AP discovery is done with L2 multicast/broadcast so that a controller can see the AP. Adoption is done by the controller SSHing into the Access Point (AP) to tell the AP where the controller is. After that, everything is the AP "calling home" to perform the tasks the controller asks of it. All AP-controller management traffic goes untagged.
The controller manages the AP using a proprietary TR-069-like management protocol. The main idea, for scalability, is for the AP to "call home" periodically over L3. To support instant notifications from controller to AP, STUN is also used. The protocol is encrypted and does not rely on TLS for integrity.
In basic terms, the process is as follows:
- By default, AP “discovery” occurs via Layer-2 broadcast traffic so that a “local” controller can see the AP.
- Once “discovered”, the “adoption” takes place via SSH, whereby the controller tells the AP where it’s located on the network. (Layer-3 is possible too)
- After that, it's all AP “calling home” to perform tasks that the controller asks it to do.
NOTE: All the AP-controller management traffic goes untagged. The design has L3 management in mind, so you can set up a controller in the cloud or off-premises.
There's an initial handshake that needs to occur between the beaconing UAP and the controller.
- When an AP is in factory default (see What do the LED Color Patterns Represent for UniFi Devices for more), it will obtain an IP from a DHCP server and send out beacons: "I'm at factory default settings. Who can manage me?"
- Controller hears the beacon. As this device is in a default state, it will show the AP as "pending adoption".
- When the user decides to adopt the AP, the controller adopts the AP via SSH (using the IP information in the beacon and the default username/password).
- The AP sends its initial inform to http://controller_ip:8080/inform, and the controller-AP binding is now complete.
After the UniFi device is adopted, communication changes slightly.
- When a UniFi device has been adopted but the controller is not present, the AP sends a slightly different beacon: "I'm here. When you (the controller) are up/ready, come pick me up."
- When the original controller comes up, it picks up the device beacon and finds that the device is already adopted. It will re-adopt the AP automatically via SSH (using the IP information in the beacon and the non-default credentials).
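The discovery/adoption flow above has one obvious monitoring hook for a defender: a factory-default AP is beaconing on the L2 segment and accepting the default credentials, so any SSH adoption or inform target that is not the authorized controller is worth an alert. The following is an added example (not Ubiquiti's code) that replays constructed, hypothetical event lines through the pending -> adopting -> adopted states described on this page; the log format and the controller address 10.0.0.5 are assumptions.

```python
import re

# Constructed sample events (not real UniFi logs): ap-01 is adopted by the
# authorized controller, ap-02 is adopted by a host that is not the controller.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 ap=ap-01 beacon default=yes ip=10.0.0.21
2024-05-01T10:00:05 ap=ap-01 ssh from=10.0.0.5 user=ubnt
2024-05-01T10:00:09 ap=ap-01 inform url=http://10.0.0.5:8080/inform
2024-05-01T10:05:00 ap=ap-02 beacon default=yes ip=10.0.0.22
2024-05-01T10:05:03 ap=ap-02 ssh from=10.0.0.99 user=ubnt
2024-05-01T10:05:07 ap=ap-02 inform url=http://10.0.0.99:8080/inform
2024-05-01T10:06:00 ap=ap-01 beacon default=no ip=10.0.0.21
"""

# Hypothetical line shape: <timestamp> ap=<name> <kind> key=value ...
EVENT_RE = re.compile(r"^(\S+) ap=(\S+) (\w+)(.*)$")

def parse_event(line):
    """Return (timestamp, ap, kind, {key: value}) or None for a malformed line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, ap, kind, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return ts, ap, kind, fields

def audit_adoptions(log_text, controller_ip):
    """Track each AP through pending -> adopting -> adopted and flag any SSH
    adoption or inform target that does not belong to controller_ip."""
    state = {}   # ap name -> current adoption state
    alerts = []  # (timestamp, ap, reason)
    for line in log_text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, ap, kind, f = parsed
        if kind == "beacon":
            # default=yes: the AP still answers to the default credentials
            state[ap] = "pending" if f.get("default") == "yes" else "adopted"
        elif kind == "ssh":
            if f.get("from") != controller_ip:
                alerts.append((ts, ap, f"ssh adoption from unexpected host {f.get('from')}"))
            state[ap] = "adopting"
        elif kind == "inform":
            expected = f"http://{controller_ip}:8080/inform"
            if f.get("url") != expected:
                alerts.append((ts, ap, f"inform sent to {f.get('url')}"))
            state[ap] = "adopted"
    return state, alerts
```

Feed it the real beacon, SSH and inform events from whatever captures them on your network, keeping the authorized controller address as the single source of truth.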