Ubiquiti UniFi with Cloud Key

The compatibility of the Ubiquiti UniFi system with the SOCIFI platform was tested on the controller version 5.4.11 (Build: atag_5.4.11_9184) and UniFi AP version 3.7.49.6201. This manual presumes a preconfigured controller with associated APs.

Important notice

The release of the UniFi Controller Firmware 5.10.12 is not compatible with SOCIFI at this moment. Please DO NOT UPGRADE to this version. If the firmware is already updated to the latest version, please roll back the firmware to the previous version to keep the SOCIFI external portal service running.

We will inform you when the necessary changes are done and when the new version of the FW is compatible.

Information Update

The issue was caused by a bug in the firmware for APs in 5.10.12 and should be fixed in version 5.10.16.

See https://community.ubnt.com/t5/UniFi-Updates-Blog/UniFi-Network-Controller-5-10-16-Stable-Candidate-has-been/ba-p/2674811, section "bugfixes", item "Fix external guest portal cookies".

Information Update

The Ubiquiti community confirmed the bug was not definitively resolved in 5.10.16.
The community has now announced that the bug is resolved in 5.10.17. However, the same issue was reported again on the Ubiquiti portal.

As reported by users, the issue was resolved after keeping the controller version on 5.10.16 or 5.10.17 and downgrading the firmware of the APs to 4.0.15. See
https://community.ubnt.com/t5/UniFi-Wireless/Change-params-for-external-redirect-after-update-to-5-10-12/m-p/2673362#M366635


1. Guest Control

1.1 Guest Policies

Log in to the UniFi Controller and click on "Settings" - "Guest Control".

Set the Guest Policies options with the following values:

Enable Guest Portal: checked
Authentication: External portal server
Custom Portal IP Address: According to geolocation table (see below)
Redirection
Use Secure Portal: unchecked
Redirect using hostname: http://connect-ip.socifi.com
Enable HTTPS Redirection: unchecked


Portal IP selection table according to geolocation:

Europe, Africa, Middle East: 52.51.203.246
North America: 52.44.151.156




1.2 Access Control

Under the Access Control section click "Add Hostname or Subnet" and enter the allowed subnet. Repeat this for all SOCIFI and CDN required subnets. Even if entering a hostname is allowed, the DNS translation functionality is limited and not recommended by SOCIFI.

List of IP addresses needed for SOCIFI service

IP / range
52.51.203.246/32
52.44.151.156/32
54.232.88.133/32
54.251.110.178/32



List of IP ranges for use with SOCIFI service: CDN
List of IP ranges for enabling social networks login: Google, Facebook/Instagram, Twitter, LinkedIn


Due to the problems with the activation of the captive portal on IP-based Walled Garden systems with many allowed IP ranges, add these ranges only if you want to use the Social Network Login.

Generally, we cannot recommend using the Social Network Login on IP-based hotspot systems.




2. Profiles

2.1 RADIUS Profiles

Click on "Profiles". Under the section "Radius Profiles" click on "Create New Radius Profile". Set the RADIUS Auth Servers with the following options:

Profile Name: ad lib
RADIUS Auth Server
IP address: see below for RADIUS server selection
Port: 1812
Password/Sh. Secret: socifi

Click on "Add Auth Server" and repeat the procedure for the secondary Auth server.

Check the option "Enable Accounting". Set the RADIUS Accounting Servers with the following options:

RADIUS Accounting Server
IP address: see below for RADIUS server selection
Port: 1813
Password/Sh. Secret: socifi

Click on "Add Accounting Server" and repeat the procedure for the secondary Accounting server.

Click on "Save"

We recommend using this set of RADIUS servers.

List of RADIUS servers according to your location:

For North America

RADIUS Server 1

rad-1-use-1.socifi.com or IP address: 52.7.148.174, Radius shared secret: socifi

RADIUS Server 2

rad-2-use-1.socifi.com or IP address: 52.55.217.23, Radius shared secret: socifi

For Europe and Africa

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

For Asia-Pacific

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

For the RADIUS communication to work, the IP addresses above and the ports 1812 (Auth) and 1813 (Acc) must be accessible.


3. Wireless Networks

Click on "Settings" - "Wireless Networks"

Select the SSID intended for use with SOCIFI and click on "Edit". 

Configure the network with the following values:

Name/SSID: ad lib
Enabled: checked "Enable this wireless network"
Security: Open (recommended)
Guest Policy: checked "Apply guest policies"


4. Admins

Click on "Admins" and create a new admin profile for API communication. This account must be set in the SOCIFI Dashboard when adding a new Ubiquiti hotspot.

Click on "Add New Admin" and enter the following values:

Name: ad lib (e.g. apiSOCIFI)
Invite to Controller: Manually
Password: enter a secure password
Require the user to change their password: unchecked
Email: ad lib
Role: Super Administrator

Click on "Create"

IMPORTANT NOTICE:

Enabling API Access

It is necessary to forward the TCP port 8443 to the UniFi controller on your NAT service or to assign a public IP to the UniFi controller. This allows the SOCIFI portal to communicate with the UniFi API.

The access to the port shall be allowed for the following list of IP addresses:

Make sure your Firewall Settings are set correctly.

If you have a Firewall, it may or may not block the communication / connection to SOCIFI Servers (Captive Portal, API endpoints, RADIUS servers).

The following IP addresses have to be allowed through the firewall or any other blocking mechanism to successfully reach SOCIFI. Without allowing these IP addresses through your firewall, your deployment cannot work properly.

API Access is used by Ruckus, Ubiquiti and ANTlabs devices

VPC:
use-1: 52.44.148.136
euw-1: 52.18.131.55
aps-1: 52.77.200.241
sae-1: 54.233.193.15

non-VPC:
euw-1: 54.246.88.74
use-1: 54.204.47.201    
aps-1: 54.251.110.178    
sae-1: 54.232.124.137
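
As an added example (not part of the SOCIFI manual): a shell script that generates iptables rules limiting the forwarded API port 8443 to the SOCIFI source addresses listed above and dropping every other source. The controller address 192.168.1.10 and a Linux gateway that DNATs the port and filters in the FORWARD chain are assumptions, not values from this page.

```shell
#!/bin/sh
# Added example: emit iptables rules that limit the forwarded UniFi API port
# (TCP 8443) to the SOCIFI source addresses listed on this page.
# Assumption: a Linux gateway DNATs 8443 to the controller, so the filtering
# happens in the FORWARD chain against the controller's internal address.

CONTROLLER_IP="${CONTROLLER_IP:-192.168.1.10}"   # placeholder, not from the page
API_PORT=8443

# SOCIFI API source addresses, copied from the VPC and non-VPC lists above.
SOCIFI_API_SOURCES="
52.44.148.136 52.18.131.55 52.77.200.241 54.233.193.15
54.246.88.74 54.204.47.201 54.251.110.178 54.232.124.137
"

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255,
# so a typo in the list cannot turn into a malformed or overly broad rule.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one ACCEPT rule per allowed source, then a final DROP for everyone else.
emit_api_rules() {
    for src in $SOCIFI_API_SOURCES; do
        is_ipv4 "$src" || { echo "invalid address: $src" >&2; return 1; }
        echo "iptables -A FORWARD -p tcp -s $src -d $CONTROLLER_IP --dport $API_PORT -j ACCEPT"
    done
    echo "iptables -A FORWARD -p tcp -d $CONTROLLER_IP --dport $API_PORT -j DROP"
}

# Prints the rules only; review them before applying on the gateway.
emit_api_rules
```

The script only prints the rules, so they can be reviewed and merged into the gateway's existing rule set in the right order.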


5. Registering in Dashboard

5.1 Locating the MAC for the registration in SOCIFI Dashboard.

Click on "Devices". The MAC address for registration is in the column "Device Name". All listed AP devices must be registered in SOCIFI Dashboard.

5.2 Hotspot Registering

Step 1: Login to SOCIFI Dashboard

Step 2: Click on the "Hotspots" tab on the left sidebar

Step 3: Click on the “Add a new hotspot” button located on the top right corner on the screen (pictured below)

Note: A pop-up window will appear (below)

Step 4: Select the Wi-Fi hardware manufacturer from the drop down menu

Step 5: Enter the serial number or MAC address (depending on the specific equipment manual) of your equipment. You can add multiple hotspots at once.

Step 6: Set your Network location (this step is essential for correct ad targeting)

Step 7: Set the API endpoint. Switch the API Set-up on and enter the API endpoint formatted as https://(CreatedAdminUsername):(Password)@(yourWANIP):8443


Step 8: In the pop-up window type your location or just move the marker on the map and click on the save button to confirm the selection. This address is used for ad GEO targeting.

Step 9: Click Save


Note: Newly added hotspots are marked as (Hotspot pending). After the first user connects to the hotspot via SOCIFI, the status will automatically change and appear as (Active) within an hour. Get your first connections to test if it works properly.