Ubiquiti UniFi with Cloud Key

The compatibility of the Ubiquiti UniFi system with the SOCIFI platform was tested on the controller version 5.4.11 (Build: atag_5.4.11_9184) and UniFi AP version 3.7.49.6201. This manual presumes a preconfigured controller with associated APs.

Important notice

The release of the Unifi Controller Firmware 5.10.12 is not compatible with SOCIFI at this moment. Please DO NOT UPGRADE to this version. If the the firmware is already updated to the latest version, please rollback the firmware to the previous version to keep the SOCIFI external portal service running.

We will inform you when the necessary changes are done and when the new version of the FW is compatible.

Information Update

The issue was caused by a bug on the firmware for APs in 5.10.12 and should be fixed in version 5.10.16

See https://community.ubnt.com/t5/UniFi-Updates-Blog/UniFi-Network-Controller-5-10-16-Stable-Candidate-has-been/ba-p/2674811 section bugfixes, Fix external guest portal cookies.

Information Update

The Ubiquiti community confirmed the bug was not definitely resolved in 5.10.16
Now the community announced resolving the bug in 5.10.17, However, the same issue was reported again on Ubiquiti portal.

As reported from users the issue was resolved after keeping the controller version on 5.10.16 or 5.10.17 and downgrading the firmware of the APs to 4.0.15 See
https://community.ubnt.com/t5/UniFi-Wireless/Change-params-for-external-redirect-after-update-to-5-10-12/m-p/2673362#M366635

1. Guest Control

1.1 Guest Policies

Login to the UniFi Controller and Click on "Settings" - "Guest Control"

Set the Guest Policies options with the following values:

Enable Guest Portal	checked
Authentication	External portal server
Custom Portal IP Address	According to geolocation table (see below)
Redirection
Use Secure Portal	unchecked
Redirect using hostname	http://connect-ip.socifi.com
Enable HTTPS Redirection	unchecked

Portal IP selection table according to geolocation:

Europe, Africa, Middle East	52.51.203.246
North America	52.44.151.156

1.2 Access Control

Under the Access Control section click "Add Hostname or Subnet" and enter the allowed subnet. Repeat this for all SOCIFI and CDN required subnets. Even if entering a hostname is allowed, the DNS translation functionality is limited and not recommended by SOCIFI.

List of IP addresses needed for SOCIFI service

IP / range
52.51.203.246/32
52.44.151.156/32
54.232.88.133/32
54.251.110.178/32

List of IP ranges for use with SOCIFI service

List of IP ranges for enabling social networks login

CDN

Google

Facebook/Instagram

Twitter

32.0.0/15
35.0.0/16
54.63.128/26
59.250.0/26
224.0.0/14
195.252.0/24
162.63.192/26
15.127.128/26
46.0.0/18
52.191.128/26
57.254.0/24
66.194.128/26
78.247.128/26
84.0.0/15
199.127.192/26
212.248.0/26
220.191.0/26
222.128.0/17
182.0.0/16
192.0.0/16
230.0.0/16
233.255.128/26
239.128.0/18
239.192.0/19
240.128.0/18
132.0.0/18
152.0.0/17
84.0.0/16
204.0.0/16
246.164.0/22
246.168.0/22
246.174.0/23
246.176.0/20
251.192.0/19
251.249.0/24
251.250.0/23
251.252.0/23
251.254.0/24
137.32.0/19

216.239.32.0/19

64.233.160.0/19

66.249.64.0/19

72.14.192.0/18

209.85.128.0/17

66.102.0.0/20

74.125.0.0/16

64.18.0.0/20

207.126.144.0/20

173.194.0.0/16

216.58.192.0/19

108.177.8.0/21

172.217.0.0/19

108.177.96.0/21

31.13.24.0/21

31.13.64.0/18

45.64.40.0/22

66.220.144.0/20

69.12.56.0/21

69.171.224.0/19

69.63.176.0/20

74.119.76.0/22

103.4.96.0/22

129.134.0.0/16

157.240.0.0/16

173.252.64.0/18

179.60.192.0/22

185.60.216.0/22

204.15.20.0/22

69.12.56.0/21

103.252.112.0/22

104.244.40.0/21

185.45.4.0/21

188.64.224.0/21

192.44.68.0/23

192.48.236.0/23

192.133.76.0/22

199.16.156.0/22

199.59.148.0/22

199.69.58.0/23

199.96.56.0/21

202.160.128.0/22

192.229.128.0/17

93.184.208.0/20

91.225.248.0/23

103.20.94.0/23

108.174.0.0/22

108.174.4.0/24

108.174.8.0/22

108.174.12.0/23

144.2.0.0/22

144.2.192.0/24

216.52.16.0/23

216.52.18.0/24

216.52.20.0/23

216.52.22.0/24

65.156.227.0/24

8.39.53.0/24

185.63.144.0/24

185.63.147.0/24

199.101.161.0/24

64.152.25.0/24

8.22.161.0/24

Due to the problems with the activation of the captive portal on IP-based Walled Garden systems with many allowed IP ranges, add these ranges only if you want to use the Social Network Login.

Generally, we cannot recommend using the Social Network Login on IP-based hotspot systems.

2.1 Profiles

2.1 RADIUS Profiles

Click on "Profiles". Under the section "Radius Profiles" click on "Create New Radius Profile". Set the RADIUS Auth Servers with following options:

Profile Name	ad lib
RADIUS Auth Server
IP address	see bellow for RADIUS server selection
Port	1812
Password/Sh. Secret	socifi

Click on "Add Auth Server" and repeat procedure for the secondary Auth server.

Check the option "Enable Accounting". Set the RADIUS Accounting Servers with following options:

RADIUS Accounting Server
IP address	see bellow for RADIUS server selection
Port	1813
Password/Sh. Secret	socifi

Click on "Add Accounting Server" and repeat procedure for the secondary Accounting server.

Click on "Save"

We recommend to use this set of RADIUS servers:

List of RADIUS according to your location:

For North America

RADIUS Server 1

rad-1-use-1.socifi.com or IP address: 52.7.148.174, Radius shared secret: socifi

RADIUS Server 2

rad-2-use-1.socifi.com or IP address: 52.55.217.23, Radius shared secret: socifi

For Europe and Africa

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

For Asia-Pacific

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

In order to have the Radius communication working fine, the IP addresses (above) and the ports 1812 Auth and 1813 Acc must be accessible.

3. Wireless Networks

Click on "Settings" - "Wireless Networks"

Select the SSID intended for use with SOCIFI and click on "Edit".

Configure the network with the following values:

Name/SSID	ad lib
Enabled	checked "Enable this wireless network"
Security	Open (recommended)
Guest Policy	checked "Apply guest policies"

4. Admins

Click on "Admins" and create a new admin profile for API communication. This account must be set in the SOCIFI Dashboard when adding a new Ubiquity hotspot

Click on "Add New Admin" and enter the following values:

Name	ad lib (eg. apiSOCIFI)
Invite to Controller	Manually
Pasword	enter a secure password
Require the user to change their password	unchecked
Email	ad lib
Role	Super Administrator

Click on "Create"

IMPORTANT NOTICE:

Enablig API Access

It is necessary to forward the TCP port 8443 to UniFi controller on your NAT service or to assign a public IP to the UniFi controller. This will allow to communicate the SOCIFI portal with UniFi API.

The access to the port shall be allowed for the following list of IP addresses:

Make sure your Firewall Settings are set correctly.

If you have a Firewall, it may or may not block the communication / connection to SOCIFI Servers (Captive Portal, API endpoints, RADIUS servers).

The following IP Addresses have to be passed thru the Firewall or any other blocking mechanism to successfully reach SOCIFI. Without allowing these IP Addresses to go thru your Firewall, your deployment cannot work properly.

API Access is used by Ruckus, Ubiquiti and ANTlabs devices

VPC:
use-1: 52.44.148.136
euw-1: 52.18.131.55
aps-1: 52.77.200.241
sae-1: 54.233.193.15

non-VPC:
euw-1: 54.246.88.74
use-1: 54.204.47.201    
aps-1: 54.251.110.178    
sae-1: 54.232.124.137

5. Registering in Dashboard

5.1 Locating the MAC for the registration in SOCIFI Dashboard.

Click on "Devices". The MAC address for registration is in the column "Device Name". All listed AP devices must be registered in SOCIFI Dashboard.

5.2 Hotspot Registering

Step 1: Login to SOCIFI Dashboard

Step 2: Click on the "Hotspots" tab on the left sidebar

Step 3: Click on the “Add a new hotspot” button located on the top right corner on the screen (pictured below)

Note: A pop-up window will appear (below)

Step 4: Select the Wi-Fi hardware manufacturer from the drop down menu

Step 5: Enter the serial number or MAC address (depending on the specific equipment manual) of your equipment. You can add multiple hotspots at once.

Step 6: Set your Network location (this step is essential for correct ad targeting)

Step 7: Set the API endpoint. Switch the API Set-up on and enter the API endpoint formated as https://(CreatedAdminUsername):(Password)@(yourWANIP):8443

Step 8: In the pop-up window type your location or just move the marker on the map and click on the save button to confirm the selection. This address is used for ad GEO targeting.

Step 9: Click Save

Note: Newly added hotspot are marked as (Hotspot pending). After the first user connects to the hotspot via SOCIFI, the status will automatically change and appear as (Active) within an hour. Get your first connections to test if it works properly.