Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities

MSRC / By MSRC Team / March 16, 2021

This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065, which are being exploited. We strongly urge customers to immediately update systems. Failing to address these vulnerabilities can result in compromise of your on-premises Exchange Server and, potentially, other parts of your internal network.

Mitigating these vulnerabilities and investigating whether an adversary has compromised your environment should be done in parallel. Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server. Based on your investigation, remediation may be required. This guide will help you answer these questions:

Microsoft will continue to monitor these threats and provide updated tools and investigation guidance to help organizations defend against, identify, and remediate associated attacks. We will update this guidance with new details and recommendations as we continue to expand our knowledge of these threats and the threat actors behind them, so come back to this page for updates.

How does the attack work?

Microsoft released security updates for four different on premises Microsoft Exchange Server zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065). These vulnerabilities can be used in combination to allow unauthenticated remote code execution on devices running Exchange Server. Microsoft has also observed subsequent web shell implantation, code execution, and data exfiltration activities during attacks. This threat may be exacerbated by the fact that numerous organizations publish Exchange Server deployments to the internet to support mobile and work-from-home scenarios.

In many of the observed attacks, one of the first steps attackers took following successful exploitation of CVE-2021-26855, which allows unauthenticated remote code execution, was to establish persistent access to the compromised environment via a web shell. A web shell is a piece of malicious code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow adversaries to execute commands and to steal data from a web server or use the server as launch pad for further attacks against the affected organization. Therefore, it is critical to not only immediately mitigate the vulnerabilities, but also remove any additional backdoors, such as web shells that attackers may have created.

Am I vulnerable to this threat?

If you are running Exchange Server 2010, 2013, 2016, or 2019 you must apply the March 2021 Security Update to protect yourself against these threats.

To determine if your Exchange Servers are vulnerable to this attack, the following methods can be used:

  • Using Microsoft Defender for Endpoint
  • Scanning your Exchange servers using Nmap

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers can use the threat analytics article in Microsoft 365 security center to understand their risk. This requires your Exchange Servers to be onboarded to Microsoft Defender for Endpoint. See instructions for onboarding servers that are not currently monitored.

Scanning using Nmap script

For servers not onboarded to Microsoft Defender for Endpoint, use this Nmap script to scan a URL/IP to determine vulnerability: http-vuln-cve2021-26855.nse.

How do I mitigate the threat?

The best and only complete mitigation for these threats is to update to a supported version of Exchange Server and ensure it is fully updated. If it’s not possible to immediately move to the current Exchange Server Cumulative Update and apply security updates, additional strategies for mitigation are provided below. These lesser mitigation strategies are only a temporary measure while you install the latest Cumulative Update and Security Updates.

Immediate temporary mitigations

The following mitigation options can help protect your Exchange Server until the necessary Security Updates can be installed. These solutions should be considered temporary, but can help enhance safety while additional mitigation and investigation steps are being completed.

  • Run EOMT.ps1 (Recommended) – The Exchange On-premises Mitigation Tool (EOMT.ps1) mitigates CVE-2021-26855 and attempts to discover and remediate malicious files. When run, it will first check if the system is vulnerable to CVE-2021-26855 and, if so, installs a mitigation for it. It then automatically downloads and runs Microsoft Safety Scanner (MSERT). This is the preferred approach when your Exchange Server has internet access.
  • Run ExchangeMitigations.ps1 – The ExchangeMitigations.ps1 script applies mitigations but doesn’t perform additional scanning. This is an option for Exchange Servers without internet access or for customers who do not want Microsoft Safety Scanner to attempt removing malicious activity it finds.

Applying the current Exchange Server Cumulative Update

The best, most complete mitigation is to get to a current Cumulative Update and apply all Security Updates. This is the recommended solution providing the strongest protection against compromise.

Apply security hotfixes to older Cumulative Updates

To assist organizations that may require additional time and planning to get to a supported Cumulative Update, security hotfixes have been made available. It’s important to note that applying these security hotfixes to older Cumulative Updates will mitigate against these specific Exchange vulnerabilities, but it will not address other potential security risks your Exchange Server may be vulnerable to. This approach is only recommended as a temporary solution while you move to a supported Cumulative Update.

Isolation of your Exchange Server

To reduce the risk of exploitation of the vulnerabilities, the Exchange Server can be isolated from the public internet by blocking inbound connections over port 443.

  • Blocking port 443 from receiving inbound internet traffic provides temporary protection until Security Updates can be applied, but it reduces functionality as it could inhibit work-from-home or other non-VPN remote work scenarios and does not protect against adversaries who may already be present in your internal network.
  • The most comprehensive way to complete this is to use your perimeter firewalls that are currently routing inbound 443 traffic to block this traffic. You can use Windows Firewall to accomplish this, but you will have to remove all inbound 443 traffic rules prior to blocking the traffic.

Have I been compromised?

To determine if your Exchange Servers have been compromised due to these vulnerabilities, multiple options have been made available:

  • Microsoft Defender for Endpoint
  • Publicly available tools published by Microsoft

If Microsoft Defender for Endpoint is not running, skip directly to the publicly available tools section. If it is running, we recommend that you follow both methods.

Microsoft Defender for Endpoint

  • Check the threat analytics article in Microsoft 365 security center to determine if any indications of exploitation are observed. The Analyst report tab in the Microsoft 365 Security Center threat analytics article contains a continuously updated detailed description of the threat, actor, exploits, and TTPs. On the Overview page, the Impacted assets section lists all impacted devices. The Related incidents section shows any alerts for detected exploitation or post-exploitation activity.
  • If you have devices that are flagged as impacted (see Impacted assets section) and have active alerts and incidents, click the incidents to further understand the extent of the attack.
  • Microsoft Defender for Endpoint blocks multiple components of this threat and has additional detections for associated malicious behaviors. These are raised as alerts in the Microsoft Defender Security Center. Additionally, Microsoft Defender for Endpoint prevents some critical behaviors observed in attacks, such as attempts to exploit the CVE-2021-27065 post-authentication file-write vulnerability that can be combined with CVE-2021-26855 to elevate privileges.
  • Microsoft Defender for Endpoint also detects post-exploitation activity, including some techniques that attackers use to maintain persistence on the machine. Note that alerts marked “Blocked” indicate that the detected threat is also remediated. Alerts marked “Detected” require security analyst review and manual remediation.

Publicly available tools published by Microsoft

The following tools have been made available by Microsoft to aid customers in investigating whether their Microsoft Exchange Servers have been compromised. We recommend customers to run both tools as part of their investigation:

Exchange On-Premises Mitigation Tool

Download and run EOMT.ps1 as an administrator on your Exchange Server to automatically run the latest version of Microsoft Safety Scanner (MSERT). MSERT discovers and remediates web shells, which are backdoors that adversaries use to maintain persistence on your server.

  • After completing the scan, EOMT.ps1 reports any malicious files it discovers and removes. If malicious files are discovered and removed by the tool, follow the web shell remediation workflow. If no malicious files are found, it will report “No known threats detected.”
  • If this initial scan does not find evidence of malicious files, a full scan can be run via “.\EOMT.ps1 -RunFullScan”. This may take a few hours or days, depending on your environment and the number of files on the Exchange Server.
  • If the script is unable to download Microsoft Safety Scanner (MSERT), you can download and copy MSERT manually to your Exchange Server. Run this executable directly as an administrator. Follow the on-screen instructions to run a Quick or Full scan. A new version of MSERT should be downloaded each time it is run to ensure it contains the latest protections

Test-ProxyLogon.ps1

Run the Test-ProxyLogon.ps1 script as administrator to analyze Exchange and IIS logs and discover potential attacker activity.

IMPORTANT: We recommend re-downloading this tool at a minimum of once per day if your investigation efforts span multiple days, as we continue to make updates to improve its usage and output.

Step 1 – Review script output to determine risk:

  • If the script does not find attacker activity, it outputs the message Nothing suspicious detected
  • If attacker activity was found, the script reports the vulnerabilities for which it found evidence of use and collects logs that it stores in the specified output path in the Test-ProxyLogonLogs directory. Continue following these steps for remediation. Below is an example of the output:

Step 2 – Investigate CVE-2021-27065:

  • If CVE-2021-27065 is detected, then investigate the logs specified for lines containing Set-OabVirtualDirectory. This indicates that a file was written to the server.
  • Investigate web server directories for new or recently modified .aspx files or other file types that may contain unusual <script> blocks.
    • This indicates an adversary may have dropped a web shell file. Below is an example of such a <script> block.
    • If yes, continue to continue to the web shell remediation workflow.

Step 3 – Investigate CVE-2021-26857:

  • If CVE-2021-26857 is detected, then investigate the collected logs labeled <servername>Cve-2021-26857.csv.

Step 4 – Investigate CVE-2021-26858:

  • If CVE-2021-26858 is detected, then investigate the collected logs labeled <servername>Cve-2021-26858.log.
  • Does the tool output any path other than *\Microsoft\ExchangeServer\V15\ClientAccess\OAB\Temp\*?

Step 5 – Investigate CVE-2021-26855:

  • If CVE-2021-26855 is detected, then investigate the collected logs labeled <servername>Cve-2021-26855.csv.
  • Does the tool output for AnchorMailbox contain Autodiscover.xml ONLY?
    • This indicates an attacker is scanning your infrastructure as a precursor to additional compromise.
    • If yes, continue to the scan remediation workflow.
  • Does the tool output for AnchorMailbox contain /ews/exchange.asmx?
    • This indicates an attacker may be exfiltrating your email.
    • If yes, inspect the Exchange web services (EWS) logs in \V15\Logging\EWS to verify if the adversary accessed a mailbox, and then proceed to the corresponding remediation workflow.

What remediation steps should I take?

  • The steps in Have I been compromised? section help establish the scope of possible exploitation: scanning, unauthorized email access, establishment of persistence via web shells, or post-exploitation activity.
    • Decide between restoring your Exchange Server or moving your mail services to the cloud. You can engage with FastTrack for data migration assistance for Office 365 customers with tenants of 500+ eligible licenses.
  • Follow applicable remediation workflows:
    • Was post-compromise activity related to credential harvesting or lateral movement detected by Microsoft Defender for Endpoint or during manual investigation?
      • Engage your incident response plan. Share the investigation details to your incident response team.
      • If you are engaging with CSS Security or Microsoft Detection and Response Team (DART), and you are a Microsoft Defender for Endpoint customer, see instructions for onboarding Windows Server to Microsoft Defender for Endpoint.
    • Were web shells detected?
      • Clean and restore your Exchange Server:
        • Preserve forensic evidence if your organization requires evidence preservation.
        • Disconnect the Exchange Server from the network, either physically or virtually via firewall rules.
        • Restart Exchange Server.
        • Stop W3WP services.
        • Remove any malicious ASPX files identified via the investigation steps above.
        • Delete all temporary ASP.NET files on the system using the following script:

iisreset /stop
$tempAspDir = "$env:Windir\Microsoft.NET\Framework64\$([System.Runtime.InteropServices.RuntimeEnvironment]::GetSystemVersion())\Temporary ASP.NET Files"
mkdir 'C:\forensicbackup'
Copy-Item -Recurse -Path $tempAspDir -Destination 'C:\forensicbackup'
rm -r -Force $tempAspDir
iisreset /start

  • Was mailbox access and exfiltration detected?
    • Disconnect Exchange Server from the network.
    • Apply Security Updates.
    • Run a full EOMT.ps1 scan via “.\EOMT.ps1 -RunFullScan”. Have I been compromised? for additional instructions for running EOMT.ps1.
    • Resume operation.
  • Was scan-only adversary behavior detected?
    • Disconnect Exchange Server from the network.
    • Apply Security Updates.
    • Resume operation.

How can I better protect myself and monitor for suspicious activity?

  • Additional protection and investigation capabilities are available if Microsoft Defender Antivirus and Microsoft Defender for Endpoint are running on the Exchange Server. If neither are yet installed, installing both now can provide additional protection moving forward and is strongly advised.
  • If you are an existing Microsoft Defender for Endpoint customer but have Exchange servers that are not onboarded, see instructions for onboarding Windows Server to Microsoft Defender for Endpoint.
  • If you are not an existing Microsoft Defender for Endpoint customer, Microsoft is making publicly available a 90-day Microsoft Defender for Endpoint trial offer exclusively to support commercial on-premises Exchange Server customers that require continuous investigation and additional post-compromise security event detection beyond what MSERT offers. Next, follow the steps for setting up Microsoft Defender for Endpoint and onboarding your Exchange Server.

Microsoft’s Detection and Response Team (DART) 
Microsoft 365 Defender Team

CSS Security Incident Response

This blog and its contents are subject to the Microsoft Terms of Use.  All code and scripts are subject to the applicable terms on Microsoft’s GitHub Repository (e.g., the MIT License).

Source :
https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/

One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021

MSRC / By MSRC Team / March 15, 2021 / CVE-2021-26855CVE-2021-26857CVE-2021-26858CVE-2021-27065partial mitigations

We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server.

Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.

By downloading and running this tool, which includes the latest Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed. This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching.
We recommend that all customers who have not yet applied the on-premises Exchange security update:

  • Download this tool.
  • Run it on your Exchange servers immediately.
  • Then, follow the more detailed guidance here to ensure that your on-premises Exchange is protected.
  • If you are already using Microsoft Safety Scanner, it is still live and we recommend keeping this running as it can be used to help with additional mitigations.

Once run, the Run EOMT.ps1 tool will perform three operations:

Mitigate against current known attacks using CVE-2021-26855 using a URL Rewrite configuration.
Scan the Exchange Server using the Microsoft Safety Scanner.
Attempt to reverse any changes made by identified threats.

Before running the tool, you should understand:

  • The Exchange On-premises Mitigation Tool is effective against the attacks we have seen so far, but is not guaranteed to mitigate all possible future attack techniques. This tool should only be used as a temporary mitigation until your Exchange servers can be fully updated as outlined in our previous guidance.
  • We recommend this script over the previous ExchangeMitigations.ps1 script as it tuned based on the latest threat intelligence. If you have already started with the other script, it is fine to switch to this one.
  • This is a recommended approach for Exchange deployments with Internet access and for those who want to attempt automated remediation.
  • Thus far, we have not observed any impact to Exchange Server functionality when these mitigation methods are deployed.

For more technical information, examples, and guidance please review the GitHub documentation.

Microsoft is committed to helping customers and will continue to offer guidance and updates that can be found at https://aka.ms/exchangevulns.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS GUIDANCE. The Exchange On-premises Mitigation Tool is available through the MIT License, as indicated in the GitHub Repository where it is offered.

Source :
https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/

How to install and configure Unifi controller on Raspberry Pi?

How to install and configure Unifi controller on Raspberry Pi?

Written by Patrick Fromagetin How-To Tutorials

If you have already managed multiple Wi-Fi access points, you should know that this can be a nightmare …
But with good choices for hardware and a controller, this becomes easier.
It’s the main goal of the Unifi controller: manage most of the tasks on a wireless network to avoid issues.
It’s available on Raspberry Pi and I will show you how to install it.

How to install and configure Unifi controller on Raspberry Pi?
Start by adding the Ubiquiti server to the list of repositories for Raspberry Pi OS.
Then, the Unifi controller can be installed with apt and managed as a system service.

The installation is straightforward, you can install it like any Debian package.
But the access points configuration is not so easy and I saw no article explaining this.
As I’m using it at work, I can show you all the configuration steps with real access points and clients.

Before switching to Ubiquiti products, I remember having tested many brands to solve my issues, but none of them could not support over 10-20 users simultaneously (I even tested a fireproof model from D-Link, something like this one on Amazon ^^). So I definitely recommend trying Ubiquiti, this is cheap compared to other famous brands but works very well.
Let’s see how to do this!

Table of Contents

Ubiquiti Networks products

Ubiquiti Networks introduction

Ubiquiti Networks is an American company, selling hardware for wireless technologies like access points, routers and cameras.
They started with wireless devices, and they are now diversifying upon a broader range of products.
The latest innovative product concerns the solar technology, they help you to manage solar farms.

Anyway, the product that interests us today is a software: Unifi controller.
The goal of this product is to manage access points and wireless devices from a unique web interface.
From the interface, you can see all the access points and broadcast a unique SSID.
The controller will handle the roaming between access points and load distribution.

Raspberry Pi Course
Sale: 10% off today. Take it to the next level.
I’m here to help you get started on Raspberry Pi, and learn all the skills you need in the correct order.YES, I WANT TO IMPROVE

Why do I need these products?

These products target mainly companies and large areas but you can have the same needs at home if you get some issues with your Wi-Fi connection (rooms with no network, roaming, stability, etc.).
If you need over one access point to cover all the house, it could be interesting to install these products at home.

For example, let’s say you install three access points and the controller somewhere.
You’ll have only one Wi-Fi SSID in all the area (outdoor included).
And you can move from one side to another without disconnection.

Ubiquiti products

Ubiquiti products are distributed by resellers, but are also available on several e-commerce websites:

To test these products, you don’t need many things.
Just buy one or more access points and build your professional wireless network.
Here is the link: Ubiquiti Unifi AP on Amazon.

You have several packages available: Only one, 2 AP (access point), 4 AP, etc.
Choose the one you prefer, but there is not a big saving by taking big packs, so you can try with one or two, and order the others after.

If you have a PoE Switch (this one for example on Amazon), you can plug them only to the network cable. An Ubiquiti switch is not mandatory, this one from Cisco is cheaper for example. It depends on what you want to do with it and how many AP you have.

Whatever your choice, a PoE switch will make the installation easier
If you want to start without it, there is a last option.
Ubiquiti provides an adapter with the AP (power cord + network = PoE Network), but you need a power outlet and two RJ45 cables instead of only one cable for everything.
Here is the link to the PoE injector on Amazon, make sure to check the AP power requirements are they are not all the same (a Pro AP needs PoE-48 for example).

Unifi controller installation

Now that you understand what are the Unifi products, we can move to the controller installation.

Installation on Raspberry Pi OS

As for any tutorial on this site, you firstly need to install Raspberry Pi OS on your Raspberry Pi.
Any version will do the job (I’m doing it with Raspberry Pi OS Lite).
If you don’t know how to do this, read my article on How to install Raspberry Pi OS on your Raspberry Pi.

Once installed, update it and reboot:
sudo apt update
sudo apt upgrade
sudo reboot

And enable SSH access with:
sudo service ssh start
This way you can follow this tutorial from your computer (if needed, check this post to learn more about this).

Set a static IP address

As our Raspberry Pi will be like a server on our network, we need to use:

  • A wired connection
    If you want a fast Wi-Fi network, you need to have your controller and your access point on a good connection.
    So, I don’t recommend setting up the controller with a Wi-Fi connection (at home it’s probably ok).
  • A static IP address
    The Raspberry Pi will become an important node on your network, so we need to fix its IP.
    By default, the Raspberry Pi use the DHCP to get a random IP among those available.

For the static IP, you can either fix the IP in the DHCP server (your Internet router probably), or set a static IP in the Raspberry Pi configuration.

If you don’t know how to do this, I already explained it at the end of this article: Set a static IP address on your Raspberry Pi.

Master your Raspberry Pi in 30 days
Sale: 25% off today. Download the eBook.
Uncover the secrets of the Raspberry Pi in a 30 days challenge.GET IT NOW!

Unifi controller installation

Now we are ready to start the installation.
For these steps you have two choices:

  • Download and install directly the official Debian package from the website.
  • Add a new repository to manage the Unifi package with apt.

On the Ubiquiti downloads page you can find the Debian package to install the controller.
You can download it and install it on your Raspberry Pi.
But I don’t recommend it.

Because the Controller has many updates, about every month you have to download and install a new version manually.
There is a repository available and it’s easier to manage all updates with apt rather than doing everything manually.

  • Connect with SSH to your Raspberry Pi.
  • Add the repository in the apt configuration file:
    echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
  • Add the key to the trusted keys:
    sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
    This allows us to use software from the previous repository
  • Run apt update to update the available packages list :
    sudo apt update
  • And finally, install the Unifi package:
    sudo apt install unifi
    Answer yes and wait a few seconds for the installation process to finish.

This is the end of the installation procedure, but your controller may not work yet.
You can check the service status with:
sudo service unifi status
If you get an error like this one on a fresh Raspberry Pi OS installation:

Starting Ubiquiti UniFi Controller: unifi
Cannot locate Java Home

Then you need to install Java to start the Unifi service.
Currently, the Unifier controller requires Java 8.
You may already have it from another application, but if you have this error, here is how to fix it:
sudo apt install openjdk-8-jre
And finally start the Unifi service:
sudo service unifi start
You can find more details about Java in this tutorial.

Check the status again if you want:

If everything is ok, you can move on to the next part to know how to use the software.You may also like:

Unifi controller configuration

First access

To access the web interface, go to https://<IP>:8443
For example, in my case it’s https://192.168.1.25:8443/
You’ll get a browser warning because we don’t have a secured certificate for the moment.

Accept the exception and move to the next page to configure everything you need to get started:

  • Step1: Start by giving a name to his controller and click on “Next”
  • Step 2: Choose if you want to enable the cloud interface (default) or not (advanced).
    It depends on what you are trying to do.
    If you are always on the same network (home or in a company), you don’t really need the cloud panel. But it can be useful for remote sites.
    • If you keep the default option, fill the form to create an Unifi account.
    • On the advanced option, you have a form like this:

      If you enable one option, you need to create a cloud account AND a local account.
      I don’t need it for my test, so I disable everything.
  • Step 3: Sign in or configure options.
    This step is also different depending on your choice in the previous step
    You may need to sign in your account, or just to configure two additional options (auto backup and auto-optimize).
    Keep them enabled if asked.
  • Step 4: Configure your devices.

    You can just skip this, it’s not required for now. You can add devices at anytime in the interface
  • Step5: You can finally configure your Wi-Fi settings now.

    You can also change this in the interface, so just pick something to get started.
  • Step6: Finally, you also need to review your settings and you are ready to go.

Good job! You will now be redirected to the web panel.
We can finally see it and configure more things if needed.

Web interface overview

Once logged in the web interface, you’ll get many submenus to manage everything.
For the moment, it should be pretty empty, but in the left bar you can see:

  • Dashboard: Here you can have a preview of your network performance (number of APs and clients).
    Most of this dashboard needs the Unifi Security Gateway, so it’s not an important page.
  • Statistics: In this page you can monitor clients and traffic in the whole network.
    For the moment, nothing here 🙂
  • Map: In this one you can upload a map of your building, and place all APs on it.
    This way you can know where they are and see the global Wi-Fi coverage (approximately).
  • Devices: This page shows you all the Unifi devices you have on your network.
    It’s the most important page, you will manage APs from here.
  • Clients: Same thing for the clients. You’ll see here all the connected clients with information about them (IP, AP, network usage, …):
  • Insights: Here you can see miscellaneous information.
    I’m using this mainly to see known clients (not connected now, but you can check the history, block or unblock them).
  • Events: This window shows you all the recent logs on your network
    This can be clients connections, AP upgrades, roaming, …
  • Alerts: Same thing with errors and warnings.
  • Settings: And this is the page where you’ll configure everything.
    We’ll use it to create the wireless network.
  • Chat support: If you need help from Unifi, you can ask for help here.

Now that you have visited the whole interface, we can move forward to configure the access point.

Add the first access point

Physical preparation

There are two possibilities for the access point cabling.

With a PoE switch:

  • Plug the access point to the POE Switch with an RJ45 cable.
  • Basically, that’s it.
    The status light should turn on and you can move to the next step.

Without PoE switch:

  • You must have a POE adapter like this:
    (it’s available on Amazon if you don’t have one with your access point: check it here).
  • Connect the LAN port to your switch or wall network socket.
  • Connect the POE port to the access point.
  • If the access point LED starts to blink, it’s ok.

Software configuration

Now that we powered on the access point, we can go back to the Unifi web interface for the next steps:

  • Access the web interface: https://IP:8443.
  • Click on “Devices” in the left menu.
  • You should now see your access point in the list:
    The controller is seeing it, but we need to tell that it’s an access point for this controller.
  • Click on “Adopt” at the end of the line.
    The adoption process starts, after a few seconds, you should get the “Connected” status.
  • If needed (probably), you can upgrade the AP firmware to the latest version by clicking “Upgrade”.
    Your access point will take a few minutes to download and update the firmware.

Anyway, the first access point is ready, and we can now create the wireless network (SSID).

You can click on the line to see and change other settings for the access point (on the right).

For example, you can set an alias for each access point to know which one is which.
In the properties window, click on the config tab and set an alias.

Change everything you want on the access point and move to the SSID creation.

Create your wireless network

Creating a wireless network is basically setting an SSID, a password and a security type.
You can do this in the “Settings” menu from the left bar:

  • In settings, click on “Wireless Networks”.
  • Then click on the “Create a new wireless network” button:
  • In the new window, choose an SSID, a security type and a password:
    Choose WPA-Personal for security, WEP is not secure.
    And prefer a long password (ideally a phrase from 15 to 30 characters).
  • Click “Save”.

The access points will restart with the new settings.
After a few seconds, the new wireless network is available for all your devices.

Connect to it and check that everything works fine.
By default, the Unifi controller will give you an IP address within your main network.
You have nothing else to do, but you can change it in Settings > LAN.

Then go back to the different menus to see information and statistics about your device.
Enjoy 🙂

Related questions

Do I need to keep the Raspberry Pi on? Not really. As soon as the Raspberry Pi stops, the controller is no longer available but the access point continue to work. You can still access the Wi-Fi network, but you lose controller’s features like roaming between APs.

Do the Unifi controller have advanced features you don’t talk about? Yes, a lot. I made a quick tutorial, but you can do a lot more: schedule downtimes, create guest access with VLAN or not, Radius with Active Directory, filter MAC address, block and unblock clients, etc …

How to reset an Unifi access point? If you lose access to an access point or have strange scenarios in the adoption process, you can reset it to factory defaults. To do this, use the reset button near the RJ45 socket. While the access point is on, let the button pressed for 10 seconds and then wait for the reset.

Conclusion

That’s it, you know how to install and configure an Unifi controller on your Raspberry Pi.
This controller is running perfectly on my Raspberry Pi (3B+ and 4).
I don’t know how many clients it would handle, but at home it’s more than enough.

If you have questions on this topic, leave a comment below and I’ll help you.
I’m using this software at work for five years now, so I may have the answer 😉

Source :
https://raspberrytips.com/unifi-controller-raspberry-pi/