cnMaestro 2.2.0 (On-Premises)


This document highlights new features and significant updates in cnMaestro On-Premises. Note that 2.2.0 is a major release, and Cambium recommends all customers update to the latest version.


cnMaestro 2.2.0 On-Premises is distributed as an OVA file, which can be installed as a new Virtual Machine or used to update an existing 2.1.0 OVA installation. Please verify at least 1 GB of available memory before updating using the OVA.

Existing cnMaestro On-Premises users running with version 1.6.3 should export their data and import it into cnMaestro 2.2.0. Data exported from cnMaestro 1.6.3 is supported.

Important: Web Browser

You may need to restart your browser (or clear the browser cache with a hard reload) after the 2.2.0 update.

Important: AMI Installation

This OVA cannot be used to upgrade the cnMaestro 2.1.1 AWS AMI released in the Amazon AWS Marketplace. There will be a separate AMI release for 2.2.0.

Layer 2 High Availability (HA) [Pro] [Beta] (On-Premises)

cnMaestro On-Premises supports Layer 2 High Availability Beta through an Active-Standby (1+1) architecture. The default HA installation has a single Management interface (eth0) and a Shared (floating) Management IP address. HA is configured through the Console.


Failover Times

An on-premises failover occurs over the following intervals:

  1. 15-20 seconds: Commit to failover.
  2. 60-90 seconds: Transition databases and services. UI becomes available during this period.
  3. Up to 5 minutes: Devices reconnect in staggered fashion, to limit large deployment overhead.

During a failover, RADIUS Proxy will be unavailable until the hosting device reconnects, and EoGRE requires service initiation on the new Active system. Data Plane failover will be optimized in a later release.

Rogue AP Detection

A Rogue AP is an unsanctioned AP not onboarded to a Site. The Cambium AP scans channels and collects details about neighboring APs, which are displayed in cnMaestro.

Configuring Rogue (Unsanctioned) AP

  1. Navigate to AP Groups > Configuration > Security page
  2. Select the Enable Rogue AP detection check box

Monitoring Rogue APs

Rogue APs can be monitored at the Access Point and Site levels in the hierarchy. The graphic below highlights the Rogue AP Dashboard for an Access Point. Rogues can be visualized by channel over time, and they can be whitelisted directly from the Dashboard.


Secondary External Authentication Servers [Pro] (On-Premises)

Support for an optional Secondary Authentication Server for cnMaestro application authentication. The default Local Users authentication will only be performed if both Primary and Secondary servers are unreachable.

Guest Portal Self Registration

The user can customize the fields on the Splash page by choosing the Custom Field option on the Guest Access Portal page and clicking the Add New button.

Wired Clients for cnPilot Home

Added support to display Wired Clients for cnPilot Home devices.

Wired Guest Clients for cnPilot Enterprise

Added support to display Wired Guest Clients for cnPilot Enterprise devices.

CLI Debug Option for cnPilot Enterprise APs

Execute CLI commands on cnPilot Enterprise APs as part of Advanced Debug option. This feature is for debugging purposes: it is not meant to configure APs. This option is supported on APs running software version 3.10.2 or higher.


cnPilot Radio Enable/Disable Override

The Device Override section in the Device Configuration tab now has the option to enable/disable Radio 2.4 GHz and Radio 5 GHz.

Enhanced Statistics for PTP Devices

The following parameters are added to the Statistics table for PTP devices:

  1. Error Seconds
  2. Severe Error Seconds
  3. Unavailable Seconds

A new Network Info tab is added under the Details tab for PTP devices.

Enhanced Data Report for PTP Devices [Pro]

The existing Devices Data Report is enhanced with the addition of significant PTP Radio parameters.

Unique Device Name Enforcement

Device names are validated to enforce uniqueness across the system. In the case of Managed Services, uniqueness is enforced within the Managed Account.

Satellite View (US and EU)

Support for Satellite View in the Map is added in limited United States and European Union regions. This option can be enabled from the Application > Settings > Advanced Features page.

API Updates [Pro] (On-Premises)

New APIs

Guest Portal API (Section 19.3)

  /api/v1/portals/{Portal ID}/vouchers/{voucher plan}            List of vouchers
  /api/v1/portals/{Portal ID}/vouchers/{voucher plan}/generate   Generate vouchers
  /api/v1/portals/{Portal ID}/events                             List of guest login events

Devices API (Section 8.5.6)

  /api/v1/devices/{MAC Address}/disconnect_clients               Disconnect clients under an AP

Supported Cambium Products

cnMaestro supports the following Cambium Networks products. The software versions are the minimum required to use cnMaestro (not the recommended versions).





cnPilot R200, R200P


cnPilot R201, R201P


cnPilot R190V,  R190W


cnPilot E400/E500


cnPilot E410/E430w/E600


cnPilot E501S


cnPilot E502S


cnPilot E700


ePMP 1000 Hotspot

ePMP 1000 Hotspot



ePMP 1000, Force 180/200


ePMP 2000


ePMP Elevate


ePMP Force 190


ePMP Force 300


ePMP PTP 550


ePMP 3000


PMP 450i, PMP 450, PMP 450m, PMP 430 SM


PTP 450, and PTP 450i



PTP 650


PTP 670 (650 Emulation)


PTP 670, PTP 700


cnReach (Beta)






Supported Browsers

cnMaestro supports the following browsers:





Internet Explorer

11 and above


45 and above


49 and above



9 and above



45 and above


49 and above

Significant Fixes

The following issues have been fixed:




cnMaestro is logging out automatically even though the session should not expire until the browser closes.


PTP 450 Bi-directional Frame Utilization information is missing.


Client sessions data not exporting when exporting and importing to new server.


No option to enable/disable SSIDs in C3VoIP.


Link Test does not work for ePMP AC devices.


R201 supports 1 Gbps on the LAN and WAN ports, but when setting the speed from cnMaestro using QoS, the maximum that can be set is 100 Mbps.


Replacement variables can't be unset. Blank defaults not properly supported.


Report jobs that are in the processing state during failover create empty/incomplete reports.


Static gateway is not being deleted from cnMaestro.


Device name restrictions not consistent.


By default, Telnet is enabled for config pushed through cnMaestro.


Delimiter for MAC Address in MAC Authentication (in WLAN Group) must accept only valid parameters.


802.11k RRM configuration is not available in cnMaestro WLAN configuration page.


Equals sign = Breaks User-Defined Overrides.


Map view does not display any device with Lat/Long coordinates of 0,0.


Not able to export vouchers after creation using generate and export option.


Top Wi-Fi Networks by Throughput/Clients is not fetching managed accounts.


"Redirect Hostname" option missing for external hotspot in cnMaestro.


Move PPPoE configuration as per cnPilot device.


Web access protocol HTTPS needs to be removed under R-Series AP Group under Management.

Known Issues

The following issues exist:





WiFi Guest Access does not work with Microsoft Edge Browser

Guest Access on cnMaestro does not work with Edge browser on cnPilot 1.4.0-r12 with 3.2.1-6 and 1.5.0-r4 with 3.3 beta builds.

Workaround: Users need to use supported browsers like Chrome, Firefox, or Internet Explorer (IE) 11.


Failure to load success page after quick pay authentication


Error contacting server when clicking on Orange Money button


DHCP errors after cnMaestro Reboot

When cnMaestro On-Premises is rebooted, after Data Import, sometimes DHCP and Disk Errors are encountered.

Workaround: Explicitly run the dhclient command from the Command Line (accessed through the CLI) after reboot to assign the IP address.


Captive Portal Auto Login fails with latest Android devices

Workaround: Whitelist the URL for Google (*


RADIUS Proxy drops packets after retry exhausted

After RADIUS Proxy Retries are exhausted in cnMaestro On-Premises, all subsequent RADIUS packets are dropped.

Workaround: Reboot cnMaestro.


Access token is expired after data migration

Workaround: User has to generate a new token after the migration.


Auto sync always times out if the device IP changes during auto sync


ePMP: “No GPS Sync” or “GPS Sync Down” alarm/event not raised in cnMaestro

ePMP devices are not sending the GPS Sync status events to cnMaestro when GPS Sync is down or there is no GPS Sync.

Also, for PMP GPS Sync events, the details show the sync source instead of indicating whether the GPS Sync source is up or down.


Certificate export is not part of Data Backup and restore

Certificates must be exported manually.


While migration is in progress, moving or deleting a device from the Managed Account marks all the events and alarms as undefined once the migration is completed.


cnReach performance reports do not have throughput values for radios


MSP images not imported on server when exported from 1.6.3 and imported in 2.2.0 

Workaround: Customers need to apply the 1.6.3-r39 build and then import the data into 2.2.0.


HA: Network cable unplug: Device count is taken from NOC1 and jobs/users list is taken from NOC2.


HA: Network cable unplug: Devices onboarded during the network disconnect need to be reapproved by the user.


HA No Standby Server Banner message will be seen when we do any bulk operation in cnMaestro.


AP Regulatory Channel list support check needed for checking valid channels.


The Microsoft Edge browser does not support in-system OVA file upgrade.

Workaround: Use the Google Chrome browser.

Where to Get Help

There are a number of places to get help with cnMaestro.

Cambium Community: The cnMaestro Forum provides the best place to ask questions and get up-to-date information.

  1. On-Premises Quick Start Guide: This guide walks you through the initial management process and allows you to get onboarded quickly. It is embedded into the cnMaestro image and can be accessed on the Home Page of the UI. It can also be downloaded in PDF format from the Cambium Support website.
  2. Cambium Support: The Cambium Support team is available 24x7 to answer questions and resolve issues.

With HA support in cnMaestro 2.2, connected Wi-Fi clients should see no interruption to their session if they are not roaming during the failover period.

cnMaestro 2.1.1-r14

Is this procedure correct for updating with the OVA? When it arrives at 100% it does nothing and the page is refreshed. I have already tried to restart the server without success.

I'm seeing this same issue.  Any further word?

Hi jhh -- please verify you have enough available memory. We updated the Release Notes to require at least 1 GB. Also, there is a pending issue with the Microsoft Edge browser.

Thanks for the quick reply.  I'm configured for 4GB of memory, and am using Chrome.

Hi Jhh -- just want to check a couple more things. The 1 GB needs to be available. So if you had 2,000 devices, the recommendation would be 8 GB RAM total (which should be sufficient). Also, the upgrade occurs in two steps, because the OVA is large and needs to be unpacked. Once 100% is reached for the partition, there should be an "Apply" link next to the partition. Clicking that will reboot into the 2.2 image. Just want to make sure you see "Apply" and have clicked it.

We have tried a few times now. It seems like after getting to 100% it stalls and reboots or reloads. It stays at 100% for about 1 or 2 minutes. I never get an accept button. Got an error with HTML code in it one time, but other times it refreshes like nothing happened. Also, we have 10 GB of memory and I am also using Chrome Version 74.0.3729.131 (Official Build) (64-bit).

Hi Josephistre -- thanks, this is helpful. The image is first uploaded into the system (which is the 100% you are seeing), and then it is unpacked into the unused partition (which takes about 10 minutes, due to the size and the composition in the OVA). The unpacking status is displayed next to the partition as another percent-to-completion. When that hits 100%, then the Apply is displayed. But it looks like the system is not even getting to the unpacking. I was able to verify it works in a local environment without devices. We will prioritize trying to reproduce in our test setup.

Is there a way to "unboard" devices and then try uploading? I ask since I have downloaded a generated backup.

Hi Joseph

How many devices are you managing?


If you're getting strange behavior with attempting to upgrade via the OVA option in the GUI double-check the hash value of the OVA you downloaded. Downloaded a couple copies of the OVA earlier that had an incorrect hash but just got a correct one a few minutes ago and it's working fine now.

For reference: 

SHA-256 Checksum: e46f3aa0e4ca760e905739486d8d0720868c609cba1903a085b2d3f82061164a


Just checked the hash on the file I downloaded yesterday and it's good.  I'll try downloading again just to see if it makes a difference despite that.

I'm only managing 5 devices. 

Here are screenshots of df -h and top's memory statistics from my system.


Top doesn't show 1GB free, but when I rebooted yesterday it did.

I have sent a private message; could you please check and confirm?

We are running right under 2000 devices. We decided to reinstall with the new OVA file. It is up now, but the upgrade never worked.

I understand that all users are in the same situation. 
Are there solutions apart from completely rebuilding the machine? Should we expect a patch?

I got connected to a Cambium employee through this thread and they remoted in to my environment to troubleshoot the issue.  In the end I was told they did find a bug that will be fixed in the next release.  He also helped me manually update.  The manual update is supposed to be documented somewhere, but I don't think I've seen that in all my research.  It involved enabling ssh, then using WinSCP to transfer the OVA to the cnmaestro host, then running a command to have it start the upgrade.  Wish I could give you the details, but perhaps they will interject into this thread with those details.

Thanks Anish!!!

Hi Tuvix_IT -- it looks like there is an issue with the image download and staging through the UI. There is a failsafe mechanism to manage this using the Command Line. Once the image is accessible to the OS (either by downloading through SCP or mounting a shared folder), you can execute the following commands:

# Extract and stage the image into the unused partition

sudo /srv/bin/cnmaestro-image stage <OVA Filename>

# View status of the extraction (wait until it completes/hits 100% -- about 10 minutes)

watch -n2 sudo /srv/bin/cnmaestro-image status

# Boot into the new image. Use the inactive partition from the status command

sudo /srv/bin/cnmaestro-image upgrade <os2 or os1>

Edit (3/30/2021): Note these steps are only a failsafe if the UI upgrade is unavailable. They should not be used for downgrades, which are unsupported.
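
A pre-flight check for the command-line staging steps above, added here as an example (not Cambium tooling and not part of the original post): it verifies the OVA against the SHA-256 checksum quoted earlier in this thread and checks the 1 GB available-memory requirement before printing the stage command. The function names, and the use of MemAvailable from /proc/meminfo as the measure of "available" memory, are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks before staging a cnMaestro OVA by hand.
# Function names are hypothetical; nothing here is Cambium tooling.

# SHA-256 quoted in this thread for the OVA.
EXPECTED_SHA256="e46f3aa0e4ca760e905739486d8d0720868c609cba1903a085b2d3f82061164a"
# Release notes ask for at least 1 GB of available memory (value in kB).
MIN_AVAILABLE_KB=1048576

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if file $1 hashes to $2 (case-insensitive hex).
verify_ova_hash() {
    [ -r "$1" ] || return 2
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    got=$(sha256_of "$1") || return 2
    [ "$got" = "$want" ]
}

# Print MemAvailable in kB. Assumption: this kernel estimate is used as
# "available" memory; it differs from the "free" figure shown by top.
mem_available_kb() {
    awk '/^MemAvailable:/ {print $2; found=1} END {exit !found}' \
        "${1:-/proc/meminfo}"
}

# Return 0 if at least MIN_AVAILABLE_KB is available.
enough_memory() {
    avail=$(mem_available_kb "$1") || return 2
    [ "$avail" -ge "$MIN_AVAILABLE_KB" ]
}

# Usage: preflight <ova> [expected-sha256] [meminfo-path]
preflight() {
    verify_ova_hash "$1" "${2:-$EXPECTED_SHA256}" ||
        { echo "SHA-256 mismatch or unreadable file: $1" >&2; return 1; }
    enough_memory "${3:-/proc/meminfo}" ||
        { echo "less than 1 GB of memory available" >&2; return 1; }
    echo "OK to stage: sudo /srv/bin/cnmaestro-image stage $1"
}

if [ "$#" -ge 1 ]; then preflight "$@"; fi
```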


On the homepage (Manage), keeping the "SYSTEM" tree selected, in the general map at the right of the screen the towers become red even if an SM is offline, so the map is almost red.

I think it would be helpful if the tower became red if an AP on the tower goes offline instead of a single SM.



Agree. We should show tower in red color only if any of the APs installed on the tower are offline. This one looks like a bug, will validate this behavior in our lab setup and let you know. Thanks for bringing this observation to our notice.