Free Guest Wi-Fi for Ubiquiti UniFi

Michael Jankie
WHAT THE FI. BY POWEREDLOCAL
10 min read · Jul 22, 2020

Simple.

Want to offer guest WiFi with a social login? Do you want to build a marketing database by offering Free WiFi?

This guide is for you if you already have Unifi wireless access points & want to add configurations to broadcast a ‘Free WiFi’ solution.

What you’ll need

  1. Access to your Unifi Controller Dashboard / web portal
  2. A free PoweredLocal account — you can get one of these by reaching out to us at hi@poweredlocal.com

This guide will help you configure a Unifi controller to broadcast a wireless network that appears open (no password), but requires the user to authenticate with their social login details or an email form.

Setting up PoweredLocal on the Unifi Controller

The guide below is a generic one for setting up a PoweredLocal service on a Unifi Controller as additional WiFi networks. You or your IT department may need to configure other settings that will be unique to your network. For the images and instructions below, we have used the UniFi online demo.

Please note, we will be setting up two SSiDs, a Direct Network and a Mesh Network. This means you will need to be able to set up an additional two SSiDs. At time of writing, Unifi is limited to four SSiDs per WLAN group. If you need more than 4 SSiDs including our two, get in touch at hi@poweredlocal.com, as we have the solution.

Let’s begin

  1. Log in to your UniFi Controller
  2. Click Settings on the bottom left hand corner.
  3. Click Wireless Networks
  4. Click + CREATE NEW WIRELESS NETWORK
  5. Set the name to the SSiD (Wireless network name) you want to broadcast. For this example, we are going to use Super Burgers Free Wi-Fi
  6. ☑ Tick Enable this wireless network
  7. Set Security to 🔘 Open
  8. ☑ Check the box for Guest Policy
  9. Click SAVE
Adding a new wireless network

Next Step

Click Guest Control and set the following:

+----------------+-------------------------------------------------+
| Guest Control  | Guest Policies                                  |
+----------------+-------------------------------------------------+
| Guest Portal   | ☑︎ Enabled                                       |
| Authentication | 🔘 External portal server                       |
| IPv4 Address   | 13.210.155.93                                   |
| Redirection    | ☑︎ Use Secure Portal                             |
| Redirection    | ☑︎ hostname: direct.login.poweredlocal.com       |
| Redirection    | ☐ Enable HTTPS Redirection                      |
+----------------+-------------------------------------------------+

If you have controller version 5.5.24+ and the security gateway…
Add some Pre-Authorization Access URLs & IPs

+--------------------------+-------------------------------+
| Guest Control            | Access Control                |
+--------------------------+-------------------------------+
| Pre-Authorization Access | direct.login.poweredlocal.com |
|                          | stats.poweredlocal.com        |
|                          | poweredlocal.com              |
|                          | fbcdn.net                     |
|                          | www.facebook.com              |
|                          | akamaihd.net                  |
|                          | connect.facebook.net          |
+--------------------------+-------------------------------+

Click Apply Changes

Example of Pre-Authorization settings

~OR~

If your controller only accepts IPs…
Add some Pre-Authorization Access IPs

+--------------------------+------------------+
| Guest Control            | Access Control   |
+--------------------------+------------------+
| Pre-Authorization Access | 13.210.155.93/32 |
|                          | 13.54.51.210/32  |
+--------------------------+------------------+

Then add all of Facebook’s IP ranges from https://ipinfo.io/AS32934. Your ISP/internet provider’s DHCP will determine whether it’s IPv4 or IPv6, but to future-proof, you should add both sets.
Sorry, there are lots — it’s an issue with the older UniFi Controller firmware. We recommend updating to the latest version and ignoring this section.

Guest Control Settings

Click Apply Changes

The next two steps allow us remote access to the controller. We need you to create a user account that our API can use to authorise users onto your Wi-Fi network automatically.

Setting up access step

Click Admins and + ADD A NEW USER

+-------------------------+-------------------------------------+
| Create New Admin        |                                     |
+-------------------------+-------------------------------------+
| Invite to Controller    | Manually set and share the password |
| Name                    | poweredlocal                        |
| Password                | *create something unique here       |
| Require Password change | ☐ Uncheck                           |
| Email                   | support@poweredlocal.com            |
| Role                    | Administrator                       |
| Global Permissions      | ☐ Uncheck                           |
+-------------------------+-------------------------------------+

Click CREATE to save

Settings for Admins tab

External Access

As part of the authentication process for people to connect to WiFi, we need API access to the controller.

This is fundamental to the system working properly. If we cannot access the controller, Authentication will not complete and users won’t be able to connect to wifi.

Make sure that your UniFi Controller (the computer/VM/server running the controller software, or a Cloud Key) is accessible via the internet, and send the static access URL/link (e.g. https://132.456.78.90:8443 or https://unifi.mydomain.com:8443) to our team along with the login credentials you created above.

To achieve this, you will need to set up port forwarding or open up firewall access to port 8443 (the port that runs the secure UniFi Controller web GUI) on the Cloud Key, computer and/or router that your controller is running on. If the device running the controller is behind a NAT, you may need to configure port mapping as well.

You can (and should) restrict access by whitelisting/allowing only our server IPs if you are further concerned about security.

We prefer the domain column, but if you can only whitelist IP addresses, then use the 2nd column.

+------------------------+-------------------+----------------+
| Whitelist Domain       | Whitelist IP      | Description    |
+------------------------+-------------------+----------------+
| node3.poweredlocal.com | 13.55.171.148/32  | Auth Server    |
| node4.poweredlocal.com | 52.63.53.68/32    | Auth Server    |
| node5.poweredlocal.com | 52.65.79.143/32   | Auth Server    |
| 49.255.128.14          | 49.255.128.14     | Support Center |
| 69.162.124.224/28      | 69.162.124.224/28 | Uptime Monitor |
| 63.143.42.240/28       | 63.143.42.240/28  | Uptime Monitor |
+------------------------+-------------------+----------------+
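
One way to apply the restriction recommended above, as an added example (not PoweredLocal's own tooling): it prints iptables rules that admit only the sources in the table to TCP 8443, and provides is_allowed for checking source addresses seen in firewall logs against the same list. It assumes the controller runs on a Linux host using iptables; the chain name UNIFI_8443 and the management subnet 192.168.1.0/24 are placeholders.

```shell
#!/bin/sh
# Sources copied from the table on this page. 49.255.128.14 is listed there
# without a mask; /32 is added here.
ALLOW="13.55.171.148/32 52.63.53.68/32 52.65.79.143/32 49.255.128.14/32 69.162.124.224/28 63.143.42.240/28"
# Assumption: your own management subnet (placeholder value, change it).
MGMT="192.168.1.0/24"

# ip2int A.B.C.D: dotted quad -> 32-bit integer (runs in a subshell, IFS stays local).
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET/BITS: succeeds when IP falls inside the network.
in_cidr() (
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & $mask )) -eq $(( $(ip2int "$net") & $mask )) ]
)

# is_allowed IP: succeeds when the address is an expected source for port 8443.
is_allowed() {
  for cidr in $ALLOW $MGMT; do
    if in_cidr "$1" "$cidr"; then return 0; fi
  done
  return 1
}

# emit_rules: print (not apply) the rules so they can be reviewed first.
emit_rules() {
  echo "iptables -N UNIFI_8443"
  echo "iptables -A INPUT -p tcp --dport 8443 -j UNIFI_8443"
  for cidr in $ALLOW $MGMT; do
    echo "iptables -A UNIFI_8443 -s $cidr -j ACCEPT"
  done
  echo "iptables -A UNIFI_8443 -j DROP"
}

emit_rules
```

If the controller sits behind a NAT router, put the same source restriction on the router's port-forward rule instead.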

Do you use the hosted controller at https://account.ubnt.com?
It’s okay: as long as you have a static public IP at the site where the APs are, we can give you the workaround here too. We’ll still need a login to the hosted controller.

Craft an email to us

Send us the details created in the above steps. We need to configure a few extra settings at our end and then get you online. Please note, if you add a network or device, or use a new login page, we will need to make back-end configuration changes, so please let us know if you do.

Items to send us:

  • Controller URL: ex. https://132.456.78.90:8443
  • Username (this should be poweredlocal): poweredlocal
  • Password: *****
  • The Site ID of the group of APs (by default it is default): default
    Otherwise, it is the part after /site/ in the URL when you select your site (see the examples below):
    https://unifi.demourl.com:8443/manage/site/default/dashboard
    https://unifi.demourl.com:8443/manage/site/x36knvl9/dashboard

SSiD #2 — The Mesh network (optional — but you are cray cray if you don’t do it:))

To enable the Mesh Network, a few extra steps are required. Please note, this is the 2nd SSiD to be used.

  1. First, head to Settings and Wireless Networks menu, click Create New Wireless Network. Use the following settings:
  • SSID: PoweredLocal Free Wi-Fi (you must copy this exactly for it to work)
  • Enable this wireless network: Yes
  • Security: Open
  • Apply guest policies: Yes

  2. Un-collapse the Advanced Options, then un-collapse Radius MAC Authentication and use the following settings:

  • Enabled: ☑︎ Enable RADIUS MAC authentication
  • Radius Profile: Create New Radius Profile, configure with the below settings. Note you will need to add a 2nd Auth Server.
+--------------------------+-----------------+
| Field                    | Value           |
+--------------------------+-----------------+
| Profile Name             | PL-Radius       |
| VLAN Support - wired     | ☐ Uncheck       |
| VLAN Support - wireless  | ☐ Uncheck       |
|                          |                 |
| Radius Auth Server IP#1  | 35.189.26.255   |
| Port                     | 1812            |
| Password/Shared Secret   | vxTFg1AWMd)m<#q |
|                          |                 |
| Radius Auth Server IP#2  | 13.55.169.104   |
| Port                     | 1812            |
| Password/Shared Secret   | vxTFg1AWMd)m<#q |
|                          |                 |
| Enable Accounting        | ☑︎ Enabled       |
| Enable Interim Update    | ☑︎ Enabled       |
| Interim Update Interval  | 300             |
|                          |                 |
| Radius Accounting Server | 35.189.26.255   |
| Port                     | 1813            |
| Password/Shared Secret   | vxTFg1AWMd)m<#q |
|                          |                 |
| Radius Accounting Server | 13.55.169.104   |
| Port                     | 1813            |
| Password/Shared Secret   | vxTFg1AWMd)m<#q |
+--------------------------+-----------------+

Click SAVE
  • MAC Address Format: aa:bb:cc:dd:ee:ff

Click SAVE

Now the more advanced part

We now need to add a leading space to the SSiD. The Unifi web interface doesn’t allow you to add them — leading spaces are stripped every time you update settings.

NOTE: Mesh network will not function without a leading space. You have to install curl (command line tool) or any other web tool to send a modified request to the Ubiquiti controller.

To overcome this, use the Developer Tools in your browser. The example below is based on Chrome, but all modern browsers have the same functionality built in. While you are on the Wireless Networks page, open Inspector or Developer Tools, then click over to the Network tab:

Developer Tools

In the Unifi Portal, click Edit on PoweredLocal Free Wi-Fi network, add a leading space to the SSiD and click “Save”. You will see a new network request towards the bottom of your Developer Tools panel.

In a notepad or any clean text editor, paste this command syntax:

curl -v -k -X PUT <Request URL> -H 'X-Csrf-Token:<token>' -H 'Cookie:<cookie>' -H 'Content-Type:<content-type>' -d '<Request Payload>'

Change <Request URL> to the Request URL noted under the General section in the Developer Tools e.g. https://132.456.78.90:8443/api/s/default/rest/wlanconf/5b1730418bb29a01eab16f10

Get the X-Csrf-Token from the Request Headers section in Developer Tools and replace <token>

Get the Cookie from the Request Headers section in Developer Tools, e.g. unifises=lF0ZVEsVfjsO9q6OfF12hgtRKlWdqmOm;csrf_token=xkanzMOkkrBTqGNgRFCaJrHAKyQdGw, and replace <cookie>

Remove the space between Cookie: unifises and csrf_token to avoid getting errors when running the command.

Get the Content-Type from the Response Headers section, e.g. application/json;charset=UTF-8, and replace <content-type>

Swap out <Request Payload> for the data from Developer Tools. You may need to click view source to toggle the format and see the original unmodified request. You will see a part that says "PoweredLocal Free Wi-Fi". Change that to " PoweredLocal Free Wi-Fi" (just add a leading space).

DEMO Example of CURL command from above GIF:

curl -v -k -X PUT https://localhost:8443/api/s/default/rest/wlanconf/5c64eb93deda0aca5377f516 -H 'X-Csrf-Token:RgjM16QCxuzP6991dGcfACirskqKiJOf' -H 'Cookie:unifises=e8LUKnInpIRhpmhNnGXhmgc20Lok6p9J;csrf_token=RgjM16QCxuzP6991dGcfACirskqKiJOf' -H 'Content-Type:application/json;charset=UTF-8' -d '{"enabled":true,"security":"open","wep_idx":1,"wpa_mode":"wpa2","wpa_enc":"ccmp","usergroup_id":"598bcf44ef86be2ca180d756","dtim_mode":"default","dtim_ng":1,"dtim_na":1,"minrate_ng_enabled":false,"minrate_ng_advertising_rates":false,"minrate_ng_data_rate_kbps":1000,"minrate_ng_cck_rates_enabled":true,"minrate_na_enabled":false,"minrate_na_advertising_rates":false,"minrate_na_data_rate_kbps":6000,"mac_filter_enabled":false,"mac_filter_policy":"allow","mac_filter_list":[],"bc_filter_enabled":true,"bc_filter_list":[],"group_rekey":3600,"name":" PoweredLocal Free Wi-Fi","is_guest":true,"wlangroup_id":"598bcf44ef86be2ca180d757","fast_roaming_enabled":false,"schedule":[],"minrate_ng_mgmt_rate_kbps":1000,"minrate_na_mgmt_rate_kbps":6000,"minrate_ng_beacon_rate_kbps":1000,"minrate_na_beacon_rate_kbps":6000,"site_id":"598bcf3def86be2ca180d74f","x_iapp_key":"89bb12d1a18da9c2badedb5ec38b6b3d","_id":"5c64eb93deda0aca5377f516","radius_mac_auth_enabled":true,"radiusprofile_id":"5c64eea3deda0aca5377f51d","radius_macacl_format":"colon_lower"}'

Now go to the command line (terminal/etc) and copy/paste & run the script. After two minutes (though often immediately after a refresh), log out and log back in, and you should be able to see a leading space on your PoweredLocal Mesh SSID.
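
The hand edits described above (closing up the Cookie header and adding the leading space to the SSID in the payload) can be scripted, as an added example that is not part of the original guide. It prints the curl command only after checking that the leading space is the sole change to the captured payload, and uses --cacert instead of the guide's -k when a CA file is supplied. The URL, token, cookie and payload are constructed placeholders, and CA_FILE is an assumed optional variable.

```shell
#!/bin/sh
# Constructed stand-ins for the values copied from Developer Tools.
URL='https://unifi.example.com:8443/api/s/default/rest/wlanconf/WLAN_ID_PLACEHOLDER'
TOKEN='CSRF_TOKEN_PLACEHOLDER'
COOKIE='unifises=SESSION_PLACEHOLDER; csrf_token=CSRF_TOKEN_PLACEHOLDER'
PAYLOAD='{"enabled":true,"security":"open","name":"PoweredLocal Free Wi-Fi","is_guest":true}'

# fix_cookie: remove the space the browser shows after ';' between the two cookies.
fix_cookie() { printf '%s' "$1" | sed 's/; */;/g'; }

# add_leading_space: prepend one space to the "name" value unless it already has one.
add_leading_space() {
  printf '%s' "$1" | sed 's/"name":"\([^ "][^"]*\)"/"name":" \1"/'
}

# only_name_changed OLD NEW: succeeds only if NEW is OLD plus one space in "name".
only_name_changed() {
  [ "$2" != "$1" ] && [ "$(printf '%s' "$2" | sed 's/"name":" /"name":"/')" = "$1" ]
}

# build_curl: print the PUT command, refusing if anything but the name differs.
build_curl() {
  new=$(add_leading_space "$PAYLOAD")
  only_name_changed "$PAYLOAD" "$new" || {
    echo "payload was not changed as expected (name already padded?)" >&2
    return 1
  }
  # -k (as in the guide) skips TLS certificate verification; verify against
  # the controller's CA instead when CA_FILE is set.
  if [ -n "${CA_FILE:-}" ]; then tls="--cacert $CA_FILE"; else tls="-k"; fi
  printf "curl -v %s -X PUT '%s' -H 'X-Csrf-Token:%s' -H 'Cookie:%s' -H 'Content-Type:application/json;charset=UTF-8' -d '%s'\n" \
    "$tls" "$URL" "$TOKEN" "$(fix_cookie "$COOKIE")" "$new"
}

build_curl
```

The cookie and CSRF token are a live admin session, so keep the printed command out of shared notes and shell history.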

That’s it — your Mesh network should be up and running!

Tip: You can use the same procedure to add a space at the start of your other SSIDs to get them to the top of a user’s list on their phone or laptop.

Final Steps — NOT OPTIONAL

Add all of the MAC addresses of your Access Points to the Location in the PoweredLocal dashboard.

Each AP will have up to nine MAC addresses that we need. In the Unifi Dashboard, click on DEVICES and then click into each Wireless AP. A PROPERTIES frame will appear on the right-hand side. You will need to note MAC addresses from OVERVIEW and under WLANS. Under WLANS, you will need to copy across each of the MAC addresses for the ESSIDs that relate to the two guest WiFi networks. There are multiple MAC addresses for each of the 2.4 GHz and 5 GHz radios.

A further suggestion..

As noted above, allowing us access to the controller is essential in being able to authenticate and allow users onto the WiFi. If the controller is offline, the network will still show, we will receive data coming to us from your users and we will send API calls to allow them onto the network, but these calls will not get through.

There is a simple and free way for you to monitor your controller and get alerts when it is down. Below is an example of one of many free services for monitoring the “uptime” of a website, which can be used to monitor the availability of your controller over the web. We like UptimeRobot, which is free and easy to use. If you have restricted your controller access to specific IPs, then please also allow the UptimeRobot IPs.

Steps

  1. Sign-up for an account with UptimeRobot
  2. Click the green + Monitor button on the top left
  3. Set a friendly name for the alert
  4. Enter the full url for the controller accessible over the web
  5. Check the box next to your email address for alerts

Done!

Note that since you are using your own equipment (UniFi), some of the network settings (website whitelists, bandwidth limits, etc.) may not be configurable through the PoweredLocal panel, and you can apply appropriate settings on your controller.

If you want to get yourself a demo or preview of the PoweredLocal dashboard, please reach out to us on hi@poweredlocal.com or chat with someone on our website www.poweredlocal.com
