Upgrading past 15.2 questions

So, I have been putting off upgrading to 15.2 and beyond due to the encryption changes.  I'm ready to take the plunge now but I'm not quite understanding something.  I plan on lab testing our senario but thought I'd ask here to confirm my thinking. I've read the KB article on this upgrade too, here: http://community.cambiumnetworks.com/t5/PMP-FAQ/15-2-AES-256-Encryption-FAQ/m-p/85930#M306

We were already running AES and have only 450 style (no 430)subs.  We use our own preshared key prior to 15.2 changes and that passkey was complex but not as complex as the what the equipment is requiring now it seems.  Basically just using a complex 10 character passkey.  When you upgrade to this newest firmware it won't let you use this passkey anymore.  I can't remember what it says but it will only take a 16 character key (we currently use 10 characters). 

I guess my question is, do I need to enhance my AES passkey to 16 characters before upgrading past 15.2 and on to version 16 software?  Also, the option to use "default key" is availabe after 15.2 release and I'm not sure if that is specific to the AP that gets generated or whether its a default passkey for all Cambium 450 AP's?  

1 Like

We had a similar issue when we migrated. For us, it was easier to disable encryption through cnMaestro by pushing profiles to SM's and AP's then upgrade the AP's to 15.2.1. Once upgraded we used cnMaestro to enable AES again with a new key.

1 Like

Hi Nathan,

First, regarding the Pre-Shared Key requirements, the entry field has always expected a hexadecimal string (i.e. 0-9 or A-F digits). If anything other than those digits is entered, attempting to save on the page indicates that 0xFF is being used instead. In 15.2, addtional red text and an explicit error message were added to the right of the entry field to make this more obvious. When the key is set correctly, the text to the right of the entry field should read "Key Set". Choosing the radio button for "Default Key" will default to a string of 0xFF bytes (16 bytes for 128-bit, and 32 bytes for 256-bit AES encryption, respectively.) This is not a recommended operating mode as the default key is well-known.

You are not required to use a 16-bit (or 32-bit for AES256) key, but those are the maximum supported lengths. For example, entering simply "A" or "5" is a valid (though weak) encryption key.

To answer your primary question, since you are already using AES encryption, I would make sure the key you are using is non-default and valid, based on my description above ("Default Key" is NOT selected, and "Key Set" is present after entering a proper hex string of desired length), then follow the instructions in the link you provided to proceed. The recommendation there is to upgrade SMs first, then AP so that in the case of lost connectivity, you can simply turn off encryption on the AP temporarily to allow SMs to register and assess what went wrong.  Most likely things should go smoothly, and that won't be necessary.



You're correct.  I was able to change the preshared key to something in the range of A-F and 0-9 and it worked after upgrading.  Using default key also worked but I'm going to just update the passkey on every SM, then AP, then upgrade and it should go fine.  Thanks!

1 Like

Glad to hear things worked out!