Root Password

Michael_DeCota · May 3, 2021, 12:53pm

Is this password used by cnmaestro for connectivity, I want to lock down my devices default accounts. We plan on using radius Auth as well.

rnelson · May 3, 2021, 3:03pm

I believe cnMaestro uses snmp or an api to connect (the device only needs the cnMaestro server IP address). We have a admin password set on each device, then use radius for individual accounts. If individual account login fails, the SM login then checks the accounts on the device itself.

Steven · May 3, 2021, 10:30pm

As far as I am aware, “root” is identical to “admin”, and it is only in the devices as a historical artifact. I can confirm you can set it to whatever you like without affecting cnMaestro.

I believe, old timers correct me if I’m wrong, but once upon a time there was no admin, just “root” and I think with somewhere around version 8, “admin” was added for some reason. I was never clear as to why there were two different high level access user names out of the box. Also, it’s a good reminder for all Cambium users that out of the box, root, like admin, has no password and must be manually set!

Michael_DeCota · May 4, 2021, 1:36pm

Thank you Steven,

This is the info I needed.

-Mike

Douglas_Generous · May 5, 2021, 1:38am

root and admin are two different accounts used for different purposes. Root is used by Prism/Wireless Manager to control the SM and gather statistics. Admin is your admin access account, it has mostly the same access level as root but unlike root there are things that this account can not change/ access. In the newer radios, admin is effectively an alias for root, but both are not the same password.

You should set a password for both admin and root independently.

cnMaestro uses the authoritive granted by the onboarding username and key to manage the radios. This is seperate from the SNMP connection and usernames on the radio.

If you are using RADIUS to control login, be sure to think carefully about local login access and if the default passwords should be kept or even allowed. IF you choose to allow local login on RADIUS fail, I highly suggest setting to a private password. Even better is to disallow local login unless there is no connection to the RADIUS server and still have a private password to prevent possible config limits bypassing.