TIP OpenWiFi Member Access Point Ordering Information
TIP Wi-Fi members may contact the ODM manufacturers in the TIP OpenWiFi eco-system using the information posted within Community Confluence page.
If your organization is not already a TIP Open Converged Wireless Project Group (OCW PG) member, consider signing up. Joining the OCW PG is free as a Software Participation Tier in TIP.
All TIP OpenWiFi devices use the same cloud discovery mechanism on initial boot.
OpenWiFi devices ship from factory with a unique device certificate signed by the Telecom Infra Project Certificate Authority.
When a device boots for the first time, or is factory reset, a 'first-boot' process occurs within the device.
First-boot initiates a connection over HTTPs to the Certificate Authority requesting the unique device record information. All connections to the Certificate Authority occur over mTLS encrypted session.
Devices use their unique certificate identity to authenticate and retrieve the location of the assigned cloud.
Once the cloud location has been learned from first-boot, the device no longer depends on this cloud discovery and will return to the assigned cloud learned from first-boot.
Devices may periodically initiate connection to the Certificate Authority to validate their unique certificate status. This is a normal process involved in mutual TLS security models.
When an operator or end customer seeks to change the cloud associated with their device(s), the value of the cloud stored in the Certificate Authority device record is updated. A factory reset of the device will cause first-boot to re-occur which will then discover the new cloud.
TIP OpenWiFi ODM partners are able to manage device records directly using the Certificate Authority portal. All other users should send an email to licensekeys@telecominfraproject.com to request update of cloud discovery.
Device First Boot / Factory Cloud Discovery
Provisioning
uCentral Data Model Introduction
OpenWiFi 2.0 makes it possible for integrators of the SDK to implement commercial products leveraging OpenWiFi Gateway service with vendor supplied provisioning above OpenWiFi SDK.
As a minimum, the OpenWiFi 2.0 SDK framework offers a Security service which handles all OpenAPI authentication northbound, and the Gateway service which provides all uCentral websocket interface functionality southbound.
Minimum 2.0 SDK - Assumes DB is either SQLite or PGSql
OpenWiFi also provides options to receive telemetry and events over both OpenAPI interface as well as Kafka message bus. When using Kafka, OpenWiFi Gateway directly publishes telemetry and event topics to the bus.
In future sprints of OpenWiFi dynamic device provisioning will be available as an added micro service.
Gateway
OpenWiFi 2.0 Gateway implements the uCentral device management interface. uCentral specifies the data model and interface for management and telemetry of OpenWrt based devices.
Gateway uCentral interface is a websocket JSON-RPC based design between OpenWiFi Gateway and the device running uCentral agent.
All communications from Gateway to Device are secured using mutual Transport Layer Security (mTLS). In mTLS systems each endpoint is a unique device sharing the same signed root or intermediate trust. In OpenWiFi each device has a signed certificate, key and device identifier. These are validated by the uCentral-Gateway to establish mTLS session.
Upon successful connection the device exchanges its capabilities with the OpenWiFi SDK. OpenWIFi SDK, via the Gateway micro service will send the entire device provisioning data as a JSON payload.
Within OpenWiFi devices, the uCentral agent has a reader and renderer process providing serialization and validation of data sent from cloud.
If any data presented can not be processed by the local agent, this is returned within an ERROR message using the same websocket connection.
If the device agrees with provisioning information presented, the render process builds calls into the operating system configuration sub-system known as UCI. The Unified Configuration Interface ensures OpenWrt compliant syntax is persisted within the device.
Configuration source of truth is the OpenWiFi SDK. Consistency of device configuration is handled with an applied hash compared by the Gateway for each device. If the value differs on device from that of the stored information in cloud, the device will be immediately resent its configuration from the OpenWiFi SDK Gateway service.
Once present, all configuration data is preserved on device restart.
It is possible to generate device configurations outside of the OpenWiFi 2.0 SDK as shown in the minimum SDK image at the start of this page. This may occur for some integrations or may occur when the OpenWiFi Provisioning micro service is not present. In this way, integrators of commercial products are welcome to build device provisioning outside of OpenWiFi and use the OpenWiFi cloud to manage the scale, state, security and validation of device websocket communications.
Getting Started
TIP OpenWiFi 2.0
OpenWiFi 2.0 Minimum Viable Product at the end of July, 2021 enables a cloud native and cloud agnostic Software Development Kit (SDK) with management and deployment support for a wide range of Access Point and PoE network switch platforms.
Initial release 2.0 SDK includes:
Zero Touch Cloud Discovery
Firmware Management
User Interface
Device List
Device Reboot
Upcoming sprint for August includes Dynamic Provisioning service support for template based device configuration.
OpenWiFi 2.0 SDK is deployable as both a Docker Compose or a Helm on Kubernetes model. See section for installation instructions.
New in this Release
Firmware
Basic Features for OpenWiFi Switching
Passpoint
Cloud Partner Information
TIP OpenWiFi
TIP OpenWiFi enables integration by commercial controllers to the OpenWiFi Software Development Kit (SDK).
The OpenWiFi SDK is designed to enable cloud partners to consume basic southbound device management and device discovery at a minimum. This is similar to augmenting a southbound device adapter for many orchestration or automation systems.
The OpenWiFi SDK also offers numerous micro services of incremental functionality for cloud partners to optionally consume including:
Firmware Management
Device Provisioning
Subscriber Portal
Analytics
User Interface
This independent micro service approach has numerous advantages including ease of integration, ability to leverage more of the stack to accelerate product availability or support only device communication and discovery for partners who seek to maintain more functionality within their own application.
Step 1 : Join
If your organization is not already a TIP Open Converged Wireless Project Group (OCW PG) member, consider signing up. Joining the OCW PG is free as a Software Participation Tier in TIP.
For more information please visit:
Step 2 : Slack, Keys & Atlassian Tools
Introduce your organization to the Community on Slack. All Community members have access to Telecom Infra Project Slack. Send a message to "general" and "open-wifi-ucentral" channels.
Send an email to licensekeys@telecominfraproject.com to request onboarding as a supplier for OpenWiFi Cloud. All OpenWiFi Gateway services in the SDK require a signed key to terminate incoming device connections in the southbound interface.
Ensure your GitHub account was linked in your Telecom Infra Project user profile, this will enable write access to OpenWiFi repositories. Also confirm Atlassian link is also present in user profile.
Step 3 : Integration
OpenWiFi SDK uses OpenAPI 3.0 compliant northbound Rest API and Kafka for message bus topics. Typical CRUD actions occur via the Rest API, Kafka will present topics for device discovery and all telemetry captured from the network edge.
Please consult the to begin with integration work.
Summary
Integrations that use the published interfaces are the easiest approach to starting with OpenWiFi SDK.
If a cloud partner seeks to contribute a new SDK micro service, please announce the idea on "general" and "open-wifi-ucentral" slack channels for the Community to help further.
There is a skeleton micro service example to help developers build new services that inherit SDK service discovery and security design.
Please find skeleton service .
Device Partner Information
TIP OpenWiFi
TIP OpenWiFi enables a turnkey from factory experience for the managed Wi-Fi ecosystem.
When an ODM or an OEM join TIP it is for the purpose of supplying a TIP SKU to market direct from factory.
This has numerous advantages including scale of supply, ease of distribution, partner branding, use of standard software including device certificates direct from factory.
Step 1 : Join
If your organization is not already a TIP Open Converged Wireless Project Group (OCW PG) member, consider signing up. Joining the OCW PG is free as a Software Participation Tier in TIP.
For more information please visit:
Step 2 : Slack, Keys & Atlassian Tools
Introduce your organization to the Community on Slack. All Community members have access to Telecom Infra Project Slack. Send a message to "general" and "open-wifi-ucentral" channels.
Send an email to licensekeys@telecominfraproject.com to request onboarding as a supplier for OpenWiFi SKU devices.
Ensure your GitHub account was linked in your Telecom Infra Project user profile, this will enable write access to OpenWiFi repositories. Also confirm Atlassian link is also present in user profile.
Step 3 : Build your device profile
Devices follow standard Linux patch process for enhancements and bug fixes. A development branch should be defined, perform work necessary to add support for the new device including a new profile for the build system.
Test your work locally, when confident push and submit a pull request for the next branch.
Follow the guidance posted:
Step 4 : Submit Device for Community Lab Testing
To obtain access to TIP OpenWiFi support and regression, devices must be sent to the Community Test Lab for QA sanity automation. A formal process for obtaining a TIP OpenWiFi Logo mark will be launched in 2022.
Summary
If the pull request review is successful the new device will be merged.
Provided the ODM / OEM device vendor has been onboarded for license keys, the device will be included in nightly builds.
TIP OpenWiFi is an open source community project that believes in democratizing premium Wi-Fi experiences for multiple market use cases. The TIP approach to OpenWiFi creates an open source disaggregated technology stack without any vendor lock in. OpenWiFi offers premium managed Wi-Fi features, local break-out design, cloud native open source controller, and an open source AP firmware operating system tested nightly.
Open Technology Stack - Many Platforms - Many Service Options
TIP OpenWiFi is the industry's first CI/CD open source Wi-Fi eco-system. Built nightly with a strong community of Wi-Fi leaders, new features are unit tested in automated RF chambers and checked from cloud to ground for Wi-Fi performance and conformance.
OpenWiFi 2.0 introduces management and telemetry based on uCentral offering expanded selection of managed devices including smaller APs and PoE access switches.
Multiple authentications including WPA, WPA2, WPA3, Enterprise Radius models, M-PSK
Each OpenWiFi PoE Switch offers:
IEEE802.1Q Virtual LAN
VxLAN
DHCP Snooping & Relay
Cloud SDK in OpenWiFi offers:
Zero Touch Provisioning
Firmware Management
Integration Northbound Interface (NBI) RESTful
OpenWiFi AP Detail List:
Wi-Fi 4 (n) Wi-Fi 5 (ac) Wi-Fi 6 (ax)
Dual Bank Bootloader
Multi-SSID per Radio
Cloud SDK additional features
Provisioning
Device Identity (Model, MAC, Serial Number)
Device Software Upgrade
How to contribute
If you or your company are interested in contributing to TIP Open Wi-Fi, please join the Wi-Fi Product Group by visiting to become a member.
Local Device Settings
OpenWiFi 2.0 Devices
When OpenWiFi devices are unable to connect to the cloud during their initial power on from factory, this may be a result of Internet connectivity issues.
Certain WAN connections may require credentials such as a username and password or a mobile configuration or simply static address assignment instead of dynamic.
OpenWiFi 2.0 supports these scenarios. When a device does not have an existing configuration and is unable to contact the cloud for provisioning it enters "Maverick" mode.
For all Wi-Fi devices this means a Wi-Fi network with the SSID 'Maverick' will become available.
Association with and logging in to the device will permit initial WAN connectivity to be entered.
Using Maverick
After association to the Maverick SSID, open a web browser to http://192.168.1.1
Log into the OpenWiFi device with username: root and password: openwifi
When the page above is displayed, begin to configure Uplink based on the WAN requirements of the deployment.
If connection uses Point to Point over Ethernet (PPPoE) username and password credentials, enter those values and save.
If the OpenWiFi device has a Cellular connection which is possible on device models with 4G and 5G radios, the network Access Point Name (APN) and PIN will be required. These values are supplied by your mobile network provider.
When dynamic address allocation is not available, static IP address assignment may be required. IPv4 and IPv6 are supported, enter these values with DNS address and save.
Otherwise leave the Uplink configuration to DHCP or cloud defaults.
Manual Redirector and Certificate Upload
If under rare circumstances it is not possible to discover the OpenWiFi cloud associated with the device or there is a need to replace device certificates, this may be configured in Settings.
System
It is possible to reset the device to defaults, or locally update firmware using the commands available from System.
****
Discovery without Cloud
TIP OpenWiFi 2.0
There could be reasons cloud discovery does not complete.
These include:
Lack of Internet Connectivity
Device may require additional WAN settings
Network may not be connected to Internet
No Configuration of Cloud in Certificate Authority
Manufacturer may have left this value blank in the device record stored in Certificate Authority
When the cloud can not be automatically discovered, OpenWiFi devices will turn on a local admin web UI made available via SSID "Maverick".
The Maverick UI will support configuring WAN interface parameters, including DHCP, Static, PPPoE, and LTE/5G settings. Please see for details on using Maverick.
Additionally the Maverick UI supports direct entry of the cloud for cases when the cloud value has not been supplied during manufacture.
For non-Wi-Fi devices such as PoE access switches, the same cloud location information may be configured using local management interface.
Initial Minimum Viable Product Release 2.0 does not include template driven device provisioning, this will be available in the next sprint.
Given many cloud and ODM partners wish to consume the 2.0 reference stack early, some with their own device provisioning logic as part of commercial cloud controllers, the following describes uCentral based management and telemetry, interactions with the OpenWiFi SDK processing provisioning and telemetry data.
Device Interactions with SDK
OpenWiFi with uCentral Management
OpenWiFi 2.0 follows the uCentral system. Complete data model is available . Upon discovery of the cloud, a device default or specific configuration is transferred.
All devices are known to the cloud by their unique id and provisioned based on advertised capabilities. Each configuration generates a new unique hash value to ensure as devices report back to the cloud, their configuration state is guaranteed.
If the cloud sends invalid configuration data or the device has insufficient ability to complete the provisioning commands, the error handling process will send this response back to the cloud.
For example results returned to SDK from a device configuration error:
Commands
OpenWiFi 2.0 SDK
Within the devices view, the Commands tile offers a number of features and administrative actions.
Each of these represent API calls exposed on the OpenAPI northbound interface from the SDK.
Reboot
Selecting the Reboot action will prompt the below dialog. Options presented permit an immediate reboot or a scheduled reboot based on date and time.
Firmware Upgrade
Multiple methods exist to execute a remote Firmware Upgrade of a device. When selecting Firmware Upgrade via the Commands tile, a simple dialog to upgrade immediately or at a scheduled time is presented. Alternatively using the Firmware Management Service provides a complete solution including managed access to all TIP firmware images.
Wi-Fi Scan
OpenWiFi devices may perform channel scanning and return this neighbor and RF data to the SDK in an on demand or ongoing manner.
Wi-Fi Scan Results
Scan operations function over all channels. If 5GHz channels do not display in the returned results ( either via the UI or over API ) this indicates the device is configured in a DFS channel for which it may not return survey scans at this time.
Connect
OpenWiFi enables remote connection to any managed device using rTTY encrypted shell session. Selecting Connect will cause a browser tab to open with the login session to current device.
Blink
To assist with remote identification of devices in the network, it is possible to turn the LED lights On, Off, of continuous blinking. This may be run on-demand or scheduled.
Trace
Trace feature enables a remote packet capture to occur on the managed device, over a specified period of time or amount of traffic, returning the "pcap" packet capture file locally to the OpenWiFi admin user.
Once complete the user is asked to open or save the packet capture file locally.
Factory Reset
It is possible to revert a device to initial out of box state from the OpenWiFi SDK. Sending a Factory Reset will remove all configuration on the device and optionally reset the discovered cloud stored as the 'Redirector' in the device configuration.
Note: When Redirector is not kept, devices will re-contact the Certificate Authority to re-discover their OpenWiFi cloud address
Configure
Prior to the introduction of OpenWiFi 2.0 Provisioning Service, device configuration is done through creation of the JSON provisioning file and either loading that file or applying its contents using the dialog presented via Configure. The same options exist when using the API directly.
Data Model Introduction
OpenWiFi 2.0
OpenWiFi 2.0 data model for device management is based on uCentral.
uCentral is set to become a leading component of OpenWrt, as such will have a diverse, and worldwide developer and support base in open source.
Within the model it is possible to provision or return state for all aspects of an OpenWiFi based device easily structured as a JSON payload.
Each device has a Universally Unique Identifier (UUID). For each device, the configuration presented either manually, via the future Provisioning service from OpenWifi or via a commercial controller generation of provisioning data, the high level relationships of the schema may be understood as follows.
The unique device record has a set of top level configurations. A device is referred to as a 'unit' that may have a Description, Location, TimeZone as example. Each unit may have globals for IPv4 and IPv6 networks that are derived to lower lever interfaces in later generation.
Services and Metrics are associated with logical and physical interfaces. Services enable configuration of features such as LLDP or SSH, rTTY, IGMP, 802.1x, RADIUS Proxy, WiFi-Steering, or NTP and are then associated with Interfaces as desired.
Interfaces define upstream and downstream configuration over both Wi-Fi logical (SSID) and wired physical ports.
Metrics enable visibility to the cloud for numerous states of the device. These are associated per interface and may be sent in 60 second or greater intervals and include Statistics of SSID, LLDP, Clients. Also include Health check reports of device load, network reachability, temperature.
To assist with fingerprinting DHCP-Snooping exposes numerous interactions of IP binding to clients. Additionally wifi-frames expose all 802.11 management frames to the SDK Gateway.
It is also possible to configure config-raw elements that will parse direct UCI commands once the device provisioning has been completed by the uCentral agent.
Devices
OpenWiFi 2.0 SDK
Each device presents Metrics and Health check data to the Gateway. Devices view displays this information in the following organization:
Status
Configuration
Statistics
OpenWiFi 2.0 SDK
Each device page presents statistics in traffic terms per interface as a line graph of bandwidth over time.
The generated image may be downloaded for offline use.
Accessing Wi-Fi Analysis and Last Statistics may be found at the top right of Statistics tile.
Creating a Configuration
OpenWiFi 2.0 Device Configuration
To introduce the Community to the uCentral data model structure, the below illustrates a basic Access Point configuration that assumes a typical enterprise Wi-Fi scenario of a ceiling mount or wall mount device presenting a single WAN interface with a private management network and separate Wi-Fi network on a virtual local area network.
Start with Location and Radios
We will set the unit location and timezone, then proceed to configure radios.
In this example, a two radio device that indicates it is Wi-Fi 6 as the channel-mode values for both radios is "HE" which defines 802.11ax operation. Valid values are "HT" -High Throughput 802.11n mode, "VHT" - Very High Throughput 802.11ac mode, "HE" - High Efficiency 802.11ax mode.
User Interface
OpenWiFi 2.0
Release 2.0 uses a Single-Page Application (SPA) as an example user interface built using React to demonstrate several interactions using the northbound OpenAPI.
Login to OpenWiFi SDK
Default username is: tip@ucentral.com and password is:
OpenAPI Definitions
OpenWiFi 2.0 SDK
Where is the OpenAPI?
This uses OpenAPI definition 3.0 and can be found . All endpoints begin with /api/v1.
Command History
OpenWiFi SDK 2.0
Multiple events are recorded in the Command History tile. Each line item will have a Result, Details, and Delete action.
When an rTTY session is executed, this is a displayed command history. Selecting the Result icons will display the Success or Fail of the command.
Each provisioning event is reflected as a configure command history. To see the entire JSON payload and the result, including success or error with message, simply select Details to expand the dialog below with this data. A date and time in the third column indicates when the configure command was executed successfully.
If a provisioning event has failed to complete, its command history for configure will show as pending.
Device Feature Configuration Examples
TIP OpenWiFi 2.0
OpenWiFi devices have a number of features that may be configured.
The following pages guide the user to understanding each of these features individually including example configuration information.
Channel defines the specific channel number the radio shall operate on as an integer from 1 - 171 and may also be set to a string for "auto" mode. Channel width permits configuring the amount of RF channel the radio will operator over from 20-40-80-160 including 8080 mode (also known as 80+80) .
OpenWiFi radios may be set to require UE clients to associate to a minimum standard such as excluding any 802.11b associations depicted above with "require-mode" set to "HT" meaning 802.11n or higher clients may associate.
Control of beacon interval and multicast rates is possible per radio as shown in the "rates" section.
Interfaces
OpenWiFi 2.0 offers a highly flexible model for arranging network interfaces. Multi-port devices may be easily provisioned for numerous types of network segmentation and logical network configuration. We will start with a simple WAN that has a management IP and also a VLAN sub-interface for a logical SSID in a subsequent step.
In the above configuration block we have a WAN interface, its role is "upstream" meaning it faces the upstream in terms of service it provides (WAN). This has a direct alignment to how the device interprets a physical or logical port participates in bridge forwarding domains.
Note we want this port to have an IP address for its management, therefore the "ipv4" configuration is associated as a child of any Ethernet WAN ports and set to DHCP.
Common Config - VLAN on WAN for SSID
Imagine the OpenWiFi device is an enterprise Access Point mounted on a ceiling. These devices do not always have a LAN port. Also in an enterprise, it is likely the Wi-Fi services are in their own network segments and not subject to Network Address Translation (NAT). Since the enterprise would also not want Wi-Fi on the same network as Management, an 802.1Q Virtual LAN is used.
In this next section of configuration, an additional logical interface associated to the WAN ports for the VLAN id of "100" is shown. Note there is no IP address associated to this interface, it is a layer 2 interface that will emit on any and all WAN ports with VLAN id 100.
To associate the Wi-Fi with the VLAN interface define, we continue within the WAN100 interface adding SSID services.
Within the "ssids" configuration block we can process an array of SSIDs. Often there may be separate "2G" and "5G" configurations. We have grouped them in this introductory example for simplicity however "2G", "5G", "5G-lower", "5G-upper", "6G" are all valid options.
The "name" value is the advertised SSID clients will discover for this access point. Hidden is supported by setting the "hidden-ssid" to true.
Which operating mode is determined by "bss-mode". The "bss-mode" is a highly flexible operating parameter to determine "ap", "sta", mesh", "wds-ap", "wds-sta", "wds-repeater" radio modes of operation.
Security of the SSID is determined using the "encryption" section. Many options are possible, in this initial example, a WPA-PSK2 shared key encryption is shown.
Lastly, for devices that support, 802.11w protected management frames are defined as optional for this SSID. This may also be disabled or required.
Metrics for wifi-frames will be described next.
Sending Data
Add metrics to our configuration that will help expose state of the Wi-Fi network and its services to the cloud.
Within metrics it is possible to define the interval for sending information to the cloud. Additionally the type of information sent is defined here. In this example configuration there are associated services to interfaces along the way. This included LLDP and dhcp-snooping and wifi-frames.
Within each uCentral device, the agent has a global health check feature that includes memory, cpu, temperature operating states in addition to performing various network and service health tests. The interval at which these reports are sent to the cloud is configured within health.
For all SSIDs that have wifi-frames associated as a service, the listed management frame types will be gathered and sent to the cloud, on each interval.
To assist with fingerprinting and client troubleshooting, dhcp-snooping sends the cloud all current client DHCP and DHCPv6 state.
Global Services
The final section of the simple configuration example turns on LLDP and SSH where those services were associated to interfaces listed above.
The complete simple configuration file as described in this page may be downloaded here:
API endpoints are secured with bearer-token authentication using end-point /oauth2.
Once you obtain access-token, you will need to pass it in the headers under Authorization: Bearer <place your token here>.
Basic Entities
The API revolves around devices, commands, and default_configurations.
To retrieve a list of devices to know what is available and then use the endpoint device to access all device specific information.
To retrieve commands and default_configurations follow those endpoints.
Most operations rely on the serialNumber of a device. That serialNumber is unique and generated on the device. Serial Number matches the device's MAC address.
devices: The list of all devices in the system. This maybe very large, pagination is recommended.
commands: The list of commands issued by the system. This list could also be large.
default_configurations: A list of default configurations used to supply existing devices.
Relationships
A device is a physical (or potentially logical) entity using the ucentral protocol.
Currently, APs and Switches are the only devices used. A device has several attributes.
Additionally, other collections are supported for each device:
logs: Specific for a device. Logs originate from the device or associated with the device by some mechanism.
healthchecks: Reports from the device coming periodically after device self tests.
statistics: Periodically produced by the devices and document actual state data from each device.
capabilities: This details the actual data model supported by the device.
The device entry point is also used to query about the status of the device and used to inject certain commands for a specific device.
Commands supported for each device:
reboot: This will force the device to reboot.
configure: Configure sends a new configuration to a device.
factory: Forces the device to perform a factory-reset.
upgrade: Forces the device to do a firmware upgrade.
leds: Ask the device to flash its LEDs or turn them on or off.
trace: Performs a remove LAN trace. Once the trace is completed, the produced file may be removed using the file endpoint.
command: Performs a proprietary command. The meaning depends on the device.
request: Request an immediate message of type state or healthcheck.
The file end point is used to retrieve and remove files produced by the Gateway. Currently this is limited to the results of a trace command. The file name will always match the uuid of the command that produced it. If several files are needed, the files will be named uuid, uuid.1, uuid.2, etc.
Dates
All dates should use the format defined in RFC3339. All times are UTC based. Here is an example:
Command when parameter
Most commands use a when parameter to suggest to the device when to perform the command. This is a suggestion only. The device may decide to perform the command when it is optimal for itself. It maybe busy doing something and decline to do a reboot for several minutes for example. The device may reply with the actual when it will perform the command.
Configuration UUID
The gateway manages the configuration UUID. So if you set a UUID for a configuration, it will be ignored. The gateway uses UUID as versioning. The UUID is unique within a single device. The resulting UUID or a configuration change is returned as part of the configure command.
Connection status reflects the Gateway to Device current communications status.
Uptime and Last Contact reflect communication state.
Load indicates processing load on the device.
Memory Used indicates free memory on the device.
Device Status
Configuration
Device UUID, Serial Number, MAC Address and Device Type are displayed.
Last configuration update date and timestamp reflects the last time a "configure" action completed on the device.
Password may be set and device notes may be added.
Device view Configuration Panel
Logs
Log history of the device is presented within Logs. Expand the tile selecting the down arrow.
Health
Health score is an active tile reflecting the device health out of a score reported by the device to Gateway. Health metrics are configured on the device based on chosen data model options. When the device falls out of 100%, this tile changes to red. Expanding the tile will present all health reports. Those with less than 100% score will contain reasons for the result from this interface.
Commands
Commands tile provides a number of administrative actions for the user:
Command
Action
Reboot
Warm Restart remote device
Firmware Upgrade
Initiate firmware upgrade process
WiFi Scan
Initiate remote scan of surrounding Wi-Fi
Connect
Initiate an rTTY Remote Shell session
Blink
Set LEDs to On, Off or Blinking state
Commands Tile
Wi-Fi Analysis
Operating channels, channel width, noise floor and transmit power are the first values reported in Radios table.
Viewing associations, from the Associations table, and their use is important in terms of bandwidth and connection quality. Wi-Fi Analysis helps visualize each client association, this could be an end user device or a WDS or Mesh association.
Each association is known by their MAC address or BSSID value. The mode of connection will indicate if an end user client device entering the "ap" or if a client is associated as "wds" or "mesh.
The access point view of RSSI, Rx and Tx Rate, Modulation Coding Scheme and Number of Spatial Streams are exposed for each association.
Using the slider along the top, the last 15 to 30 minutes of performances data may be viewed.
Latest Statistics
The option to view Latest Statistics is at time of the MVP release, intended to help the Community see on a per device basis how much, or how little depending on device configuration, is being sent to the OpenWiFi Gateway in terms of telemetry.
openwifi
Base Navigation
A left side navigation menu provides direction to major feature or service settings.
Left Navigation
Internationalization
OpenWiFi 2.0 SDK supports multiple languages. Simply select the desired language from the right drop down for pages to re-populate accordingly.
Devices
Upon login the first page presented is a Devices table. This table reflects all discovered and managed devices known by the OpenWiFi SDK.
Devices Table
Devices table indicates device Connected or Disconnected state in the first column with green and red respectively.
Certificate column indicates invalid, valid with mismatch serial, or valid device certificate identity state as red crossed seal, yellow seal and green seal respectively.
Serial Number column links to the device record.
Compatible model, Tx, Rx, and connected IP Address present basic information of the device type and its connection.
Three final columns provide Details (also obtained by selecting the serial number), Wi-Fi Analysis presenting current Wi-Fi associations and their performance and Refresh commands.
Displaying Associations
From the Devices table, second from right column icon the WiFi Analysis may be accessed. This may also be accessed within the Device View page of a single record along the top right of Statistics section.
Wi-Fi Analysis
Within the WiFi Analysis page, all active associations are displayed with the ability to view approximately the last 30 minutes of data reported from the Access Point.
For each association the device MAC address, mode of connection and SSID are displayed. This will include end devices as well as Wi-Fi infrastructure such as WDS and Mesh associations.
Associations have RSSI, Rx Rate & Bytes, Tx Rate & Bytes, MCS negotiated, Number Spatial Streams and IP Address information.
Dashboard View
OpenWiFi SDK provides visual indications on the overall health of the deployed Wi-Fi network. this includes Device Status for connected and non-connected devices. Device health indicating percentage of devices failing a health check. Distribution of devices by vendor in the network and by model.
Dashboard View
Additionally, verified certificates or serial mismatch certificates, number of Command actions from all Gateways to devices and devices with greater than 75% memory utilization, greater than 50% less than 75% memory and less than 50% utilization are displayed.
Login Page
configure Pending Command History
Remote packet capture is shown as the trace command history. When packet captures are persisted in the OpenWiFi SDK, they may be downloaded again through the cloud download icon.
trace Command History
Command History Tile
rTTY Command History
Configure Command History
"results": {
"serial": "aabbcc00120a",
"status": {
"error": 0,
"rejected": [
"[W] ("A Reason will be given"
],
Release 2.0 SDK offers a number of ways to consume OpenWiFi. Available as a single Docker for just the uCentralGW or as a set of micro services offering increasing value to consume helps multiple eco-system partners use as much or as little as desired to integrate with or build a commercial product on the TIP OpenWiFi SDK.
OpenWiFi services follow the OpenAPI 3.0 definition.
The complete API is described here: OpenWiFi SDK OpenAPI
Devices
OpenWiFi devices are Access Points or Switches (and other forms in the future), that support the uCentral configuration schema. Devices contact a controller using the uCentral protocol.
Communication
The communication between the controller and the devices use the uCentral protocol. This protocol is defined in this .
Device Configuration
A device is configured by ingesting a uCentral configuration. That configuration will be provided by the SDK Gateway as a result of a command through the API. Command processing occurs when the device's configuration is older than what is known in the SDK Gateway. The uCentral schema is a JSON document containing parameters to set on a particular device.
SDK Gateway Communication
In order to speak to the Gateway, you must implement a client that uses the OpenAPI definition for the gateway. You can find its . You cannot talk to a device directly.
API Basics
Device serialNumber
Throughout the API, the serialNumber of the device is used as the key. The serialNumber is actual the MAC address of the device, without its :. The serialNumber is guaranteed to be unique worldwide. The device uses its serial number to identify itself to the controller.
Device Configuration
The configuration can be supplied when the device is created. After the device is created, the only way to modify the configuration is by using the /device/{serialNumber}/configure endpoint. The Gateway maintains the versioning of the configuration through the use of a uuid. The Gateway maintains that number and will ignore anything your supply. The controller also does minimum validation on the configuration: it must be a valid JSON document and must have a uuid field which will be ignored.
Device Capabilities
Device capabilities are uploaded to the Gateway when the device performs its initial connection. Capabilities tell the Gateway what the device is able to support. The Gateway uses this information to provide a configuration matched to the device type.
Command Queue
The Gateway will send commands to the devices. These commands are kept in a table and are sent at the appropriate time or immediately when the device connects.
For example, you could ask a device to change its configuration, however it might be unreachable. Upon next device connection, this configure command will be sent. The list of commands is retrieved using the /commands endpoint.
Commands
Several commands maybe sent to a device: reboot, configure, factory reset, firmware upgrade, LEDs, trace, message request, etc. The API endpoint /device/{serialNumber}/{command} details all the available commands.
Device Specific Collections
For each device, a number of collections are collected and kept in the database. Here's a brief list:
logs: device specific logs are kept. A device amy also send something it wants added into its own logs. crashlogs are a special type of logs created after a device has had a hard crash.
statistics: statistics about the device. This is current la JSON document and will be documented at a later date.
The API is for an operator
This API is meant for an operator who would have to help a subscriber in configuring devices, reboot, manage firmware, etc.
Security Service
Deploy using Docker Compose
TIP OpenWiFi 2.0 SDK
The docker-compose directory within the deploy repository contains all the relevant files for various modes of SDK.
Modes
The following two modes are currently supported by docker-compose:
Deployments without a Load Balancer
This model contains single instances of SDK micro-services. Non-Load Balancer is suitable for scenarios where load given number of APs is below 10,000 or design for network availability is not required.
A single local docker-compose deployment performance is listed . Additionally this deployment includes options to use either self-signed certificates or user provided certificates:
Deployments with a Load Balancer
This model is suitable for deployments where there is a need to scale performance and/or use Letsencrypt certificates for northbound service interactions.
This deployment allows the user to scale up number of instances of micro-services to handle a larger load than listed .
The repository contains the instructions here:
The docker-compose yaml files are related as follows to the modes above:
docker-compose.yml : manages Non-LB deployment with self-signed and own certificates
docker-compose.lb.selfsigned.yml: manages LB deployment with self-signed certificates
docker-compose.lb.letsencrypt.yml: manages LB deployment with Letencrypt certificates
Docker Compose Environment Variables
The deployments are managed using different environment files for docker-compose:
.env : used for non LB deployments with either self-signed or own certificate deployments executed by docker-compose. For additional information please read .
.env.selfsigned: used for LB with self-signed deployments executed by alias docker-compose-lb-selfsigned. For additional information please read .
.env.letsencrypt: used for LB with letsencrypt deployments executed by alias docker-compose-lb-letsencrypt. For additional information please read .
Volumes
The deployment creates local volumes to persist mostly application and database data. In addition to that several bind mounts are created:
docker-compose/certs/ directory used by multiple services
docker-compose/{microservice}_data/ directory used by each service for configuration and data. Where {microservice} is one of: owgw, owsec, owfms and owprov.
Be aware that the deployment uses bind mounts on the host to mount certificate and configuration data for the micro services and therefore these files and directories will be owned by the user in the container.
Since the files are under version control, you may have to change the ownership to your user again before pulling changes.
Configuration Variables
Localizing the installation to the production environment is done through configuration information environment files per microservice. These files are: owgw.env, owgw-ui.env, owsec.env, owfms.env, owprov.env and owprov-ui.env.
These env files are used to generate runtime configuration (properties) file when no configuration is found in their respective {microservices}-data directory.
Ports
Exposed port dependencies by application are listed below:
127.0.0.1:80/443 tcp - OpenWiFi-uCentralGW-UI
127.0.0.1:8080/8443 tcp - OpenWiFi-Provisoning-UI
127.0.0.1:5912/tcp - rttys dev
127.0.0.1:5913/tcp - rttys user
0.0.0.0:15002/tcp - OpenWiFi-uCentralGW websocket
127.0.0.1:16002/tcp - OpenWiFi-uCentralGW REST API public
0.0.0.0:16003/tcp - OpenWiFi-uCentralGW fileupload
127.0.0.1:16102/tcp - OpenWiFi-uCentralGW alivecheck
127.0.0.1:16001/tcp - OpenWiFi-uCentralSec REST API public
127.0.0.1:16101/tcp - OpenWiFi-uCentralSec alivecheck
By default only the websocket and fileupload component of the OpenWiFi uCentralGW (Gateway) micro service are exposed on all interfaces. All other exposed services listen on localhost. You can change that according to your needs in the ports sections ofdocker-compose/docker-compose.yml.
Default Certificates
When cloning the repository, by default the southbound websocket certificate signed by TIP Root CA is provided for the *.wlan.local domain. Additionally a self-signed certificate for the northbound REST API is present. These enable creating a local deployment out of the box. Production deployments will replace both the southbound websocket and northbound API certificates.
The supplied certificates are valid for the *.wlan.local domain.
How to
First you'll have to according to your platform specific instructions. After that clone the repository with git clone https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy.
The Docker Compose uCentral micro service configs use openwifi.wlan.local as a hostname, so make sure you add an entry in your hosts file (or in your local DNS solution) which points to 127.0.0.1 or the IP of the host running the SDK.
When the certificate for the REST API and other components is self-signed, accepting trust for the self-signed REST API certificate on your local machine is required.
Add certs/restapi-ca.pem to your trusted browser certificates or add certificate exceptions in your browser by visiting each of the following URLs (one per port) :
https://openwifi.wlan.local:16001 and ports :16002 :16003 :16004 and :16005
Using the browser, accept the self-signed SSL certificate warnings (make sure to visit both and add the exceptions).
Connect to your AP via SSH and add a static hosts entry in /etc/hosts for openwifi.wlan.local which points to the address of the host the SDK deployment runs on.
To use the curl test scripts which are included in the micro service repositories make sure to set the following environment variables before issuing a request:
Upgrading Compose Deployments
Stop the running containers with docker-compose down
Check out the new branch by repeating Step 1 from How to above for the given release and docker-compose up -d.
Don’t forget to re-add the self-signed certificates to the containers with the provided script.
Also be aware that you may have to change back some file permissions. To obtain the most recent changes as the files are under version control, you may have to change the ownership to your user again before pulling changes.
Firmware
OpenWiFi 2.0 SDK
Firmware management service integrates across all OpenWiFi Gateways deployed in a cluster enabling updates to running firmware either from the latest published version, or any other released version.
Dashboard
Firmware dashboard provides a single view for overall health of deployed device firmware. Latest firmware charts, device firmware version distribution, distribution of device by type and current connected devices.
Firmware Dashboard
Device Table
From the Devices table, any device with a newer firmware published by TIP OpenWiFi is indicated with a yellow icon. Selecting this icon presents the option to upgrade to latest or specify which firmware to use.
When the upgrade has been sent successfully, a green Success dialog will display in the upper right on the screen. Devices with latest firmware version will show a green firmware icon in the Devices row.
Firmware Management Service
Viewing the contents of Firmware Management Service is available from the left navigation, select Firmware.
Once in Firmware, it is possible to search by device model for all known firmware revisions.
If in the Device Table reference above, instead of selecting Upgrade to Latest, the specific URI location of any available firmware is found using the Firmware table.
Selecting Details will present information for any firmware row, including the URI which may be copied into the Choose Custom Firmware dialog prompt accordingly.
Overview
The repository contains two packaging options:
The repository is managed using branches where:
healthchecks: periodically, a device will run a self-test and report its results. These includes anything that maybe going wrong with the current device configuration. A sanity level is associated to the degree of health of the device. 100 meaning a properly operating device.
status: tells you where the device is and how much data is used for protocol communication.
main branch: contains references to the latest development SDK images
release/v* branch: contains image references specific to the release artifacts. For example: release/v2.4.0 branch will contain references to SDK images related to 2.4.0 release candidates (RC) and GA.
One of the benefits of the new data plane in OpenWiFi 2.0 is the flexibility of physical port to logical forwarding that is easily conveyed through configuration structures.
New protocol support is both easily added to the system as well as associated with interfaces by their role in the device.
The following sections offer feature configuration examples.
For complete reference to the device data model please refer here.
Switch to the Compose project directory with cd docker-compose/.
Default user is: tip@ucentral.com and password is: openwifi
Service enforces a password change on first login
Initialize the deployment with docker-compose up -d. If your deployment was successfully created, you should see the following output with docker-compose ps:
While staying in the SSH session, copy the content of certs/restapi-ca.pem on your local machine to your clipboard and append it to the file /etc/ssl/cert.pem on the AP. This way your AP will also trust the self-signed certificate.
This step is necessary for rtty features and only required when using self-signed test deployment.
Navigate in a web browser to https://openwifi.wlan.local to access the UI and login with default username and password. You will now be prompted to change this default password to something more secured.
Based on the above Dual SSID NAT configuration, a unique 2GHz and 5GHz SSID are created and logically bound to the same NAT LAN side network.
The NAT service is inherited by the downstream role with DHCP addressing defined according to the range set within the downstream "ipv4" configuration.
ELK Integration
Kafka integration with ELK
The following pipeline is used to leverage Kafka messages being emitted from OpenWiFi 2.0 for ELK (Elastic Logstash Kibana) stack integration :
TIP OpenWiFi project has deployed an ELK stack for community members to access here.
The key for this integration is to use a plugin that enables Kafka to be used as an input for Logstash. This plugin can be found here. Once installed then Logstash can be configured to listen to the input source of the Kafka broker that is deployed as part of OpenWiFi SDK 2.0 release and its appropriate topics. Here is a sample Logstash configuration.
It is important to note that Logstash provides the ability to transform messages which then can be pushed to Elasticsearch for storage with effective indexing. Finally Kibana is used to create visualization such as this:
The following will be used to store necessary files for integration examples for monitoring.
Zero Touch Provisioning
OpenWiFi 2.0
OpenWiFi supports Zero Touch Provisioning in a number of ways.
Zero Touch Mesh
Zero Touch WDS
Zero Touch Provisioning ( Provisioning Services in upcoming 2.5/2.6 Release )
Onboarding
OpenWiFi makes use of TIP device certificates present on every access point as a secure identity from which to automate a number of Zero Touch operations.
Onboarding is a local EAP-TLS based authentication service available on any OpenWiFi device that works together with default OpenWiFi firstboot behavior to scan for "OpenWifi-onboarding" SSID, associate to that SSID, when challenged supply TIP root signed device certificate.
Onboarding Steps
Provision an Access Point for onboarding role as an SSID config
{
"purpose": "onboarding-ap",
"bss-mode": "ap",
"encryption": { "proto": "wpa2", "ieee80211w": "required" },
"certificates": { "use_local_certificates": true },
"radius": { "local":
{ "server-identity": "uCentral-EAP" }
},
"name": "OpenWifi-onboarding",
"wifi-bands": [ "2G" ]
}
Ensure the SSID for onboarding use provides network connectivity for clients
Zero Touch Mesh
Deployment of Mesh may have multiple Mesh Client access points with no wired connectivity. These devices use IEEE802.11s Mesh participating interface(s) as transit for WAN / LAN connections.
In a Zero Touch Mesh deployment, the Gateway Access Point, sometimes termed the Root node, advertises mesh participating interfaces when "bss-mode": "mesh" is applied to an SSID. Please see for further details on initial setup.
Mesh Client Access Points needing to associate wirelessly for initial provisioning to join the mesh network, may be served using the onboarding feature of OpenWiFi.
Adding an SSID to the Mesh Gateway Access Point configuration to advertise "OpenWifi-onboarding" enables initial boot of any OpenWiFi Access Point to reach the OpenWiFi Gateway.
Upon connection to Onboarding, the Access Point obtains management network access from the upstream Access Point providing "onboarding-ap" service.
With management network access, reachability for the Mesh Client Access Point to the OpenWiFi Gateway should be possible, device provisioning stage will initiate with the production configuration being loaded to the client device.
Once processed, client Access Point will have receive provisioning to join the Mesh network as a Mesh Client Access Point.
Zero Touch WDS
Deployment of WDS links may have multiple WDS client devices with no wired WAN connectivity. WDS Access Points use the 4-tuple frame header with participating WDS Clients. Therefore WDS Clients must first receive provisioning from the OpenWiFi Gateway for their production state as a WDS link participant.
WDS Client Access Points needing to associate wirelessly for initial provisioning to join the WDS network, may be served using the onboarding feature of OpenWiFi from the WDS Root Access Point at the top of the topology with a "bss-mode": "ap" SSID for onboarding.
Adding an SSID to the WDS Root Access Point configuration to advertise "OpenWifi-onboarding" enables initial boot of any OpenWiFi Access Point to reach the OpenWiFi Gateway.
Upon connection to Onboarding, the WDS Client Access Point obtains management network access from the upstream WDS Root Access Point providing "onboarding-ap" service.
With management network access, reachability for the WDS Client Access Point to the OpenWiFi Gateway should be possible, device provisioning stage will initiate with the production configuration being loaded to the client device. For more information on WDS configuration please consult .
Once processed, WDS Client Access Point will have receive provisioning to join the WDS link as a Client WDS node.
Gateway Service
Monitoring
OpenWiFi 2.0 Telemetry and Analysis
TIP OpenWiFi software stack is envisioned to have a rich telemetry data that can be extracted, transformed and stored for analytics purposes. This section will outline various integration using the current capabilities of the OpenWiFi release. These integrations will provide examples for the community to enrich, adopt and productize.
The current release of OpenWiFi utilizes both a rich open API and Kafka for retrieving telemetry information from Access Points and SDK services. For the purpose of this section and Release 2.0 we will be showcasing Kafka integration with third party monitoring subsystems.
Kafka Data Source
The current release of 2.0 SDK architecture contains a Kafka broker for the purposes inter-services communication, state, healthcheck, device provisioning state producing and consuming Kafka topics. You can find the latest information related to Kafka topics here:
The current Kafka topics used for this monitoring integration are:
state
healthcheck
All Kafka messages carry a JSON payload, example of a healthcheck message is as follow:
A state Kafka message looks like:
Name Command State Ports
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
openwifi_kafka_1 /opt/bitnami/scripts/kafka ... Up 9092/tcp
openwifi_owfms_1 /docker-entrypoint.sh /ope ... Up 0.0.0.0:16004->16004/tcp,:::16004->16004/tcp, 0.0.0.0:16104->16104/tcp,:::16104->16104/tcp, 17004/tcp
openwifi_owgw-ui_1 /docker-entrypoint.sh ngin ... Up 0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:80->80/tcp,:::80->80/tcp
openwifi_owgw_1 /docker-entrypoint.sh /ope ... Up 0.0.0.0:15002->15002/tcp,:::15002->15002/tcp, 0.0.0.0:16002->16002/tcp,:::16002->16002/tcp,
0.0.0.0:16003->16003/tcp,:::16003->16003/tcp, 0.0.0.0:16102->16102/tcp,:::16102->16102/tcp, 17002/tcp
openwifi_owprov-ui_1 /docker-entrypoint.sh ngin ... Up 80/tcp, 0.0.0.0:8080->8080/tcp,:::8080->8080/tcp, 0.0.0.0:8443->8443/tcp,:::8443->8443/tcp
openwifi_owprov_1 /docker-entrypoint.sh /ope ... Up 0.0.0.0:16005->16005/tcp,:::16005->16005/tcp, 0.0.0.0:16105->16105/tcp,:::16105->16105/tcp, 17005/tcp
openwifi_owsec_1 /docker-entrypoint.sh /ope ... Up 0.0.0.0:16001->16001/tcp,:::16001->16001/tcp, 0.0.0.0:16101->16101/tcp,:::16101->16101/tcp, 17001/tcp
openwifi_rttys_1 /rttys/rttys Up 0.0.0.0:5912->5912/tcp,:::5912->5912/tcp, 0.0.0.0:5913->5913/tcp,:::5913->5913/tcp
In the above example, the WAN untagged port will request DHCP in addition to present a VLAN interface with id 20 that both initiates the GRE tunnel as well as passes SSID traffic over that tunnel. Optionally the GRE tunnel itself may also carry a VLAN encapsulated payload. In the above example a WAN presentation of VLAN interface 20 has GRE tunnel. Within the GRE tunnel on WAN interface of VLAN 20 is a GRE payload with VLAN 30 in the payload header.
Creating logical bridges may be done through association to named "interfaces".
To associate a logical SSID interface directly to the WAN, place SSID configuration within the interface have a "role" of upstream.
Each micro service in the OpenWiFi SDK system has its own Helm chart that is managed in the micro service’s own repository. The assembly chart collects all the relevant micro service charts and other external dependencies like kafka, rtty, etc. and deploys them together as one cohesive release.
There are multiple ways you can install OpenWiFi SDK with assembly charts:
One way is by installing directly from the assembly chart’s repository. For that, you’ll need to install and extra Helm plugin that is used to pull the latest charts code from all the referenced micro services: .
Another way, which is considered more stable, is by installing from a prepackaged bundle that is published to on every official uCentral release. For this approach to work, you don’t need to install any additional plugins or dependencies, just to make sure you’ve got Helm installed on your local system.
Directly from the Assembly repository
Install the helm-git pluging according to the official documentation
Run helm upgrade --install tip-ucentral git+
You can also reference any other open branch from the deployment repository. For example, if you want to deploy using the assembly code from the v2.0.0-rc1 branch, you can just run helm upgrade --install tip-ucentral git+
Using the pre-built Helm package
This method doesn’t require to install anything locally other than Helm
Start by adding the wlan-cloud-ucentral Helm repository to your local list of repositories by running helm repo add tip-ucentral
helm upgrade --install tip-ucentral wlan-cloud-ucentral to install the latest version, or specify the release you want to install by adding the --version x.y.z flag.
Chart configuration using the Values file
The configuration of OpenWiFi SDK using Helm chart may be separated into layers:
Micro services default values - values files that are stored in micro service helm charts (i.e. ). These values are used by default if no other parameters are supplied, so in case you have any microservice-related variables that need to be added in default installation (for example new application configuration properties), add them in the related helm chart values as they will be applied in next release update.
Assembly chart values - values that are stored in the assembly repository ( ) – these are values that override default micro services values so that all uCentral components could connect to each other correctly, and the whole system can be installed as one bundle. These parameters are environment specific, and can differ between and installation of the bundle on an EKS cluster or a MicroK8s local setup.
During deployment all values are merged as maps with priority to the level of deployment (so Environment-specific values will override any overrides from Assembly chart values and so on).
Example: Let’s pass environment-specific ucentralgw.properties configuration parameter (which is probably quite common thing to test). For example, we have an environment that requires to set parameter ucentral.websocket.host.0.backlog to 1000. For that we would need to run following command, extending our base command:
Automated community deployment
OpenWiFi SDK can also be deployed to an AWS labs environment using a Github actions workflow: .
The configuration is dynamic, and new namespaces (a.k.a environments) may be created by adjusting the json configuration in the workflow.
The json format allows to deploy or upgrade and existing environment using the latest Docker images or to specify a specific version of each micro service.
To deploy specific version to the specific environment a list of things must be done:
First, you need to make sure that the Docker image with the correct version exists in Artifactory, otherwise, the Helm upgrade will fail.
Update the json configuration in the workflow to reference the require version for the require micro service (examples are attached in the json file itself)
Re-run the deployment in Github actions. You can also make all the above changes in a separate branch, and re-run the workflow from that branch (using a drop-down in the top left corner in Github’s UI).
Metrics
TIP OpenWiFi 2.0
Metrics
Several metrics are reported during intervals to the OpenWiFi Gateway. In general metrics contain traffic counters, neighbor tables, discovered clients.
Each OpenWiFi device is capable of sending statistics on SSID, LLDP, and associated Clients learned by the device.
Additionally, OpenWiFi devices expose all 802.11 management data within wifi-frames and to assist network troubleshooting and client fingerprinting solutions OpenWiFi provides dhcp-snooping for all possible client exchanges over DHCP and DHCPv6.
The metrics data is sent to OpenWiFi Gateway at the intervals set where configurable.
Metrics must be associated with the interfaces they are to report on. For example, to send DHCP data from LAN to OpenWiFi Gateway, the following configuration would apply.
DHCP Relay
TIP OpenWiFi 2.0
When operators of enterprise or service provider networks seek to influence or control the allocation of dynamically assigned IP address, typically the network edge has been provisioned to encode information in DHCP Relay packets that help identify the access device through which a subscriber is attached, the logical sub-interface of that network edge or the subscriber directly.
TIP OpenWiFi supports DHCP Relay with encoding of client Circuit-Id information containing any of:
Interface
VLAN-Id
SSID
Encryption Mode
Device Name
Device Model
Device Location
Access Point MAC Address
Access Point MAC in Hex
Client MAC Address
Client MAC Address in Hex
TIP OpenWiFi Relay-Agent remote-id may be configured to contain any of the following:
VLAN-Id
SSID
AP-MAC
The remote-id originates from a configured IPv4 interface address.
In the above example, when the IPv4 downstream interface 192.168.1.1 has DHCP enabled for relay-server a DHCP relay process associates to the IP interface of the subnet. When DHCP DISCOVER packets arrive as broadcasts, they will be copied to a unicast packet from the 192.168.1.1 interface as the relay-id source address and unicast forwarded to the defined relay-server address. Additional parameters are encoded for inspection at the DHCP server as present in circuit-id-format and remote-id-format options.
Multi-VLAN SSID
OpenWiFi 2.0
The most common use case for VLANs and Wi-Fi is likely the service provider, venue, enterprise where Wi-Fi traffic is not subject to address translation. This is the example that will be shown, however it is entirely possible to create multiple downstream VLANs with SSIDs as well. Simply replace the logic of upstream to downstream where desired.
In all cases the WAN port without VLAN id is using DHCP to obtain a management IP address.
Each additional "upstream" role interface with an SSID associated have no IP configuration.
Services
TIP OpenWiFi 2.0
OpenWiFi devices have global services that operate either independently system wide or as an association to a physical or logical interface.
Within the "services" configuration block, define the operating mode for each service, then associate a service with an interface.
SSH
Secure shell may optionally be enabled on OpenWiFi devices, associated to specific interface(s), and optionally support operator defined keys or password authentication.
L2TP
TIP OpenWiFi 2.0
Layer 2 Tunneling Protocol may be associated to any interface using the "tunnel" configuration option.
This makes it possible to configure L2TP for multiple types of deployments as any interface may be encapsulated by the "tunnel" parameter.
For example, to send all content of a specific SSID over an L2TP tunnel, the following configuration would apply.
VxLAN
TIP OpenWiFi 2.0
VXLAN’s goal is allowing dynamic large scale isolated virtual L2 networks to be created for virtualized and multi-tenant environments. It does this by encapsulating Ethernet frames in VXLAN packets which when deployed in Wi-Fi topologies can create highly extensible Layer 2 inter-network domains over large campus, MDU, venue service networks.
VxLAN header uses a 24-bit VNID as a unique layer 2 forwarding domain value. VxLAN maintains layer 2 isolation between the forwarding domains and does not leak MAC addresses into upstream switches. Through the use of 24 bits in VNID VxLAN scales up to 16 million unique LAN forwarding domains.
The VXLAN encapsulation method is IP based and provides for a virtual L2 network. With VXLAN the full Ethernet Frame (with the exception of the Frame Check Sequence: FCS) is carried as the payload of a UDP packet. VXLAN utilizes a 24-bit VXLAN header, to identify virtual networks. This header provides for up to 16 million virtual L2 networks.
Frame encapsulation is done by an entity known as a VxLAN Tunnel Endpoint (VTEP.) A VTEP has two logical interfaces: an uplink and a downlink. The uplink is responsible for receiving VxLAN frames and acts as a tunnel endpoint with an IP address used for routing VxLAN encapsulated frames.
WDS
OpenWiFi 2.0
Wireless Distribution System (WDS) supports an Access Point, Station and Repeater mode of operation. OpenWiFi 2.0 supports all three.
In the below example, the LAN side of the Access Point at the top of the topology will be wirelessly bridged to the LAN side of the Access Point Station at the bottom of the topology.
In this configuration, LAN clients of the WDS Station AP receive IP addresses from the WDS Access Point AP from its LAN side DHCP service, via WDS link at 5GHz.
Helm upgrade/install flag overwrites - these values cam be specific for each specific helm install command during execution and usually contain installation-specific values like TLS certificates, security credentials, loadbalancer configuration parameters and so on. These may be passed using --set flag or --values flag (details may be found in https://helm.sh/docs/chart_best_practices/values/ and in micro services helm charts), or you can also save them into one file and reference this file during the helm upgrade command using the --values flag.
OpenWiFi supports multiple models for Captive Portal. A built-in captive portal is described below. With multiple overlay tunnel services such as GRE and L2TP in addition to VLAN features, OpenWiFi is also easily deployed with any number of Captive Portal appliance solutions in either in-band or out-of-band style deployments.
Local Captive Portal
Creating a local captive portal involves associating the "captive" service with an interface. In the example below, "captive" is enabled on a downstream role interface. Any associated SSID on LAN side of this Access Point will be subject to configuration of the local captive portal. This would also apply to LAN interfaces if also associated with "captive".
Local captive portal will redirect to a default landing page and display the name as configured in "gateway-name". Per associated user bandwidth and usage quota limits and total association limits may all be defined.
Associate Service to Interface
Operator Key Management
For production deployments, it is recommended to assign operator SSH key from the OpenWiFi Provisioning configuration of the Venue or Entity which the device associates.
In this way, an operator may ensure their standard SSH key is delivered to all devices on a network operating region basis. All keys remain base64 encoded when added to the device.
NTP
Network time protocol for OpenWiFi devices may be configured to listen for time synchronization from NTP sources and may also be configured to supply NTP source.
Associate to an Interface
LLDP
Link Layer Discovery Protocol describes interfaces and capabilities between directly attached neighbors over Layer 2.
Associate "lldp" as a services attribute to any interface.
MDNS
To assist in device or service discovery over smaller networks, multicast DNS (mDNS) protocol if often used. In an mDNS environment there is no local name server for resources to leverage. mDNS zero-configuration service effectively behaves as unicast Domain Name Service (DNS).
Associate "mdns" as a services attribute to any interface.
Syslog
Remote syslog systems may be configured to receive device logs in a central location. This content is standard device log and not related to telemetry for metrics and service information received by the OpenWiFi Gateway. Valid port range is from 100 - 65535 with operation over UDP or TCP.
Associate "log" as a services attribute to appropriate interface.
IGMP
When enabled the OpenWiFi device will process IGMP Proxy.
Associate "igmp" as a services attribute to any interface participating in IGMP Proxy.
The VTEP in a TIP OpenWiFi device would be a management interface or designated uplink port(s). VTEP in an AP would be the AP WAN interface, or otherwise designated management interface (such as sub-interface on bridge wan).
In a traditional L2 switch a behavior known as flood and learn is used for unknown destinations (i.e. a MAC not stored in the MAC table). This means that if there is a miss when looking up the MAC the frame is flooded out all ports except the one on which it was received. When a response is sent the MAC is then learned and written to the table.
The next frame for the same MAC will not incur a miss because the table will reflect the port it exists on. VXLAN preserves this behavior over an IP network using IP multicast groups.
Configure VxLAN
OpenWiFi device will establish a VTEP adjacency to the upstream switch. It is anticipated that any Wi-Fi networks in a VxLAN topology are associated to "upstream" interface(s).
The following example creates a VxLAN endpoint from a WAN upstream port that will participate in VLAN 100, encapsulate this into VxLAN where it may be distributed across the campus or venue transparently.
At home, in a cafe, or on the go, Express Wi-Fi gives you access to fast, affordable, and reliable internet so you can make connections that matter.
Express Wi-Fi partners with service providers to deliver great wi-fi to people when and where it's needed.
For information about becoming an expressWIFI partner please visit their site.
Configuration
ExpressWiFi builds a captive portal experience using a control plane protocol called OpenFlow.
Configuring OpenWiFi for use with expressWiFi is as simple as defining a downstream interface and associating with an SSID and the open-flow service.
Contact expressWiFi for appropriate CA, Client Cert, and Key for TLS Security mode in addition to the specific expressWiFi Controller FQDN. Ensure these values are Base64 encoded when passed into the configuration
Roaming RRM and SON
TIP OpenWiFi 2.0
Radio Resource Management and Self Organizing Network features in OpenWiFi 2.0 operate by default in local mode from the Access Point device without dependency on the cloud. Data and state related to client steering and roaming is also possible in co-operation with the cloud when so configured.
Metrics and telemetry are sent to the cloud as desired based on configuration however operation of 802.11k/v/r behavior and autonomous channel control are built in features of all OpenWiFi 2.0 Access Points.
Steering
OpenWiFi services feature "wifi-steering" determines the operating parameters of RRM on the Access Point.
When mode is set to local, the Access Point handles steering decisions autonomously with the surrounding OpenWifi devices.
Which network association, in this case "upstream" will steering be operating on. Note in prior examples most service provider, venue, enterprise services operate on the WAN side upstream network of the Access Point.
Apply Wi-Fi Steering to enable 802.11r Fast Roaming SSIDs
Each SSID to participate in roaming must have "services" : [ "wifi-steering" ] associated.
Additional fast roaming configuration is possible including setting message-exchange either to "air" or "ds" to determine pre authenticated message exchange occurs over the air or distribution system.
The generate-psk option generates FT response locally for PSK networks. This avoids use of PMK-R1 push/pull from other APs with FT-PSK networks.
Configuring domain-identifier sets Mobility Domain identifier (dot11FTMobilityDomainID, MDID) permitting segmentation of fast roaming RF topologies.
When pmk-r0-key-holder and pmk-r1-key-holder are left un-configured, the pairwise master key R0 and R1 will generate a deterministic key automatically for fast mobility domain exchange over the air.
RRM 802.11k
To enable 80211k parameters, associate these on a participating SSID basis.
In addition to 802.11k features for neighbor reporting, fine timing measurement responder and stationary ap indication, OpenWiFi also supports LCI measurement, Civic Location subelement as well.
Automatic Channel Balancing
As part of "wifi-steering" feature, autonomous channel management algorithm may be enabled to establish a self organizing Wi-Fi network.
The auto-channel setting operates in co-ordination with other OpenWiFi Access Points by enumerating the newest AP in the network, then running neighbor and RF scans to determine the best channel of operation. Once the newest AP completes this process, the next AP is sequence will run the same algorithm for channel balancing until all APs in the network complete. The entire process may take up to 5 minutes the first time a network is powered on. The algorithm will re-run every 12 hours.
Mesh
OpenWiFi 2.0
OpenWiFi Mesh has been designed to eliminate configuration complexity while also remaining capable of advanced topology designs including Multi-Gateway, Multi-SSID, VLAN, and Zero Touch Mesh onboarding.
The physical wired interface(s) to participate in the mesh topology egress are defined with the protocol "mesh".
The logical wireless interface(s) to participate in mesh topology are defined by their bss-mode set to "mesh".
In this basic mesh, dual SSIDs are configured for clients while an SSID for mesh transit is configured for IEEE802.11s client associations. Additional mesh clients simply use the same approach, no other configuration is required for the client to participate in this mesh.
Advanced examples with VLANs and roaming are all possible by adding additional configuration steps.
],
"ipv4": {
"addressing": "dynamic"
},
"ssids": [
{
"name": "transit",
"wifi-bands": [
"5G"
],
"bss-mode": "mesh",
"encryption": {
"proto": "psk2",
"key": "meshpassword",
"ieee80211w": "optional"
}
},
{
"name": "2GHz Clients",
"wifi-bands": [
"2G"
],
"bss-mode": "ap",
"encryption": {
"proto": "psk2",
"key": "OpenWiFi",
"ieee80211w": "optional"
}
},
{
"name": "5GHz Clients",
"wifi-bands": [
"5G"
],
"bss-mode": "ap",
"encryption": {
"proto": "psk2",
"key": "OpenWiFi",
"ieee80211w": "optional"
}
}
]
},
Dynamic Subscriber QoS
TIP OpenWiFi 2.0
minimum signal level in dBm client roaming threshold
load-kick-threshold
minimum channel load as % available before clients are kicked
Parameter
Value
mode: local
autonomous operation
network: upstream
performs roaming among SSIDs on upstream interfaces
assoc-steering
reject client association requests when the UE is subject to a steering event
required-snr
minimum signal in dBm a client will be permitted to remain connected
required-probe-snr
minimum signal level in dBm for management probes to be replied to
required-roam-snr
Dynamic VLANs with RADIUS
TIP OpenWiFi 2.0
In many deployment scenarios, user authentication is centralized with RADIUS systems. In addition, users may have association to their own networks or private networks. A common approach for this is to dynamically assign VLANs to Wi-Fi subscribers as they join the OpenWiFi network.
To configure Dynamic VLANs with RADIUS, associate an SSID with RADIUS authentication, and associate the interface to "upstream" role as dynamic VLANs are most likely to be applicable across the service provider, venue, enterprise network.
RADIUS Access-Accept
OpenWiFi devices will determine a VLAN is associated to the authentication of a subscriber when the access-accept message returns the following attribute value pairs:
Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-Id = VLAN Id Number
Upon return of an access-accept from RADIUS, based on any method chosen for security, OpenWiFi will dynamically create a VLAN Id as described in Tunnel-Private-Group-Id, associated to the interface role, in this example upstream.
Many parameters are possible with RADIUS authentications given the many methods in use worldwide. Many of the EAP methods have configuration options described below.
RADIUS Attribute
Description
nas-identifier
External Captive Portal
TIP OpenWiFi 2.0
When an external access controller, such as a captive portal appliance or a Universal Access Method (UAM) redirector is required to handle subscriber login, OpenWiFi optionally supports builds that include use of CoovaChili. This would be found in build profile chilli-redirect.yml.
To configure a CoovaChilli service, OpenWiFi supports the "third-party" schema definition.
Through the use of third-party, many configurations are possible, for external captive portal, third-party will process a services lookup of "chilli-redirect" applied to an interface.
Within "third-party" will be the necessary CoovaChilli configuration parameters.
In the above example, captive portal redirection occurs via a NAT interface on LAN side or "downstream" role.
When a direct to WAN presentation, or bridge mode operation is desired, associate the service to the "upstream" interface.
Associate to an interface:
Dynamic Air-Time Policy
TIP OpenWiFi 2.0
Dynamic Air-Time Policy is a service to influence underlying co-ordination function of the Wi-Fi MAC domain per associated UE in terms of priority to use the air interface.
It is possible to govern certain application use cases such as streaming media or real time communications based on the resolution of those services through DNS.
This results in the UE, by its IP address having matched a specific fully qualified domain name or a wildcard therein, to having its air-time weighted priority to the value set in the weight parameter.
Note: In release 2.1, airtime-policies must be applied to SSIDs in a NAT configuration. Bridge / VLAN mode SSIDs with airtime-policies will be updated in a future release
Possible Uses
Any application a user may commonly use the OpenWiFi administrator seeks to prioritize air-time for may be triggered via the airtime-policies.
For example:
Any number of services may interest the administrator for airtime-policies. Simply determine the FQDN or wildcard FQDN applicable and update the OpenWiFi device configuration.
Passpoint® Configuration
TIP OpenWiFi 2.0
Ahead of the Provisioning service coming in release 2.1 sprint, it is possible to configure all Passpoint attributes as OpenWiFi has tested in prior OpenWiFi releases.
Capabilities for Hotspot 2.0 / Passpoint® include:
venue-name
venue-group
venue-type
venue-url
auth-type
domain-name
nai-realm
osen
anqp-domain
anqp-3gpp-cell-net
firendly-name
icons
Configuration Introduction
TIP OpenWiFi 2.0
TIP OpenWiFi devices implement support for both the air interface and systems interfaces necessary to support Passpoint® Release 2 and above. Once also termed Hotspot 2.0, IEEE 802.11u specified added air interface fields exposing Access Network Query Protocol interactions for clients to discovery Access Point capabilities.
Wi-Fi Alliance expanded ANQP to include Online Signup (OSU) concepts to leverage seamless onboarding and client security for Passpoint® networks. Following on from these efforts, Wireless Broadband Alliance has provided the necessary system interfaces for identity, security, mobile offload within a common federated operator solution known as OpenRoaming.
TIP OpenWiFi enables operators to deploy the full range of Passpoint® and OpenRoaming solutions.
Term
Description
Port Speed
OpenWiFi 2.1
Configuring port speed and operation is most commonly done with PoE access switches however the same configurations are possible for all OpenWiFi device types.
By default all ports attempt 1,000 Mb/s full duplex operation.
Advertising Services
TIP OpenWiFi 2.0
Passpoint® requires ANQP to supply three information elements from the Access Point.
PLMN-Id
Public Land Mobile Network Id is defined by 3GPP and comprised of two, three digit numbers to uniquely identify the Mobile Network Operator (MNO).
Switching
TIP OpenWiFi 2.0
Switching Features Remain Under Test
TIP OpenWiFi use of the OpenWrt operating system combined with new virtual data plane present in all images for 2.0 major release and the uCentral data model make it possible to include PoE access switching as a cloud managed component of the OpenWiFi stack.
Nightly builds include supported switch platforms.
Currently the list of features for switching include:
Passpoint®
TIP OpenWiFi 2.0
Passpoint® brings seamless, automatic and secure Wi-Fi connectivity using either pre-provisioned credentials or the SIM card in a mobile device. Passpoint provides simple, fast online sign-up and provisioning that is only required upon a user’s first visit to a Passpoint network. Once a Passpoint enabled device contains the Wi-Fi AP or network credentials, it will discover and securely connect when the user is nearby—without requiring additional user action. This makes staying connected while mobile infinitely easier, and because Passpoint employs enterprise-level security, users can feel confident their data is better protected.
Passpoint® also delivers more value to carriers, service providers, and IT managers of enterprise networks, enabling:
Mobile data offload
Multi-PSK (MDU Shared Key)
TIP OpenWiFi 2.0
Multiple Pre Shared Key is a popular configuration option in Multi Dwelling Unit, dormitory or similar environment where it is costly to implement complex 802.1x security however that same level of per-client security is highly desired.
A SSID when configured for multi-psk can have multiple PSK/VID mappings. Each one of them can be bound to a specific MAC or be a wildcard.
Note: M-PSK passwords must be unique per vlan-id as the device will attempt to match security key to assigned virtual lan. In the above example, a password of OpenWifi
Security
The following list of major security enhancements have been implemented within the 2.4 release:
A Fully Qualified Domain Name (FQDN) is a realm representing the service provider of the Wi-Fi service. Non MNO operators are an example of 'realm-based' service advertisements. Examples include Cable MSOs, Enterprises or other on MNO providers. Authentication methods used with realm-based configuration are EAP-TLS and EAP-TTLS.
OI / RCOI
Organization Id or as defined by Wireless Broadband Alliance, Roaming Consortium Organization Id indicate the federated identity capable of authentication. Examples would be OpenRoaming, Eduroam and follow the Passpoint® EAP authentication methods.
Wi-Fi networks for
Hospitality, venues and enterprise
Streamlined, enterprise-class device provisioning and credential management for enterprise and other private networks
Wi-Fi–based services such as Wi-Fi calling, and collaboration tools
Wi-Fi roaming agreements across carriers and service providers
Opportunities to engage users and extract additional value from the network
Passpoint® is already supported by most enterprise-class APs on the market today, and natively supported by major mobile operating systems including Android, iOS, macOS, and Windows 10. With active support from a wide ecosystem of device manufacturers, mobile operators, and service providers, Passpoint® benefits both users and Wi-Fi network providers
All ports needs to be specified for link negotiation to occur. In the below example, the "ethernet" section defines the physical port. The "interfaces" configuration will cause the physical port to negotiate. Effectively removal of a "select-ports" for a physical port in any or all "interfaces" is the equivalent of an interface in shutdown state.
Without any "interfaces" defined, the ifconfig on the switch will return eth0, lan1, lo as an output. When adding "interfaces" additional ports become active and also visible.
Vlan-Id 30 has been assigned to interfaces 7 and 8 on the switch. Traffic is isolated among participating ports.
Ifconfig output example
Bridge Vlan Table Output
Assigning VLANs to Ports
To define additional VLAN memberships to any port, create additional "interfaces" configuration.
UI: mismatch serial AP: post upgrade now has another new MAC address. Old entry still stay on UI
MU-MIMO is not working EAP-102
webui: Dashboard not displaying accurate associations on several places plus suggested UI issues combined
AP194C: post upgrade connected to SDK but has a mismatch serial warning /changed mac
REGDM is outdated inside qca/ax BDF files
hfcl_ion4 CI device type is wrong
TPlink ex227/447 are using the wrong memory profile
DFS: CAC start is failing on channel 52 on EAP102 using latest image.:TIP-devel-0e0f8c6
UI:command history does not auto populate in TIP-devel-0e0f8c6 ( compared to 2.3)
EAP101 AP - UI feature- Showing as Mismatch serial
hostapd: add script foo for multiple_bssid/ema
rate-limiting only works on 2.4GHz
Wi-Fi Scan breaks 5GHz 11ax 80MHz and 40MHz operation
Interop(Manual)captive portal:5GHz: Verify that internet access after getting successful splash page on WPA authentication-iOS--Error While Joining the SSID
Interop:Mobiles are not showing 5g ssid after getting Successfully pushed by AP
WiFi Frames in Telemetry Non Functional
Docker Compose Self-Signed Non-LB Not Deploy Functional
Interop: Iphone is not getting connected for 5g wpa2_enterprise ssid
Interop: phones unable to select enterprise ssids in iOS
Hitting Invalid Response Code from Gateway when executing /configure
Viasat - XWF Wired Client Not getting IP/rediret
Test Failiure due to not showing WPA Enterprise VLAN 5g SSID's on the mobiles
AP in disconnected state in the UI
Radio down for 2G ssid
Interface names and MAC address not stable on CIG-194C and EX-447 on uCentral load
WIFI6 AP's - 2G radio is getting down, during test execution
Captive Portal : Captive portal is not working on WF188n (basic 5)
Why does interop test summary banner show up on non-interop marker runs
{
"latestId": "text",
"image": "text",
"imageDate": 1,
"revision": "text",
"uri": "https://example.com",
"age": "this is in seconds. a 0 means we cannot determine the age. something like 'unknown' should be shown to the user.",
"latest": true
}
