
Device Administration using Cisco Identity Services Engine for Cambium Devices v1.0


Introduction

This document describes a configuration example in which Cisco Identity Services Engine (ISE) is used for device administration of Cambium devices over the RADIUS protocol.

Prerequisites

Requirements

 

Cisco recommends that you have knowledge of these topics:

  1. Basic knowledge of Device Administration
  2. Fundamental knowledge of the RADIUS protocol
  3. Familiarity with Cambium Devices

Components Used

The information in this document is based on these software and hardware versions:

  1. Cisco Identity Services Engine (ISE) 2.4.0.357
  2. Cambium Networks Canopy PMP 450i Wireless Broadband Access Point

 

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any configuration.

 

Configuration

 

ISE Configuration

1. Add the Cambium device, with its RADIUS secret key

Screenshot 2019-12-20 at 8.46.34 AM.png

 


2. Add the Cambium vendor to the RADIUS dictionary:
Navigate to the path: Dictionary >> Radius >> Radius Vendors

Vendor ID.png

 


3. Add the Cambium vendor attribute “Cambium-Canopy-UserLevel” with ID 50


Vendor attribute ID.png

 

4. Authorization Profile

Values for device administration are as follows:

Role          Attribute Value
Installer     1
Technician    2
Admin         3

Authz Profile.png

 
5. Allowed Protocols:

Screenshot 2019-12-20 at 9.05.05 AM.png

 


 


6. Identity Sequence based on AD and Internal users

Screenshot 2019-12-20 at 8.52.06 AM.png

 

7. Policy Set


Screenshot 2019-12-18 at 4.00.52 PM.png

 

8. Authentication Policy

 

Screenshot 2019-12-18 at 3.41.30 PM.png

 

9. Authorization Policy

Screenshot 2019-12-18 at 3.42.35 PM.png

 


10. Cambium Device Configuration:

 

Cambium Config.png

 


Note that if you are using AD for user authentication, the Cambium device cannot be configured for EAP-MD5, because AD does not support that protocol.

In that case, device administration fails with the following error:

22043 Current Identity Store does not support the authentication method; Skipping it

The resolution is to configure the Cambium device for EAP-PEAP-MSCHAPv2 rather than EAP-MD5.

Verify

In a working scenario, ISE should send the attributes shown below to the Cambium device:

working.png
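
To check the same thing from a packet capture instead of the ISE live log, the following added example (not part of the original document or of any Cisco or Cambium tooling) parses a RADIUS Access-Accept and reports which role the Cambium-Canopy-UserLevel attribute grants. Assumptions: the vendor ID 161 is not stated in the text of this page (it appears only in the screenshot) and must be confirmed against your ISE dictionary entry, the attribute is encoded as a 32-bit integer, and the sample packet is constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26     # RADIUS Vendor-Specific attribute type (RFC 2865)
ACCESS_ACCEPT = 2        # RADIUS packet code for Access-Accept
CAMBIUM_VENDOR_ID = 161  # ASSUMPTION: not in the page text; confirm in your ISE dictionary
USERLEVEL_ATTR_ID = 50   # Cambium-Canopy-UserLevel, from step 3
ROLES = {1: "Installer", 2: "Technician", 3: "Admin"}  # from step 4


def iter_attributes(packet):
    """Yield (type, value) for each attribute of a raw RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len


def cambium_user_level(packet, vendor_id=CAMBIUM_VENDOR_ID):
    """Return the role an Access-Accept grants, or None if the VSA is absent."""
    if packet[:1] != bytes([ACCESS_ACCEPT]):
        return None
    for a_type, value in iter_attributes(packet):
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vid, sub = struct.unpack("!I", value[:4])[0], value[4:]
        while vid == vendor_id and len(sub) >= 2:  # walk the vendor sub-attributes
            s_type, s_len = sub[0], sub[1]
            if s_len < 2 or s_len > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if s_type == USERLEVEL_ATTR_ID and s_len == 6:
                level = struct.unpack("!I", sub[2:6])[0]
                if level not in ROLES:
                    raise ValueError("unexpected user level %d" % level)
                return ROLES[level]
            sub = sub[s_len:]
    return None


def build_sample_accept(level, vendor_id=CAMBIUM_VENDOR_ID):
    """Constructed Access-Accept for testing (zeroed authenticator, not valid on the wire)."""
    vsa = struct.pack("!IBBI", vendor_id, USERLEVEL_ATTR_ID, 6, level)
    attr = bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attr)) + bytes(16) + attr
```

A result of None for a user who authenticated successfully means the authorization profile did not attach the attribute, or that the vendor ID in the dictionary differs from the one passed in.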

 


 

 

 

Related information:

https://community.cambiumnetworks.com/t5/cnMaestro/Setting-up-Cisco-ISE-for-RADIUS-Services-to-Support-Cambium/td-p/91013

http://community.cambiumnetworks.com/t5/PMP-Best-Practices-and-Examples/Using-RADIUS-Server-with-PMP-450/m-p/52305#M22

http://community.cambiumnetworks.com/t5/PMP-Best-Practices-and-Examples/Cisco-ACS-RADIUS-Server-Support/m-p/48627#U48627