@planetWayne
Last active April 25, 2024 06:45
Quick and Dirty walkthrough for setting up Enterprise WiFi on Unifi on Windows domain

Walk-through to setup Enterprise Wifi with Unifi on Windows Server
==================================================================

Update 14/02/2024 : Added step 3-d - allowing the cert template to be issued by a CA

Why

Quite simply, you will have the ability to log on to your Company Wifi network using your Windows Domain Username and Password. No more remembering someone else's idea of a secure password. A Single Sign-on for all resources.

You will also be able to authenticate automatically when logging on with a Windows computer, as it 'passes on' your username and password to authenticate. Any non-Windows / non-domain-joined devices will not be able to sign on automatically but WILL be able to use their network credentials.

From an administrative point, access can be controlled with a security group membership of either the user or potentially AD joined devices, time of day etc.

Pre-Requisites

  • NPS Role (For RADIUS)
  • Active Directory - Certificate Services. (to issue an auto cert to the RADIUS server)
  • Unifi Controller (goes without saying.)

Note that although this looks like a lot of steps - there isn't that much to go through. It's mainly Wizards.

Installation

  1. All of your Unifi APs need to have a STATIC IP address or FQDN on your internal network. This can be either a static assignment on the device itself OR a DHCP reservation.
  2. If you want to control access via security group membership - Open Active Directory Users and Computers.
    1. Create the relevant groups within AD and add members as needed - make a note for later.
    2. Also check the members of the groups and ensure that on the 'Dial In' tab in the section for Network Access Permission, you have checked 'Control Access through NPS Policy'.
  3. Ensure you have a working CA server set up on the domain and an auto-enrol template based on 'RAS and IAS Server'.
    1. On the CA Server, load up the Certification Authority MMC.
    2. Select the 'Certificate Templates' folder, Right Click and select 'Manage' - this should load 'Certificate Template Manager'
      1. Find the 'RAS and IAS Server', Right Click and select Duplicate Template.
      2. Change the name to 'Auto Enrol - RAS and IAS Server' and select 'OK'
      3. Right Click Properties on the new template.
        1. On the 'General Tab' tick 'Publish Certificate in Active Directory'
        2. On the 'Subject Name' tab, select 'Build from this Active Directory Information'
          1. Subject Name Format: Common Name
          2. Under 'Include this information in Alternate subject name' - Tick 'DNS Name'
        3. On the 'Security' tab ensure the permissions for 'RAS and IAS Servers' group has READ, Enrol and AUTOENROLL selected.
      4. Once this new template is in your certificate templates list, you then need to ensure that it can be 'issued' by the CA.
        1. Right Click the 'Certificate Templates' folder under your CA and this time select 'New' -> 'Certificate Template to Issue'
        2. From the list of certificates, find the 'Auto Enrol...' certificate template created above, click to highlight it and then OK. This should then list the new template in your CA's 'Certificate Templates' list. In short, the CA can now issue this type of certificate.
  4. Change the Default Domain Policy to allow Auto Enrolment (https://technet.microsoft.com/en-us/library/jj125378.aspx)
    1. In GPO Manager, edit the default Domain Policy
      1. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies and Right Click Properties for 'Certificate Services Client - Auto-enrolment'
        1. Change the Configuration Model to 'Enabled'
        2. Tick Renew Expired Certificates...
        3. Tick Update certificates that use certificate templates.
    2. Run GPUpdate on your NPS/RADIUS server.
  5. Install and configure NPS - We ONLY need the Network Policy Server role.
    1. Set up each of your Unifi APs as RADIUS Clients. Ensure that your chosen Shared Secret is IDENTICAL across ALL of your Unifi APs.

      1. To aid in consistent shared secrets, and a single place to change it if you update, consider using a Shared Secret Template.
        1. Under Template Manager Right Click 'Shared Secret' and select New.
        2. Give it a meaningful name and either select Manual or Automatic for the shared secret, be mindful of the length of automatic secrets.
      2. Under Radius Clients and Servers, Right Click Radius Clients and select NEW.
      3. Give it a Friendly Name, fill in the IP or FQDN of the AP and select the Shared Secret Template created above from the drop-down.

      If you are looking at using multiple NPS / Radius servers you may want to consider creating a Radius Client template for each AP, these will be visible then on each NPS server.

    2. Under Policies, create a new 'Connection Request Policy' to set up PEAP authentication.
      1. Right Click Connection Request Policy and select 'New'
      2. Give it a meaningful policy name. Select 'Unspecified' as the 'Type of Network Access Server', Click Next
      3. Under Conditions, Click 'Add' and find 'NAS Port Type' in the list and click Add
      4. In NAS Port Type, from the section headed 'Common 802.1x...' select 'Wireless - IEEE 802.11' and from 'Others' tick 'Wireless - Other' and click OK, then Next.
      5. Leave the defaults for 'Forwarding Connection Requests', Click Next
      6. Select 'Override Network Policy Authentication Settings'.
        1. Under EAP types, click ADD and select 'Microsoft: Protected EAP (PEAP)' from the list and click OK
        2. Highlight 'Microsoft: Protected EAP (PEAP)' and click 'EDIT'
          1. Ensure that the 'Certificate Issued To' is correct and valid (see Troubleshooting and steps 3 and 4).
          2. DESELECT 'Enforce Network Access Protection' - not having this cleared can result in 'Error 300' when devices attempt to connect.
          3. Click OK to get back to the wizard.
        3. Under EAP types, again click ADD, this time adding 'Microsoft: Secure Password (EAP-MSCHAP v2)'
        4. Under 'Less Secure Authentication Methods' tick 'MS-CHAP-v2' and 'MS-CHAP', and optionally tick 'User can change password' if required. Then click NEXT
        5. You do not need to add anything at this point for Realms or extra RADIUS attributes. Click Next
        6. Confirm the settings and Click Finish to complete the Wizard.
        7. Confirm the processing Order of this new policy and move up if required.
    3. Under Policies, create a new 'Network Policy'; this sets up authentication as well as the Windows groups allowed access.
      1. Give it a meaningful name, Ideally different from the name of the policy created above. Select 'Unspecified' as the 'Type of Network Access Server', Click Next
      2. Under Conditions, Click 'Add' and find 'NAS Port Type' in the list and click Add
      3. In NAS Port Type, from the section headed 'Common 802.1x...' select 'Wireless - IEEE 802.11' and from 'Others' tick 'Wireless - Other' and click OK, then Next.
      4. Whilst still in 'Conditions' add 'Windows Groups' and select your user group that matches what you created back in step 2. Be mindful that you can also add Time Of Day restrictions as well if required. Click Next
      5. On 'Specify Access Permission' select 'Access Granted' if client connections match this policy. Click Next
      6. Under EAP types, click ADD and select 'Microsoft: Protected EAP (PEAP)' from the list and click OK
      7. Highlight 'Microsoft: Protected EAP (PEAP)' and click 'EDIT'
        1. Ensure that the 'Certificate Issued To' is correct and valid (see Troubleshooting and steps 3 and 4).
        2. Check that 'Enforce Network Access Protection' is again DESELECTED
        3. Under EAP types, again click ADD, this time adding 'Microsoft: Secure Password (EAP-MSCHAP v2)'
      8. Leave the defaults for 'Configure Constraints' and click Next
      9. Again, leave the defaults for additional settings and click Next
      10. Confirm the settings and click Finish to complete the Wizard.
      11. Check the Processing Order of this new policy and move up if required.
      12. Select your new entry and go to Properties and ensure that 'Ignore User Account Dial-in Properties' is ticked. (This overrides any dial in permission per user - just in case)
  6. Set up WiFi on Unifi control panel.
    1. Under Wireless Configurations on the Unifi controller add your new SSID and ensure that WPA-Enterprise is selected.
    2. Add in the IP address of your RADIUS server (NPS Server). The password needed is the one set up at 5-a, i.e. the Shared Secret of your RADIUS clients.
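Step 5-a insists that every AP is registered with exactly the same shared secret. The following PowerShell is an added example (not part of the original gist) that registers a constructed list of APs as NPS RADIUS clients from one prompted secret and then verifies them; it assumes the NPS role is installed and that it runs elevated on the NPS server, and the AP names and addresses are placeholders.

```powershell
# Added example, not from the original gist: register every Unifi AP as an NPS RADIUS
# client with one identical shared secret (step 5-a), then verify. Assumes the NPS role is
# installed and this runs elevated on the NPS server. AP names and addresses are constructed.
Import-Module NPS

# Constructed inventory: static IPs or FQDNs, as step 1 requires.
$accessPoints = @{
    'AP-Office-1'  = '192.0.2.11'
    'AP-Office-2'  = '192.0.2.12'
    'AP-Warehouse' = 'ap-warehouse.corp.example'
}

# Prompt once so every client gets exactly the same secret; never hard-code it in the script.
$secret = (Get-Credential -UserName 'radius' -Message 'RADIUS shared secret').GetNetworkCredential().Password
if ($secret.Length -lt 16) {
    throw 'Use a long, random shared secret (a Shared Secret Template set to Automatic is simplest).'
}

foreach ($name in $accessPoints.Keys) {
    if (Get-NpsRadiusClient | Where-Object Name -eq $name) {
        Write-Warning "RADIUS client '$name' already exists, skipping"
        continue
    }
    New-NpsRadiusClient -Name $name -Address $accessPoints[$name] -SharedSecret $secret | Out-Null
}

# Verify: each AP is present and enabled.
Get-NpsRadiusClient | Where-Object { $accessPoints.ContainsKey($_.Name) } |
    Select-Object Name, Address, Enabled | Format-Table -AutoSize

# For additional NPS servers (see the note on multiple NPS / RADIUS servers above), export the
# whole configuration and Import-NpsConfiguration it on the peer. The exported XML holds the
# shared secrets in clear text, so restrict access to it and delete it once imported.
Export-NpsConfiguration -Path "$env:TEMP\nps-config.xml"
```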

Troubleshooting

You should be seeing events on the NPS / RADIUS server in the event logs if it is processing RADIUS events.

If you are getting Event ID 6273 - check the authentication details for 'Reason Code: 300' 'No credentials are available in the security package' - This has been seen with Android devices. Check out point 5, b, iv, 1, b. (It's trying to do Network Access Protection (NAP))

For devices not on the domain, you may have to accept the certificate for the RADIUS/NPS server. Again, this should be recognisable as one of your internally issued certificates. The issue is that a non-domain-joined device will not know about your CA server unless you have added the Root CA's certificate to the device. Again, a typical thing with a mobile device (iOS etc.); to fix that you will need to export your Root CA's public cert and add it to your devices.

As your CA is domain based, the Root CA will be auto-accepted on any PCs by joining the domain, and thus any certs it created will be accepted.

There should be a certificate on the NPS server in the Personal Certificate Store for the Computer that corresponds to the computer name and should be valid and signed.

You WILL notice other certificates being issued by the CA with AutoEnrollment enabled.

Ensure that the NPS role is running - I have seen a server that had NPS installed and removed - typically it left the management tools and let you config it but didn't actually do anything :-/
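The three checks above (NPS service actually running, a valid CA-issued certificate for the computer in the Personal store, and Event ID 6273 with its reason code) can be scripted. This is an added example, not from the original gist; it assumes it runs elevated on the NPS server, that the service is named IAS (the Network Policy Server service), and that the 6273 event data uses the field names shown in the comments.

```powershell
# Added example, not from the original gist: health check for the NPS / RADIUS server covering
# the Troubleshooting points. Run elevated on the NPS server.

# 1. Is the NPS service (service name IAS) really installed and running?
$svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning 'NPS service (IAS) not found - is the role actually installed?' }
elseif ($svc.Status -ne 'Running') { Write-Warning "NPS service is $($svc.Status)" }
else { Write-Host 'NPS service running' }

# 2. A valid Server Authentication cert for this computer's FQDN, with private key, in LocalMachine\My.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
    ($_.DnsNameList.Unicode -contains $fqdn)
}
if (-not $certs) { Write-Warning "No valid server-auth certificate for $fqdn - check auto-enrolment (steps 3 and 4)" }
else { $certs | Select-Object Subject, Issuer, NotAfter | Format-List }

# 3. Failed RADIUS authentications in the last day (Event ID 6273) with their reason codes.
# Field names ReasonCode/Reason/SubjectUserName/ClientIPAddress are assumed from the 6273 event XML.
# If nothing comes back at all, confirm the 'Audit Network Policy Server' subcategory is enabled.
$filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $reason = $data['ReasonCode']
    # Reason 300 is the NAP symptom from the Troubleshooting section (see step 5, b, iv, 1, b).
    $hint = if ($reason -eq '300') { ' <- clear "Enforce Network Access Protection" in PEAP' } else { '' }
    '{0:u}  user={1}  client={2}  reason={3} {4}{5}' -f $e.TimeCreated, $data['SubjectUserName'],
        $data['ClientIPAddress'], $reason, $data['Reason'], $hint
}
```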
