1) The 2.4 software release from Mimosa Networks includes new features like auto provisioning, VLAN tagging, and a fallback IP address for C5 devices.
2) The auto provisioning allows C5 devices to be automatically unlocked and configured through a Radius server integrated with a customer's billing system. This streamlines installation.
3) VLAN tagging options include assigning a unique VLAN per C5, double tagging with QinQ, and separate management VLANs for security. A persistent fallback IP address prevents loss of connectivity during installation.
Mimosa 2.4 Software Release: Key Features and Auto Provisioning Workflow
1. @GoMimosa
Mimosa Networks
2.4 Software Release: Overview and Basic Training
A5/A5c, C5/C5c PTMP, PTP
Presented By:
David Stiff
Vice President, Product Management
Mimosa Networks
2. • What’s in the 2.4 release?
• Auto Provisioning Details
• VLANs
• Fallback IP Address
• Mobile App 3.0
Agenda
3. • Auto Provisioning
• 802.1x Secure Auto Connect for SRS
• C5 Auto-Unlock for WPA2/Enterprise Security
• Radius Subscriber/C5 Provisioning (VSA)
• C5 Auto Configuration (file)
• Fallback IP Address
• VLAN per C5, VLAN double tagging (QinQ)
2.4 Major Features (1)
4. • KRACK (Key Reinstallation Attacks) Fix
• Fix for both A5/A5c and C5/C5c
• Enhanced Interference Rejection
• Significantly improves performance in the presence of high
interference
• Improved Peak Client Throughput
• As subscribers scale their networks above 25 stations, a
single client can burst to utilize peak available capacity
2.4 Major Features (2)
5. • C5 Ethernet Data Port Authentication (802.1x)
• A5 MAC forwarding table
• SNMP enhancements
• 802.1p Downlink Priority Tagging
• Disable Traffic shaping for UDP traffic
• C5 auto LED brightness, derives time from A5
• C5 follows A5 regulatory domain
• Broadcast SSID is always enabled for CPE and Trunk
mode.
2.4 Other Features
6. • C5 factory default mode is SRS
• Improves SSID scanning and reduces a reboot step during initial setup
• G2 no longer requires IP connectivity to A5 management interface for
software upgrades
• Enables A5/C5 to be in a separate management VLAN from the G2
• The SNR value is replaced with the EVM value and EVM is no longer shown
as a separate statistic
• C5 reset unlock command is removed
• Resetting the unlock code is no longer necessary as the C5 learns its regulatory domain
from the A5 it is associated to
Noteworthy 2.4 Updates & Fixes
8. C5 Auto Configuration
• Dramatically shortens C5 installation time
• Enables lower skilled installation technicians
“Satellite TV Guys”
• Automates C5 unlock and configuration
• Integrates into customer billing system for
subscriber provisioning & management
• RADIUS based
[Workflow diagram labels: Fresh out of box C5/C5c; Update firmware from Mimosa App; Associate Subscriber Info; Provision C5/C5c; Select Network and Aim; Authenticate & Secure Client Uniquely]
9. Confidential
WPA2/Enterprise Security (802.1X)
C5 Authentication
• 2-Factor authentication using EAP-PEAP & MSCHAPv2
• Mimosa device certificates (optional)
• Predefined user/pass (MAC/Serial) or user defined
Radius Subscriber Provisioning
• Radius server integrated into customer’s billing system
• Per subscriber provisioning of rate limits, VLANs, and
network settings using Mimosa VSA library
• Subscriber configuration update via Radius COA and DM
C5 Auto-Unlock
• Cloud connected A5 unlocks to the A5’s cloud
account
• C5 Follows A5 regulatory domain
• Enabled when using WPA2/Enterprise Security
C5 Auto Configuration (flat file)
• Optional C5 settings can be loaded via a flat file
located on customer’s file system
Install App
• Firmware updates, SSID Selection, Aiming
Key Features
Inventory Management on Mimosa Cloud
• Easily scan C5 for inventory and RADIUS passwords.
C5 Persistent Fallback IP address
• C5 has a new non-routable persistent fallback IP
address, preventing disconnects during
installation. (169.254.200.20)
C5 Auto Provisioning
10. Mimosa Cloud – Device Inventory
1 – Scan C5 Inventory into Mimosa Cloud (C5 Serial Number + MAC)
2 – Export C5 SN + MAC & inventory .csv
3 – Import into Subscriber Management system (Billing System)
11. To enable auto-unlock and subscriber provisioning the following is required:
• 2.4 Software (A5 & C5)
• Mimosa cloud connected A5
• Radius Server
• Minimum requirement is WPA2/Enterprise (802.1x) for C5 authentication to use auto-unlock
• Recommended to use RADIUS VSA to provision the C5. For security, at least C5 management
password
• Automated Subscriber Management system (recommended)
• Handles the automation of configuring RADIUS
Auto Provisioning Requirements
12. C5 Auto Configuration Options
From Radius: Subscriber + Device Config
Network & Management
• C5 Management IP Information (DHCP/static)
• Management VLAN
• Management password
• Device name
Subscriber Provisioning
• Traffic Shaping (Max UL/DL, Commit UL/DL)
• Subscriber VLAN
System Settings
• Wireless MAC protocol
• Firmware version & image location
• Config file & location
From Flat File: Device Config
Network & Management
• C5 Management IP Information (DHCP/static)
• Management VLAN
• Management password
• Device name
System Settings
• Wireless MAC protocol
• Firmware version & image location
Flat File location is configured via RADIUS
Adding DHCP Option 66/67 config file location in next release
RADIUS and Flat File format documentation & sample files are
available online
http://ap.help.mimosa.co/ug-radius-installation-files
13. Enterprise/RADIUS Authentication
• Using IEEE 802.1X with RADIUS protocol
• Supported for WiFi-Interop and SRS modes
• Terminology
• Two factor authentication
• Outer Tunnel (between C5 and RADIUS server) -- Optional
• EAP-PEAP using Mimosa Certificates (Authentication Server should be pre-configured with Mimosa’s
Trusted CA certificates)
• Inner Tunnel (between C5 and RADIUS server)
• MS-CHAPv2 using a username and password (default username and password is the <C5-WIFI-MAC><C5-SERIAL-NUMBER>)
C5: IEEE 802.1X Supplicant
A5: IEEE 802.1X Authenticator
RADIUS Server: Authentication Server
14. Flat File Setup (optional)
• Flat File location is pushed to the C5 via RADIUS
• Supported file transfer protocols: TFTP, FTP, HTTP, HTTPS.
• No per subscriber settings are available; use RADIUS for VLAN and rate limiting provisioning.
• Flat File settings are useful for network wide device settings
• DNS, SNMP, Syslog, etc
Sample Flat File configuration for a C5
Management:
DNS1: 8.8.8.8
DNS2: 8.8.4.4
EnableSNMP: True
SNMPCommunityString: mimosa
SNMPTrapServer: 1.1.1.1
NTPServerAddress: time.nist.gov
RemoteSyslog:
EnableSyslog: True
SyslogServerAddress: 1.1.1.1
SyslogPort: 514
SyslogProtocol: UDP
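An added example (not Mimosa tooling or code from this deck): a Python pre-deployment check that parses a flat file in the layout of the sample above and reviews both the SNMP community string and the transfer protocol of the file location that RADIUS pushes to the C5. The indentation, the deny-list, the 12-character minimum and the names `parse_flat_file` and `audit` are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed sample in the layout of the slide's flat file (indentation assumed).
SAMPLE = """\
Management:
  EnableSNMP: True
  SNMPCommunityString: mimosa
  SNMPTrapServer: 1.1.1.1
RemoteSyslog:
  EnableSyslog: True
  SyslogPort: 514
"""
GUESSABLE = {"public", "private", "mimosa", "admin"}   # example deny-list
CLEARTEXT = {"tftp", "ftp", "http"}   # supported per the slide; no transport protection


def parse_flat_file(text):
    """Return {section: {key: value}}; a bare 'Name:' line opens a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = (part.strip() for part in raw.partition(":"))
        if not sep:
            raise ValueError(f"not a 'Key: Value' line: {raw!r}")
        if value == "":
            current = sections.setdefault(key, {})
        elif current is None:
            raise ValueError(f"setting outside a section: {raw!r}")
        else:
            current[key] = value
    return sections


def audit(text, location_url):
    """Findings for the file body and for the URL that RADIUS hands to the C5."""
    mgmt = parse_flat_file(text).get("Management", {})
    findings = []
    community = mgmt.get("SNMPCommunityString", "")
    snmp_on = mgmt.get("EnableSNMP", "").lower() == "true"
    # Example policy (assumption): reject deny-listed or short community strings.
    if snmp_on and (community.lower() in GUESSABLE or len(community) < 12):
        findings.append("snmp-community-guessable")
    scheme = urlparse(location_url).scheme.lower()
    if scheme in CLEARTEXT:
        findings.append(f"flat-file-fetched-over-{scheme}")
    elif scheme != "https":
        findings.append("flat-file-scheme-unsupported")
    return findings
```

Because the flat file carries network-wide values such as the SNMP community string, serving it over HTTPS keeps those values off the wire in cleartext.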
15. Auto Provisioning Workflow
1 – Back Office
• Inventory Mimosa products (generate credentials)
• Customer provisions billing system/radius server with new C5 credentials
• Customer ensures C5 configuration file is setup (optional)
2 – Onsite
• Tech finds suitable C5 mounting location
• Install App pushes firmware to C5
• Install App selects SSID and connects
3 – Automation
• Association & 802.1x 2-factor Authentication (A5/Radius)
• Subscriber & Device provisioning (Radius/File)
• Auto C5 Unlock (Mimosa cloud)
4 – Onsite
• Install App aims C5
• Tech secures C5 and finishes install
[Diagram labels: AAA Radius; Billing System; File Server (optional)]
www.mimosa.co
18. Auto Provisioning Workflow
1 – Back Office
• Inventory Mimosa products (generate credentials)
• Customer provisions billing system/radius server with new C5 MAC/SN
• Customer ensures C5 configuration file is setup
2 – Onsite
• Tech finds suitable C5 mounting location
• Install App pushes firmware to C5
• Install App selects SSID and connects
3 – Automation
• Association & 802.1x 2-factor Authentication (A5/Radius)
• Subscriber & Device provisioning (Radius/File)
• Auto C5 Unlock (Mimosa cloud)
4 – Onsite
• Install App aims C5 (audio assist)
• Tech secures C5 and finishes install
[Diagram labels: AAA Radius; Billing System; File Server (optional)]
21. CPE Ethernet Port Authentication
• IEEE 802.1X Port based Authentication
• Enabling RADIUS authentication of the devices connecting to
Ethernet Port of C5
• Terminology
• Ethernet Port is disabled for data traffic till RADIUS authentication
is successful
Device connecting to Ethernet port of C5: Supplicant
C5: IEEE 802.1X Authenticator
A5: Authenticator Proxy
RADIUS Server: Authentication Server
Configured in Wireless->SSID->Edit
[Diagram labels: 802.1x port authentication; AAA Radius]
23. [Diagram labels: Subscriber network (Untagged or untagged); Unique VLAN tag per C5 data packet; Internet; Router; A5; C5; 802.1Q VLAN Trunk]
VLAN per C5
• Enables VLAN tagging per C5 for upstream device
client isolation and identification (802.1Q)
• Supports VLAN double tagging for QinQ
• Support for separate C5 management VLAN
• Secures management VLAN from subscriber access
24. VLAN tagging is enabled when using Fixed/CPE SSID Mode and is independent of the Management VLAN. Trunk mode (pass through) is used to transport existing VLANs.
• Per CPE VLAN
• Adds a VLAN tag per client assigned manually or via RADIUS
• Default VLAN tag is used when no per C5 VLAN is configured. Useful as a provisioning VLAN until a subscriber VLAN is set.
• Multiple C5/clients can use the same VLAN.
• SSID VLAN
• Adds the same VLAN tag for all C5/clients connected to an SSID
• QinQ Support
• Utilize both CPE VLAN and SSID VLAN for stacked or double tagged VLANs.
• C-VLAN – VLANs from the customer network are allowed to pass-through
• CPE VLAN (CPE S-VLAN) is first tag, SSID VLAN (S-VLAN) is the second tag.
Understanding Data VLANs
25. Enabling VLANs
SSID and CPE VLANs are enabled in the Wireless->SSID page
• The SSID VLAN will add the same VLAN tag to all C5 clients.
• Enabling CPE Data VLAN will add a tag per C5
• The Default CPE Data VLAN tag will be assigned if no manual or RADIUS VLAN tag is specified. Useful as a provisioning or remediation VLAN.
26. Assigning per C5 VLANs
Per C5 VLAN assignments are managed in the Client->Settings tab or via Radius
• Manually assign VLANs to each C5
• C5s can have the same VLAN, but client isolation will prevent traffic from
flowing directly between C5/C5.
27. Configuring TPID
• Provider Bridging customization for Q-in-Q
• Custom TPID for CPE (C-VLAN) and SSID (S-VLAN)
• Leave these values to default for normal single
and double tagging VLAN use.
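An added example (not from the Mimosa deck or firmware): a Python check that can be run on a frame captured on the upstream trunk to confirm the single or stacked VLAN tags described in the VLAN slides, and to show what a non-default TPID does to a switch that does not expect it. The VLAN IDs, the 0x9100 TPID and the function names are constructed for illustration; which of the CPE and SSID tags is outermost should be read from your own capture.

```python
import struct

DEFAULT_TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag


def vlan_stack(frame, tpids=DEFAULT_TPIDS):
    """Return ([(tpid, pcp, vid), ...] outermost first, inner EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, offset = [], 12            # skip destination and source MAC
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in tpids:
            return tags, ethertype   # first non-TPID value ends the tag stack
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        # TCI: 3-bit 802.1p priority, 1-bit DEI, 12-bit VLAN ID
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))
        offset += 4


def check_isolation(frame, expected_vids, tpids=DEFAULT_TPIDS):
    """True only if the frame carries exactly the expected VLAN IDs, in wire order."""
    tags, _ = vlan_stack(frame, tpids)
    return [vid for _, _, vid in tags] == list(expected_vids)


def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed test frame: zeroed MACs, then the given (tpid, pcp, vid) tags."""
    out = bytes(12)
    for tpid, pcp, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return out + struct.pack("!H", ethertype) + payload
```

A frame tagged with a TPID outside the set the receiver recognises parses as untagged, which is why the TPID values are best left at their defaults unless both ends are configured to match.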
28. • New persistent fallback IP address of 169.254.200.20.
• In addition to the C5 default IP of 192.168.1.20, this non-routable IP address is always reachable regardless of a manual or DHCP assigned IP address to C5.
• It is recommended to use this new persistent IP address when using auto-provisioning to prevent loss of connectivity to the C5.
• Most laptop DHCP clients will default to an IP address in this subnet, making connectivity to an unconfigured C5 extremely easy.
Fallback IP Address