cnMaestro 2.1.0 (On-Premises)


This document highlights new features and significant updates in cnMaestro On-Premises. cnMaestro 2.1.0 is a major OVA release, and Cambium recommends all customers update to the latest version. cnMaestro 2.1.0 is the next release after 1.6.3 (there was no official 2.0.0).

The latest releases are the cnMaestro 2.1.0-r22 OVA and the cnMaestro 2.1.0-r23 Package. The Package is only for customers who want to upgrade from cnMaestro 2.1.0-r21.

Important: Upgrading from r21 to r23

The cnMaestro 2.1.0-r23 Package is for customers running the previous 2.1.0-r21 OVA : it provides an easier upgrade. Current 1.6.3 users should only install the cnMaestro 2.1.0-r22 OVA and follow the standard upgrade procedure listed below.

Customers blocked importing data from 1.6.3-r39 into 2.1.0-r21 should apply 2.1.0-r23 and then import the data.

A list of fixes in 2.1.0-r22/r23 is presented later in this document.


cnMaestro 2.1.0 On-Premises is distributed as an OVA file which requires installation on a new virtual machine. Existing cnMaestro On-Premises users should export their data and import it into cnMaestro 2.1.0. Only data exported from cnMaestro 1.6.3 is supported.

The basic steps are defined in the User Guide and consist of:

1.      Export Data from current cnMaestro Installation at Application > Server > Operations.

2.      Import Data file into the new cnMaestro 2.1.0 installation at Application > Server > Operations.

Important: VMware ESXi

Some customers have seen SHA-256 errors when importing the OVA into older versions of VMware ESXi using the vSphere C# Client. This is due to a security enhancement by VMware, which deprecated the original SHA-1 hash. To resolve, one can do the following:

1.      Upgrade VMware to the latest version, which uses SHA-256 by default.

2.      Use the ESXi Web Client, instead of the vSphere C# Client.

3.      Use OVFTOOL to convert SHA-256 to SHA-1. See this post for details.

4.      Convert the OVA manually using a shell script. See this post for details.

Important: Web Browser

You may need to restart your browser (or clear the browser cache with a hard reload) after the 2.1.0 update.

Important:  Update Precautions!

This update has significant database changes that require data migration. This process is done in the background, so regular network management operations are not impacted. The migration duration depends on the total number of devices: approximately 30 minutes per 1,000 devices. We recommend limiting UI access during this period, to keep the load down. Devices will otherwise reconnect as normal. Please also do the following:

1.      If the Managed Service Provider (MSP) feature is enabled in the current 1.6.3 system, it is mandatory to first apply the latest 1.6.3-r39 package (available at before exporting the system backup. This package contains a major fix to export MSP related data.

2.      Keep the system backup from 1.6.3 in a safe location, in case of unforeseen issues.

3.      Export Application > Server > SSL Certificates from the 1.6.3 system and import after upgrading to 2.1.0. This is in addition to the System Backup: certificates are not included and need to be replaced manually.

4.      During data migration, the virtual machine must NOT be rebooted or powered off. Also do not start System Backup or Data Report jobs.

All subsequent updates after cnMaestro 2.1 will be in-system and not require export/import.

PTP 650/670/700 Support

cnMaestro supports the following monitoring and management functionalities on PTP 650/670/700 in both Cloud and On-Premises.




Onboard PTP devices using MSN or Cambium ID.


Multiple, distinct dashboards, depending upon whether PTP devices are HCMP enabled (and in master or slave state).


PTP-specific notifications and alarms.


Device details and performance graphs with the following metrics: channel utilization, throughput, capacity, receive vector error, receive power, receive signal strength ratio, transmit power, link loss, and packet error.


Visual integration into global map.

Hierarchical Tree

Full cnMaestro Tree support, with HCMP visibility.


Device reboot.

Data Report

Data reports downloaded and scheduled in On-Premises.

System Integration

Fully integrated into system-components, such as System/Network/Tower dashboards, inventory, and managed services.

PTP Dashboard


PTP Performance


Note: Configuration and Image Upgrade should still be performed using the PTP device UI.

cnReach Support

cnMaestro now supports full integration of cnReach devices, including monitoring, configuration, and image upgrade in both Cloud and On-Premises.




Onboard all cnReach device types using MSN or Cambium ID.


cnReach-specific dashboards, including individual dashboards for cnReach Radio 1 and Radio 2.


cnReach notifications and alarms.


Device details and performance graphs with the following metrics: throughput, RSSI, transmit power, noise, and neighbor count.


Visual integration into global map.

Hierarchical Tree

Full integration into the cnMaestro Tree, including deeply-nested cnReach backhaul paths.


Device reboot support.


Template-based device configuration.

Software Update

OS and Radio updates, including bulk software distribution.

Data Report

Data reports can be downloaded and scheduled in On-Premises.


Ping, RF Ping, RF Throughput

System Integration

Fully integrated into system-components, such as System/Network/Tower dashboards, inventory, managed services.

cnReach Dashboard


cnReach Performance


cnReach Bulk Software Upgrade

cnReach AP Bulk Software Distribution efficiently copies software to all devices in a VLAN, where it can then be applied.

Email Notification

Email Notification allows Super Administrator and Administrator users to add Subscribers (email addresses) for receiving Alarms.

The Alarm Severity can be filtered by:

  • Critical
  • Major
  • Minor

The content of the email can be either HTML or JSON format. This feature must be enabled globally in Application > Settings.

HTML Email Example


JSON Email Example


Scheduled Software Upgrade

Select a time to apply device software upgrades.


Dashboard Device Health Component

The Dashboard Device Health component has been rewritten to better represent the many device types now supported in cnMaestro.


WLAN Overrides (cnPilot Enterprise)

WLAN details unique to a device, such as SSID, Enabling/Disabling SSID and Passphrase, are now supported as part of Device Overrides. These can be configured in the Device Configuration page at Manage > Configuration, and then selecting the device in the tree to update.


Link Quality Indicator (LQI) for PMP SMs

The LQI statistic indicates if a PMP link is degraded by interference or noise. An LQI of 100% means there is no interference. A value of 90% or higher is considered reasonable. Depending on their environment, operators may differ on what is unacceptable (i.e. 80%, 70%, 60%). The Manage > Statistics table shows the LQI, in downlink and uplink, for every PMP SM. An administrator can sort the table by downlink or uplink to identify the SMs experiencing the most significant degradation. Click on an individual PMP SM Performance tab to view the LQI over the last day or week to correlate degradations to certain periods of time.

Busy Index for PMP APs

This represents the percentage of time during the last week in which a PMP AP is congested -- determined by the frame utilization exceeding 90%. The System and Tower dashboards display a list of the top five busy PMP APs. The Manage > Statistics table shows the Busy Index, in downlink and uplink, for every PMP AP. An administrator can sort the table to identify the most congested APs. Click on an individual PMP AP Performance tab to view the frame utilization over the last day or week to understand when usage tends to be highest.


Bulk Reboot

Bulk reboot is added as part of Actions available on Inventory page.

In-System Upgrade (On-Premises)

Upgrading to new cnMaestro versions post 2.1.0 will not require an Import/Export. Instead, the images can be updated within the current virtual machine.


SSH Access (On-Premises)

SSH can be enabled through the Console to provide network access to the cnMaestro CLI. The system uses password authentication, and it is recommended only for debugging purposes. SSH is enabled in the Console at Maintenance > SSH.


NTP Support (On-Premises)

NTP is enabled by default, and external servers can be added in the Console at Settings > NTP.


CSV Configuration Import (Backhaul Devices)

Global cnMaestro Configuration CSV import is available from the Inventory page at the following levels: System, Network, Managed Account, ePMP or PMP AP devices. This feature is supported only for Access and Backhaul devices (AP and SM).

The following parameters are supported for ePMP/PMP AP devices:

  • Latitude
  • Longitude
  • Height
  • Azimuth
  • Elevation

The following parameters are supported for ePMP/PMP SM devices:

  • Latitude
  • Longitude

CSV Example


cnPilot Home WLAN and LAN Statistics

The Wireless LAN Dashboard displays  cnPilot Home (R-Series) devices in the Client and Network sections (this functionality is already available for cnPilot Enterprise).

Guest Access Portal Logout

Logout is added to the cnMaestro Guest Access Portal. This feature helps guests use allocated session time more precisely.

For example, if a guest user has a session time of 1 hour, and 1 day as renewal frequency, the user can logout of guest session after 10 min of usage, and the remaining 50 min of session time can be used across different sessions within 1 day (renewal frequency).

  1. Navigate to Services > Guest Access Portal page and select the respective Guest Portal Name.
  2. Select Access
  3. Select Enable Logout functionality for the guest client check box.
  4. Click Save.


Twitter Support for Guest Login

Support for Twitter is added under Social Login to Guest Access Portals. Now Guest Clients can login using Twitter.


Change Your Password (On-Premises)

cnMaestro users can change their own passwords, irrespective of their role.


IPv6 Networking (On-Premises)

cnMaestro supports both IPv4 and IPv6 networking. The eth0 interface requires IPv4 (for the system IP address and cluster configuration), and optionally IPv6.


API Updates (On-Premises) image.png

New APIs



Clients API (Section 14.3)


Aggregated data for all Wi-Fi clients

/api/v1/devices/{MAC}/clients/{client MAC}/summary

Aggregated data for a single client

Devices API (Section 8.2, 8.3, 8.4)


Claim new device


Update/Delete an existing device

JOBS API (Section 9)


Configuration job management


Networks API (Section 10.2)


Create new network

Sites API (Section 11.2)


Create new site

Towers API (Section 12.2)


Create new tower

Deprecation/Update Notice for Existing APIs



Devices API


- A new property called site_id is added for WiFi Device

Statistics API


- site_id property is added for WiFi devices only.

- Until 1.6.3 rx_bps, tx_bps were returning values in kilobits per sec. In 2.1.0 we changed it to return as bits per second

- Until 1.6.3 tx_bytes, rx_bytes were returning values in kilobits. In 2.1.0 tx_bytes, rx_bytes will be sending value as bytes. 

- session_drops field is deprecated.

Performance API


- Until 1.6.3 rx_bps, tx_bps was returning values in kilobits per sec. In 2.1.0 we changed it to return as bits per second

- Until 1.6.3 throughput was returning values in kilobits per sec. In 2.1.0 we changed it to return as bits per second

Sites API


- Sites object will contain created_at field denoting site’s creation time. From 2.1.0 this API will accept stop_time and start_time header fields which returns sites created within that period.

Supported Cambium Products

cnMaestro supports the following Cambium Networks products. The software versions are the minimum required to use cnMaestro (not the recommended versions).





cnPilot R200, R200P


cnPilot R201, R201P


cnPilot R190V,  R190W


cnPilot E400/E500


cnPilot E410/E430w/E600


cnPilot E501S


cnPilot E502S


cnPilot E700


ePMP 1000 Hotspot

ePMP 1000 Hotspot



ePMP 1000, Force 180/200


ePMP 2000


ePMP Elevate


ePMP Force 190


ePMP Force 300


ePMP PTP 550


ePMP 3000


PMP 450i, PMP 450, PMP 450m, PMP 430 SM


PTP 450, and PTP 450i



PTP 650


PTP 670 (650 Emulation)


PTP 670, PTP 700


cnReach (Beta)



 Supported Browsers

cnMaestro supports the following browsers:





Internet Explorer

11 and above


45 and above


49 and above



9 and above



45 and above


49 and above

Significant Fixes

The following issues have been fixed:




Login not working after selecting the user accounts in EDGE browser in Windows 10.


Device name is not present when exported as CSV/PDF.


Not able to export the uptime/downtime data from Inventory/Statistics grid.


PMP/ePMP: Getting upgrade in progress internal error, but the device was upgraded successfully.


Monitor user should be able to export and schedule Reports at all levels.


Moving devices to tower after setting the device location fails.


Job in not started state created from tenant account is not able to start from the global account.


Devices API sort with name and sort with registration_date is not working


BHM/BHS software update broken in 1.6.3.


Scheduled Report issues with devices in MSP accounts.


Distance value for PMP SMs is not displayed.


NAS IP should be cnMaestro Server IP instead of RADIUS Server IP.


PTP550: Devices stuck in onboarding and updating state in production cloud.


PTP550 and Force 300 devices with build 4.1.1 are not sending the software update events to cnMaestro.

Additional Fixes in cnMaestro 2.1.0-r22

The following updates are in addition to the 2.1.0-r21 release.




Wi-Fi devices are getting hidden in tree when each of them report each other as parent device


After update with 2.1.0-r21 "Towers" and "Sites" are not in alphabetical order


Data migration is failing when 1.6.3-r39 data is imported on 2.1.0-r21


Tower level Top AP's throughput value is empty


PMP Medusa AP Downlink data is missing in frameutil performance graphs


Auto Provisioning feature is not working for cnPilot R-series.


SM WAN IP is not shown in 2.1.0-r21 version


Fixed UI dashboard freeze issue due to c3 chart


Site floor plan got distorted after migrating data from 1.6.3 to 2.1.0


Sector not showing due to missing gain in Maps

Known Issues

The following issues exist:





Failure to load success page after quick pay authentication


Error contacting server when clicking on Orange Money button


WiFi Guest Access does not work with Microsoft Edge Browser

Guest Access on cnMaestro does not work with Edge browser on cnPilot 1.4.0-r12 with 3.2.1-6 and 1.5.0-r4 with 3.3 beta builds.

Workaround: Users need to use supported browsers like Chrome, Firefox, or Internet Explorer (IE) 11.


DHCP errors after cnMaestro Reboot

When cnMaestro On-Premises is rebooted, after Data Import, sometimes DHCP and Disk Errors are encountered.

Workaround: Explicitly run the dhclient command from the Command Line (accessed through the CLI) after reboot to assign the IP address.


DHCP Option 15 not working for cnPilot Home

DHCP Option 15 onboarding is not working for cnPilot Home devices (R-series). These devices cannot use this onboarding mechanism.


Captive Portal Auto Login fails with latest Android devices

Workaround: Whitelist the URL for Google (*


RADIUS Proxy drops packets after retry exhausted

After RADIUS Proxy Retries are exhausted in cnMaestro On-Premises, all subsequent RADIUS packets are dropped.

Workaround: Reboot cnMaestro.


Access token is expired after data migration

Workaround: User has to generate a new token after the migration.


Auto sync always times out if the device IP changes during auto sync


ePMP: “No GPS Sync” or
“GPS Sync Down” alarm/event not raised in cnMaestro

ePMP devices are not sending the GPS Sync status events to cnMaestro when GPS Sync is down or there is NO GPS Sync.

Also for PMP GPS SYNC events, details shows sync source instead of indicating whether the GPS SYNC source is up or Down.


MSP images not imported on server when exported in 1.6.3 and imported in 2.1.0 

Workaround: Customers need to apply 1.6.3-r39 build and then import the data to 2.1.0


cnReach performance reports do not have throughput values for radios


Certificate exports are not part of Data Backup and restore

Certificates must be exported manually.


While Migration is happening moving or deleting a device from the Managed account will mark all the events and alarms as undefined once migration is completed


These are some great features, the email notifications will be particularly useful!

When do you plan to upgrade the cloud to this version?

Cloud version we will start rolling in the next 2 weeks, we have servers across region so it may take some time.



Hi, during deploy on ESXi 6.7 booting ends in Busy box. Looks like that provided ova file is corrupted or contains some error. Could you check it please?


could you please validate the sha256sum with the OVA which you downloaded?

sha256sum -  96c8b55f74bf7467e2d1cb69f939a9b4a1fb799648b3905361f5ceeb27cf5bfc

1 Like

I did it and it matches.

After powering on  I can see only this ...

i have sent you a private message.

I'd like a bit of clarity before I get really angry - the notes explicitly say "Only data exported from cnMaestro 1.6.3 is supported." I am running Version 1.6.0-r22, and I really don't want to have to backup, update to 1.6.3, reconfigure it and import data, then back that up, update to 2.1.0, and reconfigure and import data again. It's not like this is an ancient version - please tell me that there are no significant differences in the data between these two versions and I can just do the one upgrade...

1 Like

Hi dshea -- the upgrade process from the 1.6.0 version will require an intermediate step to 1.6.3 (which includes exporting and importing data). The 2.1.0 release removes this complexity moving forward, and it will be upgraded in-system (with no more export/import). However to get to this point, the baseline data needs to be exported off a cnMaestro 1.6.1 OVA installation with a package upgrade to 1.6.3. This can be done either by importing into 1.6.1 and upgrading to 1.6.3, or by installing 1.6.1 and upgrading to 1.6.3 before the import.

Both 2.1.0 and 1.6.3 have significant database updates that make this process especially complex as we look at supporting earlier versions for data migration. 1.6.3 added an updated data model for MSP and multiple tenants  (which entailed a significant transition), and 2.1.0 includes additional data restructuring for performance and scalability.


That's awsome job! Can't wait to test it the first thing tomorrow morning.


we have error in vmware ESXi.

pls check the file.

thank you.



@netreality wrote:


we have error in vmware ESXi.

pls check the file.

thank you.


Tested file in VirtualBox: works.

Upgraded to this new version.

8000+ devices onboarded.

Imported backup file and after some few hours seems all be up but first thing i noticed is that the Towrs and Sites are not in alphabetical order but are all mixed up...

I keep you updated with some testing...

hi netreality,

I have sent private message.

1 Like

Could you please help me with configuring email settings?
We get error:

Error on sending mail: unable to verify the first certificate

This is on port 587 with STARTTLS.
Kind regards


ho un problema nella creazione dell' OVA

mi viene fuori l' errore in allegato

come posso risolvere?

You have to use OVF vmware tool to convert from SHA256 to SHA1. Or use vmware greater than 6.5

Kind regards

Having issues booting the OVA provided online. Runing xen 6.5 it fails to emergency boot console.

Tried it on a VMware 6.5u1 box I run personally and it boots fine.

Anyone else running Xen figure out how to get this OVA to boot?