Introduction
This document highlights new features and significant updates in cnMaestro Cloud.
Important: Web Browser
Restart your browser (or clear the browser cache with a hard reload) if you are having UI problems with the 4.0.0 update.
Assists for cnMatrix, cnPilot Home, and ePMP
Assists are extended to cnPilot Home, cnMatrix and ePMP. The Assists feature scans device configuration and generates an Assists Score. It evaluates settings that may lead to security or deployment issues and generates a summary score for System, Network, Site, Tower, and Device. Assists Scores are displayed as a percentage of successful evaluations.
Assists Dashboard
The Assists Dashboard presents the Assists Score and the list of evaluated Assists.
Assists Details
Assists Details provide information about individual Assists.
Affected Devices
Devices failing evaluation are displayed in a table.
Dashboard Widgets
The Assists Dashboard widget has been added to the Dashboard pages.
cnPilot Dashboard Page
cnMatrix Dashboard Page
ePMP Dashboard Page
Fix Now Support for ePMP and PMP
The Fix Now option resolves Assists discovered when scanning ePMP and PMP devices.
ePMP Fix Now
PMP Fix Now
Edit Client Host Name
This feature allows users to edit the host name of wired and wireless clients. Navigate to Clients > Wireless/Wired Clients and click the Edit icon under Actions.
The edited host name is displayed in Audit logs, Reports, Data Export, and Client Dashboards.
Access Control Policies for Enterprise Wi-Fi
Access Control Policies limit network traffic. They can be configured at the AP Group and WLAN levels. AP Group policies have higher priority than WLAN policies. Both Layer 2 and Layer 3 rules are available; they are processed in the priority order of MAC Filters (Layer 2), IP Filters, then Application Filters. Application Filters are a cnMaestro X feature.
Access Control Policies are available under Configuration > Wi-Fi Profiles.
WLAN Access Policy
After creation, link the policy under the WLAN > Access Control tab.
AP Group Policy
After creation, link the policy under the AP Group > Access Control tab.
NSE 3000 Specific Features
VPN Two-Factor Authentication
In the VPN and RADIUS Server configuration, administrators can enable two-factor authentication for users:
Click the QR Code icon and scan with the Google Authenticator app to add a 16-digit key.
An email is also sent with the QR code and 16-digit key.
Two-Factor Authentication is available for users accessing the NSE with a remote VPN client from the WAN side. You must select the “Enable 2fa” checkbox in the “Client VPN” configuration for this feature to work. You should also select “Enable inbuilt RADIUS server” when setting up the remote VPN server on the NSE.
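The following is an added illustration, not Cambium code and not part of the release notes, of how a code from the Google Authenticator app is derived from the 16-character key and checked on the server side. It assumes the app's default parameters (RFC 6238 TOTP, HMAC-SHA1, 30-second step, 6 digits), a Base32-encoded key, and a tolerance of one step of clock drift; `SAMPLE_KEY` is a constructed value, and the NSE's actual verification logic is not described on this page.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step (Google Authenticator default, assumed)
DIGITS = 6    # code length (Google Authenticator default, assumed)
SAMPLE_KEY = "JBSWY3DPEHPK3PXP"   # constructed 16-character Base32 key (80 bits)


def decode_key(key_b32: str) -> bytes:
    """Decode the Base32 key as typed by a user (spaces and case ignored)."""
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding dropped for display
    return base64.b32decode(cleaned)


def totp(key_b32: str, at: float) -> str:
    """RFC 6238 code for the time step that contains Unix time `at`."""
    counter = struct.pack(">Q", max(0, int(at)) // STEP)
    digest = hmac.new(decode_key(key_b32), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F             # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(key_b32: str, code: str, at: float, drift_steps: int = 1) -> bool:
    """Accept `code` if it matches a step within +/- drift_steps of `at`."""
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(key_b32, at + delta * STEP)
        # compare_digest keeps the comparison time independent of the match
        ok |= hmac.compare_digest(expected, code)
    return ok


if __name__ == "__main__":
    now = 1_700_000_000   # fixed timestamp so the output is reproducible
    code = totp(SAMPLE_KEY, now)
    print("code:", code)
    print("accepted 30 s later:", verify(SAMPLE_KEY, code, now + 30))
    print("accepted 90 s later:", verify(SAMPLE_KEY, code, now + 90))
```

A 16-character Base32 key carries 80 bits, so the key delivered by QR code and email is the entire second factor and should be handled like a password.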
PPPoE Support on WAN
The WAN interface now supports PPPoE (in addition to static and dynamic IP address learning). PPPoE is configured with the username and password given by the service provider.
PPPoE Statistics
PPPoE Statistics display the connection status and uptime along with the IP address and default gateway learned from the service provider.
Flow Preference
NSE Flow Preference sends Internet traffic through a specific WAN interface based on Layer 3 or Layer 7 properties. The Flow Preference policy will be pushed to the device if the load balancing mode of the attached WAN interface is set to Shared.
Layer 7 Rule
Layer 3 Rule
Site-to-Site IPsec
An IPsec tunnel provides a secure, encrypted connection between two devices or networks. An IPsec site-to-site tunnel connects two remote sites.
IPsec Tunnel Statistics
IPsec tunnel statistics display the tunnel status of IKE phase 1 and phase 2 along with the session time.
Static DNS Configuration
Static IP Address assignment now supports configuration of Primary and Secondary DNS servers.
VLAN Tag on WAN [Dot1q]
If enabled, the NSE inserts a Dot1q tag with the configured VLAN ID into all packets exiting the WAN interface.
DNS Logging
Log DNS queries received from clients to an external syslog server.
User-Defined Overrides
Ability to set configuration parameters in NSE Groups which are not supported in the GUI.
Factory Reset
Erase all configuration on the device and restore to factory default.
Configuration Lock
Keep the configuration between NSE devices and cnMaestro synchronized: any changes performed on the device will be overridden by cnMaestro.
Outbound Firewall Rules Count Increased to 150
The Outbound firewall rule count in the NSE Group has been increased to 150. The rules can be a combination of Layer 3 and Layer 7 rules.
MAC to IP Binding Increased to 200
The MAC to IP binding under the DHCP Server is increased to 200.
NSE Group Import/Export
Tools
Troubleshooting tools are added for NSE devices:
- Log view
- Remote CLI to visualize real-time statistics and execute traceroute and ping
- Live packet capture
UI Navigational Changes
The “AP Groups and WLANs” menu item is renamed “Wi-Fi Profiles” to accommodate new Access Control Policies and existing Association ACLs.
Expand/Collapse Icon for Main Menu is Enhanced
The Expand/Collapse icon for the Main Menu has changed.
Supported Cambium Products
cnMaestro supports the following Cambium Networks products. The software versions are the minimum required to use cnMaestro (not the recommended versions).
Family | Model | Version |
---|---|---|
60 GHz cnWave | V1000 | 1.0 |
60 GHz cnWave | V2000 | 1.2.2-beta3 |
60 GHz cnWave | V3000 | 1.0 |
60 GHz cnWave | V5000 | 1.0 |
cnMatrix | EX2K/EX1K | 2.0.4-r1 |
cnPilot Home | cnPilot R200, R200P | 4.4.2-R2 |
cnPilot Home | cnPilot R201, R201P | 4.4.2-R2 |
cnPilot Home | cnPilot R190V, R190W | 4.4.2-R2 |
cnPilot Home | cnPilot R195P | 4.5.2 |
cnPilot Home | cnPilot R195W | 4.7 |
cnRanger | Sierra 800 | 1.0.1.0-r1 |
cnRanger | Tyndall 101 | 1.0.1.0-r1 |
cnRanger | Tyndall 201 | 2.0.0.0-r1 |
cnReach | N500 | 5.2.17e |
cnVision | Hub 360r, FLEXr | 4.6 |
cnVision | Client Micro, Mini, Maxr | 4.6 |
cnWave 5G Fixed | B1000 (BTS) | 2.0 |
cnWave 5G Fixed | C100 (CPE) | 2.0 |
Edge Controller | N/A | 1.0.0 |
Enterprise Wi-Fi | cnPilot e400/e500 | 2.5.2-r3 |
Enterprise Wi-Fi | cnPilot e410/e430w/e600 | 3.5.2-R4 |
Enterprise Wi-Fi | cnPilot e501S/e502S | 3.2.1-r6 |
Enterprise Wi-Fi | cnPilot e700 | 3.8 |
Enterprise Wi-Fi | cnPilot e425/e505 | 4.0-r17 |
Enterprise Wi-Fi | cnPilot e510 | 3.11.4-r9 |
Enterprise Wi-Fi | XE3-4 | 6.4 |
Enterprise Wi-Fi | XE3-4TN | 6.5.1 |
Enterprise Wi-Fi | XE5-8 | 6.4.1-r15 |
Enterprise Wi-Fi | XV2-2 | 6.1 |
Enterprise Wi-Fi | XV2-2T0 | 6.4 |
Enterprise Wi-Fi | XV2-2T1 | 6.4.1-r15 |
Enterprise Wi-Fi | XV2-21X | 6.5 |
Enterprise Wi-Fi | XV2-22H | 6.5 |
Enterprise Wi-Fi | XV2-23T | 6.5 |
Enterprise Wi-Fi | XV3-8 | 6.0 |
ePMP 1000 Hotspot | ePMP 1000 Hotspot | 2.5.2-r3 |
ePMP | ePMP 1000, Force 180/200 | 2.6.2 |
ePMP | ePMP 2000 | 3.0.1 |
ePMP | ePMP Elevate XM/XW | 3.2 |
ePMP | ePMP Force 190 | 3.5 |
ePMP | ePMP Force 300 | 4.1 |
ePMP | ePMP PTP 550 | 4.1.1 |
ePMP | ePMP Force 130 5 GHz | 4.3.2 |
ePMP | ePMP 3000L | 4.3.2 |
ePMP | ePMP Elevate SXGLITE5, LHG5 | 4.3.2.1 |
ePMP | ePMP Force 130 2.4 GHz | 4.4 |
ePMP | ePMP Force 300-19, 19R, 13 | 4.4 |
ePMP | ePMP 3000 | 4.4.1 |
ePMP | ePMP PTP 550 E | 4.4.2 |
ePMP | ePMP MP 3000 | 4.5 |
ePMP | ePMP Force 300-13L | 4.5.2 |
ePMP | ePMP Force 300-13LC, 22L, 25L | 4.6 |
ePMP | ePMP Force 200L | 4.7.0 |
ePMP | ePMP 4000, Force 400 GPS, 400 CSM, 425 | 5.1.0 |
ePMP | ePMP 4600, ePMP4600L, ePMP Force 4600C, ePMP Force 4525, ePMP Force 4500, ePMP Force 4625 | 5.4.0 |
NSE | NSE 3000 | 1.2-b5 |
PMP | PMP 450i, PMP 450, PMP 450m, PMP 430 SM | 15.0.1 |
PMP | PTP 450, and PTP 450i | 15.0.1 |
PMP | MicroPoP Omni/Sector | 16.2.1 |
PTP | PTP 650 | 01-47 |
PTP | PTP 670 (650 Emulation) | 01-47 |
PTP | PTP 670, PTP 700 | 02-67 |
PTP 820/850 | PTP 820C, 820E, 820F, 820G, 820S | 11.9 |
PTP 820/850 | PTP 850C, 850E | 11.9 |
Xirrus (Enterprise Wi-Fi) | XA4-240 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XD2-230 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XD2-240 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XD4-130 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XH2-120 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XH2-240 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-620 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-630 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-2226 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-2236 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-2247 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-2426 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-2436 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-2447 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-4426 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-4436 | 8.7.0 |
Xirrus (Enterprise Wi-Fi) | XR-4447 | 8.7.0 |
Supported Browsers
cnMaestro supports the following browsers:
Platform | Browser | Version |
---|---|---|
Linux | Firefox | 45 and above |
Linux | Chrome | 49 and above |
MacOS | Safari | 9 and above |
MS Windows | Internet Explorer | Deprecated |
MS Windows | Microsoft Edge | 44.17763.1.0 |
MS Windows | Firefox | 45 and above |
MS Windows | Chrome | 49 and above |
Significant Fixes
The following issues have been fixed:
Id | Details |
---|---|
CNSSNG-29430 | Searching Events by name does not work. |
CNSSNG-30207 | Device offline outages count shown in device dashboard is incorrect. |
CNSSNG-30266 | Roaming history is present in client grid page. |
Known Issues
The following issues exist:
Id | Issue | Details |
---|---|---|
CNREACH-139 | Radio Software Update is not happening for EP-based devices. | |
CNSSNG-4083 | DHCP errors after cnMaestro reboot | When cnMaestro On-Premises is rebooted, after Data Import, sometimes DHCP and Disk Errors are encountered. Workaround: Explicitly run the dhclient command from the Command Line (accessed through the CLI) after reboot to assign the IP address. |
CNSSNG-5365 | RADIUS Proxy drops packets after retrying is exhausted. | After RADIUS Proxy Retries are exhausted in cnMaestro On-Premises, all subsequent RADIUS packets are dropped. Workaround: Reboot cnMaestro server. |
CNSSNG-9631 | High Availability: Network cable unplug: Device count is taken from Primary and jobs/users list is taken from Secondary. | |
CNSSNG-9632 | High Availability: Network cable unplug: Devices onboarded during network disconnect need to be reapproved by user. | |
CNSSNG-10145 | Certificate exports are not part of Data Backup and Restore. | Certificates must be exported manually. |
CNSSNG-10187 | During Migration, moving or deleting a device from the Managed Account will mark all events and alarms as undefined once Migration has completed. | |
CNSSNG-11299 | AP Regulatory Channel list support check needed for checking valid channels. | |
CNSSNG-11389 | Microsoft Edge Browser does not support in system OVA file upgrade. | Workaround: Use the Google Chrome browser. |
CNSSNG-12812 | cnPilot R-series dual radio devices (r-201P, r-195W) AP Group country code/SSID configured from overrides getting applied only to 2.4 GHz radio. | |
CNSSNG-12888 | Connected Clients count in the WLAN page is not properly shown when SSID is overridden for the WLAN at Device level. | |
CNSSNG-13054 | Mismatch in Clients count for cnPilot E-series device at WLAN and AP Group configuration level. | |
CNSSNG-14030 | CBRS race condition: SM “stuck” in cnMaestro during reparenting if import and start occurs as SMs arrive in onboarding queue. | Workaround: To avoid this issue, follow the suggested SM reparenting procedures listed in the latest version of the Cambium CBRS standalone procedures document. |
CNSSNG-14518 | Device Type selection needs to be provided at Site and AP Group for Report generation. | |
CNSSNG-14932 | PMP/ePMP Configuration Backup: LAST BACKUP date and time is not updating if device under an MSP account. | |
CNSSNG-15356 | If a device has a weak serial number and a non-CBRS build, and the sector is imported first before the devices are onboarded (even with Cambium ID onboarding), the device will not contact cnMaestro. | |
CNSSNG-15432 | Deleting a device in Base Infrastructure and claiming it immediately to another Managed Account returns Device Registration Failed message. | |
CNSSNG-15595 | cnMatrix Hostname falls back to the old Hostname if the template is pushed for the first time (if a Switch Group already exists). | |
CNSSNG-15656 | Duplicate entries observed in 802.11ax Clients Report. | |
CNSSNG-16197 | CBSDID search will not work when device was synced from tool without obtaining grant first. | Workaround: Perform CBSDID search from domain proxy view on Cloud to obtain the MAC address, then perform MAC address search on tool to find the device. |
CNSSNG-18856 | cnVision Client is not shown under hub. | Workaround: Reboot the Client. |
CNSSNG-18913 | On resizing, the graph/widgets are not properly rendering. | |
CNSSNG-18923 | After migration Reports Job page is empty due to cached data. | Workaround: Clear Cache and Cookies after migration. |
CNSSNG-18927 | Configuration push from Onboarding page is getting device timeout error in ePMP 1000 Hotspot device. | |
CNSSNG-18936 | Graph plotting is empty if the page is zoomed out/in. | |
CNSSNG-19264 | Unmanaged expired device approve button is not disabled. | |
CNSSNG-19275 | Issues related to Offline alarm of expired devices. | |
CNSSNG-20508 | Deleting the last Super Administrator should show a proper error message. | |
CNSSNG-20605 | User-Defined Overrides (Advanced) should be handled from Switch Groups > Switches > Actions > Configuration tab. | |
CNSSNG-20745 | AP Count is -1 in Anchor when deregistering the device from Anchor. | |
CNSSNG-20820 | After server upgrade, device throws error [Invalid CBSD ID and Grant ID], even though the Domain Proxy shows the device is registered. | |
CNSSNG-21068 | Not able to deregister or delete the SM when PMAC mismatched (SM reported different PMAC). | Workaround: Reinitialize the SM from inside the sector of the AP, not by directly searching for the SM in the tool; then deregister and delete the device. |
CNSSNG-21264 | Auto refresh is not working when Site/Tower/Device details are updated in Network level map. | |
CNSSNG-21271 | Map: SM status is missing in AP details. | |
CNSSNG-21345 | RF Statistics related information should not be available in reports for XV type device. | |
CNSSNG-21396 | Issues related to cnMatrix onboarding overrides. | |
CNSSNG-22089 | New Changes in Clients report in 3.1.0. | |
CNSSNG-23732 | Min Data Rate and Multicast Data Rate configuration push always sets default for both bands. | |
CNSSNG-24529 | Multi-floor issue with Firefox browser. | |
CNSSNG-24823 | Device overrides and config apply will not work after Migration from 3.1.0 to 3.1.1 due to cache. | |
CNSSNG-24826 | Site Floorplan: in Edit mode, able to drag devices outside the boundary without an error. | |
CNSSNG-25071 | If ePSK entries exist under an MSP WLAN, then upon disabling MSP in the account, the MSP WLAN ePSK count persists. | |
CNSSNG-25150 | AOS device Configuration Job times out if Device is in DHCP. | |
CNSSNG-25238 | AOS device WebSocket does not disconnect for an X account downgraded to Pure ESS after Retention expired. | |
CNSSNG-25758 | Able to see cnPilot R-series AP Groups in Enterprise View. | |
CNSSNG-26188 | Error on deleting NSE device from the inventory page. | |
CNSSNG-26871 | Client Local Table intermittently displays no data even when clients are connected. | |
CNSSNG-26911 | NSE configuration page should use Management IP as clickable link, not WAN Address. | |
CNSSNG-27055 | Port numbering in UI does not match physical labels. | |
CNSSNG-27223 | Not able to override passphrase of SSID when SSID contains special character “.” when created at group level (for ex: dot). | |
CNSSNG-27314 | No toast message displayed on deleting a NSE Group linked to a device. | |
CNSSNG-27416 | NSE Groups - Firewall - Rule “Action” needs to be Deny only (read only). | |
CNSSNG-27581 | Configuration Variables (Advanced) details are not displayed for Switch groups in onboarding page. | |
CNSSNG-28101 | Logout option not visible in iPhone. | |
CNSSNG-28140 | Graphs alignment issues when menu bar is expanded. | |
CNSSNG-28151 | Total device count and count displayed in Recommended Software metrics do not match. | |
CNSSNG-28282 | Scheduled Reports for Expired device are completed. | |
CNSSNG-28292 | Major Alarm count does not match system level notifications. | |
CNSSNG-28306 | Usage summary displays Available and Used slots in the same color. | |
CNSSNG-28326 | AP Groups/Sites/Towers list all types of devices while generating reports. | |
CNSSNG-28377 | Number of onboarding devices from Dashboard does not match number of devices on Onboarding page. | |
CNSSNG-28433 | After rebooting a BTS, the Audit Log displays the entry as failed. | |
CNSSNG-28544 | PTP: While moving from one managed account to another, device details are not updated properly. | |
CNSSNG-29982 | The LAN ports numbers on the NSE dashboard and the Network page of NSE group configuration should be identical. | |
CNSSNG-30024 | Total Bytes and other KPI doubled if navigated from Top User. | |
CNSSNG-30040 | Change Bulk Edit and Import labels. | |
CNSSNG-30137 | Inactive VPN Sessions cleared after an hour and not after 24 hours. | |
CNSSNG-30142 | Some of the time ranges are missing for NSE performance graphs. | |
CNSSNG-30593 | In NSE, packet capture for VLAN 2000 fails with undefined error. | |
CNSSNG-30691 | Should not allow configuration of duplicate subnet in remote subnet and local subnet. | |
CNSSNG-30693 | DH group setting under IKE phase 2 of site-to-site tunnel cannot be set to disabled. | |
CNSSNG-30696 | Changes required if the IKE version 1 is selected. | |
CNSSNG-30697 | Remove the check box “enable inbuilt VPN server” from the VPN and RADIUS server page. | |
CNSSNG-30890 | Clicking on apply filters when at the bottom of the page should open the apply filter pop-up upwards. | |
CNSSNG-30927 | Modify the remote subnet and local subnet fields under IPsec to have option to enter subnet in list form. | |
CNSSNG-30981 | Load Balancing is not allowing WAN 1 backup WAN 2 shared combination. | |
CNSSNG-30982 | Job Details popup should auto hide when navigated to device. | |
CNSSNG-31004 | The status of SNMP v2c assist for cnMatrix does not change from failed to passed. | |
CNSSNG-31006 | If the site contains NSE, cnMatrix, and Wi-Fi AP, the devices are not sorted correctly. | |
CNSSNG-31029 | For responder role, Site-to-Site VPN tunnel, remote address field is not present. | |
CNSSNG-31072 | VPN user Password and shared secret are not encrypted in exported configuration. | |
CNSSNG-31098 | Navigation to client is not working from Impacted Clients pop-up. | |
CNSSNG-31115 | Device type is blank for NSE in onboard reports. | |
CNSSNG-31116 | Navigation is broken when accessed from Jobs Page in Enterprise View. | |
CNSSNG-31131 | Navigation is broken when accessed from Threats bar graph in System and Home in Enterprise View. | |
CNSSNG-31234 | Client host name is not updated in System > Applications > Application Name. | |
CNSSNG-31238 | Client host name alignment is not proper in application tab. | Workaround: Enter less than 64 characters for Host Name. |
Where to Get Help
There are several places to get help with cnMaestro.
Cambium Community: The cnMaestro Forum provides the best place to ask questions and get up-to-date information.
Cambium Support: The Cambium Support team is available 24x7 to answer questions and resolve issues.