardware address of the AP/BHM which is transmitting the beacon information.
Aiming page of BHS
The Alignment page of BHS is explained in Table 183.
Table 183 Aiming page attributes - BHS
Attribute: Meaning
Refer Table 161 for Attribute details.
Alignment Tone
For coarse alignment of the SM/BHS, use the Alignment Tool located at Tools -> Alignment Tool. Optionally, connect a headset alignment tone kit to the AUX/SYNC port of the SM/BHS and listen to the alignment tone, which indicates greater SM/BHS receive signal power by pitch. By adjusting the SM’s/BHS’s position until the highest frequency pitch is obtained, operators and installers can be confident that the SM/BHS is properly positioned.
Table 184 Alignment Tool Headsets and Alignment tone adapter third party product details
Reference: Product description
ACATHS-01A: Alignment tool headset for the PMP/PTP 450 and 450i Series products
BT-1277: Headset alignment cable (RJ-45) for the PMP/PTP 450i Series products
BT-0674: Headset alignment cable (RJ-12) for the PMP/PTP 450 Series products.
Using the Link Capacity Test tool
The Link Capacity Test tab allows you to measure the throughput and efficiency of the RF link between two modules. Many factors, including packet length, affect throughput. The Link Capacity Test tool has the following modes:
Link Test with Multiple VCs: Tests radio-to-radio communication across selected or all registered VCs, but does not bridge traffic (PMP 450m Series AP only).
Link Test with Multiple VCs
Note
The “Link Test with Multiple VCs” Link Capacity Test is supported for PMP 450m Series AP only.
Procedure 31 Performing a Link Capacity Test - Link Test with Multiple VCs
Link Test Configurations parameters
1 Access the Link Capacity Test tab in the Tools web page of the module.
Figure 171 Link Test with Multiple VCs (1518-byte packet length)
Link Test without Bridging, Link Test with Bridging or Link Test with Bridging and MIR
Figure 172 Link Capacity Test – PMP 450/450i Series AP
Refer Link Test with Multiple VCs on page 8-23 for Link Test procedure.
Figure 173 Link Test without Bridging (1714-byte packet length)
Performing Extrapolated Link Test
The Extrapolated Link Test estimates the link capacity by sending a few packets and measuring link quality. Once the test is initiated, the radio starts the session at the lower modulation, 1X. As traffic is passed successfully across the link, the radio decides to try the next modulation, 2X. This process repeats until it finds the best throughput to estimate the capacity of the link.
Figure 174 Extrapolated Link Test results
Link Capacity Test page of AP
The Link Capacity Test page of AP is explained in Table 185.
Link Test Mode: Select Link Test Mode from the drop-down menu:
Link Test with Multiple VCs (PMP 450m Series AP only)
Link Test without Bridging
Link Test with Bridging
Link Test with Bridging and MIR
Extrapolated Link Test
Signal to Noise Ratio Calculation during Link Test: Enable this attribute to display Signal-to-Noise information for the downlink and uplink when running the link test.
Packet Length: The size of the packets in Bytes to send during the Link Capacity Test
Link Capacity Test page of BHM/BHS/SM
The Link Capacity Test page of BHM/BHS is explained in Table 186.
Using AP Evaluation tool
The AP Evaluation tab on the Tools web page of the SM provides information about the AP that the SM sees.
Note
The data for this page may be suppressed by the SM Display of AP Evaluation Data setting in the Configuration > Security tab of the AP.
The AP Eval results can be accessed via SNMP and config file.
AP Evaluation page
The AP Evaluation page of AP is explained in Table 187.
Cyclic Prefix: OFDM technology uses a cyclic prefix, where a portion of the end of a symbol (slot) is repeated at the beginning of the symbol to allow multipathing to settle before receiving the desired data. A 1/16 cyclic prefix means that for every 16 bits of throughput data transmitted, an additional bit is used. Only the Cyclic Prefix 1/16 can be selected at this time.
ESN: This field displays the MAC address (electronic serial number) of the AP.