Enterprise Wi-Fi on UBNT with a captive portal and domain authentication

    Hello. I want to share one way of implementing corporate Wi-Fi with several SSIDs, a different access policy for each wireless network, and domain authentication.
    The test bench layout looks like this:



    So, the task is as follows. The access points must broadcast three wireless networks:

    • VLAN 10 - SSID PL_Public - a network with domain authentication for connecting employees' personal devices to the Internet, without access to corporate resources
    • VLAN 20 - SSID PL_Private - a network with domain authentication for employees who are members of the WIFI_PL_Private domain group, with access to corporate resources
    • VLAN 30 - SSID PL_Guest - a network with one-time passwords (vouchers) valid for 8 hours, entered through a web portal

    The first task is to create the required wireless networks on the controller. The controller pushes the settings to all access points on the network.

    In Profiles, add the RADIUS server together with its shared secret. Each access point must also be added as a RADIUS client on the server. If there are many access points, you can configure NAT so that all of them reach the server from a single IP address. Note that behind NAT the server can no longer tell the access points apart by source address, so the shared secret (make it long and random) is the only thing identifying the clients.



    Add the required SSIDs on the controller.




    The peculiarity of the solution is that the RADIUS server must apply a different authentication policy to each of these SSIDs. The policies can be separated on the Called-Station-Id attribute, which is sent in the Access-Request and carries the access point's MAC address and the SSID (in the form MAC:SSID).



    To do this, create a policy for the Private VLAN that checks whether the user is a member of the WIFI_PL_Private domain group.



    In the conditions, specify a regular expression for Called-Station-Id (not Calling-Station-Id, which is the client's MAC address) that matches the SSID no matter which access point sent the request, .*:PL_Private, and add the group-membership check. Anchoring the pattern as ^.*:PL_Private$ prevents it from also matching a similarly named SSID such as PL_Private2.



    The second policy denies access to this SSID for all other domain users. It is needed because the server applies the first policy whose conditions match: without an explicit Deny Access, the next policy on the list would authenticate these users.

    The third policy grants access to the PL_Public network for all domain users.
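    To check the policy order offline, here is an added example (not code from the RADIUS server or from this article) that models the first-match evaluation described above: the server walks its network policies in order and applies the first one whose conditions all match, so a Deny policy stops evaluation for the requests it matches. The Called-Station-Id values follow the MAC:SSID form described above; the user names, access-point MAC, the assumption that the regex is applied as a search (hence the anchors), and the assumption that policy 3 carries no SSID condition (which is what makes the explicit Deny necessary) are all constructed for the example.

```python
"""Model of RADIUS network-policy evaluation for the three SSIDs.

Added example: the server applies the first policy in processing order whose
conditions all match.  Users, MACs and request contents are constructed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

WIFI_PL_PRIVATE = "WIFI_PL_Private"   # domain group used for the private SSID


@dataclass(frozen=True)
class AccessRequest:
    user: str
    called_station_id: str                  # "<AP MAC>:<SSID>" as sent by the AP
    groups: FrozenSet[str] = frozenset()    # domain groups the user belongs to
    domain_user: bool = True                # False for accounts the domain rejects


@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                             # True = Access-Accept, False = Deny
    called_station: Optional[str] = None    # regex on Called-Station-Id
    required_group: Optional[str] = None    # Windows group the user must be in

    def matches(self, req: AccessRequest) -> bool:
        # The regex is applied as a search (assumption), which is why the
        # patterns in POLICIES are anchored with ^ and $.
        if not req.domain_user:
            return False
        if self.called_station and not re.search(self.called_station, req.called_station_id):
            return False
        if self.required_group and self.required_group not in req.groups:
            return False
        return True


# Policies in the processing order from the article.  Policy 3 has no SSID
# condition (assumption), so without policy 2 it would admit everyone.
POLICIES: List[Policy] = [
    Policy("1 PL_Private: group members", True, r"^.*:PL_Private$", WIFI_PL_PRIVATE),
    Policy("2 PL_Private: deny everyone else", False, r"^.*:PL_Private$"),
    Policy("3 PL_Public: all domain users", True),
]

# The same chain with the Deny policy removed, to show why it is needed.
WITHOUT_DENY: List[Policy] = [POLICIES[0], POLICIES[2]]


def evaluate(req: AccessRequest, policies: List[Policy] = POLICIES) -> Tuple[Optional[str], bool]:
    """Return (name of the first matching policy, access granted).

    (None, False) means no policy matched, which the server treats as a reject.
    """
    for policy in policies:
        if policy.matches(req):
            return policy.name, policy.grant
    return None, False


if __name__ == "__main__":
    ap = "F0-9F-C2-00-00-01"   # constructed access-point MAC
    member = AccessRequest("alice", f"{ap}:PL_Private", frozenset({WIFI_PL_PRIVATE}))
    other = AccessRequest("bob", f"{ap}:PL_Private")
    print(evaluate(member))               # ('1 PL_Private: group members', True)
    print(evaluate(other))                # ('2 PL_Private: deny everyone else', False)
    print(evaluate(other, WITHOUT_DENY))  # ('3 PL_Public: all domain users', True)
```

    Running the module shows the effect of the Deny policy: with the full chain, a domain user outside the group is refused on PL_Private; with the Deny removed, the same request falls through to policy 3 and is accepted. Giving policy 3 its own Called-Station-Id condition (^.*:PL_Public$) would make the chain tighter still, since an unexpected SSID would then match nothing and be rejected.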

    The second task is a guest portal with one-time passwords. The UniFi controller handles this on its own.

    For the PL_Guest network, mark it as open and as a guest network. An open SSID carries guest traffic unencrypted, so the guest VLAN must stay isolated from the corporate networks.



    In the Guest Portal tab, enable hotspot authentication and, if desired, customize the portal landing page.



    In the hotspot settings, enable authentication by vouchers.



    Click the Go to hotspot manager link and generate the vouchers there.



    When connecting to the guest network from a phone, we are prompted to enter the voucher code:


    After connecting, the session shows up in the hotspot manager statistics.
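    The voucher rules described above (one-time use, valid for 8 hours) are modelled in the following added example; it is not code from the UniFi hotspot manager. The assumptions are: a code is bound to the first device that redeems it and a second device presenting the same code is refused; the 8-hour window starts at first use rather than at creation; and the XXXXX-XXXXX code format mirrors what the hotspot manager prints. The clock is injectable so that expiry can be exercised offline.

```python
"""Model of one-time guest vouchers with an 8-hour validity window.

Added example, not UniFi code.  Binding to the first client, the clock starting
at first use and the code format are assumptions made for the example.
"""
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

VALIDITY_SECONDS = 8 * 60 * 60


class VoucherStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # code -> (MAC of the device that redeemed it, time of first use)
        self._vouchers: Dict[str, Tuple[Optional[str], Optional[float]]] = {}

    def create(self, count: int = 1) -> List[str]:
        """Generate `count` unused codes from the CSPRNG in `secrets`."""
        codes: List[str] = []
        while len(codes) < count:
            code = f"{secrets.randbelow(10**5):05d}-{secrets.randbelow(10**5):05d}"
            if code in self._vouchers:      # collision with an existing code: draw again
                continue
            self._vouchers[code] = (None, None)
            codes.append(code)
        return codes

    def redeem(self, code: str, client_mac: str) -> Tuple[bool, str]:
        """Decide whether `client_mac` may use `code` right now."""
        code = code.strip()
        entry = self._vouchers.get(code)
        if entry is None:
            return False, "unknown voucher"
        used_by, first_use = entry
        now = self._clock()
        if used_by is None:
            self._vouchers[code] = (client_mac, now)   # first use binds the code
            return True, "activated"
        if used_by != client_mac:
            return False, "voucher already used by another device"
        if now - first_use > VALIDITY_SECONDS:
            return False, "voucher expired"
        return True, "still valid"   # same device re-authenticating inside the window

    def remaining(self, code: str) -> Optional[float]:
        """Seconds of validity left; None if the code is unknown or unused."""
        entry = self._vouchers.get(code.strip())
        if entry is None or entry[1] is None:
            return None
        return max(0.0, VALIDITY_SECONDS - (self._clock() - entry[1]))


if __name__ == "__main__":
    store = VoucherStore()
    code = store.create(1)[0]
    print(code, store.redeem(code, "aa:bb:cc:dd:ee:01"))   # (True, 'activated')
    print(store.redeem(code, "aa:bb:cc:dd:ee:02"))         # second device is refused
```

    The two decisions worth noticing are that the code is consumed on first use, not on creation, and that the same device may reconnect as long as the window has not closed. Codes come from the CSPRNG in the secrets module rather than from random, because a guessable voucher is a free guest session.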



    The VLAN in which the guest network lives must have access to the UniFi controller, since the portal runs on it. Limit that access to the controller's portal ports (8880 for HTTP and 8843 for HTTPS on a default installation) rather than opening the whole management network to guests.

    Thank you for your attention :)
