Revolutionary “Connectivity Service”! Wi-Fi/VPN connection is made super easy with “UniFi Identity”[الحرف الأول ب]- Watch the Internet

The “UniFi Identity” software/service offered for Ubiquiti’s UniFi series is interesting. Simply put, it’s a function that allows you to control each user’s Wi-Fi and VPN connections, but it’s very easy to set up, with only 2-3 steps for the administrator to implement the settings, and one click of a button. It’s an amazing feature.

It also achieves both “enhanced security” and “easy configuration,” which were contradictory, and is also simple and secure. In addition, there is also a cloud version of UniFi Identity Enterprise that includes functions such as device management and workflow, which can be said to bring innovation to networking equipment for small and medium-sized enterprises.

Radius? Wireguard? Automatically handles annoying settings

In a sense, UniFi Identity can be described as “connectivity as a service.”

What you need to do as an administrator is enable the feature and specify who should be allowed to connect and what connections. That's it. More specifically, you can invite users, specify whether you want to allow them to connect to your Wi-Fi or VPN, and automatically deploy Wi-Fi or VPN connections to only those users.

You can provide Wi-Fi and VPN connectivity by simply turning on the feature and granting users permission.

Previously, the initial steps were to register an SSID to connect to, set up a RADIUS server for user authentication, and add users. If you also wanted to use a VPN, you would need to select a protocol, start a VPN server, register users for authentication, distribute certificates to users to connect, and perform a variety of other settings. However, with UniFi Identity, all of these annoying setups are done automatically behind the scenes.

In other words, anyone can easily implement user-based Wi-Fi/VPN connection control with just a few clicks.

Furthermore, the paid cloud version of UniFi Identity Enterprise can be linked to external authentication functions such as Entra ID and Google Workspace, as well as workflow functions that implement user management (leave requests and purchase orders), and help desk ticket processing functions. The system can be further expanded by providing devices, device management and access control (attendance) that can be integrated with intercom devices and card readers sold separately.

UniFi Identity Enterprise for more advanced features

One of the appeals of Ubiquiti products is the ability to enjoy a DIY network, but UniFi Identity gives the impression that the more advanced functions can now be used by a wider range of users.

UniFi Identity Plans

UniFi Identity Overview

Now, let's take a more specific look at what UniFi Identity is.

UniFi Identity is a software for UniFi gateways (routers) that provides the following functions: As mentioned above, there is a free version and a paid version, but the free version is a local software that runs on the gateway and can be used for free without any special license.

UniFi Identity Overview

There are many UniFi gateways on sale, and the available functions and required versions vary by model, so please refer to the link below for details, but please refer to the link below for details, but please refer to the UniFi Dream Router and UniFi Dream, which have appeared in this magazine in the past, and the UniFi Cloud Gateway Ultra, etc.

▼ Explanation from Ubiquiti
UniFi Identity Overview

If you're using a compatible device, a tab called “Identity Settings” will appear in the “Administrators & Users” section of “OS Settings”, where you can select the functions you want to use. Additionally, the “Users” and “Groups” tabs allow you to manage which users and groups can use this feature.

There are many functions that can be used as shown in the general diagram above, but functions such as “One-Click Electric Vehicle Charging” and “Entry/Exit Control by Phone” require separate compatible devices (depending on the model). A separate Wi-Fi access point.) The most commonly used options are “One-Click Wi-Fi” and “One-Click VPN.”

UniFi Identity User Management Screen

Try setting up Wi-Fi/VPN with one click

Now, let's take a look at the specific setup method. However, the setup is very easy, as shown in the image below.

All the administrator has to do is “Run the job” and “Register the user and allow the job”. The necessary settings will now be registered automatically.

For example, One-Click Wi-Fi automatically applies the following settings:

• SSID: UniFi Identity
• Wi-Fi band: 2.4GHz + 5GHz (band steering)
• Security Protocol: WPA2 Enterprise
• Radius settings
  • Secret: Automatically generated
  • RADIUS user: uid-[اسم المستخدم]([email protected] to [email protected])
  • RADIUS User Password: Auto-generated

A connection called “UniFi Identity” is automatically created in the WPA2 enterprise settings.

The RADIUS configuration used for WPA2 Enterprise authentication is also created automatically.

Additionally, if you are using a VPN server, the following settings will be applied automatically:

• VPN Type: WireGuard
• Name: UCG-Ultara (in this example it was UniFi Cloud Gateway Ultra)
• Private Key: Automatically generated
• Public Key: Automatically generated
• Server Address: WAN Side Address: 51820
• client
  • Customer Name: Username + Device Name (Goro Tanaka's mobile phone)
  • Interface IP address: Automatically assigned (192.168.3.2)
  • Public Key: Automatically generated
  • IP Gateway: Auto Configuration
  • DNS Server: Automatic Configuration

VPN server is automatically configured by WireGuard

Previously, administrators had to configure these settings correctly, but now everything is “deployed” automatically.

Setting up users is also simple. Install the app by clicking the link in the invitation email, and for the first time, you will have to set up two-factor authentication by setting a password from the account creation screen.

When you log in to the app with this account, you will see icons for One-Click Wi-Fi and One-Click VPN that have been approved by your administrator. All the SSIDs, username, password, etc. required to connect are already set, so with a simple click, the connection will be established along with the device's Wi-Fi and VPN functions.

Allow users to Wi-Fi only

Users only see Wi-Fi with one tap in their apps.

Since users and administrators also don't know the different passwords unless they investigate them, there is no need to worry about Wi-Fi or VPN passwords being leaked due to human error. Moreover, to log in to the app, two-factor authentication using UniFi Verifi app, SNS authentication, passkey (using Windows Hello), etc. is required, which prevents unintended users from connecting.

This means you can easily create an advanced Wi-Fi/VPN environment by skipping many annoying tasks like general design and settings.

You can verify your account and password, but they are set automatically so you usually don't need to know them.

UniFi Identity Enterprise manages identities in the cloud.

The on-premises version of UniFi Identity is quite adequate, but if you upgrade to the cloud version of UniFi Identity Enterprise, you can use even more useful functions.

UniFi Identity Cloud Version

First, it's compatible with large-scale environments. The paid UniFi Identity Enterprise plan (currently available in the US only, previewed in Japan) lets you manage multiple sites (locations) and up to 1,000 users.

It is also possible to collaborate with external ID providers, using Active Directory, LDAP, Microsoft 365 (Entra ID), Google Workspace, etc. as an authentication platform, or conversely, using UniFi Identity users to connect to Microsoft 365 and Google Workspace.

It is possible to authenticate using an external ID provider.

Single sign-on to external services can also be performed from accounts managed by UniFi Identity.

I tried setting up Google Workspace single sign-on, but the information needed for setup (sign-in URL, certificate, etc.) was clearly displayed on the screen, and I couldn't access it from the Setup Help. It's designed to be fairly easy to set up, with a setup guide that includes the actual values ​​to set.

The setup instructions page is excellent. Although it is in English, it contains step-by-step configuration instructions with site-specific configuration information included. You can set up SSO by following the steps above.

In addition, it has a rich logging function that records detailed information such as connection failure. This allows you to check details such as the user, device, and access point that the connection failed to.

With the ability to use these functions, it will be easy to consider introducing them even in medium-sized or larger environments.

There are also a lot of logs. You can check who is trying to connect from which device, which service, which access point, and what kind of error occurred.

Provides various additional functions.

In addition, additional functionality is provided that uses the ID management functions and software (agents) installed on the device, allowing you to do the following:

Workflow and Applications

Workflow applications such as leave requests and purchase requisitions can be created without code. A manager can be assigned as a user property, and the request will be notified to the manager, who will then decide whether to approve it or not.

It is a complete no-code application environment, and you can use the form editor to place parts such as text and reference registered users. It is also possible to set conditions in the workflow, such as changing the workflow path depending on the size of the payment amount.

It is possible to configure workflows that use account information. You can also configure complex things using conditional branching etc.

The workflow that has been sent to you. It can be approved on the web workspace page or smartphone app.

Device Management

It can collect information about devices on the network, including data such as operating system version and installed software (features must be enabled separately).

It also has MDM functionality, and by enrolling Windows devices (Pro version required) or Mac devices, it is possible to lock, configure, apply policies and install software remotely.

Device status can be checked.

Ability to apply policies and lock remotely

Provide experimental features

In addition, lab functions currently under development have been pre-released, including “Presence”, which allows work to be managed in conjunction with access control devices such as UniFi Intercom, and “Presence”, which allows temporarily opening the access door by registering visitors. “Visitors” are also pre-released, as well as functions for linking to external applications (Slack) (e.g., ticket notifications for the help desk, etc.).

Although it requires use with hardware, it is intended to provide different functions.

In this way, with Enterprise, it becomes possible to use it as an application server, which goes beyond being a simple communication device. Depending on the idea, it may be possible to perform complex processing alongside business applications.

It's interesting, but I have some concerns about the paid service…

As mentioned earlier, I have already used the UniFi Identity installed in Ubiquiti's UniFi series, and I can say that it is a very interesting function.

I was impressed by the ease of the free version, but I was also surprised by the versatility of the Enterprise version. Ultimately, identity management becomes the core of an organization's system management, so I would like to commend the author's suggestion in this regard.

On the other hand, I personally have concerns about the Enterprise version being offered and the potential for fees. The good thing about the UniFi series is that the controller and other items are free, which helps keep monthly costs down (although currency exchange has been a big factor lately…).

UniFi Identity Enterprise this time is a cloud service for businesses, as the name suggests, so it can't be helped, but it's increasingly paid and subscription-based, so it won't be out of reach for individual enthusiasts and I would pray like that.