Learn how to set up and configure the Cloudi-Fi cloud captive portal solution with Cambium 

Introduction to Cambium integration with the Cloudi-Fi captive portal

This document will specifically discuss External Hotspot integrating with on-premise cnMaestro to securely POST the user credentials to authenticate the user using External RADIUS.

Since the secure POST needs the installation of a certificate and a certificate in each AP in a big deployment is not straightforward, we are providing the option to install the certificate in a single point(cnMaestro) for the whole network. Another benefit is that this option also opens up the flow where the external portal can directly POST to cnMaestro and have the login flow completely done between the client and the external portal, which solves the issues with cross-origin requests which are getting slowly blocked on browsers.

Customers who want a secure communication channel to authenticate the user securely should choose to POST the user credentials to cnMaestro. One must enable External Portal Post Through cnMaestro, available in Guest Access to enable this feature.

Cambium integration workflow

A general workflow is when an external web server and cnMaestro are configured to accept HTTPS POST messages from the client.

This setup consists of below main parts:

1. Supplicant (Wireless clients- Laptops, mobile phones etc.)

2. Cloudi-Fi Portal

3. DNS server

4. On-Premise cnMaestro

5. Authenticator (Cambium Access Point)

6. HTTPS POST by client

7. Authentication Server (RADIUS)

3rd party certificate loading on cnMaestro

First of all, you have to choose a hostname on a domain name you own to purchase a public certificate.

Let's take "guest.3wi.fi" as an example.

You must purchase a public server certificate with CN ( Common Name ) attribute equal to "guest.3wi.fi" in our example.

Once you have the certificate, import it into cnMaestro under the Application Server SSL Certificates Import section.

Select "Import Signed Certificate and new Key"

After loading the certificate, change the guest portal’s URL to reflect the new hostname under Services Guest Access Portal Guest Portal Hostname / IP.

Note: DNS Server forward zone should be updated with an entry to point to the cnMaestro hostname. This will ensure that external DNS can send a query response when a client tries to contact the redirected URL (which AP provides to contact cnMaestro).

Cambium configuration in Cloudi-Fi cloud captive portal

1. On cnPilot Access Points: Configure WLAN

2. On cnMaestro: Shared Settings/ WLANs and AP Groups WLANs

WLAN: Key in the WLAN name and description. By default, WLAN Name is taken as SSID Name.

AAA Server: Key in the AAA server setting like IP address (RADIUS server) and shared secret ( This shared secret will be given by the Cloudi-Fi support team ).

Guest Access: Enter the URL of the captive portal hosted on an external web server and select other required parameters.

Go to your Cloudi-Fi administration interface and get the URL for external authentication (Locations Click on the menu button of the location and select Copy Splash page URI)

Transform the URL as follows.

• Copy the URL

You can visit our partner page for additional information on Cambium Networks’ solution partnership.