Hello. I want to share a way of implementing corporate Wi-Fi with multiple SSIDs, a different access policy for each wireless network, and domain authentication.
The layout of the test bench is shown in the diagram.
So, the task is as follows. The access point should broadcast 3 wireless networks:
- vlan 10 - SSID PL_Public - a network with domain authentication for connecting employees' personal devices to the Internet, without access to corporate resources
- vlan 20 - SSID PL_Private - a network with domain authorization for employees who are members of the WIFI_PL_Private domain group, with access to corporate resources
- vlan 30 - SSID PL_Guest - a network with one-time passwords valid for 8 hours, entered through a web portal
The first task is to create the necessary wireless networks on the controller. The controller allows you to push the settings to all access points in the network.
We add our RADIUS server under Profiles, specifying the shared Secret. The access point must be added as a RADIUS client on the server. If there are many access points, you can configure NAT so that all of them appear to the server from the same IP address.

Add the required SSID on the controller.


The peculiarity of the solution is that the RADIUS server must apply different authentication policies to these SSIDs. The policies can be separated based on the Called-Station-Id field, which is transmitted in the authentication request and contains the access point's MAC address and the SSID.

To do this, create a policy for the Private VLAN that checks whether the user is a member of the WIFI_PL_Private domain group.

In the conditions, we specify a regular expression for Called-Station-Id that matches this SSID on all access points in the network, .*:PL_Private, together with the group membership check.

The second policy denies access to this SSID for all other domain users. This is needed because, without an explicit Deny Access, the next policy in the list would authenticate all users.
The third policy allows access to the PL_Public network for all domain users.
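To show why the policy order and the explicit deny matter, here is an added example (not part of the original article or of NPS itself) that models how the three policies above are walked top to bottom against a constructed Called-Station-Id value. It assumes the Wi-Fi Called-Station-Id format "<AP MAC>:<SSID>" and that the third policy carries no Called-Station-Id condition, as the article's warning implies.

```python
import re

# Called-Station-Id for Wi-Fi is "<AP MAC>:<SSID>"; the MAC format is assumed.

def parse_called_station_id(value):
    """Split "AA-BB-CC-DD-EE-FF:PL_Private" into (ap_mac, ssid)."""
    ap_mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        raise ValueError("Called-Station-Id without SSID part: %r" % value)
    return ap_mac, ssid

# Ordered policies, evaluated top to bottom; the first one whose conditions
# match decides the outcome (NPS stops after the first matching policy).
# Fields: name, Called-Station-Id regex (None = no such condition),
# required domain group (None = any domain user), grant access.
# The regexes are unanchored like the article's .*:PL_Private, so an SSID
# such as PL_Private2 would also match; append $ to the pattern to avoid that.
POLICIES = [
    ("Private allow", r".*:PL_Private", "WIFI_PL_Private", True),
    ("Private deny",  r".*:PL_Private", None, False),
    # Assumed: the third policy has no Called-Station-Id condition, which is
    # why the article warns it would admit everyone without the deny above.
    ("Public allow",  None, None, True),
]

def evaluate(policies, called_station_id, user_groups):
    """Return (policy name, access granted) for a domain user's request."""
    parse_called_station_id(called_station_id)  # reject malformed values early
    for name, pattern, group, grant in policies:
        if pattern is not None and not re.search(pattern, called_station_id):
            continue
        if group is not None and group not in user_groups:
            continue
        return name, grant
    return "no matching policy", False

# Same list with the explicit deny removed: the misconfiguration the article
# describes, where the next policy authenticates every domain user.
POLICIES_WITHOUT_DENY = [p for p in POLICIES if p[0] != "Private deny"]

if __name__ == "__main__":
    ap = "AA-BB-CC-DD-EE-FF"  # constructed access point MAC
    for groups in ({"Domain Users", "WIFI_PL_Private"}, {"Domain Users"}):
        print(sorted(groups), evaluate(POLICIES, ap + ":PL_Private", groups),
              evaluate(POLICIES_WITHOUT_DENY, ap + ":PL_Private", groups))
```

Running it shows a non-member of WIFI_PL_Private being denied on PL_Private with the full list, but admitted by "Public allow" once the deny policy is dropped.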
The second task is a guest portal with one-time passwords. This is solved by means of the UniFi controller itself.
For the PL_Guest network, we define it as open and guest.

In the Guest Portal tab, we enable Hotspot authentication and, if desired, customize the portal start page.

In the Hotspot settings, we enable voucher authentication.

By clicking the Go to hotspot manager link, we generate vouchers.

When trying to connect to the guest network from a phone, we see a prompt to enter the voucher code:
After connecting, we see the statistics in the hotspot manager.

The VLAN in which the guest network is located must have access to the UniFi controller, since the portal runs on it.
Thank you for your attention :)