Setup Cypress Glen Wireless Printing

Cypress Glen’s WiFi is configured to allow wireless printing to residents’ WiFi enabled printers from anywhere on the network.

Overview

At the highest level, conceptually, the following is happening:

  1. The printer connects to an unsecured wireless network that only allows whitelisted MAC addresses to connect.
  2. The resident’s WiFi enabled device (computer, phone, tablet) connects to a WPA2-Enterprise network with a preconfigured username and password.
  3. The resident’s WiFi enabled device (via the username) and the printer (via its MAC Address) are configured to operate on the same VLAN so that they can communicate.

Using this document

If you want to…. ...use section(s):
Setup a new resident for wireless printing
  • “Allow a new resident to connect to this network”
  • “Allow a new printer or device to connect, or verify the settings of an existing device”
Replace a resident’s printer or IoT device
  • “Replace an existing printer on the network”
Add a new printer or IoT device to an existing resident’s network
  • “Allow a new printer or device to connect, or verify the settings of an existing device”
Change a resident’s WPA2-Enterprise login password
  • “Change an existing resident’s password”
Setup an existing resident’s equipment after they move to a new room
  • “Update sign-in information if a resident moves to another room”

Network Configuration

Unsecured, MAC-whitelisted network “Cypress Glen Resident WiFi”

Cypress Glen Resident WiFi is a fully functional wireless network that can be used by both printers and user devices alike, so long as the printer or device’s MAC address has been whitelisted. It is preferred, however, to only allow printers to connect to this unsecured network. Users should connect their devices (phones, laptops, tablets) to the WPA2-Enterprise secured “Cypress Glen Resident”.

Configuration

The network is configured in the Unifi Controller under Settings → Wireless Networks. Find the Cypress Glen Resident WiFi network in the list and click edit to edit or view its settings.

  • Security: Open
  • User Group: Resident
  • Enable RADIUS MAC authentication: checked
  • RADIUS Profile: Default
  • MAC Address Format: aa:bb:cc:dd:ee:ff
  • Allow Empty Password: unchecked

The User Group for “Resident” is set to allow 25 Mbps down and 10 Mbps upload speed.

Note that because the MAC Address Format is specified in lowercase, all MAC addresses entered while configuring printers (below) must be entered in lowercase as well.

Allow a new printer or device to connect, or verify the settings of an existing device

  1. Obtain the MAC address from the printer or device in question. If the printer or device has multiple network cards, be sure to use the WiFi adapter.
  2. In the Unifi Controller, navigate to Cypress Glen’s Site and then to the Settings (gear in lower left).
  3. Click on Services → RADIUS
  4. Sort the list of RADIUS users by name alphabetically (click on the name header) and search for the MAC address. If the MAC address is already listed, proceed to step 7. Otherwise, proceed to step 5.
  5. Click “Create new user” at the bottom of the page
  6. Create the user with the following settings:
    1. Name: The MAC address with colon separators, in lowercase.
    2. Password: The MAC address with colon separators, again, in lowercase.
    3. VLAN: The VLAN ID for the user that will use this printer or device. Find the resident’s existing network in the Networks tab, and use the VLAN for that network. See Procedure → VLAN Networks for more information. For example, if resident Bob Johnson at Apt W203 already has a network, then it will be in the Networks section of the Unifi Controller prefixed with cg203w. Find this network, and use the VLAN associated with it.
    4. Tunnel: It should get set automatically. The setting should be 13 and 6.
  7. Double check that the username and password are both the MAC address in lowercase, with colon separators (:) and that the VLAN ID matches that of the user that will be connecting to this printer or device.
  8. Click Save. After saving, the router will automatically reprovision to accept the new settings. This should take about 1-3 minutes.
  9. After waiting 1-3 minutes for the router to provision, connect the printer or device to the unsecured “Cypress Glen Resident WiFi” network and verify connectivity. For printers, print a test page from one of the resident’s WiFi enabled devices (make sure it is not plugged into ethernet while you test). For other devices (Alexa, Google Home, etc) verify that the resident’s WiFi enabled device can communicate with the device through its associated app or web page.
    1. If the printer or device does not connect, try power cycling it.

Replace an existing printer on the network

Only follow these instructions if the resident is not going to continue using their existing printer after replacing it with the new printer. If they plan to use the new printer and the old printer simultaneously, follow the instructions above to add a new printer to the network. Otherwise, the old printer will cease to function after setting up the new printer.

  1. In the Unifi Controller, go to Settings → Services → RADIUS
  2. Find the existing printer in the list of users, then click edit.
  3. Change the username and password to the MAC address of the new printer, in lowercase with colon separators (:)
  4. Leave the VLAN ID as-is. It should already be configured correctly.
  5. Click Save, and wait for the router to provision to accept the changes.
  6. After waiting 1-3 minute sfor the router to provision, connect the printer as detailed in step 9 in the above section.

WPA2-Enterprise secured network “Cypress Glen Resident”

This network is what all WiFi enabled user devices should connect to. This includes smartphones, laptops, and tablets. Other devices, such as printers or IoT devices like Amazon Echo, Google Home, etc. should connect to the unsecured, MAC-whitelisted network as described above.

Configuration

The network is configured in the Unifi Controller under Settings → Wireless Networks. Find the Cypress Glen Resident network in the list and click edit to edit or view its settings.

  • Security: WPA Enterprise
  • RADIUS Profile: Default
  • WPA Mode: WPA2 Only, AES/CCMP Only
  • Group Rekey Interval: 3600 seconds

Allow a new resident to connect to this network

  1. Create a new VLAN Network as laid out in the named section below (Procedure → Network Configuration → VLAN Networks).
  2. Create a RADIUS User as laid out in the named section below (Procedure → Network Configuration → RADIUS Users).

Change an existing resident’s password

  1. On the Unifi Controller, in Settings → Services → RADIUS, find the resident’s RADIUS user and click “edit”.
  2. Change the password and verify with the resident that you have entered the password exactly as described. \ Click Save. After saving, the router will need to provision, which will take 1-3 minutes.
  3. After waiting 1-3 minutes for the router to reprovision, disconnect the user from the Cypress Glen Resident network and set the device to forget the saved credentials (or to forget the entire network if forgetting the credentials is not readily available). Do this for each device, then reconnect the devices using the username and new password.

Update sign-in information if a resident moves to another room

  1. Following the username naming scheme outlined in this document, take note of the resident’s existing username and the username that they will use for their new room.
  2. In the Unifi Controller, in Settings → Services → RADIUS, find the resident’s existing username and delete it.
  3. Search for the username for the new room in the list as well. If it exists, delete it.
  4. In Settings → Networks, find the resident’s existing VLAN Network and delete it.
  5. Search for the VLAN network for the new room in the list as well. If it exists, delete it.
  6. Setup a new user according to the section above (“Allow a new resident to connect to this network”)
  7. For each connected printer or IoT device, update the VLAN ID for each associated RADIUS user to that of the VLAN ID for the new network configured in step 6.
  8. After making these changes, wait 1-3 minutes for the router to provision before attempting to verify connectivity.
  9. After waiting 1-3 minutes for the router to reprovision, disconnect the user’s WiFi enabled devices from the Cypress Glen Resident network and set the device to forget the saved credentials (or to forget the entire network if forgetting the credentials is not readily available). Do this for each device, then reconnect the devices using the new username and password.

VLAN Networks

Each residence at Cypress Glen will have its own VLAN network that allows a resident’s devices to connect to their WiFi enabled printers and IoT devices from anywhere on campus. This VLAN is unique, based on the room number, for each residence and the credentials to connect to it should not be shared with other residents.

Setup a new VLAN, or verify or change settings of an existing VLAN

  1. In the Unifi Controller, navigate to Settings → Networks.
  2. Search for the VLAN network according to the naming scheme in this document. If it exists, click edit to verify or change settings as necessary. Otherwise continue to step 3.
  3. Click “Create a new network” and create the network with the following settings:
    1. Name: The name of the resident
    2. Purpose: Corporate
    3. Network Group: LAN
    4. VLAN: see Gateway/Subnet below
    5. Gateway/Subnet: Choose an unused subnet, preferably in the 10.10.###.1/24 range. To find an unused subnet in this range, sort the list of Networks (Settings → Networks) by VLAN.
      1. ex) If the last 10.10.###.1/24 subnet is 10.10.38.1/24, then you should choose 10.10.39.1/24 as the subnet for this new network.
      2. Once you have chosen an unused subnet, enter it into the Gateway/Subnet field for the new network.
      3. The VLAN ID will be based on the third octet of this subnet. Add the third octet of the subnet to 3000 to calculate the VLAN ID for the new network. Continuing with the example, the new VLAN ID would be 3039 (3000+39). Enter this VLAN ID into the VLAN field above.
    6. Domain name: leave empty
    7. DHCP Mode: DHCP Server
    8. DHCP Range: automatically filled in
    9. Leave the remaining fields as-is
  4. Click Save
  5. Add the subnet from 3e to the “Networks” firewall group.
    1. Click “Routing and Firewall” in the left sidebar.
    2. Click “Groups” near the top.
    3. Click “Edit” in the row with the name “Networks”.
    4. Scroll down to the bottom and click “+ Add”.
    5. Type in the subnet from 3e, ending in a 0 instead of a 1 (i.e. 10.10.38.0/24).
    6. Click Save.

RADIUS Users

There are two types of RADIUS users for Cypress Glen’s network configuration- users for printers and IoT devices that do not support WPA-2 Enterprise connections, and users for each residence. RADIUS users for printers and IoT devices will be configured when setting up said printers or IoT devices. Users for residences will be configured once for each resident that wishes to have wireless printing enabled.

  • A resident will only ever have one RADIUS user for their room/residence.
  • A resident can have any number of associated RADIUS users, one for each of their connected printers or IoT devices.
  • A RADIUS user for a printer or IoT device can only be accessed by a single RADIUS user following the instructions laid out in this document.
  • The VLAN ID for the residence must match the VLAN ID for its connected printers and IoT Devices to operate as expected.

Bulk import RADIUS users from configuration file

When adding a lot of residents simultaneously, it may be quicker to add all the associated RADIUS users from a JSON configuration file instead of manually adding them one-by-one.

Refer to Procedure - Bulk import RADIUS users to Unifi Controller for specific instructions.

Manually configure Windows network connection

  1. Open Network and Sharing Center
  2. Click “Set up a new connection or network”
  3. Click “Manually connect to a wireless network” then click Next
  4. Enter network details then click Next:
    1. Network name: Cypress Glen Resident
    2. Security type: WPA2-Enterprise
    3. Encryption type: AES
    4. Security Key: blank
    5. Check “Start this connection automatically
    6. Do not check “connect even if the network is not broadcasting”
  5. Click “Change connection settings”
    1. Alternatively, go to Network and Sharing Center → Manage Wireless Networks → find the network and double click the Cypress Glen Resident network.
  6. On the Security tab, click Settings
  7. Uncheck “Verify the server’s identity by validating the certificate”
  8. Click Configure and uncheck “Automatically use my Windows logon name and password”
  9. Click OK
  10. Back on the Wireless Network Properties window, click on Advanced Settings
  11. Check “Specify authentication mode”
  12. Select “User authentication” from the dropdown
  13. Click “Save Credentials” button and specify the user’s username and password for the Cypress Glen Resident network
  14. Click OK on the Advanced Properties window, then again on the Wireless Network Properties Window, then click Close on the “Manually connect to a wireless network” window.
  15. (Optionally) Remove Cypress Glen Resident WiFi network from list of known networks
  16. Connect to Cypress Glen Resident network

Troubleshooting

Computer fails to connect to WPA2-Enterprise network

If the computer fails to connect to the WPA2-Enterprise network, verify that you have entered the username and password correctly. If it continues to present issues, especially if it is an older Windows device (Win7 or older), proceed to manually configure the network connection as documented above in Procedure → Network Configuration → Manually configure Windows network connection.

The cause of this issue is most likely that the computer is trying to verify the server’s certificate and that the server’s certificate is non-existent or self-signed and so the certificate has not been signed by a trusted root authority. You can verify that this is the case by going to Event Viewer → Windows Logs → System; look for errors with event ID 36882 whose event time corresponds to the connection attempt.

Printer fails to connect to unsecured, MAC-whitelisted network

If the printer fails to connect, power cycle the printer and try reconnecting. If it still fails to connect, follow the steps above in Procedure → Network Configuration → Unsecured, MAC-whitelisted network [...] → Allow a new printer to connect, or verify [...].

Additional Information

Username and VLAN network naming scheme

Usernames for the WPA2-Enterprise secured network and for VLANs will be the same for each residence, as specified:

  • Take note of the resident’s room number, and optionally the street name if they are in a cabin
  • Note: All letters are lowercase.
  • Use the prefix cg
  • Append the room (or street) number followed by a room letter (if applicable) after the prefix. Ex) Room A301 becomes 301a
  • For cabins (anything with a street name), append the first letters of each word in the street name (including the word “Street” or “Lane”, etc) after the street number. Ex) 205C Hickory Street becomes 205chs

Examples

  • Room A301 will have a username and VLAN name of cg301a
  • 205C Hickory St will have a username and VLAN name of cg205chs
  • 300 Francis Asbury Lane will have a username and VLAN name of cg300fal

Some residences that were part of the initial configuration may be missing the letter for “street” or “lane”, etc. at the end of their username or VLAN name. Please refer to the CG Residents Usernames sheet for an accurate and up-to-date list.

References

CG Residents Usernames (Spreadsheet)

Cypress Glenn WiFi Chart (PDF)

Procedure - Bulk import RADIUS users to Unifi Controller

Discard
Save
Draft
Was this article helpful?
Edit Page New Page Revisions Page Settings

Previous Page

Left

Next Page

Right

On this page

Review Changes ← Back to Content
Message Status Space Raised By Last update on