CnPilot
CONFIGURATION GUIDE
The purpose of the following manual is to describe the necessary configuration of Cambium Networks equipment using the cnPilot access point for integration with Octopus Platform.
1- Pre-requisites
If there is a firewall in the network that might block the traffic, you will need to allow access to the following servers and domains to enable user authentication:
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
To use the Guest and Enterprise module configurations, the Octopus platform licenses for the respective modules must have been contracted beforehand.
2- Guest module configuration
2.1 Radius Server
Configuration of the Radius Server to which user authentication requests will be sent. It is necessary to create two Radius servers, adding the Authentication and Accounting servers.
Authentication Server
Host: <IP_Radius_1>
Secret: <Secret>
Port: 1812
Host: <IP_Radius_2>
Secret: <Secret>
Port: 1812
Accounting Server
Host: <IP_Radius_1>
Secret: <Secret>
Port: 1813
Host: <IP_Radius_2>
Secret: <Secret>
Port: 1813
Accounting Mode: Start-Interim-Stop
Interim Update Interval: 600
Once these changes are made, click on the Save button to save the configuration.
2.2 WLAN Setting
First, it is necessary to create a new SSID or modify an existing one. To do this, go to Configure > WLAN and click on the Add WLAN button and carry out the following detailed configuration:
Enable: Check this box to enable the SSID.
SSID: Configure the SSID that the AP will radiate.
VLAN: Set the corresponding VLAN.
Security: Open
Inactivity Timeout: 900
Once these changes are made, click on the Save button to save the configuration.
2.3 Guest Access
Configuration of all parameters related to the external Captive Portal
Enable: Check this option to enable the captive portal.
Portal Mode: External Hotspot
Access Policy: Radius
AP Server Protocol: HTTP
External Page URL: http://<captive_portal_domain>/login/hotspot/cambium
External Portal Type: Standard
Success Action: Select the option Redirect User to Original URL to manage the redirection from the platform.
Inactivity Timeout: 900
Once these changes are made, click on the Save button to save the configuration.
2.4 Walled Garden
Within the WLAN > Guest Access configuration, it is necessary to add the domains to which the user will have free access before validating in the network. To do this, open Whitelist and add the necessary domains.
If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted from the following link.
2.5 Authorized MAC List
For user validation to work properly, it is necessary to determine which NAS will be able to make authentication requests to the Radius Server. In this case you must add the MAC address of the Access Point that will radiate the configured SSID.
To obtain the MAC address easily, open the Dashboard, where you can check the MAC address of the AP.
For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link: Locations
3- Enterprise module configuration
3.1 Captive portal + MAC Authentication configuration
To enable MAC authentication, you need to edit the created WLAN and enable this option. To do this, access WLANs and select the WLAN to be modified.
Once inside, open the configuration, go to the Guest Access tab and enable the following option:
MAC Authentication Fallback: Use guest-access only as fallback for clients failing MAC authentication.
Then access the Access tab and configure the following parameters within MAC Authentication:
Policy: RADIUS
Delimiter: :
Password: Enable this option
3.2 MAC Authentication
To create an SSID dedicated to MAC Authentication validation only, go to Configure > WLAN and click on the Add WLAN button and perform the following detailed configuration:
Enable: Check this box to enable the SSID.
SSID: Configure the SSID, for example Mac_Auth_Guest
VLAN: Configure the corresponding VLAN.
Security: Open
Inactivity Timeout: 900
Radius Server:
Link the radius servers created in point 2.1 of this guide
Guest Access:
Configuration of all parameters related to the external Captive Portal
Enable: Disable
Success Action: Select the Redirect User to Original URL option to manage the redirection from the platform.
Inactivity Timeout: 900
After making all the changes click on the Save button to save the configuration.
Access
Policy: RADIUS
Delimiter: :
Password: Disable
3.3 Configuration of Access Profiles
Through the Octopus platform it is possible to configure a series of reply attributes for the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles make it possible to activate a series of features on the Cambium equipment. Although the most common dictionaries and the proprietary Cambium RADIUS dictionaries are available, below is a list of some of the most interesting attributes:
Attribute | Description | Format |
---|---|---|
Idle-Timeout | Maximum inactivity time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate. | Seconds |
Acct-Interim-Interval | Defines the time interval at which the NAS sends the accounting packet update with all the user's session information. | Seconds |
WISPr-Bandwidth-Max-Down | Defines download speed limits. | Bytes |
WISPr-Bandwidth-Max-Up | Defines upload speed limits. | Bytes |
CAMB-Traffic-Quota-Limit-Up | Defines the upstream traffic limit quota. | Bytes |
CAMB-Traffic-Quota-Limit-Down | Defines the downstream traffic limit quota. | Bytes |
Mikrotik-Group | Assignment of a previously created Role Name / Profile. | |
Reply-Message | Useful for troubleshooting, as it makes it possible to identify associated elements of the Octopus Wifi platform, such as an access profile, access method, location, etc. | |
Example of an Access Profile configuration with the attributes explained above:
For more information on how to create an Access Profile in Octopus Platform go to Access profiles