cnMaestro 4.0.0 (Cloud) Release


This document highlights new features and significant updates in cnMaestro Cloud.

Important: Web Browser
Restart your browser (or clear the browser cache with a hard reload) if you are having UI problems with the 4.0.0 update.

Assists for cnMatrix, cnPilot Home, and ePMP X

Assists are extended to cnPilot Home, cnMatrix and ePMP. The Assists feature scans device configuration and generates an Assists Score. It evaluates settings that may lead to security or deployment issues and generates a summary score for System, Network, Site, Tower, and Device. Assists Scores are displayed as a percentage of successful evaluations.

Assists Dashboard

The Assists Dashboard presents the Assists Score and the list of evaluated Assists.


Assists Details

Assist Details provide information about individual Assists.


Affected Devices

Devices failing evaluation are displayed in a table.


Dashboard Widgets

The Assists Dashboard widget has been added to the Dashboard pages.

cnPilot Dashboard Page


cnMatrix Dashboard Page


ePMP Dashboard Page


Fix Now Support for ePMP and PMP

The Fix Now option resolves Assists discovered scanning ePMP and PMP devices.

ePMP Fix Now



PMP Fix Now



Edit Client Host Name

This feature allows users to edit the host name of wired and wireless clients. Navigate to Clients > Wireless/Wired Clients and click the Edit icon under Actions.

The edited host name is displayed in Audit logs, Reports, Data Export, and Client Dashboards.



Access Control Policies for Enterprise Wi-Fi

Access Control Policies limit network traffic. They can be configured at the AP Group and WLAN levels. AP Group policies have higher priority than WLAN policies. Both Layer 2 and Layer 3 rules are available; they are processed in the priority order of MAC Filters (Layer 2), IP Filters, then Application Filters. Application Filters are a cnMaestro X feature. X

Access Control Policies are available under Configuration > Wi-Fi Profiles.


WLAN Access Policy


After creation, link the policy under WLAN > Access Control tab.


AP Group Policy


After creation, link the policy under the AP Group > Access Control tab.


NSE 3000 Specific Features

VPN Two-Factor Authentication

In the VPN and RADIUS Server configuration, administrators can enable two-factor authentication for users:

Click the QR Code icon and scan with the Google Authenticator app to add a 16-digit key.

An email is also sent with the QR code and 16-digit key.

Two-Factor Authentication is available for users accessing NSE using a remote VPN client from the WAN side. You must select the “Enable 2fa” checkbox in the “Client VPN” configuration” for this feature to work. You should also select “Enable inbuilt RADIUS server” when setting up the remote VPN server on the NSE.

PPPoE Support on WAN

The WAN interface now supports PPPoE (in addition to static and dynamic IP address learning). PPPoE is configured with the username and password given by the service provider.

PPPoE Statistics

PPPoE Statistics display the connection status and uptime along with the IP address and default gateway learned from the service provider.

Flow Preference

NSE Flow Preference sends Internet traffic through a specific WAN interface based on Layer 3 or Layer 7 properties. The Flow Preference policy will be pushed to the device if the load balancing mode of the attached WAN interface is set to Shared.

Layer 7 Rule

Layer 3 Rule

Site-to-Site IPsec

An IPsec tunnel provides a secure, encrypted connection between two devices or networks. An IPsec site-to-site tunnel connects two remote sites.

IPsec Tunnel Statistics

IPsec tunnel statistics display the tunnel status of IKE phase 1 and phase 2 along with the session time.

Static DNS Configuration

Static IP Address assignment now supports configuration of Primary and Secondary DNS servers.

VLAN Tag on WAN [Dot1q]

If enabled, NSE will insert Dot1q tag with configured VLAN id for all packets exiting the WAN interface.

DNS Logging

Log DNS queries received from the client to external syslog server.

User-Defined Overrides

Ability to set configuration parameters in NSE Groups which are not supported in the GUI.

Factory Reset

Erase all configuration on the device and restore to factory default.

Configuration Lock

Keep the configuration between NSE devices and cnMaestro synchronized: any changes performed on the device will be overridden by cnMaestro.

Outbound Firewall Rules Count Increased to 150

The Outbound firewall rule count in the NSE Group has been increased to 150. The rules can be a combination of Layer 3 and Layer 7 rules.

MAC to IP Binding Increased to 200

The MAC to IP binding under the DHCP Server is increased to 200.

NSE Group Import/Export


Troubleshooting tools are added for NSE devices:

  • Log view
  • Remote CLI to visualize real-time statistics and execute traceroute and ping
  • Live packet capture

UI Navigational Changes

The “AP Groups and WLANs” menu item is renamed “Wi-Fi Profiles” to accommodate new Access Control Policies and existing Association ACLs.



Expand/Collapse Icon for Main Menu is Enhanced

The Expand/Collapse icon for Main Menu changed from Picture39 to two.

Supported Cambium Products

cnMaestro supports the following Cambium Networks products. The software versions are the minimum required to use cnMaestro (not the recommended versions).

Family Model Version
60 GHz cnWave V1000 1.0
V2000 1.2.2-beta3
V3000 1.0
V5000 1.0
cnMatrix EX2K/EX1K 2.0.4-r1
cnPilot Home cnPilot R200, R200P 4.4.2-R2
cnPilot R201, R201P 4.4.2-R2
cnPilot R190V, R190W 4.4.2-R2
cnPilot R195P 4.5.2
cnPilot R195W 4.7
cnRanger Sierra 800
Tyndall 101
Tyndall 201
cnReach N500 5.2.17e
cnVision Hub 360r, FLEXr 4.6
Client Micro, Mini, Maxr 4.6
cnWave 5G Fixed B1000 (BTS) 2.0
C100 (CPE) 2.0
Edge Controller N/A 1.0.0
Enterprise Wi-Fi cnPilot e400/e500 2.5.2-r3
cnPilot e410/e430w/e600 3.5.2-R4
cnPilot e501S/e502S 3.2.1-r6
cnPilot e700 3.8
cnPilot e425/e505 4.0-r17
cnPilot e510 3.11.4-r9
XE3-4 6.4
XE3-4TN 6.5.1
XE5-8 6.4.1-r15
XV2-2 6.1
XV2-2T0 6.4
XV2-2T1 6.4.1-r15
XV2-21X 6.5
XV2-22H 6.5
XV2-23T 6.5
XV3-8 6.0
ePMP 1000 Hotspot ePMP 1000 Hotspot 2.5.2-r3
ePMP ePMP 1000, Force 180/200 2.6.2
ePMP 2000 3.0.1
ePMP Elevate XM/XW 3.2
ePMP Force 190 3.5
ePMP Force 300 4.1
ePMP PTP 550 4.1.1
ePMP Force 130 5 GHz 4.3.2
ePMP 3000L 4.3.2
ePMP Force 130 2.4 GHz 4.4
ePMP Force 300-19, 19R, 13 4.4
ePMP 3000 4.4.1
ePMP PTP 550 E 4.4.2
ePMP MP 3000 4.5
ePMP Force 300-13L 4.5.2
ePMP Force 300-13LC, 22L, 25L 4.6
ePMP Force 200L 4.7.0
ePMP 4000, Force 400 GPS, 400 CSM, 425 5.1.0
ePMP 4600, ePMP4600L, ePMP Force 4600C, ePMP Force 4525, ePMP Force 4500, ePMP Force 4625 5.4.0
NSE NSE 3000 1.2-b5
PMP PMP 450i, PMP 450, PMP 450m, PMP 430 SM 15.0.1
PTP 450, and PTP 450i 15.0.1
MicroPoP Omni/Sector 16.2.1
PTP PTP 650 01-47
PTP 670 (650 Emulation) 01-47
PTP 670, PTP 700 02-67
PTP 820/850 PTP 820C, 820E, 820F, 820G, 820S 11.9
PTP 850C, 850E 11.9
Xirrus (Enterprise Wi-Fi) XA4-240 8.7.0
XD2-230 8.7.0
XD2-240 8.7.0
XD4-130 8.7.0
XH2-120 8.7.0
XH2-240 8.7.0
XR-620 8.7.0
XR-630 8.7.0
XR-2226 8.7.0
XR-2236 8.7.0
XR-2247 8.7.0
XR-2426 8.7.0
XR-2436 8.7.0
XR-2447 8.7.0
XR-4426 8.7.0
XR-4436 8.7.0
XR-4447 8.7.0

Supported Browsers

cnMaestro supports the following browsers:

Platform Browser Version
Linux Firefox 45 and above
Chrome 49 and above
MacOS Safari 9 and above
MS Windows Internet Explorer Deprecated
Microsoft Edge 44.17763.1.0
Firefox 45 and above
Chrome 49 and above

Significant Fixes

The following issues have been fixed:

Id Details
CNSSNG-29430 Searching Events by name does not work.
CNSSNG-30207 Device offline outages count shown in device dashboard is incorrect.
CNSSNG-30266 Roaming history is present in client grid page.

Known Issues

The following issues exist:

Id Issue Details
CNREACH-139 Radio Software Update is not happening for EP-based devices.
CNSSNG-4083 DHCP errors after cnMaestro reboot When cnMaestro On-Premises is rebooted, after Data Import, sometimes DHCP and Disk Errors are encountered.
Workaround: Explicitly run the dhclient command from the Command Line (accessed through the CLI) after reboot to assign the IP address.
CNSSNG-5365 RADIUS Proxy drops packets after retrying is exhausted. After RADIUS Proxy Retries are exhausted in cnMaestro On-Premises, all subsequent RADIUS packets are dropped.
Workaround: Reboot cnMaestro server.
CNSSNG-9631 High Availability: Network cable unplug: Device count is taken from Primary and jobs/users list is taken from Secondary.
CNSSNG-9632 High Availability: Network cable unplug: Devices onboarded during network disconnect need to be reapproved by user.
CNSSNG-10145 Certificate exports are not part of Data Backup and Restore. Certificates must be exported manually.
CNSSNG-10187 During Migration, moving, or deleting a device from the Managed Account will mark all events and alarms as undefined once Migration has completed.
CNSSNG-11299 AP Regulatory Channel list support check needed for checking valid channels.
CNSSNG-11389 Microsoft Edge Browser does not support in system OVA file upgrade. Workaround : Use the Google Chrome browser
CNSSNG-12812 cnPilot R-series dual radio devices (r-201P, r-195W) AP Group country code/SSID configured from overrides getting applied only to 2.4 GHz radio.
CNSSNG-12888 Connected Clients count in the WLAN page is not properly shown when SSID is overridden for the WLAN at Device level.
CNSSNG-13054 Mismatch in Clients count for cnPilot E-series device at WLAN and AP Group configuration level.
CNSSNG-14030 CBRS race condition: SM “stuck” in cnMaestro during reparenting if import and start occurs as SMs arrive in onboarding queue. Workaround : To avoid this issue, follow the suggested SM reparenting procedures listed in the latest version of Cambium CBRS standalone procedures document.
CNSSNG-14518 Device Type selection needs to be provided at Site and AP Group for Report generation.
CNSSNG-14932 PMP/ePMP Configuration Backup: LAST BACKUP date and time is not updating if device under an MSP account.
CNSSNG-15356 If a device is weak serial number and have a non CBRS build, when imported the sector first and then tried to onboard the devices (even with Cambium ID onboarding), device will not come and contact the CnMaestro.
CNSSNG-15432 Deleting a device in Base Infrastructure and claiming it immediately to another Managed Account returns Device Registration Failed message.
CNSSNG-15595 cnMatrix Hostname fall backs to old Hostname if the template is pushed for the first time (if a Switch Group already exists).
CNSSNG-15656 Duplicate entries observed in 802.11ax Clients Report.
CNSSNG-16197 CBSDID search will not work when device was synced from tool without obtaining grant first. Workaround : Perform CBSDID search from domain proxy view on Cloud to obtain mac address, then perform MAC address search on tool to find the device.
CNSSNG-18856 cnVision Client is not shown under hub. Workaround : Reboot the Client
CNSSNG-18913 On resizing, the graph/widgets are not properly rendering.
CNSSNG-18923 After migration Reports Job page is empty due to cached data. Workaround : Clear Cache and Cookies after migration.
CNSSNG-18927 Configuration push from Onboarding page is getting device timeout error in ePMP 1000 Hotspot device.
CNSSNG-18936 Graph plotting is empty if the page is zoomed out/in.
CNSSNG-19264 Unmanaged expired device approve button is not disabled.
CNSSNG-19275 Issues related to Offline alarm of expired devices.
CNSSNG-20508 Last Super Administrator deletion should be shown proper error message.
CNSSNG-20605 User-Defined Overrides (Advanced) should be handled from Switch Groups > Switches > Actions > Configuration tab.
CNSSNG-20745 AP Count is -1 in Anchor when deregistering the device from Anchor.
CNSSNG-20820 After server upgrade, device throws error [Invalid CBSD ID and Grant ID], even the Domain Proxy shows the device is registered.
CNSSNG-21068 Not able to deregister or delete the SM when PMAC mismatched (SM reported different PMAC). Workaround: Reinitialize the SM from inside the sector of the AP, not by directly searching for the SM in the tool; then deregister and delete the device.
CNSSNG-21264 Auto refresh is not working when Site/Tower/Device details are updated in Network level map.
CNSSNG-21271 Map: SM status is missing in AP details.
CNSSNG-21345 RF Statistics related information should not be available in reports for XV type device.
CNSSNG-21396 Issues related to cnMatrix onboarding overrides.
CNSSNG-22089 New Changes in Clients report in 3.1.0.
CNSSNG-23732 Min Data Rate and Multicast Data Rate configuration push always sets default for both bands.
CNSSNG-24529 Multi-floor issue with Firefox browser.
CNSSNG-24823 Device overrides and config apply will not work after Migration from 3.1.0 to 3.1.1 due to cache.
CNSSNG-24826 Site Floorplan: in Edit mode, able to drag devices outside the boundary without an error.
CNSSNG-25071 If ePSK entries exist under an MSP WLAN, then upon disabling MSP in the account, the MSP WLAN ePSK count persists.
CNSSNG-25150 AOS device Configuration Job times out if Device is in DHCP.
CNSSNG-25238 AOS device WebSocket does not disconnect for an X account downgraded to Pure ESS after Retention expired.
CNSSNG-25758 Able to see cnPilot R-series AP Groups in Enterprise View.
CNSSNG-26188 Error on deleting NSE device from the inventory page.
CNSSNG-26871 Client Local Table intermittently displays no data even when clients are connected.
CNSSNG-26911 NSE configuration page should use Management IP as clickable link, not WAN Address.
CNSSNG-27055 Port numbering in UI does not match physical labels.
CNSSNG-27223 Not able to override passphrase of SSID when SSID contains special character “.” when created at group level (for ex: dot).
CNSSNG-27314 No toast message displayed on deleting a NSE Group linked to a device.
CNSSNG-27416 NSE Groups - Firewall - Rule “Action” needs to be Deny only (read only).
CNSSNG-27581 Configuration Variables (Advanced) details are not displayed for Switch groups in onboarding page.
CNSSNG-28101 Logout option not visible in iPhone.
CNSSNG-28140 Graphs alignment issues when menu bar is expanded.
CNSSNG-28151 Total device count and count displayed in Recommended Software metrics do not match.
CNSSNG-28282 Scheduled Reports for Expired device are completed.
CNSSNG-28292 Major Alarm count does not match system level notifications.
CNSSNG-28306 Usage summary displays Available and Used slots in the same color.
CNSSNG-28326 AP Groups/Sites/Towers list all types of devices while generating reports.
CNSSNG-28377 Number of onboarding devices from Dashboard does not match number of devices on Onboarding page.
CNSSNG-28433 After rebooting a BTS, the Audit Log displays the entry as failed.
CNSSNG-28544 PTP: While moving from one managed account to another, device details are not updated properly.
CNSSNG-29982 The LAN ports numbers on the NSE dashboard and the Network page of NSE group configuration should be identical.
CNSSNG-30024 Total Bytes and other KPI doubled if navigated from Top User.
CNSSNG-30040 Change Bulk Edit and Import labels.
CNSSNG-30137 Inactive VPN Sessions cleared after an hour and not after 24 hours.
CNSSNG-30142 Some of the time ranges are missing for NSE performance graphs.
CNSSNG-30593 In NSE, packet capture for VLAN 2000 fails with undefined error.
CNSSNG-30691 Should not allow configuration of duplicate subnet in remote subnet and local subnet.
CNSSNG-30693 DH group setting under IKE phase 2 of site-to-site tunnel cannot be set to disabled.
CNSSNG-30696 Changes required if the IKE version 1 is selected.
CNSSNG-30697 Remove the check box “enable inbuilt VPN server” from the VPN and RADIUS server page.
CNSSNG-30890 Clicking on apply filters when in bottom of page should open the apply filter pop upwards.
CNSSNG-30927 Modify the remote subnet and local subnet fields under IPsec to have option to enter subnet in list form.
CNSSNG-30981 Load Balancing is not allowing WAN 1 backup WAN 2 shared combination.
CNSSNG-30982 Job Details popup should auto hide when navigated to device.
CNSSNG-31004 The status of SNMP v2c assist for cnMatrix does not change from failed to be passed
CNSSNG-31006 If the site contains NSE, cnMatrix, and Wi-Fi AP, the devices are not sorted correctly.
CNSSNG-31029 For responder role, Site-to-Site VPN tunnel, remote address field is not present.
CNSSNG-31072 VPN user Password and shared secret are not encrypted in exported configuration.
CNSSNG-31098 Navigation to client is not working from Impacted Clients pop-up.
CNSSNG-31115 Device type is blank for NSE in onboard reports.
CNSSNG-31116 Navigation is broken when accessed from Jobs Page in Enterprise View
CNSSNG-31131 Navigation is broken when accessed from Threats bar graph in System and Home in Enterprise View.
CNSSNG-31234 Client host name is not updated in System > Applications > Application Name.
CNSSNG-31238 Client host name alignment not proper in application tab. Workaround: Enter less than 64 characters for Host Name

Where to Get Help

There are several places to get help with cnMaestro.

Cambium Community : The cnMaestro Forum provides the best place to ask questions and get up-to-date information.

Cambium Support : The Cambium Support team is available 24x7 to answer questions and resolve issues.


Thanks Rob! When should we expect to see an on-prem version?

1 Like

I hope the on-prem version will have a letsencrypt support.

Do I think - along with version 4.0, the recommended version of the software for old cnPilots migrated from 4.2.3 to
Again a mistake or a conscious change?
There was a circus like this last time too.

There will not be any 4.0.0 On-Prem but a combined 4.0.1 (4.0.0 + 4.0.1 features) On-Prem release by end of May.


1 Like

As part of cnMaestro release, we mention only the minimum required version for a device family and not the recommended version. Please see below.

Recommended version for a device family is not strictly tied up with the cnMaestro release and keeps changing as we make new releases. Can you please specify for which cnPilot Home/Enterprise model you see the change?


I see that, as before, you can’t do without a screenshot.
Before 4.0.0 was uploaded to the cloud, the recommended soft version in the SoftwareUpdate section was 4.2.3. After uploading 4.0.0 to the cloud, is again recommended in SoftwareUpdate (see picture)
Does anyone of you have control over which version is finally recommended for which products? I get the impression that sometimes it’s like on the wheel of fortune. Someone spins the wheel and falls on version 4.2.x.x :slight_smile:

1 Like

Look what miracles.
Again 4.3.2 is recommended :slight_smile:

I might be wrong here, but atleast on cnMaestro on-prem (not sure about cloud); Me myself as an administrator sets which firmware should be the recommended one.

This is about cloud version. Not on-prem.

Hi @PFR thanks for highlighting the issue, we have fixed already. sorry for the inconvenience.

1 Like

I’m reporting another problem :slight_smile: In previous versions, I could change the location of the WiFi hotspot by dragging it with the mouse on the map. Now it is not possible, it still works for ePMP but for hotspots it has been deactivated ?
Please reactivate.