I recently embarked on an installation of three Ubiquiti UniFi Access Points to cover a medium-size office space. This is one of those installation stories with no “gotchas” or unexpected twists and turns.
This is the gear we purchased new:
- 3x Ubiquiti UniFi (standard 2.4 GHz model, no 5 GHz for us)
- 1x Ubiquiti ToughSwitch
This is what we integrated it in with:
- FortiNet FortiGate Firewall
- Windows Server 2008 R2 DHCP
- Windows Server 2008 R2 DNS
- Windows Server 2008 R2 RADIUS
- VMWare ESXi 5.1 (to host controller software)
The network consists of two SSIDs: an “Office” SSID and a “Guest” SSID. The Office network is on one VLAN, with firewall routes to the wired office LAN and the WAN links. The guest network is on another VLAN, with firewall routes to the WAN links only, plus a limited set of internal HTTP(S) services, DNS and DHCP.
The ToughSwitch was set up with every port configured as a trunk port.
One port on the ToughSwitch connects to a physical interface on the FortiGate, which has two VLAN interfaces and one physical interface (for AP management) set up on it. Each of these three interfaces appears as a separate source and destination when creating policy routes. The FortiGate also has DHCP relaying set up, so the one existing Server 2K8 R2 DHCP server serves all the scopes.
The Ubiquiti Controller software is set up on a VMware ESXi cluster. It sits on the traditional wired LAN’s subnet and is routed through the firewall to make it reachable from the WLAN management network.
To allow the APs to find the controller when they boot up, there needs to be a record in the DNS server called “unifi” which points at the controller. Ensure the DHCP server is serving up the correct search domain, so the APs can work out the FQDN. If you can’t add this DNS record, or your APs aren’t getting DHCP leases, you can SSH into them and manually set the controller’s “inform” URL. I’ve dropped the instructions for this at the bottom of this post.
Authentication for the Office SSID is via the RADIUS server on the domain controller. It’s nice, as I am able to push out certificates to computers as needed so they can connect automatically. Setting this up is a little too in-depth for me to explain here, so I suggest you do a quick web search and find a tutorial. (Hint: the RADIUS clients you whitelist are the IP addresses of the APs, NOT the controller; the APs are what actually talk to RADIUS.)
The guest network has a standard WPA2-Personal password, which is adequate for what it is. Captive portals, while easy to set up, are probably more hassle than they are worth, as they require a web session before they can allow any other traffic through.
Overall, these are nice units and are providing very good quality WiFi to the office. Users are being pushed between APs as needed, and we aren’t seeing devices just drop off the network or lock to the furthest AP as we had been with the older consumer level Linksys gear.
Setting the Ubiquiti UniFi Inform URL via SSH
SSH into each Access Point, using PuTTY if you’re on a PC.
The default username and password are both “ubnt”, but they will be different if the AP has already found your controller for some reason.
Enter the command: mca-cli
Now enter this command, using the IP address or FQDN of your controller software: set-inform http://10.10.1.90:8080/inform
The controller should see the AP within a few seconds, and begin provisioning it. If necessary, it will run a firmware upgrade.
Manually doing a Ubiquiti UniFi Firmware Upgrade via SSH
SSH into each Access Point, using PuTTY if you’re on a PC.
The default username and password are both “ubnt”, but they will be different if the AP has already found your controller for some reason.
Run this command, substituting in the IP address of your controller and the available firmware version: syswrapper.sh upgrade http://10.10.1.90:8080/dl/firmware/BZ2/2.4.5.2077/firmware.bin
I found the version number by navigating to C:\Users\Administrator\Ubiquiti UniFi\dl\BZ2 on the controller and looking at the names of the folders in there.
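Because both SSH procedures above depend on the same two things working first (the “unifi” DNS record resolving in the search domain DHCP hands out, and the controller’s inform port being reachable through the firewall from the AP management VLAN), I find it worth checking them from a workstation before touching any AP. The script below is an added example of mine, not something shipped by Ubiquiti or taken from the controller. It assumes the controller address 10.10.1.90, inform port 8080, model code BZ2 and firmware version 2.4.5.2077 from the commands above; the search domain is read from a resolv.conf-style file (override with RESOLV_CONF), and the port check assumes `nc` is installed. It prints the exact `set-inform` and `syswrapper.sh upgrade` lines to paste into the AP’s SSH session, and refuses to build a firmware URL from a version string that is not purely dotted digits.

```shell
#!/bin/sh
# unifi-preflight.sh: hypothetical helper (added example, not from the post or from Ubiquiti).
# Run from an admin workstation on the AP management VLAN before SSHing into the APs.
# Assumed values (from the post): controller 10.10.1.90, inform port 8080, model BZ2.

CONTROLLER_IP="${CONTROLLER_IP:-10.10.1.90}"
INFORM_PORT="${INFORM_PORT:-8080}"

# Return the first domain on the first "search" line of a resolv.conf-style file.
# This is the domain DHCP must hand out, because the APs qualify "unifi" with it.
search_domain_from() {
    awk '$1 == "search" { print $2; exit }' "$1"
}

# The name every AP tries on boot: the bare hostname "unifi" plus the search domain.
discovery_fqdn() {
    printf 'unifi.%s\n' "$1"
}

# The inform URL passed to set-inform on the AP.
inform_url() {
    printf 'http://%s:%s/inform\n' "$1" "$2"
}

# The firmware download URL the controller serves; model code and version are the
# folder names under the controller's dl\<model> directory.
firmware_url() {
    printf 'http://%s:%s/dl/firmware/%s/%s/firmware.bin\n' "$1" "$2" "$3" "$4"
}

# Accept only a dotted numeric version so a typo or pasted junk cannot become a bogus path.
valid_version() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){1,3}$'
}

# Resolve the discovery name with the system resolver and compare it to the controller IP.
check_dns() {
    fqdn=$1
    expected=$2
    resolved=$(getent hosts "$fqdn" | awk '{ print $1; exit }')
    if [ "$resolved" = "$expected" ]; then
        echo "OK   $fqdn resolves to $expected"
    else
        echo "FAIL $fqdn resolves to '${resolved:-nothing}', expected $expected (fix the record or use set-inform)"
        return 1
    fi
}

# Check the inform port answers from this VLAN; if not, the firewall policy between the
# AP management interface and the LAN is the first place to look.
check_port() {
    if nc -z -w 3 "$1" "$2" 2>/dev/null; then
        echo "OK   $1:$2 reachable"
    else
        echo "FAIL $1:$2 not reachable (check the management-to-LAN firewall policy)"
        return 1
    fi
}

main() {
    domain=$(search_domain_from "${RESOLV_CONF:-/etc/resolv.conf}")
    fqdn=$(discovery_fqdn "$domain")
    status=0
    check_dns "$fqdn" "$CONTROLLER_IP" || status=1
    check_port "$CONTROLLER_IP" "$INFORM_PORT" || status=1
    echo "Commands to run on the AP (SSH in, then mca-cli for the first one):"
    echo "  set-inform $(inform_url "$CONTROLLER_IP" "$INFORM_PORT")"
    if valid_version "$2"; then
        echo "  syswrapper.sh upgrade $(firmware_url "$CONTROLLER_IP" "$INFORM_PORT" "$1" "$2")"
    else
        echo "  (firmware version '$2' rejected: expected dotted digits like 2.4.5.2077)"
    fi
    return $status
}

# Only run the checks when given a model code and firmware version, e.g.:
#   ./unifi-preflight.sh BZ2 2.4.5.2077
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

A FAIL on the DNS line with a correct record usually means the DHCP scope for the management VLAN is handing out the wrong (or no) search domain, which is exactly the case the manual set-inform step exists for.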