CnMaestro 3.0.4 On-Premises User Guide
cnMaestro On-Premises
Accuracy
While reasonable efforts have been made to assure the accuracy of this document, Cambium Networks assumes no liability
resulting from any inaccuracies or omissions in this document, or from use of the information obtained herein. Cambium
reserves the right to make changes to any products described herein to improve reliability, function, or design, and reserves
the right to revise this document and to make changes from time to time in content hereof with no obligation to notify any
person of revisions or changes. Cambium does not assume any liability arising out of the application or use of any product,
software, or circuit described herein; neither does it convey license under its patent rights or the rights of others. It is possible
that this publication may contain references to, or information about Cambium products (machines and programs),
programming, or services that are not announced in your country. Such references or information must not be construed to
mean that Cambium intends to announce such Cambium products, programming, or services in your country.
Copyrights
This document, Cambium products, and 3rd Party software products described in this document may include or describe
copyrighted Cambium and other 3rd Party supplied computer programs stored in semiconductor memories or other media.
Laws in the United States and other countries preserve for Cambium, its licensors, and other 3rd Party supplied software
certain exclusive rights for copyrighted material, including the exclusive right to copy, reproduce in any form, distribute and
make derivative works of the copyrighted material. Accordingly, any copyrighted material of Cambium, its licensors, or the 3rd
Party software supplied material contained in the Cambium products described in this document may not be copied,
reproduced, reverse engineered, distributed, merged or modified in any manner without the express written permission of
Cambium. Furthermore, the purchase of Cambium products shall not be deemed to grant either directly or by implication,
estoppel, or otherwise, any license under the copyrights, patents or patent applications of Cambium or other 3rd Party
supplied software, except for the normal non-exclusive, royalty free license to use that arises by operation of law in the sale of
a product.
Restrictions
Software and documentation are copyrighted materials. Making unauthorized copies is prohibited by law. No part of the
software or documentation may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any
language or computer language, in any form or by any means, without prior written permission of Cambium.
License Agreements
The software described in this document is the property of Cambium and its licensors. It is furnished by express license
agreement only and may be used only in accordance with the terms of such an agreement.
This product is not restricted in the EU. Any High-Risk Use is unauthorized, is made at your own risk, and you shall be responsible for
any and all losses, damage or claims arising out of any High-Risk Use.
Contents
Introduction
Overview
Supported Browsers
Supported Virtualization Infrastructures
Device Software
Software Download
Differences with cnMaestro Cloud
Quick Start
Installation
Virtualization
Desktop Virtualization
Bare Metal Hypervisor
cnMaestro Deployment
Device Software
PMP Configuration Prerequisites
DHCP Options (Linux)
UI Navigation
Basic
Account View
Access and Backhaul Account
Enterprise Account
Industrial Internet Account
Home Page
Page Structure
Page Navigation
Menu
Header
Access and Backhaul Account
Overview
Device Tree Navigation
Enterprise Account
Overview
System
Devices
AP Groups and WLANs
Sites
Side Menu
Section Tabs
System Status
Logout
Architecture
Overview
Networking
Device Onboarding
Overview
60 GHz cnWave Onboarding
Pre-Configuration and Approval of Devices (Optional)
Device/Agent Authentication (Optional)
Claiming the Wi-Fi Devices from AP Group
Claiming the Wi-Fi Devices from Site Dashboard
High Availability (HA)
Overview
Primary vs Secondary
Shared (Floating) IP Address
Network Ports
Recommendations
Dual Interfaces
Add eth1 Network Adapter
HA Cluster Setup
Bootstrap (Primary)
Accept (Primary)
Join (Secondary)
Basic HA Cluster Creation Flow
Secondary Server
HA Menus
High Availability Cluster Menu (pre-Bootstrap)
High Availability Menu (post-Bootstrap)
New Cluster
Accept Join Requests
Join Existing Cluster
Validate SSH Fingerprints
HA Cluster Status
Delete Node
Leave Cluster
Information
Behaviour of cnMaestro features When HA is Enabled
Monitoring
Network Monitoring
Dashboard
KPI (Key Performance Indicators)
Device Health
Connection Health
Charts and Graphs
Notifications
Overview
Events
Alarms
Statistics and Details
Performance
Maps
Map Navigation
Mode
Tools
60 GHz cnWave Tools
cnMatrix Tools
cnPilot Home Tools
cnRanger Tools
cnReach Tools
cnVision Tools
Enterprise Wi-Fi Tools
ePMP Tools
Machfu
PMP Tools
Tower-to-Edge View
WIDS
Detecting Rogue APs
cnPilot Dashboards
Device Dashboard
Overview
Clients
Network Info
Mesh Peers
Neighbors
Site Dashboard
Wi-Fi Devices Availability (Total and Offline)
Wireless
Throughput
RF Quality
AP Types
Top Wi-Fi APs
Channel Distribution by Band
Radio/WLAN Distribution by Band
Clients by SNR
Clients by Performance
Clients Graph
Throughput Graph
Statistics
Wireless Clients
Floor Plan
Inventory
Inventory Export
Bulk Delete
Bulk Reboot
Schedule Reboot
CSV Configuration Import
Sample Configuration File
Sample Configuration File (60 GHz cnWave)
Uploading a Configuration File
Reports
Generating Reports
Device Report
Performance Report
Active Alarms Report
Alarms History Report
Events Report
Clients Report
Mesh Peers Report
Remote Upload
Report Jobs
Provisioning
Software Update
Software Update Overview
Create Software Update Job
Software Update while Onboarding
Software Update through Managed Devices
Viewing Running Jobs in Header
cnReach Bulk Software Upgrade
Fixed Wireless Configuration
Overview
Configuration Templates
Configuration Variables
Macros
Variable Caching
Device Type-Specific Configurations
Variable Validation
Sample Templates
Template File Creation
Template
Configuration Update
Device Selection
Device Type
Device Table
Configuration Update Steps
Configuration Backup
Jobs
Configuration Update
Wireless LAN Configuration
cnPilot Home and Enterprise Wi-Fi
Configure cnPilot using cnMaestro
WLAN
Pre-Defined Overrides
User-Defined Overrides
User-Defined Variables
Synchronize (Sync) Configuration
Configuration Job Status
Factory Reset
Association ACL
Overview
Configuring Association ACL
cnMatrix Switches
Switch Groups Configuration
Synchronize (Sync) Configuration
Policy Based Automation (PBA)
Switches
Switch Ports
Device Details
60 GHz cnWave Network Configuration
Managing E2E Network
Site Configuration
Node Configuration
PoP Node
DN/CN Node
Auto-Provisioning
Creating Auto-Provisioning Rule
Services
Managed Service Provider (MSP)
Overview
Managed Accounts
Managed Service
Managed Service Provider (MSP)
Managed Service Users (Administrators)
Configuring Managed Services
Enable Managed Service Provider (MSP)
Create Managed Services
Create Managed Account
Validate Managed Account Administrators
Managed Services Administration
Overview
System Dashboard
Managed Account Administration
Device Management
Disabling Managed Service Provider Feature
API Client
Overview
API Clients
RESTful API Specification
Authentication
Swagger API
Introduction
Sample Swagger UI Screenshot
Client ID and Client Secret Generation
cnMaestro User Interface
API Session
Introduction
Retrieve Access Token
Access Resources
API Details
HTTP Protocol
REST Protocol
Parameters
Access API
Token (basic request)
Token (alternate request)
Validate Token
Selected APIs
Overview
cnMaestro v2 API
Devices API Response (v2 Format)
Statistics API Response (v2 Format)
Performance API Response (v2 Format)
cnPilot Guest Access
Configuration
Create the Guest Access Portal in cnMaestro
Mapping the Device to Guest Access Portal in cnMaestro
Access Types
Guest Access using Social Login
SMS Authentication
Generic SMS Gateway Configuration
cnPilot GRE Tunnels
Overview
Typical Deployment Model (Two Port Solution)
Multicast/Broadcast Handling with Multiple APs on Tunnel Concentrator
Inter AP Wireless Client Communication (through Concentrator)
Configuring L2GRE/EoGRE Tunnel Concentrator
Logs and Statistics
Access Control List (ACL) Configuration
MAC Layer ACL
IP Layer ACL
Transport Layer ACL
SNMP
Overview
Enable SNMP
Configure SNMP Parameters
cnMaestro MIB (Management Information Base)
RADIUS Proxy
Overview
Minimum cnMaestro On-Premises Version Requirements
RADIUS Proxy Configuration
Citizen Broadband Radio Service (CBRS)
Enabling CBRS in Cloud
Enabling CBRS in On-Premises
Synchronize CBRS Configuration to the On-Premises Instance
CBRS HTTP Proxy Configuration Options
Management Tool
Using a HTTP Proxy Server for CBRS Connectivity
Proxy Suggestions for CBRS Connectivity
External Proxy Requirements
Squid as External Proxy
HA for Squid external proxy
LTE
Adding SIM Cards
Administration
User Management
Authentication
Local Users
Creating Users and Configuring User Roles
Changing Password
Authentication Servers
Session Management
Server Management
Monitoring
Settings
Operations
Update cnMaestro Software
System Backup
In-System Upgrade
Diagnostics
SSL Certificate
Certificate Management
Manage Software Images
Webhooks
Integrations
Limits
cnMaestro Webhooks Configuration
Types of Variables
Error and Retransmission
Viewing Configured Webhooks
Status Check
Custom Template Examples
Audit Logs
Syslog
Cloud Connectivity
Overview
Connecting cnMaestro On-Premises to Anchor Account
Software Images
cnMaestro System Update
Appendix
Maintenance
Command Line Alternatives
Export cnMaestro Data
Import cnMaestro Data
Technical Support Dump
Apply OVA Upgrade
Apply Package Update
SSH Access
Enabling SSH Access
Data Backup
Overview
Virtualization System Specific
Account Recovery
Virtual Machine (Console) Account Recovery
cnMaestro Application Account Recovery
Configure Network Time Protocol (NTP)
Disabling NTP Support
Extending the Data Disk
VMware Workstation Disk Expansion
VirtualBox Disk Expansion
Partition and File System Updates
Application Account Recovery
Statistics API Response (v1 Format)
Performance API Response (v1 Format)
Deployments
VMware ESXi Installation
cnMaestro VM Deployment
Oracle VirtualBox 5 Installation
VMware Workstation
KVM Installation
Deployment
Windows DHCP
Configuring Option 60
Windows DHCP Server Configuration
Configuring Option 43
Windows DHCP Server Configuration
Configuring Option 15
Windows DHCP Server Configuration
Configuring Vendor Class Identifiers
Configuring the Policies at the SCOPE Level
Network Requirements
Inbound Ports
Outbound Ports
Custom Network Scripts
Contact Cambium Networks
Introduction
This section includes the following topics:
• Overview
• Quick Start
• UI Navigation
• Architecture
• Device Onboarding
• High Availability
Overview
cnMaestro On-Premises is a standalone version of cnMaestro Cloud that can be installed in a customer's data
center. Its functionality is nearly identical to Cloud – though compacted into a single package and executed on
a virtual machine. The primary features of both On-Premises and Cloud include:
Advanced Troubleshooting: Display tower-to-edge status in a single graphic; view Wi-Fi client details and health; and troubleshoot client connectivity directly on the AP.
AP Groups Configuration: AP Groups supports configuration of all Enterprise Wi-Fi and cnPilot Home devices. Specify a time for configuration of AP Groups.
Bulk Image Upgrade: Schedule software image upgrades across sectors or device groups.
CBRS: Manage Citizen Broadband Radio Service subscription for the CBRS-compliant devices in 3.6 GHz band (3550 MHz to 3700 MHz).
Configuration Backup: Store configuration from all Fixed Wireless devices (cnVision, PMP and ePMP) and cnReach devices which are currently online.
Cloud Connectivity: Allows you to do many synchronization things in On-Premises instances, similar to Cloud will have the inventory stats from instances.
Data Reports: Export device, performance, alarm, and event statistics in CSV format.
Device Inventory: Group device inventory at a System, Network, Tower, Sector, or Site level, and export in PDF/CSV.
Guest Access Portal: Allow Wi-Fi Clients to connect to wireless service using a free model or purchasing vouchers.
Hierarchical Dashboards: Visualize your devices from tower to edge with customized dashboards for each device type.
High Availability (HA): Enable Layer 2 High Availability through an Active-Standby (1+1) architecture.
Managed Service Provider (MSP): Allow cnMaestro account owners to partition their installation into separate Managed Accounts, each with its own independent administration and configuration.
Maps and Map Modes: Leverage maps to position your devices and visualize their health and connectivity. Change the map mode to graphically display various wireless key performance indicators.
• 60 GHz cnWave
• cnMatrix
• cnPilot Home (cnPilot R-Series)
• cnRanger
• cnVision
• ePMP
• Enterprise Wi-Fi (E-Series and XV-Series) and cnPilot Enterprise (ePMP 1000 Hotspot)
• PMP
• PTP
• Enterprise View (which includes Enterprise Wi-Fi (E-Series and XV-Series) and cnPilot Enterprise (ePMP 1000 Hotspot) and cnMatrix)
• Industrial Internet View, which manages Fixed Wireless, Wi-Fi and IIoT deployments including:
    • 60 GHz cnWave
    • cnMatrix
    • cnRanger
    • cnReach
    • cnPilot Home (cnPilot R-Series)
    • cnVision
    • Enterprise Wi-Fi (E-Series and XV-Series) and cnPilot Enterprise (ePMP 1000 Hotspot)
    • ePMP
    • Machfu
    • PMP
    • PTP
Notifications: View immediate status with stateful alarms and events, and troubleshoot customer issues by filtering on alarm history.
Role-Based Access: Assigns Super Administrator, Administrator, Operator, Monitor, or CBRS CPI Roles to Users.
Software Defined Radio (SDR): Allows enabling the software-defined third radio on the XV-3-8 device.
Syslog: Forward audit logs and event logs to a configured external Syslog server.
Template-Based Configuration: Schedule configuration to single devices or groups of devices across your network using templates (cnPilot Home Series, cnMatrix, cnReach, cnVision, ePMP, and PMP devices only).
Zero Touch Onboarding: cnVision Client, PMP SMs, and ePMP SMs automatically appear in the onboarding queue, provided the parent AP is already onboarded.
Supported Browsers
cnMaestro On-Premises supports the following browsers:
NOTE:
cnMaestro On-Premises is also available as an Amazon Machine Image (AMI) that can be accessed
through the AWS Marketplace. The details can be accessed here:
https://aws.amazon.com/marketplace/pp/Cambium-Networks-Ltd-cnMaestro-Wireless-Network-Ma/B07RJCL6MF.
NOTE:
The virtual hardware is different than the physical hardware. Virtual hardware executes the
cnMaestro application; physical hardware executes the VMware virtualization infrastructure in
addition to the cnMaestro application (and possibly other independent applications).
NOTE:
• For best performance, servers with recent generation Intel Core i7 or Xeon CPUs are recommended. Older quad-core CPUs may not scale sufficiently. A Geekbench Multi-Core score of 4,500 should be sufficient for 100 devices, 8,000 for 4,000 devices, and 13,400 for 10,000 devices.
• If the RADIUS Proxy through cnMaestro feature is enabled, system resources, especially vCPUs and RAM, should be increased to 2 times the Hardware Requirements specified in the table below.
• If NBI APIs and multiple Performance reports are enabled, system resources, especially vCPUs and RAM, should be increased to 1.5 times the Hardware Requirements specified in the table below.
• Cambium Networks recommends using an SSD drive to improve performance.
1 to 100 Up to 1500 2 4 80
Device Software
NOTE:
To onboard devices into cnMaestro On-Premises, the devices must at least be running the software
version displayed in Table 5.
For a particular On-Premises release, the minimum Device Software version is already embedded within cnMaestro. It
can be downloaded to your local computer using the steps described in Software Download.
Newer device software may also be available from the Cambium website at
https://support.cambiumnetworks.com/files.
cnMatrix 2.0.4-r1
Machfu 7.1.2-1.1.0.5
PMP 15.0.1
Software Download
NOTE:
• By default, Cambium does not provide any device build during OVA or package upgrade; the user can upload a device build by clicking the Add image button.
• Once uploaded, the user can use the download icon to download the available images, or use the two options on Add image: local and download from cloud.
• New device software releases need to be manually added.
Device software can be accessed from the cnMaestro UI. The software is located at: Administration > Server >
Software Images. Select your device type to display the available images, and then click the download icon.
Device software can also be accessed from the download page of the Cambium Networks Support site
(https://support.cambiumnetworks.com/files).
Account Recovery: Locally resolve password issues with cnMaestro On-Premises system account and Web UI.
Auto-Provisioning: Allow new cnPilot, cnVision, ePMP, and PMP devices to be provisioned and approved automatically using the subnet of the device.
Certificate Management: SSL certificate management for administration of UI and Guest Access Portal.
Configuration Backup: Configuration Backup pulls and stores configuration from all Fixed Wireless devices (cnVision, PMP and ePMP) and cnReach devices which are currently online.
Deployment: The Cloud version is fully hosted and maintained by Cambium Networks at cloud.cambiumnetworks.com. The On-Premises version is released as an OVA (Open Virtualization Archive) file that needs to be installed on either VMware or VirtualBox.
Device Connectivity: In the Cloud version, all devices access cloud.cambiumnetworks.com. In the On-Premises version, devices contact the local cnMaestro server instead. This means they need to be configured to access the server before they can be managed. This can be accomplished on the device using the device UI or SNMP. Alternatively, DHCP options can be configured to provide the cnMaestro URL when the device boots up.
Device Image Management: In the Cloud, device images are automatically available. In the On-Premises version, new images need to be downloaded from support center and added to the cnMaestro server.
Local and Authentication Server Administrators: Support for local administrators (with a user name and password maintained by cnMaestro) or authentication services (including TACACS+ or Active Directory) for administration access.
Onboarding: In the Cloud, devices are onboarded using either the device Manufacturer Serial Number (MSN) or through the Cambium ID (entered on the device). In On-Premises, all devices contacting cnMaestro are added to the onboarding queue, where they can be approved and managed.
On-Premises Console: Simple CLI, available through the virtual machine console, which allows one to configure networking parameters and update the system password.
RESTful API: HTTPS RESTful API for inventory, monitoring, performance, notification, and basic provisioning.
Server Management: Virtual machine performance parameters such as disk, memory, and CPU utilization.
Wireless LAN Speed Test: Speed test between wireless LAN APs and cnMaestro.
Installation
The default passwords for cnMaestro are:
NOTE:
Please change your passwords after logging in the first time.
Virtualization
cnMaestro On-Premises supports two types of virtualization architecture: Desktop Virtualization
and Bare-Metal Hypervisor.
Desktop Virtualization
Desktop Virtualization executes a virtual machine within an existing operating system environment (Windows,
Mac, or Linux). The administrator installs virtualization software, such as VMware Workstation or Oracle
VirtualBox, and it executes in tandem with other desktop applications. cnMaestro can then be installed within
one of these platforms.
The desktop environment is the easiest way to get cnMaestro up and running quickly. You can download a
trial version of VMware Workstation.
cnMaestro Deployment
This document presents cnMaestro deployment using VMware Workstation Player. Directions for VMware
vSphere ESXi and VirtualBox are found in the appendix. VMware Workstation Player (and Oracle VirtualBox)
tend to be the easiest to install and evaluate, though ESXi is preferred for production.
cnMaestro by default is configured to use 2 CPUs, 4 GB memory, and NAT. To change these parameters,
stop the virtual machine, update the virtual machine settings in VMware, and then restart. Click Edit Virtual
Machine Settings from the VMware home screen. From there you can update the virtual hardware.
NOTE:
If you are evaluating more than 100 devices, we recommend using 4 GB of memory and 4
processors.
Information Page
The On-Premises Information page presents the high-level runtime network status for eth0 interface.
You can validate your update by navigating back to the Information page and viewing the current network
configuration.
cnMaestro UI Access
1. Access the UI through virtual machine by providing the IP Address.
NOTE:
The browser will display an untrusted certificate error when you access cnMaestro On-Premises.
This is because it uses a self-signed certificate.
NOTE:
In future cnMaestro releases, customers will be required to connect their On-Premises installation
to the Cloud using an Anchor account, which is a special cnMaestro Cloud Account that
communicates with On-Premises instances. This step is optional in this release, but Cambium
Networks recommends customers do it now in preparation. To know more about the Anchor
Account refer to Cloud Connectivity.
3. Navigate to Administration > Server to monitor and operate the virtual machine instance.
Device Software
NOTE:
• By default, Cambium does not provide any device build during OVA or package upgrade; the user can upload a device build by clicking the Add image button.
• Once uploaded, the user can use the download icon to download the available images, or use the two options on Add image: local and download from cloud.
• New device software releases need to be manually added.
Devices must have the correct beta software installed in order to access cnMaestro. These images are hosted on
the Cambium Networks website, and they can also be downloaded directly from cnMaestro On-Premises.
Navigate to Administration > Server > Software Images. Select your device type to display the available images,
Once the device has been updated with the correct software version, it can be onboarded.
In order to access cnMaestro, devices need to be configured with the cnMaestro URL. There are currently three
ways to do this (listed in priority order)
If none of these are present, the default action is to access the cnMaestro Cloud URL:
https://cloud.cambiumnetworks.com
Static URL
If a static URL is configured in the device UI, the device will always try to connect using it.
cnMatrix
1. Navigate to System > cnMaestro tab.
2. Enter static URL.
cnPilot Enterprise
1. Navigate to Configure > System > Management.
cnRanger
cnReach
1. Navigate to cnMaestro > Management Settings page > Settings.
cnVision Client
In the cnVision Client device UI,
cnVision Hub
In the cnVision Hub device UI,
Machfu
In the Machfu device UI,
PMP
1. Navigate to Configuration > cnMaestro tab.
4. To check the cnMaestro connection status, navigate to Configuration > cnMaestro tab > check Connection
Status.
SM using NAT
AP
PTP
1. Navigate to Installation and click run Installation wizard button.
2. In the Management Configuration window, under cnMaestro, select Enabled.
The following configuration is for Linux-based systems. Refer to Appendix: Windows DHCP Options Configuration
for configuring DHCP options for Windows.
The priority order for determining the cnMaestro URL is the following:
NOTE:
cnRanger, cnReach, PTP 650, PTP 670, and PTP 700 do not support DHCP Options for
onboarding.
cnMatrix Cambium-cnMatrix-EX2K
cnPilot e425H/e505
cnPilot e500/e501S/e502S/e510
cnPilot e700/e600
ePMP cambium
Typically, Option 43 is the preferred mechanism to configure the cnMaestro URL. Example configuration for the
ISC DHCP Server is presented below (from the /etc/dhcp/dhcpd.conf file).
Sample configuration for the ISC DHCP Server is presented below (from the /etc/dhcp/dhcpd.conf file).
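An Option 43 class for the ISC DHCP Server, given here as an added example and not as the guide's own sample. The vendor class identifier Cambium-cnMatrix-EX2K is the cnMatrix value listed above; the option-space name, the sub-option code 1, the subnet, and the URL https://cnmaestro.example.net are assumptions to be replaced with the values for your deployment.

```conf
# /etc/dhcp/dhcpd.conf (added example; values marked "assumed" are placeholders)

# Vendor-encapsulated option space carried inside Option 43.
# The space name and sub-option code 1 are assumed; confirm them for your device family.
option space cambium;
option cambium.cnmaestro-url code 1 = text;

# Match on the Option 60 vendor class identifier the device sends.
# "Cambium-cnMatrix-EX2K" is the cnMatrix identifier from the table above.
class "cambium-cnmatrix" {
    match if option vendor-class-identifier = "Cambium-cnMatrix-EX2K";
    vendor-option-space cambium;
    # Assumed URL of the cnMaestro On-Premises server.
    option cambium.cnmaestro-url "https://cnmaestro.example.net";
}

# Assumed management subnet (documentation address range).
subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    option routers 192.0.2.1;
}
```

Check the file with `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before restarting the DHCP service.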
• Basic
• Account View
• Home Page
• Page Structure
• UI Navigation
• Access and Backhaul Account
• Enterprise Account
• Side Menu
• Section Tabs
• System Status
• Logout
Basic
cnMaestro supports the Time Zone of all countries, which can be selected based upon the composition during
devices installed.
NOTE:
• Only Super Administrator and Administrator can change the Time Zone.
• The Time Zone setting is applicable only for Email Notifications, Webhooks, and RESTful APIs.
Account View
cnMaestro supports three separate account views, based upon the composition of devices installed. The type is
set when the UI is first accessed, but it can be changed later through the Administration > Settings page.
Enterprise Account
The Enterprise account supports Enterprise Wi-Fi deployments, which include cnMatrix, Enterprise Wi-Fi
(E-Series and XV-Series) and cnPilot Enterprise (ePMP 1000 Hotspot). It provides a simplified UI that only displays
Wi-Fi components (hiding fixed wireless features such as Towers).
The account type can be changed at any time, with the following restriction: to select the Enterprise view, all
devices other than cnMatrix, Enterprise Wi-Fi (E-Series and XV-Series) and cnPilot Enterprise (ePMP 1000
Hotspot) need to be removed from the account.
Home Page
The Home Page is the first page displayed when the user logs into cnMaestro On-Premises. It provides links to the
core functional areas in the UI, as well as Cambium Networks support center, community, and documentation. It can
be accessed from any page in the UI by clicking the Home tab.
Page Structure
Most of the cnMaestro On-Premises pages follow a standard structure, which consists of a left-side menu and a
content area. In many pages, tabs provide navigation through the content for a particular section.
Page Navigation
The cnMaestro On-Premises pages include tabs such as Configuration, Statistics, Report, Software Update, Map,
Clients, Mesh Peers, Tools, Dashboard, Notifications, Software Update, and Tools. The content of a page differs
depending upon its context. For example, a Dashboard page will be different at the
System/Network/Tower/Site/Device level. The context, or level in the hierarchy, is selected in the device tree,
which is defined below.
Menu
The Menu provides basic navigation to all the pages in the UI. The menu is different between the Access and
Backhaul view and the fixed wireless view.
Header
The page header supports basic counters for alarms, onboarded devices, pending jobs, MSP global filter if MSP is
enabled, and out-of-sync devices.
The user can navigate the nodes by single-clicking a row to select it, thereby updating the content area to display
the data from the node. Selecting an arrow icon opens the node and displays the next level of hierarchy.
NOTE:
• Opening the node does not automatically select a node in the new hierarchy; instead, the desired node needs to be clicked.
• Names with Japanese characters are supported for Network, Tower, and Site.
60 GHz cnWave Onboard E2E Network: 60 GHz cnWave devices are located within a Network deployed through the Onboard E2E controller.
60 GHz cnWave External E2E Network: 60 GHz cnWave devices are located within a Network deployed through the external E2E controller.
60 GHz cnWave PoP: PoP is mapped to a Site in E2E Network and deployed through the External E2E controller.
60 GHz cnWave PoP Onboard E2E Network: PoP is mapped to a Site in E2E Network and deployed through the Onboard E2E controller.
60 GHz cnWave Site: Sites are located within E2E Networks. A site maps to a single area and represents a location on a map that has 60 GHz cnWave devices.
cnMatrix: cnMatrix devices are located within a Network. Optionally they can also be mapped standalone to a Tower or to a Site.
cnRanger RRH: cnRanger RRH access points are located in a Network and are mapped to a BBU.
cnRanger Sierra 800: cnRanger Sierra 800 devices are located in a Network and are optionally mapped to a Tower.
cnReach (AP or EP): cnReach device which could have zero, one, or two radios and support one or two roles, including Point-to-Point (PTP), Point-to-Multipoint (PTMP), or IO Expander.
cnPilot Home: Wi-Fi devices are generally matched to a local SM and inherit its Network. They can also be mapped standalone to a Network or to a Site.
cnVision Client: cnVision Client Subscriber Modules are located in a Network (if they are standalone, which is only used for bootstrapping) or they are associated with an AP. The SM will inherit the Network and Tower of the AP to which it is associated.
cnVision Hub: cnVision Hub devices are located in a Network and are optionally mapped to a Tower.
Enterprise Wi-Fi: Enterprise Wi-Fi devices are generally matched to a local SM and inherit its Network. They can also be mapped standalone to a Network or to a Site.
Machfu: Machfu devices are located within a Network. Optionally they can also be mapped standalone to a Network or to a Tower.
Network: All devices are placed within Networks. Networks represent the geographical regions or collections of devices with a shared responsibility. Accounts can have one network or many networks. Networks allow one to provide structure to accounts with many devices and also provide aggregation buckets for cnMaestro On-Premises statistics (essentially the system pre-calculates statistics, so they are displayed quickly).
PTP Master: PTP Master device located in a network and optionally mapped to a Tower.
PTP Slave: PTP Slave device located in a network and optionally mapped to a Tower.
Site: Sites are located within networks and hold wireless access points. A site maps to a single area and represents a location on a map that has APs or a building.
System: The System node is at the top level of the hierarchy, though it does not have an explicit node in the tree. Its pages are displayed when the user logs in for the first time, when one selects the System button in the hierarchical tree (displayed when Networks are shown), or selects the System node in the breadcrumbs. The System level aggregates data from all devices within the account.
Tower: Towers are located within networks and hold cnRanger, PTP devices or Point-to-Multipoint APs. All the devices on a Tower are mapped to the same Network, and all their children devices such as Subscriber Modules or Home APs are also mapped to the same network.
Default Network
cnMaestro On-Premises has a default network into which unmapped devices will be placed. These can remain in the
default network or moved to a named network. The default network cannot be deleted, but it can be renamed.
Tree Menu
Each node in the device tree has a menu icon that supports node-specific actions. For example, the System
node lets you add a Network or launch the Software Update page, while individual devices allow you to edit their
cnMaestro settings, reboot, or even delete the device from management (so it can be transferred to another
account); this also applies to devices like 60 GHz cnWave. The actions supported across the tree include the following:
All Devices
Add Network System Add a new Network as a child to the System node.
Add Site Network Add a new Site as a child to the Network node.
Add Tower Network Add a new Tower as a child to the Network node.
Delete Most Nodes Delete a node from the tree. This is available for all nodes except System and
the default network. Deleted devices will be removed entirely from the
management system (along with their historical statistics). In order to delete a
container, such as Network or Site, all nodes inside the container must be
deleted first.
Edit Most Nodes Edit the cnMaestro settings, including node name and location. This is available
for all nodes except System.
For 60 GHz cnWave, the Edit option applies to the E2E Network and its nodes. The node
name can be edited.
Flash LEDs Enterprise Wi-Fi The LEDs of the device make it possible to identify and locate the device.
Refresh All Refresh the node in the tree. This refreshes the node and its children only, not
the entire tree.
Add Node Network and Site Add a new Node as a child to the Site.
Hide or Show Hides or shows sites in the E2E Controller Network tree menu.
Site
Replace Node CN/DN Nodes Replace a Node by changing the MAC address of the faulty node.
Update Software Network and Nodes Allows the user to update the 60 GHz cnWave nodes software.
Map Navigation
Maps are presented in dashboard screens as well as a dedicated map display. Maps often show Tower, Site, and
Devices located in proximity. Map nodes can also be double-clicked to navigate to the selected Device, Site, or
Tower. By selecting a node in the map, the Device Tree gets updated to reflect that node.
Table Navigation
Some tables display Networks, Towers, Sites or Devices and allow the user to click the node and navigate to the
location of the node in the tree.
Node Search
Administrators can search for nodes within the device tree using the Search box. It allows the user to search based
upon IP Address, Serial Number, Device Name and MAC Address. Once the node is found and selected, one can
jump to it in the hierarchical tree.
Enterprise Account
Overview
The Enterprise account differs from Access and Backhaul in that it is largely table-driven. It does not have the quick
buttons or the Device Tree; instead, it has direct navigation for APs, AP Groups, WLANs, and Sites. Each of these is
presented in tabular form, and clicking on the row entry will launch the management page.
System
The System Dashboard and global functionality is presented in the System menu. It aggregates data across the
entire installation.
Figure 9 AP Groups
Sites
Sites are similar to AP Groups in that they aggregate statistics from many APs. The difference is a site represents
APs installed at a single physical location (and mapped to a Floor Plan). Sites also have their own dashboard and
aggregation pages.
Side Menu
The side menu provides high-level navigation through the cnMaestro UI. Click the pin icon at the top to
expand or collapse it.
The side menu for the Access and Backhaul View and Industrial Internet and Enterprise View is:
Section Tabs
All management sections are displayed in context of the managed item, including System, AP, AP Group, and Site.
The options vary depending upon the item selected. A breakdown is below:
Site Dashboard | Notifications | Configuration | Statistics | Report | Floor Plan | APs | Clients | WIDS | Mesh Peers
System Dashboard | Notifications | Configuration | Statistics | Report | Software Update | Clients | Map | Mesh Peers
Wi-Fi AP Group Dashboard | Notifications | Configuration | Statistics | Report | APs | Clients | Mesh Peers
System Status
The UI header has a number of system status icons that provide a single point to view selected global statistics and
operations parameters. Their meanings are highlighted below:
Active Software Upgrade Jobs The number of devices in the onboarding queue that are registered to the
account but which need to be manually accepted prior to completing their
onboarding.
Cloud Connectivity Status Indicates whether cnMaestro Cloud is synced with the On-Premises instance.
Critical Alarms The count of critical alarms currently raised in the system (if no critical
alarms are raised, then the major alarm count will be displayed).
Devices Waiting for Approval The count of jobs in the queue. It includes both running and pending jobs.
Major Alarms The count of major alarms currently raised in the system.
Clicking the icons directs the user to the appropriate UI page for management.
Logout
The user icon in the upper right corner allows the user to log out of cnMaestro On-Premises.
Figure 11 Logout
Overview
The cnMaestro On-Premises architecture is similar to cnMaestro Cloud: devices connect to cnMaestro over HTTP.
With Cloud, the devices access cloud.cambiumnetworks.com. With On-Premises, the devices must be configured
with the IP Address/URL of the cnMaestro instance.
The management connection to cnMaestro is initiated by the devices and remains persistent. Traffic flows in both
directions: devices forward events and statistics to the cnMaestro server, and cnMaestro applies configuration,
updates software, and executes operations on the devices.
Networking
For devices to contact cnMaestro, they must be configured with its IP address or hostname. This is accomplished using
the device UI or SNMP. Alternatively, the URL can be configured on the DHCP server and propagated to the device
through DHCP options (when the device retrieves its IP address). Customers who own their DHCP infrastructure
generally prefer this method.
Overview
By default, all devices contacting cnMaestro On-Premises will be placed in the onboarding queue, where they
persist until approved (after which they become Managed). The onboarding queue (Onboard > Devices) is shown
below.
NOTE:
Onboarding devices is different between Cloud and On-Premises. With On-Premises, when a device
is configured with the cnMaestro URL, it is placed in the onboarding queue by default, from which it
can be approved into the account. In contrast, with Cloud one needs to enter the serial number of
the device to claim it through the cnMaestro UI, or enter the Cambium ID and the onboarding key to
claim it through the Device UI.
NOTE:
If Auto Generate IPv6 Addresses is enabled, E2E Controller fetches the IPv6 addresses
automatically.
1. Navigate to Manage > Network > select 60 GHz cnWave E2E Controller.
2. Click Approve. The 60 GHz cnWave – Network Onboard window pops up.
5. Click Apply.
6. Wait until the network onboard is successful.
7. Once it is successfully onboarded, the E2E Network UI shows the Dashboard of the network as shown below:
1. Navigate to Manage > Network > select 60 GHz cnWave E2E Network.
2. Click Approve. The 60 GHz cnWave-Network Onboard window appears and provides an option to edit the Network
name.
4. After the E2E Network is successfully onboarded, it can be managed through cnMaestro.
If the PoP Node is running the Onboard E2E Controller, the PoP icon is marked with an icon as shown
below:
If this step is not configured, the devices would automatically show up in the onboarding queue, where they can be
approved.
NOTE:
If the device gets stuck in the onboarding page, the Force Onboard button is automatically enabled.
Click Force Onboard to onboard the device.
NOTE:
In Network and Site the SEARCH option is enabled.
3. Specify the MAC Address of the devices line-by-line or comma-separated, or click Import .csv option to import
the device MAC addresses from a file.
4. Click Claim Devices to add to the selected AP Group with the configuration applied.
NOTE:
In cnMaestro On-Premises the procedure is the same as Cloud, but instead of MSN, the user should use
the MAC address of the device.
4. Specify the MAC addresses of the devices line-by-line or comma-separated, or use the Import .csv option to import
the MAC addresses of the devices from a file.
5. Click Claim Devices to add the devices to the selected AP Group and click Apply Configuration.
NOTE:
In cnMaestro On-Premises the procedure is the same as Cloud, but instead of MSN the user should
use the MAC address of the device.
• Overview
• HA Cluster Setup
• HA Menus
Overview
cnMaestro On-Premises supports Layer 2 HA through an active-standby (1+1) architecture. The default HA
installation has a single management interface (eth0) and a shared (floating) management IP address. The basic
deployment is highlighted below:
Primary vs Secondary
The Primary server always has up-to-date configuration and data, and it hosts the cnMaestro application. The
Secondary replicates data from the Primary and enters standby state when fully synchronized.
Network Ports
The following ports/protocols must be accessible between the two systems.
Dual Interfaces
cnMaestro can be configured with two interfaces, eth0 and eth1, on VMware workstation and ESXi. This allows
traffic to be segmented into Management/Cluster and device, though strict separation is not currently enforced (so
the UI can still be launched from the Device IP). The implementation allows deployments with separate
management and control subnets to integrate more easily with cnMaestro.
VMware Workstation
In VMware Workstation, edit the configuration file (ending in .vmx) in the virtual machine home directory. After
shutting down the VM, change the following two entries, so the eth0 PCI number is lower than eth1.
ethernet0.pciSlotNumber = "33"
ethernet1.pciSlotNumber = "34"
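A check for the edit described above, as an added example that is not part of the Cambium guide: it parses the text of a .vmx file and reports when ethernet0.pciSlotNumber is not lower than ethernet1.pciSlotNumber. The function names and the sample file contents are constructed for illustration; only the two key names and the values 33 and 34 come from the guide.

```python
import re

# A .vmx entry has the form: key = "value"
VMX_ENTRY = re.compile(r'^\s*([^\s=#]+)\s*=\s*"([^"]*)"\s*$')
ETH0_KEY = "ethernet0.pciSlotNumber"
ETH1_KEY = "ethernet1.pciSlotNumber"


def read_pci_slots(vmx_text):
    """Collect every (line number, value) pair seen for the two slot keys."""
    found = {ETH0_KEY: [], ETH1_KEY: []}
    for lineno, line in enumerate(vmx_text.splitlines(), start=1):
        match = VMX_ENTRY.match(line)
        if match and match.group(1) in found:
            found[match.group(1)].append((lineno, match.group(2)))
    return found


def check_interface_order(vmx_text):
    """Return a list of problems; an empty list means eth0's slot is lower than eth1's."""
    problems = []
    slots = {}
    for key, entries in read_pci_slots(vmx_text).items():
        if not entries:
            problems.append(f"{key} is not set")
            continue
        if len(entries) > 1:
            # Two values for one key leave the effective slot ambiguous.
            lines = ", ".join(str(n) for n, _ in entries)
            problems.append(f"{key} is set more than once (lines {lines})")
            continue
        lineno, raw = entries[0]
        try:
            slots[key] = int(raw)
        except ValueError:
            problems.append(f"{key} on line {lineno} is not an integer: {raw!r}")
    if ETH0_KEY in slots and ETH1_KEY in slots and slots[ETH0_KEY] >= slots[ETH1_KEY]:
        problems.append(
            f"{ETH0_KEY} ({slots[ETH0_KEY]}) must be lower than "
            f"{ETH1_KEY} ({slots[ETH1_KEY]})"
        )
    return problems


# Constructed sample .vmx contents; only the two pciSlotNumber lines matter here.
GOOD_VMX = '''displayName = "cnmaestro-primary"
ethernet0.present = "TRUE"
ethernet0.pciSlotNumber = "33"
ethernet1.present = "TRUE"
ethernet1.pciSlotNumber = "34"
'''

# Same constructed file with the two slot numbers exchanged.
SWAPPED_VMX = '''displayName = "cnmaestro-primary"
ethernet0.present = "TRUE"
ethernet0.pciSlotNumber = "34"
ethernet1.present = "TRUE"
ethernet1.pciSlotNumber = "33"
'''

if __name__ == "__main__":
    for name, text in (("good", GOOD_VMX), ("swapped", SWAPPED_VMX)):
        print(name, check_interface_order(text) or "OK")
```

Run it against the file contents after shutting down the VM and before powering it back on, so a swapped pair is caught before eth0 and eth1 are assigned.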
Bootstrap (Primary)
The first step is to enable high availability on a cnMaestro instance – effectively creating an HA cluster and initializing
high availability processes. The bootstrapped instance is called the Primary, and it hosts the shared IP address.
Accept (Primary)
The Primary server then configures a shared secret to allow a Secondary system to join the cluster. The secret is
used for authentication, and it is valid for 30 minutes.
Join (Secondary)
The Secondary joins the Primary using the shared secret, and extends the Cluster. At this point, the Secondary
begins replicating data (which could take many minutes). Once fully replicated, the Secondary becomes standby
and is able to fail over.
NOTE:
The Join process uses SSH (port 22) to connect to the Primary. It is important to review the
fingerprint displayed during the Accept and Join operations, to make sure they are the same (and
protect against man-in-the-middle attacks).
WARNING:
All data on the Secondary will be overwritten during the Join.
Primary Server
1. After logging into the cnMaestro console, from the Operations tab, select HA and click OK.
2. From the High Availability Cluster tab, select Bootstrap and click OK.
4. When the L2 High Availability Cluster is created, a success window pops up as shown below:
5. Primary Bootstrap is now successfully completed. Click OK, which redirects to the Accept/Join requests page to
create the Password (shared secret) used to Join a second system.
6. The password is used by the Secondary to authenticate and join the Cluster. It is valid for 30 minutes.
Secondary Server
1. On the Secondary cnMaestro server, from the High Availability Cluster menu, select Join and click OK.
2. The Join existing Cluster window appears. Enter the Primary server eth0 IP and the Join Password, click OK.
3. A pop-up displays the fingerprint of the Primary server. Validate that the fingerprint shown on the Secondary exactly
matches the fingerprint of the Primary (when it is accessed directly). If they are different, the Primary server is
incorrect, and the Join should be cancelled.
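One way to carry out the comparison described in the NOTE under Join (Secondary) and in step 3 above, as an added example that is not Cambium's code. It assumes the fingerprint is shown in OpenSSH form (SHA256:<base64> or legacy MD5 colon-hex) and that the Primary's SSH host public key line was obtained directly from the Primary; both are assumptions, and the key material below is constructed.

```python
import base64
import hashlib
import hmac
import struct


def parse_public_key(line):
    """Return the raw key blob from an OpenSSH public key line: '<type> <base64> [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, encoded = fields[0], fields[1]
    blob = base64.b64decode(encoded, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or altered while being copied.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return blob


def sha256_fingerprint(blob):
    """OpenSSH default form: 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob):
    """Legacy form: MD5 digest as colon-separated lowercase hex pairs."""
    hexdigest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_matches(displayed, public_key_line):
    """True only if the displayed fingerprint is exactly that of the given key."""
    blob = parse_public_key(public_key_line)
    shown = displayed.strip()
    if shown.upper().startswith("SHA256:"):
        # Base64 is case-sensitive, so only the prefix and padding are normalised.
        shown = "SHA256:" + shown[7:].rstrip("=")
        expected = sha256_fingerprint(blob)
    else:
        if shown.upper().startswith("MD5:"):
            shown = shown[4:]
        shown = shown.lower()
        expected = md5_fingerprint(blob)
    return hmac.compare_digest(shown.encode("utf-8"), expected.encode("utf-8"))


def _constructed_key_line(seed, comment):
    """Build a syntactically valid ssh-ed25519 line from constructed bytes (not a real key)."""
    key_type = b"ssh-ed25519"
    public = hashlib.sha256(seed).digest()  # 32 constructed bytes
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(public)) + public)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment


# Constructed sample data: the key read directly from the Primary, and the key
# of some other host that answered on the Primary's address.
PRIMARY_KEY_LINE = _constructed_key_line(b"constructed-primary", "primary-console")
OTHER_KEY_LINE = _constructed_key_line(b"constructed-other", "unexpected-host")

if __name__ == "__main__":
    shown_on_secondary = sha256_fingerprint(parse_public_key(PRIMARY_KEY_LINE))
    print("fingerprint shown in Join pop-up:", shown_on_secondary)
    print("matches Primary:", fingerprint_matches(shown_on_secondary, PRIMARY_KEY_LINE))
    print("matches other host:", fingerprint_matches(shown_on_secondary, OTHER_KEY_LINE))
```

A False result corresponds to the case in step 3 where the Join should be cancelled.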
HA Menus
This section walks through the different HA tabs available in the console.
New Cluster
An HA Cluster requires the eth0 interface be configured with a static IP address. Once the Cluster is created, the IP
address cannot be changed without dissolving the Cluster. During the bootstrap process, a shared IP address is
configured in the same subnet as eth0. This address floats between the active cnMaestro system, and should be
used for cnMaestro access.
HA Cluster Status
The HA Cluster Status tab details the current HA state, including the replication status. After a cluster operation, it
may take a few minutes for the page to show full details.
Failover Failover to the current Standby node. This is not visible while standalone.
Force Forcibly Reset HA configuration. This causes a non-graceful reset of the current node,
and it does not delete the node from the Peer. This operation should only be used if the
Leave operation fails.
Leave Leave the Cluster. This deletes all HA configuration and puts the device into a default
state.
Statistics Status of statistics data replication (this tends to take the longest).
NOTE:
There may be a discrepancy between the Primary and Secondary lag values; the results may be displayed in bytes
or seconds.
Delete Node
Delete from Cluster
Deleting removes the peer node from the cluster. Navigate to Operations > HA, select Delete and click OK.
Use the spacebar to select the Node, select Delete, and press Enter.
Deleting a Node resets the HA configuration of the node and removes it from the Cluster (as long as the node is still
online). If the node is down, or unresponsive, it needs to be manually removed by accessing the node itself and
selecting Leave.
Leave Cluster
Leaving removes the current node from the cluster. It first tries to delete the node from the peer; then it resets the
current node to default. If the delete fails (for example, if there is no network connectivity), it needs to be
performed manually through the peer Console.
Information
The Information page provides global status for the system at initial login. It has a High Availability section at the
bottom.
• Network Monitoring
• cnPilot Dashboard
• Inventory
• Reports
Network Monitoring
The Monitoring tab displays the monitoring panel for cnMaestro On-Premises. This section includes the following:
• Dashboard
• Notifications
• Statistics and Details
• Performance
• Maps
• Tools
• WIDS
Dashboard
Dashboard pages are customized for each device type and aggregation level (such as System, Network, Tower, and
Site). Pages representing devices provide information on location, significant configuration parameters, and
performance. System, Network, Tower, and Site nodes aggregate dashboard data for the devices they contain.
Connection Health
Connection Health displays the health of the devices connected to the network.
Notifications
Overview
Notifications consist of Events, Alarm History, and Alarms. They are asynchronous messages that provide real-time
system status.
Alarms Alarms have state and persist as long as the problematic activity continues; they reflect
the current health of the devices in the network.
NOTE:
After every server reboot or restart, an alarm is displayed as shown below:
Alarm History Expired Alarms are added to the Alarm History. The Alarm History displays historical
active alarm counts.
Events Events are stateless, transient messages that occur in response to an input or action,
such as if the CPU exceeds a threshold or a device association fails. Events are fire-and-
forget; they are stored in an Event Table and provide a history of device activity.
Event/Alarm Source
Identity of the source device affected by the event or alarm.
Aggregation
Notifications are visible at every level of the device tree. Higher levels consolidate notifications for all devices at
lower levels in the hierarchy. For example, the network level displays the events and alarms for all devices within
that network. This aggregation is only available for Networks, Towers, and Sites. When a device is selected, such as
an AP, the notifications will only be presented for it, and not its associated SMs (even though they are lower in the
tree).
Storage
Events and Alarms are stored in cnMaestro for an extended period. They will be removed when the total count of
each surpasses 1,000 multiplied by the number of devices in the account. The oldest entries will be cleared first.
Events
The Event Table stores a history of the most recent events for the selected node.
Event Severity
Event Severity is mapped to the following levels:
Major Issue that greatly degrades the product/feature, but it is still usable.
Notify Message used primarily for notification which includes type of reboot of cnPilot Wi-Fi
devices.
Event Export
The event data in a table can be exported in a CSV or PDF file format.
Each and every system event can be categorized under one type.
The following table describes the different types of system event categories and their descriptions.
Other Events that are not related to the above categories are listed under Other.
Source: Devices
Security Events related to logging into the devices, establishing secure links, and potentially
recognizing scans and security breaches in the future.
Source: cnMaestro, Devices, Clients
Services Events related to additional services that may be added to the product in the future.
There may not be any services events in the first release.
Source: cnMaestro and Devices
Wireless Events related to issues/notifications with the PTP/PMP radio connectivity, Wi-Fi
Clients, etc.
Source: Devices
Alarms
Alarm Life Cycle
Acknowledged Active alarms can be acknowledged, which signifies they are known and being handled.
Once acknowledged, it is not included in the total count.
Active The alarm remains active until the combination of inputs that generated it is cleared.
Inactive Inactive alarms remain visible in the active Alarm Table for 10 minutes, before they are
moved to Alarm History. An alarm becomes inactive when the inputs that generated it are
no longer present. An Inactive alarm can be pulled back to the Active/Acknowledged states
if a new event reactivates the alarm.
Major Significant issue that greatly degrades the product/feature, but it is still usable.
Alarm Types
Status Tracks when connectivity between cnMaestro On-Premises and a device is lost.
Alarm Acknowledgment
Active alarms can be acknowledged in the Alarm Table. This is for convenience – acknowledgment makes the alarm
less visible in the table, and the administrator can further add a note describing how the alarm is being resolved.
Once acknowledged, alarm counts will not be displayed at the page or the system level.
Users can filter the Acknowledged and Unacknowledged devices as shown below:
NOTE:
Instantaneous Offline Alarm is supported only for cnMaestro X features.
You can use Instantaneous Offline Alarm to get the alarm notification within a minute instead of getting it after five
minutes.
NOTE:
Cambium Networks does not recommend enabling this option, as it might generate false alarms if
the network connectivity from the device to cnMaestro is slow or flaky.
The table below highlights the type of information that is generally found in cnMaestro Statistics and Details
sections (separated by Device Type).
GPS
• Fix Type
• Height
• Latitude
• Longitude
• Satellites Tracked
cnMatrix General
• Device
• IP Address
• Product Name
• Serial Number
• Status
Traffic
• Throughput (Rx)
• Throughput (DL)
cnRanger SM General
• Device
• IP Address
• IMSI
• Serial Number
• Status
Traffic
• Throughput (DL)
• Throughput (UL)
Wireless
• Bandwidth
• Frequency
• MCS (DL)
• MCS (UL)
• RSSI
• RSRP
• RSRQ
cnReach General
• Device
• IP Address
• Neighbors
• Radio
• Role
• Status
Radio
• Average Noise
• Radio Temperature
• RSSI
• SNR
• Tx Power
Traffic
• Throughput (DL)
• Device
• DFS Status
• Distance
• IP Address
• Status
• Serial Number
• Session Time
Network
• LAN Interface
• LAN Interface 2
• WAN IP Address
Traffic
Wireless
• Antenna Gain
• Connected AP
• MCS (UL)
• MCS (DL)
• QualityCapacity
• RSSI (DL)
• RSSI (UL)
• SSID
• Tx Power
• Wireless MAC
• Device
Network
• LAN Interface
• LAN Interface 2
Traffic
• Throughput (DL)
• Throughput (UL)
Wireless
• Antenna Gain
• Bandwidth
• DL/UL Ratio
• Max Range
• Frequency
• SSID
• Tx Power
ePMP AP General
• Device
• DFS Status
• IP Address
• Reregistration Count
• Registered SM Count
• Serial Number
• Status
Network
• LAN Interface
• LAN Interface 2
Traffic
• Throughput (DL)
ePMP SM General
• Device
• Distance
• DFS Status
• IP Address
• Status
• Session Time
• Serial Number
Network
• LAN Interface
• LAN Interface 2
• WAN IP Address
Traffic
• Retransmission Rate (DL)
• Retransmission Rate (UL)
• Throughput (DL)
• Throughput (UL)
Wireless
• Antenna Gain
• Capacity
• Connected AP
• MCS (DL)
• MCS (UL)
• Quality
• RSSI (DL)
• RSSI (UL)
• SSID
• Tx Power
• Wireless MAC
Machfu Cell
• Cell Enabled
• Cell ICCID
• Cell IMEI
• Cell IMSI
• Cell IP
• Cell Link
• Cell Manufacturer
Ethernet
• Ethernet
• Ethernet Enabled
• Ethernet MAC
• Ethernet Link
• Ethernet Link Speed
• Ethernet IP Address
• Ethernet Gateway
• Ethernet Mask
• Ethernet Tx Rate
• Ethernet Rx Rate
• Ethernet Mode
General
• Device
• Status
• IP Address
GPS
• GPS Altitude
• GPS Time
• GPS Satellites in use
• GPS Status
• GPS Accuracy
• GPS Fix Time
VPN
• VPN Type
• VPN Link
• VPN Server
• VPN IP
Wireless Client
• WC Enabled
• WC SSID
• WC Link
• WC RSSI
• WAP Enabled
• WAP SSID
• WAP Link
• WAP MAC
• WAP IP
• WAP Mask
• WAP Mode
• WAP Tx Rate
• WAP Rx Rate
PMP AP General
• Device
• DFS Status
• IP Address
• Registered SM Count
• Reregistration Count
• Serial Number
• Status
Network
• LAN Interface
Traffic
• Busy Index (DL)
• Busy Index (UL)
• Frame Utilization (DL)
• Frame Utilization (UL)
• Throughput (DL)
• Throughput (UL)
Wireless
• Antenna Gain
• Bandwidth
• Color code
• DL/UL Ratio
• Frequency
• Maximum Range
• Tx Power
PMP SM General
• Device
PTP General
• Device
• IP Address
• Product Name
• Status
Network
• Aux Interface
• Main PSU Interface
• SFP Interface
Wireless
• Antenna Gain
• Bandwidth
• Errored Seconds
• Licensed Country
• Maximum Transmit Power
• Receive Frequency
• Severely Errored Seconds
• Transmit Frequency
• Unavailable Seconds
The following images represent sample performance graphs for 60 GHz cnWave, cnMatrix, cnRanger, cnPilot
Enterprise, cnPilot Home, cnReach, ePMP AP, ePMP SM, PMP AP, PMP SM, and PTP.
• CPU
• Packet Error
• Rx Packets
• Throughput
• Tx Packets
• CPU
• Clients
• Throughput
• Throughput - Radio 1 (2.4 GHz)
• Throughput - Radio 2 (5 GHz)
• Noise
• Neighbors
• RSSI
• Throughput
• Transmit Power
• CPU
• Die Temperature
• Frame Utilization
• SMs Registered
• Throughput
• Available Memory
• CPU
• MCS
• RSRP
• RSSI
• RSRQ
• SINR
• Throughput
• CPU
• Frame Utilization
• Retransmission
• SMs Registered
• Throughput
• Interference
• Noise Floor
• Packet Rate
• Throughput
• Throughput - Radio 1 (2.4 GHz)
• Throughput - Radio 2 (5 GHz)
• CPU
• Frame Utilization
• Retransmission
• SMs Registered
• Throughput
• CPU
• MCS
• Retransmission
• RSSI
• Session Drops
• SNR
• Throughput
• Cellular Throughput
• Cellular RSSI
• CPU Load
• Disk Storage
• Ethernet 1 Throughput
• Ethernet 2 Throughput
• Flash Memory
• Wi-Fi Client Throughput
• Wi-Fi Client RSSI
• Wi-Fi Access Point Throughput
• CPU
• Frame Utilization
• SMs Registered
• Throughput
• CPU
• DL RSSI Imbalance
• LQI (Link Quality Indicator)
• Modulation
• RSSI
• Session Drops
• SNR (Horizontal)
• SNR (Vertical)
• Throughput
• Packet Error
• PCB Temperature
• Receive Vector Error
• Receive Power
• Receive Signal Strength Ratio
• SFP Throughput
• Throughput
• Transmit Power
Maps
Maps provide a visualization for Towers, Sites, and Devices. They display proximity to other devices, connectivity
between devices, device health, and selectable status parameters. An example map is presented below.
Two views are supported in system maps and Network/Tower dashboard maps:
• Street view
• Satellite view
NOTE:
Custom Map Server is supported only for cnMaestro X features.
Geolocation Map Settings allows you to customize the map using a Web Map Service (WMS) map server. The map can be
customized using the WMS map server URL and the Layer Name provided by the service provider.
For example, if you are using the URL http://ows.mundialis.de/services/service? in the WMS Map server, then enter
the Layer Name TOPO-WMS or TOPO-OSM-WMS provided by the map service provider.
If you enable the Geolocation Map Settings, the custom tile map is displayed in all features as shown:
Double Click If the user double-clicks on the following items on the Map, the UI should auto-
navigate to the Dashboard of that item:
• ePMP SM
• Site
• Tower
Hover Hovering over a tower or device will pop-up a tool tip that provides basic status
information. Hovering over an RF link will display status on the link.
Single Click If the user single-clicks on the following items on the Map, auto-select the same item
in the tree:
• ePMP SM
• Tower
Standard Components In the upper-left corner are generic map navigation components that allow one to
zoom in and out. One can also use the mouse to drag and reposition the view as well
as turn on satellite display.
Mode
The map can be placed in a number of different modes for the devices of PMP/ePMP SMs only, which define how
the device status is presented.
Alarm Status Highlights devices based upon alarm count (critical, major, minor).
Average MCS (ePMP only) Displays the uplink or downlink average MCS per device.
Link Quality Indicator (PMP only) Displays the uplink or downlink average indicator per device.
Reregistration Count Displays the nodes based upon the number of re-registrations in the last 24 hours.
The more reregistrations, the larger the node is displayed.
Retransmission Percentage (ePMP only) Displays the percentage of packets retransmitted between ePMP SM and AP on the
wireless link.
Embedded Maps
Maps are embedded into some additional UI views (most notably, the dashboard). These embedded maps do not
provide the full feature set of the Map view.
Sector Visualization
cnMaestro is able to present a basic sector View for ePMP and PMP fixed wireless devices. This requires
configuration of Height, Azimuth, Elevation and Beam Width under ePMP/PMP AP configuration. This configured
data is used to generate the sector view: the presentation is not based upon link planning or geographic topology.
A new option for Sector Visualization is available in side tab map view. By enabling Show Sector option, the
following map is displayed:
In addition to Sector Visualization, a new option is available to show/hide Subscriber Modules. This is present at
System, Network, Tower, and AP levels. You can also choose to set the color of SMs based upon frequency or
online/offline state.
NOTE:
The default setting for showing Subscriber Modules is No.
Tools
This section provides the following details:
In the Nodes Tools tab you can view the status and Debug of the device. Refer to Node Tools.
cnMatrix Tools
In the Status tab you can view the status of the device (either Online or Offline) and reboot the device.
Remote CLI Remote CLI mode is enabled for super admin and admin users only, but operators can
execute show commands only.
The user can provide the CLI command in the Command textbox. The output will be
displayed in the output window.
In Tools > Remote CLI, when you select a command type and click Run, the following output is displayed:
Wi-Fi Performance Wi-Fi performance measures the backhaul speed across devices with respect to
cnMaestro.
cnRanger SM
In the Status tab you can view the status of the device (either Online or Offline), download the Tech Support File,
view the wired connectivity status, and reboot the device.
cnReach Tools
The Tools page for cnReach devices consolidates a number of operations into a single troubleshooting interface.
RF Ping RF reachability test between local radios that provides details on signal quality.
RF Throughput RF throughput test between local radios that provides details on throughput.
cnVision Tools
The Tools page for cnVision devices consolidates a number of operations into a single troubleshooting interface.
Subscriber Modules Displays the SM linked to the Hub and allows you to reboot it and download the tech support file.
Link Test The Link Capacity Test measures the throughput of the RF link between two cnVision modules.
The cnVision link test only utilizes the spare sector capacity for this test; therefore, sector traffic will
not be disrupted. For the most accurate wireless link test results, it is best to run this test when
there is no or very little customer data traffic being sent for the duration of the test.
Displays the link related test result with respect to Throughput. Link Test can be performed on
the cnVision Hub and its SM link. In order to run this operation, select the device and then the
Tools tab.
• If a cnVision Hub is selected you can choose the SM from the list and start the test.
• Packet Size: Choose the Packet Size to use for the throughput test.
• Duration: Choose the time duration in seconds to use for the throughput test.
• If a cnVision Client is selected, click Start Test to run the link test.
• Packet Size: Choose the Packet Size to use for the throughput test.
• Duration: Choose the time duration in seconds to use for the throughput test.
Flash LEDs (Only for E Series Device) The LEDs of the device make it possible to identify and locate the device.
Remote CLI Remote CLI mode is enabled for super admin and admin users only, but operators can
execute show commands only.
The user can provide the CLI command in the Command textbox. The output will be
displayed in the output window.
Wi-Fi Performance (wifiperf) Wi-Fi performance measures the backhaul speed across devices with respect to
cnMaestro.
The WiFiPerf Endpoint can be either the cnMaestro instance or a locally installed speed test server.
• cnMaestro Instance: To enable the Wi-Fi performance test, navigate to the Administration > Settings > Advanced
Features page and enable the WiFiPerf Daemon option.
• Locally installed Wi-Fi Performance Server: Wifiperf interoperates with the open source
zapwireless tool (https://code.google.com/archive/p/zapwireless/), so install zap on a local host at the site. This is especially
helpful for troubleshooting connectivity/performance issues related to a Wi-Fi AP/Client in a site.
To configure locally installed site level speed test server on cnMaestro, navigate to Site > Configuration > WiFiPerf
Server page.
NOTE:
For more details on Wi-Fi performance (wifiperf) feature, refer here.
To run the Wi-Fi performance test, navigate to Tools > Wi-Fi Performance page.
It can be used to measure the following parameters with intervals of 10, 20 and 30 seconds:
Traffic Types
• TCP
• UDP
Traffic Direction
• Downlink
• Uplink
WiFiPerf Endpoint
• cnMaestro
• WiFi Perf Local Host
ePMP Tools
The Tools page for ePMP devices consolidates a number of operations into a single troubleshooting interface.
Link Test The Link Capacity Test measures the throughput of the RF link between two ePMP modules.
ePMP’s link test only utilizes the spare sector capacity for this test; therefore, sector traffic will
not be disrupted. For the most accurate wireless link test results, it is best to run this test when
there is no or very little customer data traffic being sent for the duration of the test.
Displays the link related test result with respect to Throughput. Link Test can be performed on
the ePMP AP and its SM link. In order to run this operation, select the device and then the Tools
tab.
• If an ePMP AP is selected you can choose the SM from the list and start the test.
• Packet Size: Choose the packet size to use for the throughput test.
• Duration: Choose the time duration in seconds to use for the throughput test.
• Packet Size: Choose the Packet Size to use for the throughput test.
• Duration: Choose the time duration in seconds to use for the throughput test.
eDetect eDetect is supported on the ePMP AP or SM. It is also launched from the Tools tab.
The eDetect tool (not available in ePMP Master/Slave mode) is used to measure the 802.11
interference at the ePMP radio or system when run from the AP or the SM, on the current
operating channel. When the tool is run, the ePMP device processes all frames received from
devices not connected to the ePMP system and collects the interfering frame’s information such
as MAC Address, RSSI, and MCS.
Machfu
In the Status tab you can view whether the device is Online or Offline, download the Tech Support File, and reboot the device.
Subscriber Modules: Lists all the SMs connected to the selected AP. This is available for PMP APs only.
Link Test: The Link Capacity Test measures the throughput and efficiency of the RF link between two PMP modules. Many factors, including packet length, affect throughput. Packets are added to one or more queues in the AP in order to fill the frame. Throughput and efficiency are then calculated during the test.
• Link Test without Bridging: Tests radio-to-radio communication, but does not bridge traffic.
• Link Test with Bridging: Bridges traffic to “simulated” Ethernet ports, providing a status of the bridged link.
• Link Test with Bridging and MIR: Bridges the traffic during the test and also adheres to any MIR (Maximum Information Rate) settings for the link.
• Extrapolated Link Test: Estimates the link capacity by sending a few packets and measuring link quality.
Displays the link-related test result with respect to Throughput and Interference. Link Test can be performed on the PMP AP and its SM link. To run this operation, select the device and then the Tools tab.
• If a PMP AP is selected, you can choose the SM from the list and start the test.
Tower-to-Edge View
This component displays the network from the Point-to-Multipoint AP to the edge Enterprise devices.
WIDS
This section provides details on Rogue APs.
Configuring Rogue AP
To enable Rogue AP feature:
1. Navigate to AP Groups > Configuration > Radio (Available on both radio 2.4 GHz and 5 GHz) page.
2. Select the Enable OCS check box under OCS tab.
The whitelisted Rogue AP WLAN will be grayed out in Rogue AP list and it will be removed after 24 hours.
You can view list of Rogue APs at the Site level in the Monitor page:
You can search for a specific Rogue AP based on the MAC, SSID, Channel, and the Manufacturer by using the search
option.
NOTE:
1. OCS (on both 2.4 GHz and 5 GHz) and Rogue AP detection should be enabled for WIDS option to
work at site and device level in cnMaestro.
Device Dashboard
The Device Dashboard page displays details of all the Wi-Fi devices in cnMaestro. It mainly focuses on the
following parameters:
• Overview
• Clients
• Network Info
• Mesh Peers
• Neighbors
Overview
The overview section displays the radio Details, Clients, Throughput, Channels, Top Alarms, Clients by SNR,
Clients by Performance, Clients by Radio, Top Clients by Usage, and Top WLANs by Throughput.
Clients
The Clients section displays the details of all the wireless and wired clients.
• Band
• Download
• Host Name
• IP Address
• MAC
• Manufacturer
• RSSI
• WLAN
• Upload
• Actions
• Authentication
• Band
• Client Type
• Download
• Download Quota
• Download Quota Balance
• GA Mode
• Guest Access Type
• Host Name
• IP Address
• MAC
• Authentication
• Auth Status
• Client Type
• Download
• Download Quota
• Download Quota Balance
• Guest Access Type
• Host Name
• IP Address
• MAC
• Manufacturer
• OS
• Portal Mode
• Total Quota
• Total Quota Balance
• User
• Upload
• Upload Quota
• Upload Quota Balance
• VLAN
Network Info
The Network Info section displays the details of the Network.
• Ethernet Ports
  - Type
  - Tx Bytes
  - Rx Bytes
  - Tx Packets
  - Rx Packets
  - Tx Error Bytes
  - Rx Error Bytes
• FXS Ports
  - Type
  - SIP Account Status
  - Phone Number
  - Hook State
• VLAN
• Routes
• DNS Server(s)
• Domain Name
• Ethernet Ports
• Tunnels
IPv6 Routes
DNS Servers
• Port
• Tx Octets
• Rx Octets
• Tx Frames
• Rx Frames
• Rx Frames with Error
• Tx Broadcasts
• Rx Broadcasts
• Rx Frames Undersize
• Rx Frames Oversize
You can also perform the Wi-Fi performance test by clicking the icon in the Action field.
Neighbors
Displays the BSSID, SSID, Channel, RSSI details of neighboring 2.4 GHz and 5 GHz radios.
• AP Types
• Channel Distribution by Band
• Clients by SNR
• Clients by Performance
• Floor Plan
• RF Quality
• Radio/WLAN Distribution by Band
• Throughput
• Top Wi-Fi APs
• Throughput Graph
• Wi-Fi Devices Availability (Total and Offline)
• Clients Graph
• Statistics
• Wireless Clients
Throughput
Displays aggregated throughput for all the clients.
RF Quality
AP Types
Clients by SNR
Clients Graph
Clients Graph displays clients that are connected in 2.4 GHz and 5 GHz for the last week.
Throughput Graph
Throughput Graph displays client traffic for the last week.
• Device
• Managed Account
• Product Name
• IP Address
• Status
• Type
• Channel
• Power
• Throughput (DL)
• Throughput (UL)
Wireless Clients
Wireless Clients displays following parameters:
• Auth Status
• Authentication Type
• Band
• Client Type
• Host Name
• IP Address
• MAC
• Manufacturer
• Mode
• OS
• Portal Mode
Floor Plan
Floor Plan is used to locate all APs on the map (and present device status, connected clients, and Tx power). To do this, upload the map in Site > Floor Plan > Edit > Upload; the floor map can also be uploaded when the site is created.
To place the APs on the floor map, click the full-screen option and then click Edit; then place the APs on the map and click Save.
NOTE:
While uploading the floor plan, follow the recommended specifications:
• Resolution: 1024 px X 800 px
• Supported file types: jpeg, jpg, png & gif
• File size: not more than 5 MB.
Inventory displays a list of devices under the selected node. It presents health and maintenance information
that can be toggled through a button bar at the top. It aggregates children devices and provides a tabular view
that allows for sorting and filtering. When selected for a single device, it presents a detailed page tailored to
that device.
Navigate to Inventory.
Inventory Export
The inventory can be exported in either CSV or PDF format. The values exported will match those in the
selected table columns. You can customize the health and maintenance views to add or delete columns.
Bulk Delete
The Bulk Delete is available in the inventory page of System/Network/Tower/Site in cnMaestro On-Premises.
This feature helps the users in bulk deletion of devices from System/Network/Tower/Site.
NOTE:
In Wi-Fi view, Bulk Delete can also delete the devices that are in waiting for approval state.
Bulk Reboot
The Bulk Reboot is available in the inventory page of Network/Tower/Site in cnMaestro On-Premises.
When the devices are moved using the Bulk Reboot option, all the Network/Tower/Site Dashboards, Graphs,
Clients, Reports, and Mesh Peers will also get updated accordingly.
After creating a scheduled reboot job, you can view the status in the Administration > Jobs > Actions page.
NOTE:
The Import Device configuration is supported only for the Access and Backhaul account and is
applicable only on ePMP/PMP AP and SM devices.
The following parameters are supported for ePMP/PMP AP in the CSV file:
• Azimuth
• Beam Width
• Elevation
• Height
• Latitude
• Longitude
The following parameters are supported for ePMP/PMP SM in the CSV file:
• Latitude
• Longitude
While importing the file, cnMaestro automatically validates the data as shown below.
If any invalid fields are found during validation, an error window pops up as shown below:
1. Download Sample Template or prepare a sheet in CSV file format with necessary column details.
2. Upload a configuration file (CSV) as per the format specified in the sample template.
NOTE:
You must know the MAC address of the device to push the configuration.
3. Click Import.
5. You can view the completed status of the import device(s) configuration in the Managed Account page.
Error1: Error: {Count of Devices} Device(s) with invalid MAC
This error is displayed if the uploaded CSV file contains an invalid MAC Address.
Error2: {Count of Devices} Device(s) skipped due to invalid data
This error is displayed if the uploaded CSV file contains invalid data, or data not relevant, for Latitude, Longitude, Azimuth, Height and Elevation.
Error3: Devices were not found for supplied MAC Address
This error message is displayed if no devices were found with the MAC address supplied in the CSV file.
Error4: Info: 1 Devices(s) accepted without latitude/longitude values
This error is displayed when an attempt is made to push latitude and longitude values to an ePMP AP or PMP AP that is under a Tower.
This section provides details on how to schedule and generate different types of data reports in cnMaestro On-Premises.
• Generating Reports
• Remote Upload
• Report Jobs
Generating Reports
The following reports can be generated:
• Device Report
• Reports
• Active Alarms Report
• Alarms History Report
• Events Report
• Clients Report
• Mesh Peers Report
Device Report
To generate device reports:
Based on the device type selection the Data Export parameters will change.
• If Device Type is selected as 60 GHz cnWave with Mode as CN or DN or both, then Basic, Radio, GPS, and Ethernet Data of CN or DN will be exported.
• If cnMatrix is selected as the Device Type, then Basic data will be exported.
• If cnPilot Home (R-Series) is selected as the Device Type, then Basic, Network and Radio Data will be exported.
• If cnReach XIO is selected as the Device Type, then Basic, Radio and Network Data will be exported.
• If cnRanger is selected as the Device Type, then Basic, Radio, Location, CBRS, and Network Data will be exported.
• If cnVision is selected as the Device Type, then Basic, Network, Location and Radio Data will be exported.
• If ePMP is selected as the Device Type, then Basic, Network, Location and Radio data will be exported. User can select to generate the report for either AP or SM or both. Based on the AP or SM selection, the data related to AP or SM will be exported.
• If PMP is selected as the Device Type, then Basic, Network, Location and Radio data will be exported. User can select to generate the report for either AP or SM or both. Based on the AP or SM selection, the data related to AP or SM will be exported.
NOTE:
The data will be exported for the devices which are under the System/Managed
Account/Network/Tower/Site/AP Group based on the selection made by the user in the LHS Tree.
Performance Report
To generate performance reports:
This report will export the data for the Alarms which are currently active at the report generation time.
This report will export the data for the Alarms which are currently active at the report generation time and the
historical alarms for the specified time period and interval.
Events Report
To generate the Events reports:
The Events report will export the data for the events for the specified Time Period and Interval.
Clients Report
NOTE:
Clients Data is available for Last day or last 24 Hrs only.
1. Navigate to Report > Clients tab and select the Data Export tab.
2. Select the Time Interval on which the report is generated: Now, Daily or Weekly.
3. Click Start Job or Schedule based on the selected Export (Now, Daily, Weekly, or Monthly).
The Clients report exports the data for the clients for the specified Time Period and Interval.
1. Navigate to Administration > Settings page and enable Detailed Mesh Statistics check box under Advanced
Features. The Mesh Peers tab appears in Reports page.
2. Select the Data Export tab under Mesh Peers tab.
3. Click Start Job or Schedule based on the selected Export (Now, Daily, Weekly, or Monthly). The Mesh Report for
the last 24 hours will be generated.
NOTE:
1. Every report page has a View Report Jobs link that directs the user to the Report Jobs page under
Administration > Jobs > Reports.
2. To schedule a report Now, click Start Job under the respective report section. cnMaestro
downloads the report immediately for the current system time.
The Daily report generates reports on a daily basis depending upon the start and the end time. The
Weekly report generates reports at seven-day intervals depending upon the start and the end time.
Click the Schedule button and configure the start and end time to schedule daily or weekly reports under
the respective Reports section.
3. The Export now option lets the user create a number of export jobs. These are stored under
Administration > Jobs > Report tab in the export page and can be downloaded within seven days
from the day of generation. This saves the user's local memory from downloading each and every
export report.
Remote Upload
Reports scheduled for Now, Daily or Weekly can be downloaded directly through the UI, or from an FTP or SFTP
server.
1. Navigate to Administration > Settings page and select Optional Features tab.
2. Select the Report Scheduler check box to enable scheduling feature for data reports.
3. Select Remote Upload check box to upload the generated reports to the configured file server by FTP or SFTP.
4. Enter the Remote Host.
5. Enter the Port Number.
6. Enter the Username.
7. Enter the Password.
8. Enter the File Path.
9. Click Save.
Report Jobs
Displays the list of scheduled report jobs created by different users.
• Edit: Visible only for active Jobs that have not yet run once. With this option, you can reschedule a job.
• Terminate: Stop the active Jobs.
• Show History: Display the detailed status of the generated reports and the file transfer status.
• Delete: Delete active and completed Jobs.
• Instant Download: User can instantly download the latest report directly once the download is complete, without checking Show History.
• Software Update
• Fixed Wireless Configuration
• Wireless LAN Configuration
• Auto-Provisioning
Software Update
The Software Update tab displays the device update details for cnMaestro On-Premises. This section includes the
following:
When a Job finishes, it is placed in the completed Jobs table, where it remains for a week before it is deleted.
Device Type
Software Updates are executed on one device-type at a time. The type includes the specific hardware (Backhaul
and Wi-Fi devices).
NOTE:
Update both partition option is available at System/Managed Account/Network/Site/Device levels.
When Update both partition is enabled or disabled, the device level of the software update is displayed as follows:
• Enable: The selected target image will be upgraded in both the active and inactive partitions of the device.
• Disable: The selected target image will be upgraded in only the active partition of the device.
If Perform sequential updates within a Site is enabled, the image upgrade happens on only one device at a time in that particular site; otherwise the upgrade happens on all the devices.
Disable Auto Reboot option disables reboot after applying the new software image. User has to manually reboot
the switch to complete the software update and boot with new version.
You can view the status of software update job in Administration > Jobs > Software Update>Manual or Auto page.
Once the Setting is applied user can view the Jobs in Administration > Jobs > Software Update> Auto page.
Device Table
Select the devices to upgrade in the Devices Table.
The following parameters are visible (though some are only available for certain device types).
Current Version: The version of the active software image running on the device.
Devices: The names of available devices in a system. The list is pre-filtered based upon the node selected in the Device Tree.
Selected SMs: If the AP is selected, the corresponding SMs will also be selected.
Status: The status of a particular device in a system. Devices that are not connected cannot have images pushed to them.
If the software update job was skipped for a device because it was offline, an icon appears next to the active
software version of the device. This indicates that the software update for the device will be done with the Target
device version in the Job whenever it reconnects to cnMaestro.
If the software update job was skipped while upgrading with the same version as the device active version, then the
icon will not be displayed and the device will not update when it reconnects.
NOTE:
The device which undergoes Retry Software Update, does not create a new Job.
Options
Stop Updates on Critical Error
If one of the updates fails, then do not start any additional updates and instead pause the update job. All existing,
concurrent updates will be allowed to proceed until completion. The administrator will be able to continue the
update where it left off, if desired.
NOTE:
Device updates occur sector-by-sector. One sector needs to complete before a second sector is
started.
Parallel Upgrades
Specify how many device upgrades to perform in parallel to complete the upgrade faster. However if the job is
configured to halt on an error, all concurrent sessions will still be allowed to complete.
Upgrade Steps
To upgrade an ePMP (Sectors) device:
1. Navigate to System or Network or Tower or Device level. From the list, select the system or network or tower or
device to which the device belongs.
2. Navigate to Manage > Software Update > Select Devices page.
3. Select ePMP (Sectors) from the following Select Device Type drop-down list:
a. 60 GHz cnWave
b. cnMatrix
c. cnReach
d. cnRanger
e. cnPilot Home (R-Series)
f. cnPilot Enterprise (ePMP Hotspot)
g. cnVision
h. Enterprise Wi-Fi (E-Series)
i. Enterprise Wi-Fi (XV-Series)
j. ePMP (Sectors)
k. Machfu
l. PMP (Sectors)
m. PTP
4. Select the software image to update from the Select Image Version drop-down list.
5. Select the devices to update by clicking the tick icon.
6. Set desired Job Options.
7. Click Add Software Job button.
The following table displays the list of parameters displayed in the Software Update Jobs tab:
Details: Count of devices and date and time the upgrade process is initiated.
Image Type: Displays the type of image selected for the device.
Occurrence: Displays the occurrence of the update like now, scheduled, etc.
The user can filter the jobs based on the running status. The user can also filter the devices in a particular job based
on the parameters mentioned in the above table.
NOTE:
1. Devices which are already completed display as Completed with a message update complete
along with the status as Completed.
2. Devices which are ongoing display as Aborted with a message Manually Aborted with the status
as Aborted.
3. Devices which have not yet started display as "skipped" with a message "job was aborted" with
the status as Skipped.
4. Software update jobs can be scheduled in parallel irrespective of other running Jobs, as the PRO
account supports Parallel Jobs. If the same device is used for a configuration and a software job at the
same time, only one operation will be done, as the Job locks the device until it finishes.
Click the icon at the top right corner of the UI. This directs you to the Jobs page of the Software Update tab.
For more information, see Software Update Parameters.
The Bulk Software Upgrade is optional, and meant to be used for efficiency. One can still use the standard Software
Update mechanism to transfer images to cnReach devices one at a time, though the distribution could take many
hours or days.
Bulk Upgrade
The Bulk Upgrade tab is accessed by selecting a cnReach AP then Software Update > Bulk Upgrade. The
Motherboard (OS) or Radio software is available, and the distribution started and stopped. Once started, the
distribution continues until stopped, so be sure to manually stop the process when complete.
Upgrade Tracking
The following page is displayed when an AP is actively distributing software. One can view other devices in the
VLAN (and their current software versions), and the distribution status. Distribution can be stopped at any time, and
images can be applied directly to the devices in the list.
• Overview
• Configuration Templates
• Configuration Variables
• Configuration Update
Overview
Template configuration is supported for cnMatrix, cnPilot Home, ePMP, PMP, Machfu, cnVision and cnReach
devices. Templates are textual representations of device settings that contain a full configuration or partial
configuration. When a template is applied to a device, the only parameters changed are those in the template.
Configuration Templates
Templates can be pushed to a device manually through a configuration job. This is accomplished in the
configuration management page. Templates can also be applied prior to onboarding, in which they would be
provisioned in the Onboarding queue.
Some sample templates are listed below. The ellipsis (…) represents additional content that has been excised
from the example to limit the size of the text.
Configuration Variables
Administrators can embed variables into templates that will be replaced when the template is applied to a device.
This allows one to leverage a shared, generic template, but to tailor it to individual devices when it is pushed.
Template variables are added to a configuration file by replacing an existing parameter with a customer-defined
string of the format ${VARIABLE}. An example configuration line with a single variable replacement is shown
below:
The above variable is named IP_ADDRESS. When the template is pushed to a device, this variable will be replaced
with a value specific to the device. This value needs to be set for the device prior to the template application, else
the configuration will not be pushed. Default values can also be specified for variables, as shown below:
The default value is "10.1.1.254". In this case if the variable is not set for a device, the default value is used.
Variable Usage
The figure below highlights how Templates and Variables are merged to create the final configuration that is
pushed to the device.
Macros
Macros can be used in templates similar to configuration variables except they automatically take values provided
by the device itself.
Variable Validation
All variables for a selected template must be mapped to a value in order to create a configuration job. If any
variables are not mapped, an error will be generated. Variables that have default settings will not cause an error if
they are unset.
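One way to pre-check the variable rules described above before creating a configuration job, as an added example (not cnMaestro's own code): it resolves `${VARIABLE}` placeholders for each device and lists the devices whose unset variables would block the job. The `${NAME=default}` spelling for defaults, the template keys, and the device names are assumptions made for this example.

```python
import re

# Matches ${NAME} and ${NAME=default}. The "=default" spelling is an
# assumption of this example; confirm the exact syntax against a sample
# template from your own cnMaestro instance.
VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?:=([^}]*))?\}")


def required_variables(template):
    """Names that appear at least once without a default, sorted."""
    return sorted({m.group(1) for m in VAR_RE.finditer(template)
                   if m.group(2) is None})


def resolve(template, values):
    """Return (rendered_text, missing_names) for one device's values."""
    missing = set()

    def substitute(match):
        name, default = match.group(1), match.group(2)
        if name in values:
            return str(values[name])   # device-specific value wins
        if default is not None:
            return default             # fall back to the template default
        missing.add(name)
        return match.group(0)          # leave the placeholder visible

    # re.sub makes a single pass and uses the function's return value
    # literally, so a "${...}" inside a supplied value is not expanded again.
    rendered = VAR_RE.sub(substitute, template)
    return rendered, sorted(missing)


def render(template, values):
    """Render for one device; refuse if any variable is left unmapped."""
    rendered, missing = resolve(template, values)
    if missing:
        raise ValueError("unset variables: " + ", ".join(missing))
    return rendered


def preflight(template, per_device):
    """Return {device: [unset names]} for devices that would block the job."""
    blocked = {}
    for device, values in per_device.items():
        _, missing = resolve(template, values)
        if missing:
            blocked[device] = missing
    return blocked


# Constructed sample data: the keys are hypothetical, not a device schema.
SAMPLE_TEMPLATE = """{
  "ip_address": "${IP_ADDRESS=10.1.1.254}",
  "site_name": "${SITE_NAME}",
  "contact": "${CONTACT}"
}"""

SAMPLE_DEVICES = {
    "dev-1": {"IP_ADDRESS": "10.1.1.10", "SITE_NAME": "North", "CONTACT": "noc"},
    "dev-2": {"SITE_NAME": "South", "CONTACT": "noc"},   # default IP is used
    "dev-3": {"IP_ADDRESS": "10.1.1.12"},                # two variables unset
}

if __name__ == "__main__":
    print("required:", required_variables(SAMPLE_TEMPLATE))
    for device, names in preflight(SAMPLE_TEMPLATE, SAMPLE_DEVICES).items():
        print(device, "is missing", ", ".join(names))
    print(render(SAMPLE_TEMPLATE, SAMPLE_DEVICES["dev-2"]))
```
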
Sample Templates
A number of sample templates are provided for each device type. These are not meant to be applied directly, but
rather serve as an example of the configuration data format accepted by the device. See the documentation for
your devices for full details.
1. On a test device, configure the parameters you are interested in pushing to devices with values that will be easy
to search for. This can be done directly on the device web UI.
2. Export the device configuration. Via cnMaestro this is done by navigating to Configuration > Templates,
selecting the device in the left-hand tree and then clicking the View Device Configuration link. This can also be
done via the device GUI, typically in the Administration or Operations section where there will be an Export for
configuration.
3. View the configuration file in a text editor like Notepad++ and search for the values you entered in step 1. You
can also search for the parameter name to try to find the correct lines.
4. Copy and paste the relevant lines into a new file.
5. Optionally replace values with replacement variable text. This will allow you to set the value per device.
6. Once you have this partial template it can be copied into the template creation text field and saved.
Template
To create a configuration template:
NOTE:
When you navigate to the Template page, the default template type filter will be Custom. Select
All or Default in order to view other templates.
Configuration Update
Device Selection
First navigate to the Configuration Update tab, then navigate the Device Tree to the appropriate level for device
selection. For example, selecting an AP will enable selection of the AP and all its SMs.
Device Type
Configuration jobs are created for a single device type. The type includes the specific hardware (ePMP, PMP) as
well as the mode of the device (cnVision, PMP or PTP mode for ePMP for example).
Device Table
Select the devices to upgrade in the Devices Table. The following parameters are visible in the table:
Devices: The names of available devices in a system. The list is pre-filtered based upon the node selected in the Device Tree.
Network/Tower: The network and the tower on which the device is located.
Status: The status of a particular device in a system. Devices that are Down cannot have images pushed to them.
NOTE:
You can save and download the existing device configuration as template by clicking View Device
Configuration link.
Options
Stop all Configuration on a Critical Error
If one of the configuration updates fails, then do not start any additional updates and instead pause the update job.
All existing, concurrent updates will be allowed to proceed until completion. The administrator will be able to
continue the update where it left off.
Parallel Upgrades
Define how many configuration updates to perform in parallel.
Update Ordering
Allows you to specify update ordering within a sector. Options are SMs first and then AP or AP first and then SMs.
Abort Configuration
The Abort operation skips devices that are waiting for their update to begin. Devices that are already being updated may
continue, but cnMaestro will stop tracking their progress. Aborting a Configuration Job puts the device into a
complete state that cannot be manually restarted by the user. The pending devices will not begin their updates.
2. Devices which are ongoing display as Aborted with a message Manually Aborted with the status
as Aborted.
3. Devices which have not yet started display as skipped with a message job was aborted with the
status as Skipped.
1. Navigate to Manage > Configuration > Device Details in the main menu.
2. Navigate to System > Network in the Device Tree. From the list of available networks, select a network in which
the device belongs.
3. Select ePMP (Sectors) from the following Device Type drop-down list:
a. cnMatrix
b. cnPilot Enterprise (ePMP Hotspot)
c. cnPilot Home (R-Series)
d. cnReach
e. cnVision
f. Enterprise Wi-Fi (E-Series, XV-Series)
g. ePMP (Sectors)
h. Machfu
i. PMP (Sectors)
j. PTP
4. Select the configuration template to upgrade from the Template drop-down list.
5. Select the device(s) to upgrade by clicking the tick icon.
6. Set any variables that are required for selected devices by clicking the gear icon under the "Configure" column
on the right side of the table. The configuration upgrade cannot proceed until all required variables (those
without default parameters) are set. If you attempt to create a configuration job without setting required
variables, the gear icon will turn red for any devices not meeting this requirement.
7. Click Apply Configuration.
NOTE:
You can save and download the existing device configuration as template by clicking View Device
Configuration link.
Configuration Backup
Configuration Backup pulls and stores configuration from Fixed Wireless devices (PMP and ePMP) and cnReach
devices which are currently online.
- System level
- Device level
4. Last backup displays in the Log from Last Execution tab with the date and time.
5. Click Export to export the backup in .json format.
Device Level
1. Navigate to Manage > System > select cnReach/cnVision/PMP/ePMP Network in the Device Tree.
2. Navigate to Configuration > Configuration Backup click Backup Now.
1. Navigate to Manage > Configuration > Device Details in the main menu.
2. Select cnReach/cnVision/PMP/ePMP (Sectors) from the following Device Type drop-down list:
3. In Global cnReach/cnVision/PMP/ePMP Configuration Backup, click Select File in import tab.
- System level
System Level
Perform as follows to restore the configuration backup of the device.
1. Navigate to Manage > select System/Managed Account/Network/Tower > Configuration in the main menu.
2. Select cnReach/cnVision/PMP/ePMP (Sectors) from the following Device Type drop-down list:
3. Enable the Restore from Backup.
4. Select the Device from the list.
5. Click Apply Configuration to devices.
Device Level
1. Navigate to Manage > System > select cnReach/cnVision/PMP/ePMP Network in the Device Tree.
2. Navigate to Configuration > Device Configuration > click Restore from Backup.
3. Click Apply Configuration to devices.
The following table displays the list of parameters in the Jobs tab:
Action: Use the Start or Delete button to manage the upgrade process. After the upgrade has started, the Pause button will stop new upgrades from beginning. If the upgrade process fails or the upgrade has been paused, you can restart the process by clicking the Resume button.
Details: Count of devices and the date and time the upgrade process is initiated.
Stop on Error: Stop the job if any device encounters an error partway through.
Sector Priority: For ePMP/PMP, cnVision Client/Hub, the priority of AP/SM to start.
By selecting the Show More icon, you can view the following parameters:
Configuration Update
Administrators can apply configuration to devices during the onboarding process: prior to approving the device in
the Onboarding queue, the configuration template and variables can be specified. These will then be pushed to the
device during onboarding. For more details on onboarding, see Device Onboarding.
Wi-Fi configuration is handled through AP Groups (Fixed Wireless devices, such as cnMatrix, ePMP and PMP,
use Templates).
1. Enterprise Wi-Fi by Enterprise Wi-Fi (E-Series), Enterprise Wi-Fi (XV-Series) and cnPilot Enterprise (ePMP
hotspot)
Each WLAN or AP Group, prior to creation, is mapped to one of these device categories and can only be used
with supported device types. Two categories are required, because the features available in Enterprise and
Home are different.
Auto Synchronization
AP Groups can automatically synchronize device configuration whenever the AP Group or associated WLANs
are updated. This is done by enabling Auto Sync in the AP Group configuration page.
Manual Synchronization
When a device is mapped to an AP Group without Auto Sync turned on, the device will be placed in an
unsynchronized state until it is manually synchronized. This can be done by navigating to the device
Configuration page and clicking the Sync Now button, or by navigating to the Sync Configuration page
(Administration > Sync Configuration).
NOTE:
The Wireless LAN view supports cnPilot Enterprise devices, so the cnPilot Home device type is not
available.
4. Assign WLANs to the AP Group (you may want to update WLAN SSID and security parameters during this step).
5. Map devices to an AP Group by selecting the AP Group in the device Configuration tab.
AP Groups support all Wi-Fi devices, including: cnPilot R190/200/201, cnPilot E400/E410/E500, and ePMP 1000
Hotspot.
WLAN
WLANs are separated into two types: cnPilot Home (R-Series) and Enterprise Wi-Fi.
Creating WLAN
To create a WLAN
• WLAN
• Scheduled Access
• Security Access
WLAN
In WLAN you can configure the Basic Information, Radio, and Shared Configuration.
1. In Basic Information:
NOTE:
The special characters can be used to create AP Group and WLAN names
(Eg: a-zA-Z0-9_-*&%#@!<>.()[]^~`$). The user can also rename them if required.
b. Enter Name.
c. Enter Description.
Scheduled Access
In Scheduled Access you can configure Scheduled Wi-Fi, Scheduled Reboot, and Scheduled PPPOE.
2. In Scheduled Reboot:
Security Access
In Security Access you can configure Traffic Filtering Rules and Content Filtering Rules.
a. Enable filtering.
a. Enable filtering.
3. Click Save.
• WLAN
• AAA Servers
• Guest Access
• Access Control
• Passpoint
• ePsk
WLAN
In WLAN you can configure the Basic Information, Basic Settings, and Advanced Settings.
NOTE:
Special characters can be used in AP Group and WLAN names (e.g., a-zA-Z0-9_-*&%#@!<>.()[]^~`$). The user can
also rename them if required.
b. Enter Name.
c. Enter Description.
2. In Basic Settings:
a. Enable SSID.
b. Enter SSID of the WLAN.
c. Select the appropriate Mesh from drop-down.
d. Enter VLAN.
e. Select the appropriate Security from drop-down.
f. Select the appropriate Radios from drop-down.
g. Select the appropriate Client Isolation from drop-down.
3. In Advanced Settings:
4. Click Save.
AAA Servers
In AAA Servers you can configure the Authentication Server, Accounting Server, and Advanced Settings.
In Guest Access you can configure the Basic Settings, Advanced Settings, Whitelist, and Captive Portal Bypass User
Agent.
1. In Basic Settings:
2. In Advanced Settings:
3. In Whitelist:
5. Click Save.
Access Control
In Access Control you can configure the ACL, MAC Authentication, DNS ACL, Scheduled Access, and Usage Limits.
a. Select Policy.
b. Click Add New.
MAC Authentication appears.
Passpoint
In Passpoint you can configure Basic Settings, Roaming Consortium, and ANQP (Access Network Query Protocol).
To add ePSK:
5. In Bulk Mode, Count and User Name Prefix are mandatory fields.
6. Enter the Count and User Name Prefix.
Import ePSK
3. When you click Download Sample File, a sample ePSK Excel sheet is displayed.
Export ePSK
3. When you click Download Sample File, a sample ePSK Excel sheet is displayed.
Delete ePSK
NOTE:
• You can select ePSK entries as a group or individually and delete them.
• The ePSK feature is supported in cnPilot from System Release 3.11.1 onwards.
Create an AP Group
To create an AP Group,
• Basic
• Management
• Radio
• Network
• Security
• Services
• User-Defined Overrides
NOTE:
• Special characters can be used in the AP Group and WLAN Password (e.g., a-zA-Z_-*&%#@!<>.()[]^~`$1234567890).
The user can also rename them if required.
• By default, no password is configured. The user has to configure the password for AP Groups.
Basic
In the Basic page, user needs to configure the following details such as:
Management
Management allows the user to add the Administrator Access.
Configuring Radio
Radio page allows the user to enable or disable the software defined radio operations.
1. Navigate to Configuration > AP Groups and WLANs > AP Group tab > click New.
2. Select Radio.
3. In the status tab Enable the radio.
4. Select the Auto value in the Channel drop-down.
NOTE:
Only Auto value is allowed. Configure static channel under the Advanced Settings section available on the
Access Point level configuration page.
NOTE:
A maximum of 16 WLAN policies is supported for E-Series and XV-Series devices, 8 WLAN policies for
ePMP 1000 Hotspot, and only one WLAN for a cnPilot Home AP Group.
3. Click Save.
When a configuration change is made on the device via its UI or CLI, cnMaestro detects the change as "Device's
configuration changed outside of cnMaestro" and the device is marked as Not In Sync. In this scenario, an Auto-Sync
job is triggered automatically by cnMaestro to revert the changes.
The Auto-Sync job can be viewed in Administration > Jobs > Configuration Update page.
Retry Configure
When the user tries to apply an AP Group on a device and the job is skipped because the device was offline,
the reason for the skip is displayed as "Device was offline" in the Jobs page. In this case, when the device comes
up and connects to cnMaestro, cnMaestro creates an Auto-Sync job for that device and pushes the AP
Group. (It will not apply the AP Group if Auto-Sync was disabled in the AP Group.)
The default password (admin) of cnPilot R-Series devices should be changed before upgrading to build 4.6-RX.
After the upgrade to build 4.6-RX, the default password (admin) becomes invalid and the password needs to be
reset through the WAN.
NOTE:
The default user name (admin) can still be used after the upgrade.
IPv6 Support
IPv6 enables the next generation of large-scale IP networks by supporting addresses that are 128 bits long.
NOTE:
• In the current release, IPv6 functionality is supported only for cnPilot Enterprise devices.
• IPv6 functionality is supported on cnPilot from system release 4.0.
Configuring IPv6
To configure IPv6 feature:
By default the priority of IPv6 gateway precedence will be Static and then Auto-config/DHCPv6.
Services
In Services, the user can configure LDAP, NAT Logging, DHCP Option 82, Speed Test, Wi-Fi API, Bluetooth API,
Stanley-AeroScout, and Bonjour.
Stanley-AeroScout
Stanley-AeroScout delivers accurate and reliable location data for assets and customers with the STANLEY
Healthcare Wi-Fi tags. It is an integral component of STANLEY Healthcare's Stanley-AeroScout RTLS solutions.
Stanley-AeroScout determines a location using signal strength measurements (RSSI), which are collected by the
Cambium Wi-Fi Access Points. These Wi-Fi Access Points can simultaneously serve location sensors and provide
network access. Stanley-AeroScout utilizes a location engine to determine the position of Wi-Fi tags.
1. Navigate to Shared Settings > AP Groups and WLANs page > WLAN or AP Group tab (according to the choice).
2. Click Export.
NOTE:
• The AP Groups and WLANs should be exported separately, as the associated WLANs are not
exported while exporting an AP Group.
• The AP Groups and WLANs will be exported with proper name and time stamp.
1. Navigate to Shared Settings > AP Groups and WLANs page > WLAN or AP Group tab (according to the choice).
2. Click Import WLAN.
NOTE:
• To import an AP Group, ensure that all the associated WLANs in that AP Group are already
imported. If a WLAN associated with the AP Group is unavailable, an error message will be
displayed during AP Group import.
• If no name is provided for the WLAN or AP Group while importing, it automatically takes the name of the
file that is being imported.
• If the name provided for the AP Group/WLAN while importing matches an existing
WLAN or AP Group in the system, the error "The specified policy name already exists" will be
displayed.
• Importing R-series WLANs and AP Groups is not allowed in Wi-Fi mode.
You can then choose/change different values from AP Group to be overridden. The icon to the left of a field must
be selected first to override that parameter. After specifying override parameters, select Apply Configuration on
the bottom right to save your changes to the server and create a job to push the new values to the device. This
option is also applicable for Onboarding process queue.
By default, Enterprise Wi-Fi devices will have Auto-set from device enabled. This option reads several network
related configuration fields from the device and uses those as override values to prevent overwriting values that
would disconnect the device.
User-Defined Overrides
User-Defined Overrides can be entered at the end of an AP Group configuration. They will be merged into or
appended to the AP Group before the configuration is applied to the device. This allows setting configuration
parameters that are not supported by the GUI; it is considered an advanced operation that should rarely be
used. The format of the commands is the same as with the device CLI.
For example, if a new version of the software had a feature unsupported in cnMaestro, it could be pushed to the
device using CLI commands through the User-Defined Override mechanism.
This can be explained with the following example, in which country-code and hostname are appended to the end of
the configuration, and will override any settings in the UI:
hostname Wi-Fi_Device
User-Defined Variables
Override configuration also supports a programmatic concept called user-defined variables (which are also used
with Fixed Wireless templates). User-Defined Variables can be embedded into the User-Defined Override text area.
They require a value to be set for each device mapped to the AP Group before the configuration can be applied.
This is either through a default value, or an explicit setting in the device configuration.
The syntax for user-defined variables is shown in the following example: the VariableName maps to an identifier set
by each Device. If the value is not set, the optional DefaultValue will be used.
Parametername ${VariableName=DefaultValue}
NOTE:
You can also configure the user-defined variables in the Onboarding process queue page. They are
mapped individually to each device.
Other Examples
Enterprise Wi-Fi (E-Series and XV-Series) and cnPilot Enterprise (ePMP hotspot)
Parametername ${variableName=someDefaultValue}
Example
CountryCode=${countryName=IE}
RTDEV_CountryCode=${5GHz_CountryName=IE}
wan_ipaddr=${wan_ip=10.110.68.10}
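The variable syntax described above, worked through as an added Python example (this is not cnMaestro's own code): it lists the variables in an override text, renders the text per device, and reports which devices are blocked because a variable has neither a device value nor a default. The variable-name character set, the device names, the `deviceName` variable and the single-line check on values are assumptions of this example.

```python
import re

# Matches ${Name} and ${Name=Default}. The allowed name characters are an
# assumption based on the page's samples (e.g. 5GHz_CountryName).
VAR_RE = re.compile(r"\$\{([A-Za-z0-9_]+)(?:=([^}]*))?\}")


class OverrideError(ValueError):
    """Raised when an override cannot be rendered for a device."""


def find_variables(override_text):
    """Return {variable name: default or None} for every variable in the text."""
    found = {}
    for match in VAR_RE.finditer(override_text):
        name, default = match.group(1), match.group(2)
        previous = found.get(name)
        if previous is not None and default is not None and previous != default:
            raise OverrideError(f"variable {name!r} has conflicting defaults")
        found[name] = previous if default is None else default
    return found


def check_value(name, value):
    """Precaution added by this example: a per-device value is substituted
    into CLI text, so it must stay on one line and must not itself contain
    variable syntax."""
    if "\n" in value or "\r" in value or "${" in value:
        raise OverrideError(f"value for {name!r} is not a single plain line")
    return value


def render(override_text, device_values):
    """Substitute device values, falling back to each variable's default."""
    missing = []

    def substitute(match):
        name, default = match.group(1), match.group(2)
        if name in device_values:
            return check_value(name, str(device_values[name]))
        if default is not None:
            return default
        missing.append(name)
        return match.group(0)

    rendered = VAR_RE.sub(substitute, override_text)
    if missing:
        names = ", ".join(sorted(set(missing)))
        raise OverrideError(f"no value or default for: {names}")
    return rendered


def plan_group(override_text, devices):
    """Return (ready, blocked): rendered text per device that can be
    configured, and the reason for each device that cannot."""
    ready, blocked = {}, {}
    for device, values in devices.items():
        try:
            ready[device] = render(override_text, values)
        except OverrideError as exc:
            blocked[device] = str(exc)
    return ready, blocked


# Constructed sample: override text in device-CLI style with two variables.
SAMPLE_OVERRIDE = "hostname ${deviceName}\ncountry-code ${countryName=IE}\n"

# Constructed per-device values (hypothetical device names).
SAMPLE_DEVICES = {
    "ap-lobby": {"deviceName": "Wi-Fi_Device"},
    "ap-cafe": {"deviceName": "Cafe_AP", "countryName": "US"},
    "ap-store": {"countryName": "US"},              # deviceName never set
    "ap-lab": {"deviceName": "Lab_AP\nextra line"},  # value spans two lines
}

if __name__ == "__main__":
    ready, blocked = plan_group(SAMPLE_OVERRIDE, SAMPLE_DEVICES)
    for device, text in ready.items():
        print(f"[ready] {device}:\n{text}")
    for device, reason in blocked.items():
        print(f"[blocked] {device}: {reason}")
```
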
Macros can be used in Advanced Configuration similar to User-Defined Overrides except they automatically take
values provided by the device itself.
1. Enterprise Wi-Fi AP Groups by default synchronize automatically (so any change of AP Group or WLAN,
followed by a Save, will immediately push configuration to the devices without manual intervention).
2. cnPilot Home AP Groups by default synchronize manually. Updates to them (or the WLANs to which they map)
need manual synchronization to push configuration to the devices.
Manual Synchronization
Manual configuration synchronization allows the user to synchronize any devices with a single action rather than
updating each device separately. Navigate to Administration > Sync Configuration.
Sync Configuration only displays devices currently out-of-sync with a mapped AP Group.
NOTE:
Sync configuration can only be used if an AP Group is already mapped to the device.
Software update jobs can be scheduled in parallel, irrespective of other running jobs, because the PRO
account supports Parallel Jobs. If the same device is used for a config and a software job at the same time, only
one operation is performed, as the job locks the device until it finishes.
Factory Reset
A factory reset erases all the data on the device. Factory reset is supported for two device models: Enterprise Wi-Fi
with a version greater than 3.10-R6 and cnMatrix with a version greater than 4.0.
The following window pops-up if you click Yes, Factory reset option.
If the user does Factory Reset on an offline device it displays error as shown below:
Association ACL
This section describes how cnMaestro replies to AP's request to allow or disallow client associations. This feature
allows you to configure MAC association list on the controller.
Overview
When a client requests to get connected to an AP,
1. The AP sends MAC authentication request along with the MAC Address of client and the Customer ID (CID) to the
Controller. This is optional and occurs only if MAC ACL is configured for the WLAN on the AP and the policy for the
MAC ACL is cnMaestro.
2. Controller checks and responds with an action to allow or deny the request.
3. AP allows or denies the client’s request based on the response of the Controller.
4. Once the MAC is successfully configured, a pop-up Association ACL default action is saved successfully is
displayed and lists the configured MAC in Shared Settings > Association ACL tab.
The Association ACL is shared among all Enterprise WLANs, but it must be explicitly mapped to each Enterprise
Wireless LAN that uses it (at Access Control > MAC Authentication).
cnMatrix Switches
cnMatrix switches simplify the network deployment and operation. cnMaestro provides management, configuration
and control, and security services for cnMatrix with deployment options such as policy-based automation (PBA) to
streamline core operations and improve network security. Central to cnMaestro's orchestration of cnMatrix devices
is the concept of Switch Groups.
• Configuration changes are synchronized and applied for all the switches in a Switch Group.
• A subset of configuration attributes can be overruled for an individual switch.
• Switch ports across all physical switches are associated with a Switch Group and can be simultaneously bulk
edited.
From the Switch Groups tab, the administrator can navigate to the Switches and the Switch Ports tabs for
configuration. The Dashboard tab is used to monitor the health condition of the virtual stack.
NOTE:
To edit the configuration of an existing Switch Group, click the Edit icon, which navigates to the Configuration page.
Basic
The Basic tab provides options to the user to configure the device name as well as other standard values used to
identify a switch.
Note:
Special characters can be used in the names of Switch Groups (e.g., a-zA-Z_-*&%#@!<>.()[]^~`$1234567890).
3. Click Save.
Management
1. Navigate to Management page.
3. Click Add New to add Administrator Access, enter the details and click Add.
5. Click Save.
Note:
From release 3.0.4, cnMatrix Switches support MSTP Mode and Path Cost Method in Spanning Tree.
1. Navigate to Network, enter the details of VLANs, Policy Based Automation, IP route, and Spanning Tree.
5. Click Save.
Security
In Security page user can configure RADIUS and Access Control List (ACL) details.
To configure Security:
6. Click Save.
User-Defined Overrides
NOTE:
The minimum device software version required for this feature is 4.0.
User-Defined Overrides allows you to apply configuration in cnMatrix switches. If there are conflicts, the below
settings will take precedence. The format used is the same as a configuration file exported from the device via its
web UI or the "View Device Configuration" link in the device level configuration page.
3. When you click Download Sample File, a sample Excel sheet is displayed.
4. Click Import.
NOTE:
The config update (auto-sync) happens only when the "Auto-Sync" option is enabled in the
Switch Groups page. If the device was skipped or failed for any reason other than
"Device was offline", the device will not be updated.
Manual Synchronization
Manual configuration synchronization allows the user to synchronize any devices with a single action rather than
updating each device separately. The page is located at Administration > Sync Configuration.
• Device (Hostname)
• Type
• Status (Online/Offline)
• Network (Network in which device is present)
• Site (Site under which device is present)
• AP Group/Switch Group (AP Group/Switch Group to which device is mapped)
• Sync Status (indicates whether the job is completed or failed)
2. Automatically it navigates to Administration > Sync Configuration and select devices to synchronize.
NOTE:
Dynamic PBA updates are indicated by asterisk * on the Switch Dashboard and on the Switch Ports
pages.
1. Navigate to Switch Groups > Configuration > Network > Policy Based Automation.
2. Navigate to Rules tab.
4. Click Add.
5. Navigate to Actions tab.
7. Click Add.
8. Navigate to Policies.
In the cnMatrix dashboard page, the user can navigate to the following pages using the Action drop-down menu in Port Status:
• Port Configuration
• Port Statistics
• Topology
• Remote CLI
Switches
The Switches page, accessed by selecting the Switch Groups > Switches tab, lists all of the physical switches
assigned to the Switch Group. The switch dashboard and switch override configuration settings are accessible
through this page.
Switch overrides allow certain attributes for each switch to be configured individually.
NOTE:
For configuration, a switch must belong to a Switch Group.
• Navigate to Switch Groups > select the switch from the list and click Switches page to view and edit the
onboarded switches.
• Device, Health, Onboarding Status, Serial Number, IP Address, Switch Group, Type, Site and Action tab.
User can click on top bar to include additional fields in Switches Detail view.
Action
Action column can be used to edit or delete any device of the Switches.
Switch Configuration
To edit or configure the switches, click the Edit or Configuration from the Action drop-down.
Device Configuration
Device Configuration allows the customer to configure the Configuration Method as Switch Group.
Enable the Switch Group and select a device from the Switch Group drop-down.
Vlan Interface
VLAN Interface allows the user to edit/Add the VLAN details such as Vlan ID, IGMP Snooping, IGMP Querier, Querier
IP Address, DHCP Client, IP Address, and Subnet Mask.
1. Click Advanced Settings in the Configuration page and navigate to the Vlan Interface tab.
Certain configurations are different for each Switch, and these are highlighted within cnMaestro as overrides.
NOTE:
If Spanning Tree is disabled the overrides feature will be disabled on the Switch configuration.
IP Routes
The default gateway IP will override all IPs of the Switch Groups.
Switch Ports
Switch Ports tab displays the list of the Ports and the port channel assigned to the specific switch.
The Switch Ports tab allows administrators to configure the port settings by port ID for all ports within the
switch group. By default, a port ID identifies the switch (by switch name) and port number, for example,
EX2028P-EC9541: 1.
It supports bulk editing of switch port settings across all physical switches.
To view the Switch Ports, navigate to Shared Settings > Switch Groups > Switch Ports.
Ports
cnMaestro Switch Ports Configuration tab allows the user to configure the following parameters:
• General
• Physical
• Network
• Security
• Port, Tags, Description, Interface, Administrative State, Operational State, PoE Capable, and Edit.
User can click on top bar to include additional fields in Ports General Detail view.
1. Click Edit icon or Port device in the list to edit the Ports Configuration General tab details.
2. Navigates to Switch Groups > Switches > Port Configuration.
Physical Tab
The Ports Physical details view displays following fields by default:
• Port, Tags, Operational State, PoE State, PoE Priority, Speed, Duplex, MTU, and Edit.
User can click on top bar to include additional fields in Ports Physical Detail view.
Network Tab
The Ports Network details view displays following fields by default:
• Port, Tags, Type, VLANs, Native VLAN, Channel ID, PBA Policy, PBA State, STP State, STP Priority, and Edit.
1. Click Edit icon or Port device in the list to edit the Ports Configuration Network tab details.
Security Tab
The Ports Security details view displays following fields by default:
• Port, Tags, QoS Trust, User Priority, Dot1x port-control, Protected Port, DHCP Snooping Trust, ACL Name,
and Edit.
User can click on top bar to include additional fields in Ports Network Detail view.
2. Enter 802.1x Port Control, DHCP Snooping Trusted State, QoS, Protected Port, and Access Control List details.
3. Click Save.
Port Channel
1. To create a Port Channel, select a Port from the list under the specific parameters and click Create Port Channel.
2. Create Port Channel window pops-up, enter details.
3. Click Create.
• Channel ID, Switch, Tags, Description, VLANs, Native VLAN, Type, Administrative State, Mode, Ports, STP State,
and STP Priority.
User can click on top bar to include additional fields in Port Channel Detail view.
Statistics
The Statistics page displays the latest data and statistics of each Port. Port statistics match the Client statistics and
generate the Client View.
To view the Switch Ports Statistics, navigate to Shared Settings > Switch Groups > Switch Ports > Statistics.
User can click on top bar to include additional fields in Statistics Detail view.
Details Overview
To view the details of the overview page, navigate to the Details > Overview tab.
Port Statistics
To view the details of the Port Statistics page, navigate to the Details > Port Statistics tab.
60 GHz cnWave operates with Cambium Networks cnMaestro management system. cnMaestro simplifies device
management by offering full network visibility and zero-touch provisioning. Using cnMaestro, user can view
network status and perform a full suite of wireless network management functions in real time including optimizing
system availability, maximizing throughput, and meeting the emerging needs of business and residential customers.
• Dashboard
• Notifications
• Configuration
• Links
• Statistics
• Software Update
• Reports
• Map
• Tools
Dashboard
Dashboard pages are customized for each device type and aggregation level (such as E2E Network, Node, and
Site). The dashboard section displays the Nodes, Links, Wireless Throughput of PoP(s), Wired Throughput of PoP(s),
Alarms, E2E Controller Details, Top Alarms, Map, Top Links by MCS, Top Links by RSSI, Top Links by SNR, Top
Node(s), Top PoP(s), Top DN(s), and Top CN(s).
255 | 60 GHz cnWave Network Configuration Cambium cnMaestro On-Premises | User Guide
Auto Manage IPv6 Routes (E2E Controller ↔ Node)
The E2E Controller Network dashboard page displays the Auto Manage IPv6 Routes (E2E Controller ↔ Node) tab, if
you enable Auto Manage Routes in the Tools > Settings page of External E2E Network.
This feature automates IPv6 routes for DNs and CNs based on status of the topology and PoP nodes. It is applicable
only if PoP nodes and E2E Controller are in the same Network or containing the same prefix length.
E2E Controller Details
E2E Controller Details displays the details such as Version, Management Address, IPv6 Address, IPv6 Gateway,
Sites, Deployment, Layer 2 Bridge, Country, Prefix Allocation, Topology Sync, and System Clock.
• If Onboard E2E controller is enabled in the device and managed by cnMaestro, it displays deployment as Running
Onboard.
Dashboard Maps
In the dashboard map, when user selects the particular PoP, DN or CN it pops-up the Node details.
• Dotted line displays the Backup CN link between the DN and CN.
• Continuous line displays the link between the wireless network.
• Continuous line with Wired tag displays the link between the wired network.
To navigate to the Maps page, click the Map view.
Notifications
Notifications are the same as shown above for other devices; refer to Notification for more details.
Configuration
Configure the following after onboarding the 60 GHz cnWave E2E controller:
• Basic
• Management
• Security
• Advanced
• E2E Controller
NOTE:
Once the user selects Auto-assign IPv6 Addresses while configuring the E2E Controller and PoP node,
the same IPv6 is used during the prefix allocation.
Basic Configuration
1. Navigate to Configuration > Basic to configure basic settings of E2E Controller.
NOTE:
Prefix allocation automatically gets updated, when E2E Controller is managed by cnMaestro.
2. In the Prefix Allocation, select Centralized or Deterministic to allocate the IP for the nodes.
4. Enabling Layer 2 Bridge is optional.
Enabling this option will enable Layer 2 network bridging (via automatically created tunnels) connected across
all nodes and facilitates bridging of IPv4 traffic across the wireless networks. It also enables the configuration of
VLAN Management and Ports on all PoP, DN, and CN Nodes.
If Layer 2 Bridge is enabled configure as shown below:
• Select the Tunnel Concentrator as Best PoP or Static.
NOTE:
IPv6 Layer3 CPE Address can be enabled when the E2E Controller is running version 1.1 and Layer 2
Bridge is disabled.
NOTE:
• By default, Country is Other; the user can configure it.
• By default, Enabled Radio Channels is 2; the user can configure the channel if
required.
• Enter the Hostnames or IP address of the NTP server.
NOTE:
By default Wireless Scans will be disabled.
11. In Wireless Scans enable the Scheduled Beam Adjustment and configure Scan Interval as required.
Management
Management configuration allows the user to configure and manage the credentials of the administrator and to
enable SNMP.
1. Navigate to Configuration > Management to set the Device GUI Passwords and to enable the SNMP.
2. Click Save.
Security
The Security page allows the user to enable the wireless security PSK or 802.1x. Disabling this option leaves the devices unsecured.
To Enable PSK:
3. Enter the Passphrase.
NOTE:
If the passphrase is left blank, the default PSK key will be used.
4. Click Save.
To Enable 802.1x
Advanced
Advanced tab allows the advanced user to edit the settings of the Table and JSON format of the E2E Controller.
Table
In the Table, the advanced user can view, add, and edit Field Name and Value.
To add a field:
4. Click Save.
JSON
JSON allows the advanced user to view and edit the JSON format.
To view or edit the JSON file:
NOTE:
Enabling the Device Logs is supported only for External E2E Controller devices, and it allows the Support
team to view the logs.
E2E Controller
E2E Controller allows the advanced user to set the Table and download the JSON file.
Table
In E2E Controller Table user can view, edit and add Field Name and Value.
To Add Field:
2. Click Add New.
4. Click Save.
JSON
Links
NOTE:
Backup CN Link option gets enabled when E2E controller is running on Version 1.1.
Links provide the details about the link established between the nodes and also provides the option to create a new
wireless, wired and CN backup link.
• List
• Statistics
• Events
List
To add a link:
1. Navigate to the E2E Network tree menu click icon and click Add Link from the drop-down or navigate to
Network > Links > List > Add New.
2. Add Link window pops-up.
3. Select Link Type Wireless or Wired.
Figure 94 Wireless
Figure 95 Wired
NOTE:
In Wired Link Type, Sector will be disabled.
5. Select the Sector of the node from the drop-down in A-Node Sector.
6. Select the Node from the drop-down in Z-Node.
7. Select the Sector of the node from the drop-down in Z-Node Sector.
8. Enable the Backup CN Link.
  ▪ If the link between PoP or DN and CN gets disconnected, this Backup CN link provides the backup
  connectivity from DN or PoP to the particular CN.
9. Click Save.
10. Once the link is successful it displays the Alive status as yes.
• Send Assoc
• Send Dissoc
• Enable Ignition
• Disable Ignition
Delete Links
In the Links tab, you can delete an individual link by clicking the delete icon, or delete multiple links by
selecting the links and clicking delete.
3. Click Delete.
Import Links
In Links tab you can import the E2E Controller Network Links.
Export Links
In Links tab you can export the E2E Controller Network Links.
2. It exports .csv file format as shown below.
Statistics
Links Statistics pages provides details of Name, Direction, A-Node Sector MAC, Z-Node Sector MAC, Alive, Link
Time, RSSI, Tx Power Index, A-node, Z-node, Type, Distance, Azimuth, Rx MCS, Tx MCS, Rx PER, Tx PER, Rx SNR, Rx
Beam Index, Tx Beam Index, EIRP, Rx Errors, Tx Errors, Rx Frames, Tx Frames on a single link of the node, generally
in a page format.
Export Statistics
Events
Events provides the details of links availability and health from last 1 hour to 7 Days Distance.
It also calculates the Availability percentage per link, including the duration when E2E Controller was offline in
cnMaestro.
Statistics
E2E Controller Statistics provides the following details:
• Nodes
• BGP
Nodes Statistics
Nodes provide a tabular aggregation of data, including General information on the nodes monitored, as well as
Wireless, Network, and Traffic metrics. Node Statistics pages provide information of Device, IPv6 Address, Mode,
Model, Status, Status Time, Site, Radio channel, Main Aux SFP, PoP Node, Software Version, Serial Number, Sync
Mode, Zone, Fix Type, Satellites Tracked, Latitude, Longitude, and Height on a single device, generally in a page
format.
Figure 97 Nodes Statistics
BGP
NOTE:
BGP statistics displays only if BGP option is enabled in Routing in PoP configuration.
BGP provides the details of Advertised Routes, Received Routes, and Details of IPv6 Address.
Figure 98 BGP
Reports
Reports page provides details on how to schedule and generate different types of data reports such as Devices,
Active Alarms, Alarm History and Events. For further details refer to Reports.
Software Update
Allows the user to update with the latest device software.
• Enter Download Retry Limit.
• Enter Download Timeout.
• Select the Download Protocol as HTTPS or Torrent.
NOTE:
If the E2E Controller version is 1.2 or above, the HTTPS or Torrent options will be available.
NOTE:
Onboard E2E controller will support only one synced image. If user needs to sync another image,
select the image from Versions drop down and click Sync Image.
1. Navigate to the Administration > Jobs > Software Update.
Map
Maps provide a visualization for nodes like Site, PoP, DN, and CN. They display link connectivity between nodes. An
example map is presented below:
The user can perform the following actions in the Map tab:
• Click the Node or Link displayed on the map to view the details section (right side).
• Click the dashboard icon in the Details section, which directs to the respective Dashboard page.
Map View
When the user enables Show Name, the names of the Nodes will be displayed as shown below:
When the user enables Show Sectors, the names of the Nodes will be displayed as shown below:
When the user enables Show PrefixZones, the names of the Nodes will be displayed as shown below:
NOTE:
Show Prefix Zones gets enabled only if Prefix Allocation is set to Deterministic.
Tools
The Tools page allows the user to perform the following actions:
• Operations
• Diagnostics
• Debug
• Remote Command
• Services
• Settings
Operations
If the nodes are deployed through an External E2E Controller, the Operations page is displayed as follows:
If the nodes are running an Onboard E2E Controller, the Operations page is displayed as follows:
Diagnostics
The Diagnostics page allows the user to gather a Technical Support Dump, which can be downloaded and sent to the Cambium
support team.
All event information for the E2E Controller can be viewed under E2E Events. In the E2E Events tab, the user can view the
Event ID, Time, Device, Level, Source, and Reason of the E2E Network.
Figure 99 Diagnostics
Debug
In the Debug tab, the user can view or download the Node logs by executing the following log commands:
• bridging
• pop_config
• e2e_minion
• openr
• exabgp
• Click the download icon to download the generated output.
Remote Command
In the Remote Command tab, the user can view or download Command logs by executing the following commands:
• Show Interfaces
• Show Routes
• Show OpenR Adjacencies
• Show OpenR Prefixes
• Click the download icon to download the generated output.
Services
In the Services page, the user can view the services running in the E2E Controller.
Settings
NOTE:
E2E Settings are not applicable for Onboard E2E Controller deployment.
In the External E2E Controller Settings page, you can configure the Network Configuration, Remote SSH Management,
and NTP Server.
Remote SSH Management allows the user to Enable and Disable Remote SSH Management.
In Network Configuration, the user can configure the IPv6 Interface E2E Controller and IPv6 Routes.
NOTE:
Auto Manage Routes is supported only for the cnMaestro X feature.
The user can also enable Auto Manage Routes. This automates IPv6 Routes to DNs and CNs based on the topology
and PoP node status. It is applicable only if the PoP nodes and E2E Controller are in the same Network/Prefix length.
3. Click Save.
4. The Please Wait window pops up.
If IPv6 routes are managed through Auto Manage Routes, the Type is displayed as Auto.
If the cnMaestro X account is downgraded to Essential, or if Auto Manage Routes is disabled, the user can retain the
auto-managed IPv6 routes.
Once Auto Manage Routes is disabled, IPv6 routes can be managed through static routes, and the Type is displayed
as Static.
5. Enter the IPv6 Interface.
6. Click Save.
The user can configure the NTP Settings to set the time configuration of the server using a hostname or IP
address.
Site Configuration
Sites are located within networks and have wireless access points attached to them.
To Add a Site
5. Click Save. Once the Site is configured, it is added under the E2E Network.
1. Navigate to Network > Site > Configuration.
2. Edit the details and click Save.
Site Dashboard
Dashboard pages are customized for each device type and aggregation level. The Site dashboard section displays
the Nodes, Links, Wireless Throughput, Wired Throughput, Alarms, Top Alarms, Top Links by MCS, Top Links by
RSSI, Top Links by SNR, Top Node(s), Top PoP(s), Top DN(s), and Top CN(s).
Node Configuration
A Node can be configured through the Site menu option by clicking the icon in the Site Network tree menu, or through
Network > Site > Nodes by clicking Add.
To Add a Node:
2. The Add Node window pops up once the user clicks Add new.
Adding the Node allows the user to create the different Nodes as shown below:
• PoP Node
• DN
• CN
3. The Add Node window pops up.
NOTE:
Once the PoP Node is enabled, the user needs to select the Routing and Interface details.
6. Enter the MAC Address and select the device Model from the drop-down.
7. Enter the Azimuth and Elevation.
8. In the PoP Configuration select BGP or Static Routing.
9. In Interface select Aux or Main or SFP or Disabled.
10. Enter the IPv6 and Gateway Addresses.
11. In IPv4 Management, enter the IPv4 Address, Subnet Mask and Gateway Address.
12. Click Save.
NOTE:
Once the PoP Node is configured, the PoP(s) Onboarding Config.json file is downloaded
automatically. It can be imported in the PoP Node UI to configure the node.
Once the PoP node is configured, it is listed under the Site.
DN/CN Node configuration
To add DN/CN node:
4. Enter the Node Name, select the Mode DN or CN.
5. Enter the MAC Address and select the device Model from the drop-down.
6. Enter the Azimuth and Elevation.
7. In IPv4 Management enter the IPv4 Address, Subnet Mask and Gateway Address.
8. Click Save.
9. Once the DN/CN node is configured, it gets listed under the Site.
Replace Node
Replace Node allows the user to replace existing faulty nodes with new nodes, along with the configuration and links of
the existing faulty nodes.
NOTE:
The new node should be the same model as the existing node.
To replace Node:
2. Click the icon and select Replace Node from the drop-down.
3. The Replace MAC window pops up.
PoP Node
Once the PoP node is configured, it displays the monitoring panel of the PoP node.
Dashboard
Dashboard pages can be customized for each device type and aggregation level. The PoP node dashboard section
displays the Status, Links, Channels, Throughput (sector1), Throughput (sector2), Throughput (Main), Throughput
(AUX), Throughput (SFP), Alarms, Top Alarms, Links MCS, Links DN, Links PoP, Device Info, Sectors, and Ethernet.
NOTE:
• Throughput (sector1) for V3000 and V1000.
• Throughput (sector1 and sector2) for V5000.
• Throughput graph with Main for V1000.
• Other throughput graph with Main, Aux, SFP for V5000 and V3000.
Configuration
Basic
In the Basic page, you can view and edit the details of the PoP node such as Name, Description, MAC Address,
Azimuth, and Elevation.
Figure 103 Basic
Radio
It allows the user to configure the EIRP, Adaptive Modulation, Sectors (channels, Polarity and Link(s) Golay), and
GPS.
Network
The Network tab allows the user to configure the PoP Configuration, E2E Controller Configuration, BGP Configuration, IPv6 Layer
3 CPE, IPv4 Management, OOB, Other Settings (Multi-PoP or Relay Port, Enable Aux port power), and Ethernet
Ports.
5. In IPv6 Layer 3 CPE
• Select IPv6 CPE interface as Aux, Main, or SFP.
• Enter IPv6 CPE Prefix.
6. In IPv4 Management:
• Disable Broadcast: Broadcast packets (except DHCP Offer and DHCP Ack) in the downlink direction,
including client-to-client packets, will be dropped.
• Disable Unknown Unicast Flood
• Disable IPv6
• Monitor PoP Interface: Layer 2 tunnels will fail over to the next best PoP when the backhaul interface of
this PoP is down.
NOTE:
The configuration is applicable only when static routing is used and IPv4 gateway is configured.
9. In Other Settings.
10. In OOB Interface enable the appropriate option Main or Aux or SFP.
NOTE:
Once the configuration is updated successfully in cnMaestro, the same parameters need to be
entered in the PoP Node GUI.
VLAN
NOTE:
From Software Update Version 1.1, all nodes support configuration of the VLAN Management
and Ports.
A Virtual Local Area Network (VLAN) is a broadcast domain in a Layer 2 network. A broadcast domain is the set of
all devices that will receive broadcast frames originating from any device within the set. Traffic will be tagged
when transported over wireless.
NOTE:
Only the PoP node Management VLAN can be configured if Layer 2 Bridge is not enabled in the E2E
Network > Configuration > Basic page.
• When Layer 2 Bridge is disabled, only the PoP node Management VLAN ID can be configured.
• When Layer 2 Bridge is enabled, the Management VLAN ID of all nodes can be configured.
• When Layer 2 Bridge is disabled, only the PoP node Management VLAN ID and Priority with Outer Tag can
be configured.
• When Layer 2 Bridge is enabled, the management VLAN and ports of all nodes can be configured.
5. Enter S-VLAN ID.
6. Enter S-VLAN Priority.
7. Enter QinQ EtherType.
8. Click Save.
If Layer 2 Bridge is enabled in the 60 GHz cnWave Network > Configuration > Basic page, the user can configure the
Management VLAN and Ports of the PoP node, DN, and CN.
NOTE:
VLAN settings are not applicable if Relay Port, SFP Port, or Aux Port is enabled on Network page.
To add a VLAN:
3. Enter the VLAN ID and VLAN Priority.
4. Enable Add Outer Tag.
5. Enter S-VLAN ID.
6. Enter S-VLAN Priority.
7. Enter QinQ EtherType.
NOTE:
VLAN settings configuration of Main Port, SFP Port, or Aux Port is similar.
      • Enter Ingress VLAN and Remark VLAN.
      • Click Save.
   ▪ Click Save.
b. If the user selects QinQ type, perform as follows:
   ▪ In Untagged Packets select Allow or Drop.
   ▪ In Single Tagged Packets select Allow or Drop.
   ▪ Enter Native C-VLAN ID.
   ▪ Enter Native C-VLAN Priority.
   ▪ Enter Native S-VLAN ID.
   ▪ Enter Native S-VLAN Priority.
   ▪ Enter Allowed VLANs.
   ▪ Enter QinQ EtherType.
   ▪ To add new VLAN Remarking:
      • Enter Ingress VLAN and Remark VLAN.
      • Click Save.
   ▪ Click Save.
Security
The Security tab allows the user to reset the identity and password of the RADIUS user.
Figure 106 Security
Advanced
The Advanced tab allows the advanced user to edit the settings of the PoP Nodes in Table and JSON format.
Table
In the Table, the user can view and edit Field Name and Value.
To add a field:
4. Click Save.
JSON
To download the file:
4. Click Download.
Links
Links provides the details about the links between nodes and their status, and also provides the option to create a new link.
The user can delete the links in bulk by selecting the particular devices.
List
List provides the details about the links of the node and also provides the option to create a new link. The user can delete
the links in bulk by selecting the particular links.
NOTE:
Once the PoP node is configured successfully, the user needs to create a Site and DN to link the PoP, as
shown in the DN/CN Node link.
Export list allows the user to export the PoP links list.
Statistics
The Links Statistics page provides details of Name, Direction, A-Node Sector MAC, Z-Node Sector MAC, Alive, Link
Time, RSSI, Tx Power Index, A-node, Z-node, Type, Distance, Azimuth, Rx MCS, Tx MCS, Rx PER, Tx PER, Rx SNR, Rx
Beam Index, Tx Beam Index, EIRP, Rx Errors, Tx Errors, Rx Frames, Tx Frames on a single device, generally in a page
format.
Export Statistics
Export list allows the user to export the PoP links Statistics.
2. It exports a .csv file as shown below.
Events
Events provides the details of the links from last 1 hour to 7 Days Distance.
It also calculates the Availability percentage per link, including the duration when E2E Controller was offline in
cnMaestro.
Details
Details page provides the following device information:
• Overview
• Network
Overview
The Overview page provides the device details and the history of the last 3 software updates.
Figure 109 Details Overview Page
Network
Network page provides the Ethernet details of Main, Aux, and SFP.
Tools
In the Tools page, the user can view the Status, Debug, and Remote Command of the device.
Status
In the Status tab, you can view the status of the device:
• Critical alarms
• Download Tech Support File
• Online or Offline
• Reboot the device.
• Restart Minion
Debug
In the Debug tab, the user can view or download the PoP logs by executing the following log commands:
• Bridging
• pop-config
• e2e_minion
• openr
• exabgp
• Click the icon to download the generated output.
Remote Command
In the Remote Command tab, the user can view or download Command logs by executing the following commands:
• Show Interfaces
• Show Routes
• Show OpenR Adjacencies
• Show OpenR Prefixes
• Click the download icon to download the generated output.
DN/CN Node
To create a new site, refer to Site.
Dashboard
Dashboard pages are customized for each device type and aggregation level. The DN/CN node dashboard section
displays the Status, Links, Channels, Throughput (Sector 1), Throughput (Sector 2), Throughput (Main), Throughput
(Aux), Throughput (SFP), Alarms, Top Alarms, Links MCS, Device Info, Sectors, and Ethernet.
Configuration
Configuration page allows the user to configure the following details of CN/DN:
• Basic
• Radio
• Network
• VLAN
• Security
• Advanced
Basic
It allows the user to configure and reset the basic details of the DN/CN node such as Description, Azimuth, and Elevation.
Figure 112 Basic
Radio
NOTE:
The GPS option is not enabled for V1000.
It allows the user to configure the EIRP, Adaptive Modulation, Sectors (Channels and Golay), and GPS.
Figure 113 Radio
Network
Network tab allows the user to edit the Layer 3 CPE, IPv4 Management, Ethernet Ports, and Other Settings.
VLAN
The VLAN configuration of a CN/DN is the same as the PoP Node VLAN configuration shown above.
NOTE:
Enable Layer 2 Bridge in 60 GHz cnWave > Configuration > Basic page to configure the CN/DN
VLAN.
Security
The Security tab allows the user to reset the identity and password of the RADIUS user.
Advanced
Advanced tab allows the advanced user to edit the settings of the Table and JSON format of the PoP Nodes.
Table
In the Table, the user can view, add, and edit Field Name and Value.
To add a field:
3. Enter the Field Name and Value.
4. Click Save.
JSON
To download the file:
4. Click Download.
Links
Links provides the details about the links of the node and also provides the option to create a new link. The user can delete
the links in bulk by selecting the particular devices.
List
List provides the details about the links of the node and also provides the option to create a new link. The user can delete
the links in bulk by selecting the particular link.
Statistics
The Links Statistics page provides details of Name, Direction, A-Node Sector MAC, Z-Node Sector MAC, Alive, Link
Time, RSSI, Tx Power Index, A-node, Z-node, Type, Distance, Azimuth, Rx MCS, Tx MCS, Rx PER, Tx PER, Rx SNR, Rx
Beam Index, Tx Beam Index, EIRP, Rx Errors, Tx Errors, Rx Frames, Tx Frames on a single device, generally in a page
format.
Events
Events provides the details of the links from the last 1 hour to 7 Days, Ignition Attempts, and Distance.
Figure 117 Events
It also calculates the Availability percentage per link, including the duration when E2E Controller was offline in
cnMaestro.
Tools
In the Tools page, the user can view the Status, Debug, and Remote Command of the device.
Status
In the Status tab, you can view the status of the device:
• Critical alarms
• Download Tech Support File
• Online or Offline
• Reboot the device.
• Restart Minion
• Factory reset
Debug
In the Debug tab, the user can view or download the DN or CN logs by executing the following log commands:
• Bridging
• e2e_minion
• openr
Remote Command
In the Remote Command tab, the user can view or download Command logs by executing the following commands:
• Show Interfaces
• Show Routes
• Show OpenR Adjacencies
• Show OpenR Prefixes
• Click the download icon to download the generated output.
Auto-Provisioning
cnMaestro On-Premises supports Auto-Provisioning for Wireless LAN devices (cnVision, Wi-Fi, and ePMP 1000
Hotspot) and fixed devices (PMP and ePMP). It is enabled at Shared Settings > Auto-Provisioning, and it allows
one to automatically configure and approve devices based upon IP address.
NOTE:
Auto-Provisioning is supported only for cnMaestro On-Premises.
• Overview
• Configuring Managed Services
• Managed Services Administration
Overview
Managed Service Provider (MSP) allows a cnMaestro account owner to partition their installation into separate
Managed Accounts – each with its own independent administration and configuration. This feature is for managed
service providers who want to provision a full cnMaestro infrastructure for their customers but still maintain control
over the individual deployments.
Managed Accounts
Managed Accounts group cnMaestro devices and configuration objects (such as AP Groups, WLANs, and Sites) into
administration domains within a single cnMaestro instance. Managed Accounts are independent, and the devices
added to them are configured using the objects in the Managed Account.
336 | Managed Service Provider (MSP) Cambium cnMaestro On-Premises | User Guide
Scope
An account with MSP enabled has three scopes:
1. Global Scope for entities (Devices, Networks, Sites, etc.) that exist outside of Managed Accounts and are only
available to Global cnMaestro Administrators.
2. Managed Account Scope for entities in Managed Accounts and accessible to Global Administrators and
Managed Account Administrators.
3. Shared Scope applies to management objects such as AP Groups, WLANs, and Switch Groups. Shared Scope
objects can be used across all Managed Accounts but not modified by them, though they can be copied into the
Managed Account and then changed.
Access Points
Access Points exist in the global cnMaestro application, or they can be added to a single Managed Account.
NOTE:
The Managed Service Provider feature supports all device types available within cnMaestro.
Managed Service
A Managed Service creates a customized version of the cnMaestro UI and assigns Managed Accounts. Each Managed
Service can be mapped to many Managed Accounts.
Support: Details
Administrator Database: Each Managed Service has its own independent database of users who can be assigned
to multiple Managed Accounts.
Custom Login URL: The path of the Login URL used by Managed Service Administration can be tailored to
represent the Managed Service. The path must be unique across all cnMaestro.
Managed Account UI: The Managed Account UI is customized for the Managed Service through graphics,
colors, and text.
Managed Account UI
The Managed Account UI can be customized to represent the brand. A sample Managed Account UI is shown
below:
Managed Service Users (Administrators)
Managed Service Users are assigned to Managed Accounts. They access nearly all the same features as the Global
cnMaestro Administrators, except they are only allowed to manage the subset of devices and objects (AP Groups,
WLAN, Sites, etc.) in their account.
• Administrator
• Monitor
• Operator
The authorizations for each role are listed in the table below:
Table 33: Tenant Administrator Roles
Feature Description Administrator Operator Monitor
Configuring Managed Services
This section provides the following configuration details for Managed Services:
To enable MSP:
• The Header adds a select box that allows the global administrator to enter the context of Managed Accounts
Figure 128 Dashboard > Managed Accounts
1. Select Managed Service Providers in the side-menu and select the Managed Services tab.
Figure 132 Add New Managed Service Window
Name: Name of the service. This name is visible to Managed Account Administrators.
Login Path: Managed Account Administrators log into cnMaestro using a standard URL with an
additional Path that defines the Managed Service.
Note:
• The Path name must be unique across all Managed Service accounts when cnMaestro
is hosted in the Cambium Cloud.
• A maximum of 16 characters is supported for the path.
4. Click Add.
Create Managed Account
Perform the following steps to create a Managed Account:
1. Select Managed Service Providers in the side-menu and select the Managed Account tab.
2. Click New Account.
Table 35: Managed Account Parameters
Parameter: Description
Name: Name of the Managed Account. This is sent in the invitation email when Managed
Account Administrators are invited to the account.
Friendly Name: The Friendly Name will be sent in the invitation email.
Status: Determines whether the account is enabled or disabled. When an account is disabled, all
Managed Account Administrators are logged out.
Managed Service: The Managed Service used for Managed Account Administrator.
Email: The email address of the first Managed Account Administrator. You can add more Users
after the account has been created.
Role: The role of the Managed Account Administrator (Administrator, Operator, Monitor).
4. Click Add.
NOTE:
Users are allowed to edit the existing name of the Managed Account before validating the account.
Figure 135 Sample Email Invitation
Figure 136 Checking Managed Account Administrator User Email
NOTE:
If a user already has an account in the Managed Service, they can use their existing email login to
accept the invite for the new account. Switching between accounts is accomplished using the choice
box in the UI header (upper-right).
Managed Services Administration
Overview
Once Managed Services is enabled, there are three ways for administrator to Managed Accounts.
• System View
• Managed Account View
• Managed Account Administrator (User) View
NOTE:
• When a device is moved from one Managed Account to other, it goes offline for one minute
before appearing online. Only active alarms are moved to the new account and other data is
retained in the old account.
• The Managed Service Provider feature can be disabled only if all devices in Managed Accounts
are deleted or moved to Base Infrastructure account.
• Administrators of any Managed Accounts do not have access to the settings page of the
On-Premises server to change the account type.
• When Global Super Administrators trigger Configure/Software/Reports Jobs, the Managed
Account users cannot view them in any of the Managed Accounts.
• When Managed Account users trigger Configure/Software/Reports Jobs, they are reflected
under the Global Super Administrator view along with respective Job IDs enrolled in the
respective Managed Accounts.
• The devices that have not started Software/Configure Jobs cannot be moved across Managed
Accounts.
• The Global Super Administrator and the Managed Account Administrator cannot trigger a
Software or Configure Job simultaneously on the same device.
• The Lock AP configuration can be enabled only by the Global Super Administrator. But whenever
a device configuration is changed outside of cnMaestro by either a Global Super Administrator or
a Managed Account Administrator, the Auto Synchronization Job starts automatically with the
configuration job ID as in Managed Account and reflects in both the Global Super Administrator
and Managed Account Administrator accounts.
System View
At the System level, one can view APs, AP Groups, or Sites across all Managed Services in a single, unified table.
This allows one to review the status of all accounts in the context of one another. The following figure displays the AP
table, and specifies which APs are mapped to the Managed Accounts.
Managed Account View
The Managed Accounts page allows you to select the Managed Account, which launches the Managed Account
View. This provides full status and configuration for all components of the Managed Account, including Dashboard,
Notifications, Configuration, Software Update, Reports, Clients, etc.
System Dashboard
The System Dashboard integrates Managed Accounts into the global health component. It ranks the top Managed
Accounts based upon device count.
Figure 141 System Dashboard
Base Infrastructure: The object is only available for the Global account.
Shared: The object is shared among all Managed Accounts. It can be mapped to devices in the
Managed Account, but it cannot be modified. To change the configuration, it needs to
be copied into the Managed Account and then updated.
NOTE:
Once the scope has been configured on an object it cannot be changed.
Device Management
Devices are added at the global System level or within Managed Accounts. Devices added at the System level can
be moved into Managed Accounts at a later time.
System Onboarding
Onboarding at the global System level supports both MSN and Cambium ID. In the example below, a Managed
Account can be selected for all devices onboarded in the MSN batch.
NOTE:
cnMaestro supports onboarding through either MSN or Cambium ID. Within Managed Accounts,
only MSN onboarding is supported.
Figure 143 Moving a Device Between Managed Accounts
In Enterprise View, the device can be moved between Managed Accounts using a Managed Account icon in the
Inventory tab.
NOTE:
All devices must be removed from the Managed Account before deleting it.
To delete a Managed Account, navigate to the Managed Services page and click the delete icon.
Disabling Managed Service Provider Feature
The Managed Service Provider feature can be disabled within the system only after all the devices are deleted or
moved to the Global context. By disabling Managed Services, the Managed Account field will be disabled across all
the tables such as Clients, Notifications, Inventory etc.
NOTE:
In the current release, only the global administrator of the On-Premises account has control over the
following features:
• Association ACL
• Auto-Provisioning
• Scheduled Backup
• Server Settings
• SMTP Server
• SNMP Configuration
API Client
Overview
cnMaestro supports a RESTful API as part of its On-Premises deployment. This API allows customers to read
data and perform operations programmatically using their own client applications. The API is supported over
HTTPS, and messages are exchanged in JSON format. Modern programming languages have rich support for
RESTful interfaces.
API Clients
API Clients are external applications that access the RESTful API over HTTPS using OAuth 2.0 Authentication.
They require a Client ID and Client Secret for access, both of which are detailed later in this section. They are
configured by navigating to Services > API Clients.
3. Enter Name.
4. Enter Description.
5. Enter Expiration Time.
6. Enter Token Renewal Time.
7. Click Save.
Once the API Client is added, you can view or download the credentials shown in the OAuth 2.0 Access
Credentials.
NOTE:
The cnMaestro API is changing to v2 in the 3.0 Release. v1 continues to be supported through 3.1.x.
Cambium Networks recommends using v2 on any new API applications and updating from v1 as
soon as possible. The changes to the v2 API are limited and described later in this chapter.
Authentication
API Authentication uses OAuth2. The client retrieves an Access Token to start the session. It then sends API
requests until the Access Token times out, at which point the token can be regenerated.
Establish Session
A session is created by sending the Client ID and Client Secret to the cnMaestro server. These are generated in the
cnMaestro UI and stored with the application. The Client ID defines the cnMaestro account and application, and the
Client Secret is a private string mapped to the specific application. The Client Secret should be stored securely.
If the session is established successfully, an Access Token is returned along with an expiration string. The Access
Token is used to authenticate the session. The expiration is the interval, in seconds, in which the Access Token
remains valid. If the Access Token expires, a new session needs to be created.
API Access
With the Access Token, the application can make cnMaestro API calls. The token is sent in an Authorization header
on each API request. Details are provided later in this document.
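The session lifecycle described above, as an added example that is not part of the original guide or Cambium's sample code: the Client Secret is read from the environment instead of being written into the script, and the Access Token is cached and renewed shortly before `expires_in` elapses. The environment variable names, the `TokenSession` class, the `margin` parameter and the `ca_file` option are assumptions made for illustration; the token URL is whatever your server exposes.

```python
import base64
import json
import os
import ssl
import time
import urllib.request


def load_credentials(env=os.environ):
    """Read the Client ID and Client Secret from the environment, not from source code.

    The variable names are assumptions made for this example.
    """
    try:
        return env["CNMAESTRO_CLIENT_ID"], env["CNMAESTRO_CLIENT_SECRET"]
    except KeyError as missing:
        raise RuntimeError("missing credential variable: %s" % missing.args[0])


def https_token_fetcher(token_url, ca_file=None, timeout=10):
    """Build a fetch function that requests a token over verified HTTPS.

    ca_file may name the server's CA certificate when the On-Premises
    instance uses a private CA; certificate verification stays enabled.
    """
    context = ssl.create_default_context(cafile=ca_file)

    def fetch(basic_header):
        request = urllib.request.Request(
            token_url,
            data=b"grant_type=client_credentials",
            headers={
                "Authorization": basic_header,
                "Content-Type": "application/x-www-form-urlencoded",
            },
            method="POST",
        )
        with urllib.request.urlopen(request, context=context, timeout=timeout) as resp:
            payload = json.load(resp)
        return payload["access_token"], payload["expires_in"]

    return fetch


class TokenSession:
    """Holds one Access Token and re-establishes the session before it expires."""

    def __init__(self, fetch, client_id, client_secret, clock=time.monotonic, margin=30):
        self._fetch = fetch
        self._client_id = client_id
        self._client_secret = client_secret
        self._clock = clock
        self._margin = margin      # renew this many seconds before expiry
        self._token = None
        self._renew_at = 0.0

    def __repr__(self):
        # Never expose the secret or the token in logs or tracebacks.
        return "TokenSession(client_id=%r, token=%s)" % (
            self._client_id, "<set>" if self._token else "<none>")

    def _basic_header(self):
        raw = ("%s:%s" % (self._client_id, self._client_secret)).encode("ascii")
        return "Basic " + base64.b64encode(raw).decode("ascii")

    def access_token(self):
        """Return a valid token, creating a new session when the old one is due."""
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            token, expires_in = self._fetch(self._basic_header())
            lifetime = float(expires_in)   # interval in seconds, per the text above
            if not token or lifetime <= 0:
                raise ValueError("token endpoint returned an unusable token")
            self._token = token
            # Short-lived tokens are renewed at half-life instead of immediately.
            self._renew_at = now + lifetime - min(self._margin, lifetime / 2)
        return self._token

    def invalidate(self):
        """Drop the cached token, e.g. after the server rejects it."""
        self._token = None

    def auth_header(self):
        """Header to attach to each API request."""
        return {"Authorization": "Bearer %s" % self.access_token()}
```

In use, pass `https_token_fetcher(TOKEN_URL)` and the values from `load_credentials()` to `TokenSession`, then add `auth_header()` to every request.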
Rate Limiter
The Rate Limiter improves the availability of API-based services by avoiding resource starvation.
It calculates the rate limit per customer based on various factors such as system configuration, number of
devices onboarded, Network, Towers, Sites, etc.
It limits the number of NBI API calls per minute for a single cnMaestro account. Once the limit is reached, API
requests receive a standard HTTP response status code such as 429 or 503.
HTTP Response Status Code: 503
Response Headers: Retry-After
Explanation: Number of seconds during which users wait before retrying
Action to be taken: If the value of Retry-After is greater than 0, then the client application waits for the
number of seconds given by Retry-After before sending subsequent API requests
The following table displays the approximate limit calculated by the system on an On-Premises instance.
import base64
import json
import sys
import time

import requests

HOST = ""           # host here
CLIENT_ID = ""      # client id here
CLIENT_SECRET = ""  # client secret here
TOKEN_URL = ""      # token url here


# Retrieve access parameters (access_token and expires_in).
def get_access_parameters(token_url, client_id, client_secret):
    """
    Authenticates to API.
    Parameters:
    `token_url` - Endpoint to authenticate to\n
    `client_id` – Auth client id\n
    `client_secret` – Auth client secret\n
    Returns:
    `(access_token, expiry)`
    """
    data = "%s:%s" % (client_id, client_secret)
    encoded_credentials = base64.b64encode(data.encode('ascii')).decode('ascii')
    headers = {
        "Authorization": "Basic %s" % encoded_credentials,
        "Content-Type": "application/x-www-form-urlencoded"
    }
    body = "grant_type=client_credentials"
    # verify=False skips TLS certificate validation (like curl -k in the examples
    # later in this chapter); pass the path of the CA bundle that signed the
    # cnMaestro certificate instead to validate the server.
    r = requests.post(token_url, body, headers=headers, verify=False)
    print("Status Code: %s" % r.status_code)
    return r.json()['access_token'], r.json()['expires_in']


def call_api(method, host, path, access_token):
    """
    Parameters:
    `method` -
    method for the new Request object: GET, OPTIONS, HEAD, POST, PUT, PATCH, or DELETE\n
    `host` – host for the url\n
    `path` – path for the url\n
    `access_token` – a valid access token for header
    Returns:
    `(response_status_code, headers, body)`
    """
    api_url = "https://%s%s" % (host, path)
    headers = {
        "Authorization": "Bearer %s" % access_token,
    }
    # See the note on verify=False in get_access_parameters.
    response = requests.request(method=method, url=api_url, headers=headers, verify=False)
    headers = response.headers
    body = response.json()
    response_status_code = int(response.status_code)
    return response_status_code, headers, body


def main():
    try:
        # Getting the access token using client id and client secret
        access_token, expires_in = get_access_parameters(TOKEN_URL, CLIENT_ID, CLIENT_SECRET)
        # For the purpose of the example, let's send 100 requests back to back
        for i in range(100):
            # Calling the endpoint with GET method
            status_code, header, body = call_api(
                'GET', HOST, '/api/v2/devices/statistics', access_token)
            # identifying any client or server side error codes
            client_errors = (status_code - status_code % 100) == 400
            server_errors = (status_code - status_code % 100) == 500
            if client_errors or server_errors:  # check for all 400 and 500 responses
                print("Failure: [%s]-[%s]" % (status_code, json.dumps(body, indent=2)))
                # For 429, wait until `RateLimit-Reset` seconds
                if status_code == 429:
                    sleep_time = 10  # default wait time
                    # try block covers a missing or non-numeric header
                    try:
                        # Reading the header
                        sleep_time = int(header["RateLimit-Reset"])
                    except (KeyError, ValueError):
                        pass
                    # if sleep_time is not greater than 0, defaulting to 10 seconds
                    sleep_time = sleep_time if sleep_time > 0 else 10
                    print("Sleeping for %d seconds" % sleep_time)
                    # sleeping the main thread
                    time.sleep(sleep_time)
                if status_code == 503:
                    sleep_time = 10  # default wait time
                    # try block covers a missing or non-numeric header
                    try:
                        # Reading the header
                        sleep_time = int(header["Retry-After"])
                    except (KeyError, ValueError):
                        pass
                    # if sleep_time is not greater than 0, defaulting to 10 seconds
                    sleep_time = sleep_time if sleep_time > 0 else 10
                    print("Sleeping for %d seconds" % sleep_time)
                    # sleeping the main thread
                    time.sleep(sleep_time)
            else:
                # process response
                print("Success: [%s]" % json.dumps(body, indent=2))
    except Exception as E:
        print("Failure: [%s]" % E)
        sys.exit()


if __name__ == "__main__":
    main()
Swagger API
Introduction
The RESTful API documentation is now supported through Swagger. Swagger UI allows visualization and
interaction with the API resources. You can access Swagger by navigating to Services > API Clients grid and
clicking on <Swagger API documentation>.
NOTE:
The steps below are for the On-Premises release of cnMaestro.
In the body of the POST the parameter grant_type must be set to client_credentials.
grant_type=client_credentials
Alternatively, instead of using the Authorization header, the credentials can be passed within the body of the POST:
grant_type=client_credentials&client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":3600
}
Message Details
unauthorized_client The client is not authorized to use the grant type sent.
Access Resources
Once the access_token is retrieved, API requests are sent to cnMaestro server using the format below. The
access_token is sent within the HTTP Authorization header.
GET /api/v2/devices
Accept: application/json
Authorization: Bearer ACCESS_TOKEN
API Details
HTTP Protocol
HTTP Response Codes
The following response codes are supported in cnMaestro and may be returned through the HTTP protocol.
502 Bad Gateway Internal server error that may require a reboot.
500 Internal Server Error A server-side error happened during processing the request.
405 Method Not Allowed A method (GET, PUT, POST) is not supported for the resource.
404 Not Found Server could not locate the requested resource.
413 Payload Too Large The request is larger than the server is willing to handle
431 Request Header Fields Too Large The header fields are too large to be processed.
503 Service Unavailable Internal server error that may require a reboot.
429 Too Many Requests The client has sent too many requests in a given interval.
422 Unprocessable Entity The server understands the request but cannot process it.
Header Details
Authorization Used in every API request to send the Access Token. Example: Authorization: Bearer
<Access-Token>
REST Protocol
Resource URLs
The formats for cnMaestro paths and parameters are the following:
/api/{version}/{resource}?{parameter}={value}&{parameter}={value}
/api/{version}/{resource}/{resource_id}?{parameter}={value}&{parameter}={value}
/api/{version}/{resource}/{sub-resource}?{parameter}={value}&{parameter}={value}
/api/v2/devices/statistics?fields=mac,type,ip_wan
Version
The version is equal to v2 in this release.
Resource
Resources are the basic objects in the system
Context Details
Sub-Resources
Sub-Resources apply to top-level resources. They provide a different view of the resource data, or a filtered
collection based upon the resource. They include:
Context Details
{
"paging": {
"offset": 0,
"limit": 5,
"total": 540
},
"data": [
{
"mac": "C1:00:0C:00:00:21",
"type": "wifi-home"
},
{
"mac": "C1:00:0C:00:00:18",
"type": "wifi-home"
},
{
"mac": "C1:00:0C:00:00:12",
"type": "wifi-home"
},
{
"mac": "C1:00:0C:00:00:15",
"type": "wifi-home"
},
{
"mac": "C1:00:0C:00:00:06",
"type": "wifi-home"
}
]
}
Error Response
Error responses return a message and an error cause. If start_time and stop_time are mandatory query
parameters and they are not provided in the URL, the following error response is returned with a message and
cause.
{
"error": {
"message": "Missing required property: stop_time \n Missing required property: start_time",
"cause": "InvalidInputError"
}
}
Parameters
Most APIs can be modified to filter the data and limit the number of entries returned. The parameter options are
listed below. The specific fields, and the appropriate values, vary for each API.
Parameter Details
fields Define exactly what fields should be returned in a request. The names are provided as a comma-
separated list.
Example: To retrieve name, type and location information for all devices.
Request:
/api/v2/devices?fields=mac,type
Response:
{
"paging": {
"total": 3,
"limit": 100,
"offset": 0
},
"data": [
{
"mac": "00:44:E6:34:89:48",
"type": "wifi-enterprise"
},
{
"mac": "00:44:16:E5:33:E4",
"type": "wifi-enterprise"
},
{
"mac": "00:44:26:46:32:22",
"type": "wifi-enterprise"
}
]
}
Filtering
A subset of fields support filtering. These are defined as query parameters for a particular resource, and they are
listed along with the API specification. Some of the standard filtering parameters are below:
Field Details
severity (Alarms, Events) Alarm or Event severity (critical, major, minor, notice).
type (Devices) Device type [60ghz-cnwave, cnreach, cnmatrix, epmp, pmp, wifi-enterprise, wifi-home,
wifi, ptp] (wifi includes wifi-home and wifi-enterprise).
Request:
/api/v2/devices?type=wifi&status=online
Response:
{
"paging": {
"total": 1,
"limit": 100,
"offset": 0
},
"data": [
{
"ip": "233.187.212.38",
"location": {
"type": "Point",
"coordinates": [
77.55310127974755,
12.952351523837196
]
},
"mac": "C1:00:0C:00:00:24",
"msn": "SN-C1:00:0C:00:00:24",
"name": "Hattie",
"network": "Bangalore",
"product": "cnPilot R201",
"registration_date": "2017-05-23T21:28:37+05:30",
"status": "online",
"site": "Bangalore_Industrial",
"type": "wifi-home",
"hardware_version": "V1.1",
"software_version": "2.4.4",
"status_time": 1495560086
}
]
}
Time Filtering
Events, Alarms, and Performance data can be filtered by date and time using ISO 8601 format.
The parameters are below. If they are not specified, then the start or stop times will be open-ended.
Sorting
Sorting is supported on a selected subset of fields within certain requests. sort is used to specify sorting columns.
The sort order is ascending unless the path name is prefixed with a '-', in which case it would be descending.
Parameter Details
sort Used to get the records in the order of the given attribute.
Request:
/api/v2/devices?sort=name
Request:
/api/v2/devices?sort=-mac
Pagination
The limit and offset query parameters are used to paginate responses.
Parameter Details
Request:
/api/v2/devices?offset=3&limit=1
Response:
{
"paging": {
"total": 6,
"limit": 1,
"offset": 3
},
"data": [
{
"status": "online",
"product": "cnPilot E400",
"network": "Mumbai",
"software_version": "3.3-b14",
"registration_date": "2017-04-28T08:57:33+00:00",
"site": "Central",
"hardware_version": "Force 200",
"status_time": "3498",
"msn": "W8SF0759MBDH",
"mac": "00:04:36:46:34:AA",
"location": {
"type": "Point",
"coordinates": [
0,
0
]
},
"type": "wifi-enterprise",
"name": "E400-4634AA"
}
]
}
Request:
/api/v2/devices
Response:
{
"data": {"devices": [ {"name": "ePMP_5566", "type": "ePMP", "location": "blr"}, {…}, … ] },
"paging": {
"limit":25,
"offset":50,
"total":100
}
}
offset Starting index for the records returned in the response (begins at 0).
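The offset/limit walk described above, combined with the error body from the Error Response section, as an added example that is not part of the original guide. The `fetch` callable, `fake_fetch` and the sample inventory are constructed for illustration; in real use `fetch` would perform the authenticated GET and return the decoded JSON body.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


def build_path(resource, version="v2", **params):
    """Return /api/{version}/{resource}?{parameter}={value}&... with encoded values."""
    # safe="," keeps comma-separated lists such as fields=mac,type readable.
    query = urlencode({k: v for k, v in params.items() if v is not None}, safe=",")
    return "/api/%s/%s%s" % (version, resource, "?" + query if query else "")


def iter_records(fetch, resource, limit=100, max_pages=1000, **params):
    """Yield every record of a collection, following paging.total page by page.

    `fetch(path)` is supplied by the caller (assumption of this example) and
    returns the decoded JSON body of one response.
    """
    offset = 0
    for _ in range(max_pages):
        body = fetch(build_path(resource, offset=offset, limit=limit, **params))
        if "error" in body:
            # Error responses carry a message and a cause.
            raise RuntimeError("%(cause)s: %(message)s" % body["error"])
        records = body.get("data", [])
        yield from records
        offset += len(records)
        # Stop on an empty page as well, so a changing total cannot loop forever.
        if not records or offset >= body["paging"]["total"]:
            return
    raise RuntimeError("gave up after %d pages" % max_pages)


# Constructed sample inventory standing in for a server (not real devices).
_SAMPLE = [{"mac": "C1:00:0C:00:00:%02d" % n, "type": "wifi-home"}
           for n in (21, 18, 12, 15, 6)]


def fake_fetch(path):
    """Offline stand-in for an authenticated GET; slices _SAMPLE by offset and limit."""
    query = parse_qs(urlsplit(path).query)
    offset, limit = int(query["offset"][0]), int(query["limit"][0])
    fields = query.get("fields", ["mac,type"])[0].split(",")
    page = [{f: device[f] for f in fields} for device in _SAMPLE[offset:offset + limit]]
    return {"paging": {"offset": offset, "limit": limit, "total": len(_SAMPLE)},
            "data": page}


if __name__ == "__main__":
    for record in iter_records(fake_fetch, "devices", limit=2, fields="mac"):
        print(record["mac"])
```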
Access API
Token (basic request)
POST
/api/v2/access/token
Generate an Access Token using the Client ID and Client Password created in the cnMaestro UI. The token can be
leveraged for API calls through the expiration time. Only one token is supported for each Client ID at any given time.
Request
Headers
Header Value
Content-Type application/x-www-form-urlencoded
The client_id and client_secret are encoded and sent in the Authorization header. The encoding is:
BASE64(client_id:client_secret)
Body
Response
The response returns credentials for API access.
Body
expires_in Time in seconds that the API session will remain active.
{
"access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer",
"expires_in":3600
}
Example
Request
curl https://10.110.134.12/api/v2/access/token \
-X POST -k \
-u 8YKCxq72qpjnYmXQ:pcX5BmdJ2f4QLM5RfgsS4jOtxAdTRF \
-d grant_type=client_credentials
Response
{"access_token":"d587538f445d30eb2d48e1b7f7a6c9657d32068e","token_type":"bearer","expires_in":86400}
POST
/api/v2/access/token
An alternative form is supported in which the client_id and client_secret are sent in the body, rather than the
Authorization header.
Request
Headers
Header Value
Content-Type application/x-www-form-urlencoded
Body
grant_type=client_credentials&client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
Response
The response to both forms is the same.
Name Details
expires_in Time in seconds that the API session will remain active.
{
"access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer",
"expires_in":3600
}
Example
Request
curl https://10.110.134.12/api/v2/access/token \
-X POST -k \
-d grant_type=client_credentials \
-d client_id=8YKCxq72qpjnYmXQ \
-d client_secret=pcX5BmdJ2f4QLM5RfgsS4jOtxAdTRF
Response
{"access_token":"ee4e077cf457196eb4d27cf6f02686dc07763059","token_type":"bearer","expires_in":86400}
Validate Token
GET
/api/v2/access/validate_token
Verify an Access Token is valid and return the time remaining before it expires.
Request
HTTP Headers
Header Value
Response
Body
expires_in Time in seconds that the API session will remain active.
{
"expires_in": 86399
}
Example
Request
curl https://10.110.134.12/api/v2/access/validate_token \
-X GET -k \
-H "Authorization: Bearer ee4e077cf457196eb4d27cf6f02686dc07763059"
Response
{"expires_in":85643}
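One way to manage the token lifecycle described in this chapter, as an added example that is not Cambium's code. Because only one token is supported per Client ID at a time, the example serializes renewal behind a lock and shares one cached token, on the assumption that a newly issued token replaces the previous one; the environment variable names, the `post` transport interface and the 60-second renewal margin are also assumptions of the example.

```python
import base64
import json
import os
import ssl
import threading
import time
import urllib.request


def https_transport(token_url, ca_bundle):
    """Return post(headers, body) that validates the server against ca_bundle."""
    context = ssl.create_default_context(cafile=ca_bundle)

    def post(headers, body):
        request = urllib.request.Request(
            token_url, data=body.encode("ascii"), headers=headers, method="POST")
        with urllib.request.urlopen(request, timeout=10, context=context) as response:
            return json.load(response)
    return post


class TokenManager:
    """Caches the Access Token for one Client ID and renews it before it expires."""

    def __init__(self, post, client_id, client_secret, margin=60, clock=time.monotonic):
        self._post = post              # callable(headers, body) -> decoded JSON reply
        self._client_id = client_id
        self._client_secret = client_secret
        self._margin = margin          # renew this many seconds before expiry
        self._clock = clock
        self._lock = threading.Lock()  # one renewal at a time, one shared token
        self._token = None
        self._expires_at = 0.0

    @classmethod
    def from_env(cls, post, **kwargs):
        # Hypothetical variable names; keeps the Client Secret out of source files.
        return cls(post, os.environ["CNMAESTRO_CLIENT_ID"],
                   os.environ["CNMAESTRO_CLIENT_SECRET"], **kwargs)

    def __repr__(self):
        # Never let the secret reach logs or tracebacks through repr().
        return "TokenManager(client_id=%r, client_secret=<redacted>)" % self._client_id

    def token(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._margin:
                self._renew()
            return self._token

    def invalidate(self):
        """Forget the cached token, for example after the server rejects it."""
        with self._lock:
            self._token = None

    def authorization(self):
        return {"Authorization": "Bearer %s" % self.token()}

    def _renew(self):
        credentials = ("%s:%s" % (self._client_id, self._client_secret)).encode("utf-8")
        reply = self._post(
            {"Authorization": "Basic " + base64.b64encode(credentials).decode("ascii"),
             "Content-Type": "application/x-www-form-urlencoded"},
            "grant_type=client_credentials")
        if "access_token" not in reply or "expires_in" not in reply:
            # The reply is not echoed, so nothing sensitive ends up in the message.
            raise RuntimeError("token request did not return an access_token")
        self._token = reply["access_token"]
        self._expires_at = self._clock() + int(reply["expires_in"])


def demo():
    """Drive the manager with a constructed transport and clock; no network is used."""
    now = [0.0]
    issued = []

    def fake_post(headers, body):
        issued.append(headers["Authorization"])
        return {"access_token": "token-%d" % len(issued),
                "token_type": "bearer", "expires_in": 3600}

    manager = TokenManager(fake_post, "id", "pw", margin=60, clock=lambda: now[0])
    seen = [manager.token(), manager.token()]   # second call is served from the cache
    now[0] = 3539.0
    seen.append(manager.token())                # one second before the renewal margin
    now[0] = 3540.0
    seen.append(manager.token())                # inside the margin: renewed
    manager.invalidate()
    seen.append(manager.token())                # forced renewal
    return seen, issued


if __name__ == "__main__":
    print(demo())
```

For a live server, pass `https_transport(token_url, ca_bundle)` as `post`, with both values supplied by the deployment.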
Selected APIs
Overview
cnMaestro APIs are defined within the Swagger specification, accessed here
https://docs.cloud.cambiumnetworks.com/api/3.0.0/index.html#/. This section only presents additional details for
the Device, Statistics and Performance APIs, which have unique responses based upon Device Type, and are
difficult to present within Swagger.
cnMaestro v2 API
Beginning with cnMaestro 3.0.0, the API version changes from v1 to v2. The v1 version will be supported through
3.1.0, but Cambium recommends updating existing API code to use v2. For most commands, swapping v1 in the URL
with v2 should be sufficient. However, the following APIs may need to be rewritten while moving to v2.
• AP Groups
• Devices
• Statistics
• Performance
• Mesh Peers
• Operations
ap_group  AP Group  X
config.sync_reason  Configuration synchronization reason  X X X X X X X
config.sync_status  Configuration synchronization status  X X X X X X X
config.variables  Device is mapped to configuration variables  X X X X X X X
config.version  Current configuration version  X X X X X X X
country  Country  X X X X
country_code  Regulatory band  X
description  Description  X X X X X X X X
hardware_version  Hardware version  X X X X X X X X
inactive_software_version  Inactive software version  X X X X X X X
ip  IP address  X X X X X X X X
ipv6  IPv6  X X X X
location  Location  X X X X X X X X
managed_account  Managed account name  X X X X X X X X
msn  Manufacturer serial number  X X X X X X X X
network  Network  X X X X X X X X
registration_date  Registration date  X X X X X X X X
role  X
site  Site  X X X
status_time  Uptime/downtime time interval (sec)  X X X X X X X
tower  Tower  X X X X X X
• 60 GHz cnWave
• cnMatrix
• cnReach
• Fixed Wireless
• PTP
• Wi-Fi
60 GHz cnWave
General
Networks
cnMatrix
General
Name Details
network Network
Networks
Name Details
ip IP address
cnReach
General
ip IP address All
ap_mac AP MAC SM SM SM
last_sync Last synchronization (UTC Unix time milliseconds) AP/SM AP/SM AP/SM
Radios
PMP […]
PMP […]
Networks
ip IP address All
Radios
PMP: […]
Wi-Fi
NOTE:
Mode is Enterprise, Home, or All.
General
Networks
ip IP address All
• 60 GHz cnWave
• cnMatrix
• cnReach
• Fixed Wireless
• PTP
• Wi-Fi
cnMatrix
General
Name Details
network Network
site Site
timestamp Timestamp
tower Tower
Switch
Name Details
cnReach
General
sm_count Connected SM AP AP AP
count
radio.dl_modulation Downlink SM
modulation
PTP
General
Ethernet
NOTE:
The specification for the equivalent v1 APIs is available in the Appendix.
This section describes how to configure Guest Access using cnMaestro. This feature allows the clients to
connect through Free Tier, Buying Vouchers or Paid Access types.
The Guest Access feature creates a separate network for guests by providing Internet access to guest wireless
devices (mobiles, laptops, etc).
NOTE:
The Guest Access feature is supported on cnPilot E-series Enterprise devices.
Configuration
• Create the Guest Access Portal in cnMaestro
• Map the device to cnMaestro
NOTE:
The Floating Management IP should be used to access the Guest Access Portal. This means DNS
should be mapped to the Floating Management IP, and not to one of the unique IP addresses of
the cnMaestro instances.
2. Click Add Portal. A maximum of four portals can be created per account.
3. Enter Name and Description.
Basic Details
The Basic Details page contains the Managed Account Type Name and Description.
NOTE:
A name once created for the Portal cannot be changed.
Access Portal
The Access Portal tab has three different access types:
• Free
• Paid
• Vouchers
Free access type contains session validity, renewable frequency, client rate limits, and social login configurable
parameters.
You can select authentication using Google, Facebook, Twitter, and Office 365, or all. Enter the App ID of your
social login app. If you enable Facebook login you will also need to enter your Facebook App secret.
Add Whitelist It contains options for configuring the IP address or the domain name.
Client Rate Limit It contains options for configuring downlink and uplink parameters in kbps to limit the
data transfer rate to or from the client. If a client rate limit parameter is blank, no limits
are applied.
Client Quota Limit The data quota limit feature has been added for RADIUS-based as well as for controller-
based guest portals. For controller-based portals, it is either a directional or a total data quota
limit. Once the client logs in as a guest, the data quota limit is enforced and the values
are sent to the access point to which the client is connected. The access point keeps
track of the data limits. The access point also sends client statistics to the controller every
thirty minutes. If multiple devices are allowed for a given policy, data quota
enforcement has some limitations: it works with a latency of thirty
minutes, during which the cumulative data usage of the devices can exceed
the configured data quota limits.
Similar behavior is supported through RADIUS attributes for RADIUS-based
onboard guest access clients.
RADIUS_VENDOR_ID_CAMBIUM 9 (17713)
RADIUS_VENDOR_ATTR_CAMBIUM_WIFI_QUOTA_UP (151)
RADIUS_VENDOR_ATTR_CAMBIUM_WIFI_QUOTA_DOWN (152)
RADIUS_VENDOR_ATTR_CAMBIUM_WIFI_QUOTA_UP_GIGWORDS (153)
RADIUS_VENDOR_ATTR_CAMBIUM_WIFI_QUOTA_DOWN_GIGWORDS (154)
RADIUS_VENDOR_ATTR_CAMBIUM_WIFI_QUOTA_TOTAL (155)
RADIUS_VENDOR_ATTR_CAMBIUM_WIFI_QUOTA_TOTAL_GIGWORDS (156)
The gigwords attributes are used for supporting data quota limits above 4GB when
required.
Renewable Frequency Once the session duration for the client expires, the client needs to wait for the period
specified by renewal frequency before logging in again.
Session Duration The duration for which the client is provided access.
SMS Authentication SMS OTP supports Twilio, SMS Country, and SMS Gupshup SMS gateway providers.
Any one of the gateway providers can be used to support the SMS OTP to be delivered
to the cell phone of the end user. Once OTP is received the client can enter the OTP to
get Internet access.
NOTE:
• Renewal frequency should be greater than session expiration.
• Client will get Social login options only when enabled in Access Control page in portal.
• If Social login is enabled, it is mandatory in free access method for client to login through
Google/Facebook/Twitter/Office 365.
1. Create a plan
a. Navigate to Services > Access Control Portal page and select Access Control tab.
b. Enable Vouchers
c. Click Add New Plan. The window with general and design parameters for the plan is displayed.
Design • Color: There are options to modify colors for the title, message, code, and
background.
• Background Image: You can browse and select a background image for this page.
• Title: The title of the voucher plan.
• Message: Detailed information about the plan.
• Access Code Message: 8 digit access code will be provided to use the voucher.
With all the above parameters, administrators can create their own design for the card
with text, color and message to be displayed on card.
a. Select a plan
b. Add Vouchers
NOTE:
The modified values in the Access Portal page are reflected on the splash page only when the splash
page is saved after making the changes.
Splash Page
The Splash page refers to the page to which a wireless client is redirected when it connects to the guest portal.
Administrators can create their own splash page by modifying the default logo, background, and text to be
displayed in the splash page with different colors and fonts.
• If Free is selected in Access Portal, the client only sees free access related parameters.
• If Voucher is selected in Access Portal, the client only sees Voucher related parameters with a text box to enter
the Voucher code.
• If both Free and Voucher are enabled, then the client sees both Free and Voucher related parameters.
Advanced Expand Advanced option. Browse and select the advanced fields.
Background Browse and select the image that needs to appear as the background.
Background Placement Choose the option from the drop-down list for placing the background image in the
splash page.
Custom Fields Expand Custom Field option. The user can customize the fields in the Splash page by
choosing the Custom Field option in the Guest Access Portal page and clicking Add
New button.
Enter Voucher Code Message Enter the text to appear in Voucher Code Message.
Free Label Enter the text that should appear on the free label.
Footer Enter the text to appear as the footer of the page. You can choose the font style and
size for the footer.
Logo Browse and select the logo that needs to appear on the splash page.
Login Button Enter the text that should appear on the window to submit.
Message Text to appear as the welcome text. You can choose the font style and size for the
welcome text.
On Success Redirect to URL Enter the URL to be redirected to the page like Google, Twitter, and Facebook, etc.
Page Title Text to appear as the title of the page. You can choose the font style and size for the
title.
Repeat Background Enable the check box if you want the background image to be repeated.
Server Error Message Text to appear if there is an error while contacting server.
Select Plans Label Enter the text to appear in the label to select plan.
Text Design Choose the appropriate colors for the background, logo in the background, content
area, and for the text.
Voucher Code Enter the text to appear in Voucher Code, Voucher Label, Enter Voucher Code
Message, and Voucher Code Error Message.
Voucher Code Error Message Enter the text to appear in Voucher Code Error Message.
WIFI4EU WiFi4EU provides free, high-quality Internet access only across the European Union
WIFI4EU
WiFi4EU provides free, high-quality Internet access across the European Union. The administrator can enable the
WiFi4EU checkbox to provide access to the free Internet.
General • Network UUID: Universally Unique Identifier (UUID) that the EC attribute is
generated when the network installation is created in the Installation.
• Language: Allows selecting the preferred language.
• Enable Self Test Mode: Allows the browsers background script verification.
• Show Logo: Displays the WiFi4EU logo provided by the European Union.
Sessions
Sessions tab contains Client MAC address, Access Point MAC address, Access Type as Free (Google or Facebook)
or Voucher, WLAN-SSID of client connected AP, Remaining time and Disconnect option.
Administrator can check how many clients are connected, Access Type (Free/Voucher) of the client, and can
disconnect the clients.
Remaining Time The time left for the client to access the Internet. It depends upon the session duration
configured in the Access Portal.
NOTE:
For Free Access method, the client MAC address is displayed even after the free session duration
expires. Delete the MAC address of the client after the Renewable Frequency completes.
NOTE:
The client gets the fully configured splash page for login only if the Access Point is onboarded into
the server.
Google
1. Login to Google Account and navigate to https://console.developers.google.com.
2. Click Select a Project and then click New Project.
11. Copy the Client ID and paste it to the cnMaestro enabling Google under Social Logins and click Save.
Twitter
1. Login to Twitter Account and access https://developer.twitter.com/en/apps, and click Create an App.
Facebook
1. Login to Facebook Account and access https://developers.facebook.com/apps/, and click Add a New App.
2. Enter App Display Name, Contact Email and click Create App ID.
5. Navigate to Settings > Basic and copy App ID and App Secret.
1. Copy Application ID and paste it to cnMaestro Guest Access page under Office 365.
2. Click Generate New Password.
3. Copy reply URL from cnMaestro and paste it under Redirect URLs.
4. Add my.centrify.com to the Whitelist on the cnMaestro.
Sample Template
Sample client login page is displayed below:
Twilio, SMS Country, and SMS Gupshup are the SMS gateway providers that support the SMS OTP. Also, there is a
generic SMS gateway option that provides flexibility to configure any preferred SMS gateway by cnMaestro users.
Configuring an SMS gateway through this generic option requires a little more involvement from the cnMaestro
user, who has to go through the integration specifications of the given SMS gateway. Follow the guidelines in
the Generic SMS Gateway Configuration section.
Apart from that, many APIs have specific tokens that need to be passed in the request along with the
authentication part. To start, first go through the SMS API document of the given SMS provider,
understand which components need to be provided in the HTTP request, and then build the
corresponding cnMaestro configuration.
In general, all SMS API documents show some example curl commands which can be used to create an SMS request
with the server. Curl examples clearly show the required components in the request and will help to find the right
configuration for the cnMaestro guest portal Generic SMS API.
The cnMaestro Generic SMS API configuration has been split into multiple components which makes it easy to
configure the static and the dynamic part of the SMS API request. It also provides a way to handle the SMS API
response and validate the API success or failure case. How to handle the reply can be found under the Advanced
options.
https://smsapiserver.com/service/sms/send?user=xxx&password=yyyyy&message=”Your OTP is
ABCD”&mobileNumber=123456789&dnd=yes&sid=SenderID&v=1.1&messagType=N
https://smsapiserver.com/service/sms/send
If the SMS Gateway is using an authorization token, then below example curl request shows how the
“Authorization” field is added into a HTTP header.
curl -v -H "Authorization: Bearer nZYIoU7QoUxfD03ct1CC2YvInqI7DmUAH6RYz01K1" \
"https://smsapiserver.com/service/sms/send?\
from=Test&\
to=123456789&\
message='Your OTP for Internet access is QW123'&\
format=json"
Static Components
API URL
Based on our above curl request example the URL will be configured as
“https://smsapiserver.com/service/sms/send” where the request needs to be sent.
Here, the message and mobile number query strings have been removed from that URL and all the remaining
parameters configured. These are the static components of a given SMS API: identify all the options required
for the SMS API request and add them here in the format “key1=value1&key2=value2…”.
Dynamic Components
Message Parameter Name
This is the parameter name, taken from the example curl request or from the SMS gateway provider, of the message
component where the OTP is added. It could be something like “message”, “text”, “msg” or whatever custom
parameter name is used for sending the message component.
In our example curl request, we have used “message” and this is what we will configure here based on the example
curl request.
In our example curl request, we have used “mobile number” and this is what we will configure here based on the
example curl request.
Advanced Options
To have cnMaestro parse the SMS API response and determine whether the request was successful or the server
returned an error, use this advanced configuration.
The usual HTTP response code is handled by default; this advanced configuration additionally parses the reply
content as configured. It should be configured by advanced users only. If any failure is seen in SMS
functionality, disable it and report the issue to Cambium support.
Reply Type
The SMS gateway API sends back a response to let the client know the result of the request. This result can be in
text format or in JSON/XML format. Based on the SMS API document, select the reply type here as “TEXT”.
Success
Configure the text to match the success case as follows:
• Typically, servers may respond with a text message in reply like “success” or “sent”, then configure the exact
message which should be matched in the response.
Error
Configure the text which matches the failure case as follows:
• Typically, servers may respond with a text message in reply like “Error” or “failure”, then configure the exact
message which should be matched in the response.
• If a server response is like “ERROR, failed to send SMS to xxxxx, out of credit”, then configure just “ERROR”
which will be matched in the reply to mark it as an error.
cnMaestro guest portal generic SMS supports nested JSON too and one has to configure the complete path for the
given result key which contains the SMS message sent status. An example of JSON responses used for the
configuration is given below:
Example 1
{
"messages": {
"to": "123456789",
"status": {
"id": 0,
"groupId": 0,
"groupName": "ACCEPTED",
"result": [
{
"status": "MESSAGE_ACCEPTED"
}
],
"description": "Message accepted"
},
"smsCount": 1,
"messageId": "2250be2d4219-3af1-78856-aabe-1362af1edfd2"
}
}
Example 2
{
"count": 1,
"list": [
{
"id": "1460978572913968440",
"points": 0.16,
"number": "48500500500",
"date_sent": 1460978579,
"submitted_number": "48500500500",
"status": "QUEUE"
}
]
}
Success Key Name to be configured based on the above example is list[0].status.
Based on our examples, the status or the result field can be mapped to multiple values such as the following:
• Sent
• Queued
• Success
• Message Accepted
So in this configuration one can add multiple such values that should be matched for the success case for the value
as received for the “JSON Reply Success Key Name” field.
cnMaestro guest portal generic SMS supports nested JSON. You must configure the complete path for the given
result key that contains the SMS message sent failure field.
Example
{
"invalid_numbers": [
{
"number": "456456456",
"submitted_number": "456456456",
"message": "Invalid phone number"
}
],
"error": 13,
"message": "No correct phone numbers"
}
JSON Reply Failure Key Name to be configured based on the above example is error.
Based on our examples the error can be mapped to multiple values like 13|12|-1 etc. So, you can add multiple such
values in this configuration. These values must be matched for the failure case with the value, as received for the
JSON Reply Failure Key Name field.
cnMaestro guest portal generic SMS supports nested XML. You must configure the complete path for the given
result element which contains the SMS message sent status.
Example 1
<items>
<item id="0001" type="result">
<status>Success</status>
</item>
</items>
Example 2
<?xml version="1.0" encoding="utf-8"?>
<int xmlns="http://tempuri.org/">-11</int>
Based on our examples, the status or the result field can be mapped to multiple values such as the following:
• Sent
• Queued
• Success
• Message Accepted
So in this configuration one can add multiple such values that should be matched for the success case for the value
as received for the “XML Reply Success Element” field.
cnMaestro guest portal generic SMS supports nested XML. You must configure the complete path for the given
result key which contains the sms message sent failure field.
Example 1
<items>
<item id="0001" type="result">
<error>-12</error>
</item>
</items>
XML Reply Failure Key Name to be configured based on the above example is items/item/error.
Example 2
XML Reply Failure Key Name to be configured based on the above example is items/item/status.
Example 3
<?xml version="1.0" encoding="utf-8"?>
<int xmlns="http://tempuri.org/">-11</int>
XML Reply Failure Key Name to be configured based on the above example is int.
Based on our examples, the error can take multiple values, such as 13|12|-1. In this configuration you can
add multiple such values; they are matched for the failure case against the value received for the “XML Reply
Failure Element” field.
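As an added illustration (not cnMaestro's own code), the Python sketch below resolves a configured path in a JSON or XML gateway reply and compares the value found there with the configured success and failure lists, so a configuration can be checked against captured replies before it is used. The '/' separator for JSON paths, the '|'-separated value lists, exact string matching, checking failure before success, and all function and setting names are assumptions of this example.

```python
import json
import xml.etree.ElementTree as ET

# Sample replies. JSON_FAIL, XML_OK and XML_INT copy the guide's examples;
# JSON_OK and XML_DTD are constructed for this illustration.
JSON_FAIL = ('{"invalid_numbers": [{"number": "456456456", "submitted_number": '
             '"456456456", "message": "Invalid phone number"}], "error": 13, '
             '"message": "No correct phone numbers"}')
JSON_OK = '{"result": {"id": "0001", "status": "Queued"}}'
XML_OK = '<items><item id="0001" type="result"><status>Success</status></item></items>'
XML_INT = '<?xml version="1.0" encoding="utf-8"?><int xmlns="http://tempuri.org/">-11</int>'
XML_DTD = '<!DOCTYPE items [<!ENTITY a "Success">]><items><item><status>&a;</status></item></items>'

# Hypothetical settings: '/'-separated paths, '|'-separated value lists.
OK_VALUES = "Sent|Queued|Success|Message Accepted"
JSON_CFG = {"success_path": "result/status", "success_values": OK_VALUES,
            "failure_path": "error", "failure_values": "13|12|-1"}
XML_CFG = {"success_path": "items/item/status", "success_values": OK_VALUES,
           "failure_path": "items/item/error", "failure_values": "13|12|-1|-12"}
XML_INT_CFG = {"success_path": "int", "success_values": "0",
               "failure_path": "int", "failure_values": "-11|-12"}


def json_lookup(body, path):
    """Return, as strings, every scalar found at a '/'-separated key path."""
    nodes = [json.loads(body)]
    for key in path.split("/"):
        found = []
        for node in nodes:
            # Arrays are walked transparently so a path can cross them.
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and key in item:
                    found.append(item[key])
        nodes = found
    return [str(v) for v in nodes if not isinstance(v, (dict, list))]


def xml_lookup(body, path):
    """Return the text of every element at a '/'-separated element path."""
    # The reply comes from a third party: refuse DTDs (entity tricks) outright.
    if "<!doctype" in body.lower():
        raise ValueError("DOCTYPE not accepted in gateway reply")
    root = ET.fromstring(body.encode("utf-8"))

    def local(tag):
        # '{http://tempuri.org/}int' -> 'int'
        return tag.rsplit("}", 1)[-1]

    first, *rest = path.split("/")
    nodes = [root] if local(root.tag) == first else []
    for segment in rest:
        nodes = [child for n in nodes for child in n if local(child.tag) == segment]
    return [(n.text or "").strip() for n in nodes]


def classify(body, fmt, cfg):
    """Return 'failure', 'success', 'unknown' or 'unparseable' for one reply."""
    lookup = json_lookup if fmt == "json" else xml_lookup
    try:
        failed = set(lookup(body, cfg["failure_path"])) & set(cfg["failure_values"].split("|"))
        passed = set(lookup(body, cfg["success_path"])) & set(cfg["success_values"].split("|"))
    except (ValueError, ET.ParseError):
        return "unparseable"
    if failed:                      # a failure indicator wins over anything else
        return "failure"
    # No listed value matched: do not assume the SMS was delivered.
    return "success" if passed else "unknown"


if __name__ == "__main__":
    for name, body, fmt, cfg in [("JSON_FAIL", JSON_FAIL, "json", JSON_CFG),
                                 ("JSON_OK", JSON_OK, "json", JSON_CFG),
                                 ("XML_OK", XML_OK, "xml", XML_CFG),
                                 ("XML_INT", XML_INT, "xml", XML_INT_CFG),
                                 ("XML_DTD", XML_DTD, "xml", XML_CFG)]:
        print(name, "->", classify(body, fmt, cfg))
```

A reply whose value is in neither list is reported as unknown rather than success, which is the safer reading when a gateway introduces a status string that was not anticipated in the configuration.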
• Overview
• Typical Deployment Model (Two Port Solution)
• Configuring L2GRE/EoGRE Tunnel Concentrator
• Access Control List (ACL) Configuration
NOTE:
GRE Tunnels feature is deprecated in release 3.0.0 and will be removed in a future release 3.1.0.
Overview
While deploying access points, the ability to tunnel wireless traffic from the APs to a tunnel concentrator
(L2GRE/EoGRE) often plays a key role. By using the tunnel feature, the following can be avoided:
The APs support the L2GRE tunnel feature starting with release 3.1.1-r16. cnMaestro On-Premises accepts
tunneled traffic from the APs. With the end-to-end tunnel solution from Cambium Networks, it is easy to bring up the
network quickly and reliably.
• The primary Ethernet port (eth0) is configured with the cnMaestro IP address, and all communication between
the APs and cnMaestro On-Premises takes place at this port.
• On the Aux/bridge port (eth1), all wireless client traffic received from the APs is forwarded after
removing the tunnel headers. This port comes up as a trunk port with allowed VLANs and other relevant
configurable parameters from the cnMaestro UI.
The Tunnel Concentrator is equipped with an ACL feature that allows such traffic to be restricted. There are many different
ways in which the ACL can drop traffic. Each restriction is defined by an ACL rule. Refer to the ACL Configuration section
for detailed information.
NOTE:
Default rules in the ACL prevent unnecessary broadcast and multicast traffic from going out towards the
APs.
NOTE:
Ensure that Promiscuous mode is enabled on the virtual interface that is mapped to Auxiliary/bridge
port of GRE.
Allowed VLANs - Represents the list of VLANs allowed through the tunnel. This list is used for the allowed VLANs
on the aux/bridge port and also serves as a filtering list for inter-AP packet forwarding.
Bridged Port - Configures the Aux/Bridged port. Using this configuration, the tunnel concentrator is configured
either for the two port solution or the single port solution.
The ACL comes up with default rules that prevent unnecessary broadcast and multicast traffic from going out towards the APs. With
these rules, inter-AP communication is blocked.
Following are the screenshots for the different ACL rule categories:
IP Layer ACL
Figure 152 IP Layer ACL
• Overview
• Enable SNMP
• Configure SNMP Parameters
• cnMaestro MIB (Management Information Base)
Overview
Currently, cnMaestro On-Premises supports SNMPv2c for basic monitoring data and online/offline traps and is a
cnMaestro X feature.
NOTE:
SNMP uses UDP port 161 for GET requests and UDP port 162 for TRAPs.
Enable SNMP
To enable SNMPv2c, navigate to Administration > Settings > Optional Features and enable SNMP management.
This turns on SNMP functionality within the UI; however, the server itself will not start until the
SNMP Configuration is completed.
NOTE:
SNMP Services will not start until a valid configuration exists.
1. Click Save.
1. Navigate to Services > SNMP Configuration (this tab is only visible if SNMP is enabled)
NOTE:
The user can configure the desired Trap Community string value in the cnMaestro SNMP
configuration page.
4. Enter the SNMPv2c Trap Community string name (maximum limit is 64 characters).
5. Click Save.
NOTE:
If there are thousands of devices in your cnMaestro account, you should set your MIB browser or
snmpget command to use a minimum timeout of 20 minutes.
By default, the following OIDs are supported when SNMPv2 is enabled in cnMaestro On-Premises:
• .1.3.6.1.2.1 (mib-2)
• .1.3.6.1.4.1.2021 (UCD)
• .1.3.6.1.6.3.1.1 (snmpV2 - snmpMIB)
• .1.3.6.1.6.3.1.2 (snmpV2 - snmpMIBConformance)
• .1.3.6.1.4.1.17713.23 (CAMBIUM - cnMaestro)
Overview
cnMaestro On-Premises can act as a proxy server to authenticate RADIUS requests for cnPilot Wi-Fi devices. In
this scenario, cnMaestro acts as Network Access Server (NAS) for the RADIUS server.
In the below scenario, the Access Point sends RADIUS packets to cnMaestro On-Premises, and cnMaestro sends
them to the RADIUS server. cnMaestro can act as a proxy for either authentication or accounting messages.
NOTE:
This feature is not available on the Cloud version of cnMaestro.
Citizen Broadband Radio Service subscription for CBRS-compliant devices in 3.6 GHz band (3550 MHz to 3700
MHz).
NOTE:
User must have an account in cnMaestro Cloud prior to enabling CBRS services in On-Premises.
4. Click I accept the CAMBIUM NETWORKS, LTD. "CBRS" TERMS OF SERVICES/I accept the CBRS Service
payment terms to activate Enable.
5. Click Enable.
6. The Billing Information window pops up; enter the details in the sections below:
Business Contact
• First Name
• Last Name
• Email
• Phone
• Street Address
• Zip Code
• Country
• State
Technical Contact
• First Name
• Last Name
• Email
SAS Portal Contact
438 | Citizen Broadband Radio Service (CBRS) Cambium cnMaestro On-Premises | User Guide
Cambium Networks sets up the SAS portal account on behalf of the operator. Please
select whether you want to use a Business Contact, Technical Contact, or Other.
• Click Save.
• Token
• Status
• Total Devices
• SAS
• Contact Details
• Payment Details
a. Token:
The Token is used for authenticated communication with the SAS through Cambium Domain Proxy. It
is generated automatically once CBRS is enabled for the Cloud account.
b. Status:
• Displays the account status.
1. Account Creation: Once the CBRS account is enabled, it displays the status as Created. Refer to
Step f for entering contact information and enabling account.
2. Payment Method: After adding the Payment Details with verification, displays the status as
Verified. Refer to Step g to add payment method after enabling account.
3. SAS-ID: Once the payment details are verified, the SAS ID is allocated automatically and
displays the status as Allocated.
NOTE
When the SAS ID allocation is pending or unavailable in the server, even after the
payment details are configured and verified, it may take 1 day to get the SAS ID.
4. Effective:
• Grey - Indicates the pending status.
• Green - Indicates success.
• Red - Indicates the account has been deactivated.
c. Total Devices: Displays the count of Total Devices registered with the SAS using the Token ID, and Usage
History provides the list of devices registered with Month and Year.
• Zip Code/Postal Code - Enter the valid zip/postal code.
• State - Select the state from the drop-down.
• Country - Select the country from the drop-down.
Technical Contact
Cambium Networks communicates with the Technical Contact for all technical aspects of the CBRS
Service, such as software updates, publication of release notes, learning guides, technical issues,
etc.
• First Name - Enter the authorized prime technical contact's first name.
• Last Name - Enter the authorized prime technical contact's last name.
• Email - Enter the authorized prime technical contact's email address.
Cambium Networks sets up the SAS portal account on behalf of the operator. Please select whether
you want us to use the Business Contact, Technical Contact, or Other.
• Click Update.
NOTE
Once you click update, the Account Page will be overwritten by the current entries.
g. Payment Details
Select one of the payment methods below:
• Add Card Details
• Add ACH Payment Method
• Checking
• Saving
• Business Checking
• Click submit.
1. On successful activation of the CBRS service in the Cloud Anchor account, cnMaestro generates a Token.
2. Onboard the On-Premises to Anchor account.
3. User can Sync the CBRS token from On-premises or Anchor account
a. In On-Premises CBRS accounts page click Sync From Cloud to synchronize the CBRS token
b. Navigate to the Anchor account > Manage Instances > On-Premises Instances and click sync Now on CBRS
sync status
4. Select HTTP Proxy mode for SAS communication (refer to CBRS HTTP Proxy Configuration Options).
5. Click Save token. CBRS service will be enabled.
6. Click Domain Proxy Test to test Domain Proxy connectivity. If the test is successful, it will display the following
message:
Once On-Premises is connected to the Anchor account and the link is established between the Anchor account and
cnMaestro On-Premises, the user can synchronize the CBRS details (Token, SAS ID) to the cnMaestro On-Premises
instance to register CBRS devices.
• If the user synchronizes with the same SAS ID but a different CBRS token, the synchronization pushes the
new token to the existing CBRS devices without any heartbeat loss or deregistration of devices.
• If the user tries to synchronize through Cloud with a different SAS ID and CBRS token, an error is displayed stating that the
devices should be deregistered from On-Premises and the token needs to be pushed.
No HTTP Proxy
NOTE:
The On-Premises server and CBRS devices must have Internet access to communicate directly to
the Cambium Domain Proxy.
Warning:
Cambium recommends using External HTTP Proxy for a highly available deployment, because
cnMaestro software updates may take a few minutes to complete, during which time
communication with SAS through the Domain Proxy will be affected.
• CBRS-compliant devices communicate with the Cambium Domain Proxy through the local cnMaestro
On-Premises HTTP Proxy.
NOTE:
cnMaestro On-Premises must have Internet access.
CBRS-compliant devices can communicate with the Cambium Domain Proxy through an External HTTP Proxy such
as HA Proxy. Cambium recommends configuring High Availability on the HTTP Proxy.
NOTE
The External HTTP Proxy method is preferred, because upgrades to cnMaestro could result in proxy
downtime and lost CBRS connectivity.
• Configure the external HTTP Proxy to access the SAS Server through the Domain Proxy.
• Set the External HTTP Proxy as http://proxy-ip:port number.
Example: http://11.110.0.101:9090
For more details, refer to Using a Domain Proxy for CBRS connectivity.
Management Tool
The Management Tool helps run the CBRS procedure before physically connecting CBRS-compliant devices to the
network. The following Cambium CBRS-compliant devices operate in the 3.6 GHz band, ranging from 3550
to 3700 MHz:
NOTE
cnMaestro release 3.0.2 supports CBRS Multi-Grant feature. PMP devices require release 20.2
software to support Multi-Grant feature.
The CBRS procedure can be started and managed by an authorized CPI (Certified Professional Installer). CPIs are
required to enter necessary credentials to run and modify the CBRS parameters.
Generate Report
The Generate Report allows the user to download multiple device reports in a .CSV format.
Relinquish Grant
The Relinquish Grant relinquishes all grants of the selected sector. This moves the devices to the Registered state. The
device will start the Multi-Grant procedure if the Multi-Grant feature is enabled on the device.
NOTE
• Relinquish Grant can be performed only for the Config_Synced devices which are running in
Single Grant.
• PMP devices should be upgraded to release 20.2, which supports the Multi-Grant feature.
Add AP/BHM
1. Navigate to Services > CBRS > Management Tools and click Add AP/BHM/RRH.
2. Enter all parameters under the following categories when the user selects the Mode as AP/BHM:
• Common Parameters: Device Name, Mode, Device Type, MAC Address, and MSN.
• Location Related Parameters: Latitude, Longitude, Height and Height Type, Horizontal Accuracy and Vertical
Accuracy.
• Antenna Related Parameters: External Antenna Gain, Beamwidth, Azimuth and Down Tilt.
• Co-Existence Related Parameters: Sector ID and Spectrum Reuse ID.
• Add CPI Certificate: Certificate File, File Password, CPIR Name.
• Click Add to add a sector.
NOTE:
Refer to CBRS Device Parameters for additional details.
Add RRH
1. Navigate to Services > CBRS > Management Tools and click Add AP/BHM/RRH.
2. Enter all parameters under the following categories when the user selects the Mode as RRH:
• Common Parameters: Device Name, Mode, Device Type, MAC Address, and MSN.
• Location Related Parameters: Latitude, Longitude, Height and Height Type, Horizontal Accuracy and Vertical
Accuracy.
• Antenna Related Parameters: External Antenna Gain, Beamwidth, Azimuth and Down Tilt.
• ECGI Related Parameters: PLMN ID, ECI (eNode ID + PCI) and ECGI.
• Co-Existence Related Parameters: Sector ID and Spectrum Reuse ID.
• Add CPI Certificate: Certificate File, File Password, CPIR Name.
Import Sector
To import a sector:
1. Navigate to Services > CBRS > Management Tool and click Import Sector.
2. Click Download Template if user does not have Import Sector template. Users can download two different
template formats: PMP Excel or PMP ODS.
3. Click Import Excel to select the Import Sector template file. The file must be in Microsoft Excel (.xlsx) or
OpenDocument Spreadsheet (.ods) format.
4. Enter CPI credentials:
a. Upload CPI Certificate File by clicking Import Certificate.
b. Enter CPI File Password.
c. Enter CPI Registered Name.
5. Click Import once the file is selected.
6. Import status is displayed as Success, Info, and Invalid.
8. If the device is already claimed, it can be onboarded by clicking the onboard link.
NOTE:
Refer to the CBRS State Diagram for additional details.
3. Enter text in search box to display filtered records.
NOTE:
• If an AP device is entered in the search option, it displays both AP devices and the related SM
device.
• If an SM device is entered in the search option, it displays only the SM devices.
Sector View
1. Click a sector from the Sector AP column to get the list of devices.
• An SM can be added to the sector by manually entering all parameters using the Add SM button or by uploading a file
containing SM details using the Import SMs button.
• The Action column can be used to edit or delete any device in the sector. The Edit and Delete buttons are available depending on the
device state. Refer to Edit Device and Delete Device for more details.
• Use the following buttons to control CBRS procedure:
• Once the sector is authorized (enters the AUTHORIZED state), button transfers grant details from
Management Tool to real devices.
Add SM/BHS
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Add SM/BHS button to add SM in a sector.
3. Enter all parameters under following categories:
a. Common: Device Name, Device Type, MAC Address, and MSN.
b. Location: Latitude, Longitude, Height and Height Type, Horizontal Accuracy and Vertical Accuracy.
c. Antenna Parameters: Integrated Antenna Gain, External Antenna Gain, Beam width, Azimuth and Down Tilt.
d. Add Certificate: Certificate File, File Password and CPIR Name.
4. Click Add to add an SM.
Import SMs
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Import SMs button to import SMs in a sector.
3. Enable the Re-Import Devices to overwrite the previous imported data and deregister all existing devices.
4. Click Download Template if user does not have Import Sector template. Users can download two different
template formats: PMP Excel or PMP ODS.
5. Click Import Excel to select the Import Sector template file. The file must be in Microsoft Excel (.xlsx) or
OpenDocument Spreadsheet (.ods) format.
6. Enter CPI Credentials:
• Upload CPI Certificate File by clicking Import Certificate button.
• Enter CPI File Password.
• Enter CPI Registered Name.
7. Click Import button once the file is selected.
8. Import status is displayed under Success, Info and Invalid sections.
10. If the device is already claimed, it can be onboarded by clicking onboard link.
11. Once the user clicks Import, a job will be scheduled and updated once complete.
Export Sector
1. Navigate to Services > CBRS > Management Tool and then select a sector.
2. Click Export button to export the sector and pop-up a window as xlsx.
3. Once the user clicks as xlsx, a job will be scheduled and will update once complete.
4. The Requested EIRP column of the exported spreadsheet is the most recent configuration value known to the
tool, not the most recent value updated from the device via the LIVE status feature, even though the tool
displays the updated value from the device on the GUI. Take, for example, an operator who originally loaded a
spreadsheet into the tool with an AP requested EIRP of 35 dBm. The operator pushes that configuration/grant
to the device, but weeks later they decide to relinquish that grant and request for a new grant for 37 EIRP. Let's
assume the relinquish and new grant request was done directly on the AP.
5. The AP would live update cnMaestro with the new EIRP value of 37, which would be displayed on the CBRS
Management Tool UI. However, an export from the tool would populate the newly created spreadsheet with the
tool database value of 35 EIRP.
6. Once the Job status is Completed, click Download to download the Sector xlsx.
NOTE:
The Download button is enabled only for two hours from the time the export job status is completed.
After two hours, the user needs to schedule the export job again to download the latest xlsx file.
7. The user can use the downloaded .xlsx file for importing into the sector. To import, save the file as shown in the
below figure.
Edit Device
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Stop button if the CBRS procedure is running.
3. Click Edit button to edit device parameters.
4. Enter CPI credentials:
• Upload CPI Certificate File by clicking Import Certificate button.
• Enter CPI File Password.
• Enter CPI Registered Name.
5. Click Save.
Delete Device
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Stop button if the CBRS procedure is running (the CBRS procedure is running if the START procedure
described below has been invoked, and if all devices in AUTHORIZED state).
3. Deleting SM:
• Select SM to de-register if it is not in UNREGISTERED state (refer to CBRS State Diagram).
4. Once the SM is selected, click Delete to display All or Selected. Click Selected.
• All - Delete the complete registered SM devices.
• Selected - Delete the selected device.
6. Once the user clicks Yes, a job will be scheduled and update once complete.
7. Deleting an AP:
• All SMs of the sector must be deregistered before deleting an AP. Refer to Deregistration procedure to
deregister all SM devices.
• Select AP of the sector to delete. Start CBRS procedure.
• Click Delete.
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Start to start CBRS procedure of a sector.
3. Once the user clicks Start, the Spectrum Inquiry window pops up.
NOTE:
Multi-Grant is enabled by default.
4. User can disable the Multi-Grant feature by disabling the checkbox This feature will enable multi grant on the
tool to create Wide-Grant. To create Multiple Grant, refer to Multiple Grant.
5. Click Edit to edit Co-Existence Configuration and EIRP Computation.
• Spectrum Reuse ID Statistics displays the devices running on different sector, channels, and
bandwidth based on the Spectrum Reuse ID.
NOTE:
• If the device is already synced with the Management Tool, the CBRS Start and Stop procedures
are not applicable for all the synced devices.
• If user does not see the Start button, it means the CBRS procedure is already running.
• If all devices of the sector are in AUTHORIZED or HALT status and the user tries to start the
CBRS procedure, the Start button will go to Stop state (as CBRS procedure is completed for all
devices).
Multi-Grant
The Multi-Grant feature divides the selected channel bandwidth into multiple 10 MHz channels. If the selected channel
bandwidth is 5 MHz, or the low or high frequency contains a 5 MHz raster, the slice is a 5 MHz channel. Each slice
initiates a separate Grant procedure and its status is updated accordingly.
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Start to start CBRS procedure of a sector.
3. Once the user clicks Start, the Spectrum Inquiry window pops up.
NOTE:
Multi-Grant is enabled by default.
NOTE:
SAS may take up to 7 to 8 hours to fully process the Co-Existence parameters.
Once the sector is created, the Multiple Grants are displayed as shown below:
To view the Grant Status, click the info icon; the status is displayed as shown below:
Relinquish Grant
The Relinquish Grant relinquishes all grants of the selected sector. This moves the devices to the Registered state. The
device will start the Multi-Grant procedure if the Multi-Grant feature is enabled on the device.
1. Navigate to Services > CBRS > Management Tool and select a sector with Single Grant.
2. Once the SM is selected, click Relinquish Grant to display All or Selected. Click Selected.
• Selected - Relinquish the selected device.
NOTE:
Live update information may take up to several minutes to reflect the changed
relinquish status.
Once the user clicks Yes, Wider Grant gets converted to the Multiple Grants as shown below:
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Stop button to stop CBRS procedure of a sector.
NOTE:
• If the device is already synced with the Management Tool, the CBRS Start and Stop procedures
are not applicable to the synced devices.
• If user does not see the Stop button, it means the CBRS procedure is already in stopped state,
Start and Stop are toggles.
• If all devices of the sector are in AUTHORIZED state, the CBRS procedure will automatically stop.
Reinitialize CBRS Procedure
The Reinitialize button allows the user to start the CBRS procedure for a sector and reinitialize selected devices
(Reinitialize = Start of sector + Reinitialization of user selected devices). At least one device must be selected in
order to enable Reinitialize button. On click of Reinitialize the selected devices are reinitialized to UNREGISTERED
(irrespective of previous CBRS state).
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Stop if the CBRS procedure is already running.
3. Select one or more devices to be reinitialized.
NOTE:
You might notice some delay in enabling Reinitialize button after pressing Stop button. It is due to a
delay in properly stopping the CBRS procedure.
NOTE:
• Synced devices cannot be reinitialized.
• Reinitialize modifies or corrects the parameters. For example, if a device is in HALT state due to a
parameter error, the user can stop the CBRS procedure and reinitialize the device after modifying
device parameters.
Deregistration
The deregistration procedure allows the user to deregister devices from the Domain Proxy.
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Stop if the CBRS procedure is already running.
3. Select one or more devices which need to be deregistered.
4. Click Deregister to deregister selected devices.
5. Once the user clicks Deregister, a job will be scheduled and updated once complete.
Spectrum Inquiry
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Spectrum Inquiry button.
3. Spectrum Inquiry status button is enabled once the device is registered (REGISTERED state) to the SAS.
• If the selected SAS is not Google, EIRP is unsupported, and Spectrum Inquiry is displayed as shown below:
• If the selected SAS is Google, EIRP is supported. Spectrum Inquiry is displayed as shown below:
• Unregistered
• Registered
• Registering
• Grant
• Grant Suspended
• Grant Terminate
• Relinquished Spectrum
• Relinquishing Spectrum
• Authorized
• Deregistering
• Unknown
Management Tool Sync
The Sync procedure allows the user to transfer grant information from the Management Tool to a real device. The
Sync action can only be performed on an AP or BHM. The SM and BHS are synced automatically when they come
online. Once the AP/BHM/SM/BHS are synced, no further action is taken from Management Tool.
1. Navigate to Services > CBRS > Management Tool and select a sector.
2. Click Sync to perform the synchronization procedure.
3. Click Yes to enable CBRS on AP/BHM after successful sync or click No to cancel synchronization procedure.
Once Yes is clicked, the Management Tool checks the accessibility of AP/BHM and proceeds with sync.
NOTE:
• AP or BHM requires manual Sync whereas SM or BHS does not require manual Sync. The latter
two are synced automatically.
• Once the device is synced, it cannot be administered by the Management Tool.
• The Sync procedure copies CBRS parameters to the device and enables CBRS to transmit with
configured parameters.
NOTE:
GRANT_SUSPENDED is a temporary suspend state where HEARTBEAT messages are sent for an
extended period prior to getting AUTHORIZED.
• Authorized
• Deregistered
• Deregistering
• Deregistration Failed
• Granted
• Grant Failed
• Grant Suspended
• Grant Wait
• Halt
• Heartbeat
• Heartbeat Failed
• Others
• Registration Failed
• Registered
• Registering
• Relinquished Spectrum
• Relinquishing Spectrum
• Relinquishing
• Unknown
• Unregistered
Category | Parameter | Details
Common | Device Name | Name given to the device on SAS Admin (max 120 characters). This is to identify the device on SAS Admin; it does not get copied to the device via sync.
Common | User ID | Unique identifier assigned by the SAS. The User ID is part of the registration request message. A wrong User ID leads to REGISTRATION_FAILED.
 | Horizontal Accuracy | A positive number in meters to indicate the accuracy of the device antenna horizontal location.
 | Vertical Accuracy | A positive number in meters to indicate the accuracy of the device antenna vertical location.
Co-Existence Related Parameters | Sector ID | Defaults to the AP MAC address; the default MAC address can be edited.
Co-Existence Related Parameters | Spectrum Reuse ID | The Spectrum Reuse ID defined in the network.
ECGI Related Parameters | ECGI | Enter both the PLMN ID and ECI parameters; the calculated value is displayed in the ECGI field.
ECGI Related Parameters | ECI | E-UTRAN Cell Identifier. It is 28 bits long and contains the eNodeB-ID.
Antenna Parameters | Azimuth (degrees) | Boresight direction of the horizontal plane of the antenna in degrees with respect to True North.
Antenna Parameters | Beamwidth (degree) | 3-dB antenna beam width of the antenna in the horizontal-plane in degrees.
Using a HTTP Proxy Server for CBRS Connectivity
Proxy Suggestions for CBRS Connectivity
We do not recommend using cnMaestro On-Premises as an HTTP Proxy for CBRS connectivity. Normally,
upgrades to cnMaestro that result in a small amount of downtime do not impact network devices under
management. In the case of CBRS, however, even a brief outage of the proxy during an upgrade will result in a network outage.
## WARNING:
## While this config may work for your use case,
## we encourage you to follow your own best practices and modify this file for your network.
## Tested on squid version 4.10
## This localnet ACL is not useful unless you want to use this proxy for anything other than
## a cbrs proxy.
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
## This cbrs ACL limits connections to sas.cbrs.cambiumnetworks.com only.
acl cbrs dstdomain sas.cbrs.cambiumnetworks.com
## Updates require access to destinations under cloud.cambiumnetworks.com
## This is a separate ACL for readability, but can be combined with the cbrs ACL if
## preferred.
acl cloud dstdomain .cloud.cambiumnetworks.com
## This group blocks http CONNECT to non-standard https ports
acl SSL_Ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_Ports
## Allow access only to the sas and cloud acls. Add your own ACLs here if needed
http_access allow CONNECT cbrs
http_access allow CONNECT cloud
http_access deny all
## We don't need any cache for proxying cbrs traffic
cache deny all
## Port config, change this to suit your requirements
http_port 3128
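To check what the allow-list above actually lets through before deploying it, the following added Python example (not part of the Cambium guide and not Squid's own parser) models how Squid evaluates http_access: rules are tried in file order, every ACL named on a line must match, and the first matching line decides. It understands only the directive types used in this config (dstdomain, port, method and the built-in all); the function names and the hostname updates.cloud.cambiumnetworks.com are constructed for the illustration.

```python
# Active (non-comment) lines of the configuration shown above.
CONF = """\
acl cbrs dstdomain sas.cbrs.cambiumnetworks.com
acl cloud dstdomain .cloud.cambiumnetworks.com
acl SSL_Ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_Ports
http_access allow CONNECT cbrs
http_access allow CONNECT cloud
http_access deny all
cache deny all
http_port 3128
"""


def parse(conf):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments
        if len(words) >= 4 and words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            # Repeated 'acl NAME ...' lines add values to the same ACL (OR).
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, method, host, port):
    """True if the request matches the named ACL."""
    if name == "all":                              # built-in ACL
        return True
    kind, values = acls[name]
    if kind == "method":
        return method.upper() in (v.upper() for v in values)
    if kind == "port":
        return str(port) in values                 # single ports only, no ranges
    if kind == "dstdomain":
        host = host.lower()
        for value in (v.lower() for v in values):
            if value.startswith("."):
                # Leading dot: the domain itself and every subdomain.
                if host == value[1:] or host.endswith(value):
                    return True
            elif host == value:
                # No leading dot: exact host name only.
                return True
        return False
    raise ValueError(f"unsupported acl type: {kind}")


def decide(conf, method, host, port):
    """Return 'allow' or 'deny' for one proxy request."""
    acls, rules = parse(conf)
    for action, names in rules:
        # A '!' prefix negates the ACL; all ACLs on the line are ANDed.
        if all(acl_matches(acls, n.lstrip("!"), method, host, port) != n.startswith("!")
               for n in names):
            return action
    if not rules:
        return "deny"
    # No line matched: Squid applies the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    for request in [("CONNECT", "sas.cbrs.cambiumnetworks.com", 443),
                    ("CONNECT", "sas.cbrs.cambiumnetworks.com", 8443),
                    ("GET", "sas.cbrs.cambiumnetworks.com", 80),
                    ("CONNECT", "updates.cloud.cambiumnetworks.com", 443),
                    ("CONNECT", "example.org", 443)]:
        print(request, "->", decide(CONF, *request))
```

The results show two properties worth preserving when the file is modified: plain HTTP requests are refused even to the SAS host because only CONNECT is allowed, and the cbrs ACL (no leading dot) does not extend to subdomains while the cloud ACL does.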
LTE
cnMaestro supports LTE as part of its On-Premises deployment. LTE allows customers to onboard the SM with IMSI
into cnMaestro.
System access in cnRanger is dependent on installation of SIM credentials on every BBU in the operator network.
To ease the operations aspects of SIM card management, cnMaestro provides utilities for claiming, managing, and
distributing Cambium Networks cnRanger SIM card credentials (3rd party SIM cards are not currently supported on
cnRanger).
Note:
The user can download the .CSV file from the Cloud account once the Serial Number is validated from
the cnMaestro Cloud database.
• User Management
• Server Management
• Syslog
• Webhooks
• Audit Logs
User Management
• Authentication
• Local Users
• Authentication Servers
• Session Management
Authentication
cnMaestro On-Premises supports a Primary mode of authentication and an optional Secondary mode. If the Primary
mode is Local Users (users specified in cnMaestro in the Users tab), no Secondary mode is available. If the Primary
mode is an Authentication Server, then the Secondary mode will be set to Users and cannot be changed.
Local Users
To add Local Users, navigate to Administration > Users.
Role-Based Access
Each user is assigned a Role that defines their authorization. On successful authentication, every request from this
user is processed in light of their Role.
NOTE:
• cnMaestro On-Premises allows the user to limit the number of concurrent sessions for each Role and display current active user sessions.
• CPI role is authorized only when the CBRS is enabled.
Role-Mappings
The table below defines how Roles are authorized to access specific features.
Application Operations: Application-level operations such as create, update, and delete operations for Networks and Towers/Sites, and bulk device configuration.
• Super Administrator - All
• Administrator - All
• Operator - None
• Monitor - None
• CPI - None
Device Operations: Device operations such as reboot device, link test, connectivity test, technical support file download, and Wi-Fi performance test.
• Super Administrator - All
• Administrator - All
• Operator - All
• Monitor - None (except Wi-Fi Performance test which is supported in On-Premises only)
• CPI - None (except Wi-Fi Performance test which is supported in On-Premises only)
Global Configuration: The ability to create and apply configuration for global features such as Templates, WLANs, AP Groups, auto-provisioning, and bulk sync configuration.
• Super Administrator - All
• Administrator - All
• Operator - View
• Monitor - None
• CPI - None
Managed Service Provider (MSP): MSP operations such as modification of branded service, managed account and user invitations.
• Super Administrator - All
• Administrator - View
• Operator - None
• Monitor - None
• CPI - None
• Operator - All
• Monitor - All
• CPI - All
System Operations: System operations such as Reboot VM, change log level, system upgrade, system monitoring, uploading SSL certificate, import/export server data and server tech dump, and upload/delete device software images.
• Super Administrator - All
• Administrator - All
• Operator - None
• Monitor - None
• CPI - None
User Management: User management operations such as manage users and roles.
• Super Administrator - All
• Administrator - View
• Operator - None
• Monitor - None
• CPI - None
7. Select a role for the user from the Role drop-down:
• Super Administrator
• Administrator
• Operator
• Monitor
• CPI
To edit or delete a user, click the Edit icon or the Delete icon against the user in the Administration > Users page.
Changing Password
The Change Password option is available only for local users.
Ensure that the primary Authentication is Local Users in order to use the Change Password option. After the password is changed, the current session is logged out.
Also, ensure that there are no parallel sessions with the same user before using the Change Password option.
To change password:
Authentication Servers
cnMaestro supports authentication and authorization with TACACS+, RADIUS, LDAP, and Active Directory servers,
and is a cnMaestro X feature.
Authentication Server
Authentication Servers can be configured by cnMaestro Super Administrators. The following operations are
available:
TACACS+
The fields that are present when TACACS+ server is selected are listed below:
Server Settings
IP Address/Host Enter the FQDN (Fully Qualified Domain Name) of the server or the IP address of the
name server.
Shared Secret Shared secret key for communicating with the server.
Service Name Name defined in the service configuration table configured by TACACS+ server
administrator. This is used to configure service and corresponding user groups.
Role Mappings TACACS+ user groups should be mapped to one or more cnMaestro Roles. Refer to the
Role-Based Access section to view the supported Roles on cnMaestro.
Enter the role strings that are configured in the TACACS+ server. At least one
mapping must be completed for this feature to work correctly.
NOTE:
TACACS+ server administrator should setup the service name and corresponding user group as per
the configuration.
RADIUS
The fields present when RADIUS is selected are listed below:
Server Settings
IP Address/Hostname Enter the FQDN (Fully Qualified Domain Name) of the server or the IP address
of the server.
Shared Secret Shared secret key for communicating with the server.
Role Mappings RADIUS user groups should be mapped to one or more cnMaestro Roles. Refer to
the Role-Based Access section to view cnMaestro supported Roles.
Enter the role strings that are configured in the Active Directory server. At least
one mapping must be completed for this feature to work correctly.
NOTE:
The RADIUS administrator should setup user group as per configuration. The RADIUS administrator
can choose a user group and the same should be configured on cnMaestro Authentication server
configuration.
Active Directory
The fields present when Active Directory is selected are listed below:
Server Settings
Port TCP port of the server. (default 389). When SSL/TLS option is enabled, the port
will automatically change to 636.
SSL/TLS Select this check box if Active Directory connection should be secured over SSL/
TLS as LDAPS. Browse and select the Root certificate of the Active Directory
server in .PEM format.
Role Mappings Active Directory user groups should be mapped to one or more cnMaestro Roles.
Refer to the Role-Based Access section to view cnMaestro supported Roles.
Enter the role strings that are configured in the Active Directory server. At least
one mapping must be completed in order for this feature to work correctly.
Examples:
CN=super-admin
CN=admin
CN=network
CN=operator
NOTE:
If Role is not configured in TACACS+/RADIUS server or group is not configured in Active Directory,
you cannot login to cnMaestro.
NOTE:
A user with valid credentials will not be able to log in if:
1. The mapping from a cnMaestro role to the Authentication server's user group is missing in the Authentication server configuration.
2. The user group of the user is not configured in the Authentication server; it is a required field for cnMaestro login.
LDAP
The fields present when LDAP is selected are listed below:
Server Settings
Base DN Base DN is generally the Admin DN used to log in to LDAP server. For example:
cn=admin,dc=xyz,dc=com.
IP Address/Hostname Provide IP address for LDAP and hostname of server if SSL/TLS is enabled.
LDAP Password LDAP Password is the admin password used by Admin DN to log in.
Port TCP port of the server. (Default for LDAP is 389 and for LDAPs is 636)
Suffix Suffix is the DNS name. For example: dc= xyz, dc=com.
SSL/TLS Security Select this check box if the LDAP connection should be secured over SSL/TLS as
LDAPS. Browse and select the Root certificate of the Active Directory server in
.PEM format.
Note:
• If you enable the SSL/TLS Security check box, the default port will appear as 636 in the Port text box.
• If you disable the SSL/TLS Security check box, the default port will appear as 389 in the Port text box.
Role Mappings RADIUS user groups should be mapped to one or more cnMaestro Roles. Refer to
the Role-Based Access section to view cnMaestro supported Roles.
Enter the role strings that are configured in the Active Directory server. At least
one mapping must be completed for this feature to work correctly.
NOTE:
The same authentication server is not offered for both modes. For example, if Test-TAC-IP is selected as primary, it cannot also be selected as secondary authentication.
Tertiary authentication always defaults to local users. Local users can log in only when the primary and secondary
servers are not reachable or when the services are not running on the authentication server. If the primary server is not
reachable, fallback happens to the secondary authentication server. If the secondary authentication server is not
reachable, fallback happens to tertiary authentication. If the primary authentication server is running properly, only
users belonging to the primary authentication server can log in. If the secondary authentication server is
running properly, only users belonging to the secondary authentication server can log in.
Refer to the Create New Authentication Server Configuration section for an explanation of the fields on the Edit page.
2. Click delete.
Primary authentication order will change as Local Authentication if this server is setup as Primary Authentication
under Manage Authentication Server Authentication section.
2. Click the test icon ( ) next to any of the Active Directory type. The following window appears:
2. Click the test icon ( ) next to any of the LDAP type. The following window appears:
1. Enter Active Directory User ID. The User ID should be a valid string (Eg: user@example.com).
2. Enter Active Directory password.
3. Enter Account to Verify.
For searching the group of the user, the User ID should follow the user@example.com format.
Session Management
View and optionally log out current cnMaestro administrator sessions. Users with the Super Administrator Role can
log out all other users' sessions, and users with the Administrator Role can log out Operator and Monitor accounts.
Sessions
Displays the detailed information on the user sessions.
• Monitoring
• Settings
• Operations
• SSL Certificate
• Syslog
Monitoring
The Server tab provides monitoring and operations for the virtual machine instance.
Settings
This section provides the following details:
• Basic
• Configure NTP Server
• Configure Email Server
• Login Security Banner
Basic
The user can enter the System Name and enable the SSH access to cnMaestro server.
NOTE:
In High Availability (HA) enabled environment, it enables SSH access only to the primary server.
NOTE:
When user tries to disable SMTP configuration a warning message pops-up.
NOTE:
Email Subscribers are limited to two per account.
• Critical
• Major
• Minor
The content of the email alert is in JSON or HTML format. The subscriber gets an email alert only when the global
setting is enabled.
To receive email notifications, the user needs to enable the Notification checkbox. If SMTP settings are disabled, then
the below notification message does not pop up.
You can use the filter option for the following fields:
• Email
• Severity
You can use the sorting option for the following fields:
• Content Type
• Last Modified Date
NOTE:
Managed Account option will appear only if MSP feature is enabled.
All alarms of chosen severity and above are sent through email as explained below:
To enable :
Operations
This section provides the following details:
Warning:
All devices go offline when the virtual device is rebooted.
OVA Image
The OVA image contains all software needed to run the cnMaestro application. It is installed on a virtual machine
and is released intermittently to update system software. Moving to a new OVA image requires an in-system upgrade
of the current OVA (no import and export of data is required after the 2.0 release). The OVA is approximately 3.0
GB in size.
Package Upgrade
The package file is installed on top of an OVA image and updates the cnMaestro application. Packages are released
more frequently and provide a faster upgrade path for enhancements. Packages can be installed by downloading
them from Cambium and uploading them through the UI (at Administration > Server > Operations).
NOTE:
1. The general update flow will be an OVA file followed by package releases. For significant
system-level updates, a new OVA file will be generated.
2. Refer to Cloud connectivity page for download of software from cnMaestro Cloud.
System Backup
Cambium recommends customers periodically back up their system as a precautionary measure. To back up,
navigate to Server > Operations > System Backup and Restore. Backups can be done manually, in real-time, or
scheduled to execute daily or weekly. cnMaestro can also automatically transfer backup files off-box using FTP or
SFTP (this support is configured under Settings > Optional Features > Scheduled Jobs).
A System Backup stores the entire state of cnMaestro On-Premises as a file. This file can be downloaded to the local
hard drive through the UI and imported into a new cnMaestro instance to recreate the application state. Only one
System Backup is available at any time, and a later entry overwrites an earlier one.
Generate Backup
NOTE:
From 3.0.0 release, backup generated by on-premise instance will have only current month data. It
is suggested to take backup at the last day of the month if needed. Please refer to Data Backup for
more info.
The user can create a system backup through a system backup job at Administration > Server > System Backup and
Restore. The created backup file can be downloaded to the user's local machine for archiving.
1. Navigate to Administration > Server > Operations > System Backup and Restore.
You can download the last backup file using the download icon in the table. The file transfer configuration is defined
at Administration > Settings > Optional Features > Scheduled Jobs and it is shared with Reports. If FTP is enabled,
then a copy of each backup file will be stored in the configured FTP/SFTP server. The FTP column table displays the
status of the upload to the FTP/SFTP server.
NOTE:
Only the latest backup is retained in the disk and available to download. The old backup is deleted
once the new backup is generated.
Click View System Backup Jobs link in Operations > System Backup and Restore or navigate to Administration >
Jobs > System Backups.
Restore Backup
The user can now restore the downloaded system backup file to the new cnMaestro instance to recreate the
application state under Manage > Server > Operations > System Backup and Restore.
To restore backup files, select the file from Restore From Backup option and click Restore.
Data migration to 3.0.4 from lower version takes some amount of time depending upon the size of backup file.
During migration, the below banner is displayed:
NOTE:
• The indexing will happen whenever the user navigates to different UI pages. For example, when the user navigates to WLAN-AP group page, the respective indexing will be created and the banner will be displayed in the top of the UI.
• Database indexing pauses during the database migration and emails once indexing the webhooks.
• Do not Import data or Export data when the Migration banner is running.
Software Update
The basic UI allows the user to upload a new OVA, and install it. This process is used for both standalone and HA
installations. The Software Upgrade can be done through OVA or package.
Package Upgrade
1. Navigate to Administration > Server > Operations > Software Update.
2. Click Package.
3. Browse and select the cnmaestro-package_2.5.0.tar.gz file.
4. Click Apply Update.
OVA Upgrade
NOTE:
Ensure to have minimum of 1 GB free RAM in the cnMaestro On-Premises server for the OVA to
upgrade successfully.
1. Click OVA.
2. Select the “cnmaestro-on-premises_3.0.0-b30_amd64.ova” file.
3. Click Upload OVA. After upload it will progress with Staging.
In the CLI, it can be verified by executing the command sudo /srv/bin/cnmaestro-image status
If you are unable to apply the upgrade OVA using the UI, there is a command line mechanism that can be used as a
failsafe. See Appendix > Maintenance > Command Line Alternatives > Apply OVA Upgrade for more details.
Diagnostics
This section provides the following details:
Logging Severity
Change the severity level of the messages logged by the cnMaestro system. These messages are not accessible
directly, but can be downloaded as part of the Technical Support Dump. The Log Level Severity can be changed at
runtime and it does not require reboot of server to take effect.
Services
Real time display of the status of critical cnMaestro services.
Network Tools
The Network Tools page consolidates a number of operations that can be performed on cnMaestro On-Premises.
The operations are listed below:
DNS Lookup Lists the DNS records for a domain in priority order.
Traceroute Lists the hosts or IP addresses showing the route of the test packets starting from the
selected monitoring location to the destination Domain or IP.
SSL Certificate
cnMaestro On-Premises generates a self-signed certificate when it boots the first time. Because the root CA is not
present in standard browsers, cnMaestro users (administrators or Captive Portal customers) receive an SSL error
message as shown below:
Certificate Management
To fix the browser error, cnMaestro needs to host a certificate from a trusted certificate authority, and map the
FQDN (fully qualified domain name) used to access cnMaestro. This requires the administrator to export a CSR
(Certificate Signing Request) and import the signed Certificate back into cnMaestro.
• View Certificate
• Generate a Certificate Signing Request (CSR)
• Import a Certificate
• Backup Management
• Reset
View Certificate
To view the certificate details, click View tab.
To generate a CSR:
Common Name Enter FQDN name of the cnMaestro server. This is either the Domain Name or the
IP Address.
Country (C) Select the name of the country from the drop-down list.
4. Click Generate CSR. The user is prompted to save a cnMaestro .csr file to their hard drive. The CSR can then be
sent to a Certificate Authority and signed.
Import a Certificate
Once the CSR has been transferred to the Certificate Authority to create a certificate, it can be imported back into
cnMaestro. cnMaestro validates that the certificate maps correctly to the stored Private Key, and disallows the import
if it does not. Alternatively, if the certificate and key were generated outside cnMaestro, the user can append the
Private Key to the Certificate file in PEM format and upload both. The user can optionally provide a password if the
key was generated with one. This replaces both the Certificate and Key on cnMaestro.
To import a certificate:
When importing a Certificate and Key, a single PEM-encoded file should be submitted with entries in
the following order: Certificate, intermediate certificates, and Key. If the Key is encrypted, a
password should be provided in the textbox on the UI at the time of import.
Backup Management
cnMaestro generates a 4096-bit Private Key when it boots up. This section allows the customer to export this Key and
the current Certificate for backup. These will be exported as a single file, and the Key can optionally be encrypted with a
password. To back up the certificate and the key:
2. Enter the password for the key in the Key Password textbox.
3. Click Backup.
Reset
It replaces the current Private Key and Certificate and recreates them from scratch. The Certificate is self-signed,
and it can be replaced using the Certificate import mechanism detailed above.
• Overview
Overview
cnMaestro On-Premises allows one to add new device software images as they are released by the device teams.
Adding new device software is a manual process: one needs to first download the images from the Cambium
Support Center and then upload them into cnMaestro.
5. Once file is successfully uploaded to the server, it will appear in the grid.
NOTE
cnMaestro uses the name of the uploaded file to determine the version and device type. Please do
not change the file name during the upload or download process.
Add Images
Once the On-Premises server is synced with the cloud, the user can upload the software images from cloud directly
to the On-Premises.
Delete Images
To delete Software Image perform as follows:
1. Navigate to Administration > Server > Software Images > Automatically Update Device Software tab.
2. Select the version file and then click onboarding/Managed Devices.
NOTE:
• Once the auto software update job for managed devices is triggered, it automatically aborts any manually created running/scheduled software update jobs.
• To avoid failures in onboarding devices having the minimum supported version, other than the recommended version, enable the onboarding checkbox.
cnMaestro Webhooks provides real-time streaming for alarms using a push notification model. Webhooks data
is HTTPS posted to an external Web service. They enable the following benefits:
Benefit: Details
Cloud Friendly: Webhooks are a standard mechanism for Cloud alerts and inter-service asynchronous communication.
Firewall Friendly: HTTPS is generally amenable for outgoing and incoming firewall connections.
Security: All communication is over HTTPS, and the target domain is validated. Optional security parameters are available for client authentication.
TCP: Webhooks use TCP instead of UDP, so they can alert when the external system is down, or the event was not received.
Integrations
Webhooks enable integration with external Cloud services, such as Slack, Twilio, Zapier, Datadog, PagerDuty,
etc. They can also be supported using a local HTTPS server and custom applications. Once configured,
cnMaestro streams alarms to these services over HTTPS to the configured URL. Some example services are
provided below:
The Webhooks payload is sent in a JSON or a URL-encoded format, and the parameters are comparable to the
alarm details present in the RESTful API and email notifications. In addition, cnMaestro also provides default and
custom Webhooks templates, so the data format can be tailored to specific services.
Parameter: Description
The Webhooks JSON payload follows the same format as the cnMaestro RESTful API, with a few additional Webhook-specific variables/keys.
Basic Authentication: Optionally add HTTPS Basic Authentication to the Webhook POST request. By enabling Basic Authentication, you can configure the username and password associated with your endpoint. The Basic Authentication parameters are Base64 encoded and included in the header of the HTTP request.
Note 1:
The username and password for Basic Authentication are different from cnMaestro user credentials. These credentials are used at your endpoint. A few external integrations, such as Slack, require only the Webhooks URL; Basic Authentication is not required for those integrations.
Note 2:
Filters: You can filter the alarms based on severity such as Minor, Major, or Critical. You can also select multiple severities. Device type allows you to select a particular device from the drop-down.
Managed Account: If cnMaestro is configured for MSP (Managed Service Provider), you can map the Webhooks to a Managed Account.
Note
Name and URL: Webhooks label for display and filtering purposes. This will also be included in the default payload as webhook_name. The URL defines the endpoint for the HTTPS POST request. Only HTTPS is supported.
Note
cnMaestro release 2.4.0 supports only alarms as the type for Webhooks configuration.
For example, Configuration Sync Alarm from e500 Device default payload is as shown below:
{
"ip": "10.110.212.130",
"network": "FR",
"message": "Failed to push configuration to device",
"name": "Configuration Sync",
"severity": "minor",
"source_type": "wifi-enterprise",
"Device Model": "cnPilot e500",
"status": "active",
"time_raised": "2019-07-29T11:36:35+00:00",
"site": "lehavre",
"tower": "",
"duration": "0",
"id": "5d3eda434e222e0a28d14372",
"code": "CONFIG_SYNC",
"mac": "00:04:56:BB:14:4E",
"acknowledged_by": "",
"source": "E500-BB144E-Test-LAB-A",
"managed_account": "",
"webhook_retry_count": "0",
"webhook_timestamp": "2019-07-29T11:36:35+00:00",
"webhook_name": "cnmaestro_webhook"
}
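What a local receiving application could check before acting on this payload, as an added Python example (not Cambium's code): it verifies the optional Basic Authentication header and validates the fields of the default payload shown above. The credentials, the size limit and the (id, status) de-duplication key for retried deliveries are assumptions, and TLS is assumed to be terminated in front of this function.

```python
import base64
import binascii
import hmac
import json
from datetime import datetime

# Assumed endpoint credentials (placeholders). They belong to this endpoint,
# not to any cnMaestro user, and are protected in transit only by HTTPS:
# Base64 in the Authorization header is an encoding, not encryption.
ENDPOINT_USER = "webhook-user"
ENDPOINT_PASSWORD = "change-me-example"

MAX_BODY_BYTES = 64 * 1024          # assumed upper bound for one alarm
SEVERITIES = {"minor", "major", "critical"}
REQUIRED_KEYS = ("id", "code", "severity", "status", "mac", "source",
                 "time_raised", "webhook_name", "webhook_retry_count")

# Default payload example from this page, embedded as the sample request body.
SAMPLE_BODY = json.dumps({
    "ip": "10.110.212.130", "network": "FR",
    "message": "Failed to push configuration to device",
    "name": "Configuration Sync", "severity": "minor",
    "source_type": "wifi-enterprise", "Device Model": "cnPilot e500",
    "status": "active", "time_raised": "2019-07-29T11:36:35+00:00",
    "site": "lehavre", "tower": "", "duration": "0",
    "id": "5d3eda434e222e0a28d14372", "code": "CONFIG_SYNC",
    "mac": "00:04:56:BB:14:4E", "acknowledged_by": "",
    "source": "E500-BB144E-Test-LAB-A", "managed_account": "",
    "webhook_retry_count": "0",
    "webhook_timestamp": "2019-07-29T11:36:35+00:00",
    "webhook_name": "cnmaestro_webhook",
}).encode("utf-8")


def basic_header(user, password):
    """Build the Authorization value a sender produces for Basic Authentication."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic_auth_ok(header_value):
    """Check an Authorization header against the endpoint credentials."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    expected = ("%s:%s" % (ENDPOINT_USER, ENDPOINT_PASSWORD)).encode("utf-8")
    return hmac.compare_digest(supplied, expected)   # constant-time compare


def handle_webhook(headers, body):
    """Validate one POST; return (http_status, alarm_dict_or_error_string)."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not basic_auth_ok(headers.get("authorization", "")):
        return 401, "missing or wrong Basic Authentication"
    if not headers.get("content-type", "").lower().startswith("application/json"):
        return 415, "only the JSON content type is handled here"
    if len(body) > MAX_BODY_BYTES:
        return 413, "body too large"
    try:
        alarm = json.loads(body.decode("utf-8"))
    except ValueError:                      # also covers UnicodeDecodeError
        return 400, "body is not valid UTF-8 JSON"
    if not isinstance(alarm, dict):
        return 400, "payload is not a JSON object"
    bad = [k for k in REQUIRED_KEYS if not isinstance(alarm.get(k), str)]
    if bad:
        return 400, "missing or non-string keys: " + ", ".join(bad)
    if alarm["severity"].lower() not in SEVERITIES:
        return 400, "unexpected severity"
    try:
        retry_count = int(alarm["webhook_retry_count"])
        raised = datetime.fromisoformat(alarm["time_raised"])
    except ValueError:
        return 400, "bad webhook_retry_count or time_raised"
    return 200, {
        # Assumption: a retried delivery repeats the same id and status.
        "dedup_key": (alarm["id"], alarm["status"]),
        "code": alarm["code"], "severity": alarm["severity"].lower(),
        "source": alarm["source"], "mac": alarm["mac"],
        "raised": raised, "retry_count": retry_count,
        "webhook_name": alarm["webhook_name"],
    }


if __name__ == "__main__":
    good = {"Authorization": basic_header(ENDPOINT_USER, ENDPOINT_PASSWORD),
            "Content-Type": "application/json"}
    print(handle_webhook(good, SAMPLE_BODY))
    print(handle_webhook({"Content-Type": "application/json"}, SAMPLE_BODY))
```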
Variable Description
$SITE_NAME Site name (note: value will be blank if the device is not under a Site)
$TOWER_NAME Tower name (note: 'value will be blank if the device is not under a Tower')
Note
If there are multiple Webhooks configured, a retry/error on the one Webhook will not affect the
other. For example, if you have Zapier and Twilio, a retry/error on the Twilio will not affect the
Zapier, any new alarm notification on Twilio will be discarded and a retry will happen only with the
cached payload.
Parameter Description
Managed Account: If the MSP Service is enabled, this is the type of account (e.g. All Accounts, Base Infrastructure, or Managed Account Name).
Delete a Webhook.
Status Check
Click View Details to check the status of message sent last.
View Details displays the response Code, Headers and Body of Webhooks endpoint.
Following is a simple example of configuring Slack integration with cnMaestro Webhooks using a custom Template.
1. On your Slack Screen, click on your workspace name at the top of the left-hand menu and open Administration >
Manage apps.
3. In the Create Slack App screen, enter an app name of your choice and select your Slack Workspace in the drop-
down. Click Create App.
5. From the above screen copy the Webhook URLs, which needs to be used as URL in cnMaestro Webhooks in the
next steps.
NOTE
Learn more about Slack Webhook and expected JSON format at https://api.slack.com/incoming-
webhooks
For this example, we are using the following custom template with variables $DEVICE_IP and $ALARM_SEVERITY
in the formatted message.
{
"text" : "$DEVICE_IP has generated an alarm of severity $ALARM_SEVERITY"
}
8. Once an alarm occurs, the following message appears in the configured Slack channel. Notice the variables have
been replaced with actual values.
Datadog Configuration
Datadog is a service for IT, Operations and Development teams who write and run applications at scale.
Sign up to https://app.datadoghq.com/signup and set up your Datadog agent. The agent can also be set up
outside the cnMaestro UI device.
1. On your Datadog dashboard, navigate to Integrations and open APIs > API keys.
2. In the API keys, create a new API key and enter a name for the API key created.
3. Datadog expects a custom JSON payload, following is a simple Datadog specific payload format using
cnMaestro Webhook variables.
{
"title": "$DEVICE_IP",
"text": "Alarm of severity $ALARM_SEVERITY $ALARM_STATUS",
"priority": "normal",
"tags": ["$WEBHOOK_NAME"],
"alert_type": "warning"
}
Note
6. Once an Alarm occurs, the following message appears in the configured Datadog events. This can be checked in
the Datadog dashboard at Events > My Apps.
Following is a simple example of configuring PagerDuty integration with cnMaestro Webhooks. We can use both
default or custom templates in JSON and x-www-form-urlencoded content types.
https://app.pagerduty.com/
To capture the cnMaestro alarms you need to add a new integration into PagerDuty using a Transformer tool.
https://events.pagerduty.com/integration/<integration_key>/enqueue
Note
7. Once an Alarm occurs, the following message appears in configured service’s incidents. Notice the variables
have been replaced with actual values.
Twilio Configuration
Twilio is a developer platform for communications. Software teams use the Twilio API to add capabilities like voice,
video, and messaging to their applications. Twilio is mainly used as an SMS service provider for websites and apps.
Twilio supports HTTP Basic Authentication. This allows you to protect the URLs on your web server so only you and
Twilio can access them.
To send a cnMaestro alarm as an SMS directly to a phone, we are going to use the Twilio’s API to programmatically
send text messages.
Make a note of the Account SID and Auth Token values on the main twilio.com/user/account page; you need them when
you configure the cnMaestro Webhooks with Basic Authentication username and password.
4. Go to Phone Numbers under All Products and Services in the console to get the phone number or click on the
red plus (+) icon to add a new number and note down the assigned number.
Using the custom payload option in cnMaestro, specify a custom payload adapted to Twilio’s format.
{
"Body": "<message>",
"From": "+<country_code><Twilio_number>",
"To": "+<country_code><destination_number>"
}
For this example, we are using the following custom template with variables $DEVICE_IP and $ALARM_SEVERITY
in the formatted message.
{
"Body": "$DEVICE_IP has generated an alarm of severity $ALARM_SEVERITY",
"From": "+12024100491",
"To": "+91**********"
}
NOTE
7. Once an Alarm occurs in cnMaestro, the following message will be sent to the destination number from the
Twilio number. Notice the variables have been replaced with actual values.
With Zapier you can build Zaps that perform your automation for you. These automations are achieved by mixing a
Trigger with actions available on your favourite apps. Zapier supports hundreds of apps. You can mix and match
triggers and actions to automate.
Following is an example of configuring Zapier integration with cnMaestro Webhooks. For example, you could make
a Zap that would automatically save alarms from cnMaestro Webhooks to a new row on a Microsoft Excel. Zapier
can catch a Webhook POST from cnMaestro, automatically adding the information to a new row in Excel.
https://zapier.com/
3. Choose Webhooks by Zapier and Catch Hook as the trigger app and trigger event.
6. To test the connection, open cnMaestro Webhooks and configure the custom URL given by Zapier; you can then
customize and fill in the Advanced Configuration.
8. Now go back to Zapier and click Find Hook to complete the testing.
10. To check if your action works as expected. Click Send Test to run the action step. The next screen shows
whether Zapier has been able to successfully perform the action step or not.
11. Once an Alarm occurs, the following message appears in the configured Excel sheet. Notice the variables
have been replaced with actual values.
Audit Logs record administration activities through both the Web UI and the RESTful API. Audit Log entries
usually include destination and source addresses, a timestamp and user login information. Users can access
Audit Logs in the Administration > Audit Logs page.
The following table describes the Audit Logs parameters and their descriptions.
Action Displays the action performed by the user (create, delete, download, etc.).
Log Action
An action log contains a set of transactions. Each transaction contains one or more Actions. Each Action has a
name and input parameters. Some Actions have output parameters.
The following Actions will be supported for individual Audit Log entries. Each activity performed in the server is
detailed in this table.
Audit Modules
Auditing activity is mapped to individual modules within cnMaestro. A breakdown of the available modules is listed
below.
operations
security
operations
operations
operations
operations
System provisioning System Services: VM management, change log level, system upgrade,
system monitoring, software images, system settings
operations
security
operations
operations
security
cnMaestro supports Notification Syslog (Event Log) and Audit Syslog. The generated Event Logs and Audit
Logs are sent to the syslog server configured under the Administration > Settings page. Every syslog has a Facility
and a Severity level. A maximum of five entries can be added in Notification syslog and Audit syslog.
Event Type The type of event (Infrastructure, Network, Operation, Security and Wireless). You
can select one or multiple events.
New Facility The type of program logging the message. The allowed facilities are local 0 to local
7.
Severity The initial severity of the generated syslog messages (i.e. Critical, Major, Minor or
Notify).
Event Syslog
Notification messages are filtered based upon Type (which may be slightly different between Events and
Alarms) and Severity.
1. Enter Name.
2. Enter the IP/Host address.
3. Enter the Port number. Port 514 is the default for syslog
4. Select Event Type.
5. Select Severity Type.
6. Select the New Facility from the drop-down list.
Facility Description
7. In the New Severity drop-down, select the type of Severity. Please refer to the below Severity table:
5 Notice Normal but significant conditions. Conditions that are not error conditions
but may require special handling.
7 Debug Debug-level-messages.
Audit Syslog
The Audit Syslog separates messages based upon Audit Type.
1. Enter Name.
2. Enter the IP/Host address.
3. Enter the Port number. The port number 514 is the standard syslog port.
4. Filter by Audit Type.
5. Select New Facility from the drop-down list.
Facility Description
Overview
Cloud Anchor accounts exist alongside Cloud NMS accounts, which enable device management through
cloud.cambiumnetworks.com. Anchor accounts are attached to cnMaestro On-Premises installations and have their
own Cambium ID. In cnMaestro 3.2.0, all On-Premises deployments must be mapped to an Anchor account;
however, prior to that release, their use is optional.
The Anchor account collects statistics and automatically pushes announcements of new device firmware and
cnMaestro software images. cnMaestro On-Premises reports the following details to the Anchor account:
Type Details
Application Software Version, User Types and Count, Account View, Country
Anchor accounts also simplify CBRS provisioning and billing by aggregating multiple On-Premises instances. In
the future, Anchor accounts will be used to manage On-Premises cnMaestro X subscriptions.
You must create an Anchor account before connecting the On-Premises instance, as shown below:
1. Navigate to https://cloud.cambiumnetworks.com.
2. Click Create Account.
Onboarding Key
Once the Anchor Account is created, an Onboarding Key must be set to allow On-Premises instances to
connect.
1. Navigate to the Manage Instances page and edit the Onboarding Key. This key will be entered into the cnMaestro
On-Premises UI to connect to the Anchor Account.
2. Once the On-Premises server onboards, the On-Premises Instances page lists all servers in the account.
Click the instance host name to view the collected information specific to the On-Premises server.
1. Navigate to the Administration > Settings > Cloud Connectivity in the cnMaestro On-Premises UI.
2. Enter the Cambium ID for the Cloud Anchor Account.
3. Enter the Onboarding Key created in the section above.
4. Enable HTTP Proxy if required by setting the IP address or Host Name.
NOTE:
Enable HTTP Proxy only when the On-Premises server needs to connect to the public network through
a proxy.
NOTE:
• During the retry time, it takes 15 minutes to connect the On-Premises server with the Anchor Cloud
account.
• Every 1 hour, the periodic inventory status of the On-Premises server is updated to the Cloud.
Software Images
Once the On-Premises server is synced with the cloud, the user can upload the software images from the cloud
directly to the On-Premises server.
• Maintenance
• Deployments
• Windows DHCP
• Network Port Requirements
• Contacting Cambium Networks
Maintenance
The location of the exported data file is printed when the command completes. It can then be copied to an
external directory using SCP or FTP. From there it can be imported into a different cnMaestro instance.
The data file needs to be copied to the cnMaestro instance prior to executing this command. This can be done
using either SCP or FTP.
The location of the file will be printed when the command completes. It can then be copied to an external directory
using SCP or FTP and then sent to Cambium support personnel.
• View the status of the extraction (wait until it completes and reaches 100%, about 10 minutes).
• Boot into the new image. Use the inactive partition from the status command.
NOTE:
The above steps are only a failsafe for when the UI upgrade is unavailable. They should not be used
for downgrades, which are unsupported.
The upgrade file needs to be copied to the cnMaestro instance prior to executing this command. This can be done
using either SCP or FTP. The update file itself is downloaded from Cambium Networks and only updates the
cnMaestro application.
SSH Access
cnMaestro supports SSH access using the ‘cambium’ user account and password. Enabling this feature is not
recommended because of password security concerns, but it is available if needed.
You can then log into the cnMaestro system using the same ‘cambium’ account used to log in through the Console.
The Windows application PuTTY does not, by default, display the dialog correctly, so the Translation setting
must be changed accordingly.
NOTE:
When accessing the CLI from PuTTY on Windows, you may need to change the Remote Character Set
(Window > Translation in the PuTTY Configuration dialog) to “ISO-8859-1 1998 (Latin-1, West
Europe)” to correctly display the menu.
For cnMaestro On-Premises, Cambium Networks recommends using a separate data disk for network data and using
the snapshot functionality of your virtualization infrastructure to back up this data consistently.
You will be using a backup system connected to your virtualization infrastructure, so details may differ, but any
system based on snapshots of the disks will work. Guest-based backup agents are not supported, as consistent
point-in-time backups of the entire disk are needed. Serial agent-based backups may back up one part of the disk
while another is being written, and result in unusable backups.
Cambium Networks does not recommend relying only on persistent snapshots, as this may seriously degrade
performance. Use snapshots only to ensure data consistency, not as backup storage.
The recommended backup method is to create a snapshot, copy the data, then delete the snapshot; most backup
software does this automatically. Keeping snapshots for more than 24 hours is not recommended.
NOTE:
It is not recommended to use non-snapshot backup methods, as data is constantly being written,
and backups are likely to be inconsistent or unusable.
OpenStack
For LVM and Ceph RBD, snapshots from the storage node should be taken and then copied to offsite storage. We
recommend backing up individual volumes if possible, and restoring these. While file-based recovery from within a
volume may be possible in some situations, it is not supported.
Account Recovery
cnMaestro has two types of accounts: the Virtual Machine (Console) account and the cnMaestro Application
account. Both of these can be recovered if you forget the administrator password.
1. When booting up cnMaestro in the VM Console after a full shutdown, quickly press and hold the Shift key after
the BIOS has finished loading. This will launch the GNU GRUB menu.
4. The shell will display a command parser along the bottom of the screen. Type the following (without the '#') to
reset the password of the cambium user.
# passwd cambium
# reboot
5. You should now be able to login to the console using the new password.
• Phase 1: Expand the virtual disk (using the virtual machine infrastructure).
• Phase 2: Extend the cnMaestro partition and file system (using the command line instructions listed below).
NOTE:
Please take a backup copy of your virtual machine before performing any operations below.
Once the resized.vmdk is created, replace the current Disk 2 in the VirtualBox UI with the resized vmdk and restart
the virtual machine.
You can validate the command completed successfully by typing df -k and reviewing the size of /dev/sdb1
(/mnt/data).
2. Click Next.
3. Select Information and click Ok.
NOTE:
The username for temporary user login is cnmaestrotemp. It cannot be changed.
This section provides the Statistics API response v1 Format for the following devices:
• cnMatrix
• cnReach
• Fixed Wireless
• PTP
• Wi-Fi
Name Details
network Network
Networks
Name Details
ip IP address
cnReach
General
Networks
ip IP address All
Radios
ap_mac AP MAC SM SM SM
last_sync Last synchronization (UTC Unix time milliseconds) AP/SM AP/SM AP/SM
Radios
PMP […]
PMP […]
Networks
ip IP address All
PMP: […]
Wi-Fi
NOTE:
Mode is Enterprise, Home, or All.
General
ip IP address All
Radios
• cnMatrix
• cnReach
• Fixed Wireless
• PTP
• Wi-Fi
Name Details
network Network
site Site
timestamp Timestamp
tower Tower
Switch
Name Details
Radios
PTP
General
Ethernet
Wi-Fi
General
cnMaestro VM Deployment
1. Log in to the ESXi host.
2. Click Virtual Machines.
4. Click Next.
5. Click Next.
9. When the loading is complete, a virtual machine with the chosen name will appear. Select the VM and click
the power on button.
1. Open Oracle VirtualBox Manager, and select File > Import Appliance.
2. Browse to and select the cnMaestro On-Premises release OVA file, then click Next to continue.
4. Click Import.
The new virtual machine appears in the left panel. After the VM is started, the login screen appears, and you can
continue to configure cnMaestro and access the UI.
VMware Workstation
1. Open VMware Workstation Player. Navigate to Player > File > Open Menu and select the cnMaestro On-Premises
release OVA file.
2. Accept the cnMaestro EULA. Once the EULA is accepted, cnMaestro is imported into the VM environment,
which could take a couple of minutes.
4. Once the file is loaded, click Play and wait for the configuration screen.
Deployment
After installing KVM on the hardware, follow the below steps to import cnMaestro On-Premises into KVM:
cnmaestro-on-premises_1.2.1-b19_amd64.ovf
cnmaestro-on-premises_1.2.1-b19_amd64.mf
cnmaestro-on-premises_1.2.1-b19_amd64-disk1.vmd
3. Create New VM
9. Begin Installation
a. Click Begin installation on the top left. It takes a few minutes to complete.
b. After installation, the console may be blank for some time. Wait for 10-15 minutes. Restart the VM if the
cnmaestro login: prompt is not shown.
This section details how to configure a Microsoft Windows-based DHCP server to send DHCP Options to
Cambium Networks devices such as ePMP, ePMP 1000 Hotspot, and cnPilot Enterprise and Home devices.
• Configuring Option 60
• Configuring Option 43
• Configuring Option 15
• Configuring Vendor Class Identifiers
• Defining DHCP Policies
DHCP servers are a popular way to configure clients with basic networking information such as an IP address,
default gateway, network mask, and DNS server. Most DHCP servers have the ability to also send a variety of
optional information, including the Vendor-Specific Option Code Option 43. When a Cambium device requests
Option 43 Vendor Specific Information, the DHCP server responds with values configured by the DHCP
administrator.
Configuring Option 60
This section describes how to configure the Vendor Class Identifier Code (option 60) on a Microsoft Windows-
based DHCP server. As mentioned in the overview section, option 60 identifies and associates a DHCP client
with a particular vendor. Since option 60 is not a predefined option on a Windows DHCP server, you must add it
to the option list.
Field Information
Name CambiumOption60
Code 60
5. In the Predefined Options and Values dialog box, make sure 060 CambiumOption60 is selected from the
Option Name drop-down list.
6. In the Value field, enter the following information: String: Cambium, Cambium-WiFi-AP, Cambium-cnPilot
r200P, Cambium-cnPilot R201P
NOTE:
The Data type should be string. If only one device type is to be onboarded to the cnMaestro server,
then there is no need to select the Array option. If multiple device types need to be onboarded, then
please select the Array option, so the value can contain multiple option 60 entries.
Configuring Option 43
Option 43 returns the cnMaestro URL to the Cambium Devices.
Field Information
Name CambiumOption43
Code 43
NOTE:
If Option 43 is already in predefined options with the data type as Binary, then it cannot be changed
to string. If this is the case, while defining the policies, specify the values in the ASCII column in the
Actions tab of the policy after selecting Option 43. This will be detailed in the Policies section later in
the document.
Field Information
Name CambiumOption15
Code 15
NOTE:
In the DNS Server, the user needs to map the cnMaestro hostname to the IP address of the
cnMaestro On-Premises server.
The above example is for an ePMP device. In order to create the VCI for other device types, please follow the same
steps, and in the ASCII column provide the following values:
ePMP Cambium
1. Select the scope in which you want to create the policy, and then right click on the Policies option. Select New
Policy.
3. The Policy consists of Matching conditions based on Vendor Class, user class, MAC Address, Client Identifiers,
FQDN and Relay Agent Information. For Cambium Devices we need Vendor Class based match conditions only.
a. In the dialog, click the Add button and, in the pop-up, select the Criteria as Vendor Class, the Operator as
Equals, and the Value as the VCI created for the Cambium Device type.
b. For example, for cnPilot R201P device the Vendor Class selection is “Cambium-cnPilot R201P”.
c. Click Add and then OK in the pop-up. Click Next in the Policy Configuration Wizard.
Then select the vendor class as DHCP standard options, select options 43 and 60 from the available options,
and specify the values that need to be sent to the device. Click Next once the options are selected and values are
specified.
The above Policy is a generic one. For all the device types, the policies should be created in a similar way, with the
match conditions and action as follows:
Policies can also be created at the Scope level or the Server level. If a separate scope is defined for Cambium
devices, it is better to define scope-level policies; otherwise, the policies can be defined at the Server level in a
similar way.
cnPilot Home | Vendor Class for cnPilot R190/R195/R200/R201 | Cambium option 43 and 60 selected and values specified
ePMP 1000 Hotspot | Vendor Class for Hotspot | Cambium option 43 and 60 selected and values specified
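The policy described above, modelled in Python as an added example (not Cambium or Microsoft code): it parses a DHCP options field, applies the Vendor Class match, and audits a captured reply for the expected options 60 and 43. The cnMaestro URL is a constructed placeholder, and the model assumes option 43 carries the URL as a plain ASCII string, as the string data type in this section implies.

```python
PAD, END, VENDOR_INFO, VENDOR_CLASS = 0, 255, 43, 60

def encode_option(code: int, value: bytes) -> bytes:
    """One DHCP option as code, length, value (RFC 2132)."""
    if len(value) > 255:
        raise ValueError("option value longer than 255 bytes")
    return bytes([code, len(value)]) + value

def parse_options(raw: bytes) -> dict:
    """Parse a DHCP options field into {code: value}, rejecting truncated data."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != END:
        if raw[i] == PAD:
            i += 1
            continue
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError(f"option {raw[i]} is truncated")
        code, length = raw[i], raw[i + 1]
        opts[code] = opts.get(code, b"") + raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

# Vendor class strings from the Option 60 value in this section.
VCIS = (b"Cambium", b"Cambium-WiFi-AP",
        b"Cambium-cnPilot r200P", b"Cambium-cnPilot R201P")
# Constructed placeholder; use the URL of your own cnMaestro server.
CNMAESTRO_URL = b"https://cnmaestro.example.com"

def policy_reply(request_options: bytes) -> bytes:
    """Model of a policy: Vendor Class Equals a known VCI, so send options 60 and 43."""
    vci = parse_options(request_options).get(VENDOR_CLASS)
    if vci not in VCIS:                      # exact byte match in this model
        return bytes([END])
    return (encode_option(VENDOR_CLASS, vci)
            + encode_option(VENDOR_INFO, CNMAESTRO_URL) + bytes([END]))

def audit_reply(reply_options: bytes, vci: bytes) -> list:
    """List what a captured reply gets wrong for a device that sent this VCI."""
    opts, problems = parse_options(reply_options), []
    if opts.get(VENDOR_CLASS) != vci:
        problems.append("option 60 missing or different from the request")
    if VENDOR_INFO not in opts:
        problems.append("option 43 missing")
    elif opts[VENDOR_INFO] != CNMAESTRO_URL:
        problems.append("option 43 is not the expected cnMaestro URL")
    return problems
```

Running audit_reply over the options field of a reply captured on the device VLAN confirms that the scope or server policy actually returns the cnMaestro URL you configured.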
Inbound Ports
The following table provides information about network port requirements for inbound:
Outbound Ports
The following table provides information about network port requirements for outbound:
8 389 and 636 TCP/UDP LDAP or Active Directory (AD) server communication