User Manual: Cambium PMP 450 Planning Guide
Security planning Planning considerations
pmp-0047 (December 2012)
Planning for RF Telnet Access Control
The RF Telnet Access feature restricts Telnet access to the AP from a device situated below a network SM
(downstream from the AP). This is a security enhancement to restrict RF-interface sourced AP access specifically
to the LAN1 IP address and LAN2 IP address (Radio Private Address, typically 192.168.101.[LUID]). This
restriction prevents unauthorized users from running Telnet commands on the AP that can change AP
configuration or modify network-critical components such as routing and ARP tables.
Planning for RADIUS integration
PMP 450 modules include support for the RADIUS (Remote Authentication Dial In User Service) protocol
supporting Authentication, Authorization, and Accounting (AAA).
RADIUS Functions
RADIUS protocol support provides the following functions:
• SM Authentication allows only known SMs onto the network (blocking “rogue” SMs), and can be
configured to ensure SMs are connecting to a known network (preventing SMs from connecting to “rogue”
APs). RADIUS authentication is used for SMs, but is not used for APs. Cambium modules support
EAP-TTLS and EAP-MSCHAPv2 authentication methods.
• SM Configuration: Configures authenticated SMs with MIR (Maximum Information Rate), CIR (Committed
Information Rate), High Priority, and VLAN (Virtual LAN) parameters from the RADIUS server when an SM
registers to an AP.
• SM Accounting provides support for RADIUS accounting messages for usage-based billing. This accounting
includes indications for subscriber session establishment, subscriber session disconnection, and bandwidth
usage per session for each SM that connects to the AP.
• Centralized AP and SM user name and password management allows AP and SM usernames and access
levels (Administrator, Installer, Technician) to be centrally administered in the RADIUS server instead of on
each radio and tracks access events (logon/logoff) for each username on the RADIUS server. This
accounting does not track and report specific configuration actions performed on radios or pull statistics
such as bit counts from the radios. Such functions require an Element Management System (EMS) such as
Cambium Networks Wireless Manager. This accounting is not the ability to perform accounting functions on
the subscriber/end user/customer account.
• Framed IP allows operators to use a RADIUS server to assign management IP addressing to SM modules
(framed IP address).
Planning for SNMP security
Canopy modules provide the following Configuration web page parameters in the SNMP tab. These govern SNMP
access from the manager to the agent:
• Community String, which specifies the password for security between managers and the agent.
• Accessing Subnet, which specifies the subnet mask that allows managers to poll the agents.
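
The two parameters above can be reviewed at planning time, before modules are deployed. The following is an added example, not Cambium code: it assumes the Accessing Subnet is written in CIDR form, and the module names, addresses, community strings and management subnet are constructed for illustration.

```python
import ipaddress

# Constructed planning data (assumptions, not values from the guide).
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")    # subnet the SNMP managers live in
MANAGERS = ["10.20.0.5", "10.20.0.6"]              # SNMP manager addresses
WEAK_COMMUNITIES = {"", "public", "private"}       # widely known community strings

PLANNED = [
    {"module": "AP-1", "community": "public", "accessing_subnet": "0.0.0.0/0"},
    {"module": "AP-2", "community": "k7Qp-vz2Lm9x", "accessing_subnet": "10.20.0.0/24"},
    {"module": "SM-7", "community": "k7Qp-vz2Lm9x", "accessing_subnet": "10.0.0.0/8"},
    {"module": "SM-9", "community": "k7Qp-vz2Lm9x", "accessing_subnet": "192.168.50.0/24"},
]


def manager_allowed(accessing_subnet, manager_ip):
    """True if manager_ip falls inside the Accessing Subnet (modelled as CIDR)."""
    net = ipaddress.ip_network(accessing_subnet, strict=False)
    return ipaddress.ip_address(manager_ip) in net


def audit(entry, mgmt_net=MGMT_NET, managers=MANAGERS):
    """Return planning findings for one module's SNMP settings."""
    findings = []
    net = ipaddress.ip_network(entry["accessing_subnet"], strict=False)
    if entry["community"].lower() in WEAK_COMMUNITIES:
        findings.append("weak-community")
    if net.prefixlen == 0:
        # Every source address passes the subnet check; only the community string is left.
        findings.append("any-source")
    elif mgmt_net.subnet_of(net) and net.prefixlen < mgmt_net.prefixlen:
        findings.append("wider-than-mgmt")
    if not all(manager_allowed(entry["accessing_subnet"], m) for m in managers):
        # Wrong or too-narrow subnet: the operator's own managers cannot poll the agent.
        findings.append("managers-blocked")
    return findings


if __name__ == "__main__":
    for entry in PLANNED:
        print(entry["module"], audit(entry) or "ok")
```
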