Member
Posts: 157
Registered: ‎08-09-2010
Kudos: 4
Solutions: 3

Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Dear All,

 

After many searches on this topic I have still not found a clear picture of how the captive portal code should be written in order to work properly with the UniFi controller. Therefore I decided to open this topic to collect all the useful information (not only for me but, I hope, for someone else in the community as well). I'd like to make clearer how the communication between the external captive portal and the UniFi controller works.

First of all, I made a sketch that summarizes in a few simple blocks how the communication between all the actors in the hotspot scenario should work. I hope my understanding of how things work is right, but if not, please feel free to change the current drawing with the required adjustments.

 

cp-aaa-unifi.jpg   

 

Here below are my questions related to the configuration:

 

  • First: if the captive portal is external, what should the settings be under the "Landing pages" section of Guest Control?
  • Second: when an external captive portal is used, is the Portal customization section ignored?
  • Third: under the Hotspot section, RADIUS should be flagged and then the RADIUS profile configured before associating it. This point I think is quite clear.

Here below are my questions related to the captive portal and its code:

 

  • Fourth: when I use the external captive portal, and based on the first question, what should the basic structure of the files expected in the captive portal directory be?
  • Fifth: the captive portal code should contain the calls to the UniFi controller through the API, but I didn't find any specific guide on how it should be programmed against the API. Is there any detailed guide on the workflow that should be implemented in the captive portal in order to perform a full authentication process?

 

I opened this topic with the idea of helping anyone who wants to implement a proper hotspot solution like me, and of creating a single guide that collects all the information found in the community but currently fragmented.

 

Thanks to all in advance

Maria  

Member
Posts: 157
Registered: ‎08-09-2010
Kudos: 4
Solutions: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Hi,

 

after searching and searching again I found the following sentence by 

 

Use Hotspot authentication with RADIUS-based authentication and Override templates with custom changes

enabled. In this case you need to build your own UI with a redirect flow to your external portal and callback to process RADIUS request. The API you need to call is:

 

POST https://controllerhostname:8443/guest/s/default/login
{
  "by": "radius",
  "username": "...",
  "password": "..."
}

You can use http on port 8880 if you don't use Secure Portal.

 

It seems a good point to start from, but it is not enough because I think there is some missing information. Can someone help me with more details on what the API call for Hotspot authentication with RADIUS could be? This part is completely uncovered by the documentation and it is hard to find out how the call should be made.

 

Thanks

Maria

Senior Member
Posts: 3,890
Registered: ‎06-13-2015
Kudos: 1014
Solutions: 188

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

@loffy I can see whether I'm able to help out here. It will help if you can share a link to the original post you referenced so we can see the context.

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
Details on our UniFi Device Search tool can be found here.
Member
Posts: 157
Registered: ‎08-09-2010
Kudos: 4
Solutions: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Hi slooffmaster,

 

here below is the original link

 

https://community.ubnt.com/t5/UniFi-Wireless-Beta/Hotspot-w-Radius/m-p/2271227#M64229

 

I have seen your great job on the API client and I hope you can help me on this matter.

 

Thanks

Maria 

Senior Member
Posts: 3,890
Registered: ‎06-13-2015
Kudos: 1014
Solutions: 188

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

@loffy Hmm, could be that this API route is meant to accept a regular browser form POST from the captive portal? Hence the 302 redirect. There is also no submission of a client MAC address to authorize.

 

To investigate further you can check what happens if you use invalid credentials with that cURL command and what happens if you don't have a redirect URL configured. You can also check the event log in the controller to see what shows up there regarding the RADIUS auth request.

Art of WiFi
Member
Posts: 157
Registered: ‎08-09-2010
Kudos: 4
Solutions: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Hi slooffmaster,

 

your help is really appreciated, thank you so much.

 

I did a test as you suggested with real and fake credentials via curl; the answer from the server is the same. In the event log I don't see any message related to my attempts. I don't know if there is a better place to see more debug messages; this would help a lot.

 

As you said, it is also strange to me that there is no MAC address in the call; I was expecting something like:

 

curl -v --cookie /tmp/cookie --cookie-jar /tmp/cookie -k -d '{"by":"radius", "username":"0002test", "password":"pass", "mac":"xx:xx:xx:xx:xx:xx"}' -H "Content-Type: application/json" -X POST https://192.168.1.34:8443/guest/s/default/login

 

Do you know where I can look for debug messages in the controller?

 

Thanks

Senior Member
Posts: 3,890
Registered: ‎06-13-2015
Kudos: 1014
Solutions: 188

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

@loffy You're welcome.

 

The reason (I believe) there is no MAC address is that this route is meant to accept HTML form POSTs from the client device which is connected to the controller captive portal (its session attributes within the controller will hold the MAC address, I guess).

 

To further debug you can increase the log levels in the controller settings under the "Maintenance" section. The output will end up in the log files.

Art of WiFi
Senior Member
Posts: 3,890
Registered: ‎06-13-2015
Kudos: 1014
Solutions: 188

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Maybe @UBNT-MichalS can shed some light on this? What we are looking for is an API route to authenticate the user based on Radius, not the one where to POST a form to.

Art of WiFi
Member
Posts: 157
Registered: ‎08-09-2010
Kudos: 4
Solutions: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Hi slooffmaster,

 

thank you for the suggestion to increase the debug level. I have repeated the curl command to see the reaction in the log. Below is the result:

 

I don't know if you have an idea from looking at the log messages, but I think someone from ubnt could help us with an example of how the string to send via the API should look. I see a URL exception at the beginning that could be an indication of a wrong string sent via the API.

 

 

debug messages.png

Member
Posts: 157
Registered: ‎08-09-2010
Kudos: 4
Solutions: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system


Hi,

 

any suggestion? I'm stuck on this and I cannot move forward with my implementation.

Can someone point me in the right direction?

 

 

Thank you

Maria 

Member
Posts: 157
Registered: ‎08-09-2010
Kudos: 4
Solutions: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system


Hello Guys,

 

I did something more to try to understand how to call the web API: using an API sniffer in Chrome I got the following output with the default AngularJS captive portal.

 

Screen Shot 2018-03-13 at 22.29.45.png

Well...!!! Then I tried to make the same call through the curl command line like this, but with no luck, because I always get 302 Found as the result of my call:

 

 

root@debian9:~# curl -v --cookie /tmp/cookie --cookie-jar /tmp/cookie -k -d '{"t": "1520976396865", "by": "radius", "username": "test@test", "password": "1234"}' -X  POST https://192.168.1.34:8443/guest/s/default/login
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 192.168.1.34...
* TCP_NODELAY set
* Connected to 192.168.1.34 (192.168.1.34) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=CA; L=San Jose; O=ubnt.com; OU=UniFi; CN=UniFi
*  start date: Feb 27 21:07:15 2018 GMT
*  expire date: Feb 25 21:07:15 2028 GMT
*  issuer: C=US; ST=CA; L=San Jose; O=ubnt.com; OU=UniFi; CN=UniFi
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> POST /guest/s/default/login HTTP/1.1
> Host: 192.168.1.34:8443
> User-Agent: curl/7.52.1
> Accept: */*
> Cookie: ec=h7UP4Mvt4EiEymrDbLNqXhLRBfOKsnHd_lQRwmPQ5avJygQEsir7Prsrb5AcnrxBOYFojhuvwPYvmF92CWJDSMjfuZn3-qmfn_MzWI53cjA1SglEluOwBZf2Z8UYbrD_; csrf_token=grEyxjHBJD7SADwvFxkoMzQxZteU8dxz; unifises=b1aioqdXf69B7Pg4UD37fP6a0o5ZoP1Z
> Content-Length: 83
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 83 out of 83 bytes
< HTTP/1.1 302 Found
< Server: Apache-Coyote/1.1
< Location: http://www.google.com/
< Content-Length: 0
< Date: Tue, 13 Mar 2018 21:31:30 GMT
< 
* Curl_http_done: called premature == 0
* Connection #0 to host 192.168.1.34 left intact
root@debian9:~#

I don't understand how to test the hotspot authentication with RADIUS using the command line. What is wrong in my thinking?

 

thanks

Maria

 

Member
Posts: 157
Registered: ‎08-09-2010
Kudos: 4
Solutions: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

My Dear,

 

no one can help me???? This part is not documented and help from you Ubnt guys would be really appreciated.

 

Thanks

Member
Posts: 157
Registered: ‎08-09-2010
Kudos: 4
Solutions: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system


Hi slooffmaster,

 

do you have any hint to try, based on my last attempts? I'm thinking about what more I can try but I don't know where to.

 

Thanks

Maria

 

Senior Member
Posts: 3,890
Registered: ‎06-13-2015
Kudos: 1014
Solutions: 188

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system


@loffy wrote:

Hi slooffmaster,

do you have any hint to try, based on my last attempts? I'm thinking about what more I can try but I don't know where to.

 

Thanks

Maria

 


Unfortunately not without confirmation from the UBNT that an API route exists for Radius authentication. This is something completely different from an endpoint for the captive portal forms to POST to.

Art of WiFi
Member
Posts: 157
Registered: ‎08-09-2010
Kudos: 4
Solutions: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Thanks again @slooffmaster.

I hope someone from ubnt will help on this. I wrote an email to @UBNT-MichalS hoping for some help. We will see.

 

thanks

Maria

New Member
Posts: 7
Registered: ‎04-04-2014
Kudos: 2

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

I just went through this effort and fumbled around enough to learn this:

1. Use Hotspot, not external. That sounds counterintuitive, but you'll see why. It seems RADIUS only works with Hotspot.

2. The redirect is to your controller IP, or hostname if you have an FQDN. http or https, depending on your site, etc. Promotional URL is where you want users to land after logging in, although you can manipulate this, see below.

3. Click save. Then click "Override templates...." Then click save again. This creates the default pages but supposedly won't overwrite them again. I hope.

4. On the controller (I use Linux so Windoze might be different), find the data folder for the site, and in that folder there is another folder that has the default login page files. For me it's: /usr/lib/unifi/data/sites/<site-id>/app-unifi-hotspot-portal

5. Edit index.html in this folder with a simple redirect to your external login page. Use a header or JS. JS allows you to put up content if the redirect is slow, etc. Angular is available and jQuery should be in there somewhere, or you can add it.

6. Set up RADIUS in the profile.

7. Configure your external page to make a GET to the controller with the protocol, port and path the same as the original redirect you see when you connect, i.e. the path to index.html with username and password as GET params.

8. This GET can go to index.html or another page you make in the same folder on the controller. I chose the latter and called the file prelogin.html. It just makes index.html simpler and made debugging this simpler.

9. prelogin.html takes the GET variables and makes an XML POST to 'login' with the correctly formatted JSON { by: "radius", username: "blah", password: "bleh" }. 'login' has the path of index.html.

10. The controller will get the POST and should then make a RADIUS request. The RADIUS reply is processed and returned in the XML response.

11. The response is JSON (I don't have it in front of me to put a sample), but it includes "authorized": true, the redirect_url etc. You can then do a window.location with redirect_url or redirect to another page you sent in the original GET.

Caveats:

1. I have this working as of yesterday after pulling many hairs out. (I came here looking for why RADIUS acct-stops aren't happening.)

2. RADIUS interim-updates don't seem to obey the time you put in the controller. They come much more often. Or the field is not seconds. TBD.

3. NAS-Id is only sent for the first Access-Request, as the notes show. That was a big pain.

4. NAS-Id is the controller UUID, which is fine if you have 1 site per controller. Not so fine with multiple sites. So I used locations as realms and made user@location.

5. I have only seen 1 acct-stop and I'm not even sure I saw it, as I erased my log before I could examine it.

6. The controller sends an acct-off when you restart UniFi (Linux: service unifi restart).

7. I have not seen an acct-on packet yet, despite the notes listing it.

8. I'm using FreeRADIUS.

 

I hope this helps.

 

 

New Member
Posts: 15
Registered: ‎04-10-2018

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system


Hello reverged,

 

I'm trying to do the example according to your instructions, but when I use the route http://IP:8880/guest/s/site_name/

I get redirected again to the modified index.html and do not receive the parameters that were received previously. Could you clarify a bit what the URL would be, or perhaps upload the sample files?

 

I am confused about point 9; I do not know which address to send the XML to.

 

Thank you very much for your help.

 

 

New Member
Posts: 7
Registered: ‎04-04-2014
Kudos: 2

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

For index.html I have this:

 

<html><head><title></title>
<script>
  // hand the full controller redirect URL to the external page; encode it so
  // the ? and & it contains don't break the outer query string
  var initialPath = location.href;
  location.replace('https://myexternalserver.com/loginpage.php?initialpath=' + encodeURIComponent(initialPath));
</script>
</head>
<body> etc...

That redirects the user to my external login page. I pass initialPath from the UniFi generated redirect URL and then parse that in PHP to get the MAC address and other things.

My external login page does a bunch of stuff, but eventually redirects the browser to:

https://<unifidomain>:<port>/guest/s/<sitename>/prelogin.html?username=<username>&password=<password>&t=0000001

t is part of the original UniFi redirect URL and I don't know if it is used, so I appended it to the URL.

 

Then prelogin.html has:

<script>
// I have a function that gets data from the url and makes it into json;
// the json needs to look like the var data = line below.
// Lots is removed here to show only the simple case: the helper is stood in
// for by URLSearchParams so this listing runs as-is.
var params = new URLSearchParams(location.search);
var data = { by: "radius", username: params.get("username"), password: params.get("password") };
// for testing I uncommented this line instead:
//var data = { by: "radius", username: "test", password: "test"};
// site name is the third path segment of /guest/s/<sitename>/prelogin.html
var siteName = location.pathname.split("/")[3];
// this does the actual login by posting to 'login'
var xhr = new XMLHttpRequest();
// note: appending location.search also puts the query string (username, password, t) into the request URL
xhr.open("POST", "/guest/s/" + siteName + "/login" + location.search, true);
xhr.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
xhr.onload = function (e) {
   if (xhr.readyState === 4) {
      if (xhr.status === 200) {
         var resp = JSON.parse(xhr.responseText);
         if (resp.data && resp.data[0] && resp.data[0].redirect_url) {
            window.location = resp.data[0].redirect_url;
         }
      }
   }
};
try {
   xhr.send(JSON.stringify(data));   // send() returns nothing; the reply arrives in onload
} catch (err) {
   console.log(err);
}
</script>

Once you POST to login, UniFi should send a RADIUS access-accept packet to your RADIUS server. Then the RADIUS reply produces a POST reply based on the RADIUS response.
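The flow from the numbered steps above and the prelogin.html snippet, as an added example that is not reverged's code or UniFi's: pure helper functions that parse the controller's redirect URL, build the login POST, and check the controller's reply before following its redirect. The query keys on the redirect URL (id, ap, t, url, ssid) and the meta.rc / data[] reply envelope are assumptions; the sample URL and replies are constructed.

```javascript
// Added example (not code from the thread or from UniFi): helpers for a
// prelogin.html-style page in the hotspot portal folder. Pure functions,
// so they run in Node and in a browser; issuing the XHR is left to the page.

var MAC_RE = /^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$/i;

// Return a lower-case, colon-separated MAC, or null if the value is not one.
function normalizeMac(s) {
  var m = MAC_RE.exec(String(s || "").trim());
  return m ? m.slice(1, 7).join(":").toLowerCase() : null;
}

// Parse the URL the controller redirects a new client to. The query keys
// are an assumption about the guest redirect: id = client MAC, ap = AP MAC,
// t = timestamp, url = page originally requested, ssid = network name.
function parseRedirect(initialPath) {
  var u = new URL(initialPath);
  var site = (/^\/guest\/s\/([A-Za-z0-9_-]+)\//.exec(u.pathname) || [])[1] || null;
  var q = u.searchParams;
  return {
    site: site,
    clientMac: normalizeMac(q.get("id")),
    apMac: normalizeMac(q.get("ap")),
    t: q.get("t"),
    url: q.get("url"),
    ssid: q.get("ssid")
  };
}

// Path and JSON body for the login POST described in the thread. Only the
// three keys the thread shows working are sent; the site name is checked
// before it is spliced into the path.
function loginRequest(site, username, password, t) {
  if (!/^[A-Za-z0-9_-]+$/.test(String(site))) throw new Error("bad site name");
  var path = "/guest/s/" + site + "/login" + (t ? "?t=" + encodeURIComponent(t) : "");
  var body = JSON.stringify({ by: "radius", username: username, password: password });
  return { path: path, body: body };
}

// Pick the redirect target out of the controller's JSON reply. The
// meta.rc / data[] envelope is the usual UniFi API response shape (assumed).
function handleLoginReply(text) {
  var resp;
  try { resp = JSON.parse(text); } catch (e) { return { ok: false, redirectUrl: null, error: "reply is not JSON" }; }
  var rc = resp && resp.meta && resp.meta.rc;
  if (rc !== "ok") return { ok: false, redirectUrl: null, error: (resp && resp.meta && resp.meta.msg) || "rc=" + rc };
  var first = Array.isArray(resp.data) ? resp.data[0] : null;
  var target = first && first.redirect_url;
  // only follow an absolute http(s) URL; anything else is treated as "no redirect"
  if (typeof target !== "string" || !/^https?:\/\//i.test(target)) {
    return { ok: true, redirectUrl: null, error: "no usable redirect_url" };
  }
  return { ok: true, redirectUrl: target, error: null };
}

// Constructed sample redirect URL of the shape index.html sees in the thread.
var SAMPLE_REDIRECT = "https://192.168.1.34:8443/guest/s/default/?ap=78:8A:20:66:AA:BB&id=40:33:1A:E0:CC:DD&t=1520976396&url=http://example.com/&ssid=Guest";
```

Sending the credentials only in the POST body, rather than in prelogin.html's query string, keeps them out of the controller's request logs and the browser history.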

 

 

New Member
Posts: 15
Registered: ‎04-10-2018

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Hello, thanks for quick reply.

 

Now authorization with RADIUS works. Thanks for your help.

 

I want to send other parameters that are null in the RADIUS database.

// hyphenated keys must be quoted in a JavaScript object literal
var data = { by: "radius", username: "allusers", password: "allusers.xxx", "Called-Station-Id": "78:8A:20:66:XX:XX", "Calling-Station-Id": "40:33:1A:E0:XX:XX" };

 

But when I send a JavaScript var like the above, the page does not respond and doesn't send anything to the RADIUS server; I can't log in.

 

Can you help me with how you are sending other parameters to the RADIUS server please?

 

Thanks

 

Christian

New Member
Posts: 15
Registered: ‎04-10-2018

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

For example my other apps send complete information like this:

 

nasportid
nasporttype
calledstationid
callingstationid
framedipaddress

 

I need these variables to get statistics from the AP, users, etc.

 

Thanks a lot.
