So - one could simply use Option 66 and not have to use RADIUS at all,
right?

Where do the values for the variables in the config actually come from
(CUSTNAME, etc)?

On Thu, Mar 7, 2019 at 12:38 PM Seth Mattinen <[email protected]> wrote:

> On 3/7/19 8:42 AM, Joe Novak wrote:
> > Are you using your billing system to build the configs? Can you kind of
> > give a work flow of provisioning a customer, just as an example?
> >
>
>
> I don't have a billing system doing configs. To provision a SM I just
> need the MAC of the SM to go out and it goes out blank. The only time
> SMs get touched ahead of time is for pre-assembly, make sure it's not
> DOA, and maybe to load whatever firmware version is being used.
>
> A RADIUS entry for a customer looks like this:
>
> dn: cn=00-00-00-00-00-00,ou=radusers,dc=rollernet,dc=us
> cn: 00-00-00-00-00-00
> dialupAccess: true
> objectClass: radiusObjectProfile
> objectClass: top
> objectClass: radiusprofile
> uid: 00-00-00-00-00-00
> radiusFramedIPNetmask: 255.255.255.0
> userPassword: %RADIUSPASS%
> radiusFramedIPAddress: 1.2.3.4
> description: %CUSTNAME%
> radiusReplyItem: Cambium-Canopy-DLBR += "10000"
> radiusReplyItem: Cambium-Canopy-DLBL += "10000"
> radiusReplyItem: Cambium-Canopy-DLMB += "20000"
> radiusReplyItem: Cambium-Canopy-ULBR += "4000"
> radiusReplyItem: Cambium-Canopy-ULBL += "4000"
> radiusReplyItem: Cambium-Canopy-ULMB += "8000"
> radiusReplyItem: Cambium-Canopy-BCASTMIR += "128"
> radiusReplyItem: Cambium-Canopy-HPENABLE += "0"
> radiusReplyItem: Cambium-Canopy-HPULCIR += "200"
> radiusReplyItem: Cambium-Canopy-HPDLCIR += "200"
> radiusReplyItem: Cambium-Canopy-Gateway += "1.2.3.4"
> radiusReplyItem: Cambium-Canopy-VLMGVID += "10"
> radiusReplyItem: Cambium-Canopy-VLIGVID += "%SM_VLAN%"
> radiusReplyItem: Cambium-Canopy-VLLEARNEN += "0"
> radiusReplyItem: Cambium-Canopy-ConfigFileImportUrl +=
> "http://configs.example.com/pmp/"
>
> Items in %xx% are variables, and 00-00-00-00-00-00 would be the real MAC
> of the SM. I use a different password in RADIUS per customer, but that's
> not mandatory. Descriptions for all the Cambium-Canopy-X attributes are
> in the docs. But anything in RADIUS can also be set in the config file.
> I set them ahead of time this way so that if the config file fails to
> load for any reason at least the SM has an IP address (of course PMP has
> the proxy thing too but it needs working IP somehow to load config
> files). Set speeds to whatever you use, these are just random.
>
> No experience with NAT mode, I use QinQ and the SMs are just bridges. So
> for example an AP or site may have outer VLAN 200 (also set in the SM
> config below as providerVID) and all customers under it would have inner
> VLAN 201, 202, 203, etc. where you'd set Cambium-Canopy-VLIGVID +=
> "201". That's a network design choice that everyone will have a
> different opinion about, this is just how I do it because it works best
> for me.
>
> Given this the SM will ask for the file
> "http://configs.example.com/pmp/000000000000.cfg" when it starts up.
>
> Or DHCP (cisco):
>
> ip dhcp pool pmp-icc
>   network 10.0.0.0 255.255.255.0
>   default-router 10.0.0.1
>   option 66 ascii "http://configs.example.com/pmp/"
>
> As far as configs, I think someone else said just export the config from
> an SM after setting it up the way you want it and trim it down. Anything
> you don't explicitly specify in the config file will just be whatever
> its default is. I also always have the SM reset to defaults every time
> it boots so it's always pulling the central config.
>
> Like if you want to do multiple color codes I would recommend setting
> them in a test SM and then exporting that config to get the format right
> the first time. Any little mistake in the config file is failure, like
> forgetting to have or not have a comma in the right place.
>
> A config file template looks like this (edited to remove info specific
> to me with XXX for strings or 1.2.3.4 for IPs):
>
> {
>   "userParameters": {
>    "radioConfig": {
>     "installationColorCode": 1,
>     "factoryResetOnDefaultPlug": 1,
>     "regionCode": 25
>    },
>    "smRadioConfig": {
>     "apSelection": 0,
>     "colorCodeList": [
>      {
>       "colorCode": 1,
>       "priority": 1
>      }
>     ]
>    },
>    "authenticationConfig": {
>     "whispWebUserAccessMode": 2,
>     "allowRejectThenLocal": 1,
>     "accounts": [
>      {
>       "userName": "XXX",
>       "level": 3,
>       "readOnly": false,
>       "passwordEncrypted": "XXX"
>      }
>     ],
>     "authKeyOption": 0
>    },
>    "smAuthenticationConfig": {
>     "useRealm": 0,
>     "authOuterId": "anonymous",
>     "authenticationEnforce": 1,
>     "phase1": 0,
>     "phase2": 2,
>     "authUsername": "00-00-00-00-00-00",
>     "authPasswordEncrypted": "%RADIUSCRYPTPW%",
>     "certificates": [
>      "XXX",
>      "XXX"
>     ]
>    },
>    "smSpectrumAnalysisConfig": {
>     "spectrumAnalysisOnBoot": 0
>    },
>    "snmpConfig": {
>     "snmpPort": 161,
>     "commStringROnly": "XXX",
>     "snmpMibPerm": 0,
>     "commStringRW": "XXX",
>     "snmpTrapAddresses": [
>      "1.2.3.4",
>      "0.0.0.0",
>      "0.0.0.0",
>      "0.0.0.0",
>      "0.0.0.0",
>      "0.0.0.0",
>      "0.0.0.0",
>      "0.0.0.0",
>      "0.0.0.0",
>      "0.0.0.0"
>     ],
>     "snmpTrapPort": 162,
>     "trapDomainNameAppend": 0,
>     "snmpv2cEnable": 1,
>     "snmpIpAccessFilter": [
>      {
>       "address": "1.2.3.4",
>       "netmask": 32
>      }
>     ]
>    },
>    "smNetworkConfig": {
>     "networkAccess": 0,
>     "enable8023link": 1
>    },
>    "location": {
>     "siteName": "%CUSTIDENT%",
>     "siteLocation": "%CUSTNAME%",
>     "siteInfoViewable": 1,
>     "siteContact": "XXX",
>     "latitude": "%GEO_LAT%",
>     "longitude": "%GEO_LONG%",
>     "height": %GEO_AGL%
>    },
>    "networkConfig": {
>     "tftpStatus": 1,
>     "telnetStatus": 1,
>     "sessionTimeout": 600,
>     "webAutoUpdate": 3,
>     "textSecurityBanner": "XXX",
>     "lldpBroadcastEnable": 0,
>     "enableSecurityBanner": 0,
>     "snmpStatus": 1,
>     "packetFilterSmb": 0,
>     "lanDhcpState": 0,
>     "dnsIpState": 1,
>     "dnsPrimaryMgmtIP": "1.2.3.4",
>     "dnsAlternateMgmtIP": "1.2.3.4",
>     "dnsMgmtDomainName": "XXX",
>     "webAccess": 0,
>     "ftpStatus": 1,
>     "acceptSecurityBanner": 1,
>     "lanIp": "169.254.1.1",
>     "lanMask": "255.255.0.0",
>     "lanGateway": "169.254.0.0"
>    },
>    "rfSecurityConfig": {
>     "encryptionConfig": 1
>    },
>    "smSyslogConfig": {
>     "syslogServerApPreferred": 1,
>     "syslogSMXmitControl": 3
>    },
>    "smNetworkSecurityConfig": {
>     "ethAccessEnable": 1
>    },
>    "syslogConfig": {
>     "syslogMinLevelApPreferred": 1,
>     "syslogMinLevel": 6
>    },
>    "vlanConfig": {
>     "dynamicLearning": 0,
>     "vlanAcceptQinQFrames": 0,
>     "providerVID": 200,
>     "agingTimeout": 25,
>     "vlanPortType": 1,
>     "frameType": 0
>    },
>    "cnMaestroConfig": {
>     "cnMaestroUrl": "https://cnmaestro.example.com",
>     "cnMaestroEnable": 1
>    }
>   },
>   "cfgFileString": "Canopy configuration file",
>   "cfgFileVersion": "1.0",
>   "configFileParameters": {
>       "rebootIfRequired": true,
>       "setToDefaults": true
>   }
> }
>
>
> The customer specific variables would get filled in and then saved as
> 000000000000.cfg in the location where the SMs can read it from.
>
> That's basically it. Getting RADIUS EAP up and running can be hard, but
> I already had that. If I didn't already have a RADIUS/LDAP
> infrastructure I'd probably start with DHCP option 66. I think at some
> point option 66 wasn't supported.
>
> You can make these into templates, manually fill them, process through
> sed, whatever floats your boat. I set all this up before
> cnMaestro was a thing. I do use the on premise version now for graphs
> and the pretty map, and to update firmware, but not for configs.
>
> Anyway that's what works for me and it's great because we never have to
> touch SMs for provisioning, since I sub out installs they can just hang,
> aim, and leave.
>
>
> --
> AF mailing list
> [email protected]
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
>
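
Added example, not part of either message: one way to fill the %NAME% placeholders of the template quoted above and name the file after the SM's MAC, with string values JSON-escaped and the result parsed before it is saved. The function names, the cut-down template and the customer values are constructed for illustration.

```python
import json
import re

# "%NAME%" as a whole JSON string, or bare %NAME% where JSON expects a number.
PLACEHOLDER = re.compile(r'"%([A-Z_]+)%"|%([A-Z_]+)%')

def cfg_filename(mac):
    """Turn 00-00-00-00-00-00 style input into the 12-hex-digit .cfg name."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")  # also blocks ../ in names
    return digits + ".cfg"

def render(template, values):
    """Fill the placeholders in one pass and return JSON text that parses."""
    def fill(m):
        name = m.group(1) or m.group(2)
        if name not in values:
            raise KeyError(f"no value for %{name}%")
        value = values[name]
        if m.group(1):  # quoted position: escape quotes, backslashes, newlines
            return json.dumps(str(value))
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError(f"%{name}% is in a numeric position")
        return json.dumps(value)
    text = PLACEHOLDER.sub(fill, template)
    json.loads(text)  # a stray or missing comma fails here, not on the SM
    return text

# Constructed sample: the "location" block of the template, cut down.
TEMPLATE = """{
 "userParameters": {
  "location": {
   "siteName": "%CUSTIDENT%",
   "siteLocation": "%CUSTNAME%",
   "latitude": "%GEO_LAT%",
   "longitude": "%GEO_LONG%",
   "height": %GEO_AGL%
  }
 },
 "cfgFileVersion": "1.0"
}"""

# Constructed customer record; the name contains characters that break naive sed.
SAMPLE = {"CUSTIDENT": "C-1001", "CUSTNAME": 'Joe\'s "Diner", Unit 4',
          "GEO_LAT": "39.5", "GEO_LONG": "-119.8", "GEO_AGL": 12}

if __name__ == "__main__":
    print(cfg_filename("00-00-00-00-00-00"))
    print(render(TEMPLATE, SAMPLE))
```

Because substitution happens in a single pass, a customer value that itself contains a `%NAME%` token is written out literally rather than expanded a second time.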