This article describes how to configure access policies (802.1X) on UniFi switches for wired clients. It covers configuration with the RADIUS server built into the UniFi Security Gateway, and gives UniFi Network configuration examples for pointing to your own authentication server. Every UniFi switch model is capable of authentication via 802.1X, and the configuration does not change from model to model.
Note: Please complete the prerequisite configuration found in the UniFi - USG: Configuring RADIUS Server article before following this guide's instructions.
- How to Enable the 802.1X Service on a Switch
- Differentiating 802.1X Port Modes
- How to Configure Fallback VLAN
- UniFi Network Application Configuration for Non-USG RADIUS Server
- Related Articles
How to Enable the 802.1X Service on a Switch
This option is found on the switch properties panel under Config > Services in the Security section when selecting an individual switch from the "Devices" section of the UniFi Network application.
Differentiating 802.1X Port Modes
- Auto: The port is unauthorized until a successful authentication exchange has taken place.
- Force Unauthorized: The port ignores supplicant authentication attempts and does not provide authentication services to the client.
- Force Authorized: The port sends and receives normal traffic without client port-based authentication.
- MAC-Based: This mode allows multiple supplicants connected to the same port to each authenticate individually. Each host connected to the port must authenticate separately in order to gain access to the network. The hosts are distinguished by their MAC addresses.
Working with Port Profiles
Using port profiles for rapid deployment is recommended instead of applying 802.1X policies manually on each port.
- Navigate to Settings > Profiles > Switch Ports.
- Create a new profile with the desired 802.1X control.
How to Configure Fallback VLAN
The fallback VLAN is used when a client fails to authenticate with username and password or MAC authentication bypass. This setting is defined per-switch.
This option is found on the switch properties panel under Config > Services in the Security section when selecting an individual switch from the "Devices" section of the UniFi Network application. The Fallback option will appear once the 802.1X control option is enabled.
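The following Python sketch is an added example, not UniFi code. It models the four port modes and the fallback VLAN as this article describes them, to show which hosts on a shared port end up in which VLAN. The function names, MAC addresses and VLAN numbers are constructed, and treating Auto as a single authorization state for the whole port is an assumption taken from the wording above, not from firmware behavior.

```python
from enum import Enum

class Mode(Enum):
    AUTO = "Auto"
    FORCE_UNAUTHORIZED = "Force Unauthorized"
    FORCE_AUTHORIZED = "Force Authorized"
    MAC_BASED = "MAC-Based"

def port_decisions(mode, hosts, port_vlan, fallback_vlan=None):
    """Return {mac: vlan or None} for the hosts seen on one switch port.

    hosts maps MAC -> True (authentication succeeded) or False (failed).
    A result of None means the host gets no access at all.
    """
    if mode is Mode.FORCE_AUTHORIZED:
        # No port-based authentication: every host gets the port VLAN.
        return {mac: port_vlan for mac in hosts}
    if mode is Mode.FORCE_UNAUTHORIZED:
        # Authentication attempts are ignored: nobody gets access.
        return {mac: None for mac in hosts}
    if mode is Mode.AUTO:
        # Assumption: one state per port. A single successful exchange
        # authorizes the port; otherwise the fallback VLAN (if set) applies.
        vlan = port_vlan if any(hosts.values()) else fallback_vlan
        return {mac: vlan for mac in hosts}
    # MAC-Based: each host is decided on its own authentication result.
    return {mac: (port_vlan if ok else fallback_vlan) for mac, ok in hosts.items()}

def unauthenticated_on_port_vlan(mode, hosts, port_vlan, fallback_vlan=None):
    """List hosts that reach the port VLAN without authenticating themselves."""
    result = port_decisions(mode, hosts, port_vlan, fallback_vlan)
    return sorted(m for m, ok in hosts.items() if not ok and result[m] == port_vlan)

# Constructed scenario: two hosts behind one port (for example via a small
# unmanaged switch); only the first one authenticates successfully.
SAMPLE_HOSTS = {"aa:bb:cc:00:00:01": True, "aa:bb:cc:00:00:02": False}

if __name__ == "__main__":
    for mode in Mode:
        decided = port_decisions(mode, SAMPLE_HOSTS, port_vlan=10, fallback_vlan=99)
        exposed = unauthenticated_on_port_vlan(mode, SAMPLE_HOSTS, 10, 99)
        print(f"{mode.value:18} {decided}  unauthenticated on VLAN 10: {exposed}")
```

Under these assumptions, MAC-Based is the only mode that both admits the authenticated host and keeps the unauthenticated one off the port VLAN.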
UniFi Network Application Configuration for Non-USG RADIUS Server
- Navigate to Settings > Profiles > RADIUS.
- Create a new RADIUS Profile with the information for the external RADIUS server.