cnMaestro 3.2.0 (On-Premises) Release (Part 1: Features)


This document highlights new features and significant updates in cnMaestro On-Premises. A separate topic lists the fixes and known issues. The text was revised on 4/3/2023 for release 3.2.0-r7.

Note: Upgrading from 3.2.0-r5
The primary updates in 3.2.0-r7 (over 3.2.0-r5) are: CBRS is now fully supported, and there are a couple enhancements for 60 GHz cnWave (detailed below). There are also several CR fixes listed at the end of this document. Outside of these items, upgrading from 3.2.0-r5 to 3.2.0-r7 is optional.

Important: OVA Upgrade
cnMaestro 3.2.0 On-Premises is distributed as an OVA file, which can be installed as a new Virtual Machine or used to update an existing installation running cnMaestro 3.1.0/3.1.1.

Important: System Backup
It is strongly recommended to take a System Backup prior to upgrading to 3.2.0. This can be done in the UI at Administration > Server > Operations. This is required in case you ever want to downgrade back to the previous version.

Important: Cloud Anchor Accounts
All existing cnMaestro On-Premises instances need to attach to an Anchor account before upgrading to cnMaestro 3.2.0.

Important: Minimum Device Versions
cnMaestro 3.2.0 has removed support for TLS 1.0/1.1 as per current security guidelines. Older Cambium devices use these versions by default, and their software should be updated before transitioning to 3.2.0 (else they will lose connectivity). The minimum versions are:

# Device Type Version
1 cnPilot E Series 3.9-r3
2 cnPilot R Series 4.5
3 ePMP 4.3
4 ePMP 1000 Hotspot Only supports TLS 1.0/1.1 (product is EOL)
5 PMP 20.0.1

If you cannot upgrade to these versions, read the section Enabling TLS 1.0/TLS 1.1 in the User Guide.

Important: API v1 No Longer Supported
As announced during 3.0.0 release, support for the “v1” API version is removed starting in 3.2.0. More information is available in the API Clients section of the User Guide.

Swagger documentation for the v2 RESTful API is available at:

cnMaestro - RESTful API Announcements

Note: Activation of 90-Day Free Trial
By default, a 90-day free trial for cnMaestro X is activated if cnMaestro X is selected during upgrade. This ensures customers have sufficient time to purchase cnMaestro X subscriptions, and devices can complete the Cloud sync operation.

Customers creating new 3.2.0 On-Premises instances can request a 90-day free trial at

Note: Web Browser
Restart your browser (or clear the browser cache with a hard reload) if you are having UI problems with the 3.2.0 version.

Introduction to cnMaestro Subscription Variants

cnMaestro 3.2.0 supports two subscription variants: Essentials and X.

cnMaestro Essentials

This unlicensed, free version of cnMaestro delivers the same experience as the previous cnMaestro, but without the X features.

cnMaestro X

This paid subscription offers advanced cnMaestro network management capabilities and Cambium Care Pro, which provides 24x7 technical support, accelerated access to L2 engineers, and regular software updates for advanced features.

cnMaestro X Features

# Feature Description
1 Administrator User Limit Support for up to 200 cnMaestro administrators.
2 Application Visibility Insight into wireless client application usage.
3 Assists Support for PMP devices.
4 Audit Logs Log user management activity.
5 Auto Manage Routes Automated IPv6 routes for 60 GHz cnWave Distribution Node (DN) and Client Node (CN) based on topology and status of Point of Presence (PoP) Node.
6 Auto-Provisioning Automatically provision devices based on the device subnet.
7 Concurrent Device Jobs Parallel execution of software, configuration, and operation jobs.
8 Configuration Lock Reapply Wi-Fi AP/cnMatrix device configuration if changed outside of cnMaestro.
9 cnArcher Installation Summary Display installation summary of PMP and ePMP SMs.
10 Custom Map Server Enable third-party WMS geolocation map server.
11 Data Reports Schedule recurring CSV data report jobs.
12 ePSK Limit ePSK limit increased to 2,000.
13 External Authentication and Authorization Servers Authenticate and authorize cnMaestro administrators using Active Directory, LDAP, RADIUS, TACACS+, OpenID Connect, and SAML.
14 Guest Access Portal (Paid) Provide guest access through a paid service.
15 Guest Access Portal (Limits) Support 500 Guest Access Portals; 10,000 sessions; 20,000 login event session for maximum of 1 year.
16 Long Term Historical Data Enhanced Performance Graphs and Reports:
  • 1 Year Data : cnMatrix and Wi-Fi APs (such as cnPilot Home, cnPilot E-Series, XE/XV-Series, Xirrus).
  • 1 Year Data : IIoT devices (cnReach).
  • 2 Years Data : Fixed Wireless Broadband (such as 60 GHz cnWave, cnWave 5G fixed, ePMP, PMP, PTP and cnRanger)
17 Link Events Store 60 GHz cnWave Link Events for 30 Days.
18 Managed Service Provider (MSP) Partition a cnMaestro account into separate Managed Accounts, each with its own independent administration and configuration.
19 Map Overlay for 60 GHz cnWave Includes auto-refresh for up to 10 60 GHz cnWave devices for 5-minute statistics.
20 Map Views Enable Satellite and Terrain views.
21 Multi-floor plan Add up to 50 floor plans per site.
22 RADIUS Proxy Proxy RADIUS packets sent through cnMaestro On-Premises instead of directly to the RADIUS server from the AP.
23 RESTful APIs Read data and perform operations programmatically using client applications.
24 Session Management Track current cnMaestro user sessions and force logout of current user sessions.
25 SNMP Support basic SNMP for inventory and alarms.
26 Syslog Forward events and audit logs to remote syslog.
27 Topology Scan Allow users to select a 60 GHz cnWave DN and scan for nodes listening on the same channel sector-wise.
28 Wireless Intrusion Detection System (WIDS) for Enterprise Wi-Fi APs Detect rogue APs in the network.
29 Webhooks Configure Webhooks endpoints to forward alarms.

Cloud Anchor Account

Important: Cloud Anchor Accounts
All existing cnMaestro On-Premises instances need to attach to an Anchor account before upgrading to cnMaestro 3.2.0. All new 3.2.0 On-Premises installations must link to a Cloud Anchor account after installation.

The Cloud Anchor Account exists alongside current NMS Accounts (which host cnMaestro Cloud NMS). The cnMaestro On-Premises instances link to an Anchor account using the Cambium ID and Onboarding Key, both created with the Anchor account. The User Guide details creating an Anchor Account and associating it with one-or-more cnMaestro On-Premises instances.

The Cloud Anchor account serves multiple purposes:

  • Manages subscriptions for both cnMaestro Essentials (free) and cnMaestro X (paid).
  • Automatically pushes announcements of new device firmware and cnMaestro software images.
  • Simplifies CBRS provisioning and billing by aggregating multiple cnMaestro On-Premises instances.


Subscription Management

The Manage Subscriptions > Subscriptions page in the cnMaestro Cloud Anchor account provides a usage summary and a list of pending/active/expired subscriptions across all cnMaestro X On-Premises instances. It aids planning for renewals and the purchase of new subscriptions. The table lists the available subscription tiers; the number of slots used; the status of the subscriptions; the start and end date of the subscriptions; how long the subscriptions are valid; and the EID to which the subscriptions were assigned.



The Manage Subscriptions > Devices page shows devices mapped to cnMaestro X On-Premises instances. It displays a pie chart with different subscription tiers and a table which lists the devices assigned to subscriptions, including MAC Address, Serial Number, Type, Device Tier, Slot Issued to, Slot Issued by, Subscription Name, Subscription Validity, and Subscription State.


On-Prem Instances

This Manage Subscriptions > On-Prem Instances page lists the Tier Category and the number of Subscriptions per Tier for each On-Premises instance linked to the Anchor Account.


On-Premises Cloud Connectivity

Starting in 3.2.0, On-Premises instances must connect to a Cloud Anchor Account to synchronize devices and subscriptions with Cambium. Two connection models are supported: persistently connected and intermittently connected. It is highly recommended On-Premises instances maintain a persistent connection to their Anchor account.

If a persistent connection is not possible, the On-Premises instance can disconnect provided all device(s) have completed Cloud sync with the Anchor Account. This can be verified by reviewing the “Cloud Sync Status” column on the pages below:

  • Onboard > 60 GHz cnWave > Devices page for the 60 GHz cnWave devices
  • Onboard > Edge Controller > Devices page for PTP8xx devices
  • Onboard > Devices page for rest of the device types.
Anchor Account connectivity is required for the following operations:
  • Device onboarding
  • Device deletion and On-Premises instance deletion from the Anchor Account
  • Restore from a backup
  • Upgrade to cnMaestro X
  • Downgrade to cnMaestro Essentials
cnMaestro On-Premises reports the following details to the Anchor Account:
Type Details
System Uptime, Processor, RAM, Disk, Virtualization Vendor
Devices Count, Type, MAC, MSN
Application Software Version, User Types and Count, Account View, Country
Features MSP, CBRS, Wi-Fi Performance, Auto-Provisioning, SNMP, etc.

The graphic below displays the Cloud Connectivity page in the cnMaestro On-Premises UI.


The Cambium ID and Onboarding Key set in the Cloud Anchor Account need to be entered into the On-Premises UI. The graphic below displays the page in the Cloud Anchor Account UI used to change the Onboarding Key.


Manage Subscriptions

A new page, Manage Subscriptions > Subscriptions, is available in the On-Premises UI to track cnMaestro X subscription usage in an individual On-Premises instance. It provides a Usage Summary and a list of pending/active/expired subscriptions pertaining to an individual cnMaestro X instance.



The Manage Subscriptions > Devices page shows the devices in the cnMaestro X On-Premises instance. It presents a pie chart with different subscription tiers and the devices assigned to them. The table underneath lists the devices mapped to subscriptions, including the MAC Address, Serial Number, Type, Device Tier, Subscription Name, Subscription State, and Subscription Validity.



In the cnMaestro On-Premises Onboarding page, all existing action buttons, including Basic Details, Set Location, Update Software and Configure Devices, are now consolidated into a single Edit Device button to improve space utilization.

Additionally, the Approval/Undo Approval toggle button is replaced with an interactive icon button 3.2.0op-11/3.2.0op-12. the existing CBRS “Deregister Devices” action icon is replaced with 3.2.0op-13; and a new “Cloud Sync Status” column tracks the Cloud sync status with the Anchor Account. The system automatically attempts Cloud sync when devices are approved.


Security Enhancements

Support for TLS 1.0/1.1 Removed

The underlying OS for cnMaestro 3.2.0 is upgraded to Ubuntu 20.04, and support for TLS 1.0/1.1 is removed. Devices running a lower version than that specified below cannot connect to cnMaestro.

# Device Type Version
1 cnPilot E Series 3.9-r3
2 cnPilot R Series 4.5
3 ePMP 4.3
4 ePMP 1000 Hotspot Only supports TLS 1.0/1.1 (product is EOL)
5 PMP 20.0.1

If you are unable to upgrade device software, please refer to the section “Enabling TLS1.0/TLS1.1” in the User Guide.

WiFiPerf Server Moved to Essentials

The WiFiPerf daemon at a Site level, used for wireless performance testing between a Wi-Fi AP/Client, is now an Essentials feature.


Assists X3

The Assists feature scans PMP configuration and generates an Assists Score. It evaluates settings that may lead to security or deployment issues, and it generates a summary score at System, Network, Tower, and Device levels. Assists Scores are displayed as a percentage of successful evaluations. This score allows users to recognize and isolate issues in their infrastructure.

NOTE: This feature is evaluated every 24 hours, and it is currently only available for PMP devices. In the future, Assists will be extended to support additional evaluations and device types.

Assists Dashboard

The Assists Dashboard presents the Assists Score and the list of evaluated Assists.


Assist Details

Assist Details presents information about individual Assists.


Affected Devices

Devices failing the evaluation are displayed in a table.


PMP Dashboard with Assists Score

The PMP Dashboard is enhanced to include the Assists Score.


cnWave 5G Fixed Device Support beta

cnMaestro supports the following monitoring and management functionalities for cnWave 5G Fixed devices.

Feature Details
Onboarding Onboard cnWave 5G Fixed BTS device using Cambium ID and Serial Number.
Dashboard Device (BTS/CPE) level Dashboard.
Configuration Device (BTS) level can move to another MSP/Network/Tower.
Details Device (BTS/CPE) level details.
Notifications Device specific notifications and alarms.
Performance Performance graphs with the following metrics:
BTS: Throughput and CPE Count
CPE: Throughput, MCS, EVM, and Rx Power
Statistics System and Network level Statistics can be viewed and exported for cnWave 5G Fixed devices.
Software Update Bulk software update
Reports System and Network Reports can be downloaded for cnWave 5G Fixed devices

Onboarding cnWave 5G Fixed BTS Device

The cnWave 5G Fixed BTS device can be onboarded by claiming its MSN (Manufacturer Serial Number) in cnMaestro, or alternatively by entering Cambium ID and Onboarding Key in the cnWave 5G Fixed BTS device GUI.


Onboarding Queue

cnWave 5G Fixed BTS


Device Dashboard

cnWave 5G Fixed BTS


cnWave 5G Fixed CPE




Device Configuration

cnWave 5G Fixed BTS


Device Details

cnWave 5G Fixed BTS


cnWave 5G Fixed CPE


CPE List

List of cnWave 5G Fixed CPE Devices under cnWave 5G Fixed BTS Device



cnWave 5G Fixed BTS


cnWave 5G Fixed CPE


Software Update


Device Statistics

cnWave 5G Fixed BTS


cnWave 5G Fixed CPE


Reports X3


Edge Controller and PTP 820/850 Device Support

cnMaestro now supports PTP 820/850 device management using an Edge Controller, which is a software application installed on a Ubuntu or CentOS server running behind the customer firewall. The following management functionalities are available:

Edge Controller

Feature Details
Onboarding Onboard the Edge Controller using Cambium ID.
Dashboard Device Dashboard for Edge Controller.
Discovery Configure SNMP rules to discover PTP 820/850 devices.
Monitor Monitor Edge Controller CPU Utilization and Load, Process Activity, Memory Usage, Swap Usage, and File system.
MSP Managed Service Provider support for Edge Controller
Software Update Edge Controller updates (Edge Controller > Tools >Operations).
Tools Diagnostics, Operations, and Services

PTP 820/850

Feature Details
Onboarding Onboard PTP 820/850 through SNMP discovery rules.
Dashboard Dashboard for PTP 820/850 devices.
Configuration Template support for a subset of PTP 820/850 configuration.
Details Overview, Ethernet, Security, and Activation Key details
Notifications Device-specific notifications and alarms.
Performance Performance graphs with the following metrics:
  • Throughput by Groups and Radios
  • Peak Throughput by Groups and Radios
  • Signal Level: RSL and TSL
  • Modem MSE and XPI
  • MRMC Profile
Statistics System, Network, and Tower Statistics can be viewed and exported.
Software Update Bulk software updates.
Maps Device and link display on the Map.
Tools Diagnostics, Operations, and Services
Reports System, Network, and Tower level Reports for PTP 820/850 devices

Edge Controller


The Edge Controller is installed using a script executed as super user. See the Edge Controller User Guide for more details.


The Edge Controller is onboarded to cnMaestro by configuring the cnMaestro URL, Cambium ID, and Onboarding Key through the Edge Controller CLI:


Once onboarded, the Edge Controller is placed into the Onboarding Queue in cnMaestro.



It must be Approved to complete onboarding. Once approved, Edge Controller is listed under Network Services > Edge Controller.



A basic dashboard is available for the Edge Controller application.



SNMP discovery rules are configured to locate PTP 820/850 devices; a blacklist is also available to ignore devices.





Monitor resource utilization on the Edge Controller installation.


PTP 820/850


Onboarding PTP 820/850 devices is though SNMP discovery rules, configured in Edge Controller > Configuration. The Edge Controller will discover PTP 820/850 devices using SNMP.


Discovered devices are placed in Onboard > Edge Controller > Devices Onboarding Queue.


They must be Approved in order to be onboarded into cnMaestro.

PTP 820/850 Device Dashboard

The PTP 820/850 Device Dashboard is presented below. It displays information on Radio Health as well as Radio Groupings, such as MC-ABC, HSB, XPIC, and AMCC.


PTP 820/850 Notifications


PTP 820/850 Configuration

A subset of PTP 820/850 configuration is available through Templates.


PTP 820/850 Details


PTP 820/850 Performance

Device performance graphs are available for various metrics, including Throughput, Signal, Modem MSE, and Modem XPI.


PTP 820/850 Statistics

PTP 820/850 Statistics are displayed at the System level in the hierarchy.


PTP 820/850 Reports X3

PTP 820/850 details are also available in Data Report aggregations.


PTP 820/850 Software Update

Bulk Software Update is available.


60 GHz cnWave Topology Scan X3

This feature discovers the 60 GHz cnWave network and creates a comprehensive, detailed network topology. This tool only detects nodes operating in responder mode. It will not detect CNs with a wireless link already established. Offline nodes with a configured channel override will not be detected on a different channel.

Topology Scan Option


Start Topology Scan


Results of Topology Scan


Add Node to Topology



MSP support for 60 GHz cnWave E2E Controller X3

When a new E2E Controller onboards, it can be moved to a Managed Account at the time of approval. Existing E2E Controllers can be moved into Managed Accounts by selecting Edit from the menu options of the E2E Network in the hierarchical tree.

Onboard E2E Network


External E2E Network


Moving Existing E2E Network


60 GHz cnWave Improvements (new in 3.2.0-r7)

Unmanaged 60 GHz cnWave devices on Map

The unmanaged 60 GHz cnWave devices will be shown with a different icon and links will be displayed in grey on the Map.


Link Availability Options in Reports

Link Availability Duration and Percentage are available when selecting type as Links with 1 hour period in Report > Performance page.


Introducing the Radio tab in E2E Network

A new Radio tab is added under E2E Network > Configuration. The Wireless Scans option is moved from the Basic to Radio tab with the below new options:

  • CN Channel Re-Scan
  • Beam Persist
  • Asymmetric TDD
  • Other Settings


E2E Controller Gateway Unreachable Alarm

A New Alarm is generated and shown on the Notifications page when the E2E Controller Gateway is unreachable.

Wireless Intrusion Detection System (WIDS) X3

This feature is available under AP Group > Security page. It detects Flood Attacks such as for Association, Authentication, Disassociation, Deauthentication, and EAP.


WIDS Monitoring

WIDS monitoring details are available at the Site level. The WIDS page displays details of Rogue AP, Honeypot APs, and Known APs for 2.4 GHz, 5 GHz, and 6 GHz.

Rogue APs


Honeypot APs


Known APs


Miscellaneous UI Improvements

Onboarding Queue

All existing provisioning action buttons – Basic Details, Set Location, Update Software and Configure Devices are consolidated into a single Edit Device action button to improve space utilization.

Also, the Approval/Undo Approval toggle button is replaced with an interactive icon button 3.2.0r1-25 / 3.2.0r1-26.

Existing CBRS “Deregister Devices” action icon is replaced with 3.2.0r1-27.


Filter in Alarms and Alarms History Grids

Advanced Filter option added in the Alarms and Alarms History grids.


APs Tab renamed to Devices under Sites

Due to the release of the NSE (Network Services Edge) under Sites, the existing APs tab is renamed Devices.


APs Tab renamed to Devices under Sites

Due to the release of the NSE (Network Services Edge) under Sites, the existing APs tab is renamed Devices.


Expand/Collapse Icon for Main Menu is Enhanced (new in 3.2.0-r7)

The Expand/Collapse icon for Main Menu is changed from one to two.

API Updates X3

Important: API v1 No Longer Supported
As announced during 3.0.0 release, support for the “v1” version of the API is removed starting in 3.2.0. More information is available in the API Clients section of the User Guide.

Swagger documentation for the v2 RESTful API is available at:


Hey Rob,

So if we’re utilizing CBRS at all, we can’t upgrade to this release?



Hi @jnovak --yes, please don’t install this version if you are using CBRS. We will release an updated 3.2.0 that will work correctly.

I still find it sad that 3.2 now requires a subscription fee for on-prem features that were around since day one, but even then i can get that more advanced stuff being behind a license… But losing access to RESTapis seems like a major restriction thats sad to see moved behind a license.


Just stay on 3.1.1 :wink:

Right up until they change the firm/software so the devices will no longer work on 3.1.1


You can’t use cnMatrix devices anymore on free version, more and more features going for paid subscription. We just got used to Cambium, but right now, we are not so sure about it anymore. Tough spot for Cambium, to make your loyal customers question if it is worth it anymore.
I wish we would have road map plan for devices and software, so we know what can we expect in the feature and how to decide.

Just to clarify this statement: you absolutely can still use cnMatrix devices with the free version of cnMaestro (cnMaestro Essentials).

The recent change was to require subscriptions for cnMatrix devices with cnMaestro X.


You might wanna make that more clearer on PMBs. Especially on PMB-1559. Multiple of us read that document and we all came to the same conclusion. Thank god, I am on Community from time to time! :slight_smile:

Thanks Simon!


Hi, how is with licensing for PTP820/850 for X version? Which license should we buy?


I believe all PTP devices are Tier 2, so you would want one of the MSX-SUB-T2-[1/3/5] subscriptions.

1 Like

A few questions:

  1. Does cnMaestro 3.2 include an upgrade from the Ubuntu 18.04.1 to a newer LTS image?
  2. What ports need to be opened in the corporate firewall for outbound connectivity for the anchor account?
  3. Does cnMaestro 3.2 ship with the OS level firewall enabled and only necessary ports allowed? If not, what ports are necessary to maintain inbound and outbound connectivity between the APs, SMs, and cnMaestro?
  4. Per the 3.2 user manual, if only outbound connectivity is required, how does Cambium plan on pushing notifications to the on-prem cnMaestro? If inbound is eventually the goal, what inbound ports are required?
  5. Does Cambium eventually plan on phasing out on-prem cnMaestro, hence the insistence of an anchor account?

Both device-to-cnMaestro connections and On-Prem-to-Anchor connections use websockets over HTTPS (port 443). For devices, the connection is initiated by the device, and for On-Prem-to-Anchor it is initiated by the On-Prem server.

Once the connections have been established, they can be used for bi-directional communication. This is how cnMaestro Cloud is able to push configuration down to devices, and is also how cnMaestro Cloud can push notifications to the On-Premises instance. There will never be a need to allow inbound connections from the cloud to your network.

Thanks Simon! Do you know if the 3.2 on-prem release has an upgraded Ubuntu image, i.e. something newer than 18.04.1? That version of Ubuntu ends support this month.

Hiya @rnelson - it does, its updated the base image to 20.04 :slight_smile:


Is there will be a drawback to use cnMaestro essential without internet access (just access one time for the anchor during install)?

1 Like

From reading the release notes and threads, it sounds like on-prem is unable to onboard devices unless anchor account regains internet access. It is essentially no different than requiring internet access to play Sim City.

1 Like

Thanks. So maybe ok if all devices are already onboarded. Will test it.