Background

The number of staff in the Beijing office is growing, and with it the number of Wi-Fi devices. In the early days we simply shared a Wi-Fi password to let people join the corporate network; over time this exposed the following problems:

  1. Anyone who knows the password can connect any device to the company LAN, whether or not they are a company employee and whether or not the device is company-approved.
  2. After an employee leaves, there is no way to stop them from connecting to the company network again.
  3. The client name shown in the UniFi Controller UI is the hostname the user set on the device. Since few people deliberately configure a hostname, it is hard to identify the owner of a given client.

Alternative solutions

For problem 3, UniFi itself offers only one solution: pre-configure each client in the UniFi Controller and assign it a name according to its MAC address. You can also configure the DHCP service to reserve IP addresses for specific clients.

For problems 1 and 2:

  • A. Set up a RADIUS service integrated with SSO.
  • B. Configure 802.1X access authentication.
  • C. Use a MAC address whitelist to restrict which clients can connect.

We chose plan C. Here’s why:

  • Plans A and B would take a long time to investigate and implement, and we have no relevant experience with them.
  • The company is currently small enough that maintaining a MAC whitelist is acceptable.
  • Plan C also solves problem 3 at the same time, killing two birds with one stone.

Automation

Manually maintaining a document that records employee information, device lists, and MAC addresses takes time and effort, and it easily drifts out of sync with the actual UniFi configuration. The MAC address whitelist UI of the UniFi Controller is also not very convenient; for example, it offers no batch edit or delete operations.

So we chose to use the UniFi Controller API, together with a third-party PHP SDK found on GitHub. With the SDK, we could easily write a small CLI script and define a set of YAML configuration files; the script simply calls the SDK's create_user() and update_user() methods:

```yaml
[email protected]:         # Device owner
  - mac: 78:7e:61:...      # MAC address of the device
    description: iPad      # Device name/description
    white_list: true       # Whether to add this Wi-Fi device to the whitelist

[email protected]:
  - mac: 78:7e:61:...
    description: iMac
    white_list: false      # iMac uses a wired connection, so it does not need to be whitelisted

# And so on...
```
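The page's script is written in PHP against the third-party SDK; the example below is an added illustration (not the project's code) of the part that matters regardless of language: parsing the owner/device layout shown above, validating and normalizing MAC addresses so that a typo in a PR is rejected before it reaches the controller, refusing a MAC claimed by two owners, and computing the create/update/remove operations by comparing the desired state against what the controller currently reports. The YAML sample, the owner addresses, and the "controller state" dictionary are all constructed for the example; the parser handles only this restricted layout, not general YAML.

```python
import re
from dataclasses import dataclass

# Constructed sample config in the same layout as the page's YAML (owners are placeholders).
SAMPLE_CONFIG = """\
alice@example.com:             # Device owner
  - mac: 78:7E:61:AA:BB:01     # upper-case, colon-separated
    description: iPad
    white_list: true
  - mac: 78-7e-61-aa-bb-02     # dash-separated form, normalized below
    description: MacBook
    white_list: true

bob@example.com:
  - mac: 78:7e:61:aa:bb:03
    description: iMac
    white_list: false          # wired, no whitelist needed
"""

# Constructed stand-in for what the controller currently reports: mac -> (name, whitelisted).
EXAMPLE_CONTROLLER_STATE = {
    "78:7e:61:aa:bb:01": ("alice@example.com / iPad", True),    # already correct
    "78:7e:61:aa:bb:03": ("bob@example.com / iMac", True),      # should not be whitelisted
    "00:11:22:33:44:55": ("carol@example.com / Laptop", True),  # no longer in the config
}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


@dataclass(frozen=True)
class Device:
    owner: str
    mac: str
    description: str
    white_list: bool


def normalize_mac(raw):
    """Return the lower-case, colon-separated form; raise ValueError if malformed."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {raw!r}")
    return mac


def parse_config(text):
    """Parse the owner -> device list layout into Device objects.

    Only the subset used by the config above is understood: a top-level
    'owner:' key, '- key: value' list items and indented 'key: value' lines.
    """
    entries = []          # (owner, {field: value})
    owner = current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):           # top-level key: the device owner
            owner = line.rstrip(":").strip()
            continue
        body = line.strip()
        if body.startswith("- "):              # start of a new device entry
            if owner is None:
                raise ValueError("device entry before any owner")
            current = {}
            entries.append((owner, current))
            body = body[2:]
        key, _, value = body.partition(":")    # first ':' only; MACs contain more
        current[key.strip()] = value.strip()

    devices, seen = [], {}
    for owner, fields in entries:
        mac = normalize_mac(fields["mac"])
        if mac in seen:
            raise ValueError(f"MAC {mac} listed for both {seen[mac]} and {owner}")
        seen[mac] = owner
        devices.append(Device(owner, mac, fields.get("description", ""),
                              fields.get("white_list", "false").lower() == "true"))
    return devices


def plan_changes(desired, current):
    """Compare desired devices with controller state; return sorted (action, mac, name, whitelisted)."""
    ops = []
    by_mac = {d.mac: d for d in desired}
    for mac, d in by_mac.items():
        name = f"{d.owner} / {d.description}"
        if mac not in current:
            ops.append(("create", mac, name, d.white_list))
        elif current[mac] != (name, d.white_list):
            ops.append(("update", mac, name, d.white_list))
    for mac, (name, _) in current.items():
        if mac not in by_mac:                  # departed employee or retired device
            ops.append(("remove", mac, name, False))
    return sorted(ops)


if __name__ == "__main__":
    for op in plan_changes(parse_config(SAMPLE_CONFIG), EXAMPLE_CONTROLLER_STATE):
        print(*op)
```

The returned plan is what the CI job would feed to the SDK calls the page mentions (create_user()/update_user()), and printing it on a merge request gives reviewers a concrete diff of whitelist changes before anything is applied.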

We stored all the configuration files and PHP scripts in a Git repository, configured GitLab CI, and installed a GitLab CI Runner on the local gateway so the pipeline can reach the UniFi Controller API from the LAN.

When devices need to be added or removed, the change is committed to the repository and a PR is created. Devices that meet the company's requirements are reviewed and merged into the master branch, which automatically triggers CI to run the script that configures the whitelist and device information.
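The following GitLab CI configuration is an added example of the two-stage flow just described, not the project's own pipeline: merge requests only validate the config, and the job that talks to the controller runs only on master, on the runner installed on the gateway. The job names, script file names, runner tag and the PHP image tag are assumptions; the controller credentials are expected to be CI variables rather than files in the repository.

```yaml
# Assumed layout: validate.php parses and checks the YAML, apply.php calls the SDK.
stages:
  - validate
  - apply

image: php:8.2-cli          # assumption: any image with the PHP CLI works

validate-config:
  stage: validate
  script:
    - php validate.php devices/*.yaml   # fails the MR on malformed or duplicate MACs
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "master"

apply-whitelist:
  stage: apply
  tags:
    - gateway               # assumption: tag of the runner on the LAN gateway
  script:
    - php apply.php devices/*.yaml      # reads UNIFI_USER / UNIFI_PASSWORD from CI variables
  rules:
    - if: $CI_COMMIT_BRANCH == "master"   # never runs from an unreviewed branch
```

Keeping the apply job restricted to master and to the tagged runner means the only path to a whitelist change is a reviewed merge, and the controller credentials never leave the gateway runner.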

Finally, the client list and network topology are shown clearly in the UniFi Dashboard.

Extension

In the previous article, we introduced a practical procedure for codifying scheduled-task monitoring items. A further step would be to turn the small scripts and YAML configuration files into resource declarations for a Terraform provider in HCL syntax: each client becomes a separate resource, and Terraform manages them for us more reliably.


Please follow our WeChat official account “RightCapital”.