UniFi — USG/UDM: Configuring RADIUS Server

This article describes how to configure the RADIUS server on the USG and UDM models. This server can be used for wired, wireless, and L2TP remote access authentication types. The configuration of the RADIUS server is the same for all authentication types.

Table of Contents

Introduction

The 802.1X standard has three components:

• Authenticators: Specifies the port or device that is sending messages to the RADIUS server before permitting system access.
• Supplicants: Specifies host connected to the port requesting access to the system services.
• Authentication Server: Specifies the external server, for example, the RADIUS server that performs the authentication on behalf of the authenticator, and indicates whether the user is authorized to access system services. The Port Access Control folder contains links to the following pages that allow you to view and configure 802.1X features on the system.

RADIUS Authentication and Authorization:

The process in which a client device is authorized with 802.1X goes as follows:

1. The client device is prompted for credentials.

2. User inputs credentials.

3. The client device sends a request on the data link layer to an authenticator to gain access to the network.

4. The authenticator device then sends a messaged called the «RADIUS Access Request» message to the configured RADIUS server.

5. The RADIUS server then returns one of three responses to the authenticator:

• Access-Reject: The user entered is denied all access either based on inability to provide correct identification or the user has been removed from the RADIUS server.
• Access-Challenge: The user needs additional information to authenticate such as secondary password, token, PIN, or card. This message is also used in more complex authentication where a secure tunnel is established between the user machine and RADIUS server.
• Access-Accept: The user is granted access to the network.

Ubiquiti Unifi RADIUS Authentication Configuration

Do you have a Ubiquiti Unifi wireless system setup for wireless access? Ubiquiti offers really great “enterprisey” products for the price that are very fully featured. I like the Unifi products for providing fully featured wireless configurations both at home and in an office setting. If you have a wireless network that you want to configure for enhanced security in the environment and especially to make use of a centralized identity source like Active Directory, setting up Ubiquiti Unifi RADIUS authentication is the way to go. Using RADIUS, you can tie in your Ubiquiti environment to Active Directory for using your identities stored there for additional authentication capabilities. Let’s take a look at Ubiquiti Unifi RADIUS authentication configuration and see how it can easily be accomplished.

Requirements for setting up RADIUS authentication for Ubiquiti Unifi

• Setting up a new wireless network on the Unifi controller
• Configuring a new RADIUS profile in the Unifi controller
• Configuring a RADIUS server (for the purposes of this post, using Microsoft’s Network Policy Server (NPS) role)
• Configuring RADIUS client in NPS including AD group, authentication method, certificate, etc
• Configuring a Network Policy for wireless clients

RADIUS authentication can be intimidating for those that have not configured it before, however, with only a few steps, we can get a basic RADIUS configuration configured without issue.

Let’s take a look and step through each of these to configure RADIUS authentication for wireless clients.

Setting up a new wireless network on the Unifi Controller

The first step we will take is setting up a new wireless network in our Unifi controller UI. To use RADIUS, we will create a new wireless network that is WPA Enterprise enabled on the Security setting.

Once you select the WPA Enterprise setting, you need to Create new RADIUS profile.

In the Create new RADIUS profile dialog box, name the profile and set the addresses for both the RADIUS Auth Server and the Accounting server (will be the same in most deployments, especially using NPS).

In the Password/Shared Secret, enter the shared password that will be used by the Unifi APs to authenticate with the RADIUS server.

Install the Network Policy Server (NPS) Role

In my environment, I have a Windows Server 2019 server that I have installed the Network Policy and Access Services role on.

Accept the additional role services that may be needed during the installation. You will most likely need to reboot your server after the installation (or I like to do this as a best practice) to ensure all services are squared away.

Configuring RADIUS Clients in NPS

Once you have the NPS server running on your Windows Server, you will need to setup your RADIUS clients. The clients in this case will be the Unifi APs that will be accessing your RADIUS server.

This is a step that typically trips a lot of would be configurations up. Pay attention to detail here. Make sure you have the correct IPs that are assigned to the management of the wireless APs. Also, make sure you enter the shared key for the RADIUS clients correctly.

To add a RADIUS client, right-click the RADIUS Clients folder and select New. ***Note*** You will need to do this for each Unifi AP that you want to be able to perform RADIUS authentication.

In the properties of your RADIUS client, you enter the IP address/DNS name and also the Shared secret.

Configuring a Network Policy for Wireless Clients

Once you have the RADIUS clients (Unifi APs) added to your RADIUS clients of the NPS server, you are ready to create the Network Policy. The network policy is essentially the requirements of the connection.

The policy is checked to see whether or not the user attempting to authenticate matches the policy requirements. This might include Windows group membership and other requirements.

First, create the new policy. By default it will create as enabled and granting access, but make sure you have the options selected here that you want in the Overview tab.

On the Conditions tab, you set the Conditions that you want to match such as Windows group membership.

There are many others including:

• Machine groups
• User groups
• Day and time restrictions
• IP address
• Allowed EAP types

On the Constaints tab, the authentication methods is the configuration we want to give attention to. Make sure you have the options configured as below. On EAP types we want to use:

• Microsoft: Protected EAP (PEAP)

Click the Edit button to edit the properties of the Microsoft PEAP option.

Select the certificate to use with PEAP. If you don’t have a certificate available, you can generate a self-signed certificate by using the PowerShell command:

Once you have the certificate configured, the Network Policy configuration is basically complete. If you have any other options you want to tweak, you can make those changes. However, I like to start out basic in case there is any troubleshooting in general with connectivity that needs to be performed.

This is an Android device. I have selected the EAP method of PEAP. Under identity, this is where you place your Active Directory user. A note here, you don’t have to prepend the NETBIOS domain name in front, only the username. Then enter the AD password.

Troubleshooting Unifi RADIUS authentication

There are several troubleshooting areas that I will mention where generally problems can creep in.

• Make sure you have the correct IP address for the Unifi APs
• Make sure you have typed the shared secret password correctly between the Unifi RADIUS profile and the shared secret that is configured for the RADIUS clients configured for your APs in NPS.
• Make sure Windows firewall is allowing RADIUS connections (UDP 1812,1813)
• Make sure if you have scoped the configuration down to a Windows group, the user you are authenticating with is actually a member of that group
• Check the event logs on the NPS server for NPS events
• Use the NTRadPing tool to troubleshoot connectivity

Wrapping Up

Setting up RADIUS authentication in your Ubiquiti Unifi environment is fairly straightforward. Generally speaking, the details is where generally most admins are tripped up in configuring this.

With RADIUS troubleshooting, it is usually something small that will cause authentication to fail. Usually issues with the RADIUS client or shared secret will cause issues. Using the troubleshooting list above however, generally you can find the culprit.

How to Configure Windows 2012 NPS for Radius Authentication with Ubiquiti Unifi

In a corporate environment shared key encryption is rarely used due to the problems associated with distributing the appropriate keys. In the corporate wireless world many organisations prefer to use 802.1x or Radius authentication so that their users can log on to the wireless networks with their domain credentials.

I was recently asked to set up just s system with Unifi access points and controllers on Windows Server 2012 with Microsofts own Radius solution NPS (or Network Policy Server) and 802.1x. There is plenty of information out there but I found that some of it was out of date and others were missing some fairly key components. So I present this tutorial to hopefully helps others get this up and running as quickly as possible.

The Unifi system was running 4.8.18, and obviously may change a little as things progress. The network I was working on looking like the following:

• Windows Server 2012 Active Directory – 192.168.1.50
• Ubuntu Server 14.04LTS Unifi Controller – 192.168.1.60
• Floor 1 Unifi AP – 192.168.1.250
• Floor 2 Unifi AP – 192.168.1.251
• Floor 3 Unifi AP – 192.168.1.252

As part of this project we wanted to turn on the following:

• Windows Server 2012 Network Policy Server – 192.168.1.55

The client also provided the server it’s own server certificate to allow clients to authenticate, and we installed that too.

I will assume you already have Active Directory installed, and you have a server ready to install Network Policy Server which is joined to the appropriate domains.

Oh and feel free to click on any of the screenshots for a bigger picture!

Step 1 – OPTIONAL – Install a Trusted Certificate for Authentication

Update 16 July 2016: An emailer has suggested that if you’ve got an enterprise Windows Certificate Services server setup you shouldn’t need to manually import a certificate, you should be able to do it quite happily via the usual certificate request process. Thanks Anon for the clarification suggestion 🙂

In this particular example the customer had a full and proper PKI infrastructure so they wanted to provide a certificate on the Radius/NPS server which clients could authenticate with. You don’t need to do this step, but if not you’ll have to get users to accept the certificate when they connect or otherwise distribute the certificate.

Download the certificate (in this case a .p12) and double click to install and you’ll probably want to install it on the “Local Machine” as opposed to the “Current User”, and click “Next”:

Type the password as appropriate for the file and click “Next”:

Leave the default on the next screen and click “Next”:

Then click “Finish”

And you should get a message like the following:

Step 2 – Install Microsoft Network Policy Server for Radius & 802.1x

From the Server Manager click “Add Roles or Features”

Make sure “Role-based or feature-based installation” is selected and click “Next”

Select the appropriate server in the next screen and click “Next”

Click on “Network Policy and Access Services”:

A box like this should pop up, click on “Add Features”:

Then click “Next”:

And click “Next” again:

And yet again, click “Next”:

And then click “Install”:

The Wizard should happily go away and install the NPS role for you. When it’s finished press “Close”:

Step 3 – Configure NPS for Unifi Authentication

Next we have to set up our server to allow domain authentication via 802.1x for our wireless clients. Click on Start and find the icon for Network Policy Server and click on it:

On the window that opens up drop down to “RADIUS Server for 802.1x Wireless or Wired Connections” and then click “Configure NAP”:

Make sure “Secure Wireless Connections” is highlighted, give it a sensible name and click “Next”:

The next screen is where we will add the details for all our Unifi access points, so click “Add”:

You will want to fill in the client area like this, note our “IP addresses” and “Shared Secret”. You’ll probably want to make the “Shared Secret” some complex string, but for this example I’ve just used “Password123!”. You need to type this into the Unifi controller for each AP. When complete click “Ok”:

When you’ve completed the process for the rest of your access points your screen will probably look like this, when you’re happy click “Next”:

On the next screen you want to drop down the EAP type to “Microsoft: Protected EAP (PEAP)”, and then click “Configure”:

On this screen you will want to select the certificate you want to present to the clients connecting over Wifi. Since in Option 1 I installed a given certificate just for this purpose this is what I need to select, and make sure “Enable Fast Reconnect” is ticked. When you’re happy with it click “Ok”:

Then click “Next”:

The next screen lets us select which groups we want to allow to authenticate wirelessly, click “Add” and find your appropriate group(s) and when you’re happy click “Next”:

Click “Next” on the following screen since we’re happy with the defaults:

On the next screen click “Finish”:

Next we need to disable some insecure options. Under Policies, Network Policies, right click “Secure Wireless Connections” and click “Properties”:

Click on the Constraints tab:

By default we have some insecure methods enabled:

Make sure they are all unchecked, like this and click “Ok”:

Well done! Your NPS server should be ready to go.

Step 3 – Configure Unifi to use NPS

WARNING: Your access points will likely have to re-provision at the end of this step. This means anyone connected to the APs will lose connectivity, if in doubt do it out of hours.

The previous Step was most certainly the biggest one, on Unifi it’s quick and easy.

Logon to your controller as normal and click on “Settings”:

Click on “Create New Wireless Network” or edit an existing one. Fill in the Wireless Network like this, make sure you select WPA-Enterprise and fill in the IP Address and Share Secret of the appropriate details, in our example it looks like the below. When you’re happy click “Save”:

At this point we found that the APs restarted, but not to worry if you’ve come this far it’s obviously going to be ok.

Step 4 – Connect Clients to Unifi Network

Now all that is configuered, you should be ready to attach your clients to the wireless network.

In the optional first step we installed a certificate specifically to allow the Radius server to be trusted by our clients. If you’ve got a proper PKI in place then all your devices should trust the Radius server already, so your steps below may be slightly different than mine (I deliberately didn’t install the certificate for testing purposes).

If you search for wireless networks the network you’ve added should show up, click on it:

Now enter your network details as normal and click Join:

If you DON’T have the certificate trusted by the end point you’ll get a warning like this, click on “Show Certificate” to make sure it’s as it should be:

That screen should look something like this (please note I’ve deleted some bits):

You can check that it’s how it should be, and this process will let you install the certificate so it will never ask you again for it.

But again if you’re using a properly trusted certificate by your end point you shouldn’t see this communication!

Once you’re connected you should have data like the following, notice it says 802.1X at the bottom:

Well done, you’ve got your Unifi using Radius authentication!