This chapter describes how to configure Ubiquiti (with or without using the USG), version equal to or greater than 7.1.66.
Before proceeding further with the configuration, you need to configure HSNM with a domain and a gateway as described in Adding a New Gateway.
The prerequisites required for configuration are:
When you set the Secret Radius in your HSNM do not exceeds 12 digits code and do not use symbols, otherwise UniFi will not send it correctly.
Now inside HSNM, select your Gateway, click the dropdown menu, and choose Edit.
Expand the General Data session.
In the Hardware Type field, choose Ubiquiti UniFi Controller.
Login to your UniFi controller and click the Settings icon on the bottom left.
On the left menu, select WiFI and click Create New WiFi Network. Configure with:
In the Advanced Configuration session, select Manual.
In the WiFi Type, tick Guest Hotspot
Once completed, click Add WiFi Network at the bottom right.
On the left menu, select Profiles and scroll down till RADIUS.
Click Create New RADIUS Profile.
In the Radius Profile header, enter the details as follows:
In the IP Address fields enter the public IPs of the Radius server of your HSNM Radius and its relevant Secret.
In order to add the Secret you need to get it from your HSNM as described in the Radius Secret paragraph.
Caution: it will use the value you edit here and not the value you enter in the Product Policy. This value must be equal to or lower than the value entered in the products you set up for the users.
Caution: Ubiquiti UniFi Controller does not support or has errors in accounting radius. The data is correct only if the system is able to reach the UniFi controller (normally with NAT or VPN rules) and compensate directly for failings. If not possible, we recommend you to use this type of gateway only to authenticate users. You cannot parametrize the user data rate in the Products, you can define it only in the controller.
Now, you need to set up the guest hotspot.
From the Settings menu on the left, under profile, edit the default Guest Hotspot profile.
Enter the details as follows:
Ignore any update message about portal customization.
Click the Apply Change button to save the entries.
Now you need to configure the Walled Garden.
From the Settings menu, select Guest Hotspot.
Scroll down to Allowed Authorization Access Access
Add one by one the IP address or domains you need for social login, payments, etc.
Click Apply Changes to save the entries.
To know the accurate and relevant Walled Garden, you need to add one by one, access your HSNM platform and click the contextual dropdown menu of your gateway. Then select Download Walled Garden to get a .txt file with your accurate walled garden list as shown Figure Download Walled Garden.
Now you have the ability to limit the bandwidth assigned to the guests, by creating a Bandwidth Profile.
From the Settings menu, select Profiles.
Scroll down to Bandwidth Profile and click Create New Bandwidth Profile.
Configure with Name, Bandwidth Limit (Download), Bandwidth Limit (Upload)
Upon completion of the above steps, click the Apply Changes to save.
From the context menu of the gateway, press Download Gateway Config Files to download the configuration zip file.
Once the zip file is unpacked, you will find the following files:
The files must be edited in the Ubiquiti Themes folder. The paths vary depending on the SO where the Ubiquiti Controller is installed:
you don’t need to edit the MAC address of the gateway in your &DEVICE%.
In your firewall, configure the port forward to accept disconnection requests from your HSNM (the same as in the “Radius Authentication and Access Control” paragraph and prerequisites).
You need to create the rule must with the following characteristics:
For Ubiquiti-type gateways, you need to enable these settings for the reasons listed below:
From the Settings menu on the left, scroll down to Networks and enter the default one.
In the Gateway IP/Subnet enter the IP address of your LAN/Internet gateway and your LAN network.
If you are using the USG and it is rightly adopted from the Ubiquiti UniFi Controller, In the Gateway IP/Subnet the IP address will be automatically filled with the LAN IP set on your USG, and you can skip the below steps
Scroll down to Advanced Configuration and select Manual (only if you are NOT using USG)
Disable the internal DHCP by selecting None in the DHCP Mode (only if you are NOT using the USG).
In case you need to configure the access over HTTPS, you need to follow the steps below:
Decide which FQDN to dedicate to the UniFi controller (e.g. unifi.yourdomainhsnetworkmanager.com)
Purchase a valid certificate (in our case wildcard certificate .*yourdomainhsnetworkmanager.com)
Make sure that you have the complete chain (cert, intermediate, root) of your own certificate because the UniFi controller requires it. If you already have the full chain, then skip to the HTTPS keystore section otherwise continue in this section.
Purchase a valid certificate (in our case wildcard certificate *.yourdomain.com)
If the full chain is not available, you can use the following online utility: https://tools.keycdn.com/ssl to trace the correct concatenation.
In our test we initially had the CRT and CA-intermediate and not the root. (You can deduct it that in the form we have pasted only 2 —–BEGIN CERTIFICATE—– —–END CERTIFICATE—–).
After a small search we went back to the missing root certificate (in the previous box identified by ISSUER CN):
and the root certificate in our case, is available at the issuer’s official website:
https://knowledge.digicert.com/generalinformation/INFO4033.html#links.
Beware, this may vary depending on the issuer you choose for the certificate.
Once we have the entire chain available, repeat the verification on the site https://tools.keycdn.com/ssl to make sure that the complete chain is now correct.
(This time the —–BEGIN CERTIFICATE—– —–END CERTIFICATE—– should be 3)
We should be in this final situation:
With a text or client editor, we put certificate-intermediate-root into a single file, in the order in which we tested it in the online tool.
In our case, we will name the final file as fullcert.crt
Install the following software https://keystore-explorer.org/downloads.html
Create a new JKS-type keystore
Click on Tools > Import Key Pair
Select the certificate format (in our case we used PKCS #8)
Select the key and the concatenated fullcert you created earlier
Uncheck Encrypted Private Key if you don’t have any type of passphrase set for the certificate, or type the Decryption Password of your certificate
Click Import and choose UniFi as alias
Set as password aircontrolenterprise and as key pair and re-insert it for confirmation
Click on File > Save as
Set the keystore password aircontrolenterprise
Upload the new file created in the UniFi folder by replacing the existing “keystore” file.
The path of the file depends on the SO version where the UniFi controller is installed.
Restart ace.jar or the controller directly in the case, for example, it is installed in a WINDOWS environment.
If you are NOT using the USG, you have to configure in your gateway the static DNS route (prerequisites) of the FQDN chosen towards the LAN IP of your UniFi Controller (in our case unifi..com – 192.168.1.90)
If you are using the USG, If you are using the USG, you have to configure in your USG the static DNS entry (prerequisites) for the FQDN chosen towards the LAN IP of your UniFi Controller(e.g. unifi.yourdomain.com – 192.168.1.90).
For further details on how to perform that, read the paragraph “HTTPS Welcome Portal”.
At this time, we can invoke the controller via browser (your gateway IP in a pc/mac in the same network with the first DNS) with the newly configured FDQN. In case the installation of the certificate is successful, you will reach the portal in HTTPS.
If you are using the USG and you have not yet created the static DNS entry for the FQDN on USG, you can, in any case, invoke the controller via the FQDN. Simply change the hosts file, on the PC where you would connect, in order to point the USG IP to the valid FQDN (used for the certificate):
C:\Windows\system32>notepad c:\Windows\System32\drivers\etc\hosts
Save the change and through CMD, test the real changes of the host file with the command:
Ping execution unifi.valid-certificate-FQDN.com [IPCONFIG] with 32 bytes of data
Reply from IPCONFIG: byte=32 time=1ms TTL=62
Reply from IPCONFIG: byte=32 time<1ms TTL=62
If you do not get this point with the certificate correctly installed, you will need to check all the previous steps described in the current “HTTPS Keystore” paragraph.
From the Settings menu on the left, under Profiles, edit the default Guest Hotspot and on Redirection, be sure the following options are selected:
On textbox, set the same FQDN you tested in the “HTTPS Keystore” paragraph or a valid entry for the certificate you have configured
Click the Apply Change button to save the entries.
Note ONLY If you are using the USG, now you have to follow the other following steps to set a static DNS entry for the FDQN used to reach the UniFi Controller
Now you need to recover the SSH access password of the devices.
Go to the Settings menu, then scroll down to System.
Scroll down to Network Device SSH Authentication
Enter the details as follows:
Use a shell to access via SSH your USG and enter the following STATIC DNS:
sudo vi /etc/dnsmasq.d/dnsmasq.static.conf
digit
address=/chosenhostname in the previous point/CONTOLLERIPLANPRIVATE
in our case
address=/unifi.yourdomain.com/192.168.1.100
save the new (:wq) file created and run
sudo /etc/init.d/dnsmasq force-reload
Execute a ping text to unifi.yourdomain.com from the USG console.
If the solved IP is the one just edited, you have successfully executed the STATIC DNS.
admin@USG:~$ ping unifi.yourdomain.com
PING unifi (192.168.1.100) 56(84) bytes of data.
64 bytes from unifi (192.168.1.100): icmp_req=1 ttl=128 time=1.19 ms
64 bytes from unifi (192.168.1.100): icmp_req=2 ttl=128 time=0.758 ms
Step 7 This procedure will become permanent even if the USG is re-provisioned.