UniFi Network - 802.1X Control (Advanced)

This article describes how to configure 802.1X Control on UniFi switches to authenticate wired client devices. 

Requirements & Notes

• A UniFi gateway or UniFi Gateway Console is required to run RADIUS.
• A third-party RADIUS server can be used by creating a new RADIUS profile.
• 802.1X Control mode 'Auto' requires the usage of a third-party RADIUS server.
• The fallback VLAN is used when a client device fails to authenticate.

Configuring MAC-Based Authentication

1. Enable 802.1X Control for all or individual UniFi switches and optionally specify the Fallback VLAN.

• All - Settings > Networks > Global Switch Settings > 802.1X Control
• Individual - UniFi Devices > select switch > Settings > Advanced > 802.1X Control

2. Select the Default RADIUS profile when using a UniFi gateway or Create New RADIUS profile when using a third-party RADIUS server.

3. Create the RADIUS users that match the MAC addresses of the wired clients.

Settings > Profiles > RADIUS > Default > Create New RADIUS User

• Username - Mac address in capital letters without any dashes or colons, for example ABCDEF123456.
• Password - Mac Address in capital letters without any dashes or colons, for example ABCDEF123456.
• VLAN ID - 0
• Tunnel Type - None
• Tunnel Medium Type - None

4. Create a new Port Profile and select MAC-based under the Advanced settings.

Settings > Profiles > Switch Ports > Create New Port Profile

• Native Network - Default or specific network
• Allowed Networks - None
• Voice Network - None
• 802.1X Control (Advanced) - MAC-based

5. Apply the 802.1X Control profile to the port(s) on the UniFi switch where a wired client device is connected.

UniFi Devices > select switch > Ports > Port Manager > select port(s) > Port Profile