UniFi Network - 802.1X Control (Advanced)
This article describes how to configure 802.1X Control on UniFi switches to authenticate wired client devices.
Requirements & Notes
- A UniFi gateway or UniFi Gateway Console is required to run RADIUS.
- A third-party RADIUS server can be used by creating a new RADIUS profile.
- 802.1X Control mode 'Auto' requires the usage of a third-party RADIUS server.
- The fallback VLAN is used when a client device fails to authenticate.
Configuring MAC-Based Authentication
1. Enable 802.1X Control for all or individual UniFi switches and optionally specify the Fallback VLAN.
- All - Settings > Networks > Global Switch Settings > 802.1X Control
- Individual - UniFi Devices > select switch > Settings > Advanced > 802.1X Control
2. Select the Default RADIUS profile when using a UniFi gateway or Create New RADIUS profile when using a third-party RADIUS server.
3. Create the RADIUS users that match the MAC addresses of the wired clients.
Settings > Profiles > RADIUS > Default > Create New RADIUS User
- Username - Mac address in capital letters without any dashes or colons, for example ABCDEF123456.
- Password - Mac Address in capital letters without any dashes or colons, for example ABCDEF123456.
- VLAN ID - 0
- Tunnel Type - None
- Tunnel Medium Type - None
4. Create a new Port Profile and select MAC-based under the Advanced settings.
Settings > Profiles > Switch Ports > Create New Port Profile
- Native Network - Default or specific network
- Allowed Networks - None
- Voice Network - None
- 802.1X Control (Advanced) - MAC-based
5. Apply the 802.1X Control profile to the port(s) on the UniFi switch where a wired client device is connected.
UniFi Devices > select switch > Ports > Port Manager > select port(s) > Port Profile