About 3 month before writing this post, I have discovered, that our ISP was not fulfilling their plan, which was an expensive connection of asynchronous 10/2 Mbit/s with guaranteened 2Mbit/s both directions. The truth however was, that I have never seen download speed higher than 2Mbit/s. I really dont know why or how, but no matter how much I tried during 2 weeks of testing, I have never seen speed going higher. I have of course contacted our ISP,but they told me that everything was OK, so I went on the internet, found a new ISP with even higher speeds (20/5 Mbit) and lower prices and told the previous ISP that I would like to leave :) …

But the point is, that the new ISP (uvt.cz) uses ubiquiti (ubnt) Power Beam stations instead of Mikrotik devices. I decided to buy one of these devices for the new ISP and see whats it capable of before giving them login details for the new internet connection. And I have to say that I was really impressed, in my opinion UBNT PowerBeam M5 is a very good and solid both station and antenna with an awesome directivity of 22Dbi (PBE-M5-300). Its lightweight, easy to use and easy to configure. The device runs Ubiquiti AirOS, which is a linux based system, but with a very friendly java user interface.

I went onto ubiquiti website and started checking their products. Most of them (including my PowerBeam M5 device) are quite expensive, or to be correct, just a bit more expensive than the standard home routers from zyxel, asus, airlive or whatever. But all of them look very professional, so I decided to update our home network with UBNT Unifi AP and UBNT EdgerouterX. Unifi AP as it name suggest is a lightweight AP for commercial use in restaurants and hotels. Its configurable from a PC running Unifi Controller. This application can configure all of your unifi devices at once, which saves your time if you are running more than one device in your network.

UniFi-AP

But since its only an AP,it needs to have a router somewhere. That is why I have also ordered ubnt EdgerouterX, that serves as a DHCP server on my network. The EdgeRouter is a very small black box with 5 Gbit LAN connectors running ubnt’s EdgeOS,which is again a linux based system running debian.

At first, I would like to say, that I am really satisfied with all devices on my network. The powerbeam works like a charm along with the router and Unifi AP. If you are not used to AirOS or EdgeOS, its not a big problem anyway, I spent just a few hours browsing all the configuration and I became familiar with all I needed almost in no time. The good thing is that you can even use a wizard on your EdgeOS,that will help you to setup your network. This comes handy in situations where you would like to configure load-balancing for example. My own network is quite simple:

Almost everything is on the subnet 192.168.168.0/24, however I made a small change in ISP’s networks in order to distinguish the 2 networks. My old ISP uses 192.168.1.0/24 so I tought it would be nice to create a new subnet of 192.168.2.0/24 for the new ISP. Therefore 2 NATs on EdgeOS are requied and 2 EthernetPorts are configured with static IPs: 192.168.1.17 and 192.168.2.17. The wizard for load-balancing helped me a lot. In fact I just had to rename Ethernet port descriptions,update DNS servers to google public DNS (8.8.8.8 and 8.8.4.4) and modified the wizard-created DHCP Server to match my network (With pool starting at 192.168.168.100 up to 192.168.168.254). This is caused by the fact,that I had a public web server in my network before and that was assigned 192.168.168.50, also my printer is (still) on 192.168.168.60 and my previous airlive router was 192.168.168.70 …

NetworkDiagram

There is plenty of fun you can have with the EdgeRouterX. Even enabling and configuring firewall (this is topic better left for specialist – I do not like firewalls anyway). You can also set weight for load-balancing (20:80) which is a config that I believe suits my network since the old ISP’s connection is somewhat shitty … I also have to say, that the Unifi AP’s range is very good,it covers even our garden with a good signal quality for notebooks. The signal quality for phones or tablets is a bit more problematic. I do not usually care much about bandwidth, so far I had no problems with anything beeing slow.

Radius Server and 802.1X

Althought setting up the AP and router is quite easy, we will do an updated version of the network setup. As we know, Unifi APs support Enterprise Security (Authentification using RADIUS server). Fortunately our EdgeMax OS (is a debian-based linux) support installing a Radius Server (freeradius). It is not that easy however for several reasons.

I will be using EdgeOS firmware version: 1.7. this is important, because we will have to setup repositories with the correct distribution in order to install freeradius. But first of all,make sure to backup your router configuration. Once you are finished,open up your favorite ssh client (putty is awesome for windows) and navigate to your router. Login and switch your user account to root by typing “sudo su“.

You can check,that “apt-get install freeradius” command is not working. In order to install it,we will have to modify our repositories (if you have read a different post from older time,you may have noticed that all “wheezy” were changed to “squeeze“. This is alright, wheezy is the correct distribution for EdgeOS 1.7)

  • “configure”
  • “set system package repository wheezy components ‘main contrib non-free’ “
  • “set system package repository wheezy distribution wheezy”
  • “set system package repository wheezy url http://http.us.debian.org/debian”
  • “set system package repository wheezy-security components main”
  • “set system package repository wheezy-security distribution wheezy/updates”
  • “set system package repository wheezy-security url http://security.debian.org”
  • “commit”
  • “save”
  • “exit”

Now we need to update our cache by typing “apt-get update“. Once this is done,we can install freeradius by “apt-get install freeradius“. Dont bother yourself by the terminal output,its not working and its a long way to go. Next, install nano (terminal editor) and wget. We will need both. You can do so by typing “apt-get install nano” and “apt-get install wget“. Once this is done, you can check that your repositories are setup correctly by sending “nano /etc/apt/sources.list“. The output should look like:

Sources.list

We can also finally see that the nano is working as well. Alright back to radius,in order to make it work,we will have to create server and client certificates. These were already preinstalled in older versions as a part of openvpn package (easy-rsa). The bad news is, that they are no more and we will have to install them separately. Thats why we have a wget. Regardless of your current EdgeOS path, go to your favorite PC browser and navigate to a download page for easy-rsa.deb. In my own scenario: “wget http://ftp.us.debian.org/debian/pool/main/e/easy-rsa/easy-rsa_2.2.2-2_all.deb” for downloading it (once we are finished, you can delete the .deb file and folder by running “rm xxxxx or rm -r xxxxx for folder”). Alternatively, use this link.

Once it is downloaded, we need to install it by typing  “dpkg -i easy-rsa_2.2.2-2_all.deb“. Next we create a new folder: “mkdir /etc/openvpn/easy-rsa” and copy content of the created directory “easy-rsa” into it by typing “cp /usr/share/easy-rsa/* /etc/openvpn/easy-rsa“. You should see something like (after typing “nano /etc/openvpn/easy-rsa/vars“):

Easy-rsa

Next,we will have to edit it. Since I was reading a lot about it right here,I would encourage you to do the same. I am too lazy to rewrite all, but just look at the blue and red sections and do the same. Dont forget to save your file.

KeyManage

Once you are done,we can create the certificates:

  • “cp openssl-1.0.0.cnf openssl.cnf”
  • “source ./vars”
  • “./clean-all”
  • “./pkitool –initca”
  • “./pkitool –server radius”
  • “./pkitool –pkcs12 client” – Choose a password and write it somewhere just in case.

Now copy (and rename – we can do so while copying) those certificates into radius folder:

  • “cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/freeradius/certs/ca.pem”
  • “cp /etc/openvpn/easy-rsa/keys/radius.crt /etc/freeradius/certs/server.pem”
  • “cp /etc/openvpn/easy-rsa/keys/radius.key /etc/freeradius/certs/server.key”

Furthermore,we have to change permissions for the radius-created user “freerad“:

  • “chown freerad:freerad /etc/freeradius/certs/*”

Navigate to /etc/freeradius/certs and create one more certificate:

  • “cd /etc/freeradius/certs”
  • “openssl dhparam -check -text -5 512 -out dh”

Freeradius_logo.svg

Now everything should be OK and we can start finally our radius server (in debug mode – note the uppercase X):

  • “freeradius -X”

A “ready to process requests” line should appear – that is correct,but we dont need the debug mode,so feel free to press ctrl+c. Next we are restarting the service – this is recommended each time you do something strange with the configuration:

  • “service freeradius restart”

Now you can test,that your server is listening by sending “radtest username password 127.0.0.1 0 testing123”. You will probably receive an Access-Reject packet since there are no users yet :) The “0” tells it to use the default port,which is 1812 by the way and the last “testing123” is a default shared server secret for localhost client.

Creating Users and Clients

Now we would like to add some users (Please backup “users” and “clients.conf” first):

  • “cd /etc/freeradius”
  • “ls”
  • “cp clients.conf clients.conf.bac”
  • “cp users users.bac”

Now we are about to add a user:

  • “nano users”

Search for a line beginning with “steve” and add a new user below the commented section:

TaySwift Cleartext-Password:=”ILoveTaylor”

You can add as many users as you want here. Once you are done, save.We now have to add some clients (So that the radius server knows, that its a client). Now, since my network consists of AP without NAT and since the Unifi AP has a static IP, we can define just one client. However to make things easier, we will add the whole subnet (Scroll down to the end of the file):

  • “nano clients.conf”

You should add something like this:Clients

feel free to set “secret” to some random string of lowercase/uppercase chars and numbers. Also notice that our client is a subnet in fact. Alternatively, you can just enter the APs IP (192.168.168.3 in my case). Of course you can enter as many clients as you want. If you have some extra time, you can just browse clients.conf, you will find a client on IP 127.0.0.1 which is a localhost with a predefined secret “testing123” – a phrase we used earlier. You dont have to change it :) Just make sure to save your file again.

There is one more trick, we have to apply,else radius log will be deleted each time you reboot your router:

  • “nano /etc/init.d/freeradius”

add next 4 lines just under the very first commented section:

if [ ! -d /var/log/freeradius ]; then
mkdir -p /var/log/freeradius
chown freerad:freerad /var/log/freeradius
fiRadiusBootEntry

 

 

Configuring Unifi AP

Now the hard part is over,we just have to launch Unifi Controller on our PC,create a new network (recommended for testing and playing with it) and set security to WPA2-Enterprise. Make sure to set your Radius server IP (EdgeRouter’s IP – 192.168.168.1) and to set your secret as the password (the unnatural string of chars and numbers and or symbols :D ).

You can also download NTRadPing test utility if you are having some problems and test your Radius – Enter Server IP, Server Secret, Username and its password, you should see “response: Access-Accept“:

RadtestPing

Windows 7 manual connect

Now comes another funny part, you can either download (somewhat) the client certificate you created on your router and install it on your PC in order to connect, or do the following: (After trying that your network access with username and pass is not working):

Manually create a network profile, Set its SSiD (name) and Security (Prolly WPA2-Enterprise). Save your settings and navigate to section “manage wireless networks”. Go to properties and select security tab. Make sure that Microsoft Protected EAP is selected, click on settings and uncheck “validate server certificate“. Also navigate down to “select authentification method”,click configure and uncheck “Automatically use my Windows logon name and password (and domain if any)“.Close “protected EAP Properties” window by clicking OK and in the first window: “– networkname — Wireless Network Properties” click on Advanced settings. Under 802.1X settings tab, specify authentification to “user authentification” and fill your username and password. Also switch tab to 802.11 settings and check “this network uses pre-authentification“.

For some reason, my android device connected without any problems and without modifying anything. Thats why I suggested a few lines earlier to try connecting without playing with network properties. The good thing is, that you can have multiple PCs and or devices connected with a single username and password. For me it worked well with 2 devices connected. I believe that the unchecked “validate server certificate” is a network vulnerability and if you care about security, you should probably download the client certificate and install it to each client device. 

 

  • Thank you for visit, have fun with ubnt devices! :)
  • Dont hesitate to post comments ! :)
  • Big thanks goes also to Dragan Bjelic!