Overview
In this article, readers will have an understanding of how to configure access policies (WPA-E) on UniFi access points for wireless clients.
- UniFi Access Point
- UniFi Controller
- UniFi Security Gateway (if using USG as RADIUS Server)
- Or third-party RADIUS Server
Table of Contents
- Introduction
- Network Diagram
- Configuring WPA2-Enterprise
- Configuring MAC Filter
- Configuring RADIUS MAC Authentication
- Configuring a Non-USG RADIUS Server
- Related Articles
Introduction
The 802.1X standard has three components:
- Authenticators: Specifies the port or device that is sending messages to the RADIUS server before permitting system access.
- Supplicants: Specifies host connected to the port requesting access to the system services.
- Authentication Server: Specifies the external server, for example, the RADIUS server that performs the authentication on behalf of the authenticator, and indicates whether the user is authorized to access system services. The Port Access Control folder contains links to the following pages that allow you to view and configure 802.1X features on the system.
RADIUS Authentication and Authorization:
The process in which a client device is authorized with 802.1X goes as follows:
1. The client device is prompted for credentials.
2. User inputs credentials.
3. The client device sends a request on the data link layer to an authenticator to gain access to the network.
4. The authenticator device then sends a messaged called the "RADIUS Access Request" message to the configured RADIUS server.
5. The RADIUS server then returns one of three responses to the authenticator:
- Access-Reject: The user entered is denied all access either based on inability to provide correct identification or the user has been removed from the RADIUS server.
- Access-Challenge: The user needs additional information to authenticate such as secondary password, token, PIN, or card. This message is also used in more complex authentication where a secure tunnel is established between the user machine and RADIUS server.
- Access-Accept: The user is granted access to the network.
- Static IP to be used for the client.
- A specific address pool to be used for the client.
- Maximum time that a client can be authenticated.
- Access list parameters
- QoS specifics
- VLAN ID to be used for the client (Dynamic VLAN).
Network Diagram
Configuring WPA2-Enterprise
1. Navigate to Settings > Wireless Networks
2. Select the wireless network that will have WPA2-Enterprise enabled.
3. Select WPA Enterprise under security.
4. Choose the desired RADIUS profile.
5. Select Save after changes have been completed.
Configuring MAC Filter
1. Navigate to Settings > Wireless Networks
2. Select the wireless network that will have MAC Filter enabled.
3. Select Enabled
4. Select whether the client devices added to the list will be blacklisted (not allowed) or whitelisted (only these clients can join the SSID).
5. Select Save after changes have been completed.
- Add batch allows for bulk upload of MAC addresses.
- Add clients allows a selection of clients that are known to the UniFi Controller.
Configuring RADIUS MAC Authentication
1. Navigate to Settings > Wireless Networks
2. Select the wireless network that will have RADIUS MAC Authentication enabled.
3. Select Enabled
4. Choose a RADIUS profile for the SSID to use for MAC authentication.
5. Select the format to be passed as a username and password from the UAP to the authentication server.
6. Select Save after changes have been completed.
Configuring a Non-USG RADIUS Server
- Navigate to Settings > Profiles > RADIUS.
- Create a new RADIUS Profile with the information for the external RADIUS server.
Related Articles
UniFi - USG: Configuring RADIUS Server
UniFi - Troubleshooting RADIUS Authentication
UniFi - USW: Configuring Access Policies (802.1X) for Wired Clients