Getting Started with Unifi Access Points
Posted by Robert Sandling on Nov 14th 2017
Why Unifi?
Ubiquiti Unifi Access Points are a deceptively powerful wireless solution with a very low price point. In many cases an individual access point is less expensive than a SOHO router commonly used in small offices, yet it provides several features you won’t find with your average SOHO router.
For Example:
- Central Web Based Management
- Automatic configuration of wireless roaming
- Single click load balancing
- Easy deployment of a guest network with separate SSID and security settings
- Captive Portal
- Google Maps integrated site map
- Wireless client counts, and bandwidth tracking
- Point and click MAC based ACLs
In short, features normally not found until you spend much more on a Cisco or similar full enterprise wireless solution.
Resources:
Unifi FAQ: http://wiki.ubnt.com/UniFi_FAQ
Unifi Access Controller Download: http://www.ubnt.com/download#UniFi:AP
Putty Download: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Java Download: http://www.java.com
Unifi Access Controller is a Java-based application, so you'll need an up-to-date Java installation if you don't have one already. This is true for both the Mac and Windows controllers available on the Ubiquiti web site. There is also a Linux access controller available via a Debian repository. Please be sure you’re using the most recent version of the Access Controller software available. Failure to do so can destroy your access points! You'll also need an SSH client to work with the access points. We recommend the venerable Putty.
The FAQ linked is a gold mine of information. It covers every topic you could ever need to deploy Unifi Access Points, but it's a huge amount of information to navigate! The goal of this blog is to get you started with a working basic deployment. Just don’t forget the FAQ; it can carry you farther than this document. Or who knows, shoot a request to us at support@nexgenappliances.com and we might just make another blog on the more advanced deployments. Finally, fair warning: this blog is written assuming some familiarity with Windows networks and administration.
Installing the Access Controller
We’re going to be using the Windows Access Controller as an example here. The installation process is pretty straightforward. There are, however, two things that need to be covered here to save you some frustration. First, by default the Access Controller is an application, not a service. So unless you've manually started it, it's not running. Yes, you can make it a service, but that’s beyond the scope of this blog. Second, the Windows Firewall is going to need to be configured. That doesn’t mean go stop the service because it's in the way; you have to configure it. Stopping the Windows Firewall service on Windows 7 and Windows 8 doesn't disable the firewall, it simply configures the system for a different set of defaults. In the case of Server 2008, Server 2012, and Windows 8, the firewall can be so locked down you can't ping the host anymore, much less access a service running on the host. This poses a problem when the APs are trying to connect to the access controller.
To that end, the Unifi FAQ indicates several ports are used by default, but there are only two we need to concern ourselves with at the moment. These are TCP 8443 for the web management console, and TCP 8080 for the device information. By default TCP 8443 seems to work fine; it’s 8080 that can give us some headache. But to be safe you should manually create a Windows Firewall rule to pass both ports.
Windows 7, and 8.1 (2008 and 2012 are very similar)
1.) Open the Control Panel
2.) Open the Windows Firewall Applet
3.) Click the Advanced Settings Link to the left
4.) In the Windows Firewall with Advanced Security Window, select Inbound Rules
5.) Now select the new rule option in the actions pane to the right
6.) Rule Type should be port
7.) Protocol and Ports is TCP, and ports is 8443, 8080
8.) Action is Allow the Connection
9.) Profile is based on your security objectives, all three means wide open. My installations tend to use Domain and Private only.
10.) Name can be whatever you want, Pass Unifi Access Controller is what I’ve used. Pick something descriptive so you can find it in the list later
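The same rule created from an elevated PowerShell prompt, as an added example that is not part of the original post. It assumes Windows 8 / Server 2012 or later, where the NetSecurity cmdlets are available, and uses the rule name and the Domain and Private profiles from the steps above.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$ruleName = 'Pass Unifi Access Controller'   # name used in step 10
$ports    = 8443, 8080                       # web console, device inform

# Create the rule only if it is not already there, so reruns don't stack duplicates.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $ports `
        -Action Allow -Profile Domain, Private | Out-Null
}

# Read the rule back and show what is actually in effect: profiles and ports.
$rule       = Get-NetFirewallRule -DisplayName $ruleName
$portFilter = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Rule     = $rule.DisplayName
    Enabled  = $rule.Enabled
    Profile  = $rule.Profile
    Protocol = $portFilter.Protocol
    Ports    = $portFilter.LocalPort -join ','
}

# Once the controller is running, confirm it is listening on both ports.
Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If the last command returns nothing for 8080 while the controller is running, the problem is the controller itself rather than the firewall.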
That should take care of the firewall. Use the Unifi shortcut on your desktop to launch the controller software. It will test all ports required, and throw an error if any of the TCP ports it needs are already in use. In the interests of brevity I won’t be covering what to do if you get an error. It is possible to change the ports Unifi uses, but that has implications later and is considered advanced. For simplicity we need to use the default ports. Once the software is working, click the Launch button to open a browser. If you’re working from a server and would rather use your desktop/laptop/tablet’s browser, you can point it at https://:8443 as well. The first time you launch you’ll get a wizard. This process will configure basic wireless defaults, as well as a username / password pair to log in to the controller. It will also start scanning your network for access points; however, if you’re on Server 2012 or Windows 8 you’ll discover very shortly that the access points might not be found automatically. We’ll deal with that in a second. For now just get the controller software up with the Access Points tab selected.
Bringing the first Access Point online
Plug the access point into the same network as the access controller, DHCP will configure it and it’ll get online just like any other workstation. If you don’t have DHCP on your wireless segment, you’ll need to configure it. You’ll want DNS too, but more on that later. If the access point shows up in the access points list in your web control panel, click adopt and schedule a party. Because you’re online and don’t need anything else I’m going to type here. If it doesn’t, time to roll up our sleeves.
Using DNS
The easiest way to get all of your access points to connect to a central access controller is to configure your DNS servers to resolve unifi to the IP address of your access controller. This will only work if you left the ports at default, and only if you get the DNS correct. Now, the more technically inclined readers are probably yelling, "unifi isn’t a full DNS name, you can’t resolve that." And you’re correct! DHCP should be passing out a DNS suffix by default, so if you have Active Directory running on your network all of this is likely already working. All you need to do is make a CNAME for unifi and point it at the host name of the server running the access controller software. The access points will attempt to access the controller at http://unifi:8080/inform every few seconds. If you get that URL working and pointed at the controller, the access points will simply file in and be ready to work. If you don’t have DNS control of your network, never fear, there is a way out!
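A quick check of that DNS setup from a Windows machine on the same segment, as an added example that is not part of the original post. The controller address is a placeholder, and the script assumes Windows 8.1 / Server 2012 R2 or later for Test-NetConnection. Because the access points contact whatever host the short name unifi resolves to, the check compares the answer against the address you expect before testing the port.

```powershell
# Added example, not from the original post.
$controllerIp = '192.0.2.10'   # placeholder: replace with your controller's address

# Resolve the short name using this machine's DNS suffix list, DNS protocol only
# (no LLMNR/NetBIOS fallback that could hide a missing record).
$answers = Resolve-DnsName -Name 'unifi' -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' }

if (-not $answers) {
    Write-Warning "'unifi' does not resolve; check the CNAME and the DHCP DNS suffix."
}
elseif ($answers.IPAddress -notcontains $controllerIp) {
    # The name resolves, but to a host you did not expect.
    Write-Warning "'unifi' resolves to $($answers.IPAddress -join ', '), not $controllerIp."
}
else {
    # Name is right; now confirm the inform port is reachable through the firewall.
    $tcp = Test-NetConnection -ComputerName 'unifi' -Port 8080 -WarningAction SilentlyContinue
    "unifi -> $controllerIp, TCP 8080 reachable: $($tcp.TcpTestSucceeded)"
}
```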
Going Manual
This process involves a bit more work. You may, however, find it worth knowing even if the DNS approach works, because it will unmask how the access points really find the access controller, and allow you to change this behavior to fit any network, anywhere, at any time. We will be connecting to a Linux command line. Do not panic! You can’t break anything!
First, the hard part: you need to figure out what IP address your access point has. Unifi provides a discovery tool at http://www.ubnt.com/download#app. We haven’t had much luck with it, because if this was working the Access Controller would have found the Access Point for us. The approach that worked for us? We went digging in the DHCP lease table. Regardless of what router or DHCP service you’ve got, somewhere there is a table of leases. Ubiquiti devices have MAC addresses that start with DC:9F:DB. It’s likely the most recent lease, or somewhere close. Once you’ve got a likely address, stuff it into Putty and see if you can connect. The default SSH login for Unifi access points is logon: ubnt and password: ubnt. If you end up with a BusyBox prompt you’re ready to go!
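One way to do the lease-table search, as an added example that is not part of the original post. Find-UbiquitiLease is a hypothetical helper name; it takes lines pasted from any lease table or from arp -a output and keeps the entries whose MAC starts with DC:9F:DB, whatever separator the source uses. The sample lines are constructed.

```powershell
# Added example, not from the original post. Function name is hypothetical.
function Find-UbiquitiLease {
    param(
        [string[]]$Line,
        [string]$Oui = 'DC9FDB'   # prefix given in the text above, separators removed
    )
    $ipRe  = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
    # Six hex pairs separated by ':' or '-', not embedded in a longer hex run.
    $macRe = '(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])'

    foreach ($l in $Line) {
        $ip  = [regex]::Match($l, $ipRe)
        $mac = [regex]::Match($l, $macRe)
        if (-not ($ip.Success -and $mac.Success)) { continue }   # header or blank line

        # Normalise dc-9f-db-.. / DC:9F:DB:.. to DC9FDB.. before comparing.
        $flat = ($mac.Value -replace '[:-]', '').ToUpper()
        if ($flat.StartsWith($Oui.ToUpper())) {
            [pscustomobject]@{ IP = $ip.Value; MAC = $mac.Value.ToUpper() }
        }
    }
}

# Constructed sample input mixing "arp -a" style and router lease-table style lines.
$sample = @(
    '  Internet Address      Physical Address      Type',
    '  192.168.1.23          dc-9f-db-1a-2b-3c     dynamic',
    '192.168.1.40  00:11:22:33:44:55  printer  12h',
    'lease 192.168.1.57 DC:9F:DB:AA:BB:CC expires 2017-11-15'
)

Find-UbiquitiLease -Line $sample | Format-Table -AutoSize
```

On the sample this lists 192.168.1.23 and 192.168.1.57 as candidate access points and skips the header and the printer.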
Unifi Command Line Commands
info          Display AP information
set-default   Restore AP to factory defaults
set-inform    Attempt manual inform
upgrade       Upgrade firmware
reboot        Reboot
All of these commands except upgrade are useful. I have not found a place to download manual firmware for the Unifi Access Points, and once connected to the Access Controller firmware updates are handled there at a click. Info displays the access point’s model number, MAC address, IP address, uptime, and inform URL. It’s basically a quick dump of the settings used to get the AP online. The set-default command is something to use if your AP is stuck partially configured. The access point will not attempt to configure itself on an access controller if it’s already configured. You’ll have to reset it to move to a new access controller. The set-inform command is what we’re after here to get the AP online!
set-inform, and Unifi’s strange provisioning!
This command is very simple syntactically. Simply input set-inform http://ipofserver:8080/inform or use whatever URL will resolve back to your access controller. You can do this to get to an access controller on a local network, a different network, or even across the Internet. However, the strange thing about this command is that it only does it once! So, if you execute this command once, you should see the access point pop up in the access controller. From there you can click adopt, and shortly thereafter the access controller will report the AP disconnected. This is because, for some strange reason, once the access point has been told to manually use an inform URL it won’t retry this URL ever again unless it’s provisioned successfully. So: set-inform on the AP, adopt in the web console, set-inform on the AP a second time. NOW it’s being adopted. If the AP doesn’t appear in the access controller after use of this command, you’ve likely got a firewall problem preventing access. Again, the SSH terminal is a great way to troubleshoot. Ping works. Another more advanced tool that helped some of our deployments is tail -f /var/log/messages. That command will follow changes to /var/log/messages, which is an event log for the access point. It’ll automatically update until you press Ctrl + C to end it. You can use exit to close the session, or simply click the little X when you’re done.
Changing the SSH login credentials
You don’t have to! The access points once adopted and connected to an access controller will change their login details to match what you used on the access controller. So if you need to SSH into an access point later, use the same login and password you used on the access controller. There is a reset button on the device that can be used to reset the unit to factory defaults if you’ve forgotten this password.
Conclusion
If you’ve made it this far, thanks for reading. Nexgen Appliances is here to assist network administrators to identify, learn about, and deploy competitive networking solutions. While we cannot competitively resell Unifi solutions at this time, we do want to highlight them. And you can bet we’re working on fixing that little detail! We believe these access points are an incredible option for wireless networks of any size. They have one of the best cost / feature ratios of any product we’ve worked with. As always, if you have any questions feel free to contact us at support@nexgenappliances.com.