Showing results for 
Search instead for 
Did you mean: 

Device Administration using Cisco Identity Services Engine for Cambium Devices v1.0



This document describes a configuration example of Cisco Identity Services Engine (ISE) used for device administration of Cambium Devices using RADIUS protocol.




Cisco recommends that you have knowledge of these topics:

  1. Basic knowledge of Device Administration
  2. Fundamental knowledge of Radius Protocol
  3. Familiarity with Cambium Devices

Components Used

The information in this document is based on these software and hardware versions:

  1. Cisco Identity Services Engine (ISE)
  2. Cambium Networks Canopy PMP 450i Wireless Broadband Access Point


The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any configuration.




ISE Configuration

1. Add Cambium Device : with Radius secret key

Screenshot 2019-12-20 at 8.46.34 AM.png


2.  Add Cambium Vendor in Radius Dictionary :
Navigate to the path : Dictionary >> Radius >> Radius Vendors

Vendor ID.png


3. Add Cambium Vendor Attribute ID “Cambium-Canopy-UserLevel” ID : 50

Vendor attribute ID.png


4. Authorization Profile

Values for device administration are as follows:

Role Attribute Value
Installer 1
Technician 2
Admin 3

Authz Profile.png

5. Allowed Protocols:

Screenshot 2019-12-20 at 9.05.05 AM.png



6. Identity Sequence based on AD and Internal users

Screenshot 2019-12-20 at 8.52.06 AM.png


7. Policy Set

Screenshot 2019-12-18 at 4.00.52 PM.png


8. Authentication Policy


Screenshot 2019-12-18 at 3.41.30 PM.png


9. Authorization Policy

Screenshot 2019-12-18 at 3.42.35 PM.png


10. Cambium Device Configuration:


Cambium Config.png


Please note that if you are using AD for user authentication, then Cambium device cannot be configured for EAP-MD5 as AD doesn't support that protocol.

In such case, device administration fails with the following error:

22043 Current Identity Store does not support the authentication method; Skipping it

Resolution is to configure Cambium device for EAP-PEAP-MSCHAPv2 rather EAP-MD5


Working scenario should ideally show the below attributes being sent from ISE to Cambium device






Related information: