Ubiquiti Unifi Dynamic Wireless VLAN Assignment

Video Statistics and Information

Captions
Hello, this is Andrew with Missing Remote. Today we're going to dig into a more advanced topic, which is setting a VLAN dynamically for a client device that connects to your wireless network. There's a built-in way to do this in Unifi using the built-in RADIUS server, but it has some shortcomings. The biggest shortcoming is that you need to define every client in its users list, and I don't want to do that because I'm lazy. So this video will talk briefly about how to do it that way, but then we're going to dig into how to do it with FreeRADIUS, which will define a VLAN for any client that you define, but then every client that you don't define a user for will just get the default VLAN, which is generally what I want.

I guess I should explain why I want this. I have some wireless cameras, and the easy way to get them on a VLAN is to create a separate SSID just for the cameras. But you can only put four SSIDs on an access point in Unifi, and each one has a small performance penalty. So if you have a ton of clients and you don't care, and you have a lot of access points, then the simplest way to do this is just to create another SSID and a corresponding wireless network and force every client that attaches to that wireless network to get a VLAN. But I don't want to do that, so we're going to walk through how not to do it that way; we're going to do it a different way.

This is also a great way to test something. I've mentioned a few times that I'm having some issues with my UDM Pro, and what this lets me do is have my phone, which is a wireless client device, use the UDM Pro as its gateway without me dedicating access points in the house to the UDM Pro. I can just use the single SSID that everyone is already using, create a RADIUS account for my phone, and then assign the UDM Pro's internal network VLAN to my phone using that RADIUS user. So let's dig in.

Inside your wireless network is where you would configure Unifi to use a RADIUS server for authentication, or specifically MAC authentication, which is how you would assign a VLAN to the device. I already have my FreeRADIUS profile set up here, but you can see that there are two profiles: one is the default, which is the USG, and the other is the FreeRADIUS profile that I created. Unifi, if you have a USG, will allow you to run a RADIUS server on it, and you configure that in the Gateway RADIUS section and just enable the RADIUS server. You want to set a secret. The secret is like a big password; you want that to be a really long random string, because that's what's used to encrypt the data that goes between the devices requesting authentication and the RADIUS server. The actual client devices shouldn't ever get the secret. So you turn that on here, and interestingly enough, the profiles are in a different place: they're in the Profiles configuration, under RADIUS. This default one you can use; there's no reason why you can't use it if you want it to work the way that it works out of the box with the USG and Unifi, which is that you can just enable RADIUS for wired and wireless clients and then you're done with that part. You do, of course, need to create accounts for each device that will be using RADIUS MAC authentication. You can also use the USG RADIUS server for VPN authentication, which is what these other accounts are right here. But you can see here that I have a couple, three different MAC addresses that I've set up for authentication, so that the username and the password are both the MAC without any minus signs or colons. That's the default configuration. But again, if you do it this way you have to define a user for every device that's going to attach to this wireless network, so if you have like ten of them it's not a big deal; if you have twenty it becomes a bigger maintenance issue. So as I mentioned, we're not going to do it that way; we're going to do it using FreeRADIUS.

With FreeRADIUS you will need to have some kind of system somewhere that you can run it on. You can do it on a Raspberry Pi, you can do it on a virtual machine, you could do it on really anything. I'll install it on Ubuntu; you install FreeRADIUS using sudo apt install freeradius and then hit enter. I already have it installed on this box, so I'm not going to run the command, but that's the command you would run on Ubuntu. It is slightly different depending on your distribution, so if you're using something that isn't Debian based you'll want to go look up whatever the command is to install FreeRADIUS, and when you're running on those non-Debian environments the command is slightly different for how you run the server and how you manage some things. I'll put a link in the description below on documentation for installing it.

Once you've installed it you will want to escalate privilege, which is sudo su, then just to make it a little easier we're going to go to /etc/freeradius/3.0, which is the root folder. Looking around, there's some basic information here. The thing that we'll want to touch first is this clients.conf file. Since we're escalated we're fine; we're just going to nano, or use whatever text editor you like, clients.conf. In this file you will need to add a client definition, which will allow devices like your access points to use this RADIUS server for authentication. The client configuration that I've put in here is a very simple one. You can get much more complicated, but for the purposes of this guide and my home network I'm completely fine using it in this way, which is to allow any device on the 192.168.1.x network to use this RADIUS server for authentication. If I was more picky or I needed a more secure environment, obviously I would want to do this differently, where I would create a client per device, or in a much more restricted way. I have four access points and I didn't feel like creating a client configuration per access point, but you can do that; that is a more secure way to do it. Just note that if you do it the way I did it, you will need to put your base IP in here and then also the netmask, which will be used to authorize the clients, and then of course your secret, that super secure key. You'll need to generate something long and complicated and you'll need to make sure that you put it here.

So you also need to make sure that when you create your RADIUS profile, in the authentication server section you put in whatever the server is, which in my network is 192.168.20.10, and then you name it, enable wired and enable wireless. Well, I guess you don't need to enable wired in this scenario, but if you want to use this for MAC authentication on a wired device you would enable wired here as well. Then you give it a name and apply, and that's all there is to it for this profile, and that's what I have here as my FreeRADIUS profile. Once that's done you can exit out, and that won't take effect until you restart the FreeRADIUS server.

So the next step to getting this working is to define our users. If we do an ls -l we can see that there is a file in this directory which is called users, but it is actually symbolically linked to the file that it actually is, which is in mods-config/files/authorize. So we can either mess with the authorize file directly or we can just open up users. This is where we put in our accounts, and this is where we make it so that FreeRADIUS will accept anything that's not one of the defined clients, and that's in this section here. As we can see here, we have some MAC addresses, which I've used in the same format that Unifi requires, which is that you have the MAC address with nothing in between, no hyphens, no colons. The reason why I did it that way is simple: it's because I didn't want to mess with it. If I wanted to change back and forth between Unifi and FreeRADIUS I just change the profile, without having to change any other configuration.

So you have the MAC address, Cleartext-Password and the MAC address again, and then this is the important part: Tunnel-Type = 13, Tunnel-Medium-Type = 6, and then Tunnel-Private-Group-Id = the VLAN, which in this case for me is 30, 10 for these two, which are cameras, and then this last one here, which is my phone, so I put it on a separate VLAN than I have my cameras on. And then this bit here is where the magic happens when it comes to making it so everything else just kind of gets authenticated. You notice here on this 13 and 6: this is the same configuration that, if you were to create a RADIUS user in Unifi, you need the Tunnel-Type to be 13 and you need the medium type to be 6. That has to be the same, and then the VLAN ID is the same, just in a different order.

So with that in place, let's stop our service and we'll run FreeRADIUS in the user space so we can see what's going on. To do that you type in freeradius -X (uppercase X), and then that runs the service. We can run a quick test to see what happens when we try to authenticate to our service, and the command to do that is radtest, and then the username, the password, the server to use, and then here's our client secret, which in this case is testing123. So if I run this we can see up here I get a message that basically tells me that it worked, because I get my Tunnel-Type, Medium-Type and my VLAN right in this section here, and then I also see them here. So that works; brilliant, that works exactly the way that it would work using the Unifi stock configuration. But I don't want that, right? I want to make it so that anything that is not in that list also passes authentication. So let's go back down here and let's just enter some gibberish: hello, world (you'll take my word for it that I don't have a user called hello with a password of world), 127.0.0.1, 0, testing123. And here we can see, again, it allowed the authentication, or it authorized the authentication, and printed the username and password, but I don't get any of that other stuff here. So in this case we can see that it is working the way that I want it to work.

Now let's look at my phone, because that's the real test. OK, so here we have the wireless configuration on my phone. I have a OnePlus 7 Pro and it has a neat feature, which is that it lets me spoof a MAC, basically. Right now I have it set up so that it's sending the device's real MAC, which is this 98 09 CF value; you can see it here on the screen, and we can see that my IP address is 192.168.31.238. So what happens if I go up here and I just change the MAC to use a randomized MAC? So I save; it disconnects me, which is what should happen, and now I go to connect, and we should see some chatter up here. And there we go: we can see my MAC address has changed, and more importantly we can see that my IP address is now 192.168.1.234, which is brilliant. So now if I want to go back I just edit the WLAN setup again, change to the device MAC, I save and I connect, and we can see here that I got the data that I want to get, and then on my phone I have the device MAC and I'm back into the IP space, into the 31 subnet.

So that's all there is to it; it's super easy. I wish that Unifi, or Ubiquiti, would allow me to have that level of flexibility with the stock, out-of-the-box RADIUS configuration, but they don't, and I guess I kind of understand why they don't, but I do wish that it was available, because then, you know, obviously I'm going to have to go through all this to make it work the way that I want it to work. One thing to know: to get out of running FreeRADIUS in the user space you just want to press Ctrl-C, which will exit, and then you want to make sure that you start the service, otherwise stuff's going to break, and then of course you want to get out of privilege.

So hopefully you found that useful. If you did, go ahead and like the video and subscribe to the channel. If you have any questions or comments about this, drop them down below; I'll get to them as soon as I can. Or if you want me to do something else, some other kind of video about how to do something cool with Unifi, drop that below too and I will see what I can do. Cheers.
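As an added example (not from the video and not the FreeRADIUS project's own code), here is a constructed `users` file in the shape the transcript describes, with a small Python model of how FreeRADIUS picks an entry and returns the tunnel attributes: a defined MAC gets its VLAN, a wrong password for a defined MAC is rejected, and anything else falls through to the DEFAULT catch-all with no VLAN, so the AP leaves it on the SSID's default network. The MAC, VLAN 31 and the `Auth-Type := Accept` catch-all are assumptions, and the parser is a deliberate simplification rather than FreeRADIUS's real files module.

```python
import re
# Constructed sample `users` file in FreeRADIUS syntax (made-up MAC). Tunnel-Type
# 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-Id = VLAN ID:
# the same three values Unifi wants on its own RADIUS users. DEFAULT is the catch-all.
USERS_FILE = """\
9809cf112233   Cleartext-Password := "9809cf112233"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 31

DEFAULT        Auth-Type := Accept
"""

ATTR = re.compile(r'([\w-]+)\s*:?=\s*"?([^",\s]+)"?')  # Name op Value pairs

def normalize_mac(username):
    """Unifi sends the MAC with no separators as username and password; accept
    colon/hyphen forms as well and leave non-MAC usernames alone."""
    u = username.lower()
    if re.fullmatch(r"(?:[0-9a-f]{2}[:-]?){6}", u):
        return re.sub(r"[:-]", "", u)
    return username

def parse_users(text):
    """Return (name, check_items, reply_items) tuples in file order."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first, *rest = block.splitlines()
        name, _, check = first.partition(" ")
        entries.append((name, dict(ATTR.findall(check)),
                        dict(ATTR.findall(" ".join(rest)))))
    return entries

def authorize(entries, username, password):
    """Simplified files + pap model: the first entry whose name matches wins (no
    Fall-Through), so a wrong password for a defined MAC is a reject, not a
    fall-through to DEFAULT; DEFAULT with Auth-Type := Accept accepts anyone."""
    username = normalize_mac(username)
    for name, check, reply in entries:
        if name not in ("DEFAULT", username):
            continue
        if check.get("Auth-Type") == "Accept" or \
                check.get("Cleartext-Password") == password:
            return "Access-Accept", reply
        return "Access-Reject", {}
    return "Access-Reject", {}

def vlan_for(entries, username, password):
    """VLAN the AP should put the client in; None means the SSID's default."""
    code, reply = authorize(entries, username, password)
    return reply.get("Tunnel-Private-Group-Id") if code == "Access-Accept" else None
```

Running `radtest` against a real server, as the video does, is the equivalent check: a defined MAC answers with the three tunnel attributes, the gibberish user answers Access-Accept with none.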
Info
Channel: Missing Remote
Views: 6,034
Keywords: Ubiquiti Unifi Dynamic Wireless VLAN Assignment, Unifi, MAC, VLAN, Wireless, freeRADIUS
Id: wJvv7qw0HAQ
Length: 16min 32sec (992 seconds)
Published: Thu Apr 23 2020