How To Set Up Ubiquiti Unifi For RADIUS Authentication?

RADIUS (Remote Authentication Dial-In User Service) allows users to connect to a wireless network and identify themselves to the network to access their work resources. It’s a network protocol supports AAA( Authentication, Authorization, and Accounting) and provides security, control, and thorough monitoring of your network’s users and devices, offering administrators better network management.

The 802.1X authentication protocol allows network authentication via digital certificates to connect to the RADIUS server for better protection from malware, credential theft, and MITM attacks. Like most enterprise-grade access points, Unifi Access Points are compatible with X.509 certificate-based authentication through a RADIUS server on a WPA2-Enterprise network. It also supports VLAN in case of a device failure to authenticate to a network.

Read on if you are looking at a guide to configure your Ubiquiti Unifi Access point with a RADIUS server for 802.1X authentication.

How Does RADIUS Wi-Fi Authentication Work?

When a user places a RADIUS authentication request to a network, the request and credentials are forwarded from the user’s device. The RADIUS server sends this request to the server and performs a check for existing policies or user credentials on the database. Once the user/device is authenticated via the client-server, an acceptance response is sent back to the user device.

What Is The Ubiquiti Unifi Wi-Fi Solution?

Ubiquiti Unifi solutions help you manage your wifi network through routers, access points, switches, and base stations. Ubiquiti Unifi Wifi offers the utmost compatibility, is scalable to large organizations, and offers varied customizations. It helps you view and manage the devices on your network. You can look at the users and devices on your network in real-time and troubleshoot network issues.

What are the Advantages of Setting up 802.1X in a Ubiquiti Unifi System?

If you are a network admin, deploying 802.1X on Ubiquiti Unifi points is a great start. It would ensure that only authorized users access the network, thus lowering the risks of threats or malicious intent. 802.1X helps you set up network access control, where you can assign  RADIUS clients access and privileges.  It also makes things safe and gives administrators more control over who can access what. 

802.1X quickly adapts to newer technologies to protect your network from evolving and imminent threats, and you can scale it as per your growing needs. As we look at how to set up Ubiquiti UniFi with a RADIUS authentication server, these benefits show how important 802.1X security is for making modern network systems safer.

How to Configure Unifi For 802.1X RADIUS Server Authentication

The Ubiquiti Unifi RADIUS support allows a third-party  RADIUS server to configure a network for digital certificates with the EAP-TLS protocol using the 802.1X network authentication protocol. This article will explain how to use your existing network with Cloud RADIUS specifically. Here is what you need to get started with RADIUS configuration: 

Prerequisites To Set Up RADIUS Authentication on the Unifi Access Point

  1. Create a RADIUS profile on SecureW2’s Cloud RADIUS to enable EAP-TLS authentication on the Ubiquiti infrastructure.
  1. Next, create an onboarding SSID to issue digital certificates to managed user devices connected to the network using our Managed Device Gateway APIs. This would also redirect BYODs to a self-enrollment portal.
  1. Finally, create a new wireless network in the Unifi console and set it to WPA2 Enterprise. Upon completion, you can enjoy a secure and user-friendly wifi connectivity experience.

Configure Unifi AP for RADIUS authentication

Cloud RADIUS supports certificate-based authentication only through the EAP-TLS protocol. This section discusses configuring a RADIUS profile for self-enrollment of BYODs for digital certificates. You can enable EAP-TLS authentication on your existing Ubiquiti infrastructure by creating a new RADIUS profile using SecureW2 Cloud RADIUS service.

  1. From the Unifi Network console, go to Settings>Wireless network, and click on Create New Wireless Network. 
  1. For name/SSID, enter a name.
  2. Select the Enable the wireless network check box.
  3. Select Open for security purposes.
  4. Select the Apply guest policies check box.
  1. Go to Settings> Guest control to configure the SSID to redirect the users to  SecureW2 onboarding page.
  2. Select the Apply guest policies box. 

Now, let us configure the SSID to redirect users securely to the SecureW2 onboarding page.

  1. Go to Settings> Guest Control
  1. Update the details.

Configuring MAC-based RADIUS authentication

This section will take you through the steps to create and configure an identity provider for MAC authentication. MAC authentication, also known as MAC auth bypass, allows RADIUS clients that don’t support certificate-based authentication (such as some IoTS) to authenticate using their MAC addresses instead. 

  1. Log in to the JoinNow MultiOS Management Portal. 
  2. Go to Identity Management > Identity Providers
  3. Click Add Identity Provider
  4. Enter the name of the identity provider in the Field name.
  5.  For the Description field, enter the suitable description for the identity provider. 
  6. From the Type drop-down list, select MAC Authentication. 
  1. Click Save to refresh the page.
  2.  Select the Conditions tab
  3. Click Add Device
  4. For the MAC Address field, type the device’s MAC Address you need to authenticate.
  1. Click Save and Update.

Configuring Unifi Access Points to Communicate with Cloud RADIUS

  1. Log in to the Unifi Portal. 
  2. On the left pane, select Profiles. 
  3. Click Create New RADIUS Profile. 
  4. In the New RADIUS Profile page, for the Name field, enter the name of your RADIUS profile. 
  5. Under the RADIUS Assigned VLAN Support section, select the Enable checkbox for Wireless Networks.
  1. In the RADIUS Settings section, for Authentication Servers, enter the IP Address, Port and Shared Secret. From the JoinNow MultiOS Management Portal (navigate to RADIUS > RADIUS Configuration), copy the IP Address, Port, and Shared Secret and paste them into the IP Address, Port, and Shared Secret fields in the Unifi.
  1. Enter the RADIUS details and click ADD.
  1. Click Apply Changes.

Set Up an Open SSID on Unifi

With Cloud RADIUS, we will set up an open onboarding SSID that helps users to redirect to BYOD self-enrollment portal. It helps to issue certificates automatically to the connected devices.

  1. Navigate to Settings > Wireless Networks > Create New Wireless Network.
  2. Enter the name of the SSID in the NAME/SSID section.
  3. Under Enabled, check the box to Enable this wireless network.
  4. Under Security, select the radial button for Open.
  5. Under Guest Policy, select “Apply guest policies (captive portal, guest authentication, access).”
  6. Click Save.

Ubiquite does not support the URL’s sub-domains. We recommend you set up a local webserver with a rewritten URL that helps users be directed to the SecureW2 landing page.

Add the webserver URL to “Redirect using the hostname”:

  1. Navigate to Settings > Guest Control > Guest Policies.
  2. Check the Box “Enable Guest Portal”.
  3. Under Authentication –> Choose No Authentication.
  4. Check the Box “Redirect using hostname“.
  5. Click Save.

 

Add the ACLs:

An Access Control List (ACL) prevents a BYOD from accessing unauthorized resources before they are securely onboarded to a network. The ACL creates a list of resources users can navigate for secure authentication. The User needs to limit this SSID, it can be used only for self-service certificate enrollment and device network access configuration. For more information about SSID contact our expert support engineers.

  1. Navigate to Settings > Guest Control > Guest Policies.
  2. Check the Box “Enable Guest Portal“.
  3. Under Access Control → Pre-Authorization > add the ACLs (hostname or IPV4).
  4. Click on Apply.

 

Create a secure SSID

We will set up the SSID that users will use for network authentication daily. This SSID will use 802.1x with the RADIUS server we added to the RADIUS Profile. Suppose you are setting this up with Cloud RADIUS. In that case, this SSID will use EAP-TLS, a passwordless authentication method using digital x.509 certificates.

  1. From your UniFi Network console, go to Settings > Wireless Networks.
  2. Click Create New Wireless Network.
  3. For Name/SSID, enter the name of the SSID.
  4. For Enabled, check the box for Enable this wireless network.
  5. For Security, select the radial button for WPA Enterprise.
  6. For the RADIUS Profile, click the dropdown and select the RADIUS profile you created.
  7. Click Save.

Users who enroll for a certificate using your secure SSID are redirected to your SecureW2 landing page. They enter their login credentials, and a client is deployed on their device, installing the Wi-Fi certificate and appropriate network settings to authenticate via EAP-TLS. Their device is then migrated to your secure SSID.

Deploy Ubiquiti with SecureW2 For a Seamless Network Solution

SecureW2’s certificate-based solution for your users and devices removes the requirement of maintaining an on-premise RADIUS server like a Network Policy Server (NPS). Our Cloud RADIUS integrates with any identity provider like Azure AD (Entra ID), Okta, and Google, so you can seamlessly shift to 802.1X without significant infrastructure changes. 

At SecureW2, our support team will guide you through the Cloud RADIUS setup for more efficiency and prevent misconfiguration. If you have an existing Ubiquiti Unifi infrastructure, you can easily set up the Cloud RADIUS for an improved and secure network.

Click here for an entirely Cloud-based passwordless solution for your organizational security. 

Anusha Harish

Anusha is a copywriter with a passion for telling stories through her writing. With a law degree and keen research skills, she writes articles to help customers make informed decisions. She is a movie buff and a bookworm. She can be found tucked away with a book and a cup of coffee when she is not reading and writing for work.