Gateway & AP – Set-Up Guide
Configuring Cambium cnMaestro on-Premise HTTPS

This chapter describes how to configure Cambium cnMaestro on Premise HTTPS.
Before proceeding further with the configuration, you need to configure HSNM with a domain and a gateway as described in Adding a New Gateway.

Prerequisites

The prerequisites required for configuration are:

  • Pre-installed CnMaestro on-premise (https://support.cambiumnetworks.com/files/cnmaestro/)
  • Web access on port 443 HTTPS to cnMaestro and cnPilot
  • CnPilot with installed firmware 3.11.4.1-b3 (E500) installed
  • CnPilot configured with a correct IP address based on your network configuration
  • Cambium Network cnMaestro-type gateway on Premises gateway configured in your HSNM
  • CnPilot must be able to reach cnMaestro through 443 HTTPS
  • Intermediate Certificate, and Key valid for FQDN chosen for HSNM/cnMaestro,example*.hsnetworkmanager.com
  • HSNM gateway configured with Cambium cnMaestro hardware type
    1. Now inside HSNM, select your Gateway, click the dropdown menu, choose Edit.
    2. Expand the General Data session.
    3. In the Hardware Type field, choose Cambium Network cnMaestro On Premises.

Creating the WLAN and AP Group

Step 1

Once logged in to your cnMaestro, you have to add your AP in order to update and manage it. Click on the gear icon on the left, go to Shared Setting Menu > WLANS and AP GROUP.

Step 2

Click New WLAN on the top right

Step 3

Create your WLAN by entering the SSID and select Open in the Security dropdown menu

Step 4

Click the Save button that displays at the bottom of the window

Configuring the Radius Server for Authentication and Accounting

Step 1

From the Configuration tab on the left, select AAA Servers
In the Authentication Server section, enter the details as follows:

  • Host–Enter the IP used to reach HSNM
  • Secret–Enter the radius secret that you have set in the System Settings of your HSNM

Step 2

Scroll down to Accounting Server
Enter the details as follows:

  • Host–Enter the IP used to reach HSNM
  • Secret–Enter the radius secret that you have set in the System Settings of your HSNM.
  • Accounting Mode-choose Start-interim-Stop
  • Interim Update Interval-edit 600

In order to add the Secret you need to get it from your HSNM as described in the Radius Secret paragraph.

Step 3

Expand the Advanced Settings section and edit an identifier in the NAS-Identifier field

Step 4

Upon completion of the above steps, click the Save button in the bottom left corner of the page.

Step 5

From the Configuration tab on the left, select Guest Access > Basic Settings and enter the relevant information in the following fields:

  • Basic Setting–Tick Enable
  • Portal Mode–Choose External Hotspot
  • Access Policy– Choose Radius
  • Redirect Mode– Choose HTTPS Use HTTPS URLs for redirection
  • External Page URL–Enter the HTTPS URL used to upload the gateway’s Welcome Portal (e.g. https://fqdn_of_your_appliance/portal/portal.php?gateway=NAME_OF_YOUR_GATEWAY)
  • External Portal Post Trhough cnMaestro–Tick it
  • External Portal Type–Select Standard
  • Success Action– Choose Redirect User to Original URL

Entering the Walled Garden (Whitelist)

Step 1

Now you need to configure the Walled Garden. Expand the Whitelist section from the Guest Access menu.

Step 2

Click on Add New and add one by one the IP addresses or domains downloaded from your HSNM

Figure Download Walled Garden

Step 3

Upon completion of the above steps, click the Save button to finish.

Adding the AP group

Step 1

Now you have to add the AP group for the WLAN you have created. Click on the Inventory icon from the main menu on the left.

Step 2

Select System > Add AP Group.

Step 3

In the Basic Information section, define the Type, Name and all relevant

Step 4

Scroll down and click on Add WLAN

Step 5

Select the WLAN you have prior created in Creating the WLAN and AP Group and click Add.

Step 6

Once completed, click the Save button

Configuring the AP

Step 1

Now, you need to configure the cnPilot to work with your cnMaestro. First, click on the Onboard icon from the main menu on the left.

Step 2

Select the Claim for Device tab and tick Enable Cambium ID based authentication to onboard devices

Step 3

Connect to the web interface of your cnPilot by using your cnPilot’s IP address and go to Configure > System.
Configure the cnMaestro section and enter the relevant information in the following fields:

  • Remote Management–Tick Enable
  • Validate Server Certificate– Tick it
  • cnMaestro URL–Edit the https://FQDN_CNMAESTRO_ONPREMISES
  • Cambium ID– Edit cnmaestro_on_premise
  • Onboarding Key– Digit the password you have chosen in the previous Step 2

If the configuration is successful and the cnPilot communicates correctly with the cnMaestro, the dashboard of the cnPilot will display Connected to in the cnMaestro Connection Status field.
Obtain or copy the cnPilot’s MAC address because you will need to edit it inside the cnMaestro

If not succesfull, skip to the Configuring and Installing the SSL Certificate chapter to install the certificate and try again.

Step 4

Now you can add it to the AP Group inside the cnMaestro. So go back to your cnMaestro web interface. Then click on the Manage icon from the main menu on the left.

Step 5

Select the Wi-Fi AP Groups tree view and click on your group. From the menu select Claim Device(s)

Step 6

The above screen appears and you have to paste the cnPilot’s MAC address copied on Step 3

Step 7

If the operation is successful, you’ll have your device online:

Step 8

Now you can test the connection using a device.

Configuring and Installing the SSL Certificate

Step 1

Configure and install the SSL Certificate

Step 2

Use a text editor to link together the CRT, the intermediate and the certificate key with the following format:

—–BEGIN CERTIFICATE—–
CERTIFICATE
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
INTERMEDIATE
—–END CERTIFICATE—–
—–BEGIN PRIVATE KEY—–
PRIVATE KEY
—–END PRIVATE KEY—–

Step 3

Save the entry.

Step 4

Now, move to the Application section and then click Server > SSL Certificate > Import.

Step 5

Check the Import Signed Certificate and New Key field and select the file you have just created.

Step 6

Click the Import button.

Step 7

If successful, you’ll receive a confirmation. Also, in the View section, the issuer and the expiration date will be available.

Setting Up a Valid FQDN

Step 1

Set up a valid FQDN for the Certificate already installed. You will need the FQDN to point to the public IP of cnMaestro on Premises (atyourchoice.hsnetworkmanager.com in our case).

Step 2

Now select the Services menu on the left and then the Guest Access Portal In the Guest Portal Hostname/IP field, type the FQDN you have previously chosen.

Testing the Device

Step 1

Test the connection using the device.

Configuring the Logs (Optional)

If you need, you can configure dedicated logs from the cnMaestro/Pilot

Step 1

Once logged in to your cnMaestro, from the main menu on the left click Application > Settings and press the Syslog tab.

Step 2

Click Add on the top right corner for Event Syslog.
Enter the relevant information in the following fields:

  • Name–Specify a name
  • IP/Host– Enter the public IP to reach your HSNM
  • Port–Edit 1514
  • Event Type–Tick the relevant events
  • Severity–Tick the relevant severeties
  • New Severity–Choose Debug

Step 3

Click Add on the top right corner for Audit Syslog.
Enter the relevant information in the following fields:

  • Name–Specify a name
  • IP/Host– Enter the public IP to reach your HSNM
  • Port–Edit 1514
  • Audit Type–Tick the relevant events
  • New Severity–Choose Debug

Step 4

Once completed, click the Add button

Step 5

Now click the Manage icon from the main menu on the left. Choose the Wi-Fi AP Group and the related group.

Step 6

From the menu, select Edit > Management. Scroll down till Event Logging and edit the public IP to reach your HSNM and port 1514.

Step 7

Log in to your HSNM, select the gateway where you have selected Cambium Network cnMaestro or CnPilot standalone as type of gateway.

Step 8

In the Activate Logs field, select Enabled with registration on separate file from the dropdown.

Step 9

In the Internet Connection IP Address or DynDNS Name fields, digit the connection public IP of your cnPilot.

Step 10

Once completed, click the Save button on the top right corner to save the entry.