freeradius with UNIFI APs
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Aug 19 23:02:14 CEST 2019
> On 15 Aug 2019, at 17:09, Matthew Newton <mcn at freeradius.org> wrote:
>
> On Thu, 2019-08-15 at 15:15 -0400, Arran Cudbard-Bell wrote:
>>> On 15 Aug 2019, at 14:22, Elias Pereira <empbilly at gmail.com> wrote:
>>>
>>> Arran, You can configure the vlans directly in freeradius and then
>>> in unifi controller check "Enable RADIUS assigned VLAN for wireless
>>> network". We have it here and it works perfectly.
>>
>> This was for the FreeRADIUS/Network RADIUS office where all the
>> octopuses live, we know how to do dynamic VLAN assignment ;)
>
> Not _all_ the octopuses. I look after some here...
True :)
>
>> Maybe this was just a coincidence, and the APs just had to warm up to
>> the fact they were going to be assigning VLANs dynamically
>
> Unifi seems a bit odd, and I can't explain its behaviour.
"At the time of writing, one known limitation with RADIUS controlled VLANs is that you can't share a VLAN ID between RADIUS users and a static VLAN assignment on another SSID on that AP. So, if SSID1 has a static VLAN assignment of 10, and SSID2 is configured for RADIUS controlled VLANs, the users on SSID2 cannot use the VLAN ID of 10, but they can use any other VLAN ID. If you had a 3rd SSID, that also used RADIUS controlled VLANs, you can use the same VLAN IDs as you would for the users on SSID 2 (except for 10). This applies on a per-AP basis. Disabling the wireless network on the controller is sufficient means to avoid the static VLAN overlap while transitioning to dynamic VLAN."
https://help.ubnt.com/hc/en-us/articles/219654087-UniFi-Using-VLANs-with-UniFi-Wireless-Routing-Switching-Hardware
That's what got us. We had a "legacy" SSID for devices which couldn't do 802.1X, which had one of the VLANs we were assigning dynamically configured.
Setting the legacy network to mac-auth and removing the static VLAN assignment fixed it.
> My *guess* is that the "networks" list is irrelevant for dynamic
> assignment:
Yeah I agree, it was definitely this other issue.
> the untagged VLAN doesn't work, any static VLAN for another
> SSID doesn't work, but all other VLANs do.
> All rather weird. One thing is certain, though: FreeRADIUS is working
> perfectly ;-)
Indeed :)
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
More information about the Freeradius-Users
mailing list