Login to your Unifi controller and click the Settings icon on the bottom left.
On the left menu, scroll down to Wireless Networks and click Create New Wireless Network.

Configure with:

• Name/SSID–Edit the name for your network
• Enabled–Tick Enable this wireless network
• Security–Select Open
• Guest Policy–Tick Apply guest policies

Optional: expand the Advanced Options session and select the User Group (traffic shaping) that you will configure in the “User Group (Option)” paragraph.

Once completed, click the Save button to save the entry.

On the left menu, select Profiles and create the Radius profile.
In the Radius Profile header, enter the details as follows:

• Profile Name–Edit the name for your profile
• VLAN Support–Tick Enable RADIUS assigned VLAN and tick Enable RADIUS assigned VLAN for wireless network
• RADIUS Auth Server–Edit the Port and insert the Secret
• Accountings–Tick Enable accounting
• Interim Update–Tick Enable Interim Update (see note above)
• Interim Update Interval–Edit the time
• RADIUS Accounting Server–Edit the Port and insert the Secret

Troubleshoot: Interim Update

Now, you need to set up the guest policies. From the Settings menu on the left, open the Guest Control page.
In the Guest Policies header, enter the details as follows:

• Guest Portal–Tick Enable Guest Portal
• Authentication–Select Hotspot
• Landing Page–Select Redirect to the original URL

Once you have completed the above steps, in the Portal Customisation header, enter the details as follows:

• Template Engine–Select Angular JS
• Override Default Template–Tick Override templates with custom changes
• Title–Edit the title for your welcome portal

In the Hotspot header, tick Enable RADIUS base authorisation

In the Radius header, enter the details as follows:

• Profile–Choose the profile you have previously edited in the “Radius Profile” paragraph
• Authentication Type–Select CHAP
• Disconnect Request–Tick Accept incoming disconnect request
• Receiver Port–Edit a port that should be the same as in the “Downloading the Configuration Files” Step 5 (including Wi5stars) and prerequisites (for forwarding)

In the Access Control header, in the Pre-Authorization Access fields configure with:

• The public or private IP class of your Wi5stars and in addition any FQDN that points to it
• The network class of the private LAN
• Option: the FQDN chosen for the UniFi controller for HTTPS authentication

Upon completion of the above steps, click the Apply Changes button to finish.

On the left menu, scroll down to User Group and click Create New User Group.

Configure with Name, Bandwidth Limit (Download), Bandwidth Limit (Upload)

Upon completion of the above steps, click the Save button to finish.

Now you need to apply the User Group to your network. On the left menu, scroll down to Wireless Networks and select your Wireless Network.

Expand the Advanced Options session and select the User Group you have just created.

From the context menu of the gateway, press Download Gateway Config Files to download the configuration zip file.

Once the zip file is unpacked, you will find the following files:

• authorize.html
• index.html

The files must be edited in the Ubiquiti Themes folder. The paths vary depending on the SO where the Ubiquiti Controller is installed:

• Windows: C:\Users\<username>\Ubiquiti UniFi\data\sites\default\app-unifi-hotspot-
  portal
• MAC: ~/Library/Application Support/UniFi/data/sites/default/app-unifi-hotspot-portal
• Linux: /usr/lib/unifi/data/sites/default/app-unifi-hotspot-portal
• For some Linux installations path will be: /opt/unifi/data/sites/default/app-unifi-hotspot-portal
• CloudKey: /srv/unifi/data/sites/default/app-unifi-hotspot-portal

In your firewall, configure the port forward to accept disconnection requests from your Wi5stars (the same as in the “Radius Authentication and Access Control” paragraph and prerequisites).

You need to create the rule must with the following characteristics:

1. enable it
2. limit it to the public IP of your Wi5stars (optional but we suggest it for security reason)
3. the port must be the same set up in the “Radius Authentication and Access Control” paragraph and chosen in the prerequisites
4. address it to the LAN IP address of the Unifi controller
5. select the UDP protocol
6. afterwards in your Wi5stars > gateway. configure the Radius session as follows

For Ubiquiti-type gateways, you need to enable these settings for the reasons listed below:

• Force disconnections: if enabled, connections that have not received updates from the gateway for the ‘Interim Update’ time defined in the Product Policy plus the Timeout for Idle’ value are automatically closed.

• Send disconnections requests to the gateway: in addition to forcing disconnections, it also sends a radius disconnection request to the gateway. Some types of gateways (e.g. Ubiquiti) may not send the stop to the radius and consider the device always active. If enabled, the gateway has to be reachable for the UDP port indicated in the “Radius Authentication and Access Control” paragraph.
• Port for disconnection requests: port used by the gateway to accept disconnection requests. It is usually the 3799 but can vary depending on the type of gateway. It is the same one configured in the “Radius Authentication and Access Control” paragraph and opened in the firewall at the beginning of Step 5 in the “Downloading the Configuration Files” paragraph.
• Check consumption by users: If the gateway does not support all the necessary radius attributes and the appliance is able to send disconnection requests (points listed above), it periodically checks the consumption of the logged-in users and if time/traffic limits are reached or at expiration, disconnects the user.

Go to the Settings menu, then scroll down to Networks and enter the IP address of your external gateway.

Disable the internal DHCP of your Unifi Controller by ticking None in the DHCP Mode field.

Decide which FQDN to dedicate to the Unifi controller (in our test unifi..com)

Purchase a valid certificate (in our case wildcard certificate ..com)

Make sure that you have the complete chain (cert, intermediate, root) of your own certificate because UNIFI controller requires it. If you already have the full chain, then skip to the HTTPS keystore section otherwise continue in this section.

Purchase a valid certificate (in our case wildcard certificate .Wi5stars.com)

If the full chain is not available, you can use the following online utility: https://tools.keycdn.com/ssl to trace the correct concatenation.

Install the following software https://keystore-explorer.org/downloads.html

Create a new JKS-type keystore

Click on Tools > Import Key Pair

Select the certificate format (in our case we used PKCS #8)

Select the key and the concatenated fullcert you created earlier

Uncheck Encrypted Private Key if you don’t have any type of passphrase set for the certificate, or type the Decryption Password of your certificate

Click Import and choose Unifi as alias

Set as password aircontrolenterprise and as key pair and re-insert it for confirmation

Click on File > Save as

Set the keystore password aircontrolenterprise

Upload the new file created in the Unifi folder by replacing the existing “keystore” file.
The path of the file depends on the SO version where the UniFi controller is installed.

Restart ace.jar or the controller directly in case, for example, it is installed in a WINDOWS environment.

Configure in your gateway the static DNS route (prerequisites) of the FQDN chosen towards the LAN IP of your Unifi Controller (in our case unifi..com – 192.168.1.90)

Go to the Settings menu, then scroll down to Guest Control.
Select the options as follows:

• Use Secure Portal–Tick it
• Redirecting Using Hostname–Set up the same FQDN entered in the DNS static route
• Enable HTTPS Redirection–Tick it

Click Save in the bottom left corner of the page. Your selected entries are saved.

Go to the Settings menu, then scroll down to Site

Tick Enable Advanced Features and disable Optimize Network.

As primary DNS of the AP, you need to edit the IP of your gateway as the image that follows: