OpenWiFi Network Controller Usage Guide
1 Network Controller Deployment Preparation
Recommended deployment environment:
X86 server:
Linux Version: Ubuntu 18.04 LTS or later
Docker Version: 20 or later
2 Deployment Steps
1. Upload and extract the controller package file
Upload the controller package file to the target deployment environment and extract it:
tar -zxvf controller_V1.0_R005.tar.gz
2. Install Docker-Compose
Go to the deployment directory and run the initialization script:
cd controller_V1.0_R005/wlan-cloud-ucentral-deploy/docker-compose
sudo sh deploy-init.sh


3. Modify the controller access domain or IP address
To change the default access domain or IP address of the controller (default domain is openwifi.wlan.local):
cd controller_V1.0_R005/wlan-cloud-ucentral-deploy/docker-compose
Edit the configuration file, which includes the domain configuration, and replace it:
sed -i "s/openwifi\.wlan\.local/A.B.C.D/g" *.env
[Note]
This IP address is the IP address of the host where the controller is installed, and it can also be modified to a domain name as needed. Users can access the controller through this IP address.
4. Start the controller using Docker-Compose:
cd controller_V1.0_R005/wlan-cloud-ucentral-deploy/docker-compose
docker-compose up -d
[Note]
- -d: runs the command in the background
- up: starts the controller
- down: stops the controller

3 Controller Web Login
The following browsers are not supported: Internet Explorer, Opera Mini, and all versions of browsers that are no longer receiving updates.
Recommended browser: Chrome version 114.0.5735.199 or later.
Log in to the controller with the modified IP address or domain name:
- URL: https://A.B.C.D/
The default username and password are as follows:
- Email: tip@ucentral.com
- Password: openwifi

4 Organization and Inventory Management
The network controller supports a multi-organizational structure. Administrators can set up different organizations/places according to the actual organizational hierarchy of the enterprise, and the network is then managed in a hierarchical and decentralized manner. Devices are imported into the inventory in advance and are automatically assigned to their designated places in the inventory when they come online and connect to the controller.
4.1 Create an organization
Click [Organization -Top Entity] to enter the initial default organization.
Click [ + Entity ] to create an organization.

After completing the organization creation, click [ Organization] to select the organization name created in the previous step to enter, and click [Venue] to create the venue.
Under Venue, users can manage, configure, and centrally monitor all devices in the venue.

4.2 Adding Inventory
The administrator can add inventory devices to the organization/place by creating them individually or batch importing them under the place. From then on, when a device comes online, the network controller compares the MAC address of the online device with the devices in the inventory and assigns it to the specific place. The network controller administrator is then able to manage the devices according to the permissions of different locations.

Or use an Excel file to upload devices:


- Required Fields
- MAC: The MAC address of the device, usually labeled on the device.
- DeviceType: The model of the device.
- AfTAG: Device tag. When adding an AP to the inventory, it must be assigned a tag. After connecting to the controller, the AP will automatically pull the configuration file corresponding to this tag. By default, the tag value is “default”.
- Optional Fields
- Name: The hostname of the device.
- Loopback: The Loopback address of the device, which serves as the in-band management address for all Layer 3 devices.
- License: The AP License file content. You can copy the file content into this field using the cat command or a text editor.
- Description: A description of the device.
5 Device Connect to Controller
5.1 Connect to Controller by DHCP
All Asterfusion devices can act as DHCP clients to dynamically obtain both the management IP address and the controller’s IP address, including the switch and AP. The network controller’s IP address is carried in the option 138 field of the DHCP packets.
The switch is able to obtain an IP address dynamically via a DHCP request in two situations:
- Zero Configuration Status
When the switch is in the factory zero-configuration state, all physical interfaces will automatically send DHCP requests without any configuration.
- Configure the interface to obtain an IP via DHCP
Users can configure the physical port or vlanif interface to dynamically obtain an IP address via DHCP.
sonic(config)# vlan 100
sonic(config)# port-group ethernet 1-48
sonic(config-port-group-1-48)# switchport access vlan 100
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# ip address dhcp-alloc
To ensure that the device can receive the controller’s IP address via DHCP, the controller’s IP address should be configured in the corresponding address pool on the DHCP server. Here’s an example configuration for an ISC-DHCP server:
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.200;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option capwap-ac-v4 "your controller IP address here";
}
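To confirm that a DHCP reply really carries the intended controller address in option 138, the options field of a captured offer can be decoded and compared with the expected controller. The following is an added example, not part of the original guide or the controller's code: the function names are hypothetical, the sample bytes are constructed, and 192.168.10.1 is reused from the command-line example in this guide.

```python
import ipaddress

# Option 138 carries the CAPWAP AC IPv4 address list (RFC 5417).
OPT_PAD, OPT_END, OPT_CAPWAP_AC_V4 = 0, 255, 138


def tlv(code, data):
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(data)]) + data


def parse_options(blob):
    """Parse the options field of a DHCP message (the bytes after the magic cookie)."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated header for option %d" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is shorter than its length byte" % code)
        # A repeated option code is concatenated (RFC 3396 long-option encoding).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def controller_addresses(options):
    """Decode option 138 into IPv4 addresses; return [] if the option is absent."""
    raw = options.get(OPT_CAPWAP_AC_V4)
    if raw is None:
        return []
    if not raw or len(raw) % 4:
        raise ValueError("option 138 length must be a non-zero multiple of 4")
    return [ipaddress.IPv4Address(raw[i:i + 4]) for i in range(0, len(raw), 4)]


def audit_offer(blob, expected):
    """Return 'ok', 'missing', or 'unexpected:<addresses>' for one DHCP reply."""
    allowed = {ipaddress.IPv4Address(a) for a in expected}
    advertised = controller_addresses(parse_options(blob))
    if not advertised:
        return "missing"
    unexpected = [str(a) for a in advertised if a not in allowed]
    return "unexpected:" + ",".join(unexpected) if unexpected else "ok"


def sample_offer(controllers):
    """Constructed options field mirroring the address pool shown above."""
    return b"".join([
        tlv(53, b"\x02"),                                        # DHCPOFFER
        tlv(1, ipaddress.IPv4Address("255.255.255.0").packed),   # subnet mask
        tlv(3, ipaddress.IPv4Address("192.168.1.1").packed),     # router
        tlv(OPT_CAPWAP_AC_V4,
            b"".join(ipaddress.IPv4Address(c).packed for c in controllers)),
        bytes([OPT_END]),
    ])


if __name__ == "__main__":
    expected = ["192.168.10.1"]
    print(audit_offer(sample_offer(["192.168.10.1"]), expected))
    print(audit_offer(sample_offer(["192.168.10.1", "10.9.9.9"]), expected))
```

A result other than "ok" means devices on that segment would be pointed at no controller or at one the operator did not configure.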
5.2 Connect to Controller by Command Line
Users can configure the IP address of the network controller on the switch using the command ucentral-client server <A.B.C.D> so that the device connects to the network controller.
If the device uses out-of-band management and the management port belongs to VRF mgmt, users need to carry VRF parameters when specifying the management address, such as: ucentral-client server <A.B.C.D> vrf mgmt.
Here’s an example configuration for switch:

sonic# config
sonic(config)# ucentral-client enable
sonic(config)# ucentral-client server 192.168.10.1
6 Business Configuration
6.1 Single Device Configuration
The network controller supports some simple device configurations. For example: interfaces, VLANs, security functions, and so on. The administrator can enter the management interface of a single device and click the [Configuration] button to select the corresponding function to configure the device. You can also click the [Connect] button in the upper right corner to enter the command line view of the device and use the command line to configure the device.

6.2 Typical Scenario Configuration
In order to simplify the configuration of the full three-layer network scenario, the controller has built in two typical scenarios. The administrator can select any one of the networking scenarios according to the network size to complete the network planning. After all the devices are connected to the rack, ACC will automatically discover and recognize the link relationship between the devices in the network, and automatically verify whether the topology is consistent with the pre-planned topology. After passing the verification, the entire network topology is generated, and the administrator can issue the configuration file with one click to complete the zero-configuration opening of the network, which significantly shortens the time for the new service to go online.

6.2.1 Midsize and Small Campus
The small and medium-sized campus network adopts the Spine-Leaf two-level network structure, and up to 48 Leaf devices can be accessed. When the accessed network size is small, you can select the current topology to plan the network.
Select the small and medium-sized campus network scenario, fill in the model and number of Spine and Leaf devices, and click [Finish] to complete the network topology pre-planning. The controller will generate a recommended network topology based on the preplanned typical networking topology.

Users can click the Edit button on the device side and select the device in the inventory to be applied to the current topology in the slide-out box on the right, and select the interconnect interface.

- MAC: Select a device in the inventory by its MAC address
- Loopback IP: Configure the Loopback IP address of this device, which will be used as the in-band management address when the configuration is issued
- Host Name: Configure the Hostname of the device
- Device Role: Configure the device to belong to the Spine/Leaf role
- Inter Port: Configure the interconnection relationship between this device and other devices.
Click the button in the upper right corner to complete the topology editing.
Click [basic network] to enter the basic network configuration interface, which is mainly to configure the basic network used to carry the service network, such as: Spine uplink interface IP address and routing information. The controller will dynamically generate the configuration for each device in the network according to the input information, which can be sent to the device by the administrator to take effect after the device is online.
6.2.1.1 Egress Route
Configuring Spine device uplink interface information.
Configure the IP address of the Spine device’s uplink interface and static routing information on the Spine device.


If the Spine and the upstream device do not use a static route but use a dynamic route, the user can click [Advance] button to configure it.
- [BGP Enable] Enable the BGP function of the Spine device and configure the AS number and IP address information of the upstream device, so that Spine can establish a BGP neighbor relationship with the upstream device.
- [Route Aggregation Enable] When the Spine device enables the BGP function, the routing information of the terminal will be synchronized with the upstream device in the form of aggregated routes.
- [HA] When enabled, the two Spine devices will provide a cross-device LAG interface to the upstream device through the MC-LAG function.
6.2.1.2 Device
Configure device management-related information:
- TimeZone: Configure the system time zone
- NTP: Configure NTP Server
- SNMP: Configure SNMP community
- Syslog: Configure syslog server
- TACACS+: Configure TACACS server
- Device ACL: Configure ACL rules restricting SSH, SNMP, and TELNET connections to the device
6.2.2 Large and Midsize Campus
The medium and large-sized campus adopts the Spine-Aggregation-Leaf three-level structure and extends the number of accessible Leaf devices through Aggregation to further extend the number of access ports. The device selection and topology editing are the same as for the small and medium-sized campus networks. The topology overview is shown below:

6.2.2.1 Aggregation
Configure the in-band management network for aggregation devices. Typically, the Spine and Leaf devices are Layer 3 devices, so in-band management can use the Loopback0 address. The aggregation device, however, is a Layer 2 device, for which you need to configure the management VLAN and IP. The controller can assign an in-band management address to each aggregation device based on the address segments that are entered by the user.

6.2.2.2 Egress Route
Configure the Spine device uplink port information. The configuration of this part is consistent with the Egress route of [Small and Medium Campus Network]. Please refer to the previous section to complete the configuration.
6.2.2.3 Device
Configure information related to device management. The configuration of this part is consistent with the Egress route of [Small and Medium Campus Network]. Please refer to the previous section to complete the configuration.
6.3 Service Configuration
6.3.1 Wireless Service Configuration
6.3.1.1 Wireless Service
Click [Wireless Configuration] – [+] – [Wi-Fi Settings] to configure the necessary basic information for the wireless AP, e.g., SSID settings, security policy. The network controller can automatically generate the corresponding configuration script based on the administrator’s input.
The network controller supports the configuration of different wireless service configurations, and after the AP goes online, it will determine which configuration should be issued to the AP based on the TAG attributes of the configuration.

1. New SSID

If there is a specific application scenario, the administrator can also customize the default configuration of the AP in the advanced configuration.

2. LANs
If the terminal needs to use the wired interface provided on the panel AP to access the network, you need to configure the relevant parameters under this module.

- UpstreamPorts: Specify the upstream interfaces through which the wired terminal accesses the network via the AP. Usually this is the interface that connects the AP to the switch, and it should match [UpstreamPort] in the [SSID] – [Advanced] settings. The default is: WAN*.
- DownstreamPorts: Interfaces for wired terminal access.
- Downstream VLAN Tag: Whether the wired terminal carries a VLAN Tag.
- VLAN ID: The VLAN on the AP that identifies the wired terminal.
- DHCP Snooping Trusted: Marks the interface as a DHCP Snooping trusted interface. If the wired terminal needs to obtain an IP address through the DHCP service, this switch needs to be on.
6.3.1.2 Wireless RF Management
When the AP is online and connected to the controller, according to the actual deployment environment, if you need to adjust the wireless RF-related configuration of the AP, you can configure it in the [Radio Configuration] page.

6.3.2 Wired Service Configuration
Click the [Switch Configuration] button to configure the wired service configuration, including service VLAN, service gateway IP address, security-related configurations, and so on. Select which switches to apply this service configuration to in the [Device] options.

6.3.2.1 Network Activation
- DHCP Relay: Configure the DHCP server IP address. If the DHCP server does not support recognizing the Option82 field, you can turn off the Option82 switch.
- VLAN: Configure the service VLAN. Note that in addition to the VLAN used by the service, you also need to configure a VLAN with the attribute access for use by the AP’s management service.
- IP: Fill the IP address as the gateway of the service VLAN.
- Access/Trunk: Select this mode according to the VLAN carried by the interface sending and receiving packets.
- MAC Scan: Enable the MAC Scan function. Used together with the DHCP Snooping function, it makes the device actively probe the terminals listed in the Snooping table entries.
- Members: Select the physical interface to join the VLAN.

6.3.2.2 Security
- DAI/IPSG
The controller enables the DHCP Snooping function by default, which effectively prevents DHCP server impersonation attacks and ensures that DHCP clients obtain IP addresses only from legitimate DHCP servers. Administrators do not need to work out the trusted and untrusted interfaces of each device; these are generated automatically from the controller's topology information.
The administrator can choose whether to enable the ARP detection (DAI) and IP source attack prevention (IPSG) functions according to the current security level of the network. These functions determine whether a host is legitimate based on the global DHCP Snooping table entries, which prevents malicious hosts from impersonating legitimate hosts to access the network and also ensures that hosts do not privately set static IP addresses, which could result in IP address conflicts.

- ACL
Administrators can also set up black and white lists for users’ Internet traffic by configuring service ACLs to further secure the network.
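The DAI/IPSG decision described above can be followed step by step in a small model of one access switch. This is an added example, not the controller's or the switch's own code: the class and method names, port names, MAC addresses and IP addresses are constructed, and dropping a server reply that has no matching client request is a simplification of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Simplified model of DHCP Snooping, DAI and IPSG on one switch."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)  # ports facing the real DHCP server
        self.pending = {}    # (vlan, mac) -> port a client request arrived on
        self.bindings = {}   # (vlan, mac) -> Binding learned from a DHCPACK

    def dhcp_from_client(self, port, vlan, mac):
        """DISCOVER/REQUEST: remember which port the client sits on."""
        self.pending[(vlan, mac)] = port
        return "forward"

    def dhcp_from_server(self, port, vlan, client_mac, ip, is_ack):
        """OFFER/ACK: accepted only on a trusted port; an ACK creates a binding."""
        if port not in self.trusted_ports:
            return "drop: DHCP server message on untrusted port"
        client_port = self.pending.get((vlan, client_mac))
        if client_port is None:
            return "drop: no matching client request"  # simplification of this model
        if is_ack:
            self.bindings[(vlan, client_mac)] = Binding(client_mac, ip, vlan, client_port)
        return "forward"

    def matches_binding(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    def dai_check(self, port, vlan, sender_mac, sender_ip):
        """ARP inspection: sender MAC/IP must match a snooping entry on this port."""
        if port in self.trusted_ports or self.matches_binding(port, vlan, sender_mac, sender_ip):
            return "permit"
        return "drop: ARP sender not in snooping table"

    def ipsg_check(self, port, vlan, src_mac, src_ip):
        """IP source guard: data traffic must come from a bound MAC/IP/port."""
        if port in self.trusted_ports or self.matches_binding(port, vlan, src_mac, src_ip):
            return "permit"
        return "drop: source IP not bound to this port"


def run_scenario():
    """Constructed sequence: one legitimate client, one forged reply, two spoofs."""
    sw = SnoopingSwitch(trusted_ports=["Ethernet49"])
    host, other = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    return [
        sw.dhcp_from_client("Ethernet1", 100, host),
        # Reply arriving on an access port: treated as an impersonated server.
        sw.dhcp_from_server("Ethernet2", 100, host, "192.168.1.66", True),
        # Reply arriving on the trusted uplink: creates the binding.
        sw.dhcp_from_server("Ethernet49", 100, host, "192.168.1.100", True),
        sw.dai_check("Ethernet1", 100, host, "192.168.1.100"),
        # Another host claiming the bound address in an ARP packet.
        sw.dai_check("Ethernet2", 100, other, "192.168.1.100"),
        # A host with a privately configured static address and no binding.
        sw.ipsg_check("Ethernet3", 100, "aa:bb:cc:00:00:03", "192.168.1.50"),
    ]


if __name__ == "__main__":
    for result in run_scenario():
        print(result)
```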
6.3.2.3 User Authorization
When the system is applied in enterprise networks or public places with high requirements for network security, you can choose to enable 802.1x-based user authentication. This feature ensures that only authenticated users and devices can access network resources, enhancing network security. Through the GUI, administrators can define and apply authentication policies, including specifying which ports are enabled for 802.1x authentication and setting different authentication rules.

6.3.3 Configuration Release
6.3.3.1 Switch
On devices in the factory state, every management and service port with a status of Up initiates a DHCP request, asking the DHCP server for a temporary management IP address and the IP address of the controller on the cloud, so that the device can connect to the controller and obtain its configuration information.

After all devices have finished going online, click [real topology] to confirm that the topology recognized by the controller based on the online devices is consistent with the planned topology. After confirming that there is no error, follow the steps below to issue the configuration:
1. Click [Design Topology] – [Basic-Network] – [Configuration] to issue the basic configuration for all devices.


2. Click [switch configuration] – [configuration] to issue a service configuration for the device.

6.3.3.2 AP
The configuration does not need to be issued to the AP manually. After the configuration of the switch is issued and takes effect, the PoE power supply function of the switch is turned on, and the AP can power on and work. When the AP connects to the controller with the information obtained through the DHCP service, the controller will automatically send the configuration to the corresponding AP based on the comparison between the TAG identification stored in the AP inventory and the TAG identification in the planning configuration.


7 Operation and Maintenance and Alarm
7.1 Firmware
Firmware management is an important feature of the controller for managing version image files and patch files for network devices. Users can upload local images to the controller for easy deployment of new software versions throughout the network, or update network devices directly with the uploaded firmware.
Administrators can upload local version images to the controller and record basic information about software versions.
7.1.1 Firmware Upload
The administrator can upload the local version image to the controller and record the basic information of the software version.
Operation steps:
1. Go to [Operation&Maintenance] – [Firmware] – [Firmware].
2. Click [+] to upload the version image to the controller.
3. Use [Type] to distinguish whether the firmware applies to the switch or the AP.
4. Use [Platform] to specify different hardware models.
a) ARM64: CX102 series, CX202 series, CX204 series and CX206 series.
b) X86: CX308 series, CX532 series

7.1.2 Firmware Use
In the [Device] – [All] screen, the administrator can view the version information of all devices connected to the controller and compare it with the version description in [Firmware] to determine whether the device needs to be upgraded. The firmware image can be applied to the devices in the network individually or in batch. Select the devices that need to be upgraded. Click the [Firmware Upgrade] button.
In the pop-up window, select the firmware image file to perform the upgrade.


Note: The switch will not reboot automatically after the upgrade is completed; you need to manually perform the reboot operation to make the upgrade take effect.
7.2 Patch Management
Patch management allows administrators to upload patch files to the controller. The controller automatically parses the patch content to ensure that patches are applied to the correct device platforms, thereby enhancing network security and device stability.
Key Functions:
- Manual Patch Upload: Administrators can upload patch files in various formats (such as .bin, .tar.gz, .patch).
- Automatic Parsing: The system will extract version details, applicable device models, and dependencies to verify compatibility.

The administrator can view all devices that have not been patched in the [Devices] interface.
After selecting the device that needs to install the patch, click [Actions] – [Patch Apply] to install the patch.

8 Operations and Alarm Management
The controller is equipped with a powerful device status monitoring function, which can monitor the working status of switches and wireless APs in real time. Through the detailed dashboard display, administrators can grasp the operating status of the equipment at any time. Based on the acquired monitoring information, the controller evaluates various indicators and calculates the health value of each device. The health value is evaluated by considering the following factors:
- Resource utilization: Based on the memory and CPU utilization, evaluate the use of device resources and whether there is a risk of resource exhaustion.
- Traffic load: Based on traffic statistics, analyze the load of the device and determine whether there is a traffic bottleneck.
- Hardware Status: Monitor the temperature of each component of the device, the operation of the power supply, fan, and other hardware, whether it is within the expected range.
- Running status: detect the running status of each major process and container of the device in real time.
When the monitoring index exceeds the preset threshold, the controller will automatically generate an alarm message to notify the administrator to ensure that the administrator can find and solve the problem in a timely manner to ensure the efficient, safe, and stable operation of the network.
8.1 Comprehensive Visualization of Network Status
The controller supports full volume calculation of monitoring data from all online devices, and finally presents them globally as a comprehensive health value.
8.1.1 Organization Dashboard
Administrators can enter the specific organization in the [Navigation] screen to view an overview of the status of devices and terminals under all premises within the organization.

8.1.2 Venue Dashboard
Administrators can enter a specific venue under a specific organization in the [Navigation] interface to view an overview of the status of devices and terminals under all venues within the organization.

♦ Historical Statistics of Egress Throughput
Displays historical throughput statistics of the Spine up-link ports in this venue.
♦ Device Quantity
Displays the online status and quantity of all devices in this venue.
♦ Terminal Quantity
Displays the quantity of wired and wireless terminals in this venue; the number of terminals under each wireless radio frequency; and terminal manufacturer information.
♦ Terminal Online Trend Chart
Displays the online quantity trend of wired and wireless terminals in this venue over a period of time.
♦ Top Cumulative Data Traffic of Wired Terminals
Displays the top 5 cumulative data traffic of wired terminals in this venue over a period of time.
♦ Top Cumulative Data Traffic of Wireless Terminals
Displays the top 5 cumulative data traffic of wireless terminals in this venue over a period of time.
♦ Top Statistical Report of AP Uplink Port Traffic Rate
Displays the real-time top 5 AP uplink port traffic rates in this venue.
♦ Top Bandwidth Utilization Rate of Interconnected Devices
Displays the top 5 bandwidth utilization rates of interconnection links between Spine and Leaf devices in this venue.
♦ Memory Usage Rate
Shows the average memory usage rate of all devices in this venue. Click to view the memory usage rate of all devices, and click the MAC address of a device to jump to the management interface of the single device.
♦ Association Count
Shows the number of wireless terminals connected to all wireless access points in this venue via 5G and 2G. Click to view the number of terminals connected to each wireless access point and the basic information of the access points. Click the MAC address of a device to jump to the management interface of the single device.
♦ Device Statistics
Shows the top 10 ranking of all wireless access points in this venue based on the number of connected terminals or traffic statistics.
♦ Real-time AP Data
Shows the terminal access status of each SSID under different frequency bands of each wireless access point. Click the MAC address to view detailed information.
♦ Client Lifecycle
Searches for wireless terminals connected to the wireless access points in the current venue by MAC address, and views the terminal’s IP address, connection time, connected AP, traffic statistics, and other information.
8.2 Terminal Status Visualization
The controller supports collecting data of wired and wireless terminals online and visually presenting the status of online users. After entering a specified organization/venue, administrators can click [Client] to view information of all terminals under the organization/venue.

Clicking the MAC address of a client opens the detailed view, where you can check specific data such as online trends, roaming records, and traffic statistics of the terminal. This helps administrators analyze the network connection status of the terminal within a specific time frame.

8.3 Device status visualization
Click [Device] – [Device MAC] to enter the management interface of the specified device and view the detailed information of this device:

8.3.1 Interface Information
- View interface statistics

- View the interface PoE power supply situation

- View interface optical module information

8.3.2 View Device Details

♦ Health Checks
The initial health check value for both the switch and the AP is 100%.
Health check calculation specification for the switch:
- CPU utilization over 80%, soundness reduced by 10%
- Memory utilization over 80%, soundness reduced by 10%
- Switch chip/CPU temperature over 85°C, soundness reduced by 10%
- PSU: any one power supply in an abnormal state (power module not in position, power supply not powered), soundness reduced by 10%
- Service detection: any critical business service abnormal, soundness reduced by 10%
AP Health Check Calculation Rule:
- An interface that can successfully detect the DHCP/DNS server information counts as a normal interface; integrity = normal interfaces / total number of interfaces
♦ Table entry resources
♦ Routing
♦ MAC
♦ Neighbor information (ARP)
♦ Temperature information
♦ Fan information
♦ PSU power supply information
♦ Patches: List of patches already installed on the device
♦ Remarks
8.3.3 View Device Statistics

CPU Statistics
Historical CPU statistics over a three-day period.
Memory Statistics
Historical memory statistics over a three-day period.
Interface Statistics
Statistics for a single interface or for all interfaces, available in two units: KB/s and PPS.
Transmission Rate
The top 10 interfaces of the current device, displaying the current transmission rate of the interface in the RX & TX directions.
POE Terminal
Connection information of POE terminals on the current device, including: host name of the terminal, access port number, terminal MAC, IP and other information, and support to view the historical number of POE terminals accessed on the specified port within 3 days.
LLDP
Display LLDP information on the switch.
8.4 Alarm Management
8.4.1 Alarm Item Configuration
Administrators can configure the recipients of alarm emails and alarm thresholds in the [Configuration] – [Operation&Maintenance Configuration] interface of the designated venue. By default, all alarms supported by the controller are enabled.


The controller supports the following alarms:
8.4.2 Mail Sender
Click [System] – [Mail Sender] to modify the source mailbox for sending alerts.

Click [Connectivity] to test the connectivity between the controller and the email server, preventing alarm emails from failing to be sent normally due to network connectivity issues.
8.4.3 Alarm Message
Administrators can view alarm information for all devices within their management authority in the [Operations and Maintenance] – [Alarm] interface.
- Active Alarms: Displays alarm items that still exist currently.
- Alarms History: Displays alarm items that showed abnormalities before but have returned to normal.

Click the alarm item to view specific alarm information and process it. Click the [Edit] button, fill in the processing information for the current alarm in the [Analysis] section, and click the [Save] button to complete the edit. After that, this alarm information will no longer be displayed in [Active Alarms] but will be stored as a processed alarm in [Alarm History].

8.5 Device Inspection
The device inspection feature is designed to regularly check and monitor network devices to ensure their normal operation and detect potential faults in a timely manner. Its main functions include:
- Device Status Monitoring: Checks critical parameters such as CPU usage, memory usage, storage, and port status to ensure devices are functioning properly.
- Log and Alarm Management: Collects device logs, analyzes abnormal events, and triggers alarm mechanisms.
- Critical Process Status Check: Monitors the status of essential processes to ensure smooth business operations.
- Automated Inspection Tasks: Supports scheduled inspection tasks, generates inspection reports, and facilitates network maintenance.
8.5.1 System Inspection
System inspection refers to the periodic check of the controller’s internal system to ensure stable and efficient operation. Key inspection items include:
- CPU & Memory Usage: Monitors CPU load and memory consumption to prevent system failures due to resource exhaustion.
- Disk Usage Check: Examines disk usage to prevent logs or cached data from consuming all available storage, which could impact system performance.
- Files Descriptor: Verifies the proper functioning of critical services (e.g., network management, authentication, logging) and automatically restarts abnormal processes.
- E-Mail Server Connected: Tests the controller’s connectivity with the email server to ensure alert notifications are successfully sent.
System inspections can be scheduled at fixed intervals (e.g., every 5 minutes or every hour) and automatically generate inspection reports for administrators to analyze and optimize system performance.

8.5.2 Business Inspection
Business inspection refers to periodic or on-demand checks of network device operation to ensure stable business operations and prevent potential failures.
8.5.2.1 One-Click Inspection
This feature allows users to specify inspection items and target venues for an instant inspection, defining the scope of the inspection accordingly.

8.5.2.2 Cycle Inspection
Cycle inspection is configured based on the needs of different venues, allowing for automated inspections at scheduled intervals without manual intervention, thus improving operational efficiency.
Click the [View Details] button to view/edit the periodic inspection settings for the selected venue.

8.5.2.3 Inspection Records
Both one-click inspections and periodic inspections are logged in the inspection records.
Click the [View Details] button to check the inspection results. All detected anomalies will be listed under the [Abnormal] section. Administrators can:
Click [Actions] – [View Details] to check the inspection results of a specific device.
Click on the MAC address to directly navigate to the device management interface for further analysis.
