ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Unifi + RADIUS + AD

    IT Discussion
    6
    6
    2.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • notverypunnyN
      notverypunny
      last edited by notverypunny

      We're evaluating a switch from Meraki to Ubiquity and want to keep the AD user-based sign-on for employee devices (phones, tablets etc).

      With Meraki it's dum-dum simple, no special attribs to send back or anything since the VLAN is assigned by the network config on their portal.

      I think I've got the basics sorted, but does anyone have a good reference for doing this with Windows NPS before I start trying to re-invent the wheel?

      Related question: Anyone have any thoughts on the merits of Ubiquity vs Cambium Networks? They were suggested as another player to consider but I'd never heard of them before.

      *** Clarification ***
      Radius is working for corporate devices using WPA2 Enterprise / Certificate based access. It was just a matter of adding the AP as an authorized RADIUS client and the existing setup worked.

      Things don't jive when I try to have the hotspot portal authenticate against AD users via NPS / RADIUS. I've got it working with other scenarios (vpn authorization via our security appliances being the main one).

      The guide that I found (http://www.sysadminlab.net/certificate_and_ca/configure-ubiquiti-wireless-ap-to-authenticate-users-using-ad-usernamepassword) has had some of it's most relevant screenshots eaten by the monsters of the interwebs.

      On the NPS side of things I'm seeing connection attempts coming from the server IP for the unifi controller (and not the AP as the guide would have me expect). I see the logic in the request coming from the controller, and have added it as an authorized client, but can't get any farther than the following error:

      An Access-Request message was received from RADIUS client X.X.X.X with a Message-Authenticator attribute that is not valid.

      There's a post on the ubnt forums (https://community.ui.com/questions/802-1x-Message-Authenticator-attribute-that-is-not-valid/4fa44f43-483b-4c75-8e99-e42dc6d41aaa) but their only suggestions are with regards to ensuring that the shared secret is the same on both ends, and unless I've completely forgotten how to copy/paste, I've done everything reasonably possible there.

      jt1001001J 1 Reply Last reply Reply Quote 0
      • coliverC
        coliver
        last edited by

        Cambium used to be Xirrus IIRC. Xirrus was really cool but really designed for a high density.

        1 Reply Last reply Reply Quote 1
        • jt1001001J
          jt1001001 @notverypunny
          last edited by

          Related question: Anyone have any thoughts on the merits of Ubiquity vs Cambium Networks? They were suggested as another player to consider but I'd never heard of them before.

          We looked at Cambium around the time of the Xirrus purchase; and was not impressed. Way to much glitter for not a lot of gold; their cloud controller was very difficult to navigate at the time. Can't vouch for Ubiquiti on doing 802.1x as I only use it at home with SSID/VLAN/PSK security

          gjacobseG 1 Reply Last reply Reply Quote 2
          • gjacobseG
            gjacobse @jt1001001
            last edited by

            @jt1001001 said in Unifi + RADIUS + AD:

            Related question: Anyone have any thoughts on the merits of Ubiquity vs Cambium Networks? They were suggested as another player to consider but I'd never heard of them before.

            We looked at Cambium around the time of the Xirrus purchase; and was not impressed. Way to much glitter for not a lot of gold; their cloud controller was very difficult to navigate at the time. Can't vouch for Ubiquiti on doing 802.1x as I only use it at home with SSID/VLAN/PSK security

            I have to say - that the UBNT controller is pretty straight forward and easy to use. And the system just works. Best of all on the controller, hosted external or internal, it works perfectly as a VM,.. and on a very light OS (DietPi). I have three UBNT APs,.. 2 old models and one much newer one, and the controller didn't skip a beat on it. Even with moving the instance from a dedicated PC to the Raspberry Pi 3b+ running DietPi.

            travisdh1T 1 Reply Last reply Reply Quote 0
            • travisdh1T
              travisdh1 @gjacobse
              last edited by

              @gjacobse said in Unifi + RADIUS + AD:

              @jt1001001 said in Unifi + RADIUS + AD:

              Related question: Anyone have any thoughts on the merits of Ubiquity vs Cambium Networks? They were suggested as another player to consider but I'd never heard of them before.

              We looked at Cambium around the time of the Xirrus purchase; and was not impressed. Way to much glitter for not a lot of gold; their cloud controller was very difficult to navigate at the time. Can't vouch for Ubiquiti on doing 802.1x as I only use it at home with SSID/VLAN/PSK security

              I have to say - that the UBNT controller is pretty straight forward and easy to use. And the system just works. Best of all on the controller, hosted external or internal, it works perfectly as a VM,.. and on a very light OS (DietPi). I have three UBNT APs,.. 2 old models and one much newer one, and the controller didn't skip a beat on it. Even with moving the instance from a dedicated PC to the Raspberry Pi 3b+ running DietPi.

              I've seen the UBNT controller software running on 1 CPU and 512MB or RAM for 500+ sites. Many of those were single device sites, but they also had some large deployments. Ran like a champ, because the only time it had to communicate anything more than "devices are online" were for setting changes (so no guest login portals.)

              1 Reply Last reply Reply Quote 0
              • dbeatoD
                dbeato
                last edited by

                This is a configuration I have for AD with Unifi APs using RADIUS

                SSID
                c8fc6bbc-4100-43a0-b22a-a9ed6602bd50-image.png

                RADIUS Profile in UNifi
                c0cefead-a9e5-43d5-ae0b-7514a24654b1-image.png

                NPS Connection Request Policies
                APs are configured under RADIUS Clients with the Authentication password used on the RADIUS profile in the Unifi Controller.
                b1ae5e7f-9929-4bb0-9201-f611c134f126-image.png
                Policies
                efbc0274-d174-4a78-891d-97d2f0bf3b0c-image.png
                e845192a-8846-4136-b7fc-091d4e294bb7-image.png
                Nothing to change here
                2560bb73-6b15-4872-970c-1f34f105b3d0-image.png

                **NPS Network Policy **
                c5099fb8-2878-4a6d-986a-938dbda77e54-image.png
                e25485fb-3694-4d97-94f9-67a515551531-image.png
                7264e0ad-dfe8-4a35-8f92-36b68db0ac7f-image.png
                Under the Editing of the PEAP settings make sure to select your CA Certificate Authority
                5804bed9-4d88-48cd-a5f4-336a82bb7f88-image.png
                cb1a9740-a219-4a60-8786-2f7cc21b4bb9-image.png

                1 Reply Last reply Reply Quote 7
                • 1 / 1
                • First post
                  Last post