Your Cradlepoint router is still running. Packets are still moving. From the outside, nothing looks wrong.

But if your NetCloud license has expired, or is about to expire, the clock is already working against you. Cradlepoint’s licensing model has three distinct states, and the transition from licensed to unlicensed is not a gradual dimming. It is a series of discrete capability losses that happen on a defined schedule, often while the router keeps routing and no one is watching the dashboard.

This article explains exactly what those states are, what breaks and when, and how the impact differs across branch, IoT, and vehicle deployments. The impact is not the same in all three.

—

The Three NetCloud Licensing States

Every Cradlepoint endpoint in your NetCloud account exists in one of three states. Understanding the distinction between them is the foundation of managing your exposure.

**Licensed** is the baseline. The device has an active NetCloud subscription, all purchased plan features are available, and the device can be managed, updated, and monitored through NetCloud Manager.

**Non-Compliant** is the first warning stage. An endpoint enters this state when its license expires or when the number of devices on an account exceeds the number of active subscription licenses. Non-compliant status triggers a 30-day remediation period during which most functionality is preserved, but not all. Advanced Add-On plan features are removed immediately. These include Cradlepoint’s CP Secure Threat Management, CP Secure Web Filter, Zscaler integration, NetCloud Edge Connector, and SDK access. For branch and mobile endpoints, Geoview dashboards and Out-of-Band Management (OOBM) are also removed during this period.

**Unlicensed** is the end state. If the licensing issue is not resolved within the 30-day remediation window, the endpoint transitions to unlicensed. At this point, NetCloud locks the device into its last known configuration and removes access to nearly every management, monitoring, and update function. The device continues to route traffic using its frozen configuration, but it cannot be changed, updated, monitored, or remotely recovered.

The key practical distinction: non-compliant is recoverable without disruption if you act within 30 days. Unlicensed means you are flying blind, with a frozen configuration and no remote hands.

—

What You Lose During the Non-Compliant Period

Most IT administrators assume that a lapsed license is a billing problem, not a technical one. The 30-day grace period reinforces that impression: basic routing continues, and the dashboard still shows the device. But the advanced functionality that justified the investment has already been removed.

For **branch and mobile endpoints**, the non-compliant period removes access to the entire Advanced plan tier: CP Secure Threat Management, CP Secure Web Filter, Zscaler, NetCloud Edge Connector, and SDK. It also removes Geoview, modem usage and health dashboards, client dashboards, Remote Connect, and Out-of-Band Management. If a branch router goes down during this period, remote recovery through OOBM is not available.

For **IoT endpoints**, the non-compliant period removes the IoT Advanced Plan: advanced VPN tunneling, Remote Connect, OOBM, NetCloud Edge Connector, advanced real-time endpoint and network interface status, and dashboards for health, client, and modem data usage.

For **LTE-Adapter endpoints**, the non-compliant period removes the LTE-Adapter Advanced Plan, Remote Connect, OOBM, advanced real-time status, and health and modem data usage dashboards.

In practice, the 30-day remediation period is your window to renew before capability loss becomes configuration lock. Organizations that do not monitor their license expiration dates often discover the non-compliant state only when a feature they depend on is unavailable, by which point they may have less than 30 days before the unlicensed state begins.

—

After 30 Days: What Going Fully Unlicensed Actually Means

Once the remediation period expires, the unlicensed state is a different category of problem.

NetCloud locks the endpoint into its last known basic configuration. The router continues to route traffic: enterprise routing protocols, some VPN configurations, zone firewall rules, basic URL filtering, most LAN protocols, and Wi-Fi all remain active in their frozen state. The problem is not that the device stops working. The problem is that you cannot change anything, see anything, or update anything.

Specifically, an unlicensed endpoint cannot:

• Be managed through NetCloud Manager at the device or group level
• Receive NetCloud OS (firmware) updates
• Support NetCloud Perimeter
• Use NetCloud API or SDK
• Act as a hub or spoke in Auto VPN
• Receive any configuration changes
• Run NetCloud at full functionality

Additionally, the following are removed across all unlicensed endpoints regardless of plan:

• Remote Connect
• Out-of-Band Management
• Alerts, reports, and logs
• NetCloud API
• All NetCloud dashboards except the Subscriptions dashboard
• Real-time diagnostics

The configuration freeze is the most operationally significant consequence. If a network change is required (a new VLAN, an updated security policy, a failover adjustment, it cannot be made without first relicensing the device. If the device develops a problem that requires a configuration change to resolve, it cannot be fixed remotely. A technician must physically access the device, which for a distributed deployment could mean travel time measured in hours or days.

The firmware lock is the most dangerous long-term consequence. An unlicensed device cannot receive security patches. Over time, its running firmware version becomes increasingly vulnerable as new CVEs are published against older Cradlepoint OS versions.

—

How This Plays Out Across Deployment Types

The unlicensed state has different operational consequences depending on how and where the device is deployed.

Branch Deployments

In a branch deployment, the configuration freeze means your traffic policies, QoS rules, and failover logic are locked at whatever state they were in when the license expired. If business requirements change: a new application needs priority routing, a carrier change requires a failover policy update, or a compliance requirement demands a new firewall rule. None of those changes can be pushed to the device without relicensing first.

The loss of firmware updates creates a compounding risk. Branch routers handling sensitive traffic (financial data, patient records, government information) running on months-old firmware without patches are increasingly exposed to known vulnerabilities. Most enterprise compliance frameworks require current patch levels on all network infrastructure.

The absence of OOBM means that if a branch router hangs, loses connectivity, or enters an error state, the only recovery path is an on-site visit or a router replacement shipped to the location. For organizations with branches in remote areas, this is a material operational cost.

IoT Deployments

IoT deployments have a specific vulnerability: the devices behind the gateway are often not independently accessible from the network. They communicate through the Cradlepoint gateway, and the gateway is the management plane for those endpoints. When the gateway goes unlicensed, the advanced VPN tunneling that provides secure connectivity for IoT sensors and controllers goes with it.

Remote Connect and OOBM loss hits IoT deployments particularly hard. IoT gateways are often installed in locations that are inconvenient or difficult to access physically: equipment rooms, remote infrastructure, industrial sites. The assumption that they can be managed remotely is built into the deployment model. When that assumption breaks, the operational model for the entire IoT deployment breaks with it.

The inability to push configuration changes also means that if an IoT device or sensor network requires a reconfiguration (new data routing, updated security policies for a new device type, firmware updates for connected equipment), those changes cannot be applied until the gateway is relicensed.

Vehicle and In-Transit Deployments

Vehicle deployments are the most time-sensitive category. Cradlepoint’s in-vehicle routers (IBR and R-series) are typically deployed in fleet vehicles, transit systems, public safety vehicles, and mobile command units where continuous connectivity and real-time visibility are operational requirements.

When a vehicle router goes unlicensed, GPS and location services are removed. Fleet operators lose real-time visibility into vehicle locations. Public safety agencies lose location data for field units. Transit operators lose passenger Wi-Fi management visibility.

The loss of remote management is especially consequential for vehicles that are in the field continuously. A configuration issue on a vehicle router cannot be remediated remotely. The vehicle must be brought to a service location, or a technician must travel to the vehicle. Neither option is compatible with operational continuity for public safety, transit, or logistics deployments.

Alerts and logs are also removed for unlicensed vehicle endpoints. If connectivity issues are occurring on vehicles (poor handoff between carriers, dropped connections in specific geographic areas), those events are not recorded and not surfaced through NetCloud. Troubleshooting becomes reactive and anecdotal rather than data-driven.

—

How to Keep This From Catching You Off Guard

NetCloud license expiration is a predictable, preventable event. The conditions that lead to it are usually organizational rather than technical: renewal decisions handled by finance rather than IT, multi-year agreements that expire quietly at the end of a fiscal year, procurement cycles that don’t align with subscription timelines.

A few practices prevent the scenario described above from becoming your problem:

Set expiration alerts in NetCloud Manager. The Subscriptions dashboard shows license status and expiration dates for all endpoints. Configure alerts at least 90 days in advance, which is a reasonable lead time for most procurement processes.

Audit your license-to-device count regularly. Non-compliant status can result from license count mismatches as well as expiration. If a deployment grows and licenses are not added to match, devices quietly enter the non-compliant state without any expiration event.

Consider a managed renewal program. RCN Technologies’ managed Cradlepoint subscription service handles renewal tracking, co-termination of licenses across a fleet, and proactive reminders before expiration windows open. Organizations with large or distributed Cradlepoint deployments benefit from having a partner responsible for the renewal cycle rather than managing it internally.

Renew before the non-compliant period starts, not during it. The 30-day remediation window exists as a safety net, not a renewal timeline. Renewing during the non-compliant period restores full functionality immediately, but organizations that treat the grace period as their renewal window will regularly find themselves operating with reduced capability for days or weeks before the renewal is processed.

—

About RCN Technologies

RCN Technologies partners with 4,200 businesses & over 1,100 unique government agencies across local, state, education, and federal sectors. We specialize in delivering turnkey wireless connectivity where wired options fall short, and we have the procurement experience to help you find an approved purchasing path fast.

You May Also Be Interested In…

Talk to a Cradlepoint Specialist Today