On 3/7/19 8:42 AM, Joe Novak wrote:
Are you using your billing system to build the configs? Can you kind of give a work flow of provisioning a customer, just as an example?



I don't have a billing system doing configs. To provision a SM I just need the MAC of the SM to go out and it goes out blank. The only time SMs get touched ahead of time is for pre-assembly, make sure it's not DOA, and maybe to load whatever firmware version is being used.

A RADIUS entry for a customer looks like this:

dn: cn=00-00-00-00-00-00,ou=radusers,dc=rollernet,dc=us
cn: 00-00-00-00-00-00
dialupAccess: true
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
uid: 00-00-00-00-00-00
radiusFramedIPNetmask: 255.255.255.0
userPassword: %RADIUSPASS%
radiusFramedIPAddress: 1.2.3.4
description: %CUSTNAME%
radiusReplyItem: Cambium-Canopy-DLBR += "10000"
radiusReplyItem: Cambium-Canopy-DLBL += "10000"
radiusReplyItem: Cambium-Canopy-DLMB += "20000"
radiusReplyItem: Cambium-Canopy-ULBR += "4000"
radiusReplyItem: Cambium-Canopy-ULBL += "4000"
radiusReplyItem: Cambium-Canopy-ULMB += "8000"
radiusReplyItem: Cambium-Canopy-BCASTMIR += "128"
radiusReplyItem: Cambium-Canopy-HPENABLE += "0"
radiusReplyItem: Cambium-Canopy-HPULCIR += "200"
radiusReplyItem: Cambium-Canopy-HPDLCIR += "200"
radiusReplyItem: Cambium-Canopy-Gateway += "1.2.3.4"
radiusReplyItem: Cambium-Canopy-VLMGVID += "10"
radiusReplyItem: Cambium-Canopy-VLIGVID += "%SM_VLAN%"
radiusReplyItem: Cambium-Canopy-VLLEARNEN += "0"
radiusReplyItem: Cambium-Canopy-ConfigFileImportUrl += "http://configs.example.com/pmp/"

Items in %xx% are variables, and 00-00-00-00-00-00 would be the real MAC of the SM. I use a different password in RADIUS per customer, but that's not mandatory. Descriptions for all the Cambium-Canopy-X attributes are in the docs. But anything in RADIUS can also be set in the config file. I set them ahead of time this way so that if the config file fails to load for any reason at least the SM has an IP address (of course PMP has the proxy thing too but it needs working IP somehow to load config files). Set speeds to whatever you use, these are just random.

No experience with NAT mode, I use QinQ and the SMs are just bridges. So for example an AP or site may have outer VLAN 200 (also set in the SM config below as providerVID) and all customers under it would have inner VLAN 201, 202, 203, etc. where you'd set Cambium-Canopy-VLIGVID += "201". That's a network design choice that everyone will have a different opinion about, this is just how I do it because it works best for me.

Given this the SM will ask for the file "http://configs.example.com/pmp/000000000000.cfg" when it starts up.

Or DHCP (cisco):

ip dhcp pool pmp-icc
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 option 66 ascii "http://configs.example.com/pmp/"

As far as configs, I think someone else said just export the config from an SM after setting it up the way you want it and trim it down. Anything you don't explicitly specify in the config file will just be whatever its default is. I also always have the SM reset to defaults every time it boots so it's always pulling the central config.

Like if you want to do multiple color codes I would recommend setting them in a test SM and then exporting that config to get the format right the first time. Any little mistake in the config file is failure, like forgetting to have or not have a comma in the right place.

A config file template looks like this (edited to remove info specific to me with XXX for strings or 1.2.3.4 for IPs):

{
 "userParameters": {
  "radioConfig": {
   "installationColorCode": 1,
   "factoryResetOnDefaultPlug": 1,
   "regionCode": 25
  },
  "smRadioConfig": {
   "apSelection": 0,
   "colorCodeList": [
    {
     "colorCode": 1,
     "priority": 1
    }
   ]
  },
  "authenticationConfig": {
   "whispWebUserAccessMode": 2,
   "allowRejectThenLocal": 1,
   "accounts": [
    {
     "userName": "XXX",
     "level": 3,
     "readOnly": false,
     "passwordEncrypted": "XXX"
    }
   ],
   "authKeyOption": 0
  },
  "smAuthenticationConfig": {
   "useRealm": 0,
   "authOuterId": "anonymous",
   "authenticationEnforce": 1,
   "phase1": 0,
   "phase2": 2,
   "authUsername": "00-00-00-00-00-00",
   "authPasswordEncrypted": "%RADIUSCRYPTPW%",
   "certificates": [
    "XXX",
    "XXX"
   ]
  },
  "smSpectrumAnalysisConfig": {
   "spectrumAnalysisOnBoot": 0
  },
  "snmpConfig": {
   "snmpPort": 161,
   "commStringROnly": "XXX",
   "snmpMibPerm": 0,
   "commStringRW": "XXX",
   "snmpTrapAddresses": [
    "1.2.3.4",
    "0.0.0.0",
    "0.0.0.0",
    "0.0.0.0",
    "0.0.0.0",
    "0.0.0.0",
    "0.0.0.0",
    "0.0.0.0",
    "0.0.0.0",
    "0.0.0.0"
   ],
   "snmpTrapPort": 162,
   "trapDomainNameAppend": 0,
   "snmpv2cEnable": 1,
   "snmpIpAccessFilter": [
    {
     "address": "1.2.3.4",
     "netmask": 32
    }
   ]
  },
  "smNetworkConfig": {
   "networkAccess": 0,
   "enable8023link": 1
  },
  "location": {
   "siteName": "%CUSTIDENT%",
   "siteLocation": "%CUSTNAME%",
   "siteInfoViewable": 1,
   "siteContact": "XXX",
   "latitude": "%GEO_LAT%",
   "longitude": "%GEO_LONG%",
   "height": %GEO_AGL%
  },
  "networkConfig": {
   "tftpStatus": 1,
   "telnetStatus": 1,
   "sessionTimeout": 600,
   "webAutoUpdate": 3,
   "textSecurityBanner": "XXX",
   "lldpBroadcastEnable": 0,
   "enableSecurityBanner": 0,
   "snmpStatus": 1,
   "packetFilterSmb": 0,
   "lanDhcpState": 0,
   "dnsIpState": 1,
   "dnsPrimaryMgmtIP": "1.2.3.4",
   "dnsAlternateMgmtIP": "1.2.3.4",
   "dnsMgmtDomainName": "XXX",
   "webAccess": 0,
   "ftpStatus": 1,
   "acceptSecurityBanner": 1,
   "lanIp": "169.254.1.1",
   "lanMask": "255.255.0.0",
   "lanGateway": "169.254.0.0"
  },
  "rfSecurityConfig": {
   "encryptionConfig": 1
  },
  "smSyslogConfig": {
   "syslogServerApPreferred": 1,
   "syslogSMXmitControl": 3
  },
  "smNetworkSecurityConfig": {
   "ethAccessEnable": 1
  },
  "syslogConfig": {
   "syslogMinLevelApPreferred": 1,
   "syslogMinLevel": 6
  },
  "vlanConfig": {
   "dynamicLearning": 0,
   "vlanAcceptQinQFrames": 0,
   "providerVID": 200,
   "agingTimeout": 25,
   "vlanPortType": 1,
   "frameType": 0
  },
  "cnMaestroConfig": {
   "cnMaestroUrl": "https://cnmaestro.example.com",
   "cnMaestroEnable": 1
  }
 },
 "cfgFileString": "Canopy configuration file",
 "cfgFileVersion": "1.0",
 "configFileParameters": {
     "rebootIfRequired": true,
     "setToDefaults": true
 }
}


The customer specific variables would get filled in and then saved as 000000000000.cfg in the location where the SMs can read it from.

That's basically it. Getting RADIUS EAP up and running can be hard, but I already had that. If I didn't already have a RADIUS/LDAP infrastructure I'd probably start with DHCP option 66. I think at some point option 66 wasn't supported.

You can make these into templates, manually fill them, process through sed, whatever floats your boat. I set all this up before cnMaestro was a thing. I do use the on premise version now for graphs and the pretty map, and to update firmware, but not for configs.

Anyway that's what works for me and it's great because we never have to touch SMs for provisioning, since I sub out installs they can just hang, aim, and leave.


--
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
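
Added example, not part of the original post: one way to fill the %VAR% template and catch the comma-type mistakes mentioned above before the file is published, by JSON-escaping customer strings and parsing the result. The trimmed template, the %SM_MAC% variable, the function names and the sample values are assumptions made for illustration.

```python
import json
import re

PLACEHOLDER = re.compile(r"%([A-Z_]+)%")
MAC = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}")

# Constructed, trimmed-down template in the post's %VAR% style.
# %SM_MAC% is a hypothetical variable; the post writes the MAC in by hand.
TEMPLATE = """{
 "userParameters": {
  "smAuthenticationConfig": {
   "authUsername": "%SM_MAC%",
   "authPasswordEncrypted": "%RADIUSCRYPTPW%"
  },
  "location": {
   "siteName": "%CUSTIDENT%",
   "siteLocation": "%CUSTNAME%",
   "height": %GEO_AGL%
  }
 },
 "cfgFileString": "Canopy configuration file",
 "cfgFileVersion": "1.0",
 "configFileParameters": {"rebootIfRequired": true, "setToDefaults": true}
}"""

def cfg_filename(mac):
    """Map 00-00-00-00-00-00 to 000000000000.cfg (hex case kept as given)."""
    if not MAC.fullmatch(mac):
        raise ValueError(f"not a dash-separated MAC: {mac!r}")
    return mac.replace("-", "") + ".cfg"

def render(template, values):
    """Fill %VAR% placeholders, then prove the result still parses as JSON."""
    def sub(match):
        value = values[match.group(1)]  # KeyError if a variable is missing
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise TypeError(f"{match.group(1)} must be str or int")
        # Escape strings so a quote or backslash in customer data cannot
        # break the file or inject extra keys; ints go in bare.
        return json.dumps(value)[1:-1] if isinstance(value, str) else str(value)
    text = PLACEHOLDER.sub(sub, template)
    json.loads(text)  # ValueError on a stray or missing comma
    return text

if __name__ == "__main__":
    customer = {"SM_MAC": "00-11-22-33-44-55", "RADIUSCRYPTPW": "XXX",
                "CUSTIDENT": "cust-0042", "CUSTNAME": 'Bob "Big Dish" Smith',
                "GEO_AGL": 35}  # constructed sample values
    with open(cfg_filename(customer["SM_MAC"]), "w") as fh:
        fh.write(render(TEMPLATE, customer))
```

A failed render raises before anything is written, so a bad template or a missing variable never replaces a working .cfg on the config server.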