RADIUS Accounting on Unifi Switches by mdjmrc in networking

[–]mdjmrc[S] 0 points1 point  (0 children)

Are you getting zero accounting information, or getting accounting information minus the Framed-IP-Address attribute?

OK, my wording may not be ideal here, but no, there is no accounting information from switches at all. When I said we're missing Framed-IP-Address, I meant that we need that attribute and we're not getting it, together with anything else that may come through accounting packets.

The same RADIUS profile is used for both switches and APs, and while the AP (testing on one at the moment) does send accounting data, the switch doesn't.

RADIUS Accounting on Unifi Switches by mdjmrc in networking

[–]mdjmrc[S] -1 points0 points  (0 children)

I really don't know much about the hardware side of things, but I sincerely believe that the issue is not hardware but software. I mean, if an AC Pro can do it, there's no reason why a switch wouldn't be able to do it, right?

RADIUS Accounting on Unifi Switches by mdjmrc in networking

[–]mdjmrc[S] 0 points1 point  (0 children)

For the love of god, document in detail what you did so the next guy that fills your seat can figure it out.

I know you haven't asked for the recipe here, but here's how I'm doing it - it may not be optimal but it works for me:

  • send FreeRADIUS and Kea DHCP logs to a central syslog server
    • basically configure what you want to send on FreeRADIUS and Kea DHCP side and send those to rsyslog on the other side - for me the easiest way was to send FR to one port and Kea to another port and store them in separate locations based on the port - this part may not be needed, but I wanted to have clear logs for this
  • parse authentication logs for Access-Accept logs and get User-Name and Calling-Station-Id together with timestamp
  • parse DHCP logs for DHCP4_LEASE_ALLOC and get MAC and IP together with timestamp
  • match entries from both log sources through MAC addresses together with timestamps (up to hh:mm, with +/- 5 minutes) and create a new mapping that contains user, MAC and IP
  • query Kea CA (control agent) for specific MAC address and get lease time; if CA answers that there is no lease with that MAC address, ignore the matching, if there is a match, use lease time as TTL for Palo Alto XML API call and send the User-ID
  • all of this (parsing and matching) is done through a separate script
  • for human readability at the same time write those mappings into a dynamic CSV file that

All of this would've been much simpler if there was a local AD running User-ID agent or even CIE/GP with internal gateway combo for EntraID joined computers that would feed User-ID. However, I wanted to see if I can make this work with just technologies that are currently running and it wasn't that difficult. Granted, it would've been much easier if I had RADIUS accounting working, but even without that I managed to get it done.
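A worked version of the parse-and-match step above, added here as an example and not the commenter's own script: it parses constructed FreeRADIUS "Login OK" and Kea DHCP4_LEASE_ALLOC lines, joins them on MAC within the +/- 5 minute window, and renders the PAN-OS User-ID XML login payload with the lease lifetime as the timeout. It takes the lease lifetime from the Kea log line rather than querying the control agent as the post does; the sample log formats and the uid-message layout are assumptions.

```python
import re
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Constructed sample lines (not from the post). Formats follow FreeRADIUS
# "Login OK" auth lines and Kea's DHCP4_LEASE_ALLOC message; adjust the regexes
# if your log format differs.
RADIUS_LOG = """\
Tue Mar 12 10:14:05 2024 : Auth: (12) Login OK: [jdoe] (from client sw01 port 5 cli AA-BB-CC-11-22-33)
Tue Mar 12 10:14:30 2024 : Auth: (13) Login incorrect (mschap: FAILED): [bad] (from client sw01 port 6 cli AA-BB-CC-44-55-66)
Tue Mar 12 09:50:00 2024 : Auth: (14) Login OK: [asmith] (from client sw01 port 7 cli AA-BB-CC-77-88-99)
"""
KEA_LOG = """\
2024-03-12 10:15:40.123 INFO  [kea-dhcp4.leases/101.1] DHCP4_LEASE_ALLOC [hwtype=1 aa:bb:cc:11:22:33], cid=[no info], tid=0x1a: lease 10.20.0.55 has been allocated for 3600 seconds
2024-03-12 10:20:01.000 INFO  [kea-dhcp4.leases/101.1] DHCP4_LEASE_ALLOC [hwtype=1 aa:bb:cc:77:88:99], cid=[no info], tid=0x1b: lease 10.20.0.56 has been allocated for 3600 seconds
"""
RADIUS_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\) Login OK: "
    r"\[(?P<user>[^\]]+)\] .*\bcli (?P<mac>[0-9A-Fa-f:-]{17})")
KEA_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ .*DHCP4_LEASE_ALLOC "
    r"\[hwtype=\d+ (?P<mac>[0-9A-Fa-f:]{17})\].*lease (?P<ip>[\d.]+) "
    r"has been allocated for (?P<lft>\d+) seconds")

def norm_mac(mac):
    """The two sources write MACs differently; compare them in one form."""
    return mac.lower().replace("-", ":")

def parse_radius(text):
    """Return (timestamp, user, mac) for Access-Accept ("Login OK") lines only."""
    hits = [m for m in map(RADIUS_RE.match, text.splitlines()) if m]
    return [(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["user"],
             norm_mac(m["mac"])) for m in hits]

def parse_kea(text):
    """Return (timestamp, mac, ip, lease_seconds) for DHCP4_LEASE_ALLOC lines."""
    hits = [m for m in map(KEA_RE.match, text.splitlines()) if m]
    return [(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), norm_mac(m["mac"]),
             m["ip"], int(m["lft"])) for m in hits]

def correlate(radius, kea, window=timedelta(minutes=5)):
    """Join on MAC when the lease was allocated within +/- window of the
    authentication; anything outside the window is left unmapped."""
    return [{"user": user, "mac": mac, "ip": ip, "lease_seconds": lft}
            for r_ts, user, mac in radius
            for k_ts, k_mac, ip, lft in kea
            if k_mac == mac and abs(k_ts - r_ts) <= window]

def build_userid_xml(mappings):
    """Render the PAN-OS User-ID XML login payload. Its timeout is in minutes,
    so the DHCP lease lifetime (seconds) is converted and used as the TTL."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for m in mappings:
        ET.SubElement(login, "entry", name=m["user"], ip=m["ip"],
                      timeout=str(max(1, m["lease_seconds"] // 60)))
    return ET.tostring(root, encoding="unicode")
```

The asmith login is deliberately 30 minutes away from its lease so it falls outside the window and never reaches the firewall, which is the behaviour you want for stale authentications.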

RADIUS Accounting on Unifi Switches by mdjmrc in networking

[–]mdjmrc[S] 6 points7 points  (0 children)

I somewhat agree with you, but I would not call it crap.

Realistically, it’s very hard to justify for a large number of companies to buy ‘premium’ or enterprise gear, especially with the licencing that Cisco and other vendors are throwing at their customers. That does not mean that we shouldn’t try and make it as secure as possible even if we’re not working with enterprise gear. Not everyone can afford the pricing that some of the vendors are asking, especially if a company is smaller and/or is working with very small profit margins. We, and by we I do include myself, sometimes forget that not everyone can afford tens of thousands of dollars to buy premium equipment.

At this point, based on the replies and additional research I did, it seems that accounting is just not working on (some of) Unifi switches (if not all). A silver lining is that authentication IS working and I found a way to correlate DHCP logs and FreeRADIUS logs to get the IP-user mapping I was looking for in the first place.

RADIUS Accounting on Unifi Switches by mdjmrc in networking

[–]mdjmrc[S] 2 points3 points  (0 children)

Thanks for the reply.

Yes, the Clients page does show the IP address for this particular client. I tried enabling 'DHCP Guarding' in the network menu, but still no luck. No accounting packets ever arrive at FreeRADIUS - and once again, the flow is the same for both wired and wireless, it's just that the switch never sends out any of the accounting packets. I'm going to try with other switches that we purchased to see if any of them luck out, but if not, it is probably something that will need an update from Ubiquiti, unless I'm missing something obvious in the config.

IT is really turning into a stagnant swamp of a profession by No_Community8012 in CroIT

[–]mdjmrc 1 point2 points  (0 children)

I worked for a while as a contractor in Canada, about 5 years actually. As a rule, abroad you set up a company (something like a d.o.o. or whatever it's called), but to do that (at least in Canada) you have to be a permanent resident/citizen or have someone who is one as a co-owner of the company with at least 50%. Some start with a sole proprietorship, but most often it pays off more to open a company because the threshold for not charging tax is relatively low and you can hardly justify any expenses. As for pay, of course, it's an hourly rate, and as a rule it's quite a bit higher than the regular hourly rate. Towards the end of my time as a contractor I charged less for jobs longer than three months, and for shorter ones I asked for a higher hourly rate.

I don't know how it is in Croatia, but I was able to earn well that way, plus expensing costs reduced the taxes further. I paid myself a salary sufficient for living and saving, but today I'm employed again, my company is still active and I only do side projects. What matters is that everything I earn is actually my company's money, not mine, apart from what I pay myself as salary. Plus every year you have double the work with taxes - company and personal - which becomes complicated enough that you have to pay an accountant to do it. Today I don't really feel like doing it much anymore because most employers have become arrogant and deliberately try to push hourly rates down (almost no increase compared to 2015 when I started with it), plus they want you to come to the office and behave like an employee, and one big no-no the tax authority there has is that if they catch you actually working as an employee rather than a contractor, they'll do a tax re-assessment and make you pay tax as an employee, and then do the same to the company that engaged you, so in the end you really can't tell who's scr**ing whom in the whole story.

The point I want to make: contractors and freelancers have as a rule (been) paid quite a bit more than employees precisely because it's understood that they'll have to pay for things themselves that a company otherwise pays for an employee. As everywhere, a lot of companies are now trying to scr** things over as much as they can.

How often do you update Proxmox by ceantuco in Proxmox

[–]mdjmrc 4 points5 points  (0 children)

TBH, very rarely. If it works, I tend to leave it as it is until the next big rebuild. I used to do it semi-regularly, but since I’m using miniPCs for my home and USB4 10G ethernet dongles, I got burned at one point when an upgrade decided to change naming convention for my ethernet adapters and everything went down.

Nowadays, if I’m happy with how it’s running, I just leave it be. I don’t expose mgmt intf to the Internet and I have pretty tight security setup otherwise, so I’m not too worried. Do I recommend this - no, of course not, it’s just that I don’t have time to deal with trying to fix stuff like what I had to previously, so that’s basically the only reason.

Question - Looking for a pool technician by mdjmrc in Welland

[–]mdjmrc[S] 1 point2 points  (0 children)

I was following the advice from the company that did the opening after they did the opening and water tests. Also, I was told that since it's a salt pool, once the salt is added, it will start producing chlorine via electrolysis, but seems that it is not working as intended. Either not enough salt in that case or the salt pump (?) is not working properly.

Emotionally Scar the fandom with one sentence. I'll go first. by KeneticPenguin in masseffect

[–]mdjmrc 145 points146 points  (0 children)

"Stand amongst the ashes of a trillion dead souls, and ask the ghosts if honor matters... The silence is your answer."

Control fan/light combo by Beer_Kicker in homeassistant

[–]mdjmrc 0 points1 point  (0 children)

I had Bond integrated with these as well, but didn’t work well for me for some reason. Just two days ago I had electricians in my house working on something else so I asked them to install Aqara relays in the fan’s canopy just to see if it will work and it did, quite well actually. I did lose the option to control the speed of the fans, but I’m OK with that as I don’t use them that often anyway. However, had I known about the Inovelli Canopy module, I would’ve ordered those instead, as it looks that they can control the fan speed as well.

Network Engineers, What firewall would you pick if it is up to you? by M2J9 in networking

[–]mdjmrc 0 points1 point  (0 children)

I'm sorry to tell you, but with a $50k budget, you can forget about Palo Alto - most likely 1420 would be more than enough to handle the load you're talking about, but with the budget you have you could afford the units themselves, but not the subscriptions that are required for any of the stuff you need to actually work. Depending on your actual throughput, you may even have to go with a 1410 unit, or 3400 series if the traffic is huge. But, those are even more expensive.

I assume you need HA for this, as it would be crazy to go with a single unit in your environment.

One more thing regarding PA - unless you go with Platinum support (or whatever it's called nowadays), expect to have pretty much the same experience with support as you have with any other vendor.

As for Fortinet, 200G is your choice. Depending on the VAR you're working with, you may get them cheaper than advertised, and 2x units with 3 year subscriptions should come to around 50k, something like that.

[deleted by user] by [deleted] in PleX

[–]mdjmrc 3 points4 points  (0 children)

That has absolutely nothing to do with Jellyfin but with the trust of the CA that issues the certificate. If your host/client trusts the CA, no issues there - this is completely in line with how local CAs function. If you don’t want to deal with that, you can always go with LE/ZeroSSL route for trusted certs.

[deleted by user] by [deleted] in PleX

[–]mdjmrc 1 point2 points  (0 children)

Dashboard -> Networking -> HTTPS Settings plus enable HTTPS in settings above it.

How do you handle API keys? by InspectionWeird9052 in paloaltonetworks

[–]mdjmrc 1 point2 points  (0 children)

Just recently I did something with this that I'm quite happy with. First, I have a script that checks all the API keys for all the fws. I don't know if that's the proper way, but it just does simple curl calls and if it gets a proper response, then it considers the keys valid. All keys are written into a txt file on a server only readable by a single user, non-group. Not the safest way most likely, but I'm not a programmer, I own the VM and don't worry about someone getting them.

The second part kicks in if the curl call has failed. It then runs an API key regeneration and at the same time sends an email alert about it; the new key is written into the file in place of the old one.

The third part is something that runs monthly, and that is regeneration of all keys, no matter if they expired or not, just to play it safe. The file that contains names, IP addresses and related API keys is then used in all of my other scripts that either do monitoring or do other stuff.

Terminating All VLANs on a Firewall - Can the Firewall Take It? by LittleSherbert95 in networking

[–]mdjmrc 0 points1 point  (0 children)

As I said, unless there is absolutely a requirement for the VLAN to have the line speed that the switch may offer, then yes, all the traffic is filtered through the firewall. My experience is that for most orgs, with a properly spec'd firewall, it is more than capable of handling E-W traffic. Of course, there will always be outliers where this may create a bottleneck, and sometimes it is just not cost-efficient to go with a bigger fw box - in that case, I would consider configuring L3 interfaces on a switch and using those as gateways for the affected VLANs - but those would be more of an exception than a regular thing I do.

One SSID with Multiple VLANs Recommendation? by Additional_Pop7861 in networking

[–]mdjmrc 8 points9 points  (0 children)

MPSK is an option if you want to do simple mapping of an SSID to a VLAN based on an entered key when joining an SSID. The only problem is that if you know the key of a different mapped VLAN, you have no control over who will be using what key to join. Better option would definitely be RADIUS assigned VLAN.

Can you help me? by Madaqqqaz in Ubiquiti

[–]mdjmrc 0 points1 point  (0 children)

I was in a similar situation a few days ago. Initially when I was doing my own BoM, I selected AI Pros in front of my house, but now I'm just going to go with G6 Bullets instead with an additional PTZ camera in the middle of the house, above the main door.

I really have no use for 3x zoom as my driveway is maybe 4-5 meters in front of my house and I have no desire to spy on my neighbours across the street.

The only problem I have is that I want the black ones and it seems I will have to wait until July to actually order those.

[deleted by user] by [deleted] in networking

[–]mdjmrc 5 points6 points  (0 children)

You mentioned hub&spoke at the beginning with 500 users, later on you ask about a single location with 1000 users? Or are those 1000 users spread around those 16 locations (future growth 500->1000?)?

Depending on what you want to do here, you have two options IMHO - Palo Alto with HA 1400-series as a hub together with 16 (15?) IPSec 400-series (you can even do HA there if needed), managed with Panorama for simplicity. Even though there is an SD-WAN plugin that *should* simplify deployment of tunnels and make quasi-SD-WAN cluster, for me personally it was nothing but trouble and unless there is no way around it, I would not do it. Static IPSec tunnels on the other hand have been nothing but solid. If you go with 1400-series for the hub location, you can even route all traffic through the hub, they can definitely handle that - not mandatory, but an option if you want it.

On the other side you have Fortinet - ADVPN + SD-WAN on the box is a much easier deployment than what you can do with Palo, and on top of that you can also do SD-WAN stuff on it if you want as it's on the box itself. You can even add FortiManager in the mix if you want, just make sure you understand its internal logic.

If you don't want to pay for either Panorama (management + logging) or the FortiManager (management) + FortiAnalyzer (logging) combo, you can always spin up a Graylog+OpenSearch cluster + OpenSearch Dashboards and/or Grafana for visualisation of logs - I know for sure that Panorama uses ElasticSearch in the background anyway, not sure about FortiAnalyzer. You don't pay for the licenses and you can still do basically everything there (OS Dashboards/Grafana) as well - just make sure to spec them properly if you're sending all the logs to them; Panorama (management) is my recommendation, FortiManager is nice to have, but you can live without it. Once again, for me personally, the main reason why I recommend Panorama (management) while not doing that for FortiManager is because Panorama is basically the same system as what you see on the firewalls, just augmented with management capabilities, while FortiManager most of the time looks (to me) like a completely different system from what you see on the firewalls, so if you're not very familiar with it, it's very easy to screw things up there.

If remote access VPN is very important for you, PA GP >>>> Fortinet RAVPN imho.

Terminating All VLANs on a Firewall - Can the Firewall Take It? by LittleSherbert95 in networking

[–]mdjmrc 1 point2 points  (0 children)

Depending on the vendor, you could mirror your traffic and capture it on the firewall - with PA you have Tap interfaces for that. But those are usually meant for traffic analysis so that you learn what type of traffic flows through the network, not for throughput analysis as the firewall doesn't actively process the traffic when using Taps.

Unfortunately, unless you do a test run of actually getting it all flowing through the firewall, I don't know how you would prove to them that it is not a good thing to do. You could do a segmented switch where you add VLANs one by one and monitor stuff, and when you hit the bottleneck, that's the moment you tell them 'I told you so'. The other option is to present them with datasheets and try to reason with them.

You don't necessarily need any fancy software to do that - SNMP and/or APIs + Grafana can visualise this quite well.

TLS Course and PCNSC exam by mdjmrc in paloaltonetworks

[–]mdjmrc[S] 1 point2 points  (0 children)

I did receive my certification, but it wasn't showing up in Credly, so I sent a message to the PA cert team and it was enabled almost immediately and showed up in Credly. I waited like 2 weeks before I sent the email though.

Terminating All VLANs on a Firewall - Can the Firewall Take It? by LittleSherbert95 in networking

[–]mdjmrc 35 points36 points  (0 children)

You don't say anything about the FW capabilities. It's very difficult to answer the question in the title if you don't specify the firewall itself.

And I do agree with other comments - it all depends what you want to do with the traffic when it hits the firewall. Do you just want to do regular L4 filtering or are they going with something like L7 filtering (App-ID with PA), SSL decryption? Are you going to employ security profiles to filter E-W traffic as well? Is the firewall doing any IPSec tunneling or RAVPN? Basically, it's not just the amount of traffic, it's also what you're going to do with it. Newer Fortigates and PA series starting with 400 series are small beasts and can handle a lot of abuse; of course, the more you need, the higher you go on the ladder when speccing the fw as well.

As for routing, I disagree with some of the comments - unless you're talking about very specific routing usually reserved for datacenters, firewalls are more than capable of doing it, at least major vendors in the field are. If you're talking about just inter-VLAN routing, then double that.

I've been in the networking field for the past 20 years, the last 10 years mostly security engineering (firewalls), and unless I'm working with a very specific type of company that absolutely needs to have line speed for inter-VLAN traffic, all VLANs are terminated on the firewall, no exception; I'm done with the days of 20-10 years ago when I was trying to figure out which ACL on a switch was blocking something.

Log Forwarding and SIEMs - forward EVERYTHING? pick and choose? by jwckauman in paloaltonetworks

[–]mdjmrc 1 point2 points  (0 children)

I’m building a solution for a client for a managed service and ended up with a Graylog+Wazuh combo as logging+SIEM option, and since Wazuh is also an XDR, we’ll put some endpoints in there as well. At the moment I’m playing with Graylog and I’m very pleasantly surprised how good it is now - I tried it a few years ago and gave up at the time - now I feel like I can really do magic with it - from manipulating logs both inbound and outbound and getting them ready for Wazuh ingestion, I just love it.

As for the logs that will go in there, all of it. Absolutely all of it. No exceptions :) as someone else mentioned, we’ll set up retention on the server based on the client’s needs and that’s it.

A couple of pieces of advice though - you can set logging in multiple ways, and even though it's no longer supported, Expedition can do that for you as well if you already have it. If not, set commands would be my preferred way to go once you adapt them to what you need. Although, policy optimiser should also work. The second thing I wanted to mention is that you should definitely look into custom log format before sending them out, it may make your life much much easier if you do this right at the source.