I've been scratching my head with this one for a while. Any ideas on what settings to tweak to make this a better experience? This network is in a coworking space and I require all clients to log in daily.
The problem is that once the wireless client authenticates, as they roam between APs (mostly mobile phone clients are doing this) they still are presented with an OS message to log into the wifi network as they pass between APs. I would assume that once they are logged in and authorized for the duration of the day, that authorization would carry between APs as they roam. Current behavior also only requires RADIUS authentication once, then as the client roams and is presented with "Tap to Sign On" via the OS, it's really just that, a tap and they're on - the captive portal does not present again (this at least is good!).
- I have just one LAN (type "Corporate") and one wireless network assigned to it.
- The wireless network is Open
- The wireless network has Guest Control ("Apply Guest Policies") enabled
- UniFi's Guest Portal is active
- Authentication is via RADIUS with MS-CHAPv2
- No VLANs are in use
- APs are all AC-Pro
- All latest stable firmware, all APs hang off the same switch
So you have two WLANs - one with Radius login and one for guests using the Portal?
Which Radius server are you using?
And you're on controller 5.10.12 with firmware 4.0.21?
Can you post your Controller > Settings > Maintenance > Show System Config > Download (mask names if you don't want to show them)
Hey @flamber thanks for jumping in.
No, just one WLAN. The Guest Control is using RADIUS under the "Hotspot" section.
The profile is set to use an IronWifi server (our member management software integrates there).
Here's the System Config. Mainly have the APs in Auto on channel and power, as well as have the newer "Auto Optimize Wireless Network" enabled to see if that would have fixed this issue.
Any reason why you're using the Portal with Radius instead of just using WPA-Enterprise with Radius?
You should disable Settings > Site > Uplink Connectivity Monitor, since everything is wired.
Most of the channels are overlapping, so I'm hoping all the APs are far from each other - otherwise you should really consider setting channels manually.
Well, only reason I think is that 1.5 years ago when I first did this install the combo of Guest Policies + Hotspot 2.0 + RADIUS wasn't available on the WPA-Enterprise option yet.
So, your recommendation would be to just repurpose the SSID but with these settings:
I disabled the uplink connectivity monitor. Thanks for that tip.
And for overlapping channels, well, yes, two of the APs are within the same room (WAP 1 & WAP 2). The other two are down different hallways. I would have assumed that "AUTO" would have set non-overlapping channels if needed and also set the power accordingly since the APs would be detecting each other in proximity. I'll tweak those tonight after all our members leave. (That's what I get for checking off the Auto boxes and hoping for magic!)
@flamber just an update.
Looks like the various suggestions you offered have removed the "Tap to Sign In" from popping up as clients roam. Score!
I manually set each of the channels last night and removed any overlap. Our coworking space is within a much larger facility with a ton of other APs. I didn't do the standard 1/6/11 set since those channels were heavily utilized.
However, your suggestion to use WPA-Enterprise with RADIUS I'm still unable to implement. When I do that, the devices ask for credentials with a native OS prompt. I want members to view our captive portal for login and not a variation of OS dialogues that we'd need to be able to troubleshoot. I can continue to work on that after hours, but from what I'm seeing thus far, I don't know how I could use WPA-Enterprise, allow a client to connect, then present the UniFi hosted captive portal to grant access beyond my pre-authorization restriction domains.
Thanks again for all your help!
Have you tried doing the entire Portal/Radius settings over, and selecting as few settings as possible?
The best process is less-is-more - it also makes sure that you go over every single option again and re-validate it.