Automating ePMP Password Changes using cnMaestro

Some time ago, I posted a method for Automating PMP450 Password Changes with cnMaestro.  There were a few requests asking how to do the same thing with ePMP.  This post will describe the process to automate ePMP password changes.

Create The Config String:

The first step is to create a configuration string cnMaestro will push to the radios.  Since ePMP devices don’t require complete configurations, we can simply copy the cambiumSysAccountsTable from a device configuration file.  You can get the file directly from the radio by clicking Tools->Backup/Restore.  There’s an option to backup the configuration file as text.  I usually open it with Wordpad because it handles Unix style line feeds pretty well.  You can also retrieve the configuration from cnMaestro by clicking “View Device Configuration” on the “Configure Devices” screen.   Near the end of the file you’ll see the cambiumSysAccountsTable section.  Copy that entire section.  It should look like the text below.

{
  "device_props": {
    "cambiumSysAccountsTable": [
      {
        "cambiumSysAccountsName": "admin",
        "cambiumSysAccountsHash": "$1$Q4yAUtfC$E0acJjgS3LxPdxVTghsYh.",
        "cambiumSysAccountsUID": "1000",
        "cambiumSysAccountsGID": "4",
        "cambiumSysAccountsDir": "/tmp",
        "cambiumSysAccountsShell": "/usr/bin/clish"
      },
      {
        "cambiumSysAccountsName": "installer",
        "cambiumSysAccountsHash": "$1$WmN77JQD$fO7YDVacRXNNEHEIH1bhm.",
        "cambiumSysAccountsUID": "2000",
        "cambiumSysAccountsGID": "100",
        "cambiumSysAccountsDir": "/tmp",
        "cambiumSysAccountsShell": "/bin/false "
      },
      {
        "cambiumSysAccountsName": "home",
        "cambiumSysAccountsHash": "$1$/Bv9wvkq$5lBZqqsoAJj4uYOhb7pOS0",
        "cambiumSysAccountsUID": "3000",
        "cambiumSysAccountsGID": "100",
        "cambiumSysAccountsDir": "/tmp",
        "cambiumSysAccountsShell": "/bin/false "
      },
      {
        "cambiumSysAccountsName": "readonly",
        "cambiumSysAccountsHash": "$1$zn4/PlCl$1qP9PGmPChDwkDAgp5Qgw0",
        "cambiumSysAccountsUID": "4000",
        "cambiumSysAccountsGID": "100",
        "cambiumSysAccountsDir": "/tmp",
        "cambiumSysAccountsShell": "/bin/false "
      },
      {
        "cambiumSysAccountsName": "dashboard",
        "cambiumSysAccountsHash": "$1$Y9oz6eRg$ysokBk9VZCGo4AN6WQgVF0",
        "cambiumSysAccountsUID": "5000",
        "cambiumSysAccountsGID": "100",
        "cambiumSysAccountsDir": "/tmp",
        "cambiumSysAccountsShell": "/bin/false"
      }
    ]
  }
}

Inside the cambimSysAccountsTable you’ll see a few elements.  I don’t recommend editing anything other than cambiumSysAccountsHash.  That element is the password for the account.  You’ll notice it’s a hash.  The only way I’ve found to generate the hash is by changing the password on a radio and reading it from the configuration file.

Creating A Template In cnMaestro:

Now that you've created a configuration string, it's time to turn it into a configuration template in cnMaestro.  Log into cnMaestro and go to Configure->Templates.  Click Add New Template.

Since this configuration is valid for both APs and SMs, be sure to check both in the template dialog.  Paste the config string you created earlier into the configuration text box and click save.

Applying The Template:

The hard work is done.  Now it’s time to let cnMaestro take over.  If you want to change passwords network wide, click on System in the network hierarchy on the left of the cnMaestro dashboard.  You certainly could navigate to a tower or network if you want to limit which devices get the password change.  Now click Configure->Devices.  On the configuration tab, select ePMP as the device type and select the template you created earlier.

Now select all the devices you want to change passwords and click add job.  I prefer to start the job automatically.  If you don’t check that box, you’ll have to click on the Active Jobs tab and start the job manually.

That’s it!  In a snap, cnMaestro will change the passwords on the radios you selected.

7 Likes

I tried to export a config from another ePMP 1000 and the file not contain the

cambiumSysAccountsTable

To get the password hash what I want.

You can share the cambiumSysAccountsHash from admin default password?

@Kgblaster, use the ePMP device UI to export a text editable configuration file.  It will include cambiumSysAccountsTable.  Apparently, this table is omitted when cnMaestro is used to "View Device Configuration" file.

ePMP Device UI - Device configuration export

cnMaestro - Device configuration export

Although cnMaestro can be used to view/export the device configuration file, as shown below, the cambiumSysAccountsTable is not included.

3 Likes

casa

Hi, how would it be for a Force300 please.

cnMaestro will skip devices that are offline at the time the job is running. Is there a way to automate this process so cnMaestro can push the template file to devices that come online later?

1 Like

Which hashing algorithm is used for the hashes here?

Hi. as far as I know, the only way to get the hash is this.

Login to a live radio, set the password to whatever you want the password to be, save the configuration out of that radio, load the configuration into some sort of text editor and you’ll see the password represented as a hash.

That’s the only way I’m aware to you generate that password hash. So, then cut and paste that hash to use in your template.