UniFi Controller

CONFIGURATION GUIDE

The purpose of the following manual is to describe the necessary configuration of Ubiquiti equipment using the UniFi Controller platform for integration with Octopus Platform.

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, you will need to allow access to the following servers so that users can authenticate:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • For the operation of the Guest and Enterprise modules configuration, it will be necessary to previously contract the Octopus platform licenses with the respective modules.

2- Guest module configuration

2.1 Radius server

First, create the RADIUS servers to which the authentication and accounting requests will be sent. In the Unifi Network Controller web interface, within the Site configuration, select Settings > Profiles and then CREATE NEW RADIUS PROFILE. Fill in the following data:

  • Profile Name: Octopus_Radius

  • RADIUS Auth Server:

    • IP Address: <IP_Radius_1>

    • Port: 1812

    • Password/Shared Secret: <Secret>

    • IP Address: <IP_Radius_2>

    • Port: 1812

    • Password/Shared Secret: <Secret>

  • Accounting: Enable Accounting

  • Interim Update: Enable Interim Update

  • Interim Update Interval: 600s

  • RADIUS Accounting Server:

    • IP Address: <IP_Radius_1>

    • Port: 1813

    • Password/Shared Secret: <Secret>

    • IP Address: <IP_Radius_2>

    • Port: 1813

    • Password/Shared Secret: <Secret>

2.2 Captive Portal

As a first step, the login pages on the Unifi Controller server must be replaced with the ones sent by the support team. Their location in each Operating System is:

  • Linux: /usr/lib/unifi/data/sites/<site_name>/app-unifi-hotspot-portal

  • Windows: <Unidad_OS>:\Users\<usuario>\Ubiquiti UniFi\data\sites\<site_name>\app-unifi-hotspot-portal

  • Cloud Key: /srv/unifi/data/sites/<site_name>/app-unifi-hotspot-portal

The steps are:

  • Copy the original pages to another folder (e.g. app-unifi-hotspot-portal-original) without altering the original folder, so that they can be restored if they are needed again at some point.

  • Then paste the content of the new pages into the app-unifi-hotspot-portal folder, accepting the replacement of the files with the same name.

Once the new redirection pages are available, return to the Unifi Network Controller interface and within the Site, access Settings > Guest Control. In the GUEST POLICIES section:

  • Guest portal: Enable Guest Portal

  • Authentication: Hotspot

  • Landing Page: Redirect to the original URL (this way it will be configured from Octopus Platform)

  • Redirection: all options disabled

Within PORTAL CUSTOMIZATION:

  • Template Engine: Angular JS

  • Override Default Templates: Override templates with custom changes

  • The rest of the values in this section do not apply.

In the HOTSPOT section:

  • RADIUS: Enable RADIUS-based authorization

  • Rest of values: Disabled

In the RADIUS section:

  • Profile: Octopus_Radius (Created in section 2.1)

  • Authentication type: CHAP

In the last section, ACCESS CONTROL, the walled garden (domains reachable without authentication) that the captive portal needs in order to work must be added:

  • Pre-Authorization Access: add the basic domains needed for operation and, depending on the selected access methods, consult the additional domains required in the following link.

2.3 Wireless Network

Within the Unifi Controller user interface > Settings > Wireless Networks, create a new network or edit the existing one in which the captive portal is to be integrated.

  • Name/SSID: Name of the WiFi network to be radiated by the APs. It must match the one configured in Octopus Platform.

  • Enabled: Enable this wireless network

  • Security: Open

  • Guest Policy: Apply guest policies (captive portal, guest authentication, access)

2.4 Secure login configuration option

It is recommended that the whole authentication process is encrypted and therefore that all interactions with Unifi Controller are done through HTTPS. The steps to implement this are shown below.

First, generate a certificate, taking into account the following considerations:

  • The certificate must have a subdomain associated with a DNS entry that resolves to the IP of Unifi Network Controller. The certificate can be wildcard, but the subdomain used must have the same DNS resolution.

  • Generate the certificate in "pfx" format, with alias "unifi" and password "aircontrolenterprise". Example of generation with OpenSSL:

    sudo openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt -certfile certificate.ca.crt -name "unifi"

  • Upload and import the certificate to the server where Unifi Controller is installed, paying attention to the path where it is stored.

    • For convenience, on Windows it is advisable to store it in the folder containing the Java executables: <Unidad_OS>:\Program Files\Java.

  • Using the CLI, go to the folder where the certificate is (on Windows, where the Java executable files are also located).

  • Enter the command:

    keytool.exe -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -srcalias unifi -destkeystore "<ruta_keystore>" -deststoretype jks -destalias unifi -deststorepass aircontrolenterprise
    • <ruta_keystore> on Linux: /usr/lib/unifi/data/keystore

    • <ruta_keystore> on Windows: <Unidad_OS>:\Users\<usuario>\Ubiquiti UniFi\data\keystore

    • <ruta_keystore> on Cloud Key: /var/lib/unifi/keystore

  • If everything is correct, restart Unifi Controller.

It is advisable to make a backup copy of the keystore file beforehand, in case something goes wrong and it is necessary to restore it.
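The certificate steps above (PFX export with alias "unifi", keystore backup, keytool import) as an added shell example that is not part of the Octopus or Ubiquiti documentation. It builds a constructed self-signed certificate for the assumed hostname unifi.example.test so it runs offline; the keystore path and working directory are assumptions, and the keytool import is skipped with a notice when Java is not installed on the machine running it.

```shell
#!/bin/sh
# Added example (not from the guide): build the "unifi" PFX, verify alias and password
# before touching the controller, back up the keystore and import with keytool.
set -eu

ALIAS="unifi"
STOREPASS="aircontrolenterprise"          # PFX/keystore password required by the guide
WORK="${WORK:-$(mktemp -d)}"              # assumption: scratch directory for key material
KEYSTORE="${KEYSTORE:-$WORK/keystore}"    # real path e.g. /usr/lib/unifi/data/keystore

# Constructed self-signed certificate standing in for the CA-issued one. The SAN is the
# subdomain that must resolve to the controller's IP (assumed name unifi.example.test).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=unifi.example.test" -addext "subjectAltName=DNS:unifi.example.test" \
    -keyout "$WORK/certificate.key" -out "$WORK/certificate.crt" 2>/dev/null
}

# Export key + certificate to PKCS#12 with the alias (friendlyName) the controller expects.
export_pfx() {
  openssl pkcs12 -export -out "$WORK/certificate.pfx" \
    -inkey "$WORK/certificate.key" -in "$WORK/certificate.crt" \
    -name "$ALIAS" -passout "pass:$STOREPASS"
}

# Check that the PFX opens with the expected password and carries the "unifi" alias:
# a wrong alias is a common reason the controller keeps serving its default certificate.
verify_pfx() {
  openssl pkcs12 -in "$WORK/certificate.pfx" -nokeys -clcerts \
    -passin "pass:$STOREPASS" 2>/dev/null | grep -q "friendlyName: $ALIAS"
}

# Back up the existing keystore (as the guide recommends), import, then confirm the alias.
import_into_keystore() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; run the import on the controller host" >&2
    return 0
  fi
  [ -f "$KEYSTORE" ] && cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"
  keytool -importkeystore -noprompt -srckeystore "$WORK/certificate.pfx" \
    -srcstoretype pkcs12 -srcstorepass "$STOREPASS" -srcalias "$ALIAS" \
    -destkeystore "$KEYSTORE" -deststoretype jks -destalias "$ALIAS" \
    -deststorepass "$STOREPASS" >/dev/null 2>&1
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1
}

# Full procedure; returns non-zero if any step fails, so nothing is restarted blindly.
prepare_unifi_cert() { make_test_cert && export_pfx && verify_pfx && import_into_keystore; }
```

With OpenSSL 3 and an older Java runtime, keytool may reject the default PKCS#12 encryption; adding `-legacy` to the export command produces a PFX that older keytool versions can read.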

Finally, changes must be made in the Unifi Controller web interface, inside the site configuration object, under Settings > Guest Control > GUEST POLICIES:

  • Redirection:

    • "Use secure portal"

    • Redirect using hostname, entering the subdomain assigned to the certificate, which resolves to the IP of Unifi Controller.

2.5 Authorized MAC addresses

To identify the site in Octopus Platform, it is necessary to add the MAC addresses to the platform. To obtain the list of MAC addresses, in the Unifi Controller configuration, go to the DEVICES section.

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 MAC Authentication

To enable MAC authentication, go to Configuration > Wireless Networks, open or edit the WLAN you want to configure and, in the RADIUS MAC Authentication section, set:

  • Enabled: Enable RADIUS MAC authentication

  • Radius Profile: select the RADIUS profile created in section 2.1 of the guide

  • MAC Address Format: aa:bb:cc:dd:ee:ff

  • Empty Password: Enable