UniFi v8.2
CONFIGURATION GUIDE
This manual describes the configuration of Ubiquiti equipment, through the UniFi Controller platform, required to integrate it with Octopus Platform.
1- Pre-requisites
If a firewall in the network could block the traffic, the following destinations must be allowed so that user authentication works:
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
For the Guest and Enterprise module configurations to work, the Octopus Platform licences for the respective modules must be contracted beforehand.
This configuration uses an app that we have developed; its use is explained in the following steps.
If an error occurs, the application creates a debug.log file with detailed information about the error.
2- Guest module configuration
2.1 Radius Servers
First, create the RADIUS servers to which the authentication and accounting requests will be sent. In the UniFi Network Controller web interface, within the Site configuration, select Settings > Profiles and click CREATE NEW RADIUS PROFILE. Fill in the following data:
Profile Name: <Name of radius>
RADIUS Assigned VLAN Support
Wireless Networks: Check Enable
RADIUS Setting
Authentication Servers:
IP Address: <IP_Radius_1>
Port: 1812
Password/Shared Secret: <Secret>
Accounting: Check Enable
RADIUS Accounting Servers:
IP Address: <IP_Radius_1>
Port: 1813
Password/Shared Secret: <Secret>
Interim Update Interval: Check Enable / 600 (seconds)
If a secondary server (<IP_Radius_2>) has been provided, add it as a second entry in both the authentication and the accounting server lists of the same profile, with the same ports and shared secret, so it is used when the primary is unreachable.
2.2 Captive Portal
The Captive Portal is configured with the app ConfiguradorPortal. This app connects to the UniFi API and allows you to configure the portal, the configuration
First, log in to UniFi from the app:
URL: local URL of the UniFi Controller (do not add a trailing "/")
User: <administrator user>
Password: <password>
Site: site in which the RADIUS profile was created (usually "default")
Click Login and the editable configuration will be displayed.
The app itself sets some of the parameters the captive portal needs internally; the parameters that are optional or may vary are configured from the app:
Radius: name of the Radius server that we have previously created.
Redirect enable: check it to redirect the user to a website after logging in to the portal. When checked, a new field appears in which to enter the IP of that website; this IP must also be added to the walled garden (as a /32 entry).
HTTPS redirect: Check Enable
Redirect to HTTPS: check it to use the portal over HTTPS (if so, follow the steps in section 2.4 Secure login configuration option).
Portal use hostname: check it if HTTPS is used for the portal (previous option); when checked, a new field appears in which to enter the domain to be used. It must be the hostname covered by the certificate installed in section 2.4.
Walled garden: add the IPs and domains that the captive portal needs in order to work (Walled Garden / Domain Whitelist; here you can check the walled garden entries to add, in addition to "appx.octopuswifi.com" and its IP).
List walled garden: shows the list of walled garden entries; to delete one, select it and click Delete.
Click Apply and the configuration will be applied to the APs. A message at the bottom indicates whether the configuration was added successfully.
2.3 Wireless Networks
In the UniFi Controller user interface, go to Settings > WiFi and create a new network, or edit the existing one, in which the captive portal is to be integrated.
Name/SSID: name of the WiFi network broadcast by the APs. It must match the one configured in Octopus Platform.
Broadcasting APs: All
Advanced: Select Manual
Hotspot Portal: Check Enable
WiFi Band: select the bands to be used.
Band Steering: Check Enable
Client Device Isolation: Check Enable
BSS Transition: Check Enable
802.11 DTIM Period: Check Auto
Security Protocol: Open (the guest SSID is therefore unencrypted over the air, which is why section 2.4 recommends serving the portal over HTTPS)
2.4 Secure login configuration option
It is recommended that the whole authentication process is encrypted, so that all interactions with the UniFi Controller take place over HTTPS. The steps to implement this are shown below:
The first step is to generate a certificate, taking the following into account:
The certificate must be issued for a hostname (subdomain) whose DNS entry resolves to the IP of the UniFi Network Controller. The certificate can be a wildcard, but the specific subdomain used must still resolve to that IP.
Generate the certificate in PFX (PKCS#12) format, with alias "unifi" and password "aircontrolenterprise" (the default password of the UniFi keystore). Example with OpenSSL, which prompts for the export password:
openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt -certfile certificate.ca.crt -name "unifi"
Upload the certificate to the server where the UniFi Controller is installed, noting the path in which it is stored.
On Windows it is convenient to store it in the folder containing the Java executables: <OS_drive>:\Program Files\Java\<Java_version>\bin.
From the CLI, go to the folder containing the certificate (on Windows, the same folder as the Java executables).
Run the following command (keytool.exe on Windows). If -srcstorepass is not given, keytool prompts for the PFX password:
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -srcalias unifi -destkeystore "<keystore_path>" -deststoretype jks -destalias unifi -deststorepass aircontrolenterprise
<keystore_path> on Linux: /usr/lib/unifi/data/keystore
<keystore_path> on Windows: <OS_drive>:\Users\<User>\Ubiquiti UniFi\data\keystore
<keystore_path> on Cloud Key: /var/lib/unifi/keystore
If everything is correct, restart the UniFi Controller.
Before importing, make a backup copy of the keystore file so that it can be restored if something goes wrong.
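The following script is an added example (not part of this guide nor of the Octopus app) for checking the result of the certificate installation from a client's point of view: it connects to the controller over TLS, validates the chain against certificate.ca.crt (the CA file used in the OpenSSL step) and checks that the portal hostname is covered by the certificate's SAN entries, applying the wildcard rule described above (a wildcard covers exactly one label, so the subdomain must exist in DNS). The port 8443 (the UniFi Network Controller's default HTTPS port) and the script name are assumptions.

```python
"""Verify the certificate installed in the UniFi keystore from a client's point of view.

Added example, not part of the original guide. Assumptions: the controller
listens on 8443 and certificate.ca.crt is the CA bundle used in the OpenSSL step.
"""
import socket
import ssl
import sys


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a SAN DNS entry against the portal hostname. A wildcard covers
    exactly one label: '*.example.com' matches 'portal.example.com' but not
    'a.b.example.com' nor 'example.com', so a wildcard certificate still
    needs the specific subdomain to resolve to the controller."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return label != "" and "." not in label


def san_dns_names(cert: dict) -> list:
    """DNS names from the subjectAltName of a cert dict as returned by getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_portal_certificate(hostname: str, cafile: str, port: int = 8443,
                             expected_ip: str = None, timeout: float = 5.0) -> dict:
    """Connect, validate the chain against cafile and check hostname coverage.
    Returns {'ok', 'problems', 'names', 'not_after'}."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # the name mismatch is reported by us, with the SAN list
    ctx.verify_mode = ssl.CERT_REQUIRED   # but the chain must still validate against cafile
    problems = []
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            peer_ip = raw.getpeername()[0]
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Typically the controller is still serving its self-signed default
        # certificate because the keystore import did not take effect.
        return {"ok": False, "problems": ["chain does not validate: %s" % exc.verify_message],
                "names": [], "not_after": None}
    names = san_dns_names(cert)
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("no SAN entry covers %s: %s" % (hostname, names))
    if expected_ip and peer_ip != expected_ip:
        problems.append("%s resolved to %s, expected controller IP %s" % (hostname, peer_ip, expected_ip))
    return {"ok": not problems, "problems": problems, "names": names,
            "not_after": cert.get("notAfter")}


if __name__ == "__main__":
    # usage: check_portal_cert.py <captive_portal_hostname> certificate.ca.crt [controller_ip]
    result = check_portal_certificate(sys.argv[1], sys.argv[2],
                                      expected_ip=sys.argv[3] if len(sys.argv) > 3 else None)
    print("OK" if result["ok"] else "PROBLEMS", result)
    sys.exit(0 if result["ok"] else 1)
```

Run it from a client on the guest network after restarting the controller; a chain validation error means the keystore still holds the previous (self-signed) certificate, and a "no SAN entry covers" problem means the hostname entered in "Portal use hostname" does not match the certificate.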
2.5 List of Authorized MACs
To identify the site in Octopus Platform, the MAC addresses of the devices must be added to the platform. To obtain the list of MAC addresses, go to the DEVICES section of the UniFi Controller.
3- Enterprise module configuration
To integrate the configuration of this module with the platform, the Octopus WiFi Enterprise Module must be contracted.
3.1 MAC Authentication Configuration
To enable MAC authentication, go to Settings > WiFi, create or edit the WLAN to be configured and, in the RADIUS MAC Authentication section, set:
RADIUS MAC Authentication: Check Enable
Radius Profile: Select the radius profile you have previously created.
MAC Address Format: aa:bb:cc:dd:ee:ff
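The following script is an added example (not part of this guide nor of the Octopus app) that serves two purposes: it checks from the network the RADIUS servers and shared secret configured in section 2.1 (a UDP 1812 timeout points to the firewall rules of section 1 or to a server silently dropping requests with a wrong secret, while a reply that fails the authenticator check proves a secret mismatch), and it simulates the MAC authentication of section 3.1 by sending the MAC in the aa:bb:cc:dd:ee:ff format. It implements the Access-Request and PAP password hiding of RFC 2865 directly. Assumptions: the server accepts PAP, the MAC is sent as both User-Name and User-Password for MAC authentication, and the NAS-Identifier "unifi-probe" and script name are placeholders.

```python
"""Probe a RADIUS authentication server with a PAP Access-Request (RFC 2865).

Added example, not part of the original guide. Assumptions: PAP is accepted;
for MAC authentication the MAC (aa:bb:cc:dd:ee:ff) is both user and password.
"""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # attribute types


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int, authenticator: bytes) -> bytes:
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attribute(NAS_IDENTIFIER, b"unifi-probe"))  # placeholder NAS name
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def sign_response(code: int, identifier: int, attrs: bytes,
                  request_authenticator: bytes, secret: bytes) -> bytes:
    """Build a reply the way the server does: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """A reply whose authenticator does not verify was produced with a different
    shared secret (or forged) and must be ignored."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def mac_auth_identity(mac: str) -> str:
    """Normalise any common MAC notation to aa:bb:cc:dd:ee:ff (section 3.1 format)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def probe(server: str, secret: str, username: str, password: str,
          port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request and classify the outcome."""
    authenticator, identifier = os.urandom(16), os.urandom(1)[0]
    packet = build_access_request(username, password, secret.encode(), identifier, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: UDP %d blocked, wrong IP, or request dropped (secret mismatch)" % port
    if response[1] != identifier or not response_is_authentic(response, authenticator, secret.encode()):
        return "reply failed the authenticator check: shared secret mismatch"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(
        response[0], "unexpected code %d" % response[0])


if __name__ == "__main__":
    # usage: radius_probe.py <IP_Radius_1> <Secret> <user> <password>
    #        radius_probe.py <IP_Radius_1> <Secret> --mac AA-BB-CC-DD-EE-FF
    host, secret = sys.argv[1], sys.argv[2]
    if sys.argv[3] == "--mac":
        identity = mac_auth_identity(sys.argv[4])
        print(probe(host, secret, identity, identity))
    else:
        print(probe(host, secret, sys.argv[3], sys.argv[4]))
```

An Access-Reject with a valid authenticator is still a good result for the firewall and secret checks: it shows the server is reachable on UDP 1812 and shares the secret; only the user (or the MAC not yet registered in Octopus Platform) was refused.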