Ubiquiti Unifi Hotspot (up to version 7.36)

Access Point Instructions for Ubiquiti Unifi Hotspot

This page explains how to configure a Captive Portal with authentication through IronWiFi for the Ubiquiti Unifi Controller (hotspot version) using UI version 7.36 or earlier. If your Controller is running a version later than 7.36, these instructions will not work. You can find the new instructions here.

IronWiFi Console Configuration

  1. Log into the IronWiFi console or register for free
  2. Create a new network
  3. After that, create a new captive portal, with vendor Ubiquiti Unifi Hotspot

Access Point Configuration

If you are running UniFi 6.0+, you need to disable the new UI until you've set everything up. To do so, click System Settings on the left menu and click enable on "Legacy Interface."

Log in to your UniFi controller and click the Settings icon (bottom left).

  1. On the left menu, under Wireless Networks click Create New Wireless Network and configure with:
  • Name/SSID - Guest WiFi (or whatever you wish)
  • Enabled - Enabled
  • Security - Open
  • Guest Policy - Enabled
  • Network - select your network (or default)

Click Save to apply.

  1. Next, click on Guest Control and configure with:

Under the Guest Policies header

  • Enable Guest Portal - Enabled
  • Authentication - Hotspot
  • Default Expiration - 8 hours
  • Landing Page - Promotion URL - Enter the web address of your captive portal's success page from the IronWiFi console. (In the console, click "Networks" -> "Captive Portals" -> under the "Portal Pages" header click on Success Page -> copy the web address and enter it into the UniFi console.)

  • Use Secure Portal - Disabled
  • Redirect using hostname - Disabled
  • Enable HTTPS Redirection - Disabled
  • Enable encrypted redirect URL - Disabled

Under the Portal Customization header

  • Template Engine - AngularJS
  • Override Default Templates - Enabled

Under the Hotspot header

  • RADIUS - Enabled

Under the RADIUS header

  1. Profile: click Create New RADIUS Profile and open the IronWiFi console in a separate tab.
  2. In the IronWiFi console, navigate to Networks and open your network.
  3. Scroll to header "Primary Radius Server."
  • Profile Name - guestwifi
  • RADIUS Auth Server - get this value from the IronWiFi console under "RADIUS IPv4 Address".
  • Port - get this value from the IronWiFi console under "Authentication Port"
  • Password - get this value from the IronWiFi console under "Shared Secret"

Click Add Auth Server and configure it with your "Backup Radius Server" information:

  1. Scroll to header "Backup Radius Server"
  • RADIUS Auth Server - get this value from the IronWiFi console under "RADIUS IPv4 Address"
  • Port - get this value from the IronWiFi console under "Authentication Port"
  • Password - get this value from the IronWiFi console under "Shared Secret"
  • Accounting - Enabled
  • Accounting Server - get this value from the IronWiFi console -> Primary Server Heading -> under "RADIUS IPv4 Address"
  • Accounting Port - get this value from the IronWiFi console -> Primary Server Heading -> under "Accounting Port"
  • Password - get this value from the IronWiFi console under "Shared Secret"

Click Save to continue.

  • Authentication type - CHAP
  1. Under the Access Control -> Pre-Authorization header add the following IP address:
  • 107.178.250.42/32

If you wish to support social network logins, you also need to add the IP ranges below for each network you plan to support:

Facebook - 31.13.24.0/21 - 31.13.64.0/18 - 45.64.40.0/22 - 66.220.144.0/20 - 69.63.176.0/20 - 69.171.224.0/19 - 74.119.76.0/22 - 103.4.96.0/22 - 129.134.0.0/16 - 157.240.0.0/16 - 173.252.64.0/18 - 179.60.192.0/22 - 185.60.216.0/22 - 204.15.20.0/22

Twitter - 199.16.156.0/22 - 199.59.148.0/22 - 199.96.56.0/21 - 192.133.76.0/22 - 104.244.42.0/24 - 104.244.43.0/24 - 104.244.46.0/24

LinkedIn - 91.225.248.0/23 - 103.20.94.0/23 - 108.174.0.0/22 - 108.174.4.0/24 - 108.174.8.0/22 - 108.174.12.0/23 - 144.2.0.0/22 - 144.2.192.0/24 - 216.52.16.0/23 - 216.52.18.0/24 - 216.52.20.0/23 - 216.52.22.0/24 - 65.156.227.0/24 - 8.39.53.0/24 - 185.63.144.0/24 - 185.63.147.0/24 - 199.101.161.0/24 - 64.152.25.0/24 - 8.22.161.0/24

NOTE: These IP ranges are subject to change depending on the social network setup.

Click Apply Changes to save.

Next, you will need to modify two HTML files on the controller so that it correctly redirects and authenticates. First of all, download the below two files:

Open the index.html file in a text editor (right-click on the file and choose your favorite text/code editor). At the top of this document you will see an item named "splashurl"; edit this so that it shows:

!This has been done automatically if you opened these instructions from the IronWiFi console!

var splashurl = get this value from the IronWifi console
(Click "Network" -> Captive Portal.
Under "Portal Settings" header -> "Splash Page URL")
;

Now, as a root user, you need to copy these two HTML files to your UniFi controller Hotspot directory. This is typically located at one of the locations below. If you are using multiple sites, replace the string "default" with your site identifier, which can be obtained from the UniFi controller address bar:

  • Windows: C:\Users\\Ubiquiti UniFi\data\sites\default\app-unifi-hotspot-portal
  • MAC: ~/Library/Application Support/UniFi/data/sites/default/app-unifi-hotspot-portal
  • Linux: /usr/lib/unifi/data/sites/default/app-unifi-hotspot-portal
  • UDM Pro: /data/unifi/data/sites/default/app-unifi-hotspot-portal
  • CloudKey: /srv/unifi/data/sites/default/app-unifi-hotspot-portal

To upload those two files to your controller, you will need an FTP client such as https://winscp.net/ or, for macOS/Linux users, https://filezilla-project.org/. This software will enable you to connect to your controller and work with its file system easily.

(replace default in the folder structure with your site name if different)

If the sites folder is not present, you can create it by simply uploading a floorplan (even a dummy one if required) in the UniFi controller, which will create the folder you need.

[CloudKey Users: Having trouble finding your CloudKey IP for the FTP? Under the UniFi console, on the first page where you select your controller, switch from grid to table view, and your device's IP address will be displayed. Enter that with the file path in your FTP to upload the file.]

Additionally, if your FTP is not directing you to the proper folder in the UniFi console to upload the index.html & auth.html files, do not enter a mount path, and manually navigate to the correct folder.
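On controllers where you have a root shell (the Linux, UDM Pro and CloudKey paths listed above), the edit-and-copy step can also be scripted. The following is an added example, not IronWiFi or Ubiquiti code: the function names are hypothetical, it assumes the `var splashurl` statement sits on a single line in index.html, and it assumes site identifiers contain only letters, digits, "_" and "-".

```shell
#!/bin/sh
# Added example (not IronWiFi or Ubiquiti code). Function names are hypothetical.

# set_splashurl FILE URL
# Rewrites the "var splashurl" line in index.html. Assumes the statement sits
# on a single line. The URL is checked against a character whitelist so it
# cannot break out of the JavaScript string or the sed expression.
set_splashurl() {
    file=$1 url=$2
    case $url in
        http://*|https://*) ;;
        *) echo "splash URL must start with http:// or https://" >&2; return 1 ;;
    esac
    case $url in
        *[!A-Za-z0-9:/._~%-]*) echo "unexpected character in URL" >&2; return 1 ;;
    esac
    grep -q '^[[:space:]]*var splashurl' "$file" ||
        { echo "no 'var splashurl' line in $file" >&2; return 1; }
    sed "s|^\([[:space:]]*\)var splashurl.*|\1var splashurl = \"$url\";|" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# install_portal_files SRC_DIR DATA_DIR SITE
# DATA_DIR is the part of the path before /sites, e.g. /usr/lib/unifi/data.
# Keeps a timestamped backup of any file it replaces.
install_portal_files() {
    src=$1 data=$2 site=$3
    case $site in   # assumption: site identifiers are alphanumeric, "_" or "-"
        ''|*[!A-Za-z0-9_-]*) echo "invalid site identifier" >&2; return 1 ;;
    esac
    dest=$data/sites/$site/app-unifi-hotspot-portal
    [ -d "$dest" ] || { echo "missing directory: $dest" >&2; return 1; }
    for f in index.html auth.html; do
        [ -f "$src/$f" ] || { echo "missing file: $src/$f" >&2; return 1; }
    done
    stamp=$(date +%Y%m%d%H%M%S)
    for f in index.html auth.html; do
        if [ -f "$dest/$f" ]; then
            cp -p "$dest/$f" "$dest/$f.bak.$stamp" || return 1
        fi
        cp "$src/$f" "$dest/$f" || return 1
    done
}
```

On a Linux controller the call would be `install_portal_files . /usr/lib/unifi/data default`, run as root from the directory holding the two downloaded files.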

SSL Certificate installation

Finally, you will have to purchase and install a valid SSL certificate on your controller, and this certificate needs to have a unique common name, for example unifi.example.com.

An SSL certificate can only be purchased for a domain; therefore, you will need to alter your DNS records so that this hostname resolves to the IP address of your controller, for example: unifi.yourdomain.com -> 192.168.1.10

! You must also install a valid SSL certificate on your controller/AP, in order to avoid authentication issues !


There are a lot of articles and videos about this topic, here are some:

Another guide on how to install an SSL certificate on Ubiquiti Unifi can be found here - https://www.namecheap.com/support/knowledgebase/article.aspx/10134/33/installing-an-ssl-certificate-on-ubiquiti-unifi/


After uploading the SSL certificate to your controller, you need to switch on the "Use Secure Portal" and "Redirect using hostname" options and enter the hostname from the SSL certificate, for example unifi.example.com.

Click Settings -> Guest Control -> Under "Guest Policies" header -> enable "Use Secure Portal" and "Redirect Using Hostname"