How to Configure 802.1X and RADIUS for Ubiquiti UniFi

This guide explains how to configure 802.1X authentication and a RADIUS server for Ubiquiti UniFi networks. Learn how to deploy secure Wi-Fi access using WPA2-Enterprise, certificate-based authentication, and cloud RADIUS to protect enterprise networks.

Configure 802.1X authentication and RADIUS on Ubiquiti UniFi to secure enterprise Wi-Fi with certificate-based access.
Key Points
  • 802.1X authentication uses supplicants, authenticators, and a RADIUS server to validate devices and users before granting access, improving network security.
  • To configure 802.1X on Ubiquiti UniFi devices, set up a RADIUS server, create profiles, and secure wireless networks with WPA2-Enterprise.
  • Cloud RADIUS from SecureW2 provides passwordless authentication for modern cloud-based networks, improving resilience and efficiency.

The Ubiquiti UniFi platform provides unified, centrally controlled network infrastructure, including hardware such as routers, switches, and Ubiquiti access points, as well as UniFi RADIUS servers. UniFi products are widely used and offer many benefits, including integrations with common third-party network security solutions.

Using 802.1X authentication with UniFi and a Cloud RADIUS server makes the network even safer by ensuring that only authorized devices and people can connect.

How Does Ubiquiti UniFi 802.1X Authentication With RADIUS Work?

802.1X is an IEEE standard and a key part of network security. It verifies the identity of people or devices before they enter a network and keeps people who aren’t supposed to be there from getting in. In a Ubiquiti UniFi setup, 802.1X works together with a RADIUS (Remote Authentication Dial-In User Service) server. Users can choose to either use the built-in UniFi RADIUS server, or an external one. Here are the steps:

  1. A client device (the supplicant) attempts to connect to a UniFi Wi-Fi network or switch port.
  2. The UniFi access point or switch (the authenticator) blocks full network access and forwards the client’s credentials to the RADIUS server.
  3. The RADIUS server verifies the client’s identity (using username/password, digital certificates, or other methods) and tells the UniFi device whether to allow access.
  4. If authentication is successful, the device gains network access, often with dynamic VLAN assignment or other RADIUS policies applied.

This approach greatly improves security by preventing unauthorized access, making it ideal for environments with sensitive data.

Key Components of 802.1X Authentication

Three main components make 802.1X authentication work:

  • Supplicants
  • Authenticators
  • Authentication servers

Supplicants are devices that want to connect, like computers or smartphones. Authenticators, on the other hand, control who can join the network. The authentication server, which usually uses RADIUS, verifies the user’s information, which completes the three-way handshake.

RADIUS facilitates a safe and centralized authentication method by linking the authenticator and the supplicant. It manages the verification process to improve network security, serving as the guardian of user credentials. Organizations may track user access, enforce regulations, and keep a centralized database of user data by utilizing RADIUS. The main idea behind 802.1X is that supplicants, authenticators, and servers work together to make a strong authentication system that takes network security to a whole new level.

Benefits of Implementing 802.1X With a RADIUS Server for UniFi

There are many perks for UniFi network managers using 802.1X with a RADIUS server. First, it ensures that only verified and authorized devices can get in, lowering the risk of security threats and unauthorized access. 802.1X gives administrators more control over who can access what, such as assigning different roles and rights to different devices or groups of users. This simplifies network management and regulatory compliance. Also, 802.1X is a flexible and scalable security system that can adapt to new network technologies and protect the network from new dangers.

How To Set up a RADIUS Server for Ubiquiti UniFi

RADIUS adds an extra layer of identity verification to Ubiquiti UniFi, making networks safer by centralizing the authentication of people or devices trying to connect to a network.

Here’s how to set up a RADIUS server for Ubiquiti UniFi.

Installing and Configuring RADIUS Server Software

Install and set up the RADIUS server software before using the Ubiquiti UniFi RADIUS login. Ubiquiti UniFi works with multiple kinds of RADIUS servers, such as the built-in UniFi RADIUS server, on-premises servers, or third-party cloud RADIUS options. While Microsoft’s Network Policy Server (NPS) is one of the most commonly used, its downsides include configuration challenges, scalability issues, and installation complexity.

Before selecting a RADIUS server for UniFi, administrators should consider other RADIUS servers that better meet network needs and avoid NPS constraints, such as the Cloud RADIUS from SecureW2.

Establishing Communication Between Ubiquiti UniFi and a RADIUS Server

Once the RADIUS server is configured, the next critical step is to ensure that Ubiquiti UniFi devices and the Cloud RADIUS service communicate effectively.

  1. Make sure to set up RADIUS clients using the UniFi Network dashboard.
  2. Ensure UniFi devices are correctly connected to the network and that the Cloud RADIUS server is operational and accessible.
  3. Check that other requirements for authentication, such as EAP-TLS, are supported and set up correctly on both ends.

The complexity of this process can vary depending on your choice of RADIUS server. With SecureW2 Cloud RADIUS, the entire process is simplified and user-friendly.
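The access point and the RADIUS server must hold the same shared secret; a request whose integrity check fails is silently discarded, so a mismatch shows up only as timeouts. The added example below (not SecureW2 or Ubiquiti code) implements the two secret-dependent checks from RFC 2865 and RFC 2869. The function names, secret, user name, and NAS identifier are constructed for illustration, and the request omits the EAP-Message attributes a real 802.1X exchange carries.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 32, 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, user: bytes, nas_id: bytes):
    """Return (packet, request_authenticator) with a valid Message-Authenticator."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(NAS_IDENTIFIER, nas_id)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, req_auth


def request_mac_ok(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute HMAC-MD5 with the attribute value zeroed."""
    mac = packet[-16:]  # Message-Authenticator is the last attribute in this example
    expected = hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def response_ok(secret: bytes, reply: bytes, req_auth: bytes) -> bool:
    """Client-side check of the Response Authenticator (RFC 2865, section 3)."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def build_reply(secret: bytes, code: int, ident: int, req_auth: bytes,
                attrs: bytes = b"") -> bytes:
    """Constructed server reply, used only to exercise response_ok offline."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs
```

Running both checks with a deliberately wrong secret shows why a typo in the shared secret field produces no explicit error on either side.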

How To Configure 802.1X on a Ubiquiti UniFi Access Point With Cloud RADIUS

Configuring 802.1X on Ubiquiti UniFi Access Points enables certificate-based authentication to prevent unauthorized access. Let’s look at how to configure SecureW2 Cloud RADIUS with 802.1X on the Ubiquiti UniFi Access Point (AP).

Configure UniFi AP for Certificate-Based RADIUS Authentication

You can enable EAP-TLS authentication on your existing Ubiquiti infrastructure by creating a new RADIUS profile using the SecureW2 Cloud RADIUS service.

  1. Go to Settings > Profiles in your UniFi access point.
  2. Click Create New Radius Profile.
  3. For Profile Name, enter the relevant profile name.
  4. For VLAN Support, check the box for Enable RADIUS assigned VLAN for wireless network.
  5. Open a new browser tab/window, and log into your SecureW2 Management Portal.
  6. Go to RADIUS Management > RADIUS Configuration.
  7. Copy the information for Primary IP Address, Port, and Shared Secret (to your clipboard or somewhere handy), and paste respectively into the Create New Radius Profile form for IP Address, Port, and Password/Shared Secret.
  8. Click Save.
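When RADIUS-assigned VLANs are enabled, the VLAN arrives in the Access-Accept as the attribute triplet RFC 3580 defines: Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID. The added example below (not SecureW2 or Ubiquiti code) parses a constructed Access-Accept and returns a VLAN only when the triplet is complete and valid; that UniFi consumes exactly these attributes is an assumption, and all function names and sample bytes are illustrative.

```python
# Attribute numbers from RFC 2868; the VLAN values are those RFC 3580 specifies.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def parse_attributes(packet: bytes):
    """Yield (type, value) for each attribute, rejecting inconsistent lengths."""
    total = int.from_bytes(packet[2:4], "big")
    if total < 20 or total > len(packet):
        raise ValueError("bad packet length")
    pos = 20
    while pos < total:
        if pos + 2 > total or packet[pos + 1] < 2 or pos + packet[pos + 1] > total:
            raise ValueError("bad attribute length")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]


def assigned_vlan(packet: bytes):
    """Return the VLAN ID from an Access-Accept, or None if the triplet is incomplete."""
    found = {}
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")  # byte 0 is the tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            text = value[1:] if value[0] <= 0x1F else value  # optional tag byte
            found[atype] = text.decode("ascii", "replace")
    vlan = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if (found.get(TUNNEL_TYPE) == TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
            and vlan.isdigit() and 1 <= int(vlan) <= 4094):
        return int(vlan)
    return None


def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def make_accept(attrs: bytes) -> bytes:
    """Constructed Access-Accept (code 2) with a zeroed authenticator, for parsing only."""
    return bytes([2, 7]) + (20 + len(attrs)).to_bytes(2, "big") + bytes(16) + attrs


# Constructed sample: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, group ID "30".
SAMPLE_ACCEPT = make_accept(
    attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
    + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
    + attr(TUNNEL_PRIVATE_GROUP_ID, b"30"))
```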

Set up an Open SSID on UniFi

With Cloud RADIUS, we will set up an open onboarding SSID that redirects users to a BYOD self-enrollment portal, which issues certificates automatically to the connected devices.

  1. Navigate to Settings > Wireless Networks > Create New Wireless Network.
  2. Enter the name of the SSID in the NAME/SSID section.
  3. Under Enabled, check the box to Enable this wireless network.
  4. Under Security, select the radio button for Open.
  5. Under Guest Policy, select the box “Apply guest policies (captive portal, guest authentication, access).”
  6. Click Save.

If Ubiquiti does not support the URL’s sub-domains, we recommend you set up a local webserver with a rewritten URL that redirects users to the SecureW2 landing page.

Add the Webserver URL to “Redirect using hostname”

  1. Navigate to Settings > Guest Control > Guest Policies.
  2. Check the box “Enable Guest Portal”.
  3. Under Authentication, choose No Authentication.
  4. Check the box “Redirect using hostname”.
  5. Click Save.

Add the ACLs

You need to restrict this SSID so that it can be used only for self-service certificate enrollment and device network access configuration. For more information about the SSID, contact our expert support engineers.

  1. Navigate to Settings > Guest Control > Guest Policies.
  2. Check the box “Enable Guest Portal”.
  3. Under Access Control > Pre-Authorization, add the ACLs (hostname or IPv4).
  4. Click Apply.

Create a Secure SSID

You must create a new wireless network connection in the UniFi network console and set the security to WPA2-Enterprise. After setting up the new RADIUS profile in the network, you can enjoy the benefits of better security and enhanced user experience.

  1. From your UniFi Network console, go to Settings > Wireless Networks.
  2. Click Create New Wireless Network.
  3. For Name/SSID, enter the name of the SSID.
  4. For Enabled, check the box for Enable this wireless network.
  5. For Security, select the radio button for WPA-Enterprise.
  6. For RADIUS Profile, click the dropdown and select the RADIUS profile you created.
  7. Click Save.

Modernizing Ubiquiti UniFi: Elevating Security With SecureW2 Cloud RADIUS

Ubiquiti hardware comes with its own UniFi RADIUS server. That option provides authentication, authorization, and accounting (AAA) benefits, but may fall short in some situations. Solutions like Cloud RADIUS from SecureW2 offer strong protection against cyberattacks that result in credential theft and come with full integration capabilities. Cloud RADIUS delivers modern network security and integrates seamlessly with Ubiquiti UniFi to enable stronger, certificate-based authentication.

Unlike traditional RADIUS setups, Cloud RADIUS reduces risks from legacy methods by replacing passwords with digital certificates. Certificates verify both user and device context in real time, aligning with Zero Trust Network Security principles. This passwordless framework eliminates reliance on LDAP/AD servers and supports direct integration with Azure AD (Microsoft Entra ID), Okta, and Google Workspace, integrating with existing policies for secure authentication.

SecureW2 Cloud RADIUS delivers more secure, efficient, and user-friendly network access, addressing the challenges of modern security without the overhead of on-premises infrastructure.

Ready to eliminate passwords and modernize your Ubiquiti UniFi RADIUS server and other aspects of network security? Request a demo today to see how passwordless solutions from SecureW2 can transform your network authentication.