UniFi OS Consoles Wi-Fi Switching Camera Security Phone System Door Access Accessories UISP

UniFi Video is an obsolete product line.

This application and its related devices will no longer receive any manner of technical support, including functional and security updates. Additionally, there will be no further updates to Help Center content pertaining to UniFi Video.

UniFi - USW: Configuring Access Policies (802.1X) for Wired Clients

This article describes how to configure access policies (802.1X) on UniFi switches for wired clients. This article includes instructions on how to configure using the RADIUS server built-in to the UniFi Security Gateway and also UniFi Network configuration examples to point to your own authentication server. Every UniFi switch model is capable of authentication via 802.1X. The configuration does not change from model to model.

Note: Please complete the prerequisite configuration found in the UniFi - USG: Configuring RADIUS Server article before following this guide's instructions.

How to Enable the 802.1X Service on a Switch

Back to Top

This option is found on the switch properties panel under Config > Services in the Security section when selecting an individual switch from the "Devices" section of the UniFi Network application.

ATTENTION:Enabling access control is done a per switch basis. If this is not enabled, the switch will not be able to act as an authenticator to pass RADIUS messages to the RADIUS server.  

Differentiating 802.1X Port Modes

Back to Top

  • Auto: The port is unauthorized until a successful authentication exchange has taken place.
  • Force Unauthorized: The port ignores supplicant authentication attempts and does not provide authentication services to the client
  • Force Authorized: The port sends and receives normal traffic without client port-based authentication.
  • MAC-Based: This mode allows multiple supplicants connected to the same port to each authenticate individually. Each host connected to the port must authenticate separately in order to gain access to the network. The hosts are distinguished by their MAC addresses.

Working with Port Profiles

Back to Top

Using port profiles for rapid deployment is recommended instead of applying 802.1X policies manually on each port.

  1. Navigate to Settings > Profiles > Switch Ports.
  2. Create a new profile with the desired 802.1X control.

NOTE:When using dynamic VLAN assignment on RADIUS the port profile must include each VLAN desired for use.

How to Configure Fallback VLAN

Back to Top

The fallback VLAN is used when a client fails to authenticate with username and password or MAC authentication bypass. This setting is defined per-switch.

This option is found on the switch properties panel under Config > Services in the Security section when selecting an individual switch from the "Devices" section of the UniFi Network application. The Fallback option will appear once the 802.1X control option is enabled. 

UniFi Network Application Configuration for Non-USG RADIUS Server

Back to Top

  1. Navigate to Settings > Profiles > RADIUS.
  2. Create a new RADIUS Profile with the information for the external RADIUS server.

User Tip: Check out Microsoft's guide on how to administrate their NPS to manage RADIUS users, certificates, etc.   

Related Articles

UniFi - USG: Configuring RADIUS Server

Was this article helpful?
91 out of 213 found this helpful