freeradius with UNIFI APs

Matthew Newton mcn at freeradius.org
Thu Aug 15 23:09:54 CEST 2019 

On Thu, 2019-08-15 at 15:15 -0400, Arran Cudbard-Bell wrote:
> > On 15 Aug 2019, at 14:22, Elias Pereira <empbilly at gmail.com> wrote:
> > 
> > Arran, You can configure the vlans directly in freeradius and then
> > in unifi controller check "Enable RADIUS assigned VLAN for wireless
> > network". We have it here and it works perfectly.
> 
> This was for the FreeRADIUS/Network RADIUS office where all the
> octopuses live, we know how to do dynamic VLAN assignment ;)

Not _all_ the octopuses. I look after some here...

> Maybe this was just a coincidence, and the APs just had to warm up to
> the fact they were going to be assigning VLANs dynamically

Unifi seems a bit odd, and I can't explain its behaviour.

I've got four VLANs to the AP, let's say 7, 8, 9 and 10.

VLAN 7 is default, is defined in Unifi by network address range only
(the VLAN number isn't in the Unifi config), and dynamic assignment on
SSID1 works fine.

VLAN 8 is the static VLAN on SSID2 (no dynamic assignment). There is no
network covering it in the Unifi config. SSID2 works fine, but
dynamically assigning VLAN 8 on SSID1 doesn't.

VLAN 9 is not defined in Unifi anywhere. Dynamic assignment works fine.

VLAN 10 is defined in Unifi as a Network. Dynamic assignment doesn't
work.

AP has trunk - VLAN 7,8,9 are tagged, VLAN 10 is untagged (the AP
management is on 10).

(There's actually also another VLAN which is at another site on another
AP, and that's not defined anywhere either, but works fine dynamically
assigned.)

So that looks like the network must *not* be known to Unifi for it to
work. Except in my case for VLAN 8. But I have a feeling I read
somewhere that statically assigned VLANs for an SSID can't be
dynamically assigned for another SSID (grrr) which might explain that
one.

(I just added network 8 to the Unifi config and it still doesn't work
when dynamically assigned to a user. I also added network 9, and that
still *does* work. <sigh>)

I don't have a Unifi "security gateway", this is all normal switches
and routers.

My *guess* is that the "networks" list is irrelevant for dynamic
assignment: the untagged VLAN doesn't work, any static VLAN for another
SSID doesn't work, but all other VLANs do.

All rather weird. One thing is certain, though: FreeRADIUS is working
perfectly ;-)

-- 
Matthew

More information about the Freeradius-Users mailing list