Introduction
This document highlights new features and significant updates in cnMaestro On-Premises. A separate topic lists the fixes and known issues.
Important: OVA Upgrade
cnMaestro 3.2.0 On-Premises is distributed as an OVA file, which can be installed as a new Virtual Machine or used to update an existing installation running cnMaestro 3.1.0/3.1.1.
Important: System Backup
It is strongly recommended to take a System Backup prior to upgrading to 3.2.0. This can be done in the UI at Administration > Server > Operations. This is required in case you ever want to downgrade back to the previous version.
Important: Cloud Anchor Accounts
All existing cnMaestro On-Premises instances need to attach to an Anchor account before upgrading to cnMaestro 3.2.0.
Important: Minimum Device Versions
cnMaestro 3.2.0 has removed support for TLS 1.0/1.1 as per current security guidelines. Older Cambium devices use these versions by default, and their software should be updated before transitioning to 3.2.0 (else they will lose connectivity). The minimum versions are:
| # | Device Type | Version |
|---|---|---|
| 1 | cnPilot E Series | 3.9-r3 |
| 2 | cnPilot R Series | 4.5 |
| 3 | ePMP | 4.3 |
| 4 | ePMP 1000 Hotspot | Only supports TLS 1.0/1.1 (product is EOL) |
| 5 | PMP | 20.0.1 |
If you cannot upgrade to these versions, read the section Enabling TLS 1.0/TLS 1.1 in the User Guide.
Important: API v1 No Longer Supported
As announced during 3.0.0 release, support for the “v1” API version is removed starting in 3.2.0. More information is available in the API Clients section of the User Guide.
Swagger documentation for the v2 RESTful API is available at:
cnMaestro - RESTful API Announcements
Important: CBRS
This 3.2.0 OVA does not support updating an existing On-Premises server currently using CBRS. Similarly, an On-Premises server running 3.2.0 does not support restoring data from a system backup containing CBRS data.
A version of 3.2.0 will be released in the near future which has support for CBRS.
Note: Activation of 90-Day Free Trial
By default, a 90-day free trial for cnMaestro X is activated if cnMaestro X is selected during upgrade. This ensures customers have sufficient time to purchase cnMaestro X subscriptions, and devices can complete the Cloud sync operation.
Customers creating new 3.2.0 On-Premises instances can request a 90-day free trial at https://www.cambiumnetworks.com/cnmaestro-x/.
Note: Web Browser
Restart your browser (or clear the browser cache with a hard reload) if you are having UI problems with the 3.2.0 version.
Introduction to cnMaestro Subscription Variants
cnMaestro 3.2.0 supports two subscription variants: Essentials and X.
cnMaestro Essentials
This unlicensed, free version of cnMaestro delivers the same experience as the previous cnMaestro, but without the X features.
cnMaestro X
This paid subscription offers advanced cnMaestro network management capabilities and Cambium Care Pro, which provides 24x7 technical support, accelerated access to L2 engineers, and regular software updates for advanced features.
cnMaestro X Features
| # | Feature | Description |
|---|---|---|
| 1 | Administrator User Limit | Support for up to 200 cnMaestro administrators. |
| 2 | Application Visibility | Insight into wireless client application usage. |
| 3 | Assists | Support for PMP devices. |
| 4 | Audit Logs | Log user management activity. |
| 5 | Auto Manage Routes | Automated IPv6 routes for 60 GHz cnWave Distribution Node (DN) and Client Node (CN) based on topology and status of Point of Presence (PoP) Node. |
| 6 | Auto-Provisioning | Automatically provision devices based on the device subnet. |
| 7 | Concurrent Device Jobs | Parallel execution of software, configuration, and operation jobs. |
| 8 | Configuration Lock | Reapply Wi-Fi AP/cnMatrix device configuration if changed outside of cnMaestro. |
| 9 | cnArcher Installation Summary | Display installation summary of PMP and ePMP SMs. |
| 10 | Custom Map Server | Enable third-party WMS geolocation map server. |
| 11 | Data Reports | Schedule recurring CSV data report jobs. |
| 12 | ePSK Limit | ePSK limit increased to 2,000. |
| 13 | External Authentication and Authorization Servers | Authenticate and authorize cnMaestro administrators using Active Directory, LDAP, RADIUS, TACACS+, OpenID Connect, and SAML. |
| 14 | Guest Access Portal (Paid) | Provide guest access through a paid service. |
| 15 | Guest Access Portal (Limits) | Support 500 Guest Access Portals; 10,000 sessions; 20,000 login event session for maximum of 1 year. |
| 16 | Long Term Historical Data | Enhanced Performance Graphs and Reports:
|
| 17 | Link Events | Store 60 GHz cnWave Link Events for 30 Days. |
| 18 | Managed Service Provider (MSP) | Partition a cnMaestro account into separate Managed Accounts, each with its own independent administration and configuration. |
| 19 | Map Overlay for 60 GHz cnWave | Includes auto-refresh for up to 10 60 GHz cnWave devices for 5-minute statistics. |
| 20 | Map Views | Enable Satellite and Terrain views. |
| 21 | Multi-floor plan | Add up to 50 floor plans per site. |
| 22 | RADIUS Proxy | Proxy RADIUS packets sent through cnMaestro On-Premises instead of directly to the RADIUS server from the AP. |
| 23 | RESTful APIs | Read data and perform operations programmatically using client applications. |
| 24 | Session Management | Track current cnMaestro user sessions and force logout of current user sessions. |
| 25 | SNMP | Support basic SNMP for inventory and alarms. |
| 26 | Syslog | Forward events and audit logs to remote syslog. |
| 27 | Topology Scan | Allow users to select a 60 GHz cnWave DN and scan for nodes listening on the same channel sector-wise. |
| 28 | Wireless Intrusion Detection System (WIDS) for Enterprise Wi-Fi APs | Detect rogue APs in the network. |
| 29 | Webhooks | Configure Webhooks endpoints to forward alarms. |
Cloud Anchor Account
Important: Cloud Anchor Accounts
All existing cnMaestro On-Premises instances need to attach to an Anchor account before upgrading to cnMaestro 3.2.0. All new 3.2.0 On-Premises installations must link to a Cloud Anchor account after installation.
The Cloud Anchor Account exists alongside current NMS Accounts (which host cnMaestro Cloud NMS). The cnMaestro On-Premises instances link to an Anchor account using the Cambium ID and Onboarding Key, both created with the Anchor account. The User Guide details creating an Anchor Account and associating it with one-or-more cnMaestro On-Premises instances.
The Cloud Anchor account serves multiple purposes:
- Manages subscriptions for both cnMaestro Essentials (free) and cnMaestro X (paid).
- Automatically pushes announcements of new device firmware and cnMaestro software images.
- Simplifies CBRS provisioning and billing by aggregating multiple cnMaestro On-Premises instances.
Subscription Management
The Manage Subscriptions > Subscriptions page in the cnMaestro Cloud Anchor account provides a usage summary and a list of pending/active/expired subscriptions across all cnMaestro X On-Premises instances. It aids planning for renewals and the purchase of new subscriptions. The table lists the available subscription tiers; the number of slots used; the status of the subscriptions; the start and end date of the subscriptions; how long the subscriptions are valid; and the EID to which the subscriptions were assigned.
Devices
The Manage Subscriptions > Devices page shows devices mapped to cnMaestro X On-Premises instances. It displays a pie chart with different subscription tiers and a table which lists the devices assigned to subscriptions, including MAC Address, Serial Number, Type, Device Tier, Slot Issued to, Slot Issued by, Subscription Name, Subscription Validity, and Subscription State.
On-Prem Instances
This Manage Subscriptions > On-Prem Instances page lists the Tier Category and the number of Subscriptions per Tier for each On-Premises instance linked to the Anchor Account.
On-Premises Cloud Connectivity
Starting in 3.2.0, On-Premises instances must connect to a Cloud Anchor Account to synchronize devices and subscriptions with Cambium. Two connection models are supported: persistently connected and intermittently connected. It is highly recommended On-Premises instances maintain a persistent connection to their Anchor account.
If a persistent connection is not possible, the On-Premises instance can disconnect provided all device(s) have completed Cloud sync with the Anchor Account. This can be verified by reviewing the “Cloud Sync Status” column on the pages below:
- Onboard > 60 GHz cnWave > Devices page for the 60 GHz cnWave devices
- Onboard > Edge Controller > Devices page for PTP8xx devices
- Onboard > Devices page for rest of the device types.
- Device onboarding
- Device deletion and On-Premises instance deletion from the Anchor Account
- Restore from a backup
- Upgrade to cnMaestro X
- Downgrade to cnMaestro Essentials
| Type | Details |
|---|---|
| System | Uptime, Processor, RAM, Disk, Virtualization Vendor |
| Devices | Count, Type, MAC, MSN |
| Application | Software Version, User Types and Count, Account View, Country |
| Features | MSP, CBRS, Wi-Fi Performance, Auto-Provisioning, SNMP, etc. |
The graphic below displays the Cloud Connectivity page in the cnMaestro On-Premises UI.
The Cambium ID and Onboarding Key set in the Cloud Anchor Account need to be entered into the On-Premises UI. The graphic below displays the page in the Cloud Anchor Account UI used to change the Onboarding Key.
Manage Subscriptions
A new page, Manage Subscriptions > Subscriptions, is available in the On-Premises UI to track cnMaestro X subscription usage in an individual On-Premises instance. It provides a Usage Summary and a list of pending/active/expired subscriptions pertaining to an individual cnMaestro X instance.
Devices
The Manage Subscriptions > Devices page shows the devices in the cnMaestro X On-Premises instance. It presents a pie chart with different subscription tiers and the devices assigned to them. The table underneath lists the devices mapped to subscriptions, including the MAC Address, Serial Number, Type, Device Tier, Subscription Name, Subscription State, and Subscription Validity.
Onboarding
In the cnMaestro On-Premises Onboarding page, all existing action buttons, including Basic Details, Set Location, Update Software and Configure Devices, are now consolidated into a single Edit Device button to improve space utilization.
Additionally, the Approval/Undo Approval toggle button is replaced with an interactive icon button 
/
. the existing CBRS “Deregister Devices” action icon is replaced with 
; and a new “Cloud Sync Status” column tracks the Cloud sync status with the Anchor Account. The system automatically attempts Cloud sync when devices are approved.
Security Enhancements
Support for TLS 1.0/1.1 Removed
The underlying OS for cnMaestro 3.2.0 is upgraded to Ubuntu 20.04, and support for TLS 1.0/1.1 is removed. Devices running a lower version than that specified below cannot connect to cnMaestro.
| # | Device Type | Version |
|---|---|---|
| 1 | cnPilot E Series | 3.9-r3 |
| 2 | cnPilot R Series | 4.5 |
| 3 | ePMP | 4.3 |
| 4 | ePMP 1000 Hotspot | Only supports TLS 1.0/1.1 (product is EOL) |
| 5 | PMP | 20.0.1 |
If you are unable to upgrade device software, please refer to the section “Enabling TLS1.0/TLS1.1” in the User Guide.
WiFiPerf Server Moved to Essentials
The WiFiPerf daemon at a Site level, used for wireless performance testing between a Wi-Fi AP/Client, is now an Essentials feature.
Assists 
The Assists feature scans PMP configuration and generates an Assists Score. It evaluates settings that may lead to security or deployment issues, and it generates a summary score at System, Network, Tower, and Device levels. Assists Scores are displayed as a percentage of successful evaluations. This score allows users to recognize and isolate issues in their infrastructure.
NOTE: This feature is evaluated every 24 hours, and it is currently only available for PMP devices. In the future, Assists will be extended to support additional evaluations and device types.
Assists Dashboard
The Assists Dashboard presents the Assists Score and the list of evaluated Assists.
Assist Details
Assist Details presents information about individual Assists.
Affected Devices
Devices failing the evaluation are displayed in a table.
PMP Dashboard with Assists Score
The PMP Dashboard is enhanced to include the Assists Score.
cnWave 5G Fixed Device Support 
cnMaestro supports the following monitoring and management functionalities for cnWave 5G Fixed devices.
| Feature | Details |
|---|---|
| Onboarding | Onboard cnWave 5G Fixed BTS device using Cambium ID and Serial Number. |
| Dashboard | Device (BTS/CPE) level Dashboard. |
| Configuration | Device (BTS) level can move to another MSP/Network/Tower. |
| Details | Device (BTS/CPE) level details. |
| Notifications | Device specific notifications and alarms. |
| Performance | Performance graphs with the following metrics: BTS: Throughput and CPE Count CPE: Throughput, MCS, EVM, and Rx Power |
| Statistics | System and Network level Statistics can be viewed and exported for cnWave 5G Fixed devices. |
| Software Update | Bulk software update |
| Reports | System and Network Reports can be downloaded for cnWave 5G Fixed devices |
Onboarding cnWave 5G Fixed BTS Device
The cnWave 5G Fixed BTS device can be onboarded by claiming its MSN (Manufacturer Serial Number) in cnMaestro, or alternatively by entering Cambium ID and Onboarding Key in the cnWave 5G Fixed BTS device GUI.
Onboarding Queue
cnWave 5G Fixed BTS
Device Dashboard
cnWave 5G Fixed BTS
cnWave 5G Fixed CPE
Notifications
Device Configuration
cnWave 5G Fixed BTS
Device Details
cnWave 5G Fixed BTS
cnWave 5G Fixed CPE
CPE List
List of cnWave 5G Fixed CPE Devices under cnWave 5G Fixed BTS Device
Performance
cnWave 5G Fixed BTS
cnWave 5G Fixed CPE
Software Update
Device Statistics
cnWave 5G Fixed BTS
cnWave 5G Fixed CPE
Reports
Edge Controller and PTP 820/850 Device Support
cnMaestro now supports PTP 820/850 device management using an Edge Controller, which is a software application installed on a Ubuntu or CentOS server running behind the customer firewall. The following management functionalities are available:
Edge Controller
| Feature | Details |
|---|---|
| Onboarding | Onboard the Edge Controller using Cambium ID. |
| Dashboard | Device Dashboard for Edge Controller. |
| Discovery | Configure SNMP rules to discover PTP 820/850 devices. |
| Monitor | Monitor Edge Controller CPU Utilization and Load, Process Activity, Memory Usage, Swap Usage, and File system. |
| MSP | Managed Service Provider support for Edge Controller |
| Software Update | Edge Controller updates (Edge Controller > Tools >Operations). |
| Tools | Diagnostics, Operations, and Services |
PTP 820/850
| Feature | Details |
|---|---|
| Onboarding | Onboard PTP 820/850 through SNMP discovery rules. |
| Dashboard | Dashboard for PTP 820/850 devices. |
| Configuration | Template support for a subset of PTP 820/850 configuration. |
| Details | Overview, Ethernet, Security, and Activation Key details |
| Notifications | Device-specific notifications and alarms. |
| Performance | Performance graphs with the following metrics:
|
| . | |
| Statistics | System, Network, and Tower Statistics can be viewed and exported. |
| Software Update | Bulk software updates. |
| Maps | Device and link display on the Map. |
| Tools | Diagnostics, Operations, and Services |
| Reports | System, Network, and Tower level Reports for PTP 820/850 devices |
Edge Controller
Installation
The Edge Controller is installed using a script executed as super user. See the Edge Controller User Guide for more details.
Onboarding
The Edge Controller is onboarded to cnMaestro by configuring the cnMaestro URL, Cambium ID, and Onboarding Key through the Edge Controller CLI:
Once onboarded, the Edge Controller is placed into the Onboarding Queue in cnMaestro.
It must be Approved to complete onboarding. Once approved, Edge Controller is listed under Network Services > Edge Controller.
Dashboard
A basic dashboard is available for the Edge Controller application.
Configuration
SNMP discovery rules are configured to locate PTP 820/850 devices; a blacklist is also available to ignore devices.
Tools
Monitoring
Monitor resource utilization on the Edge Controller installation.
PTP 820/850
Onboarding
Onboarding PTP 820/850 devices is though SNMP discovery rules, configured in Edge Controller > Configuration. The Edge Controller will discover PTP 820/850 devices using SNMP.
Discovered devices are placed in Onboard > Edge Controller > Devices Onboarding Queue.
They must be Approved in order to be onboarded into cnMaestro.
PTP 820/850 Device Dashboard
The PTP 820/850 Device Dashboard is presented below. It displays information on Radio Health as well as Radio Groupings, such as MC-ABC, HSB, XPIC, and AMCC.
PTP 820/850 Notifications
PTP 820/850 Configuration
A subset of PTP 820/850 configuration is available through Templates.
PTP 820/850 Details
PTP 820/850 Performance
Device performance graphs are available for various metrics, including Throughput, Signal, Modem MSE, and Modem XPI.
PTP 820/850 Statistics
PTP 820/850 Statistics are displayed at the System level in the hierarchy.
PTP 820/850 Reports
PTP 820/850 details are also available in Data Report aggregations.
PTP 820/850 Software Update
Bulk Software Update is available.
60 GHz cnWave Topology Scan
This feature discovers the 60 GHz cnWave network and creates a comprehensive, detailed network topology. This tool only detects nodes operating in responder mode. It will not detect CNs with a wireless link already established. Offline nodes with a configured channel override will not be detected on a different channel.
Topology Scan Option
Start Topology Scan
Results of Topology Scan
Add Node to Topology
MSP support for 60 GHz cnWave E2E Controller
When a new E2E Controller onboards, it can be moved to a Managed Account at the time of approval. Existing E2E Controllers can be moved into Managed Accounts by selecting Edit from the menu options of the E2E Network in the hierarchical tree.
Onboard E2E Network
External E2E Network
Moving Existing E2E Network
Wireless Intrusion Detection System (WIDS)
This feature is available under AP Group > Security page. It detects Flood Attacks such as for Association, Authentication, Disassociation, Deauthentication, and EAP.
WIDS Monitoring
WIDS monitoring details are available at the Site level. The WIDS page displays details of Rogue AP, Honeypot APs, and Known APs for 2.4 GHz, 5 GHz, and 6 GHz.
Rogue APs
Honeypot APs
Known APs
Miscellaneous UI Improvements
Onboarding Queue
All existing provisioning action buttons – Basic Details, Set Location, Update Software and Configure Devices are consolidated into a single Edit Device action button to improve space utilization.
Also, the Approval/Undo Approval toggle button is replaced with an interactive icon button 
/ 
.
Existing CBRS “Deregister Devices” action icon is replaced with 
.
Filter in Alarms and Alarms History Grids
Advanced Filter option added in the Alarms and Alarms History grids.
APs Tab renamed to Devices under Sites
Due to the release of the NSE (Network Services Edge) under Sites, the existing APs tab is renamed Devices.
API Updates
Important: API v1 No Longer Supported
As announced during 3.0.0 release, support for the “v1” version of the API is removed starting in 3.2.0. More information is available in the API Clients section of the User Guide.
Swagger documentation for the v2 RESTful API is available at:
