RADIUS-Based MAC Authentication and 802.1X
RADIUS-based MAC Authentication (802.1X) allows you to use your database of MAC Addresses to authenticate wired and wireless clients connecting to your network.
Note: If you don't already have a RADIUS server configured with MAC addresses, or you have a small quantity of devices, consider using the MAC Access Control List option.
Configure a RADIUS Profile
- Navigate to Settings > Profiles > RADIUS.
  - If using a UniFi Gateway, select the Default RADIUS profile.
  - If using a third-party RADIUS server, select Create New.
- Create a new RADIUS User with the following settings:
  - Username & Password: MAC Address of the device
    - Every User’s MAC Address must be formatted the same way: AABBCCDDEEFF (no separators)
  - VLAN ID: Optionally add a VLAN ID to assign the client. If it is left blank, the client will be assigned to the VLAN associated with the switch port or WiFi it is connected to.
    - If a VLAN is added:
      - Tunnel Type: None
      - Tunnel Medium Type: None
    - If no VLAN is added:
      - Tunnel Type: 13
      - Tunnel Medium Type: 6
Note: MAC-based authentication accounts can only be used for wireless and wired clients. L2TP remote access does not apply.
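An added example (not UniFi code) for preparing RADIUS User entries from a device inventory that mixes MAC notations: it normalizes each address to the AABBCCDDEEFF form required above, rejects malformed and non-unicast addresses, and collapses duplicates. The function names, the accepted input notations and the sample inventory are assumptions made for this example.

```python
import re

# Input notations accepted (assumption): bare hex, aa:bb.. or aa-bb.., aabb.ccdd.eeff
_MAC_FORMATS = re.compile(
    r"[0-9A-F]{12}"
    r"|[0-9A-F]{2}([:-])[0-9A-F]{2}(?:\1[0-9A-F]{2}){4}"
    r"|[0-9A-F]{4}\.[0-9A-F]{4}\.[0-9A-F]{4}",
    re.IGNORECASE,
)

def normalize_mac(raw):
    """Return raw as 12 uppercase hex digits, no separators, or raise ValueError."""
    text = raw.strip()
    if not _MAC_FORMATS.fullmatch(text):
        raise ValueError(f"not a MAC address: {raw!r}")
    mac = re.sub(r"[:.-]", "", text).upper()
    # Group (multicast/broadcast) and all-zero addresses are never a client's own MAC.
    if int(mac[:2], 16) & 1 or mac == "000000000000":
        raise ValueError(f"not a unicast device address: {raw!r}")
    return mac

def build_radius_users(inventory):
    """inventory: iterable of (mac, vlan_id or None). Returns (users, problems).

    Each user gets the normalized MAC as both username and password."""
    users, problems = {}, []
    for raw, vlan in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if vlan is not None and not 1 <= vlan <= 4094:
            problems.append(f"{mac}: VLAN ID {vlan} is outside 1-4094")
            continue
        if mac in users:  # same device entered twice, possibly in another notation
            if users[mac]["vlan"] != vlan:
                problems.append(f"{mac}: listed twice with different VLAN IDs")
            continue
        users[mac] = {"username": mac, "password": mac, "vlan": vlan}
    return list(users.values()), problems

SAMPLE = [  # constructed sample inventory, not real devices
    ("aa:bb:cc:dd:ee:ff", 20),
    ("AA-BB-CC-DD-EE-FF", 20),    # duplicate of the entry above
    ("0011.2233.4455", None),     # no VLAN ID: port or WiFi VLAN applies
    ("00:11:22:33:44", None),     # truncated
    ("ff:ff:ff:ff:ff:ff", None),  # broadcast
    ("02-00-5E-10-00-01", 4095),  # reserved VLAN ID
]
```

Calling `build_radius_users(SAMPLE)` returns the two usable entries plus a list of the three rejected rows, which is worth reviewing before any accounts are created.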
Apply the Profile
Wireless Devices
- Navigate to Settings > WiFi and select your WiFi.
- In your WiFi Settings, enable RADIUS MAC Authentication.
- Select the MAC Address Format that matches the format you’ve used for the RADIUS usernames (see Configure a RADIUS Profile, above).
Wired Devices
To apply this globally, go to Settings > Networks > Global Switch Settings. To individually configure a port, follow these steps:
- Navigate to Settings > Profiles > Ethernet Ports.
- Create a New Profile with the following settings:
  - Primary Network: Default or another specific network
  - 802.1X Control: MAC-based
- Navigate to a UniFi Switch’s Port Manager.
  - UniFi Devices > Select a Switch > Port Manager
- Select your port.
- Select Ethernet Port Profile and choose the profile you’ve just built.
- Apply Changes.