Computers

Ubiquiti Unifi RADIUS Authentication Configuration

Ubiquiti Unifi RADIUS Authentication Configuration tutorial including Unifi controller config NPS role install and configuration as well as SSL cert config

Do you have a Ubiquiti Unifi wireless system setup for wireless access? Ubiquiti offers really great “enterprisey” products for the price that are very fully featured. I like the Unifi products for providing fully featured wireless configurations both at home and in an office setting. If you have a wireless network that you want to configure for enhanced security in the environment and especially to make use of a centralized identity source like Active Directory, setting up Ubiquiti Unifi RADIUS authentication is the way to go. Using RADIUS, you can tie in your Ubiquiti environment to Active Directory for using your identities stored there for additional authentication capabilities. Let’s take a look at Ubiquiti Unifi RADIUS authentication configuration and see how it can easily be accomplished.

Requirements for setting up RADIUS authentication for Ubiquiti Unifi

  • Setting up a new wireless network on the Unifi controller
  • Configuring a new RADIUS profile in the Unifi controller
  • Configuring a RADIUS server (for the purposes of this post, using Microsoft’s Network Policy Server (NPS) role)
  • Configuring RADIUS client in NPS including AD group, authentication method, certificate, etc
  • Configuring a Network Policy for wireless clients

RADIUS authentication can be intimidating for those that have not configured it before, however, with only a few steps, we can get a basic RADIUS configuration configured without issue.

Let’s take a look and step through each of these to configure RADIUS authentication for wireless clients.

Setting up a new wireless network on the Unifi Controller

The first step we will take is setting up a new wireless network in our Unifi controller UI. To use RADIUS, we will create a new wireless network that is WPA Enterprise enabled on the Security setting.

Once you select the WPA Enterprise setting, you need to Create new RADIUS profile.

Create-a-new-RADIUS-enabled-wireless-network-in-the-Unifi-controller-software
Create a new RADIUS enabled wireless network in the Unifi controller software

In the Create new RADIUS profile dialog box, name the profile and set the addresses for both the RADIUS Auth Server and the Accounting server (will be the same in most deployments, especially using NPS).

In the Password/Shared Secret, enter the shared password that will be used by the Unifi APs to authenticate with the RADIUS server.

Creating-a-new-RADIUS-profile-in-the-Unifi-Controller
Creating a new RADIUS profile in the Unifi Controller
New-Unifi-wireless-network-has-been-created-with-RADIUS-enabled
New Unifi wireless network has been created with RADIUS enabled

Install the Network Policy Server (NPS) Role

In my environment, I have a Windows Server 2019 server that I have installed the Network Policy and Access Services role on.

Accept the additional role services that may be needed during the installation. You will most likely need to reboot your server after the installation (or I like to do this as a best practice) to ensure all services are squared away.

Install-the-Network-Policy-Server-role-on-your-Windows-Server
Install the Network Policy Server role on your Windows Server

Configuring RADIUS Clients in NPS

Once you have the NPS server running on your Windows Server, you will need to setup your RADIUS clients. The clients in this case will be the Unifi APs that will be accessing your RADIUS server.

This is a step that typically trips a lot of would be configurations up. Pay attention to detail here. Make sure you have the correct IPs that are assigned to the management of the wireless APs. Also, make sure you enter the shared key for the RADIUS clients correctly.

To add a RADIUS client, right-click the RADIUS Clients folder and select New. ***Note*** You will need to do this for each Unifi AP that you want to be able to perform RADIUS authentication.

Adding-a-new-RADIUS-client-to-the-Network-Policy-Server
Adding a new RADIUS client to the Network Policy Server

In the properties of your RADIUS client, you enter the IP address/DNS name and also the Shared secret.

Configuring-the-Unifi-APs-as-RADIUS-clients
Configuring the Unifi APs as RADIUS clients

Configuring a Network Policy for Wireless Clients

Once you have the RADIUS clients (Unifi APs) added to your RADIUS clients of the NPS server, you are ready to create the Network Policy. The network policy is essentially the requirements of the connection.

The policy is checked to see whether or not the user attempting to authenticate matches the policy requirements. This might include Windows group membership and other requirements.

First, create the new policy. By default it will create as enabled and granting access, but make sure you have the options selected here that you want in the Overview tab.

Create-a-new-Network-Policy-for-the-RADIUS-authentication-of-Unifi-AP-connected-users
Create a new Network Policy for the RADIUS authentication of Unifi AP connected users

On the Conditions tab, you set the Conditions that you want to match such as Windows group membership.

There are many others including:

  • Machine groups
  • User groups
  • Day and time restrictions
  • IP address
  • Allowed EAP types
Set-the-conditions-for-authentication
Set the conditions for authentication

On the Constaints tab, the authentication methods is the configuration we want to give attention to. Make sure you have the options configured as below. On EAP types we want to use:

  • Microsoft: Protected EAP (PEAP)

Click the Edit button to edit the properties of the Microsoft PEAP option.

Under-constraints-you-can-set-the-Windows-group-memberships-for-Unifi-RADIUS
Under constraints you can set the Windows group memberships for Unifi RADIUS

Select the certificate to use with PEAP. If you don’t have a certificate available, you can generate a self-signed certificate by using the PowerShell command:

new-selfsignedcertificate -dnsname "yourserver FQDN goes here" -KeyLength 2048 -CertStoreLocation cert:LocalMachineMy -NotAfter (Get-Date).AddYears(20)
Edit-PEAP-properties-and-select-the-self-signed-certificate-for-encryption
Edit PEAP properties and select the self-signed certificate for encryption

Once you have the certificate configured, the Network Policy configuration is basically complete. If you have any other options you want to tweak, you can make those changes. However, I like to start out basic in case there is any troubleshooting in general with connectivity that needs to be performed.

This is an Android device. I have selected the EAP method of PEAP. Under identity, this is where you place your Active Directory user. A note here, you don’t have to prepend the NETBIOS domain name in front, only the username. Then enter the AD password.

Setup-the-connection-on-a-mobile-device
Setup the connection on a mobile device

Troubleshooting Unifi RADIUS authentication

There are several troubleshooting areas that I will mention where generally problems can creep in.

  • Make sure you have the correct IP address for the Unifi APs
  • Make sure you have typed the shared secret password correctly between the Unifi RADIUS profile and the shared secret that is configured for the RADIUS clients configured for your APs in NPS.
  • Make sure Windows firewall is allowing RADIUS connections (UDP 1812,1813)
  • Make sure if you have scoped the configuration down to a Windows group, the user you are authenticating with is actually a member of that group
  • Check the event logs on the NPS server for NPS events
  • Use the NTRadPing tool to troubleshoot connectivity

Wrapping Up

Setting up RADIUS authentication in your Ubiquiti Unifi environment is fairly straightforward. Generally speaking, the details is where generally most admins are tripped up in configuring this.

With RADIUS troubleshooting, it is usually something small that will cause authentication to fail. Usually issues with the RADIUS client or shared secret will cause issues. Using the troubleshooting list above however, generally you can find the culprit.

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles

5 Comments

  1. If you generate self-signed certification using this comand
    new-selfsignedcertificate -dnsname “yourserver FQDN goes here” -KeyLength 2048 -CertStoreLocation cert:LocalMachineMy -NotAfter (Get-Date).AddYears(20)
    it won’t work. Because Andorid 10 or later version won’t accept this certificate and if you try to install certfificate manually, it will report “Private key required to install a certificate”.

    1. Alexander,

      Thank you for your comment. I haven’t tested this in a while, so definitely good to know if you are seeing issues with self-signed certs in the later versions of Android. It is always best to use real SSL certs. If I can find some time to circle back to this, it would be great to replace with a LetsEncrypt certificate in the steps for testing which should work fine.

      Brandon

      1. hey Brandon, great post indeed!

        I’m going to setup a radius server along our Ubiquiti environment, bear in mind I do not have an Unifi Security Gateway but a Meraki as main firewall, however, all switches are Ubiquiti, I see some issues with Android newer versions posted by Alexander, have you planned to makes some tests again ?

        hey I will be glad to post back here my results a soon I made the changes
        thanks!

  2. Hi, thank you for your post.
    I have a question, Do I need to share the CA with the clients? Or is downloaded automatically.
    and if the users need to be added to the domain?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.