Now inside HSNM, select your Gateway, click the dropdown menu, choose Edit.

Expand the General Data session.

In the Hardware Type field, choose Ubiquiti.

Login to your Unifi controller and click the Settings icon on the bottom left.
On the left menu, scroll down to Wireless Networks and click Create New Wireless Network.

Configure with:

• Name/SSID–Edit the name for your network
• Enabled–Tick Enable this wireless network
• Security–Select Open
• Guest Policy–Tick Apply guest policies

Optional: expand the Advanced Options session and select the User Group (traffic shaping) that you will configure in the “User Group (Option)” paragraph.

Once completed, click the Save button to save the entry.

On the left menu, select Profiles and create the Radius profile.
In the Radius Profile header, enter the details as follows:

• Profile Name–Edit the name for your profile
• VLAN Support–Tick Enable RADIUS assigned VLAN and tick Enable RADIUS assigned VLAN for wireless network
• RADIUS Auth Server–Edit the Port and insert the Secret
• Accountings–Tick Enable accounting
• Interim Update–Tick Enable Interim Update (see note above)
• Interim Update Interval–Edit the time
• RADIUS Accounting Server–Edit the Port and insert the Secret

Troubleshoot: Interim Update

Now, you need to set up the guest policies. From the Settings menu on the left, open the Guest Control page.
In the Guest Policies header, enter the details as follows:

• Guest Portal–Tick Enable Guest Portal
• Authentication–Select Hotspot
• Landing Page–Select Redirect to the original URL

Once you have completed the above steps, in the Portal Customisation header, enter the details as follows:

• Template Engine–Select Angular JS
• Override Default Template–Tick Override templates with custom changes
• Title–Edit the title for your welcome portal

In the Hotspot header, tick Enable RADIUS base authorisation

In the Radius header, enter the details as follows:

• Profile–Choose the profile you have previously edited in the “Radius Profile” paragraph
• Authentication Type–Select CHAP
• Disconnect Request–Tick Accept incoming disconnect request
• Receiver Port–Edit a port that should be the same as in the “Downloading the Configuration Files” Step 5 (including HSNM) and prerequisites (for forwarding)

In the Access Control header, in the Pre-Authorization Access fields configure with:

• The public or private IP class of your HSNM and in addition any FQDN that points to it
• The network class of the private LAN
• Optional: in the Post-Authorization Restrictions fields, you need to add the network class of the USG WAN, so guests cannot access your public network.

Upon completion of the above steps, click the Apply Changes button to finish.

On the left menu, scroll down to User Group and click Create New User Group.

Configure with Name, Bandwidth Limit (Download), Bandwidth Limit (Upload)

Upon completion of the above steps, click the Save button to finish.

Now you need to apply the User Group to your network. On the left menu, scroll down to Wireless Networks and select your Wireless Network.

Expand the Advanced Options section and select the User Group you have just created.

Now access your HSNM and select your gateway. In the Hardware Type section, select Ubiquiti UniFi Controller

From the context menu of the gateway, press Download Gateway Config Files to download the configuration zip file.

Once the zip file is unpacked, you will find the following files:

• authorize.html
• index.html

The files must be edited in the Ubiquiti Themes folder. The paths vary depending on the SO where the Ubiquiti Controller is installed:

• Windows: C:\Users\<username>\Ubiquiti UniFi\data\sites\default\app-unifi-hotspot-
  portal
• MAC: ~/Library/Application Support/UniFi/data/sites/default/app-unifi-hotspot-portal
• Linux: /usr/lib/unifi/data/sites/default/app-unifi-hotspot-portal
• For some Linux installation path will be: /opt/unifi/data/sites/default/app-unifi-hotspot-portal
• CloudKey: /srv/unifi/data/sites/default/app-unifi-hotspot-portal

For some Linux distributions, path may differ:
/opt/UniFi/data
/var/opt/UniFi/data

In your firewall, configure the port forward to accept disconnection requests from your HSNM (the same as in the “Radius Authentication and Access Control” paragraph and prerequisites).

You need to create the rule must with the following characteristics:

1. enable it
2. limit it to the public IP of your HSNM (optional but we suggest it for security reason)
3. the port must be the same set up in the “Radius Authentication and Access Control” paragraph and chosen in the prerequisites
4. address it to the LAN IP address of the Unifi controller
5. select the UDP protocol
6. afterwards in your HSNM > gateway. configure the Radius section as follows

For Ubiquiti-type gateways, you need to enable these settings for the reasons listed below:

• Force disconnections: if enabled, connections that have not received updates from the gateway for the ‘Interim Update’ time defined in the Product Policy plus the Timeout for Idle’ value are automatically closed.

• Send disconnections requests to the gateway: in addition to forcing disconnections, it also sends a radius disconnection request to the gateway. Some types of gateways (e.g. Ubiquiti) may not send the stop to the radius and consider the device always active. If enabled, the gateway has to be reachable for the UDP port indicated in the “Radius Authentication and Access Control” paragraph.
• Port for disconnection requests: port used by the gateway to accept disconnection requests. It is usually the 3799 but can vary depending on the type of gateway. It is the same one configured in the “Radius Authentication and Access Control” paragraph and opened in the firewall at the beginning of Step 5 in the “Downloading the Configuration Files” paragraph.
• Check consumption by users: If the gateway does not support all the necessary radius attributes and the appliance is able to send disconnection requests (points listed above), it periodically checks the consumption of the logged-in users and if time/traffic limits are reached or at expiration, disconnects the user.

Decide which FQDN to dedicate to the Unifi controller (in our test unifi.http://hsnm1.hsnetworkmanager.com.com)

Purchase a valid certificate (in our case wildcard certificate .http://hsnm1.hsnetworkmanager.com.com)

Make sure that you have the complete chain (cert, intermediate, root) of your own certificate because UNIFI controller requires it. If you already have the full chain, then skip to the HTTPS keystore section otherwise continue in this section.

Purchase a valid certificate (in our case wildcard certificate .HSNM.com)

If the full chain is not available, you can use the following online utility: https://tools.keycdn.com/ssl to trace the correct concatenation.

Install the following software https://keystore-explorer.org/downloads.html

Create a new JKS-type keystore

Click on Tools > Import Key Pair

Select the certificate format (in our case we used PKCS #8)

Select the key and the concatenated fullcert you created earlier

Uncheck Encrypted Private Key if you don’t have any type of passphrase set for the certificate, or type the Decryption Password of your certificate

Click Import and choose Unifi as alias

Set as password aircontrolenterprise and as key pair and re-insert it for confirmation

Click on File > Save as

Set the keystore password aircontrolenterprise

Upload the new file created in the Unifi folder by replacing the existing “keystore” file.
The path of the file depends on the SO version where the UniFi controller is installed.

Restart ace.jar or the controller directly in case, for example, it is installed in a WINDOWS environment.

Optional: to verify from the front end of the controller that the installation was successful, change the hosts file to point the public IP with which the USGWAN exits, to a valid FQDN for the certificate:
C:\Windows\system32>notepad c:\Windows\System32\drivers\etc\hosts

Save the change and through CMD, test the real changes of the host file with the command:
Ping execution unifi.valid-certificate-FQDN.com [IPCONFIG] with 32 bytes of data
Reply from IPCONFIG: byte=32 time=1ms TTL=62
Reply from IPCONFIG: byte=32 time<1ms TTL=62

Go to the Settings menu, then scroll down to Routing & Firewall and select Port Forwarding. Enter the details as follows:

• Name–Edit the name for your port forward rule
• Enabled–Tick Enable this port forward rule
• From–Select Limited
• Port–Enter 8443
• Forward IP–Enter 10.0.150.100 (example)
• Forward Port–Enter 8443
• Protocol–Select TCP

Click Save in the bottom left corner of the page. Your selected entries are saved

Go to the Settings menu, then scroll down to Routing & Firewall and select Port Forwarding.
Select the options as follows:

• Name–Enter the name (e.g. 8843toController)
• Enabled–Tick Enable this port forward rule
• From–Select Limited and enter the controller IP 10.0.150.1/24
• Port–Enter 8843
• Forward IP–Enter 10.0.150.100
• Forward Port–Enter 8843
• Protocol–Select TCP

Click Save in the bottom left corner of the page. Your selected entries are saved.

Go to the Settings menu, then scroll down to Guest Control.
Select the options as follows:

• Use Secure Portal–Tick it
• Redirecting Using Hostname–Set up the same FQDN you tested in the “HTTPS Keystore” paragraph or a valid entry for the certificate you have configured.
• Enable HTTPS Redirection–Tick it

Once completed, click the Save button

Now you need to recover the SSH access password of the devices.
Go to the Settings menu, then scroll down to Site.
Select the options as follows:

• DHCP Snooping–Tick Enable DHCP Snooping
• Automatically Optimite Network and WiFi performance–Switch ON
• SSH Authentication–Tick Enable SSH authentication
• Username–Enter the username
• Password–Enter the password

Use a shell to access via SSH to your own USG and enter the following STATIC DNS:
sudo vi /etc/dnsmasq.d/dnsmasq.static.conf
digit
address=/chosenhostname in the previous point/CONTOLLERIPLANPRIVATE
in our case
address=/unifi.valid-certificate-FQDN.com/10.0.150.100
save the new (:wq) file creted and run
sudo /etc/init.d/dnsmasq force-reload

Execute a ping text to unifi valid-certificate-FQDN.com from the USG.
If the solved IP is the one just edited, you have successfully executed the STATIC DNS.

admin@USG:~$ ping unifi. valid-certificate-FQDN.com
PING unifi (10.0.150.100) 56(84) bytes of data.
64 bytes from unifi (10.0.150.100): icmp_req=1 ttl=128 time=1.19 ms
64 bytes from unifi (10.0.150.100): icmp_req=2 ttl=128 time=0.758 ms

Go to the Settings menu, then scroll down to Networks
Enter the details as follows:

• Name–Enter the name
• Purpose–Select Corporate
• Network Group–Select LAN
• Gateway/Subnet–Enter the details of your gateway and network IP
• Domain Name–Edit as domain name the domain belonging to the FQDN set up in the previous step.
• DHCP Mode–Select DHCP Server
• DHCP Name Server–Select Auto
• DHCP Gateway IP–Select Auto
• DHCP Unifi Controller–Enter the IP of your controller

Click the Save button that displays at the bottom left of the window.