Ubiquiti WLAN & FreeRadius Dynamic VLANs

I recently got a Unifi AP AC Lite for my home and decided to consolidate my SSIDs into one.

In my configuration example i use a single SSIDs for my client devices (mobile phones, notebook) and the same SSIDs for guest users.

The basic idea is to secure the SSID with a PSK and let the Radius Server assign VLANs based on MAC adresses. My management VLAN has the ID 10, the Client VLAN has the ID 20 and the Guest VLAN has the ID 30. You can assign as many dynamic VLANs to your clients as you want, just be sure that all those VLANs you assigned are tagged on the AP’s port.

Im running the UniFi Controller Version 5.12.35 and freeRadius 3.0.20 with both appliances on their own Ubuntu 18.04 LTS virtual machine. This version of the UniFi Controller offers an optional, new Settings Site which lacks some settings that we are going to use, so stick with the old Settings page for now.

We start with setting up the basics on the freeRadius server. Edit the file /etc/freeradius/clients.conf to allow clients to connect to the server (we need the Access Point(s) to talk to the Radius server, not the UniFi controller!). So we add the following block to it:

client unifiAP {
  ipaddr = <IP of AP>
  secret = <your_secret>
}

The secret can be any string of ASCII characters. We need it on the UniFi Controller, where we add the radius server next: Go to Settings – Profiles – RADIUS and click „Create new radius profile“. Give the profile a name, select „Enable RADIUS assigned VLAN for wireless network“, add your radius IP, port (1812 by default) and secret.

Go to Settings – Wireless Networks and create a new wireless network. Fill in the basic configuration like SSID, WPA Personal and PSK. At the bottom of the advanced options there’s a „Radius MAC authentication“-section. Open it, click „Enable RADIUS MAC authentication“ and select the Radius profile from above. You can select which MAC Address Format you like, i just left it default and made sure to unselect „Empty Password“.

After saving, scroll up again and check for the VLAN setting, it should say „RADIUS assigned VLAN“ grayed out since we enabled the RADIUS profile with „Enable RADIUS assigned VLAN for wireless network“.

Connecting to the SSID now will always give you a reject, since the RADIUS server has a user list, which is empty, and the default action is to send a „Reject“.

The next step is needed for the AP to understand the reply from the radius server. Edit the file /etc/freeradius/mods-available/eap and look for the following block under ttls:

                #  The reply attributes sent to the NAS are usually
                #  based on the name of the user 'outside' of the
                #  tunnel (usually 'anonymous').  If you want to send
                #  the reply attributes based on the user name inside
                #  of the tunnel, then set this configuration entry to
                #  'yes', and the reply to the NAS will be taken from
                #  the reply to the tunneled request.
                #
                #  allowed values: {no, yes}
                #
                use_tunneled_reply = no

Change use_tunneled_reply = no to yes. The same line is in the block peap, change it there aswell.

Since i want to use the SSID for guests, i need the Radius to default to „Allow“, because i can’t create a user for every guest device in the future. The users are defined in the file /etc/freeradius/users. Adding the following line will change the Auth-Type sent for every unknown user:

DEFAULT Auth-Type := Accept

Restart the freeradius service with sudo systemctl restart freeradius for the changes to take effect.

Connecting to the SSID now is going to work since the radius server sends „Allow“ for every unknown user. But there are no VLAN-Tags in any of the replies, so your client will just be in the network of your APs management network (in my case VLAN 10).

We have to add 2 more things for it to finally work: Default all unknown clients to VLAN 30 and send known clients to VLAN 20. Open up the /etc/freeradius/users again, go the DEFAULT block from above and add the following lines:

DEFAULT Auth-Type := Accept
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = <VLAN-ID Guest>

With this change, all unknown clients will be accepted and put into the VLAN <VLAN-ID Guest>. Now we have to add one entry for every known client. The client identifies by its mac address (use the format you selected when creating the Radius profile!) and the mac adress is also the password (since we didn’t allow Empty Password).

aabbccxxyyzz    Cleartext-Password := "aabbccxxyyzz"
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = <VLAN-ID for the device>

As soon as you connect with a device that is listed there, it gets the VLAN-ID you assigned it in the entry and if a client is unknow it gets the default ID.

I’m using a pfSense to deal with the clients in their respective VLANs, so we’re not using any of the guest functionality from the UniFi Controller.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.