New Member
Posts: 8
Registered: ‎04-04-2014
Kudos: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Take a look at: UniFi-Hotspot-RADIUS-Attributes

These are the attributes the unifi controller will send to a radius server for various packet types.

The supported access-accept response attributes are limited.  There are no supported attributes for bandwidth nor redirect url, for example.

 

These are major holes since I, for one, want radius to be able to send specific bandwidth limits based on user profiles, etc.

 

Also, when you post to /login the unifi controller takes that data and forms the radius access-request.

You more than likely have very little control over this since it is in the controller code.

 

I have found that the unifi controller radius interaction is quite a bit different from others I have worked with and had to adapt my radius code appropriately.

Member
Posts: 239
Registered: ‎11-28-2016
Kudos: 126
Solutions: 1

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Does anyone have a good read on how to use an external radius server to manage direct login credentials to the AP?

 

I don't want to use the hotspot login feature, just have them use their credentials for the WiFi connection.

 

WAP-Enterprise I believe is the term.

New Member
Posts: 15
Registered: ‎04-10-2018

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Thanks

 

Yes, I saw that document (UniFi - Hotspot RADIUS Attributes)

 

This means that the additional parameters to be sent to the Radius server are sent automatically by the controller, or must I specify them in the index.html file as I did in this example?

 

var data = { "by": "radius", "username": "allusers", "password": "allusers.2017", "Called-Station-Id": "78:8A:20:66:AB:28", "Calling-Station-Id": "40:33:1A:E0:4B:90" };

 

I ask this because, when sending only the radius username and password, the other fields in the radius server are empty.

 

 

 

 

Veteran Member
Posts: 4,314
Registered: ‎06-13-2015
Kudos: 1132
Solutions: 202

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

@reverged I like the creative solution ;) How do you handle errors etc. that occur on the page you finally redirect the user to? My feeling is that as soon as you "lose" the client on your custom portal you also lose a certain level of control to gracefully deal with errors.

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
Details on our UniFi Device Search tool can be found here.
New Member
Posts: 8
Registered: ‎04-04-2014
Kudos: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

@chgss  

The additional attributes are sent automatically by the unifi controller radius client.

It does not seem there is a way to influence this beyond username and password.

You could create a username string like username.attribute1.attribute2 and then parse out on your radius server.

 

On your radius server you do not see the other attributes?

 

 

 
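The username-packing trick reverged suggests above (username.attribute1.attribute2, parsed out again on the RADIUS server), written out as an added example that is not code from this thread, from UniFi or from FreeRADIUS. The field order (user, AP MAC, client MAC), the "." separator and the colon-separated MAC format are assumptions made here; the server-side parser splits from the right so the user part may itself contain dots, and it can cross-check the client MAC against the Calling-Station-Id the controller sends on its own, since whatever a browser submits to the portal is untrusted input.

```python
import re

# Assumed layout for this example: user.apmac.clientmac, separated by "."
# (the thread only suggests "username.attribute1.attribute2"; the order and the
# MAC format are choices made here). MACs are expected as aa:bb:cc:dd:ee:ff.
SEP = "."
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def encode_username(user, ap_mac, client_mac):
    """Portal side: pack the extra values into the User-Name the controller forwards."""
    ap_mac, client_mac = ap_mac.lower(), client_mac.lower()
    if not (MAC_RE.match(ap_mac) and MAC_RE.match(client_mac)):
        raise ValueError("MAC addresses must look like aa:bb:cc:dd:ee:ff")
    return SEP.join((user, ap_mac, client_mac))


def parse_username(value, calling_station_id=None):
    """RADIUS side: split the packed User-Name back into its fields.

    Splits from the right so the user part may itself contain the separator
    (for example an e-mail address). When the controller's own
    Calling-Station-Id is passed in, the client MAC carried inside the
    username must match it, so a client cannot claim another station's MAC.
    """
    parts = value.rsplit(SEP, 2)
    if len(parts) != 3:
        raise ValueError("username does not carry two trailing MAC fields")
    user, ap_mac, client_mac = parts
    for mac in (ap_mac, client_mac):
        if not MAC_RE.match(mac):
            raise ValueError(f"malformed MAC in username: {mac!r}")
    if calling_station_id is not None:
        # Normalise the controller's value (upper case, dashes) before comparing.
        expected = calling_station_id.lower().replace("-", ":")
        if expected != client_mac:
            raise ValueError("client MAC in username does not match Calling-Station-Id")
    return {"User-Name": user,
            "Called-Station-Id": ap_mac,
            "Calling-Station-Id": client_mac}


if __name__ == "__main__":
    # Constructed sample values.
    packed = encode_username("alice.smith", "AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02")
    print(packed)
    print(parse_username(packed, calling_station_id="AA-BB-CC-DD-EE-02"))
```

The parser deliberately rejects rather than guesses: a username without two trailing MAC fields, a malformed MAC, or a client MAC that disagrees with the controller-supplied Calling-Station-Id all raise, so a bad portal submission fails authentication instead of producing a half-populated accounting row.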

New Member
Posts: 8
Registered: ‎04-04-2014
Kudos: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

@slooffmaster

Do you have an example of your concern?

 

On initial redirect to an external portal, the browser either redirects or it doesn't.

If it does, then there is a well defined initial url that can be parsed.

If it doesn't then there is something wrong with unifi.

 

On login, if the result is success or error then the returned object will have that result and the redirect can be either the final landing page or back to the login page with an error message.

 

I did not post all my code... some of it is trade secret ;)

 

Veteran Member
Posts: 4,314
Registered: ‎06-13-2015
Kudos: 1132
Solutions: 202

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system


@reverged A pity you chose to remove the post with your code, no sense discussing this then... Good luck!

 

Edit: NVM, the post disappeared on my mobile device, found it again. My concern was specifically how you handle errors on the prelogin.html page.

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
Details on our UniFi Device Search tool can be found here.
New Member
Posts: 15
Registered: ‎04-10-2018

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system


Thanks @reverged

 

I have freeradius with mysql database with radacct table, in this table other columns are empty.

 

At least I need calledstationid and callingstationid to later get statistics for this AP.

 

In Guest Portal configuration I have CHAP authentication and Accept incoming disconnect requests is not checked.

 

My other APs' requests are:

 

Mon Apr 16 07:01:53 2018
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "14:6B:72:7D:45:B5"
Called-Station-Id = "nwa_win_001"
NAS-Port-Id = "bridge_H"
User-Name = "14:6B:72:7D:45:B5"
NAS-Port = 2159018058
Acct-Session-Id = "80b0004a"
Framed-IP-Address = 192.168.101.123
Vendor-14988-Attr-10 = 0xc0a8657b
Event-Timestamp = "Apr 16 2018 07:01:53 ECT"
NAS-Identifier = "MikroTik"
Acct-Delay-Time = 0
NAS-IP-Address = 192.168.0.2
Acct-Unique-Session-Id = "42accd978b4ae37b"
Timestamp = 1523880113

 

The Unifi controller AP requests are:

 

Mon Apr 16 14:54:45 2018
User-Name = "allusers"
Acct-Session-Time = 123
Acct-Input-Octets = 25083
Acct-Output-Octets = 30994
Acct-Input-Packets = 353
Acct-Output-Packets = 96
Acct-Session-Id = "4cd7a3jl4dj8s2xd"
Acct-Status-Type = Interim-Update
Event-Timestamp = "Apr 16 2018 14:54:49 ECT"
NAS-IP-Address = 10.10.20.11
Acct-Unique-Session-Id = "d830700b79edafa1"
Timestamp = 1523908485
Request-Authenticator = Verified

 

You can see the Unifi requests are incomplete. Can we modify the request so that it sends all parameters?

New Member
Posts: 8
Registered: ‎04-04-2014
Kudos: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

There is a significant difference between the access-request packet and the subsequent accounting packets.

The second case you show is an accounting interim-update packet.

 

The unifi doc shows:

 

Request attributes (for authentication)

  • User-Name
  • Called-Station-Id = apmac:ssid
  • Calling-Station-Id = mac
  • Acct-Session-Id: Used for accounting and disconnect
  • NAS-IP-Address: Controller's IP address
  • NAS-Identifier: Controller's UUID
  • Framed-IP-Address: Guest's IP Address

Request attributes (acct interim update)

  • Acct-Status-Type = Interim-Update
  • Acct-Session-Id
  • Acct-Session-Time
  • Acct-Input-Octets
  • Acct-Output-Octets
  • Acct-Input-Gigawords
  • Acct-Output-Gigawords
  • Acct-Input-Packets
  • Acct-Output-Packets
  • User-Name

Also,

 

Request attributes (acct start)

  • Acct-Status-Type = Start
  • Acct-Session-Id: The same value as during authentication
  • User-Name

None of what you are looking for is sent in the accounting packets, only the authentication packet.

 

I use freeradius and mysql, but I use custom code to interface with mysql so I can't help with that part.

I can only guess that you need to get freeradius to create a db row based on authentication rather than accounting or do something with sessions or tmp files, etc.

 

I had to make significant code changes to support unifi as it is different from other nas types.

 

Also beware if you use freeradius 'acct_unique' module.  The default config uses NAS-IP, Client-IP, plus more and those are all missing in the acct packets so it will hash the wrong unique id.  That was fun to figure out....

New Member
Posts: 15
Registered: ‎04-10-2018

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Hello @reverged

 

I completed the integration with Unifi and Freeradius. I had to create an additional table to store the variables of the session when authorized and then update it when inserted in radacct on start.

 

But now I'm afraid that what you warned is happening (acct_unique), I have thousands of records in the radacct table, every time unifi sends new information that is registered as new in this table.

 

Could you solve this problem in some way? Can you help me with some idea of how you did it?

 

Thank you.

New Member
Posts: 8
Registered: ‎04-04-2014
Kudos: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Unifi sends accounting start, a bunch of interim updates and finally an accounting stop.

 

When you look at these records, is AcctSessionId static and AcctUniqueId is changing?

 

If you have acct_unique enabled, then freeradius takes the acct-id unifi sends and rehashes it with some other attributes to make a truly unique session id.  Just comment out acct_unique altogether in your config file, restart and confirm that is the actual cause of the issue.

 

You can choose the attributes used to create the unique id in the module config for acct_unique in /etc/freeradius/modules/

 

I know that unifi accounting stop packets do not have the user-name attribute despite the document saying it is included.  I have sent packet captures to support already about that.  (v5.6.29 tested)

So don't use user-name as an attribute for unique.

 

Maybe post some sanitized db rows showing the problem?
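A small model of the approach discussed in reverged's two posts above (keep the Access-Request attributes that accounting packets never carry, key the accounting row on them at Start, and build the unique id only from attributes every UniFi accounting packet contains, since User-Name is missing from the stop packet). This is an added example using an in-memory SQLite table, not code from this thread, from FreeRADIUS's rlm_acct_unique or rlm_sql, or from UniFi; the table layout, the hook functions and all packet contents are constructed for the example.

```python
import hashlib
import sqlite3

# Key for the per-session unique id: only attributes seen in every UniFi
# accounting packet quoted in this thread (Acct-Session-Id, NAS-IP-Address).
# User-Name is left out on purpose because the Stop packet was observed without it.
UNIQUE_KEY_ATTRS = ("Acct-Session-Id", "NAS-IP-Address")


def unique_id(pkt):
    """Derive a stable per-session id; fail loudly instead of hashing an empty value."""
    missing = [a for a in UNIQUE_KEY_ATTRS if a not in pkt]
    if missing:
        raise KeyError(f"cannot build unique id, missing {missing}")
    raw = "\x00".join(pkt[a] for a in UNIQUE_KEY_ATTRS)
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def octets(pkt, direction):
    """Combine Gigawords and Octets the same way the SQL in the debug log does."""
    giga = int(pkt.get(f"Acct-{direction}-Gigawords", 0))
    low = int(pkt.get(f"Acct-{direction}-Octets", 0))
    return (giga << 32) | low


def open_db():
    """Constructed schema: an auth-time side table plus a minimal radacct."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE authsession (
            acctsessionid TEXT PRIMARY KEY, username TEXT,
            callingstationid TEXT, calledstationid TEXT, framedipaddress TEXT);
        CREATE TABLE radacct (
            acctuniqueid TEXT PRIMARY KEY, acctsessionid TEXT, username TEXT,
            nasipaddress TEXT, callingstationid TEXT, calledstationid TEXT,
            framedipaddress TEXT, acctsessiontime INTEGER DEFAULT 0,
            acctinputoctets INTEGER DEFAULT 0, acctoutputoctets INTEGER DEFAULT 0,
            acctstoptime TEXT);
    """)
    return db


def on_access_request(db, pkt):
    """Post-auth step: remember the attributes later accounting packets will not carry."""
    db.execute("INSERT OR REPLACE INTO authsession VALUES (?,?,?,?,?)",
               (pkt["Acct-Session-Id"], pkt["User-Name"], pkt.get("Calling-Station-Id"),
                pkt.get("Called-Station-Id"), pkt.get("Framed-IP-Address")))


def on_accounting(db, pkt):
    """Accounting step: one radacct row per session, updated in place for every packet type."""
    uid = unique_id(pkt)
    sid = pkt["Acct-Session-Id"]
    status = pkt["Acct-Status-Type"]
    if status == "Start":
        auth = db.execute("SELECT username, callingstationid, calledstationid, framedipaddress "
                          "FROM authsession WHERE acctsessionid = ?", (sid,)).fetchone()
        if auth is None:  # no auth record: fall back to what the packet itself carries
            auth = (pkt.get("User-Name"), None, None, None)
        # OR IGNORE keeps a retransmitted Start from creating a second row.
        db.execute("INSERT OR IGNORE INTO radacct (acctuniqueid, acctsessionid, nasipaddress, "
                   "username, callingstationid, calledstationid, framedipaddress) "
                   "VALUES (?,?,?,?,?,?,?)", (uid, sid, pkt["NAS-IP-Address"], *auth))
    else:  # Interim-Update or Stop: never insert, only update the row keyed at Start
        stop_time = pkt.get("Event-Timestamp") if status == "Stop" else None
        db.execute("UPDATE radacct SET acctsessiontime = ?, acctinputoctets = ?, "
                   "acctoutputoctets = ?, acctstoptime = ? WHERE acctuniqueid = ?",
                   (int(pkt.get("Acct-Session-Time", 0)), octets(pkt, "Input"),
                    octets(pkt, "Output"), stop_time, uid))
    return uid


def session_rows(db, sid):
    """Rows for one Acct-Session-Id; the goal is exactly one, however many packets arrived."""
    cur = db.execute("SELECT acctuniqueid, username, callingstationid, acctsessiontime, "
                     "acctinputoctets, acctoutputoctets, acctstoptime "
                     "FROM radacct WHERE acctsessionid = ?", (sid,))
    return cur.fetchall()


# Constructed sample packets, shaped like the attribute lists quoted in the thread.
AUTH = {"User-Name": "guest1", "Acct-Session-Id": "sess0001", "NAS-IP-Address": "10.0.0.5",
        "Calling-Station-Id": "aa:bb:cc:dd:ee:02",
        "Called-Station-Id": "aa:bb:cc:dd:ee:01:guest-ssid", "Framed-IP-Address": "192.0.2.10"}
START = {"Acct-Status-Type": "Start", "Acct-Session-Id": "sess0001",
         "NAS-IP-Address": "10.0.0.5", "User-Name": "guest1"}
INTERIM = {"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "sess0001",
           "NAS-IP-Address": "10.0.0.5", "User-Name": "guest1", "Acct-Session-Time": "120",
           "Acct-Input-Octets": "25000", "Acct-Output-Octets": "31000"}
STOP = {"Acct-Status-Type": "Stop", "Acct-Session-Id": "sess0001",  # note: no User-Name
        "NAS-IP-Address": "10.0.0.5", "Acct-Session-Time": "600",
        "Acct-Input-Gigawords": "1", "Acct-Input-Octets": "1000", "Acct-Output-Octets": "2000",
        "Event-Timestamp": "Jan 01 2018 00:10:00 UTC"}


def run_demo():
    """Auth, Start, two Interim-Updates and a Stop for one session; returns the radacct rows."""
    db = open_db()
    on_access_request(db, AUTH)
    for pkt in (START, INTERIM, INTERIM, STOP):
        on_accounting(db, pkt)
    return session_rows(db, "sess0001")


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Running it yields a single row for the session, with the client MAC from the Access-Request, the counters from the last packet and the stop time filled in. Because the unique id never depends on User-Name, the Stop packet still updates the same row; with the FreeRADIUS default key set that includes attributes absent from some packet types, the same sequence would hash to different ids and, as described in the thread, produce repeated rows.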

New Member
Posts: 15
Registered: ‎04-10-2018

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

Thanks @reverged

 

"When you look at these records, is AcctSessionId static and AcctUniqueId is changing?" -> The same for both, but I have some records with different out and in packets, session time.

 

I saw debug information and I had UPDATE REQUEST and later INSERT REQUEST every time.

 

[radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
[radutmp] expand: %{User-Name} -> 04:D6:AA:83:87:0A
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
[sql] expand: %{User-Name} -> 04:D6:AA:83:87:0A
[sql] sql_set_user escaped user --> '04:D6:AA:83:87:0A'
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Input-Octets} -> 2936945
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Output-Octets} -> 53190299
[sql] expand: UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET framedipaddress = '', acctsessiontime = '7622', acctinputoctets = '0' << 32 | '2936945', acctoutputoctets = '0' << 32 | '53190299' WHERE acctsessionid = 'wowi6iyhoa6f7dzg' AND username = '04:D6:AA:83:87:0A'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: %{Acct-Session-Time} -> 7622
[sql] expand: %{Acct-Delay-Time} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Input-Octets} -> 2936945
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Output-Octets} -> 53190299
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octe
rlm_sql (sql): Released sql socket id: 3

 

In the attachment you can see the repeated records.

 

 

Regular Member
Posts: 400
Registered: ‎02-16-2016
Kudos: 170
Solutions: 9

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

@reverged did you use RADIUS-assigned VLAN(s) with your RADIUS AAA using your work-around? We tried briefly last night to do something similar, but the RADIUS VLAN assignment seems... iffy at best when using captive portals of any kind. 

New Member
Posts: 8
Registered: ‎04-04-2014
Kudos: 3

Re: Interaction between External Captive Portal, unifi controller and external AAA RADIUS system

I did not use radius based vlans.  I also don't have the supported attributes doc in front of me - is vlan a supported attribute?
