In this document, we will be specifically talking about External Hotspot integrating with on-premise cnMaestro to securely POST the user credentials to authenticate the user using External RADIUS.

Since the secure POST needs installation of certificate and installing certificate in each AP’s in a big deployment is not straightforward, we are providing the option to install certificate in a single point(cnMaestro) for the whole network. Another benefit is this option also opens up the flow where the external portal can directly POST to cnMaestro and have the login flow completely done between client and the external portal which gets ways the issues with cross origin requests which are getting slowly blocked on browsers.

Customers who wanted a secure communication channel to authenticate the user securely should choose to POST the user credentials to cnMaestro. To enable this feature, one must enable External Portal Post Through cnMaestro available in Guest Access.


A general workflow when an external webserver and cnMaestro is configured to accept HTTPS POST messages from client.

This setup consists of below main parts:

  1. Supplicant (Wireless clients- Laptops, mobile phones etc)

  2. Cloudi-Fi Portal

  3. DNS server

  4. On-Premise cnMaestro

  5. Authenticator (Cambium Access Point)

  6. HTTPS POST by client

  7. Authentication Server (RADIUS)

3rd party certificate loading on cnMaestro

First of all, you have to choose a hostname on a domain name you own in order to purchase a public certificate.

Let's take "" as an example.

You must purchase a public server certificate with CN ( Common Name ) attribute equals to "" in our example.

Once you have the certificate, import it into cnMaestro under Application > Server > SSL Certificates > Import section.

Select "Import Signed Certificate and new Key"

After loading the certificate, change the guest portal’s URL to reflect the new hostname under Services > Guest Access Portal > Guest Portal Hostname / IP.

Note: DNS Server forward zone should be updated with an entry to point to the cnMaestro hostname. This will ensure that when client tries to contact the redirected URL (which AP provides to contact cnMaestro) external DNS can send a query response.


  1. On cnPilot Access Points: Configure > WLAN

  2. On cnMaestro: Shared Settings/ WLANs and AP Groups > WLANs

WLAN: Key in the WLAN name and description. By default, WLAN Name is taken as SSID Name.

AAA Server: Key in the AAA server setting like IP address (RADIUS server) and shared secret ( This shared secret will be given by Cloudi-Fi support team ).

Guest Access: Enter the URL of captive portal hosted on external web server and select other required parameters.

Go to your Cloudi-Fi administration interface and get the URL for external authentication.

Go to Locations Menu

Click on the menu button of the location and select "Copy Splash page URI"

  • Copy the URI

Did this answer your question?