RADIUS

Take a look here and hereCheers,jonatha

Thank you for the response.

I have been able to configure successuflly the RADIUS portion of the setup, but have been unsuccessful in the Dynamic VLAN portion.

The solution in the link was for FreeRADIUS. However, I may be able to utilize the following settings and see where that goes.

Framed-Protocol : PPP

Service-Type : Framed

Termination-Action : RADIUS-Request

Tunnel-Medium-Type : 802

Tunnel-Pvt-Group-ID : (VLAN number, as an octet string)

Tunnel-Type : VLAN

redfive

Yes, the solution is for freeradius because the 3d is on freeradius, but the post I linked (first link) should be for windows NPS ....Cheers,jonatha

It is for NPS and that is working as expected, but not for Dynamic VLAN.

bmartindcs

I'm having same issue.

Server 2012R2

Unifi AP-AC-PRO running 3.7.21.5389

Unifi Controller running 5.2.9

I've got Radius working fine with NPS as long as I don't try to use Dynamic VLAN via Radius.

Radius Attributes I add are:

Tunnel-Pvt_Group-ID = <VLAN I WANT>

Tunnel-Type = Virtual LANs (VLAN)

Tunne-Medium-Type = 802

Enabled Radius Assigned VLAN within Unif Controller.

Looking at logs with debug mode on, on the AP, I see that Radius completes, and the AP understand that the client should be getting the correct VLAN as per the following being logged:

Jan 15 13:09:05 UBNT user.warn kernel: [ 3262.410000] ieee80211_ioctl_setparam: VLANID32 = <CORRECTVLANHERE>

However, client doesn't get DHCP. I statically set the IP on the device and no change. Enabled port mirroring on the switch port that the AP connects to, and wiresharked that traffic, and never see any packets coming from the client computer in question (looked via IP and/or MAC address). Almost seems like the endpoints are put into limbo within the AP after RADIUS handshaking is completed.

Behavior is same regardless if it's an Android phone, or 2 different Windows 10 wireless laptops.

I've also simply tried communicating (ping, etc) between the 2 laptops, with static IP's set, that should be on the same VLAN (and show as such via AP logs handshaking results, like what I listed above), and they can't communicate with eachother.

I've also SSH into the AP, run tcpdump wide open (not restricted to a specific interface) and see zero of the traffic attempting to be generated from either of the laptops.

I'm testing this with only a single SSID for simplicity. I've tried differing VLAN's too, no change. Wired devices do not have any issue, it's only wireless devices behind the AP.

Only thing I've found from others with same behavior is regarding FreeRadius and needing to enable "use_tunneled_reply = yes" to solve the problem, however I don't know how to do that within NPS or if that's even possible.

I have tried all kinds of options ad can only get it to work with static VLAN for the SSID.

Does the port and switch that is connected to the AP have the VLAN trucking.

My initial thought is maybe the switch is stripping the tag.

bmartindcs

The switch is trunked on thsoe VLANs.

The switch isn't stripping the VLAN tags, as I've wiresharked the feed from the AP and see ZERO traffic from the devices once they are assigned vlan via Radius. In addition, besides wiresharking, I've also ran TCPDUMP directly on the wireless access point and also see ZERO traffic from the devices once they are assigned the dynamic vlan via radius.

It's not the switch. It's like the AP puts the devices into some kind of limbo/jail.

If I go back to static VLAN per SSID, it works fine.

Didn't think it was just wanted to verify.

You're issue is the exact issue I have as well.

Until they fix this issue or give me an official response as to what's going on, I've needed to look at other vendors to expand my wifi network.

The only resolution that I came up with was multiple SSID's with static VLAN and have the switch segregate the traffic. This is only temporary until I replace the AP's with something else that supports dynamic VLAN and I can get actual support outside of Forums.

greid

I am in the exact same place. Was hoping to use Ubiquiti to expand.

I am having exactly the same issue here.

Were you able to find any way to fix it ?

This is what I get on the AP in the logs (Vlan 101)

Jan 31 13:17:28 BCN-WAP-2 daemon.info hostapd: ath8: STA 78:4f:43:62:9a:d3 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)Jan 31 13:17:28 BCN-WAP-2 kern.warn kernel: [ 167.720000] ieee80211_ioctl_setparam: VLANID32 = 101Jan 31 13:17:28 BCN-WAP-2 kern.warn kernel: [ 167.720000] 78:4f:43:62:9a:d3: node vid=101 rsn_authmode=0x00000040, ni_authmode=0x00

And the RADIUS Response:

Frame 280: 368 bytes on wire (2944 bits), 368 bytes captured (2944 bits) on interface 0Ethernet II, Src: Microsof_ff:08:0d (00:15:5d:ff:08:0d), Dst: Ubiquiti_4d:c7:32 (80:2a:a8:4d:c7:32)Internet Protocol Version 4, Src: 10.10.254.8, Dst: 10.10.255.11User Datagram Protocol, Src Port: 1812, Dst Port: 38072RADIUS Protocol Code: Access-Accept (2) Packet identifier: 0x36 (54) Length: 326 Authenticator: 341fbbcd9b756ebf76218f2a0a676656 [This is a response to a request in frame 279] [Time from request: 0.001054000 seconds] Attribute Value Pairs AVP: l=6 t=Tunnel-Medium-Type(65) Tag=0x00: IEEE-802(6) AVP: l=5 t=Tunnel-Private-Group-Id(81): 101 AVP: l=6 t=Tunnel-Type(64) Tag=0x00: VLAN(13) AVP: l=6 t=EAP-Message(79) Last Segment[1] AVP: l=46 t=Class(25): 4c0f044f00000137000102000a0afe080000000000000000... AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311) AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311) AVP: l=16 t=Vendor-Specific(26) v=Microsoft(311) AVP: l=51 t=Vendor-Specific(26) v=Microsoft(311) AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311) AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311) AVP: l=18 t=Message-Authenticator(80): b2d9ed505a2f136cc9c3eff5ba668f5a

Thanks

audio-catalyst

i have this running without issues on the latest beta controller and latest beta firmware, but it has been running like this since it first came out.

things to verify :

are all vlans trunked to the ap ?

is you ias log actually returning tge vlan value ?

have you removed under networks any ref. networks that have the same vlan tag ?

VLANs trunked correctly (As other SSID's are using them already)

The IAS logs return the VLAN (can be seen on the packet capture and on the AP's logs too)

The network work fine when I fix the value as fixed vlan (so 2 SSID's with the same VLAN on the same AP, so I don't think this would be the issue?)

I updated to the beta one also. No changes so far, I have exactly the same behaviour.

UI5.7.15.0Backend5.7.15Buildatag_5.7.15_10517

audio-catalyst

these are my working settings on one of the NPS servers :

furthermore, make sure that in your controller, under networks, no networks with vlans that are being given by the NPS excists

waterside

wrote:VLANs trunked correctly (As other SSID's are using them already)

Do you mean you have other SSIDs using the same VLAN as a static assignment? That specifically is documented to be an invaild configuration.

RADIUS-assigned VLANs can not be also statically assigned to SSIDs. This has been in the release notes for a long time:

You cannot re-use a VLAN ID for dynamic VLAN if it is set as a static value for another SSID on the same AP. So, if I have a SSID set to use VLAN 10, I cannot use VLAN ID 10 for RADIUS controlled VLAN users as those users will not get an IP.

Looks like this would be the issue, as the same VLAN are still used in the "to be legacy" SSID's

I confirm that was the issue, removing the legacy SSID and it worked instantly

langella

https://community.cambiumnetworks.com/t/how-to-configure-nps-and-active-directory-for-dynamic-radius-based-vlan-assignment/55086

Sorry for bringing this back but I'm having the same issue and I don't understand why I have to remove the network VLAN with same VLAN ID that NPS is given. If I delete it how am I supposed to configure DHCP?

I'm sure I am missing something here because does not make any sense.. hahahah

How Duo Auth Proxy Works in my Setup

How To Configure NPS and Active Directory For Dynamic Radius based Vlan assignment

This document is to describe the steps to configure NPS(network policy servicer)server with below use case

Vlans need to be assigned based on different Radius group i.e Sales group to Vlan 10

Account group to Vlan 20.

Steps:-

Open Active directory Users and Computers. Right click on Users .Create a new group.

1.png1152×648 76.1 KB
Give group name Vlan10(User is free to use any name)

2.png1152×648 63.3 KB

3. Like these create as many groups required.

Make the group part of Domain Users by clicking on Member of tab and then click on add.

3.png1152×648 3.99 KB

4. Add AD user. Click on Users and right click. Select New users. Give name xyz(User chosen)

4.png1152×648 60.4 KB

5. Give Username as xyz and click on OK

5.png1152×648 67.3 KB

6.

Click on properties of the created user xyz and click on Dial In tab.

Select Allow access and then press OK.

6.png1152×648 37.4 KB

7.

Click on Member Of tab.

Add domain users and the radius group by clicking on Add button

7.png1152×648 29.5 KB

Adding group

8.png1152×648 3.94 KB

Adding domain users

9.png1152×648 3.99 KB

8.Press Ok . Now the user is part of the domain user and group .

Configuring NPS server

==================================

9.Click on Network Policy and click on New

10.png1152×648 50.5 KB

10. Give policy name such as Vlan10_policy.Click on Next

11.png1152×648 55.7 KB

11. Click on Add button.

12.png1152×648 34.4 KB

12. Select User Groups and click on Add.

13.png1152×648 57.9 KB

13. Adding user group .Click on Add Groups

14.png1152×648 3.04 KB

14.

Click on Add Groups and add the configured AD group , in this example Vlan10.Click on OK

15.png1152×648 3.73 KB

15.

Add another condition in Network policy that is Nas port type

16.png1152×648 62.4 KB

16. Select Nas port type and then add. Select Wireless –IEEE 802.11

17.png1152×648 5.52 KB

17.  Now Both the conditions are added.

18.png1152×648 53.8 KB

19. Click on constraints and select EAP methods that you want to be supported.

19.png1152×648 76.5 KB

20. Now click on Settings tab

20.png1152×648 77.1 KB

20. Click on Add button.Add three attributes

Select Tunnel-Pvt-Group-ID,Tunnel-Medium-Type,Tunnel-Type

Select Tunnel-Pvt-Group-ID

21.png1152×648 5.52 KB

21.

Click on Add . Then click on Add

22.png1152×648 4 KB

22. Select String radio button under “Enter the attribute value in ”.Configure the vlan ID that you want to configure and click OK.

23.png1152×648 3.75 KB

23. This way add Tunnel-Medium-Type and Tunnel-Type attributes

as 802(includes all 802 media plus Ethernet Calonical Format) and Tunnel-Type as Vlan

How to Configure Windows 2012 NPS for Radius Authentication with Ubiquiti Unifi

https://www.gypthecat.com/how-to-configure-windows-2012-nps-for-radius-authentication-with-ubiquiti-unifi

In a corporate environment shared key encryption is rarely used due to the problems associated with distributing the appropriate keys. In the corporate wireless world many organisations prefer to use 802.1x or Radius authentication so that their users can log on to the wireless networks with their domain credentials.

I was recently asked to set up just s system with Unifi access points and controllers on Windows Server 2012 with Microsofts own Radius solution NPS (or Network Policy Server) and 802.1x. There is plenty of information out there but I found that some of it was out of date and others were missing some fairly key components. So I present this tutorial to hopefully helps others get this up and running as quickly as possible.

The Unifi system was running 4.8.18, and obviously may change a little as things progress. The network I was working on looking like the following:

Windows Server 2012 Active Directory – 192.168.1.50
Ubuntu Server 14.04LTS Unifi Controller – 192.168.1.60
Floor 1 Unifi AP – 192.168.1.250
Floor 2 Unifi AP – 192.168.1.251
Floor 3 Unifi AP – 192.168.1.252

As part of this project we wanted to turn on the following:

Windows Server 2012 Network Policy Server – 192.168.1.55

The client also provided the server it’s own server certificate to allow clients to authenticate, and we installed that too.

I will assume you already have Active Directory installed, and you have a server ready to install Network Policy Server which is joined to the appropriate domains.

Oh and feel free to click on any of the screenshots for a bigger picture!

Step 1 – OPTIONAL – Install a Trusted Certificate for Authentication

Update 16 July 2016: An emailer has suggested that if you’ve got an enterprise Windows Certificate Services server setup you shouldn’t need to manually import a certificate, you should be able to do it quite happily via the usual certificate request process. Thanks Anon for the clarification suggestion 🙂

In this particular example the customer had a full and proper PKI infrastructure so they wanted to provide a certificate on the Radius/NPS server which clients could authenticate with. You don’t need to do this step, but if not you’ll have to get users to accept the certificate when they connect or otherwise distribute the certificate.

Download the certificate (in this case a .p12) and double click to install and you’ll probably want to install it on the “Local Machine” as opposed to the “Current User”, and click “Next”:

Type the password as appropriate for the file and click “Next”:

Leave the default on the next screen and click “Next”:

Then click “Finish”

And you should get a message like the following:

Step 2 – Install Microsoft Network Policy Server for Radius & 802.1x

From the Server Manager click “Add Roles or Features”

Make sure “Role-based or feature-based installation” is selected and click “Next”

Select the appropriate server in the next screen and click “Next”

Click on “Network Policy and Access Services”:

A box like this should pop up, click on “Add Features”:

Then click “Next”:

And click “Next” again:

And “Next” again:

And yet again, click “Next”:

And then click “Install”:

The Wizard should happily go away and install the NPS role for you. When it’s finished press “Close”:

Step 3 – Configure NPS for Unifi Authentication

Next we have to set up our server to allow domain authentication via 802.1x for our wireless clients. Click on Start and find the icon for Network Policy Server and click on it:

On the window that opens up drop down to “RADIUS Server for 802.1x Wireless or Wired Connections” and then click “Configure NAP”:

Make sure “Secure Wireless Connections” is highlighted, give it a sensible name and click “Next”:

The next screen is where we will add the details for all our Unifi access points, so click “Add”:

You will want to fill in the client area like this, note our “IP addresses” and “Shared Secret”. You’ll probably want to make the “Shared Secret” some complex string, but for this example I’ve just used “Password123!”. You need to type this into the Unifi controller for each AP. When complete click “Ok”:

When you’ve completed the process for the rest of your access points your screen will probably look like this, when you’re happy click “Next”:

On the next screen you want to drop down the EAP type to “Microsoft: Protected EAP (PEAP)”, and then click “Configure”:

On this screen you will want to select the certificate you want to present to the clients connecting over Wifi. Since in Option 1 I installed a given certificate just for this purpose this is what I need to select, and make sure “Enable Fast Reconnect” is ticked. When you’re happy with it click “Ok”:

Then click “Next”:

The next screen lets us select which groups we want to allow to authenticate wirelessly, click “Add” and find your appropriate group(s) and when you’re happy click “Next”:

Click “Next” on the following screen since we’re happy with the defaults:

On the next screen click “Finish”:

Next we need to disable some insecure options. Under Policies, Network Policies, right click “Secure Wireless Connections” and click “Properties”:

Click on the Constraints tab:

By default we have some insecure methods enabled:

Make sure they are all unchecked, like this and click “Ok”:

Well done! Your NPS server should be ready to go.

Step 3 – Configure Unifi to use NPS

WARNING: Your access points will likely have to re-provision at the end of this step. This means anyone connected to the APs will lose connectivity, if in doubt do it out of hours.

The previous Step was most certainly the biggest one, on Unifi it’s quick and easy.

Logon to your controller as normal and click on “Settings”:

Click on “Create New Wireless Network” or edit an existing one. Fill in the Wireless Network like this, make sure you select WPA-Enterprise and fill in the IP Address and Share Secret of the appropriate details, in our example it looks like the below. When you’re happy click “Save”:

At this point we found that the APs restarted, but not to worry if you’ve come this far it’s obviously going to be ok.

Step 4 – Connect Clients to Unifi Network

Now all that is configuered, you should be ready to attach your clients to the wireless network.

In the optional first step we installed a certificate specifically to allow the Radius server to be trusted by our clients. If you’ve got a proper PKI in place then all your devices should trust the Radius server already, so your steps below may be slightly different than mine (I deliberately didn’t install the certificate for testing purposes).

If you search for wireless networks the network you’ve added should show up, click on it:

Now enter your network details as normal and click Join:

If you DON’T have the certificate trusted by the end point you’ll get a warning like this, click on “Show Certificate” to make sure it’s as it should be:

That screen should look something like this (please note I’ve deleted some bits):

You can check that it’s how it should be, and this process will let you install the certificate so it will never ask you again for it.

But again if you’re using a properly trusted certificate by your end point you shouldn’t see this communication!

Once you’re connected you should have data like the following, notice it says 802.1X at the bottom:

Well done, you’ve got your Unifi using Radius authentication!

Network Policy Server

Currently the NPS is CH-VM-DC02

The following is the configuration of this server

There is a backup at \\truenas.coltscomputer.services\Mass-Storage\Computer Technician\Upload to Cloud\NPS

The RADIUS server is used by the Unifi Controller for both Wifi networks, pFsense to control the VPN access and login to the home screen.

pfSense admin logins via RADIUS using Active Directory Accounts

https://community.spiceworks.com/how_to/128944-pfsense-admin-logins-via-radius-using-active-directory-accounts

This guide will allow you to setup RADIUS authentication to log into your pfSense firewall.

It assumes you have already installed the Network Policy Server role. If you have not already installed this role, do this now through the Add Roles and Features Wizard. I usually install this role on a domain controller.

If a setting is not mentioned throughout this guide, leave the setting at its default.

This will only work on pfSense v 2.3.1 or later.

Section 1 is Windows configuration. Section 2 is pfSense configuration.

6 Steps total

Step 1: Section 1.1 Create an AD group

Create a new local group that will be used to grant members access to pfSense. Add the members who should have access.

I have called the group pfSense.

Step 2: Section 1.2 Network Policy Server RADIUS Clients

First we need to define a new RADIUS client. pfSense will be the client that queries active directory (via RADIUS) to authenticate the login. The RADIUS client and server use a matching key pair to authenticate communication with each other.

-Server Manager – Tools – Network Policy Server – RADIUS Clients and Servers – RADIUS Clients – Action - New

-Settings tab --Friendly name: Enter a name for this client. I have used the DNS name of the firewall. --Address: Enter the IP address of your pfSense firewall --Select an existing Shared Secrets template: None --Generate: Generate a shared secret and copy this to notepad, we will need this again later. --Click OK to finish.

Step 3: Section 1.3 Network Policy Server Network Policies

Create the policy used to grant access to members of the AD group.

-Server Manager – Tools – Network Policy Server – Policies – Network Policies – Action – New

This starts the New Network policy wizard

-Specify Name and connection type --Policy Name: Enter a name for the policy. I have used ‘shr-gw1 Policy’. --Type of network access server: Unspecified --Next

-Specify Conditions --Add.. – Windows Groups – [select the group you created] --Add.. – Client IPv4 Address – [enter the IP address of pfSense] --Next

-Specify Access Permission --Access granted --Next

-Configure Authentication Methods --Unencrypted authentication (PAP, SPAP) – enabled --All other types off -Next

-Configure Constraints --No changes --Next

-Configure Settings --RAIDUS Attributes – Standard – Add… - Class – Add… - String – [enter the name of the AD Group you created] – OK (Note: the class string will be parsed back to pfSense where a matching group name to this string must exist. For simplicity I have used the same group name in AD and in pfSense, therefore the Class string matches both)

--Next --Finish

Step 4: Section 2.1 Authentication Servers

Add the RADIUS server.

-pfSense – System – User Manager – Authentication Servers – Add --Descriptive Name: Name of the RADIUS Server --Type: RADIUS --Hostname or IP address: Enter the DNS name or IP address --Shared Secret: Enter the secret you copied to notepad in an earlier step --Services Offered: Authentication and Accounting --Save

Step 5: Section 2.2 Groups

Add a shadow group to pfSense with the same name as the AD group you created.

-pfSense – System – User Manager – Groups – Add --Group Name: [enter the same name as the AD group, this is where the class string parsed from the RADIUS server looks for this group name] --Scope: Local (I tested with Remote and it worked with that setting too) --Group membership: no members need to be added --Assigned Privileges – Add – ‘WebCfg - All pages’ --Save

Step 6: Section 2.3 Settings