Automating PMP450 Password Changes with cnMaestro

Vern · October 28, 2016, 1:51am

A while back I posted a method for automating password changes using config file import. The last sentence promised cnMaestro would simplify this task. I’m happy to say, it certainly does. I was able to create a template and push password changes in just a few minutes. cnMaestro eliminated all the hassle of setting up a web server to host the configuration file and creating a script that would instruct the radios to download and apply the file. It only took a couple of steps to quickly push password changes to my radios. Here’s how I did it…

Create The Config File:

The first step is to create a configuration file containing the user accounts and passwords. Since PMP450 radios don't require complete configuration files, this becomes quite simple. Create a file that looks something like this...

{
  "userParameters": {
    "authenticationConfig": {
      "accounts": [
        {
          "userName": "admin",
          "level": 3,
          "readOnly": false,
          "passwordEncrypted": "40b491d60000042f09c7950d27563018"
        },
        {
          "userName": "root",
          "level": 3,
          "password": "${password=newpassword}",
          "readOnly": false
        }
      ]
    }
  },
  "cfgFileString": "Canopy configuration file",
  "cfgFileVersion": "1.0"
}

You'll notice there are sections for each account. Feel free to add or remove accounts. You may set the password with either the "password" (not encrypted) or "passwordEncrypted" attributes. I prefer to use "passwordEncrypted" so the password isn't exposed as plain text.

You may also notice the plain text password for the root account looks a bit funny. The ${} instructs cnMaestro to make this a variable which can be set before the template is applied to devices. More on that later.

If you choose to use encrypted passwords in the configuration file, you'll first need to encrypt the password. To do this, log into any radio and go to Configuration->Unit Settings. On this page you'll find a section for encrypting passwords. Simply type the new password into the field and click "Encrypt the password". The radio will show the encrypted version just below where you typed the password.

Copy the output and paste it in the appropriate location of the configuration file.

Creating A Template In cnMaestro:

Now that you've created the configuration file, it's time to turn it into a configuration template in cnMaestro. Log into cnMaestro and go to Configure->Templates. Click Add New Template.

Since this configuration is valid for both APs and SMs, be sure to check both in the template dialog. Paste the config file you created earlier into the configuration text box and click save.

Applying The Template:

The hard work is done. Now it’s time to let cnMaestro take over. If you want to change passwords network wide, click on System in the network hierarchy on the left of the cnMaestro dashboard. You certainly could navigate to a tower or network if you want to limit which devices get the password change. Now click Configure->Devices. On the configuration tab, select PMP as the device type and select the template you created earlier.

If you made any passwords variables, but sure to click view variables and set the values appropriately. Now select all the devices you want to change passwords and click add job. I prefer to start the job automatically. If you don’t check that box, you’ll have to click on the Active Jobs tab and start the job manually.

That’s it! In a snap, cnMaestro will change the passwords on the radios you selected.

elmorekevin · October 31, 2016, 4:50pm

Thanks for the write-up.

When the job is started automatically, I assume it starts the job in short order. If we have a network with 2,000 devices (70 APs), what settings would you recommend in terms of how many in parallel?

Do the radios simply reboot and re-associate once the AP is ready as well? Since the AP and SM configuration needs to be staged, we can expect a short downtime. How long do you think this downtime is typically using this configuration method? Similar to applying through the web interface?

This should probably be scheduled for the middle of the night in a larger network. If you have 5 in parallel, how long might you think it would take to get through 100 devices?

Thanks,

Kevin

Vern · October 31, 2016, 5:17pm

I’ve only done this with the On Premises version. I would say within about 15 seconds of clicking “Add Configuration Job” with “start automatically” checked, the password was changed on my test AP. I suspect you could do more than 5 concurrently without issue. I would probably select 20.

Keep in mind this is a very minor configuration change that doesn’t require a reboot. Total downtime should be zero.

sgarbutt · December 14, 2016, 7:29pm

I would like to do the same thing for our Epmp radios. If someone has a template for those radios I would appreciate any help . Steven

vtindell · December 15, 2016, 2:27pm

Currently ePMP doesn't support changing passwords with configuration import. This functionality is planned for the very near future. Once I get the version which supports this, I'll make another post detailing how to do it.

j2sw · December 18, 2016, 3:54pm

Bump on the ePMP support. any news?

Cambium_Vern · December 19, 2016, 3:09pm

This functionality should be available with ePMP software version 3.2.1. I think it's expected to release around December 30th.

boydsoftprez · February 24, 2017, 6:18pm

Is this suported for epmp / epmp elevate now?

Vern · February 24, 2017, 6:33pm

Yes. I just haven't had time to do a write up. It's basically the same process with a template appropriate for ePMP.

bcotton · March 8, 2017, 7:03pm

What method is cnMaestro using to push these changes? SNMP? HTTPS GET?

bcotton · March 8, 2017, 7:49pm

Is there any type of training / guidelines for creating these templates? It is not clear at all which snippets of json are peritinent to what you are attempting to modify, particularly in regards to pushing SNMP changes, where there are tons of vaguely named attributes that do not seem to adhere to the same order that you see in the radio GUI itself.

Cambium_Emilio · March 8, 2017, 9:30pm

What method is cnMaestro using to push these changes? SNMP? HTTPS GET?

cnMaestro uses HTTPS to communicate with the device. So all configuration, including the password fields, is sent over HTTPS.

CambiumMatt · March 8, 2017, 10:12pm

@bcotton wrote:

Is there any type of training / guidelines for creating these templates? It is not clear at all which snippets of json are peritinent to what you are attempting to modify, particularly in regards to pushing SNMP changes, where there are tons of vaguely named attributes that do not seem to adhere to the same order that you see in the radio GUI itself.

Welcome to the forums bcotton!

With respect to this question, you can export a full configuration file from a SM. If any of the parameters are unclear, please start a separate thread with your questions. This thread was very specifically to discuss the ability to change passwords using a partial config file and cnMaestro.

Page 480 of the User Guide discusses this in some detail, but does not list all of the parameters.

CSup · March 10, 2017, 6:11pm

Silly question why does the above config trigger a reboot?

Vern · March 10, 2017, 6:15pm

It shouldn't. I can't remember what software version I tested with, but I do recall there wasn't a reboot. Usually templates have to specify "rebootifrequired"="true" to cause a reboot. Even then, the radio shouldn't reboot since password changes don't require a reboot.

Sean_Heskett · March 28, 2017, 5:53pm

if I want to set the passwords on the SMs to a different password than the APs is there a way to select all SMs in the system, network or tower (without having to individually check each SM)???

Thanks for providing this usefull info/tool!!!

-Sean

Cambium_Emilio · March 28, 2017, 8:16pm

Sean,

Yes. You can bulk configure your PMP SMs (and not APs). Assuming you have created your configuration template for your PMP SMs, follow the steps below.

1) In the cnMaestro device tree, click on the System folder (or network or tower). Then click on the CONFIGURE (gear) icon located above the SEARCH bar in the device tree.

2) Set the DEVICE TYPE pull-down menu to "PMP (Sectors)". Select the template that contains your PMP SM password configuration.

3) You should now see a table of PMP APs in the table. You can expand the carot symbol for each PMP AP to show all of it's SMs. Under each AP, you will see an option to "Select All SM Devices". (For now, you need to expand each AP and select it's SMs. In the near future, we will simplify this.)

4) At the bottom of the page, click on the "Add Configuration Job" button.

5) Click on the JOBS tab to start the job or monitor it's progress.

Hope this helps.

Sean_Heskett · March 30, 2017, 6:23pm

Awesome thanks Emilio!

-Sean

Sean_Heskett · March 30, 2017, 6:52pm

one small problem...selecting "select all SM devices" really only selects the visable SMs. for instance if an AP has 40 SMs only the first 15 get selected and pushed. you have to then go to the next set of 15 SMs and so on.

still kinda cumbersome but better than clicking on each SM

-Sean

jperez · May 1, 2017, 7:49pm

any updates of this featured for ePMP?