cnMaestro

CONFIGURATION GUIDE

The purpose of the following manual is to describe the necessary configuration of Cambium Networks equipment using the cnPilot access point for integration with Octopus Platform.

1- Pre-requisites

  • If a firewall in the network might block the traffic, allow access to the following hosts and ports so that user authentication can work:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • To use the Guest and Enterprise module configurations, the Octopus platform licenses for the respective modules must be contracted beforehand.

2- Guest module configuration

2.1 Radius Servers

First, you must configure the Radius Server to which users' authentication requests will be sent. This will require the creation of two Radius servers. Within the AAA Servers tab in the WLAN configuration, the Authentication and Accounting servers must be added, for which the following parameters must be configured.

  • Authentication Server

    • Host: <IP_Radius_1>

    • Secret: <Secret>

    • Port: 1812

    • Host: <IP_Radius_2>

    • Secret: <Secret>

    • Port: 1812

  • Accounting Server

    • Host: <IP_Radius_1>

    • Secret: <Secret>

    • Port: 1813

    • Host: <IP_Radius_2>

    • Secret: <Secret>

    • Port: 1813

    • Accounting Mode: Start-Interim-Stop

    • Interim Update Interval: 600

 

2.2 Captive Portal

To configure the parameters of the external Captive Portal, go to the Guest Access tab and set the following configuration:

Basic Settings

  • Enable: Check this box to enable the captive portal.

  • Portal Mode: External Hotspot

  • Access Policy: RADIUS

  • Redirect Mode: HTTP/HTTPS (choose an option depending on the type of captive portal validation)

  • External Page URL: 

    • http option: http://<captive_portal_domain>/login/hotspot/cambium

    • https option: https://<captive_portal_domain>/login/hotspot/cambium

  • External Portal Type: Standard

  • Success Action: Select the option Redirect User to Original URL to be able to manage the redirection from the WIFI platform.

Advanced Settings

  • Inactivity Timeout: 900

2.3 Walled Garden

Finally, to finish the WLAN configuration, add the domains that users will be able to visit without being authenticated in the captive portal. To do this, access Guest Access > Whitelist and add the necessary domains.

If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.

After making all the changes detailed above, click on the Save button to save the configuration and create the configured WLAN.

2.4 WLAN configuration

The first step is to create a new SSID or modify an existing one. To do that, access WLANs and click on the New WLAN button and set the following configuration:

  • Basic Information

    • Name: Identifying name of the WiFi network

  • Basic Settings

    • SSID: configure the SSID that APs will radiate.

    • Enable: check this box to enable the SSID.

    • VLAN: configure the corresponding vlan.

  • Advanced Settings

    • Inactivity Timeout: 900

2.5 AP Groups

Once the captive portal configuration is done, the WLAN must be associated with the AP Group that the access points belong to. Access AP Groups and open the AP Group configuration. In the Configuration > Basic tab, add the newly created WLAN: click on the Add WLAN button and select the WLAN in the popup window.

After having added the WLAN to the AP Group, click on the Save button to apply all the changes made.

2.6 Authorized MAC Addresses

For user validation to work correctly, it is necessary to determine the NAS that will be able to make authentication requests to the Radius Server. In this case, all the MAC addresses of the Access Points that will radiate the configured SSID must be added. To obtain these MAC addresses easily, access AP Groups and select the AP Group to which the Access Points of the installation belong. Once inside, go to the APs tab, where the MAC address of each of the APs can be consulted.

For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link Locations

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Platform Enterprise Module.

3.1 Captive portal + MAC Authentication configuration

To enable MAC Authentication, it is necessary to edit the WLAN created. To make this change, access WLANs and select the WLAN you need to edit. Once the configuration page is displayed, go to Guest Access and enable the following setting in the Advanced Settings section:

  • MAC Authentication Fallback: Use guest-access only as fallback for clients failing MAC authentication.

3.2 MAC Authentication

To create an SSID dedicated only to MAC Authentication validation, go to WLANs and click on the New WLAN button and perform the following configuration:

  • Basic Information

    • Name: Identifying name of the WiFi network

  • Basic Settings

    • SSID: configure the network name or SSID e.g. Mac_Auth_Guest

    • Enable: check this box to enable the SSID.

    • VLAN: configure the corresponding vlan.

  • Advanced Settings

    • Inactivity Timeout: 900

Guest Access:

  • Disable: Disable the captive portal.

  • Success Action: Select the Redirect User to Original URL option to manage the redirection from the platform.

Advanced Settings

  • Inactivity Timeout: 900

Access control:

  • Policy: RADIUS

  • Delimiter: :

  • Password: disable

3.3 Configuration of Access Profiles

Through the Octopus platform it is possible to configure a series of reply attributes of the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles make it possible to activate a series of functionalities on the Cambium equipment. The most common radius dictionaries and the proprietary Cambium ones are available; below is a list of some of the most interesting attributes:

| Attribute | Description | Format |
|---|---|---|
| Idle-Timeout | Maximum inactivity time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate. | Seconds |
| Acct-Interim-Interval | Defines the time interval at which the NAS sends the accounting packet update with all the user's session information. | Seconds |
| WISPr-Bandwidth-Max-Down | Define Download speed limits. | Bytes |
| WISPr-Bandwidth-Max-Up | Define upload speed limits. | Bytes |
| CAMB-Traffic-Quota-Limit-Up | Defines the upstream traffic limit quota. | Bytes |
| CAMB-Traffic-Quota-Limit-Down | Defines the downstream traffic limit quota. | Bytes |
| Mikrotik-Group | Assignment of a Role Name/ Profile, previously created |  |
| Reply-Message | Useful for troubleshooting functions, as it allows to identify associated elements of the Octopus Wifi platform, such as an access profile, access method, location, ... |  |



Example of an Access Profile configuration with the attributes explained above:

 

For more information on how to create an Access Profile in Octopus Platform go to Access profiles
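
As a troubleshooting aid for the Access Profile attributes listed above, the following added example (not code from Octopus or Cambium) builds an Access-Accept, decodes its reply attributes, and checks the RFC 2865 Response Authenticator. That check fails when the Secret configured on the AP differs from the one on the Radius Server or when the packet was altered in transit. The function names, the secret and the profile values are constructed for illustration; the CAMB-* and Mikrotik-Group attributes are left out because their vendor attribute numbers are not given on this page.

```python
import hashlib
import hmac
import struct

WISPR_VENDOR_ID = 14122  # IANA enterprise number used by the WISPr dictionary
STD = {18: "Reply-Message", 28: "Idle-Timeout", 85: "Acct-Interim-Interval"}
WISPR = {7: "WISPr-Bandwidth-Max-Up", 8: "WISPr-Bandwidth-Max-Down"}

def attr(code, value):
    """Encode one attribute as type, length, value."""
    return bytes([code, len(value) + 2]) + value

def wispr(sub, number):
    """Encode a WISPr integer inside a Vendor-Specific attribute (type 26)."""
    vsa = struct.pack("!I", WISPR_VENDOR_ID) + attr(sub, struct.pack("!I", number))
    return attr(26, vsa)

def build_accept(ident, request_auth, attrs, secret):
    """Build an Access-Accept (code 2) with its Response Authenticator."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_accept(packet, request_auth, secret):
    """Return (authenticator_ok, {attribute name: value}) for a reply packet."""
    body = packet[20:struct.unpack("!H", packet[2:4])[0]]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    ok = hmac.compare_digest(expected, packet[4:20])
    found, pos = {}, 0
    while pos + 2 <= len(body):
        code, size = body[pos], body[pos + 1]
        if size < 2 or pos + size > len(body):
            raise ValueError("malformed attribute")
        value = body[pos + 2:pos + size]
        if code == 26 and len(value) >= 10 and value[:4] == struct.pack("!I", WISPR_VENDOR_ID):
            found[WISPR.get(value[4], value[4])] = struct.unpack("!I", value[6:10])[0]
        elif code == 18:
            found[STD[code]] = value.decode()
        elif code in STD:
            found[STD[code]] = struct.unpack("!I", value)[0]
        pos += size
    return ok, found

# Constructed sample: request authenticator, secret and profile values are made up.
REQ_AUTH = bytes(range(16))
SECRET = b"example-secret"
PROFILE = (attr(28, struct.pack("!I", 900)) + attr(85, struct.pack("!I", 600))
           + wispr(8, 2000000) + wispr(7, 1000000) + attr(18, b"profile=guest"))
PACKET = build_accept(7, REQ_AUTH, PROFILE, SECRET)
```

A reply whose authenticator does not verify should be treated as untrusted, whatever attributes it carries.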