UniFi with Freeradius — Part 2: Configure UniFi and APs

Nicole Murillo
Feb 24, 2019

This is the second part of configuring UniFi and Freeradius to work with dynamic VLANs for wireless clients.

Ubiquiti UniFi Controller

I had previously written on how to set up UniFi Controller on a Raspberry Pi; you can find that post here. So I won’t cover that process here, but instead will look into the configuration of the radius settings.

Create a Radius Profile

First, we create the radius profile within the settings of the UniFi Controller. Go to Settings, then to the Profile section, and click on the Create new radius profile button.

Ubiquiti UniFi Controller — View of settings

On the new Radius Profile form, use any name you want; it only serves to identify the profile within the UniFi Controller.

Be sure to select the Enable RADIUS assigned VLAN for wireless network so that the access point will know to apply the VLAN based on the parameters sent by the Freeradius server.

Finally, add the details of the Freeradius server and the secret that will be used to “encrypt” and “sign” the packets between the access points and the Freeradius server. You can add the accounting details as well if that is needed.

Ubiquiti UniFi Controller — Create a new Radius profile

Click Save, and we can now create the wireless profile or enable this profile on an existing wireless profile.

Setup Wireless Network

Under Settings, click on the Wireless Network section and then click on the Create new wireless network button.

Ubiquiti UniFi Controller — Wireless Network Settings

On the new wireless network form, enter the SSID that this wireless network will use.

Select the WPA Enterprise setting under the Security section. By default, the UniFi controller uses WPA2 only, but this can be changed to either WPA1 only or Both (meaning WPA1 and WPA2) modes under the Advanced Options.

From the Radius Profile dropdown, select the appropriate profile for the Freeradius server that was created in the previous step.

Ubiquiti UniFi Controller — Create a new Wireless Network

You can further configure this network under the Advanced Options or simply click the Save button and the wireless network will appear on any device that can connect to the Wi-Fi network.

At this point, test connecting to the Wi-Fi by entering the username and password that were added to the Freeradius database. Verify that the device is connecting to the correct VLAN; if that is not the case, some troubleshooting needs to be done.

Troubleshooting

A couple of issues may arise. Troubleshooting is straightforward but can become a hassle to resolve if it’s an issue that appears under different conditions.

For most issues, the device will say that it was unable to connect or that the credentials are bad. So let’s run down a list of steps to take to analyze the issue.

Make sure that the credentials exist on the Freeradius database and that the server is able to read the data. You can use the radtest tool that comes with Freeradius to make sure that the credentials are working.

Check that the Access Point is able to connect to the Freeradius server and vice versa. You can do a simple ping test between the devices. You can also capture packets on both ends, meaning the AP and the Freeradius server, using tcpdump and looking for radius packets. You may also run Freeradius in debug mode to see if the packets are being dropped by Freeradius or if they’re being accepted and replied to.

If the VLAN is not being set, make sure that the user is added to a group and that the parameters being passed are the correct ones. Be sure to enable the inner-tunnel replies so that the AP is able to configure the network and the device goes through the appropriate VLAN. You can also capture packets using tcpdump to check that the VLAN parameters are passed in the radius packets. If the inner-tunnel replies are not enabled, the VLAN parameters are still passed in the radius packets but the AP ignores them, so be sure to enable that setting in the Freeradius configuration of the inner-tunnel.
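
To check a captured reply the way the last step describes, the following added example (not code from the original post) parses a RADIUS Access-Accept, verifies its Response Authenticator against the shared secret, and extracts the VLAN. It assumes the VLAN parameters are the standard RFC 2868/3580 attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID; the secret, request authenticator and packet are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# RFC 2868 / RFC 3580 attribute types that carry a dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT = 2

def response_authenticator(header, request_auth, attrs, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, request_auth, secret, vlan):
    """Construct a sample Access-Accept, standing in for a captured packet."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value
    attrs = (attr(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))  # 13 = VLAN
             + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))  # 6 = IEEE-802
             + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_authenticator(header, request_auth, attrs, secret) + attrs

def inspect_accept(packet, request_auth, secret):
    """Return (authenticator_ok, vlan_id or None) for a RADIUS Access-Accept."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:length]
    expected = response_authenticator(packet[:4], request_auth, attrs, secret)
    ok = hmac.compare_digest(expected, packet[4:20])
    found, pos = {}, 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        found[attrs[pos]] = attrs[pos + 2:pos + alen]
        pos += alen
    tunnel = int.from_bytes(found.get(TUNNEL_TYPE, b"")[1:], "big")
    medium = int.from_bytes(found.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big")
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    vlan = int(group) if tunnel == 13 and medium == 6 and group.isdigit() else None
    return ok, vlan

# Constructed sample values, not taken from the original post
SECRET, REQ_AUTH = b"testing123", bytes(range(16))
SAMPLE = build_accept(7, REQ_AUTH, SECRET, 30)
print(inspect_accept(SAMPLE, REQ_AUTH, SECRET))
```

A result whose first element is False means the reply was not produced with the secret configured in the Radius Profile; a VLAN of None means the three tunnel attributes were not all present in the reply.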
