Skip to content

MisterErwin/UniFiPPSK

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
README.md
README.md
 
 

Repository files navigation

UniFiPPSK

UniFi does support RADIUS mac authentication for WPA2 personal, but does not support individual PSKs (out of the box). Other vendors offer this, sometimes marketed as Dynamic Pre-shared Key (DPSK), Identity PSK (IPSK), or Private PSK (PPSK).

This thread on the UniFi forums outlines a POC for Private PSKs with dynamic VLAN assignment.

Since this POC has been published, Ubiquiti has introduced UID which comes with its own kind of WiFi access - one where the PSK is unique per user.

Due to the addition of UID, the controller will provision the required system.cfg lines itself, if the network is marked as a UID IoT network. This is usually only possible via the UDM, but by modifying the mongoDB directly, it is possible to enable the UID IoT mode:

In case you already have set up a wireless network with RADIUS mac authentication, you can skip ahead. Create a new WPA Personal wireless network using the UniFi web UI, enter a name, and an arbitrary passphrase (it will not be used, but the controller requires one set.).

In the radius mac authentication section select a RADIUS profile. (If required, enable RADIUS assigned VLANs in the profile).

To morph your plain WPA 2 personal network with a fixed passphrase to one using PPSK, we have to connect to the MongoDB used by the controller.

mongo --port 27117

First, we set the attr_hidden_id to UidIot, then enable the option to retrieve the WPA passphrase from RADIUS, and finally require the dynamic VLANs (only required for RADIUS assigned VLANs).

use ace
db.wlanconf.update(
    {name: "Your Wireless Network Name"},
    {
        $set: {
            "attr_hidden_id": "UidIot",
            "wpa_psk_radius": "required",
            "vlan_wlan_mode": "required"
        }
    }
)

Now you just have to (force-)provision all APs once for this change to the MongoDB/wireless network to take effect.

Make sure to use an updated firmware (should be a v6 firmware) and controller, as otherwise you will be greeted by "UID IoT WLAN Your Wireless Network Name is not supported by f4:92:aa:bb:cc:dd and will be skipped" errors in your server.log.

Your radius' users file should look like the following and include the Tunnel-Password option.

aa:bb:cc:dd:ee:ff Cleartext-Password := "aa:bb:cc:dd:ee:ff"
    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-Id = 1234,
    Tunnel-Password = ILikeTrams

From now on, you only have to modify and update your radius users config for new PSKs to be useable.

About

Private Pre-shared Keys with UniFi

Resources

Readme
Activity

Stars

3 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published