cnPilot

CONFIGURATION GUIDE

The purpose of the following manual is to describe the necessary configuration of Cambium Networks equipment using the cnPilot access point for integration with Octopus Platform.

1- Pre-requisites

  • If a firewall in the network might block this traffic, allow access to the following hosts and ports so that users can authenticate:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • The Guest and Enterprise module configurations require that the Octopus platform licenses for the respective modules have been contracted beforehand.

2- Guest module configuration

2.1 Radius Server

Configuration of the Radius Server to which user authentication requests will be sent. It is necessary to create two Radius servers, adding the Authentication and Accounting servers.

  • Authentication Server

    • Host: <IP_Radius_1>

    • Secret: <Secret>

    • Port: 1812

    • Host: <IP_Radius_2>

    • Secret: <Secret>

    • Port: 1812

  • Accounting Server

    • Host: <IP_Radius_1>

    • Secret: <Secret>

    • Port: 1813

    • Host: <IP_Radius_2>

    • Secret: <Secret>

    • Port: 1813

    • Accounting Mode: Start-Interim-Stop

    • Interim Update Interval: 600

Once these changes are made, click on the Save button to save the configuration.

2.2 WLAN Setting


First, it is necessary to create a new SSID or modify an existing one. To do this, go to Configure > WLAN, click on the Add WLAN button and apply the following configuration:

  • Enable: Check this box to enable the SSID.

  • SSID: Configure the SSID that the AP will radiate.

  • VLAN: Set the corresponding VLAN.

  • Security: Open

  • Inactivity Timeout: 900

Once these changes are made, click on the Save button to save the configuration.

 

2.3 Guest Access

Configuration of all parameters related to the external Captive Portal:

  • Enable: Check this option to enable the captive portal.

  • Portal Mode: External Hotspot

  • Access Policy: Radius

  • AP Server Protocol: HTTP

  • External Page URL: http://<captive_portal_domain>/login/hotspot/cambium

  • External Portal Type: Standard

  • Success Action: Select the option Redirect User to Original URL to manage the redirection from the platform.

  • Inactivity Timeout: 900

Once these changes are made, click on the Save button to save the configuration.

 

2.4 Walled Garden

Within the WLAN > Guest Access configuration, it is necessary to add the domains that users can reach freely before they validate on the network. To do this, open Whitelist and add the necessary domains.

If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted from the following link.

2.5 Authorized MAC List

For user validation to work properly, it is necessary to determine which NAS will be able to make authentication requests to the Radius Server. In this case you must add the MAC address of the Access Point that will radiate the configured SSID.

To obtain the MAC address easily, open Dashboard, where you can check the MAC address of the AP.

 

For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link: Locations

3 - Enterprise module configuration

3.1  Captive portal + MAC Authentication configuration

To enable MAC authentication, you need to edit the created WLAN and enable this option. To do this, access WLANs and select the WLAN to be modified.

Once inside, open the configuration, go to the Guest Access tab and enable the following option:

  • MAC Authentication Fallback: Use guest-access only as fallback for clients failing MAC authentication.

Then access the Access tab and configure the following parameters within MAC Authentication:

  • Policy: RADIUS

  • Delimiter: :

  • Password: Enable this option

3.2  MAC Authentication

To create an SSID dedicated to MAC Authentication validation only, go to Configure > WLAN, click on the Add WLAN button and apply the following configuration:

  • Enable: Check this box to enable the SSID.

  • SSID: Configure the SSID, for example Mac_Auth_Guest.

  • VLAN: Configure the corresponding VLAN.

  • Security: Open

  • Inactivity Timeout: 900

Radius Server:

Link the Radius servers created in point 2.1 of this guide.

Guest Access:

Configuration of all parameters related to the external Captive Portal:

  • Enable: Disable

  • Success Action: Select the Redirect User to Original URL option to manage the redirection from the platform.

  • Inactivity Timeout: 900

After making all the changes click on the Save button to save the configuration.

Access

  • Policy: RADIUS

  • Delimiter: :

  • Password: Disable

3.3 Configuration of Access Profiles

Through the Octopus platform it is possible to configure a set of reply attributes for the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles allow a series of functionalities to be activated on the Cambium equipment. The most common dictionaries and the proprietary Cambium Radius dictionaries are available; below is a list of some of the most interesting attributes:

| Attribute | Description | Format |
|---|---|---|
| Idle-Timeout | Maximum inactivity time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate. | Seconds |
| Acct-Interim-Interval | Defines the time interval at which the NAS sends the accounting packet update with all the user's session information. | Seconds |
| WISPr-Bandwidth-Max-Down | Defines download speed limits. | Bytes |
| WISPr-Bandwidth-Max-Up | Defines upload speed limits. | Bytes |
| CAMB-Traffic-Quota-Limit-Up | Defines the upstream traffic limit quota. | Bytes |
| CAMB-Traffic-Quota-Limit-Down | Defines the downstream traffic limit quota. | Bytes |
| Mikrotik-Group | Assignment of a previously created Role Name / Profile. | |
| Reply-Message | Useful for troubleshooting, as it allows identifying associated elements of the Octopus Wifi platform, such as an access profile, access method, location, ... | |

Example of an Access Profile configuration with the attributes explained above:

 

For more information on how to create an Access Profile in Octopus Platform go to Access profiles