UniFi Gateway - Configuring RADIUS Server

2023-09-23 20:00:34 UTC

This article describes how to configure the RADIUS server on the USG and UDM models. This server can be used for wired, wireless, and L2TP remote access authentication types. The configuration of the RADIUS server is the same for all authentication types. 

Introduction

The 802.1X standard has three components:

  • Authenticators: The port or device that relays the supplicant's messages to the RADIUS server before allowing access to the system.
  • Supplicants: The host connected to the port that is requesting access to system services.
  • Authentication Server: The external server, for example the RADIUS server, that performs the authentication on behalf of the authenticator and indicates whether the user is authorized to access system services. The Port Access Control folder contains links to the pages that allow you to view and configure 802.1X features on the system.


A client device is authorized with 802.1X in the following process:

1. The client device is prompted for credentials.

2. User inputs credentials.

3. The client device sends a request on the data link layer to an authenticator to gain access to the network. 

4. The authenticator device then sends a message called the "RADIUS Access Request" message to the configured RADIUS server.

5. The RADIUS server then returns one of three responses to the authenticator:

  • Access-Reject: The user is denied all access, either because correct credentials were not provided or because the user has been removed from the RADIUS server.
  • Access-Challenge: The server requests additional information from the user before authenticating, such as a secondary password, token, PIN, or card. This message is also used in more complex authentication methods where a secure tunnel is established between the user's machine and the RADIUS server.
  • Access-Accept: The user is granted access to the network.

How to Enable RADIUS Server

  1. Navigate to Settings > Profiles > RADIUS.
  2. Enable the RADIUS server under the "Server" tab. 
  • Secret: Pre-shared key provisioned to both the authenticator devices and the RADIUS server. It authenticates the two sides to each other and protects the integrity of RADIUS messages.
  • Authentication port: The port on which RADIUS authentication messages are exchanged between the authenticator and the RADIUS server.
  • Accounting Port: The port on which RADIUS accounting messages are exchanged between the authenticator and the RADIUS server.
  • Accounting Interim Interval: Time (ms) between RADIUS access request packets carrying an Acct-Status-Type attribute with the value "interim-update". This update is sent to request the status of an active session. "Interim" records contain the current session duration and can provide information on data usage.
NOTE: The RADIUS server collects client information sent by the authenticator that can be used for accounting and network activity reporting. This information is sent when the user logs on and logs off; these messages are usually called accounting requests. For more information on RADIUS accounting, see RFC 2866.

How to Create Users in the Network Application

  1. Navigate to Settings > Profiles > RADIUS
  2. Create user accounts under the "User" tab. 
  • Username: Enter a unique username for the user to authenticate with.
  • Password: Enter the password the user will authenticate with.
  • VLAN: Assigns a RADIUS-authenticated client to a specific VLAN when RADIUS-assigned VLANs are in use.
  • Tunnel Type: See RFC 2868 section 3.1.
  • Tunnel Medium Type: See RFC 2868 section 3.2.

To authenticate devices based on MAC address, use the MAC address as both the username and the password when creating the user. Enter the MAC address in uppercase letters with the colons or periods removed.

NOTE: MAC-based authentication accounts can only be used for wireless and wired clients. L2TP remote access does not apply.

How to Enable RADIUS Assigned VLAN

  1. Navigate to Settings > Profiles > RADIUS.
  2. Under the profile select "Enable RADIUS assigned VLAN..." for the types of networks desired.
  3. Navigate to Settings > Profiles > RADIUS > Users.
    1. For dynamic VLAN users, set the tunnel-type to (13) and the tunnel-medium-type to (6).

ATTENTION: If the user profile does not include a VLAN, the client will fall back to the untagged VLAN.
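As an added example (not code from Ubiquiti or from this article), the following Python shows what the shared secret protects and what the RADIUS-assigned VLAN settings above translate to on the wire: the server side builds an Access-Accept carrying Tunnel-Type 13, Tunnel-Medium-Type 6 and Tunnel-Private-Group-ID, seals it with the Response Authenticator defined in RFC 2865, and the authenticator side verifies it with the same secret and reads out the VLAN. Function names, the constructed secret and the VLAN number are assumptions for the demonstration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                      # RADIUS codes (RFC 2865)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6               # the values the article sets

def mac_to_radius_username(mac):
    """Normalise a MAC the way the article says: uppercase, colons/periods removed."""
    return mac.upper().replace(":", "").replace(".", "")

def attr(type_, value):
    """One Type/Length/Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", type_, 2 + len(value)) + value

def tagged_int(type_, value, tag=0):
    """Tagged integer: 1-byte tag then a 3-byte value (RFC 2868 sections 3.1, 3.2)."""
    return attr(type_, bytes([tag]) + value.to_bytes(3, "big"))

def vlan_attributes(vlan_id):
    """The three attributes an Access-Accept carries for a RADIUS-assigned VLAN."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(vlan_id).encode()))

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """Authenticator side: recompute with the shared secret; a wrong secret fails."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def assigned_vlan(packet):
    """VLAN from Tunnel-Private-Group-ID, or None (client falls back to untagged)."""
    pos, vlan = 20, None
    while pos + 2 <= len(packet):
        type_, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None                                   # malformed attribute list
        if type_ == TUNNEL_PRIVATE_GROUP_ID:
            vlan = packet[pos + 3:pos + length].decode()  # skip the tag byte
        pos += length
    return vlan
```

An Access-Accept that carries no Tunnel-Private-Group-ID yields None from assigned_vlan, which is the untagged-VLAN fallback the ATTENTION note above describes.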
