Device and Cloud Certificates

TIP OpenWiFi program ensures unique identity of all devices, encryption of traffic to and from the management cloud, discovery of management cloud, and ability to change device to cloud service discovery. TIP model ensures worldwide Zero Touch Provisioning, unique identity of all device and cloud conversation with no vendor lock in.

TIP device and cloud partners in OpenWiFi are uniquely managed members within a division of the Telecom Infra Project CA within DigiCert.

Device Onboarding

TIP ODM partners have the ability to generate signed certificates from the TIP Root Certificate Authority. This is done during manufacture for any TIP SKU product using signed certificates.

Each ODM partner will use the Manufacturer name, device MAC address, and optionally a value for Redirector and Model of device when requesting a new certificate.

The Redirector value is what determines cloud discovery and may be empty for example if the devices being manufactured do not yet have a cloud service provider assigned, for example a retail distribution model. Alternatively the value of the Redirector may be set at the same time as the certificate generation occurs.

TIP provides an automated script to perform the device certificate request.

Cloud Onboarding

TIP Cloud partners have the ability to generate signed certificates for the cloud SDK.

Similar to device onboarding, TIP provides a script to automate this process. For the cloud components the Operator name and a Fully Qualified Domain Name of the cloud are sent with each cloud key request. In addition, local configuration files are set in the request script to generate certificates matched to the operating name of certain services such as the opensync-controller and the mqtt-broker.

Cloud Discovery

Each device on initial startup or when factory reset will connect to the Certificate Authority using its unique device credentials requesting its current 'cloud' value. This functions both as cloud discovery as well as redirector in the event the device owner wishes to change the cloud or cloud service provider relationship with their device.

Configuration without Internet Connection

In certain situations, a connection to the cloud or the root authority may not be possible. When this occurs, each TIP OpenWiFi Access Point device on factory boot presents an initial configuration Wi-Fi Management SSID called 'Maverick'. Connecting to Maverick presents a web page where updating WAN interface settings and the fully qualified domain name of the cloud may be entered.

When the device is a PoE Ethernet switch, a local management interface exists where the same configuration of cloud and WAN are possible.

Open Wi-Fi Access Point Partners

TIP members may contact the ODM manufacturers in the TIP OpenWiFi eco-system using the information posted within Community Confluence page.

There are two ways to get started with TIP OpenWiFi. For those interested in 'rolling their own' feel free to continue through the Cloud SDK Installation and related information to configure and consume the open source stack. Note you will need to join the TIP Open Converged Wireless PG for this.

Interested in getting started with a partner? Obtaining a TIP AP directly or via a partner is simple and these partners will help setup cloud trial environment with you.

Consuming the stack is exciting, and up to you how to integrate into a complete solution. Accessing the source code is free: Github

Understanding how to consume the project needs membership with the Telecom Infra Project Open Converged Wireless group: Join OCW Group

There is no fee to join, once you are approved, access to Confluence, JIRA, Slack will all be included in addition to the ability to check in and contribute code to the project.

Initial Lab Setup

Deploying the TIP OpenWiFi solution into a lab or into production is simple to do. Some basic pre-requisites should be satisfied before beginning.

Ensure the following are known before beginning installation:

• Fully Qualified Domain Name (FQDN) is available and configurable

• Internet Protocol (IP) subnet with Dynamic Host Configuration Protocol (DHCP) for access points is available

• Internet Protocol (IP) subnet with static addressing is available for Cloud SDK

• If using VLAN features of the access points, an IEEE 802.1q compliant Ethernet switch and VLAN topology are supported in your network

• Network traffic is permitted for the following ports from Access Points to Cloud SDK:

  • 80

  • 443

  • 1883

  • 6640

  • 6643

Cloud Discovery

All TIP Open Wi-Fi devices implement discovery of the cloud SDK through a Zero Touch Provisioning design based on the unique signed certificate present on each device.

Each device contacts the Certificate Authority (CA) using its certificate credentials to lookup the current value of the cloud SDK.

Once the configured cloud is returned from CA to the device, a connection is created to the cloud SDK where provisioning of the device will occur.

For more information on cloud discovery, devices and obtaining keys please proceed to the next section.

For questions on how to obtain keys or support related to certificates please contact: licensekeys@telecominfraproject.com

What is OpenWiFi?

TIP OpenWiFi is an open source community project that believes in democratizing premium Wi-Fi experiences for multiple market use cases. The TIP approach to OpenWiFi creates an open source disaggregated technology stack without any vendor lock in. OpenWiFi offers premium managed Wi-Fi features, local break-out design, cloud native open source controller, and an open source AP firmware operating system tested nightly.

TIP OpenWiFi is the industry's first CI/CD open source Wi-Fi eco-system. Built nightly with a strong community of Wi-Fi leaders, new features are unit tested in automated RF chambers and checked from cloud to ground for Wi-Fi performance and conformance.

High Level Features

Cloud SDK in OpenWiFi offers:

• Zero Touch Provisioning

• Firmware Management

• Integration Northbound Interface (NBI) RESTful

• Data model driven API

• Template based device provisioning with RADIUS profile management

• Advanced RF control with RRM

Each OpenWiFi AP offers:

• Multiple topologies including Bridging, Virtual LAN, NAT Gateway, Local Breakout, Overlay

• Multiple authentications WPA2, WPA3, Enterprise Radius models

• Passpoint® Release 2 and above

• Zero Touch Provisioning

• Captive Portal

OpenWiFi AP Detail List:

• Wi-Fi 4 (n) Wi-Fi 5 (ac) Wi-Fi 6 (ax)

• Dual Bank Bootloader

• Multi-SSID per Radio

• SSID Authentications: WPA/WPA2/WPA3 - Mixed, Personal, Enterprise

• Un-Authorized Device Control

• 802.1Q VLAN per SSID

• 802.1d Bridge Mode per SSID

• RADIUS Accounting, Interim-Accounting, NAS-IP, CUI

• Network Address Translation Gateway Mode Operation

• Network Time Protocol Client

• Management VLAN

• Wi-Fi 6 (ax) Specific

  • BSS Coloring

  • UL/DL OFDMA sub-carrier allocation

  • Channel Switch Announcement

• Wi-Fi General Features

  • WMM® - Wi-Fi Multi Media

    • UAPSD Procedures (Unscheduled Power Save)

    • Upstream/Downstream Queues & L3 DSCP

    • Over The Air QoS EDCH Procedures

  • WMM-Admission Control (AC)

  • WMM-Power Save (PS)

  • Wi-Fi Optimized Connectivity

    • (ai) Fast Initial Link Support

  • Wi-Fi Agile Multiband

    • (k) Client Radio Resource Management - Directed Steering

    • (v) Network Assisted Roaming

    • (r) Fast BSS Transition

  • Protected Management Frames (PMF)

    • (w) Management Frame Encryption

  • Channel Switch Announcement (CSA)

  • Dynamic Frequency Selection & Transmit Power Control (DFS/TPC)

  • Beacon Rate

  • Min Client Noise Immunity

  • Basic Rate Control

  • De-Auth RSSI Control

  • Burst Beacon Support

  • Per SSID Client Rate Limiting

  • Promiscuous Mode Support

• Additional TIP AP NOS Features

  • Embedded Captive Portal (Local Splash non-auth)

  • Link Layer Discovery Protocol (LLDP)

  • Airtime Fairness

  • Wireline & Wireless Tracing (PCAP Cloud Remote Troubleshooting)

  • Synthetic Client (Cloud Remote Troubleshooting)

  • Flight Recorder (Stack Remote Collection)

  • Local Provisioning over SSID (when Cloud or WAN down)

  • Multimedia Heuristics (Detection of Unified Communication Sessions)

  • SSID Rate Limiting

  • Inter-AP Communication (Client - Session Signalling)

  • Client / AP / Network Metric Telemetry (MQTT)

Cloud SDK additional features

• Provisioning

  • Device Identity (Model, MAC, Serial Number)

  • AP Software Upgrade

  • Profile Provisioning Templates

  • Multiple SSID Configuration

  • Bandwidth Rate Control per SSID

  • Multi-Radio 2.4/5GHz control

  • AP Network Mode Control (Bridge/NAT mode)

  • Basic Captive Portal (Local Splash Page admin from Controller)

  • Security (WPA2/WPA3 Personal/Enterprise Mixed)

  • VLAN per SSID

  • NTP Enable/Disable

  • RTLS (Location Services) Enable/Disable

• RF Control

  • Wi-Fi Agile Multiband

    • (k) Client Radio Resource Management - Directed Steering

    • (v) Network Assisted Roaming

    • (r) Fast BSS Transition

  • RRM Location AP Channel Table Provisioning

  • RRM Location AP Cell Size Table Provisioning

  • RRM Location Client Steering Threshold Table Provisioning

• Remote Troubleshooting and Service Assurance

  • Syslog

  • Synthetic Client

    • Remote DHCP, RADIUS, UE Network Analysis

  • Remote Shell

  • Remote Packet Capture Analysis

How to contribute

If you or your company are interested in contributing to TIP Open Wi-Fi, please join the Wi-Fi Product Group by visiting Telecom Infra Project to become a member.

Cloud Providers

Current Release 1.x OpenWiFi cloud partners can accelerate your deployment of TIP OpenWiFi.

OpenWiFi Cloud SDK may be deployed to both public and private cloud environments.

Helm charts support automated deployment of the Cloud SDK PODs and containers into AWS and MicroK8s Kubernetes platforms.

The following pages provide step-by-step instructions to deploy in public cloud (AWS) or private on-premises (MicroK8s) cloud.

Base System

MicroK8s deployment is available as part of Release 1.0 candidate. API services, database, message bus and ability to adjust Kubernetes POD performance parameters are all possible with this system which may be useful to the Community for local on premises installations.

A snap capable operating system is required for MicroK8s installation. TIP Controller has been installed on an Ubuntu 20 system with 32Gb memory, 500Gb disk and Gigabit Ethernet network interface with a user account tip created.

The system should have a fully qualified domain name and the deployment of TIP controller will require additional DNS records to be created.

Local /etc/hosts should contain the following DNS entires for your controller assigned to the IP address your machine is using to connect to the network. This same IP will be used when configuring metallb address in a subsequent step.

When accessing the UI from a workstation or when AP is connecting to the local controller the local DNS server will need to provide authoritative response for these A records in the wlan.local domain. In a future release of TIP Controller instructions will be provided to modify the FQDN of all Controller services.

DNS default entries for /etc/hosts

## 
# Replace with your IP address to be used with Load Balancer 
# Incoming Connections (It may be same as your system IP or may
# be another address on your network determiend for use between 
# TIP AP Clients and the TIP SDK) 
##
<IP Address> wlan-ui.wlan.local wlan-ui-graphql.wlan.local opensync-redirector.wlan.local opensync-controller.wlan.local opensync-mqtt-broker.wlan.local wlan-filestore.wlan.local

Install microk8s

sudo snap install microk8s --classic --channel=latest/stable

Set user permissions

sudo usermod -a -G microk8s $USER
sudo chown -f -R $USER ~/.kube

Setup MicroK8s

microk8s enable helm3 dns storage metallb

Begin Controller Setup

TIP Controller may be deployed with self-signed certificates for a local lab environment. The following steps will guide the reader through that process.

Install Keytool and Zip Packages

sudo apt install -y openjdk-11-jre-headless 
sudo apt install -y default-jdk
sudo apt install -y zip

Enable Firewall to permit Controller traffic from Container Network Interface

sudo ufw allow in on cni0 && sudo ufw allow out on cni0
sudo ufw default allow routed

Downloading TIP Controller Software

Obtain Controller PKI Certs Locally

git clone https://github.com/Telecominfraproject/wlan-pki-cert-scripts.git

Obtain Controller Locally

git clone https://github.com/Telecominfraproject/wlan-cloud-helm.git

From the current directory, two sub-directories now exist for wlan-pki-certs and wlan-cloud-helm. Enter the PKI directory and the configs sub-directory cd /wlan-pki-cert-scripts/configs

Modify all certificate configuration files for the value of your organizationalUnitName_default value set to your organizational name or other string value used in each of the PKI certificate files. Optionally this may be left unchanged.

Within the following files, ensure the FQDN (Fully Qualified Domain Name) based on local setup for DNS aligns accordingly. The following files are updated per:

• mqtt-server.cnf

  commonName_default = opensync-mqtt-broker.FQDN

• openssl-server.cnf

  DNS.1 = opensync-redirector.FQDN

  DNS.2 = opensync-controller.FQDN

Once complete generate the service certificates and copy these to the controller.

cd wlan-pki-cert-scripts 
./generate_all.sh 
./copy-certs-to-helm.sh ~/wlan-cloud-helm/

Deploy Controller

TIP controller defaults to a domain of wlan.local. It is possible to operate a lab DNS service permitting local resolution of this domain for the TIP controller services. Certificate instructions for a self-signed private domain will follow in a subsequent release of service and documentation.

cd ~/wlan-cloud-helm
git checkout release/v1.0.0
microk8s helm3 dependency update tip-wlan
microk8s kubectl create namespace tip
microk8s helm3 upgrade --install tip-wlan tip-wlan/ --namespace tip -f tip-wlan/example-values/microk8s-basic/values.yaml

Helm will deploy the Controller containers within a TIP namespace to microk8s on the machine.

Release "tip-wlan" does not exist. Installing it now.
NAME: tip-wlan
LAST DEPLOYED: Wed Feb  3 20:45:13 2021
NAMESPACE: tip
STATUS: deployed
REVISION: 1
TEST SUITE: NoneCheck Controller Status

To check status of the PODs, Services, and Persistent Volume Claims (storage) use the following commands. Please note, depending on your server, all PODs may take several minutes to fully initialize.

microk8s kubectl get services -n tip
microk8s kubectl get pvc -n tip
microk8s kubectl get pods -n tip

Examples of all three commands:

tip@microk8slocal:~$ microk8s kubectl get svc -n tip
NAME                                TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                       AGE
tip-wlan-postgresql-headless        ClusterIP      None             <none>        5432/TCP                                                      47h
tip-wlan-kafka-headless             ClusterIP      None             <none>        9093/TCP                                                      47h
tip-wlan-cassandra-headless         ClusterIP      None             <none>        7000/TCP,7001/TCP,7199/TCP,9042/TCP,9160/TCP                  47h
tip-wlan-zookeeper-headless         ClusterIP      None             <none>        2181/TCP,3888/TCP,2888/TCP                                    47h
tip-wlan-postgresql-read            ClusterIP      10.152.183.145   <none>        5432/TCP                                                      47h
tip-wlan-cassandra                  ClusterIP      10.152.183.31    <none>        9042/TCP,9160/TCP                                             47h
tip-wlan-zookeeper                  ClusterIP      10.152.183.75    <none>        2181/TCP                                                      47h
tip-wlan-wlan-cloud-static-portal   NodePort       10.152.183.7     <none>        80:32186/TCP                                                  47h
tip-wlan-wlan-cloud-graphql-gw      NodePort       10.152.183.117   <none>        4000:30223/TCP                                                47h
tip-wlan-kafka                      ClusterIP      10.152.183.42    <none>        9093/TCP                                                      47h
tip-wlan-wlan-spc-service           ClusterIP      10.152.183.165   <none>        9041/TCP,9042/TCP                                             47h
tip-wlan-postgresql                 ClusterIP      10.152.183.216   <none>        5432/TCP                                                      47h
tip-wlan-nginx-ingress-controller   LoadBalancer   10.152.183.232   10.75.0.9     80:32101/TCP,443:31122/TCP                                    47h
tip-wlan-wlan-ssc-service           ClusterIP      10.152.183.189   <none>        9031/TCP,9032/TCP                                             47h
tip-wlan-wlan-prov-service          ClusterIP      10.152.183.160   <none>        9091/TCP,9092/TCP                                             47h
tip-wlan-opensync-mqtt-broker       LoadBalancer   10.152.183.32    10.75.0.9     1883:31511/TCP,9001:32046/TCP                                 47h
tip-wlan-wlan-portal-service        LoadBalancer   10.152.183.246   10.75.0.9     9051:30504/TCP,9052:31817/TCP                                 47h
tip-wlan-opensync-gw-cloud          LoadBalancer   10.152.183.97    10.75.0.9     6640:31000/TCP,6643:31932/TCP,9096:30749/TCP,9097:31793/TCP   47h
tip@microk8slocal:~$

tip@microk8slocal:~$ microk8s kubectl get pvc -n tip
NAME                                             STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS        AGE
datadir-tip-wlan-kafka-0                         Bound    pvc-df6a471f-6a79-4a60-8e83-6c89326b6152   1Gi        RWO            microk8s-hostpath   4d2h
data-tip-wlan-zookeeper-0                        Bound    pvc-d139d789-123c-41e4-a299-2c1dc001a044   1Gi        RWO            microk8s-hostpath   4d2h
data-tip-wlan-opensync-mqtt-broker-0             Bound    pvc-d31682b7-db86-4022-8079-2acb3689ef68   1Gi        RWO            microk8s-hostpath   4d2h
data-tip-wlan-postgresql-master-0                Bound    pvc-127bc86a-acc1-420c-8cca-d3d619615cba   1Gi        RWO            microk8s-hostpath   4d2h
data-tip-wlan-postgresql-slave-0                 Bound    pvc-f000dbd6-dcd7-4fd1-8dfb-056475e4b9dc   1Gi        RWO            microk8s-hostpath   4d2h
db-tip-wlan-opensync-mqtt-broker-0               Bound    pvc-9d6c25ce-0712-4660-ad3e-cdc4ce41bdf7   1Gi        RWO            microk8s-hostpath   4d2h
data-tip-wlan-cassandra-0                        Bound    pvc-645ae94f-36e7-4fe3-a093-c66c56e82092   1Gi        RWO            microk8s-hostpath   4d2h
file-store-data-tip-wlan-wlan-portal-service-0   Bound    pvc-530ed2bf-b120-4eee-b6d5-0d7cdd468d2b   4Gi        RWX            microk8s-hostpath   4d2h
tip@microk8slocal:~$ tip@microk8slocal:~

$ microk8s kubectl get pods -n tip
NAME                                                 READY   STATUS    RESTARTS   AGE
tip-wlan-kafka-0                                     0/1     Pending   0          4d1h
tip-wlan-wlan-cloud-static-portal-bdfcb4559-9wt9r    0/1     Pending   0          4d1h
tip-wlan-wlan-spc-service-68cffddd96-prppd           0/1     Pending   0          4d1h
tip-wlan-wlan-ssc-service-66dbdd89f4-rhfxv           0/1     Pending   0          4d1h
tip-wlan-nginx-ingress-controller-7458d6f654-cwnw6   0/1     Pending   0          4d1h
tip-wlan-postgresql-slave-0                          0/1     Pending   0          4d1h
tip-wlan-opensync-gw-cloud-7b69865fcc-8fzbw          0/1     Pending   0          4d1h
tip-wlan-wlan-cloud-graphql-gw-bc897994b-gpf8b       1/1     Running   0          4d1h
tip-wlan-cassandra-0                                 0/1     Pending   0          4d1h
tip-wlan-opensync-mqtt-broker-0                      1/1     Running   0          4d1h
tip-wlan-zookeeper-0                                 1/1     Running   0          4d1h
tip-wlan-postgresql-master-0                         1/1     Running   0          4d1h
tip-wlan-wlan-portal-service-0                       1/1     Running   0          4d1h
tip-wlan-wlan-prov-service-84fc7bfc5f-xqjgx          1/1     Running   0          4d1h
tip@microk8slocal:~$

Access Point Self-Signed Keys

In the earlier stage when self-signed keys were created for the controller, keys were also created to support Access Point connections over SSL to the newly deployed controller. To obtain these keys, return to the /wlan-pki-cert-scripts/generated folder and copy AP.zip containing the Access Point keys. Extract this archive and using sing secure copy (SCP) transfer keys to the /usr/opensync/certs folder on the AP.

Directing Access Point To Controller

In the current release of a TIP Controller using self-signed certificates, Access Points communicate to the TIP Controller using OpenSync. Access Points are directed to the controller at this time using local configuration.

The default TIP Open AP username and login are 'root' and 'openwifi'

/bin/wlan_ap_redirector.sh ssl:<IP or FQDN of controller>:6643

Prerequisites

The following must be available to start this installation:

• AWS Account

• AWS Route 53 Hosted Zone

The steps outlined in this guide will create a local installation of the Terraform automation environment that will also depend on the AWS command line interface, Helm and Kubectl local command line packages.

Each of these applications provide detailed instructions for installation on multiple client operating systems.

• Install Kubectl https://kubernetes.io/docs/tasks/tools/install-kubectl/

• Install Helm https://helm.sh/docs/intro/install/

• Install AWS CLI https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html

• Install Terraform https://learn.hashicorp.com/tutorials/terraform/install-cli#install-terraform

Example Local Prerequisites Installation on MAC OS

If the instructions for Terraform were followed, a Docker container was locally created, nginx was run with a default localhost:80 nginx returned web page displayed. After which 'terraform destroy' was run to remove the local test of Terraform.

If the instructions for AWS CLI were followed, AWS CLI version 2 has been installed. This may be verified using the command which aws and aws --version. If these succeed installation of AWS CLI has completed.

If the instructions for Helm were followed, Helm has now been locally installed. This may be verified using the command which helm and helm version. If these succeed installation of Helm has completed.

If the instructions for Kubectl were followed, Kubectl has not been locally installed. This may be verified using the command which kubectl and kubectl version --client. If these succeed installation of Kubectl has completed.

Access to AWS should have been satisfied with an AWS account as noted in Prerequisites. This account is entitled with Administrator level permissions. For information on this process please refer to: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html

Controller Installation

Create a workspace on your local system and clone in the TIP Controller project.

git clone https://github.com/Telecominfraproject/wlan-cloud-helm/
### A merge of final AWS deployments is pending. 
### At this time, switch to the following branch
git checkout cloudsdk-aws-deployment
cd /terraform/aws-cloudsdk

Create a Terraform file in the aws-cloudsdk directory named aws.tfadding the following to that new file:

provider "aws" {
        region = "Replace with your preferred AWS region here"
}

If a specific authentication method previously exists depending on your local machine environment when connecting to AWS, adjustments may be required. Please consult Terraform instructions accordingly: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication

Initialize Terraform

Terraform will use the initial configuration of your environment variables from the previous step when communicating with AWS. Prior to initializing Terraform, ensure authentication is successful.

terraform init

### Several emitted lines will occur.
### When succesful the following will display:

Terraform has been successfully initialized!

Adjusting to AWS Environment

Within the /wlan-cloud-helm/terraform/aws-cloudsdk directory, copy the terraform.tfvars.sample file to terraform.tfvars and edit the content of the new terraform.tfvars replacing parameter values for cidr and route53_zone_name accordingly:

name = "cloudsdk"
cidr = "Enter a valid CIDR Range of your AWS VPC"
route53_zone_name = "Enter a valid Route53 Hosted-Zone"
subdomain = "cloudsdk"

Once these steps have been completed, it is now possible to deploy the TIP Controller to AWS.

terraform apply

If Terraform is able to connect and authenticate to AWS, a prompt to accept the creation of the deployment is presented. Answer yes to proceed. Terraform will execute for 10-15 minutes during which time the following are being configured:

• EKS cluster with three nodes where CloudSDK will run on

• VPC for the EKS cluster

• ACM that will sign the certificate for the public HTTPS services exposed by CloudSDK

• Route53 record to let ACM know that you own the domain

• external-dns that will take care of creating DNS entries for all CloudSDK components

• aws-load-balancer-controller which will take care of exposing CloudSDK components to the public

• Required IAM roles for all components

Terraform Results

When Terraform completes the following should have emitted:

Apply complete! Resources: 57 added, 0 changed, 0 destroyed.

Outputs:

acm_arn = "arn:aws:acm:ca-central-1:1xxxxxxx68:certificate/7e3xxxx7-74xx-4xxx-8bef-d6xxxxxx5a3"

Deploy TIP Controller

TIP Controller services use SSL certificates to ensure inter-service security. These certificates must be generated. To generate TIP Controller certificates, navigate out of the tip-wlan-cloud directory to a directory where cloning the TIP PKI repository may occur:

git clone https://github.com/Telecominfraproject/wlan-pki-cert-scripts.git

Enter the PKI directory and the configs sub-directory cd /wlan-pki-cert-scripts/configs

Modify all certificate configuration files for the value of your organizationalUnitName_default value set to your organizational name or other string value used in each of the PKI certificate files. Optionally this may be left unchanged.

Within the following files, ensure the FQDN (Fully Qualified Domain Name) based on the Terraform setup for Route53 hosted-zone aligns accordingly. If the defaults were not changed Terraform will have created a sub-domain cloudsdk within the supplied Route53 hosted-zone. The following files are updated per:

• mqtt-server.cnf

  commonName_default = opensync-mqtt-broker.cloudsdk.route53hosted-zone_name

• openssl-server.cnf

  DNS.1 = opensync-redirector.cloudsdk.route53hosted-zone_name

  DNS.2 = opensync-controller.cloudsdk.route53hosted-zone_name

To generate keys, ensure necessary Java resources are installed for your operating system:

• openjdk-11-jre-headless

• default-jdk

From within the wlan-pki-cert-scripts folder execute ./generate_all.sh script.

Copy the generated keys assuming the wlan-cloud-helm folder is at the same level as the wlan-pki-certs folder per: ./copy-certs-to-helm.sh ~/wlan-cloud-helm/

Satisfy Cloud Deployment Charts

Certain TIP Charts have upstream dependencies, form the wlan-cloud-helm folder execute:

helm dependency update tip-wlan

Various Bitnami charts will be brought into the deployment such as Kafka, PostGres, Cassandra.

Localizing the Helm charts for AWS is a critical step. Editing the following file

             `tip-wlan/example-values/aws-basic/values.yml`

Key variables to replace in this file are:

• alb.ingress.kubernetes.io/certificate-arn: "Enter the ARN supplied during terraform output"

• All locations with a URL or FQDN align to your AWS environment such as:

  • external-dns.alpha.kubernetes.io/hostname: wlan-filestore.cloudsdk.route53hosted-zone

  • ovsdb: opensync-controller.cloudsdk.route53hostedzone

  • mqtt: opensync-mqtt-broker.cloudsdk.route53hostedzone

  • All occurrences of a URL or FQDN within this file replacing route53hostedzone with your deployed Route53 hosted zone name

Deploy Controller to AWS

Local Kubeconfig is associated to the AWS service to enable Helm control of EKS resources by entering the following:

aws eks update-kubeconfig --region $your_aws_region --name cloudsdk

With all dependencies met, certificates created and in place, using Helm and the authenticated session to AWS, execute the following:

helm upgrade --install cloudsdk tip-wlan -f tip-wlan/example-values/aws-basic/values.yml --namespace tip --create-namespace

If a connection error occurs, AWS CLI may need to re-authenticate. This can be done with aws configure.

If Helm has a successful connection to AWS the following returns:

Release "cloudsdk" does not exist. Installing it now.

NAME: cloudsdk

LAST DEPLOYED: Sun Feb 7 14:00:28 2021

NAMESPACE: tip

STATUS: deployed

REVISION: 1

TEST SUITE: None

To check on status of PODs now launching in AWS enter kubectl get pods -n tip to return results from the operational EKS Kubernetes CloudSDK cluster:

NAME                                                             READY   STATUS            RESTARTS   AGE
cloudsdk-cassandra-0                                             0/1     Running           0          99s
cloudsdk-kafka-0                                                 0/1     Running           0          99s
cloudsdk-kafka-config-1-qnf7j                                    0/1     Init:0/1          0          100s
cloudsdk-opensync-gw-cloud-685b5c9d4-t485c                       0/1     Init:0/1          0          100s
cloudsdk-opensync-mqtt-broker-0                                  1/1     Running           0          99s
cloudsdk-postgresql-primary-0                                    1/1     Running           1          99s
cloudsdk-postgresql-read-0                                       1/1     Running           0          99s
cloudsdk-wlan-cloud-graphql-gw-76c69db46d-cc2zv                  1/1     Running           0          100s
cloudsdk-wlan-cloud-static-portal-8595fd964d-fkd6g               1/1     Running           0          100s
cloudsdk-wlan-port-forwarding-gateway-service-68d745b84b-2xmvq   0/1     Init:0/1          0          100s
cloudsdk-wlan-portal-service-0                                   0/1     Running           0          99s
cloudsdk-wlan-prov-service-944f44d67-4p5z5                       0/1     PodInitializing   0          100s
cloudsdk-wlan-spc-service-596ff5c546-bmgw5                       0/1     Init:0/1          0          100s
cloudsdk-wlan-ssc-service-6db4c8c8b8-jrmrc                       0/1     Init:0/2          0          100s
cloudsdk-zookeeper-0                                             1/1     Running           0          99s

After 5 to 8 minutes elapse, all POD services should be operational for example:

NAME                                                             READY   STATUS      RESTARTS   AGE
cloudsdk-cassandra-0                                             1/1     Running     0          11m
cloudsdk-kafka-0                                                 1/1     Running     0          11m
cloudsdk-kafka-config-1-qnf7j                                    0/1     Completed   0          11m
cloudsdk-opensync-gw-cloud-685b5c9d4-t485c                       1/1     Running     0          11m
cloudsdk-opensync-mqtt-broker-0                                  1/1     Running     0          11m
cloudsdk-postgresql-primary-0                                    1/1     Running     1          11m
cloudsdk-postgresql-read-0                                       1/1     Running     0          11m
cloudsdk-wlan-cloud-graphql-gw-76c69db46d-cc2zv                  1/1     Running     0          11m
cloudsdk-wlan-cloud-static-portal-8595fd964d-fkd6g               1/1     Running     0          11m
cloudsdk-wlan-port-forwarding-gateway-service-68d745b84b-2xmvq   1/1     Running     0          11m
cloudsdk-wlan-portal-service-0                                   1/1     Running     0          11m
cloudsdk-wlan-prov-service-944f44d67-4p5z5                       1/1     Running     0          11m
cloudsdk-wlan-spc-service-596ff5c546-bmgw5                       1/1     Running     0          11m
cloudsdk-wlan-ssc-service-6db4c8c8b8-jrmrc                       1/1     Running     0          11m
cloudsdk-zookeeper-0                                             1/1     Running     0          11m

Check in on the UI

Navigate to https://wlan-ui.cloudsdk.yourdomainname

Default username support@example.com and password support

Navigating the UI

TIP open source SDK offers a web based user interface supporting many common configurations. The web based interface uses the SDK north bound API.

It is possible to further extend functionality of the SDK user interface or to create other interfaces using the SDK API.

Log In

Default user account is support@example.com with password support.

If using the self-signed certificates provided in the open source distribution, it will be necessary to add an exception to the web browser for the following URLs:

• https://wlan-ui.wlan.local/login

• https://wlan-ui-graphql.wlan.local/

Further instructions available here.

TIP OpenWiFi devices are available from many hardware partners. All TIP OpenWiFi devices have the same standard image of open source software.

TIP OpenWiFi 1.0 devices run OpenWrt operating system with OpenSync as a management stack. The use of OpenWrt is largely upstream based on OpenWrt 19.07 in Open WiFi 1.0.

When a TIP firmware image is created, the system will merge TIP specific patches, kernel specific patches, and build this with the target OpenWrt 19.07 operating system as one complete firmware image. From this process a TIP OpenWiFi standard firmware results with the following settings.

Device Defaults

Unable to Connect to WAN or Controller

If the OpenWiFi device has been unable to reach the internet or the assigned controller, the 'Maverick' SSID will appear. Joining this Wi-Fi network will join the local management interface to help onboard the device to the internet and controller.

After joining Maverick SSID, opening a web browser to the address 192.168.1.1 where the following login displays. Enter root login and password.

Common setup to enable internet access is available. WAN interface defaults to DHCP, if the WAN requires static configuration select the drop down to continue:

Changing the Local Area Network is also possible from Maverick mode. There may be cases where an IP overlap has occurred in certain double NAT internal networks. For this reason it may be necessary to change this value, else no change is required here:

It is possible to apply a firmware update from the Maverick interface. This operation is normally performed by the controller however in the event it is desired, have the sysupgrade image downloaded locally before continuing:

Manually setting the cloud location may be done using its Fully Qualified Domain Name (FQDN) in the Redirector field. Device certificates are unique per TIP Open WiFi access point or switch. It should not be required to change these values at any time. Please exercise caution if replacing certificates manually.

TIP Cloud SDK is organized into main components presented along the top of the screen.

Dashboard is the default landing page for the user interface. Network enables management of Access Points and display of Client Devices status. Profiles enables template based management of all provisioning parameters. System enables Manufacturer OUI Updates, Firmware Updates, Auto-Provisioning and Client Block List. Users enables configuration of local user accounts of the Cloud SDK. Alarm indicates an error condition has occurred with one or multiple Access Points. Gear icon to Log Out.

Dashboard Components

With the Cloud SDK now installed into either a public cloud or on premises, logging in with default username support@example.com and password support are now possible.

Once successfully logged in, please refer to User Interface documentation for further details of specific configuration.

Cloud SDK local accounts support user interface and API connections. Adding and removing accounts from the web user interface may be completed from the Users navigation tab.

Select 'Add User' to create a new Cloud SDK user, assign a Role and password.

From the Network page it is possible to create organizational regions to group devices within, view all devices, retrieve individual device records and view all associated and disassociated client devices.

Location Tree

In a future release it will be possible to assign devices to new locations to help in building an administrative hierarchy supporting convenient organization of device to service location. This functionality is exposed in the API and may be further refined in subsequent open source UI releases.

Access Points

For each access point that has contacted Cloud SDK, a row will populate within Access Points. Specific information for each device including Device name, alarm state, model and IP address are shown.

Along the right side of each Access Point row are Profile, Channel, Occupancy, Noise Floor and Devices. Channel indicates the current provisioned RF Channel for each radio in the device. Occupancy indicates available RF bandwidth for Wi-Fi clients as a value over 100. Noise Floor represents the reported RF noise condition being measured by the device within the operating channel and reported to the Cloud SDK. Devices indicated the total associated clients for each radio in the access point.

Access Point Device Record

Each access point managed by Cloud SDK inherits provisioning information from Profiles in addition to supporting device specific configurations and reporting device specific operating conditions.

General information includes device name, model, MAC address and country of operation. Status presents operating conditions for each frequency band of operation in addition to Alarms. Location permits the assignment of the device to a location in Cloud SDK hierarchy tree.

OS Stats

Operating System Stats are sent to Cloud SDK from each device using the MQTT interface. These statistics are regularly received as part of the overall telemetry stream.

Firmware

The Cloud SDK may initiate an on demand firmware upgrade for any associated device. The Active Version of firmware is reported to the Cloud SDK. If the reported version from the device is not part of the System known firmware, the status will be 'UNDEFINED'.

Several TIP devices implement a secondary boot loader bank which Cloud SDK supports the method to command a device to 'Switch to Inactive Bank and Reboot' .

To initiate a firmware upgrade, select a version from the drop down within Upgrade, select the 'Download, Flash, Reboot' button.

On-Demand Device Reboot

Within the Firmware sub-tab, Reboot AP button. Selecting this will cause Cloud SDK to send a warm reboot command to the Access Point.

Cloud SDK uses multiple templates to perform provisioning of Cloud SDK managed devices.

Sample default templates are provided on initial startup of Cloud SDK.

Templates

Cloud SDK System configuration permits uploading OUI data file to assist with device fingerprinting as shown on the initial dashboard landing page dials.

Device OUI Fingerprints

Obtain the OUI file locally and upload to Cloud SDK via Device Manufacturer

Firmware

Firmware image upgrades may be triggered from the Cloud SDK. It is necessary to populate Cloud SDK with Model Target information. If your model is not displayed select Add Model Target Version then proceed to defined a firmware version for use.

Adding firmware version:

When returning to the Network and selecting an Access Point, available Firmware will be presented for actions on a per device basis.

Auto-Provisioning

Locations defined within the Cloud SDK may be auto-provisioned by default or subject to pre-provisioning logic in the Cloud SDK. When a device associates to the Cloud SDK, a Model : Profile match will be attempted in Auto-Provisioning mode.

Client Blocked List

If any client should be denied access to any Wi-Fi service visible to Cloud SDK management it may be added through the global Client Blocked List.

TIP OpenWiFi project is a data-model driven design, meaning the features in the solution are designed as interfaces to be consumed either by micro-services, network devices, or other applications integrating with the solution.

The most useful way to learn the TIP OpenWiFi API is to consume the Swagger interface that fully describes all implemented REST methods.

TIP OpenWiFi controller uses OAuth for authentication. A bearer token must first be obtained for subsequent API calls to succeed.

Curl Request to controller for Bearer Token

curl -k --request POST --header "Content-Type: application/json; charset=utf-8" --data '{"userId":"support@example.com","password":"support"}'   https://${portal-service-ip:port}/management/v1/oauth2/token

Successful Response

{
  "model_type" : "WebTokenResult",
  "twoFactorAuthenticationRequired" : false,
  "resetPassword" : false,
  "access_token" : "eyJpc3MiOiJ0aXAiLCJqdGkiOiI2OTM1NTg3OC1jOGVhLTRiMTItOWU3OS0zMTMyOGJlNWQ1NTEiLCJleHBpcnlUaW1lIjoxNjA2Njg5MjA2MjEyLCJjdXN0b21lcklkIjoyLCJ1c2VyTmFtZSI6InN1cHBvcnRAZXhhbXBsZS5jb20iLCJ1c2VySWQiOjAsInVzZXJSb2xlIjoiU3VwZXJVc2VyIn0=.UYKrayawxxtw9qLbqW70rgOcjSY7oUp8XpalyiGAwUF6zRRsXQ0ILJxvKZxpAwftU4nNosmSS3i2j/vRr5gtD.",
  "refresh_token" : "eyJpc3MiOiJ0aXAiLCJqdGkiOiIwZWU2MjAzZi1iNWI0LTRlZGMtYTM1My0yZWUxZGMwOTUzMzMiLCJleHBpcnlUaW1lIjoxNjA2Njg5ODA2MjMyLCJjdXN0b21lcklkIjoyLCJ1c2VyTmFtZSI6InN1cHBvcnRAZXhhbXBsZS5jb20iLCJ1c2VySWQiOjAsInVzZXJSb2xlIjoiU3VwZXJVc2VyIiwicmVmcmVzaCI6dHJ1ZX0=.hiE1Pcb2O0wUNw/ySga6IqPtmgcAkeMAxrMOC85ZN1AJ2v/WLik6DCVoBk8VZXcJNoEc9Gr6WE7RrtMpJGSee1",
  "id_token" : null,
  "token_type" : "Bearer",
  "expires_in" : 3000,
  "idle_timeout" : 3600,
  "aclTemplate" : {
    "model_type" : "WebTokenAclTemplate",
    "aclTemplate" : {
      "Delete" : true,
      "Read" : true,
      "PortalLogin" : true,
      "ReadWrite" : true,
      "ReadWriteCreate" : true
    },
    "alias" : 2,
    "id" : "",
    "name" : "Webtoken Portal Login",
    "versionTimestamp" : 1551549825443000
  }
}

Use the value from access_token for subsequent API calls into the controller

Cloud SDK processes Profiles by aggregating certain profile types as child profiles inherited during device configuration.

Association of devices to Access Point and SSID is possible as one-to-one (1:1) or one-to-many (1:M). The decision on using 1:1 or 1:M is entirely based on the desired deployment.

Creating a 1:1 Access Point Profile could be useful in certain lab or specific network locations. If a specific RF Profile was desired on a select device, using an Access Point Profile with reference to the specific RF Profile would accomplish this provisioning logic.

Creating an RF Profile specifically for IEEE802.11ac Wi-Fi 5 Access Points to inherit may be a common approach with another RF Profile for all IEEE802.11ax Wi-Fi 6 Access Points. Another reason to create a unique RF Profile may configured outdoor RF configuration that is unique from other indoor based Access Points.

Creating RF Profile with specific Client Steering, Channel Hop, or general radio operation other than default settings are useful when defining behavior of Access Points individually or as a large group of managed devices.

Wi-Fi 5 802.11AC Mode General RF Profile

Example Wi-Fi 5 IEEE802.11AC RF Profile:

Wi-Fi 6 802.11AX Mode General RF Profile

Example Wi-Fi 6 IEEE802.11AX RF Profile

Access Point Profile

TIP SDK will process a 1:1 (one to one) or 1:Many (one to many ) association of Access Point Profile offering a number of possible configuration approaches.

When configuring in a 1:1 approach, it is advised to name the Access Point Profile in a manner meaningful to the deployment, for example Profile Name including significant OUI information.

When configuring in a 1:M approach, it is advised to name the Access Point Profile in a manner meaningful to the shared service, RF parameters or grouped function all Access Points of this Profile will inherit.

Within the Access Point Profile, RF configuration all device members will share is specified.

One or many SSID Profiles may be associated to the Access Point Profile.

Access Point

Relationship of RF Profile and Access Point Profile is visible in the Network, Access Point device record.

Example inherited Profiles to an Access Point device:

Bridging Wi-Fi to Ethernet

When bridging an SSID this has the affect of moving the SSID virtual interface from the 'LAN' side of an Access Point to the 'WAN' side of an Access Point.

Bridging SSID is configured within Profiles, SSID Profile:

• Create a Profile of type SSID

• Assign a Profile Name

• Create the SSID

  • Assign SSID Name

  • Set related optional SSID parameters

• Network Connectivity

  • Ensure Mode is set to Bridge

• Security and Encryption

  • Set a Mode and related security for the SSID

802.1Q VLAN to 802.11 Wi-Fi SSID

When assigning an SSID to a VLAN, this has the affect of adding the Virtual LAN inner tag to the header of Ethernet frames once Wi-Fi client traffic reaches the Access Point for forwarding onward over Ethernet.

The 'WAN' side of the Access Point will present an Ethernet sub-interface with the Virtual LAN identifier equivalent to VLAN set duing SSID creation.

802.1Q VLAN SSID is configured within Profiles, SSID Profile:

• Create a Profile of type SSID

  • Assign a Profile Name

• Create the SSID

  • Assign SSID Name

  • Set related optional SSID parameters

• Network Connectivity

  • Mode is set as Bridge

• Security and Encryption

  • VLAN is set to 'Use Custom VLAN'

    • Enter desired value from 2 - 4,095

Once the SSID Profile configured for a unique VLAN is associated to an Access Point, clients will receive DHCP, Routing, DNS from the Virtual LAN of the upstream network provider

TIP Open Wi-Fi controller implements an Open API compliant NorthBound Interface (NBI) to assist with integration and related back office features.

Cloud SDK north bound API is a key function for most open source community members or vendors seeking to consume the SDK for integration or for value added software development above the SDK layer.

Swagger is a useful tool to explore and learn any system API. Both online and local options are available to help development teams consume the Cloud SDK.

Running a local Swagger instance requires a current version of NodeJS installed.

Online Swagger - Cloud SDK Open API

Current SDK open API is available at the following URL: CloudSDK Open API

Local Swagger - Obtain latest Cloud SDK Open API Model

When running a local instance of Swagger, first obtain the most current Cloud SDK open API from source control:

Install Swagger

mkdir ~/swagger
cd ~/swagger
git clone https://github.com/swagger-api/swagger-editor.git
cd swagger-editor
git clone https://github.com/swagger-api/swagger-ui.git
cd ~/swagger/swagger-editor
npm install
npm run build
npm start

With Swagger running, open the Open API data model file and begin to use locally on port 9091 or add your own TIP Open Wi-Fi controller to the Swagger definitions. Remember to obtain an OAuth bearer token to 'Authorize' your session.

Network Address Translation Wi-Fi to Ethernet

When defining an SSID in NAT mode, this has the affect of isolating all SSID virtual interface traffic in Layer 2 and Layer 3 behind a NAT function inside the Access Point.

The Access Point will use its 'WAN' interface as the public facing IP address for clients behind the SSID associated to NAT mode operation.

NAT mode SSID will have a local DHCP service enabled by default with an address range of 192.168.1.0/24 where the first address is used by the Access Point as the SSID NAT LAN interface serving as default gateway address to all associated UE clients.

NAT SSID is configured within Profiles, SSID Profile:

• Create a Profile of type SSID

• Assign a Profile Name

• Create the SSID

  • Assign SSID Name

  • Set related optional SSID parameters

• Network Connectivity

  • Ensure Mode is set to NAT

Once the SSID Profile is associated to an Access Point, clients will receive DHCP, Routing, DNS from the Access Point 'LAN' side

A common deployment model is to use a RADIUS system for authentication of client devices. Cloud SDK supports this using a RADIUS type Profile.

Defining a RADIUS Profile requires a Name, RADIUS server IP, shared secret and port. Default port for Authentication and Authorization is 1812 and Accounting is 1813. Cloud SDK does not assume these defaults, they must be entered as each deployment may choose to change these values.

It is possible to configure independent authentication from accounting as these services may be unique for some operators.

Associate RADIUS with SSID Service

The RADIUS Profile is associated with a Security and Encryption Mode of an SSID Profile. For example, any Enterprise mode for WPA & WPA2 will depend on RADIUS. Select the desired RADIUS Profile from drop down and set the desired accounting interval in seconds.

Passpoint® brings seamless, automatic and secure Wi-Fi connectivity using either pre-provisioned credentials or the SIM card in a mobile device. Passpoint provides simple, fast online sign-up and provisioning that is only required upon a user’s first visit to a Passpoint network. Once a Passpoint enabled device contains the Wi-Fi AP or network credentials, it will discover and securely connect when the user is nearby—without requiring additional user action. This makes staying connected while mobile infinitely easier, and because Passpoint employs enterprise-level security, users can feel confident their data is better protected.

Passpoint® also delivers more value to carriers, service providers, and IT managers of enterprise networks, enabling:

• Mobile data offload

• Wi-Fi networks for

  • Hospitality, venues and enterprise

  • Streamlined, enterprise-class device provisioning and credential management for enterprise and other private networks

• Wi-Fi–based services such as Wi-Fi calling, and collaboration tools

• Wi-Fi roaming agreements across carriers and service providers

• Opportunities to engage users and extract additional value from the network

Passpoint® is already supported by most enterprise-class APs on the market today, and natively supported by major mobile operating systems including Android, iOS, macOS, and Windows 10. With active support from a wide ecosystem of device manufacturers, mobile operators, and service providers, Passpoint® benefits both users and Wi-Fi network providers

TIP OpenWiFi devices implement support for both the air interface and systems interfaces necessary to support Passpoint® Release 2 and above. Once also termed Hotspot 2.0, IEEE 802.11u specified added air interface fields exposing Access Network Query Protocol interactions for clients to discovery Access Point capabilities.

Wi-Fi Alliance expanded ANQP to include Online Signup (OSU) concepts to leverage seamless onboarding and client security for Passpoint® networks. Following on from these efforts, Wireless Broadband Alliance has provided the necessary system interfaces for identity, security, mobile offload within a common federated operator solution known as OpenRoaming.

TIP OpenWiFi enables operators to deploy the full range of Passpoint® and OpenRoaming solutions.

In earlier sections of OpenWiFi documentation, the association of Access Point Equipment and SSID Profiles were described.

For Passpoint® configuration, each Equipment Profile may reference multiple SSID Profiles. Within the SSID Profile, an association to RADIUS and Passpoint® Profile is made.

From the Passpoint® Profile, an Operator, Venue and multiple Identity Providers are defined.

Passpoint® requires ANQP to supply three information elements from the Access Point.

PLMN-Id

Public Land Mobile Network Id is defined by 3GPP and comprised of two, three digit numbers to uniquely identify the Mobile Network Operator (MNO).

Realm

A Fully Qualified Domain Name (FQDN) is a realm representing the service provider of the Wi-Fi service. Non MNO operators are an example of 'realm-based' service advertisements. Examples include Cable MSOs, Enterprises or other on MNO providers. Authentication methods used with realm-based configuration are EAP-TLS and EAP-TTLS.

OI / RCOI

Organization Id or as defined by Wireless Broadband Alliance, Roaming Consortium Organization Id indicate the federated identity capable of authentication. Examples would be OpenRoaming, Eduroam and follow the Passpoint® EAP authentication methods.

Cloud SDK user interface enables all Passpoint® configuration needed for live service.

Passpoint® services will combine multiple Cloud SDK Profiles.

• RADIUS

• Passpoint

• Passpoint ID Provider

• Passpoint Operator

• Passpoint Venue

RADIUS Profile

Add a RADIUS Profile, specify the IP address and shared secret and port required for reachability and authentication and accounting with the defined server(s).

Operator Profile - Venue

Each Operator of Wi-Fi services or Venue must be defined.

Passpoint Operator

Passpoint ID Provider

Network Access Identifier (NAI) Realm implements all possible EAP methods for authentications. When adding EAP method, select the appropriate configuration to the deployment.

Passpoint Profile

Passpoint profile aggregates the other Operator / Venue, Identity Provider together, once joined to an SSID will be combined with RADIUS in terms of the Access Point processing logic for UE association and authentication.

Add Passpoint Profile

Associate to the SSIDs of network service:

Advertise type of IP Connectivity

Advanced settings support ANQP Domain ID, GAS Behaviors and DGAF operation

Cloud SDK accepts all Passpoint® configuration via API if desired. Please refer to API for additional instructions on use of Cloud SDK OpenAPI.

For reference: Postman collection for Passpoint to assist the reader is available.

RADIUS Profile Example: PLMN ID Based Identity Provider Profile

{
    "model_type": "Profile",
    "id": 3,
    "customerId": 2,
    "profileType": "radius",
    "name": "Identity_Provider-radius-profile",
    "details": {
        "model_type": "RadiusProfile",
        "primaryRadiusAuthServer": {
            "model_type": "RadiusServer",
            "ipAddress": "10.16.10.50",
            "secret": "testing123!",
            "port": 11812,
            "timeout": 0
        },
        "secondaryRadiusAuthServer": null,
        "primaryRadiusAccountingServer": {
            "model_type": "RadiusServer",
            "ipAddress": "10.16.10.60",
            "secret": "testing123!",
            "port": 11813,
            "timeout": 5
        },
        "secondaryRadiusAccountingServer": null,
        "profileType": "radius"
    },
    "childProfileIds": []

Identities

Identity Provider Profile Example: PLMN ID Based Identity

{
    "model_type": "Profile",
    "id": 11,
    "customerId": 2,
    "profileType": "passpoint_osu_id_provider",
    "name": "MNO",
    "details": {
        "model_type": "PasspointOsuProviderProfile",
        "mccMncList": [
            {
                "model_type": "PasspointMccMnc",
                "mcc": 3-digit,
                "mnc": 3-digit,
                "iso": "us",
                "country": "USA",
                "countryCode": 1,
                "network": "MNO Name",
                "mccMncPairing": "3-digit,3-digit"
            }
        ],
        "naiRealmList": [],
        "osuIconList": [],
        "osuServerUri": null,
        "osuFriendlyName": [],
        "osuNaiStandalone": "anonymous@mno_fqdn",
        "osuNaiShared": "anonymous@mno_fqdn",
        "osuMethodList": [],
        "osuServiceDescription": [],
        "roamingOi": [],
        "profileType": "passpoint_osu_id_provider"
    },
    "childProfileIds": []
}

In the above example, an MNO with PLMN identifiers is configured. The result of this configuration will be a UE mobile handset learns its home network operator is available over Wi-Fi network and attempts authentication seamlessly. The MNO logo will display in the UE home screen top bar.

Identity Provider Profile Example: OI / RCOI Based Identity

{
    "model_type": "Profile",
    "id": 16,
    "customerId": 2,
    "profileType": "passpoint_osu_id_provider",
    "name": "RCOI-Member-OpenRoaming",
    "details": {
        "model_type": "PasspointOsuProviderProfile",
        "mccMncList": [],
        "naiRealmList": [],
        "osuIconList": [],
        "osuServerUri": null,
        "osuFriendlyName": [],
        "osuNaiStandalone": "anonymous@member_fqdn",
        "osuNaiShared": "anonymous@member_fqdn",
        "osuMethodList": [],
        "osuServiceDescription": [],
        "roamingOi": [
            "FFFFF00000",
            "FFFFF00100",
            "FFFFF8F5F4",
            "000000",
            "000000"
        ],
        "profileType": "passpoint_osu_id_provider"
    },
    "childProfileIds": []
}

In the above example, a settled roaming provider part of the OpenRoaming federated RCOI has been defined. The UE device will automatically discover this network, for many devices with existing OpenRoaming credentials will seamlessly associate to the advertised service from this Wi-Fi network.

Identity Provider Profile Example: Realm Based

{
    "model_type": "Profile",
    "id": 7,
    "customerId": 2,
    "profileType": "passpoint_osu_id_provider",
    "name": "Realm Operator Name",
    "details": {
        "model_type": "PasspointOsuProviderProfile",
        "mccMncList": [],
        "naiRealmList": [
            {
                "model_type": "PasspointNaiRealmInformation",
                "naiRealms": [
                    "operator.fqdn.com"
                ],
                "encoding": 0,
                "eapMethods": [
                    "EAP-TTLS with username/password"
                ],
                "eapMap": {
                    "EAP-TTLS with username/password": [
                        "Non-EAP Inner Authentication Type:MSCHAPV2"
                    ]
                }
            }
        ],
        "osuIconList": [],
        "osuServerUri": null,
        "osuFriendlyName": [],
        "osuNaiStandalone": "anonymous@operator_fqdn.com",
        "osuNaiShared": "anonymous@operator_fqdn.com",
        "osuMethodList": [],
        "osuServiceDescription": [],
        "roamingOi": [],
        "profileType": "passpoint_osu_id_provider"
    },
    "childProfileIds": []

The above example demonstrates a realm-based identity provider configured for authentication using EAP-TTLS.

Operators and Venues

Wi-Fi Operator Profile Example

{
    "model_type": "Profile",
    "id": 12,
    "customerId": 2,
    "profileType": "passpoint_operator",
    "name": "TIP Lab",
    "details": {
      "model_type": "PasspointOperatorProfile",
      "serverOnlyAuthenticatedL2EncryptionNetwork": false,
      "x509CertificateLocation": null,
      "operatorFriendlyName": [
          {
              "model_type": "PasspointDuple",
              "locale": "eng",
              "dupleIso3Language": "eng",
              "dupleName": "Telecom Infra Project",
              "defaultDupleSeparator": ":",
                "asDuple": "eng:Telecom Infra Project"
          },
          {
              "model_type": "PasspointDuple",
              "locale": "fra",
              "dupleIso3Language": "fra",
              "dupleName": "Le Telecom Infra Project",
              "defaultDupleSeparator": ":",
              "asDuple": "fra:Le Telecom Infra Project"
            }
        ],
        "domainNameList": [
            "telecominfraproject.com"
        ],
        "profileType": "passpoint_operator"
    },
    "childProfileIds": []
}

Venue Profile

{
    "model_type": "Profile",
    "id": 13,
    "customerId": 2,
    "profileType": "passpoint_venue",
    "name": "TIP Lab",
    "details": {
        "model_type": "PasspointVenueProfile",
        "venueNameSet": [
            {
                "model_type": "PasspointVenueName",
                "locale": "fra",
                "dupleIso3Language": "fra",
                "dupleName": "Le TIP Lab c'est Ici",
                "defaultDupleSeparator": ":",
                "venueUrl": null,
                "asDuple": "fra:Le TIP Lab"
            },
            {
                "model_type": "PasspointVenueName",
                "locale": "eng",
                "dupleIso3Language": "eng",
                "dupleName": "TIP Lab",
                "defaultDupleSeparator": ":",
                "venueUrl": null,
                "asDuple": "eng:TIP Lab"
            }
        ],
        "profileType": "passpoint_venue",
        "venueTypeAssignment": {
            "model_type": "PasspointVenueTypeAssignment",
            "venueDescription": "Research and Development Facility",
            "venueGroupId": 7,
            "venueTypeId": 7
        }
    },
    "childProfileIds": []

Passpoint Profile

With all other profile configuration in place, the logical association of these profiles occurs within the Passpoint Profile.

{
    "model_type": "Profile",
    "id": 14,
    "customerId": 2,
    "profileType": "passpoint",
    "name": "test-Passpoint-Profile",
    "details": {
        "model_type": "PasspointProfile",
        "enableInterworkingAndHs20": true,
        "hissed": null,
        "passpointAccessNetworkType": "free_public_network",
        "passpointNetworkAuthenticationType": "acceptance_of_terms_and_conditions",
        "additionalStepsRequiredForAccess": 1,
        "deauthRequestTimeout": 0,
        "operatingClass": 0,
        "termsAndConditionsFile": {
            "model_type": "ManagedFileInfo",
            "md5checksum": null,
            "lastModifiedTimestamp": null,
            "apExportUrl": null,
            "fileCategory": "ExternalPolicyConfiguration",
            "fileType": "TEXT",
            "altSlot": false
        },
        "whitelistDomain": null,
        "emergencyServicesReachable": false,
        "unauthenticatedEmergencyServiceAccessible": false,
        "internetConnectivity": true,
        "connectionCapabilitySet": [
            {
                "model_type": "PasspointConnectionCapability",
                "connectionCapabilitiesPortNumber": 8888,
                "connectionCapabilitiesIpProtocol": "TCP",
                "connectionCapabilitiesStatus": "open"
            }
        ],
        "ipAddressTypeAvailability": "public_IPv4_address_available",
        "qosMapSetConfiguration": null,
        "apGeospatialLocation": null,
        "apCivicLocation": null,
        "apPublicLocationIdUri": null,
        "gasAddr3Behaviour": "p2pSpecWorkaroundFromRequest",
        "anqpDomainId": 5432,
        "disableDownstreamGroupAddressedForwarding": true,
        "enable2pt4GHz": true,
        "enable5GHz": true,
        "associatedAccessSsidProfileIds": [15],
        "osuSsidProfileId": null,
        "passpointOperatorProfileId": 12,
        "passpointVenueProfileId": 13,
        "passpointOsuProviderProfileIds": [
            7,
            11,
	    16
        ],
        "profileType": "passpoint",
        "networkAuthenticationType": "acceptance_of_terms_and_conditions",
        "accessNetworkType": "free_public_network"
    },
    "childProfileIds": [
        7,     // Realm Based Example IDP 
        11,    // MNO Based Example IDP
        12,    // RCOI Based Example / OpenRoaming IDP
        13,    // Venue Profile
	 16    // Wi-Fi Operator Profile
    ]

Passpoint SSID Profile Association

{
    "model_type": "Profile",
    "id": 15,
    "customerId": 2,
    "profileType": "ssid",
    "name": "passpoint-access-ssid",
    "details": {
        "model_type": "SsidConfiguration",
        "ssid": "OpenRoaming",
        "appliedRadios": [
            "is5GHz",
            "is2dot4GHz"
        ],
        "ssidAdminState": "enabled",
        "secureMode": "wpa2EAP",
        "vlanId": 1,
        "dynamicVlan": "disabled",
        "keyStr": "sdfksfh$%#2f@#$",
        "broadcastSsid": "enabled",
        "keyRefresh": 0,
        "noLocalSubnets": false,
        "radiusServiceId": 3,  // RADIUS Profile
        "radiusAcountingServiceInterval": 60,
        "captivePortalId": null,
        "bandwidthLimitDown": 0,
        "bandwidthLimitUp": 0,
        "clientBandwidthLimitDown": 0,
        "clientBandwidthLimitUp": 0,
        "videoTrafficOnly": false,
        "radioBasedConfigs": {
            "is5GHzU": {
                "model_type": "RadioBasedSsidConfiguration",
                "enable80211r": null,
                "enable80211k": null,
                "enable80211v": null
            },
            "is2dot4GHz": {
                "model_type": "RadioBasedSsidConfiguration",
                "enable80211r": null,
                "enable80211k": null,
                "enable80211v": null
            },
            "is5GHzL": {
                "model_type": "RadioBasedSsidConfiguration",
                "enable80211r": null,
                "enable80211k": null,
                "enable80211v": null
            }
        },
        "bonjourGatewayProfileId": null,
        "enable80211w": null,
        "useRadiusProxy": false,
        "wepConfig": null,
        "forwardMode": "BRIDGE",
        "profileType": "ssid",
        "radiusClientConfiguration": {
            "model_type": "RadiusNasConfiguration",
            "nasClientId": "USER_DEFINED",
            "nasClientIp": "WAN_IP",
            "userDefinedNasId": "FB001AP001",
            "userDefinedNasIp": null,
            "operatorId": "AmeribandTIP"
        }
    },
    "childProfileIds": [
        3,    // RADIUS Profile
        14    // Passpoint Profile
    ]
}