Open-Mesh Trust and Security


With more than seven million WiFi access points on our cloud-managed networks serving billions of wireless users around the world daily, Cambium Networks is one of the largest providers of cloud-based networking services in the world. Operating around the world after spinning off from Motorola, Cambium Networks cnMaestro™ Wireless Network Management controller has been trusted to power the networks of hotels, shops, schools, businesses, and communities worldwide.

Cambium Networks makes it easy for anyone to build enterprise-grade wireless networks across large areas or multiple locations and manage them all behind a single pane of glass.

Our cloud controller, cnMaestro™, is free to use on the web, iOS, and Android to manage an unlimited number of access points and networks.

This page details how Cambium Networks and cnMaestro™ safeguard your data and keep your network running reliably.

Cambium Networks Data Centers

Cambium Networks’ network controller, cnMaestro™, runs in at least 3 geographically separate Amazon AWS data centers. A combination of physical and cyber security, coupled with geographic regions and availability zones allow cnMaestro™ to remain secure and resilient in the face of most failure modes, including natural disasters or system failures.

AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). AWS undergoes annual SOC 1 audits and has been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.

Cambium Networks Data Center Highlights:

  • Globally distributed, redundant, physically separate data centers
  • 24/7 automatic outage detection and alert system
  • Underlying architecture provides cnMaestro™ with 99.99% uptime
  • All network settings replicated across at least two geographically separate data centers simultaneously
  • Automated nightly backups
  • IP and port-based firewall protection
  • Comprehensive physical on-site security
  • Immediate failover to hot spare in case of hardware failure or natural disaster

Out of Band Management

cnMaestro™ separates user data from network monitoring and configuration with an out-of-band management system.


No user traffic—browsing data, application data, etc.—passes through cnMaestro™: it flows unimpeded to its intended internal or external destination. cnMaestro™ sends network configuration data via a secure (AES encrypted) connection with Cambium Networks access points. Each access point maintains its own key. Only aggregate user data is sent to cnMaestro™ for reporting purposes.

Cambium Networks uses cloud-based out-of-band management as it is:

User traffic is routed directly to the intended destination; no user traffic passes through cnMaestro™ data centers.

With no local controller, each network has no controller bottlenecks.

Cloud-hosted in multiple redundant locations for high availability. The network continues to function even if cnMaestro™ is unavailable.

Other cloud-based solutions will disable your access points if you don’t purchase a license. Cambium Networks is different. We provide the cloud controller free of charge and have built the architecture to keep a network operational (with most features) without relying on the cloud controller at all. It’s truly your network.

Hardware Architecture

Cambium Networks has an advanced architecture to ensure minimum disruption to users in the event Cambium Networks access points cannot communicate with cnMaestro™ due to a temporary WAN failure or other outages.


In the event an access point is unable to communicate with cnMaestro™:

  • Users can access the Internet, provided a WAN connection is available
  • Users can access local network resources (directories, printers, etc.)
  • Users can continue to authenticate via splash pages (unlike other cloud systems, cnMaestro™ hosts the splash pages on the access points).
  • Network policies (walled garden, blocked devices, etc.) remain in effect
  • Users can authenticate via 802.1X/RADIUS
  • Users can roam between access points
  • Users can initiate and renew DHCP leases
  • Established VPN tunnels continue to operate

If cnMaestro™ is temporarily unreachable, the following services are unavailable:

  • Network configuration and monitoring tools
  • On voucher-enabled public networks, splash pages continue to load and all vouchers are presumed authentic, granting users temporary access for up to one hour. Normal authentication resumes once a connection with cnMaestro™ is reestablished.

Security Best Practices

Cambium Networks recommends users follow these security best practices for an added layer of security on their networks.

1. Enable WPA2 Security

Each SSID can be protected with WPA or WPA2 security to restrict access to users with a pre-shared key (or “passphrase”). To reduce vulnerability to password cracking attacks, Cambium Networks recommends using a truly random passphrase of 13 characters (selected from the set of 95 permitted characters). If possible, use WPA2 as it is far more secure.


2. Verify SSL certificates

cnMaestro™ uses https, ensuring communication between an administrator’s browser and the cloud controller is encrypted. As with any secure web service, do not log in if your browser displays any of the certificate warnings shown here, as it may indicate a man-in-the-middle attack.