wiki.wi5stars.com
193.238.77.60

URL: https://wiki.wi5stars.com/?contenuto=configuring-ubiquiti-without-usg-gateway
Submission: On September 07 via api from US — Scanned from IT

Text Content

 Wi5stars-Configuring Ubiquiti without USG

www.wi5stars.com
Gateway & AP – Set-Up Guide




Configuring Ubiquiti without USG

This chapter describes how to configure Ubiquiti without a USG, for versions
equal to or greater than 5.12.66.
Before proceeding with the configuration, you need to configure your
Wi5stars with a domain and a gateway as described in Adding a New Gateway.




PREREQUISITES

The prerequisites required for configuration are:

 * Ubiquiti controller version >= 5.12.66 installed on a PC / Mac connected to
   the private LAN
 * UniFi AP connected to the same LAN
 * Wi5stars version >= 7.0.142
 * Ability to configure a port forward (refer to “Radius Authentication and
   Access Control”) for Radius responses to the Unifi controller
 * Optional: if you want to use HTTPS login, you need to use a gateway that
   allows you to enter a static DNS route (in our case 192.168.1.1 is a MikroTik
   router).
 * If you only need HTTP and not HTTPS, you can stop at Step 8 of the
   “Downloading the Configuration Files” chapter, and you won’t need any
   particular gateway.
 * Wi5stars gateway configured with Ubiquiti hardware type
   1. Inside Wi5stars, select your Gateway, click the dropdown menu and choose
      Edit.
   2. Expand the General Data section.
   3. In the Hardware Type field, choose

When you set the Radius Secret in your Wi5stars, do not exceed a 12-digit code
and do not use symbols, otherwise UniFi will not send it correctly.




WIRELESS NETWORK


STEP 1

Login to your Unifi controller and click the Settings icon on the bottom left.
On the left menu, scroll down to Wireless Networks and click Create New Wireless
Network.

Configure with:

 * Name/SSID–Edit the name for your network
 * Enabled–Tick Enable this wireless network
 * Security–Select Open
 * Guest Policy–Tick Apply guest policies




STEP 2

Optional: expand the Advanced Options section and select the User Group (traffic
shaping) that you will configure in the “User Group (Option)” paragraph.


STEP 3

Once completed, click the Save button to save the entry.





RADIUS PROFILE


STEP 1

On the left menu, select Profiles and create the Radius profile.
In the Radius Profile header, enter the details as follows:

 * Profile Name–Edit the name for your profile
 * VLAN Support–Tick Enable RADIUS assigned VLAN and tick Enable RADIUS assigned
   VLAN for wireless network
 * RADIUS Auth Server–Edit the Port and insert the Secret
 * Accountings–Tick Enable accounting
 * Interim Update–Tick Enable Interim Update (see note above)
 * Interim Update Interval–Edit the time
 * RADIUS Accounting Server–Edit the Port and insert the Secret



In the IP Address fields, enter the public IPs of your Wi5stars Radius server
and the relevant Secret.
To add the Secret, you need to get it from your Wi5stars as described in
the Radius Secret paragraph.

Troubleshoot: Interim Update

The Interim Update value you set here is used, not the value you enter in the
Product Policy. This value must be equal to or lower than the value entered in
the products you set up for the users.

Ubiquiti UniFi Controller either does not support Radius accounting or handles
it with errors. The data is correct only if the system is able to reach the
UniFi controller (normally with NAT or VPN rules) and compensate directly for
failings. If this is not possible, we recommend that you use this type of
gateway only to authenticate users. You cannot parameterize the user data rate
in the Products; you can define it only in the controller.




GUEST POLICIES AND PORTAL CUSTOMISATION


STEP 1

Now, you need to set up the guest policies. From the Settings menu on the left,
open the Guest Control page.
In the Guest Policies header, enter the details as follows:

 * Guest Portal–Tick Enable Guest Portal
 * Authentication–Select Hotspot
 * Landing Page–Select Redirect to the original URL



Once you have completed the above steps, in the Portal Customisation header,
enter the details as follows:

 * Template Engine–Select Angular JS
 * Override Default Template–Tick Override templates with custom changes
 * Title–Edit the title for your welcome portal

Ignore any update message about portal customization.





RADIUS AUTHENTICATION AND ACCESS CONTROL

Now in the same page, the next step is to set up the Radius authentication and
access control.


STEP 1

In the Hotspot header, tick Enable RADIUS base authorisation




STEP 2

In the Radius header, enter the details as follows:

 * Profile–Choose the profile you have previously edited in the “Radius Profile”
   paragraph
 * Authentication Type–Select CHAP
 * Disconnect Request–Tick Accept incoming disconnect request
 * Receiver Port–Edit a port that should be the same as in the “Downloading the
   Configuration Files” Step 5 (including Wi5stars) and prerequisites (for
   forwarding)




STEP 3

In the Access Control header, in the Pre-Authorization Access fields configure
with:

 * The public or private IP class of your Wi5stars and in addition any FQDN that
   points to it
 * The network class of the private LAN
 * Optional: the FQDN chosen for the UniFi controller for HTTPS authentication

In the access control section, always enter IPs with CIDR notation even for
individual IPs (e.g. 1.1.1.1/32).




STEP 4

Upon completion of the above steps, click the Apply Changes button to finish.




USER GROUP (OPTION)

Now you have the ability to limit the bandwidth assigned to the guests, by
creating a User Group.


STEP 1

On the left menu, scroll down to User Group and click Create New User Group.


STEP 2

Configure with Name, Bandwidth Limit (Download), Bandwidth Limit (Upload)


STEP 3

Upon completion of the above steps, click the Save button to finish.



The speed you set up here is applied, not the one in the Product Policy in
your Wi5stars.


STEP 4

Now you need to apply the User Group to your network. On the left menu, scroll
down to Wireless Networks and select your Wireless Network.


STEP 5

Expand the Advanced Options section and select the User Group you have just
created.




DOWNLOADING THE CONFIGURATION FILES


STEP 1

From the context menu of the gateway, press Download Gateway Config Files to
download the configuration zip file.


STEP 2

Once the zip file is unpacked, you will find the following files:

 * authorize.html
 * index.html


STEP 3

The files must be edited in the Ubiquiti Themes folder. The path varies
depending on the OS where the Ubiquiti Controller is installed:

 * Windows: C:\Users\<username>\Ubiquiti UniFi\data\sites\default\app-unifi-hotspot-portal
 * Mac: ~/Library/Application Support/UniFi/data/sites/default/app-unifi-hotspot-portal
 * Linux: /usr/lib/unifi/data/sites/default/app-unifi-hotspot-portal
 * For some Linux installations the path will be:
   /opt/unifi/data/sites/default/app-unifi-hotspot-portal
 * CloudKey: /srv/unifi/data/sites/default/app-unifi-hotspot-portal

You don’t need to edit the MAC address of the gateway in your Wi5stars.


STEP 4

In your firewall, configure the port forward to accept disconnection requests
from your Wi5stars (the same as in the “Radius Authentication and Access
Control” paragraph and prerequisites).

You need to create the rule with the following characteristics:

 1. enable it
 2. limit it to the public IP of your Wi5stars (optional, but we suggest it for
    security reasons)
 3. the port must be the same one set up in the “Radius Authentication and
    Access Control” paragraph and chosen in the prerequisites
 4. address it to the LAN IP address of the Unifi controller
 5. select the UDP protocol
 6. afterwards, in your Wi5stars > gateway, configure the Radius section as
    follows





STEP 5

For Ubiquiti-type gateways, you need to enable these settings for the reasons
listed below:

 * Force disconnections: if enabled, connections that have not received updates
   from the gateway for the ‘Interim Update’ time defined in the Product Policy
   plus the ‘Timeout for Idle’ value are automatically closed.
 * Send disconnections requests to the gateway: in addition to forcing
   disconnections, it also sends a radius disconnection request to the gateway.
   Some types of gateways (e.g. Ubiquiti) may not send the stop to the radius
   and consider the device always active. If enabled, the gateway has to be
   reachable on the UDP port indicated in the “Radius Authentication and Access
   Control” paragraph.
 * Port for disconnection requests: port used by the gateway to accept
   disconnection requests. It is usually 3799 but can vary depending on the
   type of gateway. It is the same one configured in the “Radius Authentication
   and Access Control” paragraph and opened in the firewall at the beginning of
   Step 5 in the “Downloading the Configuration Files” paragraph.
 * Check consumption by users: if the gateway does not support all the necessary
   radius attributes and the appliance is able to send disconnection requests
   (points listed above), it periodically checks the consumption of the
   logged-in users and, if time/traffic limits are reached or at expiration,
   disconnects the user.


STEP 7

Go to the Settings menu, then scroll down to Networks and enter the IP address
of your external gateway.


STEP 8

Disable the internal DHCP of your Unifi Controller by ticking None in the DHCP
Mode field.





HTTPS FULLCHAIN

If you need to configure access over HTTPS, follow the steps below:


STEP 1

Decide which FQDN to dedicate to the Unifi controller (in our test unifi..com)


STEP 2

Purchase a valid certificate (in our case wildcard certificate ..com)


STEP 3

Make sure that you have the complete chain (cert, intermediate, root) of your
own certificate, because the UniFi controller requires it. If you already have
the full chain, skip to the HTTPS Keystore section; otherwise continue in this
section.


STEP 4

Purchase a valid certificate (in our case wildcard certificate .Wi5stars.com)


STEP 5

If the full chain is not available, you can use the following online utility:
https://tools.keycdn.com/ssl to trace the correct concatenation.



In our test we initially had the CRT and the CA intermediate, but not the root.
(You can deduce this from the fact that the form we pasted contains only 2
-----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks.)
After a short search we traced the missing root certificate (identified by
ISSUER CN in the previous box):



The root certificate, in our case, is available at the issuer’s official
website:
https://knowledge.digicert.com/generalinformation/INFO4033.html#links

Beware, this may vary depending on the issuer you choose for the certificate.

Once the entire chain is available, repeat the verification on the site
https://tools.keycdn.com/ssl to make sure that the complete chain is now
correct.
(This time there should be 3 -----BEGIN CERTIFICATE----- / -----END
CERTIFICATE----- blocks.)
We should be in this final situation:



With a text or CLI editor, we put certificate, intermediate and root into a
single file, in the order in which we tested them in the online tool.
In our case we will name the final file fullcert.crt.
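
The same ordering check can be done offline before the keystore is built. The following is an added example, not part of the original guide or of any Wi5stars or Ubiquiti tooling: it counts the PEM blocks and confirms that each certificate's issuer matches the next certificate's subject and that the last one is self-issued. It compares names only (it does not verify signatures); the `expected` parameter and the `fake_cert` helper, which builds constructed name-only skeletons as sample input, are assumptions of this example.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) of an X.509 certificate as raw DER bytes."""
    p = _tlv(der, _tlv(der, 0)[1])[1]  # step into Certificate, then TBSCertificate
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                    # optional [0] version field
        p = end
    fields = []
    for _ in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, p)
        fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def check_fullchain(pem_text, expected=3):
    """Return a list of problems; empty means cert -> intermediate -> root order."""
    pairs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    problems = []
    if len(pairs) != expected:
        problems.append(f"expected {expected} certificates, found {len(pairs)}")
    for i in range(len(pairs) - 1):    # each issuer must equal the next subject
        if pairs[i][0] != pairs[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if pairs and pairs[-1][0] != pairs[-1][1]:
        problems.append("last certificate is not a self-issued root")
    return problems

def _der(tag, *parts):  # constructed sample data only: short-form lengths (<128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    """Constructed certificate skeleton (names only, no key or signature) as PEM."""
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", _der(0x30),
               name(issuer), _der(0x30), name(subject))
    body = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

On a real file, `check_fullchain(open("fullcert.crt").read())` returns an empty list when the three blocks are in the order described above.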




HTTPS KEYSTORE


STEP 1

Install the following software https://keystore-explorer.org/downloads.html


STEP 2

Create a new JKS-type keystore


STEP 3

Click on Tools > Import Key Pair


STEP 4

Select the certificate format (in our case we used PKCS #8)


STEP 5

Select the key and the concatenated fullcert you created earlier


STEP 6

Uncheck Encrypted Private Key if you don’t have any type of passphrase set for
the certificate, or type the Decryption Password of your certificate




STEP 7

Click Import and choose Unifi as alias


STEP 8

Set aircontrolenterprise as the key pair password and re-enter it for
confirmation


STEP 9

Click on File > Save as


STEP 10

Set the keystore password aircontrolenterprise


STEP 11

Upload the newly created file to the Unifi folder, replacing the existing
“keystore” file.
The path of the file depends on the OS where the UniFi controller is
installed.


STEP 12

Restart ace.jar, or restart the controller directly if, for example, it is
installed in a Windows environment.


STEP 13

In your gateway, configure the static DNS route (see prerequisites) from the
chosen FQDN to the LAN IP of your Unifi Controller (in our case unifi..com –
192.168.1.90)

At this point, we can open the controller in a browser (on a PC/Mac in the same
network with your gateway IP as first DNS) using the newly configured FQDN. If
the installation of the certificate was successful, you will reach the portal
over HTTPS.



If you do not reach this point with the certificate correctly installed, you
will need to check all the previous points described in the current “HTTPS
Keystore” paragraph.




HTTPS WELCOME PORTAL

In this section, you can configure the ability to use the HTTPS protocol.


STEP 1

Go to the Settings menu, then scroll down to Guest Control.
Select the options as follows:

 * Use Secure Portal–Tick it
 * Redirecting Using Hostname–Set up the same FQDN entered in the DNS static
   route
 * Enable HTTPS Redirection–Tick it




STEP 2

Click Save in the bottom left corner of the page. Your selected entries are
saved.




CONFIGURING THE HTTPS NETWORK

By default, Ubiquiti does not allow using a DNS outside the controller.
To allow the use of your gateway (where you have entered the DNS static route),
you need to perform these steps:


STEP 1

Go to the Settings menu, then scroll down to Site


STEP 2

Tick Enable Advanced Features and disable Optimize Network.




STEP 3

As the primary DNS of the AP, you need to enter the IP of your gateway, as in
the image that follows:



You can now redirect to the Welcome Portal over a secure HTTPS connection.

