Ubiquiti Unifi / EdgeMax VPN Clients

(Thanks to Jonathan Schulenberg)

The Unifi Security Gateway, at least as of version 4.4.36.5146617, does not have PAP enabled by default. This will cause RADIUS authentication to fail with Foxpass. It can be enabled, but the procedure differs depending on whether the Unifi Security Gateway is a standalone device or managed by a Unifi Controller.

1. Set up PAP RADIUS endpoint

Either download and run our RADIUS proxy, or ask Foxpass to enable PAP on our cloud RADIUS servers for your account (after reading "Is RADIUS secure?").

2. Installations that use the Unifi Controller

This section is only for locations that use the Unifi Controller

If you don't use the controller, skip to step 3.

The Unifi Controller, at least as of version 5.9.29-11384-1, does not allow you to enable PAP within the GUI. You must create a JSON file and upload it to the Controller as described in Ubiquiti Support article UniFi - USG Advanced Configuration.

  1. Either create a plain text file with your editor of choice, paste the text below into it and save it as "config.gateway.json"; or incorporate this section into your existing file. Validate that the JSON syntax is correct to avoid a provisioning loop.
{
    "vpn": {
        "l2tp": {
            "remote-access": {
                "authentication": {
                    "require": "pap"
                }
            }
        }
    }
}
  2. SSH to the Unifi Controller (not the Security Gateway) and log in with controller administrator credentials.

  3. Change directory to <unifi_base>/data/sites/<site_ID>. See the above-linked support article on determining the <unifi_base> and <site_ID> values. For example, "cd /srv/unifi/data/sites/default".

root@UniFi-CloudKey:~# cd /srv/unifi/data/sites/default
root@UniFi-CloudKey:/srv/unifi/data/sites/default#
  4. Copy the file to the controller using a file transfer protocol of your choice, SCP for example.
root@UniFi-CloudKey:/srv/unifi/data/sites/default# scp username@10.10.30.1:/Users/username/Downloads/config.gateway.json ./
The authenticity of host '10.10.30.1 (10.10.30.1)' can't be established.
ECDSA key fingerprint is <redacted>.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.30.1' (ECDSA) to the list of known hosts.
Password:
config.gateway.json                                   100%  186     0.2KB/s   00:00
root@UniFi-CloudKey:/srv/unifi/data/sites/default#
  5. Adjust the file ownership and permissions. For example, "chown unifi:unifi config.gateway.json" and "chmod o-r config.gateway.json".
# Before
root@UniFi-CloudKey:/srv/unifi/data/sites/default# ls -al
total 16
drwxr-x--- 3 unifi unifi 4096 Dec 31 17:59 .
drwxr-x--- 3 unifi unifi 4096 Dec 30 05:11 ..
-rw-r--r-- 1 root  root   186 Dec 31 17:59 config.gateway.json
drwxr-x--- 2 unifi unifi 4096 Dec 30 05:11 map
root@UniFi-CloudKey:/srv/unifi/data/sites/default# chown unifi:unifi config.gateway.json
root@UniFi-CloudKey:/srv/unifi/data/sites/default# chmod o-r config.gateway.json

# After
root@UniFi-CloudKey:/srv/unifi/data/sites/default# ls -al
total 16
drwxr-x--- 3 unifi unifi 4096 Dec 31 17:59 .
drwxr-x--- 3 unifi unifi 4096 Dec 30 05:11 ..
-rw-r----- 1 unifi unifi  186 Dec 31 17:59 config.gateway.json
drwxr-x--- 2 unifi unifi 4096 Dec 30 05:11 map
  6. Log out.
root@UniFi-CloudKey:/srv/unifi/data/sites/default# logout
  7. Force a provision of the gateway from within the GUI (UniFi Controller Devices > USG > Config > Manage Device > Force provision).
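As an added example (not code from the original page or from Foxpass's tooling), this Python script deep-merges the PAP fragment from step 1 into an existing config.gateway.json and refuses to produce a file when the existing input is not valid JSON, which is the mistake behind the provisioning loop mentioned above. The EXISTING sample is constructed for the demonstration.

```python
import copy
import json

# The fragment from this page that enables PAP for L2TP remote-access.
PAP_FRAGMENT = {"vpn": {"l2tp": {"remote-access": {"authentication": {"require": "pap"}}}}}


def deep_merge(base, overlay):
    """Return a copy of base with overlay merged in: nested dicts merge, other values overwrite."""
    result = copy.deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def merge_pap_into(existing_text):
    """Parse an existing config.gateway.json (empty text means no file yet),
    merge in the PAP fragment and return the text to upload.
    Invalid JSON raises ValueError instead of being written: a malformed file
    is what sends the USG into the provisioning loop the page warns about."""
    try:
        existing = json.loads(existing_text) if existing_text.strip() else {}
    except json.JSONDecodeError as exc:
        raise ValueError(f"existing config.gateway.json is not valid JSON: {exc}") from exc
    if not isinstance(existing, dict):
        raise ValueError("config.gateway.json must be a JSON object at the top level")
    merged_text = json.dumps(deep_merge(existing, PAP_FRAGMENT), indent=4)
    json.loads(merged_text)  # round-trip check: what we hand to the controller parses
    return merged_text


def pap_required(config_text):
    """True when the file requires PAP for L2TP remote-access authentication."""
    try:
        auth = json.loads(config_text)["vpn"]["l2tp"]["remote-access"]["authentication"]
        return auth.get("require") == "pap"
    except (KeyError, TypeError, ValueError, AttributeError):
        return False


# Constructed sample of an existing file that already overrides the RADIUS mode;
# not from the page, used only to show that unrelated keys survive the merge.
EXISTING = '{"vpn": {"l2tp": {"remote-access": {"authentication": {"mode": "radius"}}}}}'

if __name__ == "__main__":
    print(merge_pap_into(EXISTING))
```

Run it against your real file before uploading; the output keeps every existing override and only adds the "require": "pap" key.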

3. Standalone Unifi Security Gateway or EdgeMax Router

These instructions are based in part on Ubiquiti Support article EdgeRouter - L2TP IPsec VPN Server.

  1. SSH to the gateway and log in with device administrator credentials.

  2. Enter configuration mode by typing "configure".

admin@ubnt:~$ configure
[edit]
admin@ubnt#
  3. Enable the use of PAP by typing "set vpn l2tp remote-access authentication require pap".
admin@ubnt# set vpn l2tp remote-access authentication require pap
[edit]
admin@ubnt#
  4. (Optional) View the candidate configuration with your change (the line denoted with a leading plus character) by typing "show vpn".
admin@ubnt# show vpn
 ipsec {
     ipsec-interfaces {
         interface eth2
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
 }
 l2tp {
     remote-access {
         authentication {
             mode radius
             radius-server 10.10.10.10 {
                 key "<redacted>"
                 port 1812
             }
+            require pap
         }
         client-ip-pool {
             start 10.10.20.1
             stop 10.10.20.254
         }
         dns-servers {
             server-1 10.10.10.1
         }
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret "<redacted>"
             }
             ike-lifetime 3600
         }
         outside-address 192.0.2.100
     }
 }
[edit]
admin@ubnt#
  5. Commit and save your configuration change by typing "commit ; save".
admin@ubnt# commit ; save
Saving configuration to '/config/config.boot'...
Done
[edit]
admin@ubnt#
  6. Exit configuration mode and log out, respectively.
admin@ubnt# exit
exit
admin@ubnt:~$ logout

Security notice

PAP (Password Authentication Protocol) is an insecure protocol on its own. However, because these VPNs run L2TP on top of IPsec, the transmission is encrypted.