UniFi Gateway - Configuring a RADIUS Server

UniFi Gateways include a built-in RADIUS server, which can be used with the 802.1X standard to provide secure authentication for VPNs and network access.

What is 802.1X?

IEEE 802.1X is a port-based access control standard for authenticating devices before they are allowed onto a network. 802.1X has three components:

  • Supplicant: The device that is requesting access to network services.
  • Authenticator: The network device (a switch port or access point) that relays the supplicant's credentials to the Authentication Server and forwards nothing but that authentication traffic until access is granted.
  • Authentication Server: The server (for example, a RADIUS server) that performs the authentication and tells the authenticator whether the supplicant is authorized to access network services.

A client device is authorized by a RADIUS server with 802.1X in the following process:

  1. The client device (supplicant) is prompted for credentials.
  2. The user enters their credentials.
  3. The supplicant sends them to the authenticator at the data link layer (EAP over LAN, or EAPOL); no other traffic is forwarded until the device is authorized.
  4. The authenticator wraps the request in a RADIUS Access-Request and forwards it to the RADIUS server.
  5. The RADIUS server returns one of three responses to the authenticator:
    1. Access-Reject: The user is denied access to the network.
    2. Access-Challenge: The server needs more information before it can decide, such as a second password, token, PIN or card. This message is also used by EAP methods that first establish a secure TLS tunnel between the supplicant and the RADIUS server (for example PEAP or EAP-TTLS), which takes several round trips.
    3. Access-Accept: The user is granted access to the network. The response may also carry attributes the authenticator applies to the session, such as a VLAN assignment.
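The exchange above, with the shared secret doing the work the Secret setting below refers to, as an added example that is not part of the original article or UniFi's implementation: a minimal RFC 2865 authenticator and server in Python, run in one process so it works offline. It uses a plain User-Password attribute (PAP) rather than an EAP method to keep it short; the secret, the user database and the Identifier value are constructed sample values.

```python
"""RFC 2865 Access-Request / Access-Accept exchange, end to end.

Added example for this article; it is not UniFi code. The authenticator
(switch or access point) and the RADIUS server run in one process so the
effect of the shared secret can be shown offline. The secret, the user
database and the Identifier value are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # attribute types
SECRET = b"use-a-long-random-secret"          # constructed shared secret
USERS = {"alice": b"correct horse battery"}   # constructed user database

def attr(code, value):
    """One attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", code, len(value) + 2) + value

def parse_attrs(payload):
    attrs, i = {}, 0
    while i < len(payload):
        code, length = payload[i], payload[i + 1]
        attrs[code] = payload[i + 2:i + length]
        i += length
    return attrs

def packet(code, ident, authenticator, attrs):
    """20-byte header (Code, Identifier, Length, Authenticator) + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the server needs the same secret to succeed."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_access_request(ident, username, password, secret):
    """Authenticator side: a fresh random Request Authenticator per request."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, username.encode()) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def server_handle(request, secret):
    """RADIUS server side: recover the password and answer Accept or Reject."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if hmac.compare_digest(USERS.get(user, b""), password) else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")

def verify_response(request, response, secret):
    """Authenticator side: trust the verdict only if the Identifier echoes the
    request and the Response Authenticator checks out; otherwise a forged
    Access-Accept or a secret mismatch would pass as a real answer."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None

def authenticate(username, password, client_secret=SECRET, server_secret=SECRET):
    """Run one full exchange and report what the authenticator concludes."""
    request = build_access_request(7, username, password, client_secret)
    response = server_handle(request, server_secret)
    verdict = verify_response(request, response, client_secret)
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(
        verdict, "invalid response (secret mismatch or tampering)")

if __name__ == "__main__":
    print(authenticate("alice", b"correct horse battery"))
    print(authenticate("alice", b"correct horse battery", server_secret=b"different-secret"))
```

Call authenticate with a wrong password, with a server secret that differs from the authenticator's, or flip the code byte of a reply before passing it to verify_response to see the three failure modes: a clean Access-Reject, a reply whose Response Authenticator no longer verifies, and a forgery that is discarded. Note that only the password attribute is hidden; the rest of the packet, including the username, is cleartext, which is why the RADIUS path between authenticator and server should stay on a trusted management network.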

How to Enable the RADIUS Server

  1. Navigate to Settings > Profiles > RADIUS.
  2. Select the Default RADIUS Server to access its Settings.
  3. Select Enable.
  4. Adjust the rest of its settings, including:
    1. Secret: Pre-shared key provisioned to both the authenticator device(s) and the RADIUS server. It is used to authenticate RADIUS messages between the two, so a reply cannot be forged or altered undetected, and to hide the User-Password attribute. Use a long, random value: the rest of a RADIUS packet travels in cleartext over UDP, and a short secret can be brute-forced offline from a single captured request/response pair.
    2. Authentication Port: The UDP port on which authentication messages (Access-Request and the responses to it) are exchanged between authenticator and RADIUS server. The standard port is 1812.
    3. Accounting Port: The UDP port on which accounting messages (Accounting-Request and Accounting-Response) are exchanged between authenticator and RADIUS server. The standard port is 1813.
    4. Accounting Interim Interval: Time (in seconds) between Accounting-Request packets with the Acct-Status-Type attribute set to Interim-Update, which the authenticator sends for each active session. "Interim" records contain the current session duration and can provide information on data usage (see RFC 2869).
Note: The RADIUS server collects client information sent by the authenticator that can be used for accounting and network activity reporting. The authenticator sends an Accounting-Request with Acct-Status-Type Start when the user logs on and Stop when the session ends. For more information on RADIUS accounting, see RFC 2866.

How to Create Users in the Network Application

  1. Navigate to Settings > Profiles > RADIUS.
  2. Select Create a New RADIUS User.
    1. Username: Enter a unique username.
    2. Password: Enter the desired password.
    3. VLAN: Assign a RADIUS-authenticated client to a specific VLAN when using RADIUS-assigned VLANs (see below).
    4. Tunnel Type: See RFC 2868 section 3.1 (13 = VLAN, required for RADIUS-assigned VLANs).
    5. Tunnel Medium Type: See RFC 2868 section 3.2 (6 = IEEE 802).

To authenticate devices based on MAC address, check out RADIUS-Based MAC Authentication and 802.1X.

How to Enable RADIUS Assigned VLAN

  1. Navigate to Settings > Profiles > RADIUS and select your profile.
  2. Enable RADIUS Assigned VLAN Support for the types of networks desired.
  3. Assign your Users to specific VLANs.
    1. For dynamic VLAN users, set the Tunnel Type to 13 (VLAN) and the Tunnel Medium Type to 6 (IEEE 802). The VLAN field is delivered to the authenticator in the Tunnel-Private-Group-ID attribute of the Access-Accept (RFC 3580).

Note: If the user profile does not include a VLAN, the client falls back to the untagged (native) VLAN of the port or wireless network it connected through.
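How the VLAN, Tunnel Type and Tunnel Medium Type fields travel inside the Access-Accept, and what an authenticator does when they are missing or unusable, as an added example that is not part of the original article or UniFi's code. The attribute numbers (64, 65, 81) and the values 13 and 6 come from RFC 2868 and RFC 3580; the VLAN IDs, the tag value and the helper names (`vlan_attributes`, `assigned_vlan`) are constructed for this example.

```python
"""RADIUS-assigned VLAN attributes (RFC 2868 tunnel attributes, RFC 3580 usage).

Added example for this article; it is not UniFi code. It encodes the three
attributes an Access-Accept carries for a dynamic VLAN and decodes them the
way an authenticator would, falling back to the untagged network only when
no VLAN assignment is present. VLAN IDs and tags are constructed values.
"""
import struct
from typing import Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # attribute types
TUNNEL_TYPE_VLAN = 13       # RFC 2868 section 3.1 value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # RFC 2868 section 3.2 value for IEEE 802

def attr(code, value):
    """One attribute as Type, Length, Value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def tagged_int(value, tag):
    """Tunnel-Type and Tunnel-Medium-Type carry a 1-octet Tag plus a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")

def vlan_attributes(vlan_id, tag=1):
    """What the server puts in the Access-Accept for a user's VLAN field."""
    return (attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN, tag))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802, tag))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_attrs(payload):
    """Walk the TLV list, refusing lengths that run past the buffer."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute list")
        code, length = payload[i], payload[i + 1]
        out.append((code, payload[i + 2:i + length]))
        i += length
    return out

def split_tag(value):
    """RFC 2868 section 3.6: a leading octet of 0x00-0x1F is a Tag; anything
    larger is the first character of the string and the attribute is untagged (tag 0)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def assigned_vlan(payload, untagged_vlan) -> Optional[int]:
    """VLAN the authenticator should place the client in.

    Returns untagged_vlan when the reply carries no VLAN assignment at all (the
    fallback the article describes) and None when tunnel attributes are present
    but unusable (not a VLAN tunnel, non-numeric or out-of-range ID). A caller
    should treat None as a failed authorisation rather than silently dropping
    the client onto the untagged network; that choice is this example's, not a
    statement about how UniFi behaves.
    """
    types, media, groups = {}, {}, {}
    for code, value in parse_attrs(payload):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            (types if code == TUNNEL_TYPE else media)[value[0]] = int.from_bytes(value[1:], "big")
        elif code == TUNNEL_PRIVATE_GROUP_ID:
            tag, group = split_tag(value)
            groups[tag] = group.decode(errors="replace")
    if not (types or media or groups):
        return untagged_vlan
    for tag, group in groups.items():  # attributes belong together only if their tags match
        if types.get(tag) == TUNNEL_TYPE_VLAN and media.get(tag) == TUNNEL_MEDIUM_IEEE802:
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None

if __name__ == "__main__":
    print(assigned_vlan(vlan_attributes(20), untagged_vlan=1))  # VLAN from the server
    print(assigned_vlan(b"", untagged_vlan=1))                  # no assignment: untagged
```

The tag handling is the part most often got wrong: the three attributes are grouped by the Tag octet, and for Tunnel-Private-Group-ID a first byte above 0x1F is not a tag but the first digit of the VLAN ID, so a server that omits the tag still interoperates with one that sends tag 1.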
