This article discusses how to use VLANs with UniFi Network wireless products. Find a link to an introductory article on VLANs in the Related Articles below, as well as how to use VLANs on UniFi switching and routing devices.
UniFi Device Management
Begin by adopting the UniFi wireless device over the native, or untagged, VLAN. Adoption over the untagged VLAN remains a requirement. That being said, L3 management is supported, so the UniFi Network Controller can be remote. See more about that in the UniFi - Device Adoption Methods for Remote UniFi Controllers article.
As of Controller software version 5.8, access points and switches can be set to tagged VLANs. After the device is adopted over the untagged VLAN, define a tagged management VLAN to use. This is found under the device Properties window (from the Devices page click on the device to reveal the Properties Panel). Select Config (gear icon) > Services > Management VLAN.
How to Configure VLANs on UniFi Access Points (UAP)
There can be upwards of one tagged VLAN per SSID, and 4 SSIDs per radio. The VLAN that an SSID uses can be set by going to Settings > Wireless Networks > Advanced Options. The advanced options area is shown either when a new wireless network (SSID) is created, or when an existing SSID is edited. VLANs can be used on standard or guest SSIDs.
Currently, the only VLAN that cannot be tagged to an SSID is 1, although that may change in the future, once the ability to define a management VLAN to all UAPs is expanded.
Within the UniFi Network Controller, RADIUS controlled VLANs can be used with UniFi APs and Switches. Instead of defining a VLAN on the wireless network, enable this option within the RADIUS profile. Find this section under Settings > Profiles. Below is an example of the RADIUS profile section.
Set the following RADIUS attributes in the RADIUS server for each user or group, based on the RADIUS configuration:
- Tunnel-Type = 13,
- Tunnel-Medium-Type = 6,
- Tunnel-Private-Group-Id = "149" # <=== add your vlan id for each user.
At the time of writing, one known limitation with RADIUS controlled VLANs is that a VLAN ID can't be shared between RADIUS users and a static VLAN assignment on another SSID on that access point. So, if SSID1 has a static VLAN assignment of 10, and SSID2 is configured for RADIUS controlled VLANs, the users on SSID2 cannot use the VLAN ID of 10, but they can use any other VLAN ID. If there were a third SSID that also used RADIUS controlled VLANs, it could use the same VLAN IDs as the users on SSID2 (again, except for 10). This applies on a per-UAP basis. Disabling the wireless network on the controller is sufficient to avoid the static VLAN overlap while transitioning to dynamic VLAN.
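
The overlap rule above and the RADIUS attributes listed earlier can be checked against a planned configuration before deployment. The following Python script is an added example, not Ubiquiti code or a controller API; the data layout, the check function, and every AP name, SSID, user and VLAN ID in it are assumptions made for illustration.

```python
# Added example: checks a planned configuration against the rules in this article.
# AP name, SSIDs, users and VLAN IDs are constructed sample data, not a UniFi API.
REQUIRED = {"Tunnel-Type": "13", "Tunnel-Medium-Type": "6"}

AP = {"name": "ap-lobby", "ssids": [
    {"name": "SSID1", "vlan": 10, "enabled": True},          # static VLAN
    {"name": "SSID2", "radius_vlan": True, "enabled": True},
    {"name": "SSID3", "radius_vlan": True, "enabled": True},
]}
USERS = {  # RADIUS reply attributes per user
    "alice": {"Tunnel-Type": "13", "Tunnel-Medium-Type": "6",
              "Tunnel-Private-Group-Id": "149"},
    "bob":   {"Tunnel-Type": "13", "Tunnel-Medium-Type": "6",
              "Tunnel-Private-Group-Id": "10"},    # collides with SSID1
    "carol": {"Tunnel-Type": "13",
              "Tunnel-Private-Group-Id": "20"},    # Tunnel-Medium-Type missing
}

def check(ap, users):
    """Return findings for one access point and the users it may serve."""
    findings = []
    enabled = [s for s in ap["ssids"] if s.get("enabled", True)]
    static = {s["vlan"]: s["name"] for s in enabled if "vlan" in s}
    if 1 in static:
        findings.append(f"{static[1]}: VLAN 1 cannot be tagged to an SSID")
    if not any(s.get("radius_vlan") for s in enabled):
        return findings  # no RADIUS controlled SSID on this AP
    for user, attrs in sorted(users.items()):
        for key, want in REQUIRED.items():
            if str(attrs.get(key)) != want:
                findings.append(f"{user}: {key} must be {want}")
        vid = str(attrs.get("Tunnel-Private-Group-Id", ""))
        if not (vid.isascii() and vid.isdigit() and 1 <= int(vid) <= 4094):
            findings.append(f"{user}: Tunnel-Private-Group-Id {vid!r} is not a VLAN ID")
        elif int(vid) in static:
            findings.append(f"{user}: VLAN {vid} is statically assigned to "
                            f"{static[int(vid)]} on {ap['name']}")
    return findings

if __name__ == "__main__":
    for line in check(AP, USERS):
        print(line)
```

Setting SSID1's enabled flag to False removes the finding for bob, which mirrors the note above that disabling the wireless network avoids the static VLAN overlap.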