Example: UniFi govroam settings (SP only)
Some smaller deployments might use SOHO suppliers like UniFi. If getgovroam is used as the user database (IdP), the organisation does not need a RADIUS server of its own within the deployment. The UniFi access points can then be configured through the UniFi management server to send their RADIUS requests directly to govroam. The RADIUS traffic does not traverse the management server, so the placement of the management server is not critical.
Follow the steps below in order, since the earlier steps provide the prerequisites for the later steps.
Prerequisites
1 public IP address for inbound and outbound RADIUS traffic
Firewall accepts UDP port 1812 to and from our national govroam RADIUS servers
Settings > Profiles > RADIUS
You will receive the IP addresses of the govroam national roaming servers during the onboarding process. Do not enable accounting!
Settings > Networks:
…where your VLAN ID is the VLAN that clients are given access to after authenticating via govroam, which is usually an internet-bound guest network without a web authentication portal. You can also use a previously defined network that you want to use for guest access.
The VLAN ID is your own choice, just like the other options on this page.
Settings > WiFi:
…where:
Name is ‘govroam’ in all lowercase letters (so not GOVroam, GovRoam, govRoam, govROAM etc.)!
Broadcasting APs selects the access points that the ‘govroam’ SSID is applied to
Hotspot Portal MUST be disabled
The ‘Network’ is the one you created above
Client Device Isolation MUST be enabled
Security Protocol MUST be WPA2 Enterprise
RADIUS profile is the govroam profile you created above.
You might experiment with settings like BSS Transition, Fast Roaming and PMF, but the settings above are the safest choice for supporting most clients.
For wired govroam, add: Settings > Profiles > Ethernet ports:
…and assign this profile to the switch ports that you want to protect with govroam (the advanced settings and VLAN settings depend on your local situation).