User Tools
This is an old revision of the document!
Table of Contents
Ubiquiti Unifi
User Guide: http://dl.ubnt.com/guides/UniFi/UniFi_Controller_V4_UG.pdf
Web Site: http://www.ubnt.com/unifi
Wiki: http://wiki.ubnt.com/UniFi
KnowledgeBase: http://community.ubnt.com/t5/tkb/communitypage
Blogs: https://community.ubnt.com/t5/custom/page/page-id/Blogs
Videos: http://www.youtube.com/results?search_query=unifi
Unifi is a controller-based wireless networking platform:
- Cost-effective
- Software controller (free)
- Various APs
- Indoor
- Outdoor
- 2.4GHz and 5GHz
- Single and dual radio
- Controller can be local or cloud based
- Multiple sites supported
- Version 3.0+
- Integrated billing system available
Controller Installation
https://pimylifeup.com/ubuntu-unifi-controller/
This is for a minimal Ubuntu 22.04 LTS Server with 2 vCPU, 2GB RAM and a 20GGB vHD.
apt install curl haveged gpg openjdk-8-jre-headless curl https://dl.ui.com/unifi/unifi-repo.gpg | sudo tee /usr/share/keyrings/ubiquiti-archive-keyring.gpg >/dev/null echo 'deb [signed-by=/usr/share/keyrings/ubiquiti-archive-keyring.gpg] https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list > /dev/null curl https://pgp.mongodb.com/server-3.6.asc | sudo gpg --dearmor | sudo tee /usr/share/keyrings/mongodb-org-server-3.6-archive-keyring.gpg >/dev/null echo 'deb [signed-by=/usr/share/keyrings/mongodb-org-server-3.6-archive-keyring.gpg] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/3.6 multiverse' | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list > /dev/null apt update
Firewall
| TCP Ports | 22, 8080, 8443, 8880, 8843 |
|---|---|
| UDP Ports | 3478 |
Management
Browser
| Default Username | Admin |
|---|---|
| Default Password | 123456 |
SSH
| Default Username | ubnt |
|---|---|
| Default Password | ubnt |
Add New Site
Once an AP is managed, you configure the SSH username and password for the APs using the web interface.
Be aware that under Settings → Networks → Edit you will find a DHCP Server enabled.
Select the site → Settings → Site
Site NameCountryTime ZoneDevice Authentication
Select the site → Settings → Wireless Networks
Name/SSIDEnabledSecurity→WPA2Security Key
Show/Change Passphrase
- Log into Unifi Controller and select correct client/site
- Bottom left select
settings - Select
Wireless Networks - Click
Edit - Click in
Security Keyfield to expose the current password
Channel Selection
RF Scan
Perform as part of installation or during scheduled down-time. An RF Scan will disconnect all users.
Re-provisioning after changing settings will disconnect all users.
Available on newer 802.11ac APs.
Unifi Controller → Devices → <AP> → Tools → RF Environment → Scan
Guest Networks
Guest FAQ: http://wiki.ubnt.com/UniFi_FAQ#Guest_Access
Guest Doc: https://help.ubnt.com/hc/en-us/articles/115000166827-UniFi-Wireless-Guest-Network-Setup
If Using VLANs: https://help.ubnt.com/hc/en-us/articles/219654087-UniFi-Using-VLANs-with-UniFi-Wireless-Routing-Switching-Hardware
Simple guest access uses single DHCP server and restricts access to Internet only.
- To restrict bandwidth of guests, create a “Guests” User Group
- Unifi → Settings → User Groups
- Set bandwidth restrictions
- Create and enable a Wireless Network
- Unifi → Settings → Wireless Networks
- Set SSID
- Set Security authentication protocol to
WPA Personal - Assign your desired Security Key
- Tick Apply Guest Policy option
- Restricts guest access to Internet only
- Under Advanced Options
- Select the User Group you created previously
- Deselect
Block LAN to WLAN Multicast and Broadcast Datato permit DHCP
Click in Security Key field to expose the current password.
To restrict guest access, make sure your guest/access control has the following Post-Authorization Restrictions:
192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
Site Administrators
Add an end-user (site) administrator:
- Unifi → <site> → Settings → Admins → Create New Admin
- Enter Users email and Users first name (first name is used for greeting in invite email)
- Select Role, read only or Admin
- Click Invite
End user will receive and email with a link that will allow them to select a password and login name.
Layer 3 AP Management
L3 Adoption
http://www.youtube.com/watch?v=y5tkToD_nds
- Install AP
- Configure networking to controller (Internet, DHCP)
- Determine IP address of the AP (DHCP log)
- SSH into the AP
- Default configuration
- Drop into mca-cli
- Set inform URL to cloud controller
- Adopt the AP at the controller (after selecting site and configuring map)
- Reset the Inform URL again at the AP
- Controller should show the AP as Connected
gcooper@snoopy:~$ ssh -l ubnt 192.168.0.72 ubnt@192.168.0.72's password: BusyBox v1.11.2 (2013-03-22 03:26:44 PDT) built-in shell (ash) Enter 'help' for a list of built-in commands. BZ.v2.4.1# help UniFi Command Line Interface - Ubiquiti Networks info disaplay AP information set-default restore to factory default set-inform <inform_url> attempt inform URL (e.g. set-inform http://192.168.0.8:8080/inform) upgrade <firmware_url> upgrade firmware (e.g. upgrade http://192.168.0.8/unifi_fw.bin) reboot reboot the AP BZ.v2.4.1# info Model: UniFi_AP-AC Version: 2.4.1.2004 MAC Address: dc:9f:db:fc:0e:a1 IP Address: 192.168.0.72 Uptime: 3096 seconds Status: Unable to resolve (http://unifi:8080/inform) BZ.v2.4.1# syswrapper.sh restore-default BZ.v2.4.1# mca-cli UniFi# set-inform http://"ip or url of unifi controller":8080/inform Adoption request sent to 'http://"ip or url of unifi controller":8080/inform'. 1. please adopt it on the controller 2. issue the set-inform command again 3. <inform_url> will be saved after device is successfully managed
Adopt the AP at the controller. Go to the site that you want the device in and click Devices. The device should show. Click the Adopt option to the right. After the device comes back online SSH and re-run the inform command.
BZ.v2.4.1# mca-cli UniFi# set-inform http://"ip or url of unifi controller":8080/inform Adoption request sent to 'http://"ip or url of unifi controller":8080/inform'. 1. please adopt it on the controller 2. issue the set-inform command again 3. <inform_url> will be saved after device is successfully managed
After the AP is adopted at the controller, SSH into it using the same credentials specified at the controller.
The password is configurable via the controller at Settings → Site → Device Password. If you change the password and click apply, it will reboot and provision the APs.
Change the inform url
- You must ssh into the AP. Use login/pass specified in the controller
- Default the AP using set-default
- Let the unit disconnect (it will take a few minutes) from the controller.
- SSH back into the AP (using ubnt ubnt for login/pass).
- Set inform url with set-inform. The AP will reconnect.
The set-default command does not change some of the settings. A wireless uplink configured AP reconnected to the controller after changing the inform url and being disconnected from the wired connection without any reconfiguration.
VLANs
Wireless Uplinks
http://wiki.ubnt.com/UniFi_FAQ#Wireless_Uplink
http://www.youtube.com/watch?v=oA6m0P-NDnA
Switch -----(wired)----- Uplink AP (((((wireless))))) Island AP
SSL Certificate
Traffic Shaping
https://help.ubnt.com/hc/en-us/articles/204911354-UniFi-Set-traffic-bandwidth-limits
- To impose limits on bandwidth used at the WAN interface, you should consider traffic-shaping policies at the gateway
- Limits are applied at the UAP
- Layer-2 traffic shaping policies can be applied for either:
- Groups - SSID, VLAN
- Can be applied automatically as users join a particular WLAN when configured at the WLAN itself
- Individuals - Individual WLAN clients
Troubleshooting
Disconnected
If you have an AP showing as Disconnected in the console, try this:
- Log into the problem AP using SSH
- The username and password are at Unifi Controller Console → Settings → Device Authentication
- Issue the
informcommand twice in quick succession- The AP will reboot and show as
Connected
If wireless clients connect but do not have network access for example NLA shows unidentified:
- Disable the uplink connectivity monitor. (Disable this if not using wireless uplink) System → Uplink Connectivity Monitor
- Enable the Multicast Enhancement. WIFI → SSID → Advanced
- Enable Fast Roaming. WIFI → SSID → Advanced → Enable Fast Roaming
