WLAN and User Groups
WLAN Groups are a nice feature in the UniFi controller. WLAN Groups make it easy to configure wireless settings to a lot of APs quickly and easily. To provision one or more SSIDs on multiple APs, create a WLAN Group with the desired SSIDs and security values, then apply the Group to the desired APs.
As you configure a WLAN, you'll see the options for configuring each SSID. UniFi supports all typical forms of wireless security, including WEP, WPA/WPA2 (TKIP and AES), and WPA-Enterprise utilizing RADIUS authentication.
I tested WLAN Groups by creating Group1 with two SSIDs, one called Smallnet1 and the other called Guest1, shown below. I set up the SSID called Smallnet1 with WPA2 security and I set up the SSID called Guest1 with guest restrictions. I then selected one of my APs and set its WLAN Group to Group1. Once the controller pushed the configs to the AP, it started broadcasting both SSIDs.
Using WLAN Groups also makes it possible to apply more advanced SSID configurations. To associate individual SSIDs with different VLANs, click the VLAN checkbox as shown below and enter the VLAN ID to be associated with the SSID.
I successfully tested UniFi's VLAN functionality. I connected one of the UniFi APs to an 802.1q trunk from one of my network switches with VLAN1 as the untagged VLAN and VLAN3 as the tagged VLAN. Via the UniFI controller, I left the Smallnet1 SSID without VLANs enabled, meaning it should be on the untagged VLAN. I modified the Guest1 SSID to be on VLAN 3.
I then wirelessly connected to my two SSIDs, Smallnet1 and Guest1. Clients on Smallnet1 were given an IP address from VLAN1 and clients on Guest1 were given an IP address from VLAN3 as expected, thus successfully demonstrating the UniFi controller's VLAN option and the UniFi AP's support for 802.1q trunking.
Another group feature is the ability to create a bandwidth restriction to a specific SSID. I created a user group called GuestUsers and applied upload and download bandwidth limits as shown below. I configured the Guest1 SSID to use the GuestUsers bandwidth controls.
I verified this feature by connecting to the Guest1 SSID, browsing to and running a speed test on speedtest.net, and obseved my results closely matched the settings I applied in the GuestUsers group.
There are a few other controls buried in the Settings > WLAN Group screen that may come in handy for optimizing user experience. The Minimum RSSI is kind of interesting. When enabled, it issues a de-auth packet to a client when it falls below the set RSSI threshold. Ubiquiti describes this as a "soft" approach in that it doesn't force the client to another AP. If the client decides to connect back to the same AP, the AP will allow it. But then the client will get de-authed again after "a duration".
The Load Balancing control sets a per AP limit for clients so that APs don't get overloaded. Note that there is no auto channel selection or auto power adjustment. The Wiki says each AP finds "a best channel" on power up and that "background-scanning and automatic runtime channel change is on the road map".
UniFi guest configuration, shown below, does not create a guest SSID or WLAN, but instead activates the guest security policy that can be applied to an SSID. A device connected to a UniFi SSID is considered a "guest" if connected to a UniFi SSID configured with the guest option, otherwise the device is considered a "user."
Guest networks by default restrict guests from accessing all private IP addresses. Additional IP address ranges can be configured as blocked or permitted on guest networks. Guest networks can optionally require password authentication, be configured as a hotspot, or interact with an external portal server for which Ubiquiti provides an API (application program interface).
Enable Guest Network
In the previous discussion on WLAN Groups, the SSID Guest1 was created with guest restrictions. So when I connected to the Guest1 SSID, I was prompted to agree to the terms and conditions with the simple web page shown below. Once I clicked agree, I was able to surf the Internet but unable to ping or access any devices on the LAN, as would be expected. I configured my guest SSID with the default expiration of eight hours. But you can configure it so users have to re-authenticate on shorter or longer intervals.
Basic Guest Authorization
The hotspot and external portal server options allow creating addtional restrictions/controls to be placed on guest users. With the UniFi hotspot feature, you can customize portal login pages and bill user's PayPal account or credit card. Enabling the hotspot option provides options for voucher and payment configurations.
UniFi includes prebuilt payment options (shown below) for PayPal, plus credit card options including Stripe, Quickpay, Authorize.net, and Merchant Warrior. You need to set up your own account with one of these credit card payment providers, first. For example, if you select Authorize.net to create a credit card billed hotspot, additonal options become available to enter your Authorize.net API login ID and transaction key.
To further customize the guest portal and experience, UniFi can interact with an external server for managing guest customers. Ubiquiti provides an API to integrate the UniFi controller with applications such as billing software or other authentication programs.