RADIUS-Based MAC Authentication and 802.1X

RADIUS-based MAC Authentication (802.1X) allows you to use your database of MAC Addresses to authenticate wired and wireless clients connecting to your network.

Note: If you don't already have a RADIUS server configured with MAC addresses, or you have a small quantity of devices, consider using the MAC Access Control List option.

Configure a RADIUS Profile

1. Navigate to Settings > Profiles > RADIUS.
   
   1. If using a UniFi Gateway, select the Default RADIUS profile.
   2. If using a third-party RADIUS server, select Create New.
2. Create a new RADIUS User with the following settings:
   
   1. Username & Password: MAC Address of the device
      
      1. Every User’s MAC Address must be formatted the same way (ex., aabbccddeeff, aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, or AABBCCDDEEFF)
      2. For UniFi Gateways, the MAC address format must be AABBCCDDEEFF for both the username and password.
   2. VLAN ID: 0
   3. Tunnel Type: None
   4. Tunnel Medium Type: None

Note: MAC-based authentication accounts can only be used for wireless and wired clients. L2TP remote access does not apply.

Apply the Profile

Wireless Devices

1. Navigate to Settings > WiFi and select your WiFi
2. In your WiFi Settings, enable RADIUS MAC Authentication.
   
   1. Select the MAC Address Format that matches the format you’ve used (see point 2.a.i of Configure a RADIUS Profile, above)

Wired Devices

To apply this globally, go to Settings > Networks > Global Switch Settings. To individually configure a port, follow these steps:

1. Navigate to Settings > Profiles > Ethernet Ports
2. Create a New Profile with the following settings:
   
   1. Primary Network: Default or another specific network
   2. 802.1X Control: MAC-based
3. Navigate to a UniFi Switch’s Port Manager.
   
   1. UniFi Devices > Select a Switch > Port Manager
4. Select your port.
5. Select Ethernet Port Profile and choose the profile you’ve just built.
6. Apply Changes.