Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
TIP OpenWiFi 2.0
OpenWiFi 2.0 Minimum Viable Product at the end of July, 2021 enables a cloud native and cloud agnostic Software Development Kit (SDK) with management and deployment support for a wide range of Access Point and PoE network switch platforms.
Zero Touch Cloud Discovery
Firmware Management
User Interface
Device List
Device Reboot
Device LED Blink
Device Remote Packet Capture
Device Configuration
Device Factory Reset
Device Remote TTY shell
Remote Wi-Fi Scan
Associations
UE (Wi-Fi Clients)
Mesh and WDS Clients
MCS, NSS, RSSI, Channel, SSID, Tx/Rx
Device Health Check
Interface Statistics
Device Command History
Upcoming sprint for August includes Dynamic Provisioning service support for template based device configuration.
Firmware
Basic Features for OpenWiFi Switching
Passpoint
NAPTR Functionality
Proxy Static Routing
HSP Auth / Acc Service Discovery
Last Resort Proxy
RADIUS OpenRoaming Compliance
External 3rd Party Captive Portal Redirect
Burst Rate Ad-Hoc Telemetry
Static Routing
CS1 Merge - Wi-Fi 6
IEEE802.1d STP Control
Timestamp on Health Check messages
L2 DHCP Relay
Station Association Idle and Session time
SDK
OpenWiFi Provisioning Service
OpenWiFi Inventory Service
Multi Tenant Support
Service Group - Venues
Logical Regions - Entities
TIP OpenWiFi 2.0
All TIP OpenWiFi devices use the same cloud discovery mechanism on initial boot.
OpenWiFi devices ship from factory with a unique device certificate signed by the Telecom Infra Project Certificate Authority.
When a device boots for the first time, or is factory reset, a 'first-boot' process occurs within the device. First-boot initiates a connection over HTTPs to the Certificate Authority requesting the unique device record information. All connections to the Certificate Authority occur over mTLS encrypted session. Devices use their unique certificate identity to authenticate and retrieve the location of the assigned cloud.
Once the cloud location has been learned from first-boot, the device no longer depends on this cloud discovery and will return to the assigned cloud learned from first-boot.
Devices may periodically initiate connection to the Certificate Authority to validate their unique certificate status. This is a normal process involved in mutual TLS security models.
When an operator or end customer seeks to change the cloud associated with their device(s), the value of the cloud stored in the Certificate Authority device record is updated. A factory reset of the device will cause first-boot to re-occur which will then discover the new cloud.
TIP OpenWiFi ODM partners are able to manage device records directly using the Certificate Authority portal. All other users should send an email to licensekeys@telecominfraproject.com to request update of cloud discovery.
Telecom Infra Project OpenWiFi
TIP OpenWiFi is an open source community project that believes in democratizing premium Wi-Fi experiences for multiple market use cases. The TIP approach to OpenWiFi creates an open source disaggregated technology stack without any vendor lock in. OpenWiFi offers premium managed Wi-Fi features, local break-out design, cloud native open source controller, and an open source AP firmware operating system tested nightly.
TIP OpenWiFi is the industry's first CI/CD open source Wi-Fi eco-system. Built nightly with a strong community of Wi-Fi leaders, new features are unit tested in automated RF chambers and checked from cloud to ground for Wi-Fi performance and conformance.
OpenWiFi 2.0 introduces management and telemetry based on uCentral offering expanded selection of managed devices including smaller APs and PoE access switches.
Multiple topologies including :
Bridging, Virtual LAN, VxLAN, NAT Gateway, Local Breakout, Overlay (PPPoE, L2oGRE, L2TP), Mesh, WDS
Multiple authentications including WPA, WPA2, WPA3, Enterprise Radius models, M-PSK
Passpoint R1 and R2 Mobile Offload
Encrypted Zero Touch Provisioning and Cloud Discovery
Autonomous RRM and Channel Control
Captive Portal & ExpressWiFi
IEEE802.1Q Virtual LAN
VxLAN
DHCP Snooping & Relay
Multicast
PoE
IEEE802.1x Access Control
Zero Touch Provisioning
Firmware Management
Integration Northbound Interface (NBI) RESTful
Data model driven API
Enterprise Message Bus data access
OpenWiFi AP Detail List:
Wi-Fi 4 (n) Wi-Fi 5 (ac) Wi-Fi 6 (ax)
Dual Bank Bootloader
Multi-SSID per Radio
SSID Authentications: WPA/WPA2/WPA3 - Mixed, Personal, Enterprise
802.1Q VLAN per SSID
802.1d Bridge Mode per SSID
RADIUS Accounting, Interim-Accounting, NAS-IP, CUI
Network Address Translation Gateway Mode Operation
Network Time Protocol Client
Management VLAN
Wi-Fi 6 (ax) Specific
BSS Coloring
UL/DL OFDMA sub-carrier allocation
Channel Switch Announcement
Wi-Fi General Features
WMM® - Wi-Fi Multi Media
UAPSD Procedures (Unscheduled Power Save)
Upstream/Downstream Queues & L3 DSCP
Over The Air QoS EDCH Procedures
WMM-Admission Control (AC)
WMM-Power Save (PS)
Wi-Fi Optimized Connectivity
(ai) Fast Initial Link Support
Wi-Fi Agile Multiband
(k) Client Radio Resource Management - Directed Steering
(v) Network Assisted Roaming
(r) Fast BSS Transition
Protected Management Frames (PMF)
(w) Management Frame Encryption
Channel Switch Announcement (CSA)
Dynamic Frequency Selection & Transmit Power Control (DFS/TPC)
Beacon Rate
Min Client Noise Immunity
Basic Rate Control
De-Auth RSSI Control
Burst Beacon Support
Per SSID Client Rate Limiting
Promiscuous Mode Support
Additional TIP AP NOS Features
ISP WAN Profiles ( PPPoE, L2TP, L2oGRE )
Embedded Captive Portal (Local Splash non-auth)
Link Layer Discovery Protocol (LLDP)
Dynamic Airtime Fairness
Service Flow QoS
Wireline & Wireless Tracing (PCAP Cloud Remote Troubleshooting)
Health Check Reports
Local Provisioning over SSID (when Cloud or WAN down)
Multimedia Heuristics (Detection of Unified Communication Sessions)
SSID Rate Limiting
GPS Reporting
Autonomous RRM Client Steering
Client / AP / Network Metric Telemetry
Cloud SDK additional features
Provisioning
Device Identity (Model, MAC, Serial Number)
Device Software Upgrade
Multiple SSID Configuration
Bandwidth Rate Control per SSID
Multi-Radio 2.4/5/6GHz control
AP Network Mode Control (Bridge/NAT mode)
Security (WPA-Personal/WPA & WPA2/3 Personal Mixed/WPA & WPA2/3 Enterprise Mixed/WPA2/3 Personal/WPA2/3 Enterprise/WEP)
VLAN per SSID
VxLAN port configuration
NTP Enable/Disable
RTLS (Location Services) Enable/Disable
RF Control
IEEE802.11r Fast BSS Transition per Radio Control
IEEE802.11k RRM Radio Information per Radio Control
IEEE802.11v Network Assisted Roaming per Radio Control
RRM Location AP Channel (uChannel) Provisioning
RRM Location Client Steering (uSteer) Threshold Provisioning
Remote Troubleshooting and Service Assurance
Syslog
Health Check Reports
Remote DHCP, RADIUS, UE Network Analysis
Remote TTY Shell
Remote Packet Capture Analysis
If you or your company are interested in contributing to TIP Open Wi-Fi, please join the Wi-Fi Product Group by visiting Telecom Infra Project to become a member.
TIP OpenWiFi 2.0
Release 2.0 SDK offers a number of ways to consume OpenWiFi. Available as a single Docker for just the uCentralGW or as a set of micro services offering increasing value to consume helps multiple eco-system partners use as much or as little as desired to integrate with or build a commercial product on the TIP OpenWiFi SDK.
Features of the 2.0 SDK at July MVP include:
RBAC based security framework
OpenAPI compliant Northbound
Kafka Message Bus
PGSql HA Cluster
Firmware Manager
Central Logging Dashboard
User Interface
Docker Compose & Helm DevOps Deployment Automation
TIP OpenWiFi 2.0 SDK
The contains a Compose file and the related files and directories to set up a local uCentral instance with Docker Compose. You'll find all related data under the docker-compose/
directory.
The deployment creates local volumes to persist mostly application and database data. In addition to that several bind mounts are created:
docker-compose/certs/
directory used by multiple services
Service specific data directories and configuration files located under docker-compose/
mounted into the appropriate containers.
Be aware that the deployment uses bind mounts on the host to mount certificate and configuration data for the micro services and therefore these files and directories will be owned by the user in the container. Since the files are under version control, you may have to change the ownership to your user again before pulling changes.
Changing image tags used in the deployments may be performed in docker-compose/.env
.
By default this file specifies the micro service image tags according to the release branch you have checked out.
Additional configuration changes such as database settings or passwords are found in the various other service specific .env
files.
The rest of the configuration is done through the config files located in the appropriate subdirectories of the Compose project directory.
Exposed port dependencies by application are listed below:
127.0.0.1:80/tcp
- OpenWiFi-UI
127.0.0.1:5912/tcp
- rttys dev
127.0.0.1:5913/tcp
- rttys user
0.0.0.0:15002/tcp
- OpenWiFi-uCentralGW websocket
127.0.0.1:16002/tcp
- OpenWiFi-uCentralGW REST API public
0.0.0.0:16003/tcp
- OpenWiFi-uCentralGW fileupload
127.0.0.1:16102/tcp
- OpenWiFi-uCentralGW alivecheck
127.0.0.1:16001/tcp
- OpenWiFi-uCentralSec REST API public
127.0.0.1:16101/tcp
- OpenWiFi-uCentralSec alivecheck
By default only the websocket and fileupload component of the OpenWiFi uCentralGW (Gateway) micro service are exposed on all interfaces. All other exposed services listen on localhost. You can change that according to your needs in the ports
sections ofdocker-compose/docker-compose.yml
.
The repository includes a TIP Root CA Digicert-signed (for the Gateway websocket to devices) and a self-signed certificate (for the REST API northbound and other components), which you can use to create a local deployment out of the box.
The certificates are valid for the *.wlan.local
domain.
The Docker Compose uCentral micro service configs use ucentral.wlan.local
as a hostname, so make sure you add an entry in your hosts file (or in your local DNS solution) which points to 127.0.0.1
or whatever the IP of the host running the deployment is.
Switch to the Compose project directory with cd docker-compose/
.
Spin up the deployment with docker-compose up -d
. If your deployment was successfully created, you should see the following output with docker-compose ps
:
Since the certificate for the REST API and other components is self-signed, you have to add it to the system trust store of the containers communicating together internally via TLS. The add-ca-cert.sh
script located in the Compose project directory does the work for you.
You also have to trust the self-signed REST API certificate on your local machine. To achieve that you either have to add certs/restapi-ca.pem
to your trusted browser certificates or add certificate exceptions in your browser by visiting https://ucentral.wlan.local:16001
and https://ucentral.wlan.local:16002
and accepting the self-signed SSL certificate warnings (make sure to visit both and add the exceptions).
Connect to your AP via SSH and add a static hosts entry in /etc/hosts
for ucentral.wlan.local
which points to the address of the host the Compose deployment runs on.
While staying in the SSH session, copy the content of certs/restapi-ca.pem
on your local machine to your clipboard and append it to the file /etc/ssl/cert.pem
on the AP. This way your AP will also trust the self-signed certificate.
Go to http://ucentral.wlan.local
to visit the UI and login with username tip@ucentral.com
and password openwifi
if you didn't change the default credentials in the uCentralSec configuration.
To use the curl test scripts which are included in the micro service repositories make sure to set the following environment variables before issuing a request:
Stop the running containers with docker-compose down
Check out the new branch by repeating Step 1 from How to above for the given release and docker-compose up -d
.
Don’t forget to re-add the self-signed certificates to the containers with the provided script. Also be aware that you may have to change back some file permissions. To obtain the most recent changes as the files are under version control, you may have to change the ownership to your user again before pulling changes.
TIP OpenWiFi 2.0
There could be reasons cloud discovery does not complete. These include:
Lack of Internet Connectivity
Device may require additional WAN settings
Network may not be connected to Internet
No Configuration of Cloud in Certificate Authority
Manufacturer may have left this value blank in the device record stored in Certificate Authority
When the cloud can not be automatically discovered, OpenWiFi devices will turn on a local admin web UI made available via SSID "Maverick".
For non-Wi-Fi devices such as PoE access switches, the same cloud location information may be configured using local management interface.
TIP Wi-Fi Member Access Point Ordering Information
TIP Wi-Fi members may contact the ODM manufacturers in the TIP Wi-Fi eco-system using the information posted within Community Confluence page.
OpenWiFi 2.0 SDK is deployable as both a Docker Compose or a Helm on Kubernetes model. See section for installation instructions.
First you'll have to according to your platform specific instructions. After that clone the repository with git clone https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy
.
The Maverick UI will support configuring WAN interface parameters, including DHCP, Static, PPPoE, and LTE/5G settings. Please see for details on using Maverick. Additionally the Maverick UI supports direct entry of the cloud for cases when the cloud value has not been supplied during manufacture.
OpenWiFi 2.0 Device Configuration
To introduce the Community to the uCentral data model structure, the below illustrates a basic Access Point configuration that assumes a typical enterprise Wi-Fi scenario of a ceiling mount or wall mount device presenting a single WAN interface with a private management network and separate Wi-Fi network on a virtual local area network.
We will set the unit location and timezone, then proceed to configure radios.
In this example, a two radio device that indicates it is Wi-Fi 6 as the channel-mode values for both radios is "HE" which defines 802.11ax operation. Valid values are "HT" -High Throughput 802.11n mode, "VHT" - Very High Throughput 802.11ac mode, "HE" - High Efficiency 802.11ax mode.
Channel defines the specific channel number the radio shall operate on as an integer from 1 - 171 and may also be set to a string for "auto" mode. Channel width permits configuring the amount of RF channel the radio will operator over from 20-40-80-160 including 8080 mode (also known as 80+80) .
OpenWiFi radios may be set to require UE clients to associate to a minimum standard such as excluding any 802.11b associations depicted above with "require-mode" set to "HT" meaning 802.11n or higher clients may associate.
Control of beacon interval and multicast rates is possible per radio as shown in the "rates" section.
OpenWiFi 2.0 offers a highly flexible model for arranging network interfaces. Multi-port devices may be easily provisioned for numerous types of network segmentation and logical network configuration. We will start with a simple WAN that has a management IP and also a VLAN sub-interface for a logical SSID in a subsequent step.
In the above configuration block we have a WAN interface, its role is "upstream" meaning it faces the upstream in terms of service it provides (WAN). This has a direct alignment to how the device interprets a physical or logical port participates in bridge forwarding domains.
Note we want this port to have an IP address for its management, therefore the "ipv4" configuration is associated as a child of any Ethernet WAN ports and set to DHCP.
Imagine the OpenWiFi device is an enterprise Access Point mounted on a ceiling. These devices do not always have a LAN port. Also in an enterprise, it is likely the Wi-Fi services are in their own network segments and not subject to Network Address Translation (NAT). Since the enterprise would also not want Wi-Fi on the same network as Management, an 802.1Q Virtual LAN is used.
In this next section of configuration, an additional logical interface associated to the WAN ports for the VLAN id of "100" is shown. Note there is no IP address associated to this interface, it is a layer 2 interface that will emit on any and all WAN ports with VLAN id 100.
To associate the Wi-Fi with the VLAN interface define, we continue within the WAN100 interface adding SSID services.
Within the "ssids" configuration block we can process an array of SSIDs. Often there may be separate "2G" and "5G" configurations. We have grouped them in this introductory example for simplicity however "2G", "5G", "5G-lower", "5G-upper", "6G" are all valid options.
The "name" value is the advertised SSID clients will discover for this access point. Hidden is supported by setting the "hidden-ssid" to true. Which operating mode is determined by "bss-mode". The "bss-mode" is a highly flexible operating parameter to determine "ap", "sta", mesh", "wds-ap", "wds-sta", "wds-repeater" radio modes of operation.
Security of the SSID is determined using the "encryption" section. Many options are possible, in this initial example, a WPA-PSK2 shared key encryption is shown. Lastly, for devices that support, 802.11w protected management frames are defined as optional for this SSID. This may also be disabled or required.
Metrics for wifi-frames will be described next.
Add metrics to our configuration that will help expose state of the Wi-Fi network and its services to the cloud.
Within metrics it is possible to define the interval for sending information to the cloud. Additionally the type of information sent is defined here. In this example configuration there are associated services to interfaces along the way. This included LLDP and dhcp-snooping and wifi-frames.
Within each uCentral device, the agent has a global health check feature that includes memory, cpu, temperature operating states in addition to performing various network and service health tests. The interval at which these reports are sent to the cloud is configured within health.
For all SSIDs that have wifi-frames associated as a service, the listed management frame types will be gathered and sent to the cloud, on each interval.
To assist with fingerprinting and client troubleshooting, dhcp-snooping sends the cloud all current client DHCP and DHCPv6 state.
The final section of the simple configuration example turns on LLDP and SSH where those services were associated to interfaces listed above.
The complete simple configuration file as described in this page may be downloaded here:
OpenWiFi 2.0 Devices
When OpenWiFi devices are unable to connect to the cloud during their initial power on from factory, this may be a result of Internet connectivity issues.
Certain WAN connections may require credentials such as a username and password or a mobile configuration or simply static address assignment instead of dynamic.
OpenWiFi 2.0 supports these scenarios. When a device does not have an existing configuration and is unable to contact the cloud for provisioning it enters "Maverick" mode.
For all Wi-Fi devices this means a Wi-Fi network with the SSID 'Maverick' will become available. Association with and logging in to the device will permit initial WAN connectivity to be entered.
After association to the Maverick SSID, open a web browser to http://192.168.1.1
Log into the OpenWiFi device with username: root
and password: openwifi
When the page above is displayed, begin to configure Uplink based on the WAN requirements of the deployment.
If connection uses Point to Point over Ethernet (PPPoE) username and password credentials, enter those values and save.
If the OpenWiFi device has a Cellular connection which is possible on device models with 4G and 5G radios, the network Access Point Name (APN) and PIN will be required. These values are supplied by your mobile network provider.
When dynamic address allocation is not available, static IP address assignment may be required. IPv4 and IPv6 are supported, enter these values with DNS address and save.
Otherwise leave the Uplink configuration to DHCP or cloud defaults.
If under rare circumstances it is not possible to discover the OpenWiFi cloud associated with the device or there is a need to replace device certificates, this may be configured in Settings.
It is possible to reset the device to defaults, or locally update firmware using the commands available from System.
****
TIP OpenWiFi 2.0
Initial Minimum Viable Product Release 2.0 does not include template driven device provisioning, this will be available in the next sprint.
Given many cloud and ODM partners wish to consume the 2.0 reference stack early, some with their own device provisioning logic as part of commercial cloud controllers, the following describes uCentral based management and telemetry, interactions with the OpenWiFi SDK processing provisioning and telemetry data.
OpenWiFi 2.0 follows the uCentral system. Complete data model is available here. Upon discovery of the cloud, a device default or specific configuration is transferred.
All devices are known to the cloud by their unique id and provisioned based on advertised capabilities. Each configuration generates a new unique hash value to ensure as devices report back to the cloud, their configuration state is guaranteed.
If the cloud sends invalid configuration data or the device has insufficient ability to complete the provisioning commands, the error handling process will send this response back to the cloud.
For example results returned to SDK from a device configuration error:
OpenWiFi 2.0
Release 2.0 uses a Single-Page Application (SPA) as an example user interface built using React to demonstrate several interactions using the northbound OpenAPI.
Default username is: tip@ucentral.com
and password is: openwifi
A left side navigation menu provides direction to major feature or service settings.
OpenWiFi 2.0 SDK supports multiple languages. Simply select the desired language from the right drop down for pages to re-populate accordingly.
Upon login the first page presented is a Devices table. This table reflects all discovered and managed devices known by the OpenWiFi SDK.
Devices table indicates device Connected or Disconnected state in the first column with green and red respectively.
Certificate column indicates invalid, valid with mismatch serial, or valid device certificate identity state as red crossed seal, yellow seal and green seal respectively.
Serial Number column links to the device record.
Compatible model, Tx, Rx, and connected IP Address present basic information of the device type and its connection.
Three final columns provide Details (also obtained by selecting the serial number), Wi-Fi Analysis presenting current Wi-Fi associations and their performance and Refresh commands.
From the Devices table, second from right column icon the WiFi Analysis may be accessed. This may also be accessed within the Device View page of a single record along the top right of Statistics section.
Within the WiFi Analysis page, all active associations are displayed with the ability to view approximately the last 30 minutes of data reported from the Access Point.
For each association the device MAC address, mode of connection and SSID are displayed. This will include end devices as well as Wi-Fi infrastructure such as WDS and Mesh associations.
Associations have RSSI, Rx Rate & Bytes, Tx Rate & Bytes, MCS negotiated, Number Spatial Streams and IP Address information.
OpenWiFi SDK provides visual indications on the overall health of the deployed Wi-Fi network. this includes Device Status for connected and non-connected devices. Device health indicating percentage of devices failing a health check. Distribution of devices by vendor in the network and by model.
Additionally, verified certificates or serial mismatch certificates, number of Command actions from all Gateways to devices and devices with greater than 75% memory utilization, greater than 50% less than 75% memory and less than 50% utilization are displayed.
OpenWiFi 2.0 SDK
Each device page presents statistics in traffic terms per interface as a line graph of bandwidth over time.
The generated image may be downloaded for offline use.
Accessing Wi-Fi Analysis and Last Statistics may be found at the top right of Statistics tile.
Operating channels, channel width, noise floor and transmit power are the first values reported in Radios table.
Viewing associations, from the Associations table, and their use is important in terms of bandwidth and connection quality. Wi-Fi Analysis helps visualize each client association, this could be an end user device or a WDS or Mesh association.
Each association is known by their MAC address or BSSID value. The mode of connection will indicate if an end user client device entering the "ap" or if a client is associated as "wds" or "mesh.
The access point view of RSSI, Rx and Tx Rate, Modulation Coding Scheme and Number of Spatial Streams are exposed for each association.
Using the slider along the top, the last 15 to 30 minutes of performances data may be viewed.
The option to view Latest Statistics is at time of the MVP release, intended to help the Community see on a per device basis how much, or how little depending on device configuration, is being sent to the OpenWiFi Gateway in terms of telemetry.
OpenWiFi 2.0 SDK
Within the devices view, the Commands tile offers a number of features and administrative actions. Each of these represent API calls exposed on the OpenAPI northbound interface from the SDK.
Selecting the Reboot action will prompt the below dialog. Options presented permit an immediate reboot or a scheduled reboot based on date and time.
Multiple methods exist to execute a remote Firmware Upgrade of a device. When selecting Firmware Upgrade via the Commands tile, a simple dialog to upgrade immediately or at a scheduled time is presented. Alternatively using the Firmware Management Service provides a complete solution including managed access to all TIP firmware images.
OpenWiFi devices may perform channel scanning and return this neighbor and RF data to the SDK in an on demand or ongoing manner.
Scan operations function over all channels. If 5GHz channels do not display in the returned results ( either via the UI or over API ) this indicates the device is configured in a DFS channel for which it may not return survey scans at this time.
OpenWiFi enables remote connection to any managed device using rTTY encrypted shell session. Selecting Connect will cause a browser tab to open with the login session to current device.
To assist with remote identification of devices in the network, it is possible to turn the LED lights On, Off, of continuous blinking. This may be run on-demand or scheduled.
Trace feature enables a remote packet capture to occur on the managed device, over a specified period of time or amount of traffic, returning the "pcap" packet capture file locally to the OpenWiFi admin user.
Once complete the user is asked to open or save the packet capture file locally.
It is possible to revert a device to initial out of box state from the OpenWiFi SDK. Sending a Factory Reset will remove all configuration on the device and optionally reset the discovered cloud stored as the 'Redirector' in the device configuration.
Note: When Redirector is not kept, devices will re-contact the Certificate Authority to re-discover their OpenWiFi cloud address
Prior to the introduction of OpenWiFi 2.0 Provisioning Service, device configuration is done through creation of the JSON provisioning file and either loading that file or applying its contents using the dialog presented via Configure. The same options exist when using the API directly.
OpenWiFi 2.0 SDK
Each device presents Metrics and Health check data to the Gateway. Devices view displays this information in the following organization:
Status
Configuration
Logs
Health
Commands
Statistics
Command History
Connection status reflects the Gateway to Device current communications status. Uptime and Last Contact reflect communication state. Load indicates processing load on the device. Memory Used indicates free memory on the device.
Device UUID, Serial Number, MAC Address and Device Type are displayed. Last configuration update date and timestamp reflects the last time a "configure" action completed on the device. Password may be set and device notes may be added.
Log history of the device is presented within Logs. Expand the tile selecting the down arrow.
Health score is an active tile reflecting the device health out of a score reported by the device to Gateway. Health metrics are configured on the device based on chosen data model options. When the device falls out of 100%, this tile changes to red. Expanding the tile will present all health reports. Those with less than 100% score will contain reasons for the result from this interface.
Commands tile provides a number of administrative actions for the user:
OpenWiFi 2.0
OpenWiFi 2.0 data model for device management is based on uCentral.
uCentral is set to become a leading component of OpenWrt, as such will have a diverse, and worldwide developer and support base in open source.
Within the model it is possible to provision or return state for all aspects of an OpenWiFi based device easily structured as a JSON payload.
The complete data model may be found here :
Each device has a Universally Unique Identifier (UUID). For each device, the configuration presented either manually, via the future Provisioning service from OpenWifi or via a commercial controller generation of provisioning data, the high level relationships of the schema may be understood as follows.
The unique device record has a set of top level configurations. A device is referred to as a 'unit' that may have a Description, Location, TimeZone as example. Each unit may have globals for IPv4 and IPv6 networks that are derived to lower lever interfaces in later generation.
Services and Metrics are associated with logical and physical interfaces. Services enable configuration of features such as LLDP or SSH, rTTY, IGMP, 802.1x, RADIUS Proxy, WiFi-Steering, or NTP and are then associated with Interfaces as desired.
Interfaces define upstream and downstream configuration over both Wi-Fi logical (SSID) and wired physical ports.
Metrics enable visibility to the cloud for numerous states of the device. These are associated per interface and may be sent in 60 second or greater intervals and include Statistics of SSID, LLDP, Clients. Also include Health check reports of device load, network reachability, temperature. To assist with fingerprinting DHCP-Snooping exposes numerous interactions of IP binding to clients. Additionally wifi-frames expose all 802.11 management frames to the SDK Gateway.
It is also possible to configure config-raw elements that will parse direct UCI commands once the device provisioning has been completed by the uCentral agent.
uCentral Data Model Introduction
OpenWiFi 2.0 makes it possible for integrators of the SDK to implement commercial products leveraging OpenWiFi Gateway service with vendor supplied provisioning above OpenWiFi SDK. As a minimum, the OpenWiFi 2.0 SDK framework offers a Security service which handles all OpenAPI authentication northbound, and the Gateway service which provides all uCentral websocket interface functionality southbound.
OpenWiFi also provides options to receive telemetry and events over both OpenAPI interface as well as Kafka message bus. When using Kafka, OpenWiFi Gateway directly publishes telemetry and event topics to the bus.
In future sprints of OpenWiFi dynamic device provisioning will be available as an added micro service.
OpenWiFi 2.0 Gateway implements the uCentral device management interface. uCentral specifies the data model and interface for management and telemetry of OpenWrt based devices. Gateway uCentral interface is a websocket JSON-RPC based design between OpenWiFi Gateway and the device running uCentral agent.
All communications from Gateway to Device are secured using mutual Transport Layer Security (mTLS). In mTLS systems each endpoint is a unique device sharing the same signed root or intermediate trust. In OpenWiFi each device has a signed certificate, key and device identifier. These are validated by the uCentral-Gateway to establish mTLS session.
Upon successful connection the device exchanges its capabilities with the OpenWiFi SDK. OpenWIFi SDK, via the Gateway micro service will send the entire device provisioning data as a JSON payload. Within OpenWiFi devices, the uCentral agent has a reader and renderer process providing serialization and validation of data sent from cloud. If any data presented can not be processed by the local agent, this is returned within an ERROR message using the same websocket connection.
If the device agrees with provisioning information presented, the render process builds calls into the operating system configuration sub-system known as UCI. The Unified Configuration Interface ensures OpenWrt compliant syntax is persisted within the device.
Configuration source of truth is the OpenWiFi SDK. Consistency of device configuration is handled with an applied hash compared by the Gateway for each device. If the value differs on device from that of the stored information in cloud, the device will be immediately resent its configuration from the OpenWiFi SDK Gateway service.
Once present, all configuration data is preserved on device restart.
It is possible to generate device configurations outside of the OpenWiFi 2.0 SDK as shown in the minimum SDK image at the start of this page. This may occur for some integrations or may occur when the OpenWiFi Provisioning micro service is not present. In this way, integrators of commercial products are welcome to build device provisioning outside of OpenWiFi and use the OpenWiFi cloud to manage the scale, state, security and validation of device websocket communications.
TIP OpenWiFi 2.0 SDK
OpenWi-Fi 2.0 SDK can be deployed to Kubernetes using a Helm package. The Helm package code is located at repository.
Each micro service in the OpenWiFi SDK system has its own Helm chart that is managed in the micro service’s own repository. The assembly chart collects all the relevant micro service charts and other external dependencies like kafka, rtty, etc. and deploys them together as one cohesive release.
You can review the full list of all the assembled micro services and related dependencies here:
There are multiple ways you can install OpenWiFi SDK with assembly charts:
One way is by installing directly from the assembly chart’s repository. For that, you’ll need to install and extra Helm plugin that is used to pull the latest charts code from all the referenced micro services: .
Another way, which is considered more stable, is by installing from a prepackaged bundle that is published to on every official uCentral release. For this approach to work, you don’t need to install any additional plugins or dependencies, just to make sure you’ve got Helm installed on your local system.
Install the helm-git pluging according to the official documentation
Run helm upgrade --install tip-ucentral git+
You can also reference any other open branch from the deployment repository. For example, if you want to deploy using the assembly code from the v2.0.0-rc1 branch, you can just run helm upgrade --install tip-ucentral git+
This method doesn’t require to install anything locally other than Helm
Start by adding the wlan-cloud-ucentral Helm repository to your local list of repositories by running helm repo add tip-ucentral
helm upgrade --install tip-ucentral wlan-cloud-ucentral to install the latest version, or specify the release you want to install by adding the --version x.y.z flag.
The configuration of OpenWiFi SDK using Helm chart may be separated into layers:
During deployment all values are merged as maps with priority to the level of deployment (so Environment-specific values will override any overrides from Assembly chart values and so on).
Example: Let’s pass environment-specific ucentralgw.properties configuration parameter (which is probably quite common thing to test). For example, we have an environment that requires to set parameter ucentral.websocket.host.0.backlog to 1000. For that we would need to run following command, extending our base command:
The configuration is dynamic, and new namespaces (a.k.a environments) may be created by adjusting the json configuration in the workflow.
The json format allows to deploy or upgrade and existing environment using the latest Docker images or to specify a specific version of each micro service.
To deploy specific version to the specific environment a list of things must be done:
First, you need to make sure that the Docker image with the correct version exists in Artifactory, otherwise, the Helm upgrade will fail.
Update the json configuration in the workflow to reference the require version for the require micro service (examples are attached in the json file itself)
Re-run the deployment in Github actions. You can also make all the above changes in a separate branch, and re-run the workflow from that branch (using a drop-down in the top left corner in Github’s UI).
OpenWiFi SDK 2.0
Multiple events are recorded in the Command History tile. Each line item will have a Result, Details, and Delete action.
When an rTTY session is executed, this is a displayed command history. Selecting the Result icons will display the Success or Fail of the command.
Each provisioning event is reflected as a configure command history. To see the entire JSON payload and the result, including success or error with message, simply select Details to expand the dialog below with this data. A date and time in the third column indicates when the configure command was executed successfully.
If a provisioning event has failed to complete, its command history for configure will show as pending.
Remote packet capture is shown as the trace command history. When packet captures are persisted in the OpenWiFi SDK, they may be downloaded again through the cloud download icon.
Micro services default values - values files that are stored in micro service helm charts (i.e. ). These values are used by default if no other parameters are supplied, so in case you have any microservice-related variables that need to be added in default installation (for example new application configuration properties), add them in the related helm chart values as they will be applied in next release update.
Assembly chart values - values that are stored in the assembly repository ( ) – these are values that override default micro services values so that all uCentral components could connect to each other correctly, and the whole system can be installed as one bundle. These parameters are environment specific, and can differ between and installation of the bundle on an EKS cluster or a MicroK8s local setup.
Helm upgrade/install flag overwrites - these values cam be specific for each specific helm install command during execution and usually contain installation-specific values like TLS certificates, security credentials, loadbalancer configuration parameters and so on. These may be passed using --set flag or --values flag (details may be found in and in micro services helm charts), or you can also save them into one file and reference this file during the helm upgrade command using the --values flag.
OpenWiFi SDK can also be deployed to an AWS labs environment using a Github actions workflow: .
Command
Action
Reboot
Warm Restart remote device
Firmware Upgrade
Initiate firmware upgrade process
WiFi Scan
Initiate remote scan of surrounding Wi-Fi
Connect
Initiate an rTTY Remote Shell session
Blink
Set LEDs to On, Off or Blinking state
Trace
Initiate a remote Packet Capture
Factory Reset
Hard Reset remote device - destroys device local config
Configure
Upload Device Configuration
OpenWiFi 2.0 SDK
This uses OpenAPI definition 3.0 and can be found here. All endpoints begin with /api/v1
.
API endpoints are secured with bearer-token authentication using end-point /oauth2
.
Once you obtain access-token
, you will need to pass it in the headers under Authorization: Bearer <place your token here>
.
The API revolves around devices
, commands
, and default_configurations
.
To retrieve a list of devices
to know what is available and then use the endpoint device
to access all device specific information.
To retrieve commands
and default_configurations
follow those endpoints.
Most operations rely on the serialNumber
of a device. That serialNumber
is unique and generated on the device. Serial Number matches the device's MAC address.
devices
: The list of all devices in the system. This maybe very large, pagination is recommended.
commands
: The list of commands issued by the system. This list could also be large.
default_configurations
: A list of default configurations used to supply existing devices.
A device is a physical (or potentially logical) entity using the ucentral protocol. Currently, APs and Switches are the only devices used. A device has several attributes. Additionally, other collections are supported for each device:
logs
: Specific for a device. Logs originate from the device or associated with the device by some mechanism.
healthchecks
: Reports from the device coming periodically after device self tests.
statistics
: Periodically produced by the devices and document actual state data from each device.
capabilities
: This details the actual data model supported by the device.
The device
entry point is also used to query about the status
of the device and used to inject certain commands for a specific device.
Commands supported for each device:
reboot
: This will force the device to reboot.
configure
: Configure sends a new configuration to a device.
factory
: Forces the device to perform a factory-reset.
upgrade
: Forces the device to do a firmware upgrade.
leds
: Ask the device to flash its LEDs or turn them on or off.
trace
: Performs a remove LAN trace. Once the trace is completed, the produced file may be removed using the file
endpoint.
command
: Performs a proprietary command. The meaning depends on the device.
request
: Request an immediate message of type state
or healthcheck
.
The file
end point is used to retrieve and remove files produced by the Gateway. Currently this is limited to the results of a trace
command. The file name will always match the uuid
of the command that produced it. If several files are needed, the files will be named uuid
, uuid.1
, uuid.2
, etc.
All dates should use the format defined in RFC3339. All times are UTC based. Here is an example:
when
parameterMost commands use a when
parameter to suggest to the device when to perform the command. This is a suggestion only. The device may decide to perform the command when it is optimal for itself. It maybe busy doing something and decline to do a reboot for several minutes for example. The device may reply with the actual when
it will perform the command.
The gateway manages the configuration UUID. So if you set a UUID for a configuration, it will be ignored. The gateway uses UUID as versioning. The UUID is unique within a single device. The resulting UUID or a configuration change is returned as part of the configure
command.
OpenWiFi 2.0
One of the benefits of the new data plane in OpenWiFi 2.0 is the flexibility of physical port to logical forwarding that is easily conveyed through configuration structures.
New protocol support is both easily added to the system as well as associated with interfaces by their role in the device.
The following sections offer feature configuration examples.
For complete reference to the device data model please refer here.
OpenWiFi 2.0 SDK
OpenWiFi services follow the OpenAPI 3.0 definition. The complete API is described here: OpenWiFi SDK OpenAPI
OpenWiFi devices are Access Points or Switches (and other forms in the future), that support the uCentral configuration schema. Devices contact a controller using the uCentral protocol.
The communication between the controller and the devices use the uCentral protocol. This protocol is defined in this document.
A device is configured by ingesting a uCentral configuration. That configuration will be provided by the SDK Gateway as a result of a command through the API. Command processing occurs when the device's configuration is older than what is known in the SDK Gateway. The uCentral schema is a JSON document containing parameters to set on a particular device.
In order to speak to the Gateway, you must implement a client that uses the OpenAPI definition for the gateway. You can find its definition here. You cannot talk to a device directly.
serialNumber
Throughout the API, the serialNumber
of the device is used as the key. The serialNumber
is actual the MAC address of the device, without its :
. The serialNumber
is guaranteed to be unique worldwide. The device uses its serial number to identify itself to the controller.
The configuration can be supplied when the device is created. After the device is created, the only way to modify the configuration is by using the /device/{serialNumber}/configure
endpoint. The Gateway maintains the versioning of the configuration through the use of a uuid
. The Gateway maintains that number and will ignore anything your supply. The controller also does minimum validation on the configuration: it must be a valid JSON document and must have a uuid
field which will be ignored.
Device capabilities are uploaded to the Gateway when the device performs its initial connection. Capabilities tell the Gateway what the device is able to support. The Gateway uses this information to provide a configuration matched to the device type.
The Gateway will send commands to the devices. These commands are kept in a table and are sent at the appropriate time or immediately when the device connects.
For example, you could ask a device to change its configuration, however it might be unreachable. Upon next device connection, this configure command will be sent. The list of commands is retrieved using the /commands
endpoint.
Several commands maybe sent to a device: reboot, configure, factory reset, firmware upgrade, LEDs, trace, message request, etc. The API endpoint /device/{serialNumber}/{command}
details all the available commands.
For each device, a number of collections are collected and kept in the database. Here's a brief list:
logs
: device specific logs are kept. A device amy also send something it wants added into its own logs. crashlogs
are a special type of logs created after a device has had a hard crash.
statistics
: statistics about the device. This is current la JSON document and will be documented at a later date.
healthchecks
: periodically, a device will run a self-test and report its results. These includes anything that maybe going wrong with the current device configuration. A sanity
level is associated to the degree of health of the device. 100 meaning a properly operating device.
status
: tells you where the device is and how much data is used for protocol communication.
This API is meant for an operator who would have to help a subscriber in configuring devices, reboot, manage firmware, etc.
OpenWiFi 2.0
The most common use case for VLANs and Wi-Fi is likely the service provider, venue, enterprise where Wi-Fi traffic is not subject to address translation. This is the example that will be shown, however it is entirely possible to create multiple downstream VLANs with SSIDs as well. Simply replace the logic of upstream to downstream where desired.
In all cases the WAN port without VLAN id is using DHCP to obtain a management IP address. Each additional "upstream" role interface with an SSID associated have no IP configuration.
TIP OpenWiFi 2.0
When operators of enterprise or service provider networks seek to influence or control the allocation of dynamically assigned IP address, typically the network edge has been provisioned to encode information in DHCP Relay packets that help identify the access device through which a subscriber is attached, the logical sub-interface of that network edge or the subscriber directly.
TIP OpenWiFi supports DHCP Relay with encoding of client Circuit-Id information containing any of:
Interface
VLAN-Id
SSID
Encryption Mode
Device Name
Device Model
Device Location
Access Point MAC Address
Access Point MAC in Hex
Client MAC Address
Client MAC Address in Hex
TIP OpenWiFi Relay-Agent remote-id may be configured to contain any of the following:
VLAN-Id
SSID
AP-MAC
AP-MAC-Hex
Client MAC
Client MAC Hex
The remote-id originates from a configured IPv4 interface address.
In the above example, when the IPv4 downstream interface 192.168.1.1 has DHCP enabled for relay-server
a DHCP relay process associates to the IP interface of the subnet. When DHCP DISCOVER packets arrive as broadcasts, they will be copied to a unicast packet from the 192.168.1.1
interface as the relay-id
source address and unicast forwarded to the defined relay-server
address. Additional parameters are encoded for inspection at the DHCP server as present in circuit-id
-format and remote-id
-format options.
OpenWiFi 2.0 SDK
Firmware management service integrates across all OpenWiFi Gateways deployed in a cluster enabling updates to running firmware either from the latest published version, or any other released version.
Firmware dashboard provides a single view for overall health of deployed device firmware. Latest firmware charts, device firmware version distribution, distribution of device by type and current connected devices.
From the Devices table, any device with a newer firmware published by TIP OpenWiFi is indicated with a yellow icon. Selecting this icon presents the option to upgrade to latest or specify which firmware to use.
When the upgrade has been sent successfully, a green Success dialog will display in the upper right on the screen. Devices with latest firmware version will show a green firmware icon in the Devices row.
Viewing the contents of Firmware Management Service is available from the left navigation, select Firmware.
Once in Firmware, it is possible to search by device model for all known firmware revisions.
If in the Device Table reference above, instead of selecting Upgrade to Latest, the specific URI location of any available firmware is found using the Firmware table.
Selecting Details will present information for any firmware row, including the URI which may be copied into the Choose Custom Firmware dialog prompt accordingly.
OpenWiFi 2.0
Creating logical bridges may be done through association to named "interfaces". To associate a logical SSID interface directly to the WAN, place SSID configuration within the interface have a "role" of upstream.
TIP OpenWiFi 2.0
Several metrics are reported during intervals to the OpenWiFi Gateway. In general metrics contain traffic counters, neighbor tables, discovered clients.
Each OpenWiFi device is capable of sending statistics on SSID, LLDP, and associated Clients learned by the device.
Additionally, OpenWiFi devices expose all 802.11 management data within wifi-frames and to assist network troubleshooting and client fingerprinting solutions OpenWiFi provides dhcp-snooping for all possible client exchanges over DHCP and DHCPv6.
The metrics data is sent to OpenWiFi Gateway at the intervals set where configurable.
Metrics must be associated with the interfaces they are to report on. For example, to send DHCP data from LAN to OpenWiFi Gateway, the following configuration would apply.
TIP OpenWiFi 2.0
OpenWiFi devices have global services that operate either independently system wide or as an association to a physical or logical interface.
Within the "services" configuration block, define the operating mode for each service, then associate a service with an interface.
Secure shell may optionally be enabled on OpenWiFi devices, associated to specific interface(s), and optionally support operator defined keys or password authentication.
For production deployments, it is recommended to assign operator SSH key from the OpenWiFi Provisioning configuration of the Venue or Entity which the device associates.
In this way, an operator may ensure their standard SSH key is delivered to all devices on a network operating region basis. All keys remain base64 encoded when added to the device.
Network time protocol for OpenWiFi devices may be configured to listen for time synchronization from NTP sources and may also be configured to supply NTP source.
Link Layer Discovery Protocol describes interfaces and capabilities between directly attached neighbors over Layer 2.
Associate "lldp" as a services attribute to any interface.
To assist in device or service discovery over smaller networks, multicast DNS (mDNS) protocol if often used. In an mDNS environment there is no local name server for resources to leverage. mDNS zero-configuration service effectively behaves as unicast Domain Name Service (DNS).
Associate "mdns" as a services attribute to any interface.
Remote syslog systems may be configured to receive device logs in a central location. This content is standard device log and not related to telemetry for metrics and service information received by the OpenWiFi Gateway. Valid port range is from 100 - 65535 with operation over UDP or TCP.
Associate "log" as a services attribute to appropriate interface.
When enabled the OpenWiFi device will process IGMP Proxy.
Associate "igmp" as a services attribute to any interface participating in IGMP Proxy.
Kafka integration with ELK
The following pipeline is used to leverage Kafka messages being emitted from OpenWiFi 2.0 for ELK (Elastic Logstash Kibana) stack integration :
TIP OpenWiFi project has deployed an ELK stack for community members to access .
The key for this integration is to use a plugin that enables Kafka to be used as an input for Logstash. This plugin can be found . Once installed then Logstash can be configured to listen to the input source of the Kafka broker that is deployed as part of OpenWiFi SDK 2.0 release and its appropriate topics. Here is a Logstash configuration.
It is important to note that Logstash provides the ability to transform messages which then can be pushed to Elasticsearch for storage with effective indexing. Finally Kibana is used to create visualization such as this:
OpenWiFi 2.0 Telemetry and Analysis
TIP OpenWiFi software stack is envisioned to have a rich telemetry data that can be extracted, transformed and stored for analytics purposes. This section will outline various integration using the current capabilities of the OpenWiFi release. These integrations will provide examples for the community to enrich, adopt and productize.
The current release of OpenWiFi utilizes both a rich open API and Kafka for retrieving telemetry information from Access Points and SDK services. For the purpose of this section and Release 2.0 we will be showcasing Kafka integration with third party monitoring subsystems.
The current release of 2.0 SDK architecture contains a Kafka broker for the purposes inter-services communication, state, healthcheck, device provisioning state producing and consuming Kafka topics. You can find the latest information related to Kafka topics here:
The current Kafka topics used for this monitoring integration are:
state
healthcheck
All Kafka messages carry a JSON payload, example of a healthcheck message is as follow:
A state Kafka message looks like:
The following will be used to store necessary files for integration examples for monitoring.
TIP OpenWiFi 2.0
OpenWiFi devices have a number of features that may be configured.
The following pages guide the user to understanding each of these features individually including example configuration information.
OpenWiFi 2.0
Creating a NAT Gateway is easily done via association to an interface having a role of "downstream".
Based on the above Dual SSID NAT configuration, a unique 2GHz and 5GHz SSID are created and logically bound to the same NAT LAN side network.
The NAT service is inherited by the downstream role with DHCP addressing defined according to the range set within the downstream "ipv4" configuration.
TIP OpenWiFi 2.0
OpenWiFi 2.0 supports Generic Routing Encapsulation as an available "tunnel" protocol type.
This makes it possible to configure GRE for multiple types of deployments as any interface may be encapsulated by the "tunnel" parameter.
For example, to send all content of a specific SSID over an GRE tunnel, the following configuration would apply.
In the above example, the WAN untagged port will request DHCP in addition to present a VLAN interface with id 20 that both initiates the GRE tunnel as well as passes SSID traffic over that tunnel. Optionally the GRE tunnel itself may also carry a VLAN encapsulated payload. In the above example a WAN presentation of VLAN interface 20 has GRE tunnel. Within the GRE tunnel on WAN interface of VLAN 20 is a GRE payload with VLAN 30 in the payload header.
OpenWiFi 2.0
OpenWiFi Mesh has been designed to eliminate configuration complexity while also remaining capable of advanced topology designs including Multi-Gateway, Multi-SSID, VLAN, and Zero Touch Mesh onboarding.
The physical wired interface(s) to participate in the mesh topology egress are defined with the protocol "mesh".
The logical wireless interface(s) to participate in mesh topology are defined by their bss-mode set to "mesh".
In this basic mesh, dual SSIDs are configured for clients while an SSID for mesh transit is configured for IEEE802.11s client associations. Additional mesh clients simply use the same approach, no other configuration is required for the client to participate in this mesh.
Advanced examples with VLANs and roaming are all possible by adding additional configuration steps.
TIP OpenWiFi 2.0
VXLAN’s goal is allowing dynamic large scale isolated virtual L2 networks to be created for virtualized and multi-tenant environments. It does this by encapsulating Ethernet frames in VXLAN packets which when deployed in Wi-Fi topologies can create highly extensible Layer 2 inter-network domains over large campus, MDU, venue service networks.
VxLAN header uses a 24-bit VNID as a unique layer 2 forwarding domain value. VxLAN maintains layer 2 isolation between the forwarding domains and does not leak MAC addresses into upstream switches. Through the use of 24 bits in VNID VxLAN scales up to 16 million unique LAN forwarding domains.
The VXLAN encapsulation method is IP based and provides for a virtual L2 network. With VXLAN the full Ethernet Frame (with the exception of the Frame Check Sequence: FCS) is carried as the payload of a UDP packet. VXLAN utilizes a 24-bit VXLAN header, to identify virtual networks. This header provides for up to 16 million virtual L2 networks.
Frame encapsulation is done by an entity known as a VxLAN Tunnel Endpoint (VTEP.) A VTEP has two logical interfaces: an uplink and a downlink. The uplink is responsible for receiving VxLAN frames and acts as a tunnel endpoint with an IP address used for routing VxLAN encapsulated frames.
The VTEP in a TIP OpenWiFi device would be a management interface or designated uplink port(s). VTEP in an AP would be the AP WAN interface, or otherwise designated management interface (such as sub-interface on bridge wan).
In a traditional L2 switch a behavior known as flood and learn is used for unknown destinations (i.e. a MAC not stored in the MAC table). This means that if there is a miss when looking up the MAC the frame is flooded out all ports except the one on which it was received. When a response is sent the MAC is then learned and written to the table.
The next frame for the same MAC will not incur a miss because the table will reflect the port it exists on. VXLAN preserves this behavior over an IP network using IP multicast groups.
OpenWiFi device will establish a VTEP adjacency to the upstream switch. It is anticipated that any Wi-Fi networks in a VxLAN topology are associated to "upstream" interface(s).
The following example creates a VxLAN endpoint from a WAN upstream port that will participate in VLAN 100, encapsulate this into VxLAN where it may be distributed across the campus or venue transparently.
TIP OpenWiFi 2.0
When an external access controller, such as a captive portal appliance or a Universal Access Method (UAM) redirector is required to handle subscriber login, OpenWiFi optionally supports builds that include use of CoovaChili. This would be found in build profile chilli-redirect.yml.
To configure a CoovaChilli service, OpenWiFi supports the "third-party"
schema definition.
Through the use of third-party, many configurations are possible, for external captive portal, third-party will process a services lookup of "chilli-redirect"
applied to an interface.
Within "third-party"
will be the necessary CoovaChilli configuration parameters.
Associate to an interface:
In the above example, captive portal redirection occurs via a NAT interface on LAN side or "downstream"
role.
When a direct to WAN presentation, or bridge mode operation is desired, associate the service to the "upstream"
interface.
Associate to an interface:
TIP OpenWiFi 2.0
OpenWiFi supports multiple models for Captive Portal. A built-in captive portal is described below. With multiple overlay tunnel services such as GRE and L2TP in addition to VLAN features, OpenWiFi is also easily deployed with any number of Captive Portal appliance solutions in either in-band or out-of-band style deployments.
Creating a local captive portal involves associating the "captive" service with an interface. In the example below, "captive" is enabled on a downstream role interface. Any associated SSID on LAN side of this Access Point will be subject to configuration of the local captive portal. This would also apply to LAN interfaces if also associated with "captive".
Local captive portal will redirect to a default landing page and display the name as configured in "gateway-name". Per associated user bandwidth and usage quota limits and total association limits may all be defined.
TIP OpenWiFi 2.0
In many deployment scenarios, user authentication is centralized with RADIUS systems. In addition, users may have association to their own networks or private networks. A common approach for this is to dynamically assign VLANs to Wi-Fi subscribers as they join the OpenWiFi network.
To configure Dynamic VLANs with RADIUS, associate an SSID with RADIUS authentication, and associate the interface to "upstream" role as dynamic VLANs are most likely to be applicable across the service provider, venue, enterprise network.
OpenWiFi devices will determine a VLAN is associated to the authentication of a subscriber when the access-accept message returns the following attribute value pairs:
Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-Id = VLAN Id Number
Upon return of an access-accept from RADIUS, based on any method chosen for security, OpenWiFi will dynamically create a VLAN Id as described in Tunnel-Private-Group-Id, associated to the interface role, in this example upstream.
TIP OpenWiFi 2.0
Passpoint® brings seamless, automatic and secure Wi-Fi connectivity using either pre-provisioned credentials or the SIM card in a mobile device. Passpoint provides simple, fast online sign-up and provisioning that is only required upon a user’s first visit to a Passpoint network. Once a Passpoint enabled device contains the Wi-Fi AP or network credentials, it will discover and securely connect when the user is nearby—without requiring additional user action. This makes staying connected while mobile infinitely easier, and because Passpoint employs enterprise-level security, users can feel confident their data is better protected.
Passpoint® also delivers more value to carriers, service providers, and IT managers of enterprise networks, enabling:
Mobile data offload
Wi-Fi networks for
Hospitality, venues and enterprise
Streamlined, enterprise-class device provisioning and credential management for enterprise and other private networks
Wi-Fi–based services such as Wi-Fi calling, and collaboration tools
Wi-Fi roaming agreements across carriers and service providers
Opportunities to engage users and extract additional value from the network
Passpoint® is already supported by most enterprise-class APs on the market today, and natively supported by major mobile operating systems including Android, iOS, macOS, and Windows 10. With active support from a wide ecosystem of device manufacturers, mobile operators, and service providers, Passpoint® benefits both users and Wi-Fi network providers
TIP OpenWiFi 2.0
When authenticating clients with back office RADIUS systems, the configuration of OpenWiFi permits this on a per SSID basis.
Many parameters are possible with RADIUS authentications given the many methods in use worldwide. Many of the EAP methods have configuration options described below.
RADIUS Attribute
Description
nas-identifier
Unique NAS Id used with RADIUS server
chargeable-user-id
Chargeable User Entity per RFC4372
local
Local RADIUS within AP device
server-identity
users - Local EAP users based on username, PreShared Key and VLAN id
authentication
RADIUS server
host IP address
port ( example 1812)
secret ( Shared secret with RADIUS server )
Additional methods within Access-Request
request-attribute ( id of RADIUS server )
id ( numeric value of RADIUS server )
value
Any sub-value defined as integer RADIUS attribute value
accounting
RADIUS server
host IP address
port ( example 1813)
secret ( Shared secret with RADIUS server )
Additional methods within Access-Request sent in Accounting
request-attribute ( id of RADIUS server )
id ( numeric value of RADIUS server )
value
Any sub-value defined as integer RADIUS attribute value
accounting
interval ( Interim accounting interval defined in seconds )
TIP OpenWiFi 2.0
Ahead of the Provisioning service coming in release 2.1 sprint, it is possible to configure all Passpoint attributes as OpenWiFi has tested in prior OpenWiFi releases.
Capabilities for Hotspot 2.0 / Passpoint® include:
venue-name
venue-group
venue-type
venue-url
auth-type
domain-name
nai-realm
osen
anqp-domain
anqp-3gpp-cell-net
firendly-name
icons
TIP OpenWiFi 2.0
TIP OpenWiFi devices implement support for both the air interface and systems interfaces necessary to support Passpoint® Release 2 and above. Once also termed Hotspot 2.0, IEEE 802.11u specified added air interface fields exposing Access Network Query Protocol interactions for clients to discovery Access Point capabilities.
Wi-Fi Alliance expanded ANQP to include Online Signup (OSU) concepts to leverage seamless onboarding and client security for Passpoint® networks. Following on from these efforts, Wireless Broadband Alliance has provided the necessary system interfaces for identity, security, mobile offload within a common federated operator solution known as OpenRoaming.
TIP OpenWiFi enables operators to deploy the full range of Passpoint® and OpenRoaming solutions.
Term
Description
Operator
Wi-Fi Infrastructure Operator
Access Network Provider (ANP) as defined by OpenRoaming
Venue
Deployed location of Wi-Fi service
Identity Provider
Subscriber authenticating service provider
Home Service Provider (HSP) as defined by OpenRoaming
Roaming Exchange
Operator and Identity Provider Authentication, Authorization, Accounting
ANQP
Access Network Query Protocol contains:
Domain
Venue Name
Venue Info
Operator Friendly Name
IP Type
WAN Metric
Connection Capability
Operating Class
Authentication Type
Service Providers List
GAS
Generic Advertisement Layer 2 Service for client query
Client query returns:
Organization Identifier / Service Provider Identity
Domain
Authentication
Roaming Consortium List
Network Access Identifier Realm (NAI)
3GPP Network Data
OSU
Online Signup - Advertised over ANQP contains:
OSU SSID
OSU URI
OSU Method
OSU Available Icons
OSU ESS (OSEN) SSID
OSU Description
OSEN
OSU Server Authenticated Layer 2 Encryption Network
OpenWiFi 2.0
Wireless Distribution System (WDS) supports an Access Point, Station and Repeater mode of operation. OpenWiFi 2.0 supports all three.
In the below example, the LAN side of the Access Point at the top of the topology will be wirelessly bridged to the LAN side of the Access Point Station at the bottom of the topology.
In this configuration, LAN clients of the WDS Station AP receive IP addresses from the WDS Access Point AP from its LAN side DHCP service, via WDS link at 5GHz.
TIP OpenWiFi 2.0
Content coming soon...
OpenWiFi 2.1
Configuring port speed and operation is most commonly done with PoE access switches however the same configurations are possible for all OpenWiFi device types.
By default all ports attempt 1,000 Mb/s full duplex operation.
TIP OpenWiFi 2.0
Passpoint® requires ANQP to supply three information elements from the Access Point.
Public Land Mobile Network Id is defined by 3GPP and comprised of two, three digit numbers to uniquely identify the Mobile Network Operator (MNO).
A Fully Qualified Domain Name (FQDN) is a realm representing the service provider of the Wi-Fi service. Non MNO operators are an example of 'realm-based' service advertisements. Examples include Cable MSOs, Enterprises or other on MNO providers. Authentication methods used with realm-based configuration are EAP-TLS and EAP-TTLS.
Organization Id or as defined by Wireless Broadband Alliance, Roaming Consortium Organization Id indicate the federated identity capable of authentication. Examples would be OpenRoaming, Eduroam and follow the Passpoint® EAP authentication methods.
TIP OpenWiFi 2.0
Switching Features Remain Under Test
TIP OpenWiFi use of the OpenWrt operating system combined with new virtual data plane present in all images for 2.0 major release and the uCentral data model make it possible to include PoE access switching as a cloud managed component of the OpenWiFi stack.
Nightly builds include supported switch platforms.
Currently the list of features for switching include:
IEEE 802.1Q VLAN
Port based Untagged
Tagged trunk
IEEE 802.1ad Q-inQ
VxLAN
PoE Auto Power
Port Mirroring / Monitor
Link Aggregation
Link Layer Discovery Protocol
Port Speed Control
All ports needs to be specified for link negotiation to occur. In the below example, the "ethernet" section defines the physical port. The "interfaces" configuration will cause the physical port to negotiate. Effectively removal of a "select-ports" for a physical port in any or all "interfaces" is the equivalent of an interface in shutdown state.
Without any "interfaces" defined, the ifconfig on the switch will return eth0, lan1, lo as an output. When adding "interfaces" additional ports become active and also visible.
Vlan-Id 30 has been assigned to interfaces 7 and 8 on the switch. Traffic is isolated among participating ports.
To define additional VLAN memberships to any port, create additional "interfaces" configuration.
TIP OpenWiFi 2.0
Layer 2 Tunneling Protocol may be associated to any interface using the "tunnel" configuration option.
This makes it possible to configure L2TP for multiple types of deployments as any interface may be encapsulated by the "tunnel" parameter.
For example, to send all content of a specific SSID over an L2TP tunnel, the following configuration would apply.
TIP OpenWiFi 2.0
Multiple Pre Shared Key is a popular configuration option in Multi Dwelling Unit, dormitory or similar environment where it is costly to implement complex 802.1x security however that same level of per-client security is highly desired.
A SSID when configured for multi-psk can have multiple PSK/VID mappings. Each one of them can be bound to a specific MAC or be a wildcard.
Note: M-PSK passwords must be unique per vlan-id
as the device will attempt to match security key to assigned virtual lan. In the above example, a password of OpenWifi
will match the untagged interface of the SSID and unique password of "akey"
will match client(s) to virtual lan 100.
TIP OpenWiFi 2.0
Radio Resource Management and Self Organizing Network features in OpenWiFi 2.0 operate by default in local mode from the Access Point device without dependency on the cloud. Data and state related to client steering and roaming is also possible in co-operation with the cloud when so configured.
Metrics and telemetry are sent to the cloud as desired based on configuration however operation of 802.11k/v/r behavior and autonomous channel control are built in features of all OpenWiFi 2.0 Access Points.
OpenWiFi services feature "wifi-steering" determines the operating parameters of RRM on the Access Point.
When mode is set to local, the Access Point handles steering decisions autonomously with the surrounding OpenWifi devices. Which network association, in this case "upstream" will steering be operating on. Note in prior examples most service provider, venue, enterprise services operate on the WAN side upstream network of the Access Point.
Parameter
Value
mode: local
autonomous operation
network: upstream
performs roaming among SSIDs on upstream interfaces
assoc-steering
reject client association requests when the UE is subject to a steering event
required-snr
minimum signal in dBm a client will be permitted to remain connected
required-probe-snr
minimum signal level in dBm for management probes to be replied to
required-roam-snr
minimum signal level in dBm client roaming threshold
load-kick-threshold
minimum channel load as % available before clients are kicked
Each SSID to participate in roaming must have "services" : [ "wifi-steering" ] associated.
Additional fast roaming configuration is possible including setting message-exchange either to "air" or "ds" to determine pre authenticated message exchange occurs over the air or distribution system.
The generate-psk option generates FT response locally for PSK networks. This avoids use of PMK-R1 push/pull from other APs with FT-PSK networks.
Configuring domain-identifier sets Mobility Domain identifier (dot11FTMobilityDomainID, MDID) permitting segmentation of fast roaming RF topologies.
When pmk-r0-key-holder and pmk-r1-key-holder are left un-configured, the pairwise master key R0 and R1 will generate a deterministic key automatically for fast mobility domain exchange over the air.
To enable 80211k parameters, associate these on a participating SSID basis.
In addition to 802.11k features for neighbor reporting, fine timing measurement responder and stationary ap indication, OpenWiFi also supports LCI measurement, Civic Location subelement as well.
As part of "wifi-steering" feature, autonomous channel management algorithm may be enabled to establish a self organizing Wi-Fi network.
The auto-channel setting operates in co-ordination with other OpenWiFi Access Points by enumerating the newest AP in the network, then running neighbor and RF scans to determine the best channel of operation. Once the newest AP completes this process, the next AP is sequence will run the same algorithm for channel balancing until all APs in the network complete. The entire process may take up to 5 minutes the first time a network is powered on. The algorithm will re-run every 12 hours.
TIP OpenWiFi 2.0
Dynamic Air-Time Policy is a service to influence underlying co-ordination function of the Wi-Fi MAC domain per associated UE in terms of priority to use the air interface.
It is possible to govern certain application use cases such as streaming media or real time communications based on the resolution of those services through DNS.
This results in the UE, by its IP address having matched a specific fully qualified domain name or a wildcard therein, to having its air-time weighted priority to the value set in the weight parameter.
Note: In release 2.1, airtime-policies must be applied to SSIDs in a NAT configuration. Bridge / VLAN mode SSIDs with airtime-policies will be updated in a future release
Any application a user may commonly use the OpenWiFi administrator seeks to prioritize air-time for may be triggered via the airtime-policies.
For example:
Service
FQDN / URL
MS Teams
*.lync.com, *.teams.microsoft.com, teams.microsoft.com
Zoom
*.zoom.us
Any number of services may interest the administrator for airtime-policies. Simply determine the FQDN or wildcard FQDN applicable and update the OpenWiFi device configuration.
OpenWiFi 2.1
At home, in a cafe, or on the go, Express Wi-Fi gives you access to fast, affordable, and reliable internet so you can make connections that matter.
Express Wi-Fi partners with service providers to deliver great wi-fi to people when and where it's needed.
For information about becoming an expressWIFI partner please visit their site.
ExpressWiFi builds a captive portal experience using a control plane protocol called OpenFlow. Configuring OpenWiFi for use with expressWiFi is as simple as defining a downstream interface and associating with an SSID and the open-flow service.
Contact expressWiFi for appropriate CA, Client Cert, and Key for TLS Security mode in addition to the specific expressWiFi Controller FQDN. Ensure these values are Base64 encoded when passed into the configuration