Automating ePMP Password Changes using cnMaestro

Some time ago, I posted a method for Automating PMP450 Password Changes with cnMaestro.  There were a few requests asking how to do the same thing with ePMP.  This post will describe the process to automate ePMP password changes.

Create The Config String:

The first step is to create a configuration string cnMaestro will push to the radios. Since ePMP devices don’t require complete configurations, we can simply copy the cambiumSysAccountsTable from a device configuration file. You can get the file directly from the radio by clicking Tools->Backup/Restore. There’s an option to back up the configuration file as text. I usually open it with Wordpad because it handles Unix-style line feeds pretty well. You can also retrieve the configuration from cnMaestro by clicking “View Device Configuration” on the “Configure Devices” screen. Near the end of the file you’ll see the cambiumSysAccountsTable section. Copy that entire section. It should look like the text below.

{
  "device_props": {
    "cambiumSysAccountsTable": [
      {
        "cambiumSysAccountsName": "admin",
        "cambiumSysAccountsHash": "$1$Q4yAUtfC$E0acJjgS3LxPdxVTghsYh.",
        "cambiumSysAccountsUID": "1000",
        "cambiumSysAccountsGID": "4",
        "cambiumSysAccountsDir": "/tmp",
        "cambiumSysAccountsShell": "/usr/bin/clish"
      },
      {
        "cambiumSysAccountsName": "installer",
        "cambiumSysAccountsHash": "$1$WmN77JQD$fO7YDVacRXNNEHEIH1bhm.",
        "cambiumSysAccountsUID": "2000",
        "cambiumSysAccountsGID": "100",
        "cambiumSysAccountsDir": "/tmp",
        "cambiumSysAccountsShell": "/bin/false "
      },
      {
        "cambiumSysAccountsName": "home",
        "cambiumSysAccountsHash": "$1$/Bv9wvkq$5lBZqqsoAJj4uYOhb7pOS0",
        "cambiumSysAccountsUID": "3000",
        "cambiumSysAccountsGID": "100",
        "cambiumSysAccountsDir": "/tmp",
        "cambiumSysAccountsShell": "/bin/false "
      },
      {
        "cambiumSysAccountsName": "readonly",
        "cambiumSysAccountsHash": "$1$zn4/PlCl$1qP9PGmPChDwkDAgp5Qgw0",
        "cambiumSysAccountsUID": "4000",
        "cambiumSysAccountsGID": "100",
        "cambiumSysAccountsDir": "/tmp",
        "cambiumSysAccountsShell": "/bin/false "
      },
      {
        "cambiumSysAccountsName": "dashboard",
        "cambiumSysAccountsHash": "$1$Y9oz6eRg$ysokBk9VZCGo4AN6WQgVF0",
        "cambiumSysAccountsUID": "5000",
        "cambiumSysAccountsGID": "100",
        "cambiumSysAccountsDir": "/tmp",
        "cambiumSysAccountsShell": "/bin/false"
      }
    ]
  }
}

Inside the cambiumSysAccountsTable you’ll see a few elements. I don’t recommend editing anything other than cambiumSysAccountsHash. That element is the password for the account. You’ll notice it’s a hash. The only way I’ve found to generate the hash is by changing the password on a radio and reading it from the configuration file.

Creating A Template In cnMaestro:

Now that you've created a configuration string, it's time to turn it into a configuration template in cnMaestro.  Log into cnMaestro and go to Configure->Templates.  Click Add New Template.

Since this configuration is valid for both APs and SMs, be sure to check both in the template dialog.  Paste the config string you created earlier into the configuration text box and click save.

Applying The Template:

The hard work is done.  Now it’s time to let cnMaestro take over.  If you want to change passwords network wide, click on System in the network hierarchy on the left of the cnMaestro dashboard.  You certainly could navigate to a tower or network if you want to limit which devices get the password change.  Now click Configure->Devices.  On the configuration tab, select ePMP as the device type and select the template you created earlier.

Now select all the devices you want to change passwords and click add job.  I prefer to start the job automatically.  If you don’t check that box, you’ll have to click on the Active Jobs tab and start the job manually.

That’s it!  In a snap, cnMaestro will change the passwords on the radios you selected.

8 Likes

I tried to export a config from another ePMP 1000 and the file does not contain the cambiumSysAccountsTable to get the password hash that I want.

Can you share the cambiumSysAccountsHash for the admin default password?

@Kgblaster, use the ePMP device UI to export a text editable configuration file.  It will include cambiumSysAccountsTable.  Apparently, this table is omitted when cnMaestro is used to "View Device Configuration" file.

ePMP Device UI - Device configuration export

cnMaestro - Device configuration export

Although cnMaestro can be used to view/export the device configuration file, as shown below, the cambiumSysAccountsTable is not included.

3 Likes

casa

Hi, how would it be for a Force300, please?

cnMaestro will skip devices that are offline at the time the job is running. Is there a way to automate this process so cnMaestro can push the template file to devices that come online later?

1 Like

Which hashing algorithm is used for the hashes here?

Hi. As far as I know, the only way to get the hash is this.

Login to a live radio, set the password to whatever you want the password to be, save the configuration out of that radio, load the configuration into some sort of text editor and you’ll see the password represented as a hash.

That’s the only way I’m aware of to generate that password hash. So, then cut and paste that hash to use in your template.
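
An added example, not part of any post in this thread and not Cambium's code: the `$1$` prefix on the hashes in the first post is the crypt(3) identifier for md5-crypt. The sketch below lints a template against the radio's own export before it is pushed, following the first post's advice to edit only cambiumSysAccountsHash; the function names and the sample hashes are constructed for illustration.

```python
import json
import re

# crypt(3) id -> (scheme, max salt length, digest length); "rounds=" variants are not handled
SCHEMES = {"1": ("md5-crypt", 8, 22), "5": ("sha256-crypt", 16, 43), "6": ("sha512-crypt", 16, 86)}
CRYPT_RE = re.compile(r"^\$([0-9a-z]+)\$([./0-9A-Za-z]+)\$([./0-9A-Za-z]+)$")

def classify_hash(value):
    """Return the crypt(3) scheme name of a well-formed hash string, else None."""
    m = CRYPT_RE.match(value)
    if not m or m.group(1) not in SCHEMES:
        return None
    scheme, salt_max, digest_len = SCHEMES[m.group(1)]
    ok = len(m.group(2)) <= salt_max and len(m.group(3)) == digest_len
    return scheme if ok else None

def accounts(config_text):
    """Index the cambiumSysAccountsTable rows by account name."""
    table = json.loads(config_text)["device_props"]["cambiumSysAccountsTable"]
    return {row["cambiumSysAccountsName"]: row for row in table}

def lint_template(template_text, baseline_text):
    """Compare a template with the radio's own export and list what looks wrong."""
    new, old = accounts(template_text), accounts(baseline_text)
    findings = [f"{n}: account added or removed" for n in sorted(set(new) ^ set(old))]
    for name in sorted(set(new) & set(old)):
        for key in sorted(set(new[name]) | set(old[name])):
            value, before = new[name].get(key), old[name].get(key)
            if key != "cambiumSysAccountsHash":
                if value != before:
                    findings.append(f"{name}: {key} differs from baseline")
            elif not isinstance(value, str) or classify_hash(value) is None:
                findings.append(f"{name}: malformed hash")
            elif value == before:
                findings.append(f"{name}: hash unchanged")
    return findings

def sample(admin_hash, installer_shell):
    """Constructed two-account config; the hashes are placeholders, not real ones."""
    row = lambda n, h, s: {"cambiumSysAccountsName": n, "cambiumSysAccountsHash": h,
                           "cambiumSysAccountsShell": s}
    rows = [row("admin", admin_hash, "/usr/bin/clish"),
            row("installer", "$1$CCCCCCCC$" + "D" * 22, installer_shell)]
    return json.dumps({"device_props": {"cambiumSysAccountsTable": rows}})

if __name__ == "__main__":
    baseline = sample("$1$AAAAAAAA$" + "A" * 22, "/bin/false ")
    template = sample("$1$BBBBBBBB$" + "B" * 22, "/bin/false")
    print("\n".join(lint_template(template, baseline)))
```

The sample run reports the installer hash as unchanged and catches the trailing space dropped from its shell value, the kind of stray edit a hand-copied template picks up.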

Unfortunately, with Software Version 5.9.0 this method just doesn’t work.
The job completed successfully but the password doesn’t change.
Is there any other method to reset the password except a full reset to factory default?

This has been broken in 5.8/4.8.1 and we apologise for the inconveniences caused.
The fix is coming in 5.9.1. We anticipate to get 5.9.1 Beta released this week.

Thank you.

Ok, will wait for the update. Thank you, Fedor.

1 Like

Please issue a notice.
We onboard all of our devices as they come in, they pull firmware first then have the template applied. Are you saying the passwords will not be updated when our template applies on 4.8.1?