UniFi Controller
CONFIGURATION GUIDE
The purpose of the following manual is to describe the necessary configuration of Ubiquiti equipment using the UniFi Controller platform for integration with Octopus Platform.
1- Pre-requisites
If there is a firewall in the network that might block the traffic, you will need to allow access to the following hosts and ports to enable user authentication:
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
For the Guest and Enterprise module configuration to work, the Octopus platform licenses with the respective modules must be contracted beforehand.
2- Guest module configuration
2.1 Radius server
First of all, the RADIUS servers to which the authentication and accounting requests will be sent must be created. To do this, in the web interface of the Unifi Network Controller, within the Site configuration object, select Settings > Profiles and then CREATE NEW RADIUS PROFILE. Fill in the following data:
Profile Name: Octopus_Radius
RADIUS Auth Server:
IP Address: <IP_Radius_1>
Port: 1812
Password/Shared Secret: <Secret>
IP Address: <IP_Radius_2>
Port: 1812
Password/Shared Secret: <Secret>
Accounting: Enable Accounting
Interim Update: Enable Interim Update
Interim Update Interval: 600s
RADIUS Accounting Server:
IP Address: <IP_Radius_1>
Port: 1813
Password/Shared Secret: <Secret>
IP Address: <IP_Radius_2>
Port: 1813
Password/Shared Secret: <Secret>
2.2 Captive Portal
As a first step it will be necessary to replace the login pages on the Unifi Controller server with the ones sent by the support team. The location in each Operating System is:
Linux: /usr/lib/unifi/data/sites/<site_name>/app-unifi-hotspot-portal
Windows: <Unidad_OS>:\Users\<usuario>\Ubiquiti UniFi\data\sites\<site_name>\app-unifi-hotspot-portal
Cloud Key: /srv/unifi/data/sites/<site_name>/app-unifi-hotspot-portal
The steps would be:
Copy the original pages to another folder (e.g. app-unifi-hotspot-portal-original) without altering the original folder. This way we keep them in case we want to use them again at some point.
Then paste the content of the new pages into the app-unifi-hotspot-portal folder, accepting the replacement of the files with the same name.
Once the new redirection pages are available, return to the Unifi Network Controller interface and within the Site, access Settings > Guest Control. In the GUEST POLICIES section:
Guest portal: Enabled Guest Controller
Authentication: Hotspot
Landing Page: Redirect to the original URL (This way it will be configured from Octopus Platform)
Redirection: all options disabled
Within PORTAL CUSTOMIZATION:
Template Engine: Angular JS
Override Default Templates: Override templates with custom changes
The rest of the values in this section do not apply.
In the HOTSPOT section:
RADIUS: Enable RADIUS-based authorization
Rest of values: Disabled
In the RADIUS section:
Profile: Octopus_Radius (Created in section 2.1)
Authentication type: CHAP
In the last section ACCESS CONTROL, the walled garden or domains with free access necessary for the operation of the captive portal must be added:
Pre-Authorization Access: add the basic domains required for operation and, depending on the selected access methods, consult the necessary domains in the following link.
2.3 Wireless Network
Within the Unifi Controller user interface > Settings > Wireless Networks, create a new network or edit the existing network in which we want to integrate the captive portal.
Name/SSID: Name of the WiFi network to be radiated by the APs. It must match the one configured in Octopus Platform.
Enabled: Enable this wireless network
Security: Open
Guest Policy: Apply guest policies (captive portal, guest authentication, access)
2.4 Secure login configuration option
It is recommended that the whole authentication process is encrypted and therefore all interactions with Unifi Controller are done through https. The different steps to implement it are shown below:
The first thing will be to generate a certificate, taking into account the following considerations:
The certificate must have a subdomain associated with a DNS entry that resolves to the IP of Unifi Network Controller. The certificate can be wildcard, but the subdomain used must have the same DNS resolution.
Generate the certificate in "pfx" format, with alias "unifi" and password "aircontrolenterprise" (openssl prompts for this export password when the command below runs). Example of generation with OpenSSL:
sudo openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt -certfile certificate.ca.crt -name "unifi"
Upload and import the certificate to the server where Unifi Controller is installed, paying attention to the path where it is stored.
For convenience, on Windows it is advisable to store it in the folder containing the Java executables, under <Unidad_OS>:\Program Files\Java.
Using the CLI, go to the folder where the certificate is (on Windows, the folder that also contains the Java executables, so that keytool.exe is found; on Linux and Cloud Key the command is simply keytool).
Enter the command (keytool prompts for the password of the PFX file):
keytool.exe -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -srcalias unifi -destkeystore "<ruta_keystore>" -deststoretype jks -destalias unifi -deststorepass aircontrolenterprise
<ruta_keystore> on Linux: /usr/lib/unifi/data/keystore
<ruta_keystore> on Windows: <Unidad_OS>:\Users\<usuario>\Ubiquiti UniFi\data\keystore
<ruta_keystore> on Cloud Key: /var/lib/unifi/keystore
If everything is correct, restart Unifi Controller.
It is advisable to make a copy of the keystore file beforehand, in case something goes wrong and it is necessary to restore it.
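The three steps above (export the PFX with the "unifi" alias, back up the keystore, import with keytool) wrapped as shell functions, as an added example that is not part of the original guide nor of Ubiquiti's or Octopus' own tooling. It assumes openssl and keytool are on the PATH and uses the UniFi keystore password "aircontrolenterprise" named in this section; the file names and keystore path in the usage comment are placeholders to be replaced with your own. The pfx_has_alias check confirms the bundle carries the alias UniFi looks up before the live keystore is touched.

```shell
#!/bin/sh
# Added example (not the guide's own commands): section 2.4 as repeatable functions.
# Assumes: openssl and keytool on PATH; UniFi keystore password = "aircontrolenterprise".

UNIFI_ALIAS="unifi"
UNIFI_STOREPASS="aircontrolenterprise"

# Step 1: bundle key + cert (+ optional CA chain) into a PKCS#12 file carrying
# the alias UniFi expects. Args: key cert output_pfx [ca_chain]
make_pfx() {
    key="$1"; crt="$2"; out="$3"; chain="$4"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
            -certfile "$chain" -name "$UNIFI_ALIAS" -passout "pass:$UNIFI_STOREPASS"
    else
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
            -name "$UNIFI_ALIAS" -passout "pass:$UNIFI_STOREPASS"
    fi
}

# Sanity check: the certificate bag must carry friendlyName "unifi", otherwise
# keytool's -srcalias lookup (and UniFi's own lookup) will not find it.
pfx_has_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$UNIFI_STOREPASS" 2>/dev/null \
        | grep -q "friendlyName: $UNIFI_ALIAS"
}

# Step 2: timestamped copy of the existing keystore so it can be restored.
backup_keystore() {
    store="$1"
    [ -f "$store" ] || return 1
    cp "$store" "$store.$(date +%Y%m%d%H%M%S).bak"
}

# Step 3: the guide's keytool import, with both passwords supplied
# non-interactively and -noprompt so an existing "unifi" entry is replaced.
import_pfx() {
    pfx="$1"; store="$2"
    keytool -importkeystore -noprompt \
        -srckeystore "$pfx" -srcstoretype pkcs12 \
        -srcstorepass "$UNIFI_STOREPASS" -srcalias "$UNIFI_ALIAS" \
        -destkeystore "$store" -deststoretype jks \
        -deststorepass "$UNIFI_STOREPASS" -destalias "$UNIFI_ALIAS"
}

# Usage on a Linux controller (placeholder file names; restart UniFi afterwards):
#   make_pfx certificate.key certificate.crt certificate.pfx certificate.ca.crt
#   pfx_has_alias certificate.pfx || { echo "alias missing"; exit 1; }
#   backup_keystore /usr/lib/unifi/data/keystore
#   import_pfx certificate.pfx /usr/lib/unifi/data/keystore
```

Run it as a script sourced on the controller host; each function returns non-zero on failure, so the usage sequence can be chained with && and stops before modifying the keystore if the PFX export or the alias check fails.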
Finally, changes must be made in the web interface of Unifi Controller configuration, inside the site configuration object Settings > Guest Control > GUEST POLICIES
Redirection:
"Use secure portal"
"Redirect using hostname": enter the subdomain assigned to the certificate, which resolves to the IP of Unifi Controller.
2.5 Authorized MAC addresses
To identify the site in Octopus Platform, it is necessary to add the MAC addresses to the platform. To obtain the list of MAC addresses, in the Unifi Controller configuration, go to the DEVICES section.
3- Enterprise module configuration
In order to integrate the configurations of this module with the platform, it is necessary to contract the Enterprise Module of Octopus Wifi.
3.1 MAC Authentication
To enable MAC authentication go to Configuration > Wireless Networks, open or edit the WLAN you want to configure and, in the RADIUS MAC Authentication section, set:
Enabled: Enable RADIUS MAC authentication
Radius Profile: Select Radius Profile (section 2.1 of the guide)
MAC Address Format: aa:bb:cc:dd:ee:ff
Empty Password: Enable
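With RADIUS MAC authentication the access point sends the client MAC as the RADIUS user name in exactly the format chosen above, so the entries on the RADIUS side (and the device MAC list of section 2.5) must use the same notation. The following helper is an added shell example, not part of the original guide, that canonicalises MAC addresses written with colons, hyphens, Cisco-style dots or as bare hex into aa:bb:cc:dd:ee:ff and rejects anything that is not exactly 12 hexadecimal digits.

```shell
#!/bin/sh
# Added example (not from the guide): normalise a MAC address to the
# aa:bb:cc:dd:ee:ff format selected in the RADIUS MAC Authentication section.
# Prints the canonical form and returns 0; returns 1 for malformed input.
normalize_mac() {
    # strip the separators of the common notations and lowercase the hex digits
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    # reject empty input and any non-hex character
    case "$hex" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    # a MAC address is exactly 48 bits = 12 hex digits
    [ "${#hex}" -eq 12 ] || return 1
    # re-insert a colon after every pair and drop the trailing one
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Normalise a whole file (one MAC per line), reporting lines that do not parse.
normalize_mac_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        normalize_mac "$line" || printf 'invalid MAC: %s\n' "$line" >&2
    done < "$1"
}

# Usage (constructed input):
#   normalize_mac 'AA-BB-CC-DD-EE-FF'   -> aa:bb:cc:dd:ee:ff
#   normalize_mac_file clients.txt > clients-normalised.txt
```

Feed it the exported client list before loading the RADIUS user database; any line flagged as invalid on stderr would otherwise become a user name that never matches what the access point sends.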