How-To: Enable Cloud RADIUS with Entra ID Authentication in Ubiquiti Unifi

Learn how to securely log into your Ubiquiti Unifi network using Cloud RADIUS with Entra ID authentication.

Introduction - How to Protect Your Ubiquiti Unifi Network with Cloud RADIUS

Having a single Wi-Fi password for your network is a security nightmare. It’s impossible to know who has access to your network, and it’s nearly impossible to change the password regularly without causing major outages. The best way to secure your Ubiquiti Unifi network is to use WPA-Enterprise with either certificates or individual user accounts for authentication.

To protect your Ubiquiti Unifi network using certificates or Entra ID accounts, you will need a RADIUS server to handle authentication requests. EZRADIUS is a cloud-based RADIUS as a Service that integrates directly with Entra ID to provide secure authentication for your Ubiquiti Unifi network without needing to manage any RADIUS servers or infrastructure. Simply add EZRADIUS as a RADIUS server in your Ubiquiti Unifi Controller, and your users can log in using either passwordless certificates or their Entra ID username and password.

Overview of RADIUS Authentication with EZRADIUS

Video Guides - How to Set Up Cloud RADIUS in Your Ubiquiti Unifi Network

Prefer step-by-step video instructions? Check out our end-to-end YouTube video guides for setting up Cloud RADIUS in your Ubiquiti Unifi network.

Prerequisites for Setting Up Cloud RADIUS for Ubiquiti Unifi

How to Create an EZRADIUS Subscription

An EZRADIUS billing subscription is required to create your cloud-based RADIUS server for your Ubiquiti Unifi network. If you do not already have an EZRADIUS subscription, follow this guide to create one.

Create an EZRADIUS Subscription

How to Set Up User Credentials for Cloud RADIUS

If you haven’t configured your authentication method yet, make sure to set that up before proceeding. This ensures that your users can authenticate properly when they connect to your Ubiquiti Unifi network.

How to Set Up Passwordless Certificate Authentication with RADIUS

Certificates are the best way to authenticate users or devices without the need for any passwords. Simply connect to the network and the certificate will handle the authentication for you. This is the most secure and user-friendly way to authenticate users in your Ubiquiti Unifi network.

While EZRADIUS supports any X.509 certificate such as ADCS and Microsoft Cloud PKI, the easiest way to create and manage certificates for your users is to use Keytos EZCA, a cloud-based PKI service that integrates directly with EZRADIUS. It only takes a few minutes to get started with EZCA and begin issuing certificates for passwordless Wi-Fi access in your Ubiquiti Unifi network.

Deploy Passwordless Certificates

How to Set Up Entra ID Users to Authenticate with RADIUS

Don’t want to manage certificates? No problem! You can authenticate your existing Entra ID users using their username and password without needing to manage any PKI infrastructure.

Note that if you have conditional access policies set up in Entra ID (such as MFA), you will need to add an exception for EZRADIUS in order for username/password authentication to work. View this page for more details on adding this exception.

Configure Conditional Access Exception

How to Set Up Local Users to Authenticate with RADIUS

Have legacy devices or non-Entra ID users? You can also create local users directly in EZRADIUS and authenticate them using their username and password. Check out this page for more information on creating local users in EZRADIUS or letting your Entra ID users self-register local RADIUS accounts if needed.

Create Local RADIUS Users

How to Set Up Your Cloud RADIUS Access Policies for Entra ID Authentication

An EZRADIUS Access Policy defines how EZRADIUS will authenticate users when they connect to your Ubiquiti Unifi network. You will need to create at least one access policy in EZRADIUS before you can connect your Ubiquiti Unifi network to EZRADIUS.

How to Create a Passwordless Certificate Access Policy

A certificate access policy allows you to accept X.509 certificates for authentication and determine which users or devices are allowed to connect to your Ubiquiti Unifi network. View this guide to learn how to create a certificate access policy in EZRADIUS if you have not already done so.

Create Certificate Access Policy

How to Create an Entra ID Username and Password Access Policy

An Entra ID username and password access policy allows you to authenticate your Entra ID users using their existing credentials. View this guide to learn how to create an Entra ID username and password access policy in EZRADIUS if you have not already done so.

Create Entra ID Password Access Policy

How to Create a Local Username and Password Access Policy

A local username and password access policy allows you to authenticate users that you have created directly in EZRADIUS. View this guide to learn how to create a local username and password access policy in EZRADIUS if you have not already done so.

Create Local User Access Policy

Step-by-Step Guide to Setting Up Cloud RADIUS for Ubiquiti Unifi

The following steps will guide you through the process of setting up Cloud RADIUS for your Ubiquiti Unifi network using EZRADIUS.

How to Add EZRADIUS as a RADIUS Server in Ubiquiti Unifi

Now that you have your EZRADIUS subscription and access policy set up, you can add EZRADIUS as a RADIUS server in your Ubiquiti Unifi Controller.

How to Add a Cloud RADIUS Server to Ubiquiti Unifi

  1. Navigate to your Ubiquiti Unifi Controller.

  2. Click on Network on the top menu.

    Ubiquiti Unifi Controller Network Settings
  3. From the left-hand menu select Settings.

    Ubiquiti Unifi Controller Settings
  4. Scroll down to the RADIUS section and click Create New.

    How to Create New RADIUS Profile in Ubiquiti Unifi Controller
  5. In the Add RADIUS Server dialog, enter the following details for your RADIUS server:

    • Name: Enter something like EZRADIUS

    • RADIUS Assigned VLAN Support: Select what type of networks you want to use with EZRADIUS, wireless and/or wired.

    • Leave TLS unchecked, as these steps are for Classic RADIUS authentication and not RadSec.

      Adding RADIUS Server in Ubiquiti Unifi Controller

How to Get Your EZRADIUS Server IP Addresses for Ubiquiti Unifi RADIUS

You can get your EZRADIUS Server IP addresses from the EZRADIUS dashboard. These IP addresses are needed to configure your network controller to communicate with the EZRADIUS service.

  1. Navigate to the EZRADIUS Policies page from the left-hand menu.

  2. At the top of the Policies page, you will find the EZRADIUS Server IP addresses. Copy one of the IP addresses from the region closest to your network controller (you’ll add the others later).

    How to Setup Cloud RADIUS Profile in a network controller

How to Add EZRADIUS Server IP Addresses to Ubiquiti Unifi

Now that you have your first EZRADIUS Server IP address, you can add it to your Ubiquiti Unifi Controller.

  1. Update the IP Address field with the EZRADIUS Server IP address you copied earlier.

  2. Leave the Port as the default of 1812.

    How to Add RADIUS Server for Entra ID in Ubiquiti Unifi Controller

How to Get Your EZRADIUS Shared Secret for Ubiquiti Unifi RADIUS

When you added your public IP address to your EZRADIUS policy, a shared secret was automatically generated for you. This shared secret is used to authenticate your network controller (RADIUS client) to the EZRADIUS server.

  1. In the EZRADIUS portal, navigate to the EZRADIUS Policies page from the left-hand menu.

  2. Scroll down to your RADIUS policy and find the Classic RADIUS Allowed IP Addresses section.

  3. For your public IP address, click on the eye icon to reveal the shared secret.

    How to View RADIUS Shared Secret in EZRADIUS

How to Add the EZRADIUS Shared Secret to Ubiquiti Unifi

Now that you have your EZRADIUS shared secret, you can add it to your Ubiquiti Unifi Controller.

  1. Back in the Ubiquiti Unifi Controller, set the Shared Secret to the shared secret that corresponds to your IP Address from EZRADIUS.

  2. Click Add to save this IP address.

    How to Add RADIUS Server for Entra ID in Ubiquiti Unifi Controller
  3. Make sure to repeat these steps to add one IP address from each EZRADIUS region to ensure high availability for your RADIUS authentication.

How to Configure RADIUS Accounting in Ubiquiti Unifi

Accounting logs contain information about user sessions and can be useful for auditing and troubleshooting. You can optionally enable RADIUS Accounting in your Ubiquiti Unifi Controller to send accounting logs to EZRADIUS. From there EZRADIUS can forward the logs to your SIEM and make them available in Audit Logs.

  1. Check the Accounting Servers box to optionally send RADIUS Accounting logs to EZRADIUS.

  2. Use the default Port of 1813 for accounting.

  3. Use the same Shared Secret as the RADIUS Servers.

  4. Click Add to save your RADIUS accounting server.

    How to Setup Cloud RADIUS Accounting Profile in Ubiquiti Unifi Controller

How to Save Your RADIUS Configuration in Ubiquiti Unifi

Now that you’ve added the EZRADIUS servers and accounting (if desired), you can save your RADIUS configuration.

  1. Leave Interim Update Interval unchecked.

  2. Finally, click Add to save your RADIUS Server.

    How to Add RADIUS Server for Entra ID in Ubiquiti Unifi Controller

How to Add a Cloud RadSec Server to Ubiquiti Unifi

  1. Navigate to your Ubiquiti Unifi Controller.

  2. Click on Network on the top menu.

    Ubiquiti Unifi Controller Network Settings
  3. From the left-hand menu select Settings.

    Ubiquiti Unifi Controller Settings
  4. Scroll down to the RADIUS section and click Create New.

    How to Create New RADIUS Profile in Ubiquiti Unifi Controller
  5. In the Add RADIUS Server dialog, enter the following details for your RADIUS server:

    • Name: Enter something like EZRADIUS RadSec

    • RADIUS Assigned VLAN Support: Select what type of networks you want to use with EZRADIUS, wireless and/or wired.

      Adding RADIUS Server in Ubiquiti Unifi Controller

How to Create a RadSec Certificate and Private Key for Ubiquiti Unifi

A RadSec Client Certificate is required to authenticate your network controller (RADIUS client) to the EZRADIUS server over a secure TLS connection. You can create a RadSec Client Certificate using EZCA or a 3rd Party Certificate Authority.

How to Create a RadSec Client Certificate Using EZCA

EZRADIUS is integrated with EZCA to make it easy to generate a new RadSec Certificate directly in your browser.

  1. In the EZRADIUS dashboard, from the left-hand menu click on Create RadSec Certificate.

  2. Under the Issuing CA dropdown, select the EZCA Certificate Authority you previously added to your EZRADIUS policy. If you just have one, it will be selected by default.

  3. Optionally add Tags for your certificate to help identify it later.

  4. Keep the Subject Name as CN=radsec.

  5. Enter at least one IP address of your network controller in the IP Address field and click Add. This field isn’t used for RadSec authentication so even if you have a dynamic IP, you can still proceed with your current IP.

    How to Create Radsec Certificate in for cloud RADIUS in EZRADIUS

  6. In the Certificate Location dropdown, select Generate Locally.

  7. Click on Request Certificate. It will take a few seconds to generate the certificate.

    How to Create cloud radius Radsec Certificate in for cloud RADIUS in EZRADIUS

  8. Click on Download Full Certificate.

    How to Download Radsec Certificate in EZRADIUS

  9. This will download 2 files. The .key file is the private key and the .pem file is the certificate.

    How to Download Radsec Certificate in EZRADIUS

How to Create a RadSec Client Certificate Using a 3rd Party Certificate Authority

Refer to your PKI documentation for creating a new RadSec Client Certificate. You will need both the certificate (.pem) and the private key (.key) files.

How to Upload a RadSec Certificate to Ubiquiti Unifi

Now that you’ve created your RadSec Client Certificate and Private Key, you can upload them to your Ubiquiti Unifi Controller.

  1. Back in your Ubiquiti Unifi Controller, configure the RadSec TLS Settings:
    • TLS: Check this box to use RadSec.

    • Client Certificate: Upload the .pem RadSec certificate file you created earlier.

    • Private Key: Upload the .key RadSec private key file you created earlier.

    • If your private key is password protected, enter your Private Key Password.

      How to Setup Radsec CA certificate trust in Ubiquiti Unifi Controller

How to Get the RadSec CA Certificate from EZRADIUS

The RadSec CA Certificate is used by your network controller to verify the identity of the EZRADIUS server when establishing a secure TLS connection. You can download the RadSec CA Certificate directly from the EZRADIUS dashboard.

  1. Navigate to the EZRADIUS Policies page from the left-hand menu.

  2. Click Download RadSec CA Certificate and save it to your local machine. It should be named radsec_ca.cer, or similar.

    How to Add RADIUS Server for Entra ID in Your Network

How to Upload the RadSec CA Certificate to Ubiquiti Unifi

Now that you have your RadSec CA Certificate (radsec_ca.cer), you can upload it to your Ubiquiti Unifi Controller.

  1. Back in your Ubiquiti Unifi Controller, in the RadSec TLS Settings, update CA Certificate by uploading the RadSec CA certificate file you downloaded earlier (radsec_ca.cer).

    How to Upload RadSec CA Certificate in Ubiquiti Unifi Controller
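A pre-flight check for the RadSec files used in the upload steps above: it confirms that the .key belongs to the .pem, that the certificate is not close to expiry, and (optionally, with network access) that a mutual-TLS handshake to a RadSec server on port 2083 succeeds. This is an added example, not part of the EZRADIUS or UniFi tooling; it assumes OpenSSL is installed and that the CA file is PEM-encoded, and the function names and file paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for RadSec client credentials before upload.
# Function names and file paths are illustrative, not from the guide.

# Return 0 only if the private key belongs to the certificate.
# $1 = client certificate (.pem), $2 = private key (.key), $3 = key password (optional)
# Returns 1 on a mismatch, 2 if either file cannot be read or decrypted.
radsec_pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
    echo "cannot read certificate: $1" >&2; return 2; }
  # -passin avoids an interactive prompt; it is ignored for unencrypted keys.
  key_pub=$(openssl pkey -in "$2" -pubout -passin "pass:${3:-}" 2>/dev/null) || {
    echo "cannot read private key (wrong password?): $2" >&2; return 2; }
  [ "$cert_pub" = "$key_pub" ] || {
    echo "private key does not match certificate" >&2; return 1; }
}

# Return 0 if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Attempt a mutual-TLS handshake with one RadSec server on port 2083 and
# fail if the server certificate does not chain to the supplied CA.
# $1 = server IP, $2 = client cert, $3 = client key, $4 = RadSec CA (PEM assumed)
radsec_handshake_ok() {
  openssl s_client -connect "$1:2083" -cert "$2" -key "$3" -CAfile "$4" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: ./radsec_check.sh client.pem client.key [key-password]
if [ "$#" -ge 2 ]; then
  radsec_pair_matches "$1" "$2" "${3:-}" && echo "key matches certificate"
  cert_valid_for_days "$1" 30 || echo "warning: certificate expires within 30 days" >&2
fi
```

Because the downloaded .key file is the credential that identifies your controller to the RADIUS service, run the check on the machine where the files were downloaded rather than copying the key elsewhere.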

How to Get Your EZRADIUS Server IPs for Ubiquiti Unifi for RadSec

You can get your EZRADIUS Server IP addresses from the EZRADIUS dashboard. These IP addresses are needed to configure your network controller to communicate with the EZRADIUS service.

  1. Navigate to the EZRADIUS Policies page from the left-hand menu.

  2. At the top of the Policies page, you will find the EZRADIUS Server IP addresses. Copy one of the IP addresses from the region closest to your network controller (you’ll add the others later).

    How to Setup Cloud RADIUS Profile in a network controller

How to Add EZRADIUS RADIUS Servers in Ubiquiti Unifi for RadSec

Now that you have your first EZRADIUS Server IP address, you can add it to your Ubiquiti Unifi Controller for RadSec.

  1. Update IP Address with an IP address closest to your Ubiquiti Unifi Controller from the EZRADIUS Server IP addresses (you’ll add the others later).

  2. Set the Port to 2083 which is the port used for RadSec.

  3. For the Shared Secret, enter radsec, as required by the RadSec RFC.

  4. Click Add to save this IP address.

    How to Add RADIUS Server for Entra ID in Ubiquiti Unifi Controller
  5. Repeat for one IP address from each region if your instance supports multiple regions for higher availability.

How to Configure RADIUS Accounting in Ubiquiti Unifi for RadSec

Accounting logs contain information about user sessions and can be useful for auditing and troubleshooting. You can optionally enable RADIUS Accounting in your Ubiquiti Unifi Controller to send accounting logs to EZRADIUS. From there EZRADIUS can forward the logs to your SIEM and make them available in Audit Logs.

  1. Check the Accounting Servers box to optionally send RADIUS Accounting logs to EZRADIUS.

  2. Use the same IP Addresses and Port (2083) as the RADIUS Servers.

  3. Leave Interim Update Interval unchecked.

  4. Click Add to save your RADIUS Server.

    How to Setup Cloud RADIUS Accounting Profile in Ubiquiti Unifi Controller
  5. Click Add to save your RADIUS Server to the Ubiquiti Unifi Controller.

    How to Add RADIUS Server for Entra ID in Ubiquiti Unifi Controller

How to Add a RADIUS Server to a Ubiquiti Unifi Network

Now that you have added EZRADIUS as a RADIUS server within Unifi, you can add it to your network so that when users connect to that network, they will be authenticated via EZRADIUS.

How to Add RADIUS to a Ubiquiti Unifi Wi-Fi Network

  1. Navigate to the WiFi menu on the left.

    How to Add RADIUS Server for Entra ID in Ubiquiti Unifi WIFI Controller

  2. Click the Create New button (or edit an existing network).

    How to Add RADIUS Server for Entra ID in Ubiquiti Unifi WIFI Controller

  3. Enter the SSID for your network.

  4. Leave the password field empty.

  5. Select if you want a specific VLAN for this network.

  6. Under Advanced, select Manual.

    How to Add Entra ID Authentication in Ubiquiti Unifi WIFI Controller

  7. Scroll down to Security Protocol and select WPA3 Enterprise (if you have legacy devices or passwords, select WPA2 Enterprise).

  8. Under RADIUS Profile, select the profile you created earlier.

    How to Add Entra ID RADIUS Authentication in Ubiquiti Unifi WIFI Controller

  9. Click on Create or Apply Changes.

    How to Add Entra ID Authentication in Ubiquiti Unifi WIFI Controller

  10. Done!

How to Add a RADIUS Server to a Ubiquiti Unifi Wired Network

It’s easy to leverage your EZRADIUS RADIUS server to authenticate users connecting to your Ubiquiti Unifi wired network using 802.1X authentication. Follow the steps below to enable RADIUS authentication on your Ubiquiti Unifi Switch(es).

How to Enable RADIUS Authentication in a Ubiquiti Unifi Switch

  1. In the left-hand menu, click Unifi Devices.

  2. Select your switch from the list of devices and click on the Settings gear icon.

  3. Under the Advanced tab, uncheck Global Switch Settings.

  4. Enable 802.1X Control.

  5. For RADIUS Profile, select the EZRADIUS profile you created earlier.

  6. Click Apply Changes to save your configuration.

    How to Enable RADIUS Authentication in Ubiquiti Unifi Switch

How to Create an Ethernet Port Profile for RADIUS Authentication in Ubiquiti Unifi

This step is only necessary if you want to create a reusable Ethernet Port Profile for RADIUS authentication. You can also enable 802.1X directly on individual switch ports without creating a port profile.

  1. From the Unifi Settings page, scroll down to the Ethernet Port Profiles section.

  2. Click on Create New.

    How to create a new Ethernet Port Profile in Unifi for EZRADIUS cloud RADIUS
  3. Fill out the following fields:

    • Name: Enter a name for your Ethernet Port Profile (e.g., EZRADIUS Authentication).

    • Tagged VLAN Management: Set to Block All unless you want to use a specific VLAN.

    • 802.1X Control: Set to Auto.

      New Ethernet Port Profile in Unifi for EZRADIUS cloud RADIUS

How to Assign the Ethernet Port Profile to Switch Ports in Ubiquiti Unifi

  1. From the left-hand menu, click Ports.

  2. Select the first port you want to configure for RADIUS authentication.

  3. Under Advanced switch to Manual mode.

  4. Click the Ethernet Port Profile box.

  5. From the port profile list, select the Ethernet Port Profile you created earlier.

  6. Click Apply Changes to save your configuration.

    How to Assign Ethernet Port Profile to Switch Ports in Ubiquiti Unifi
  7. Done!

How to Configure Your Devices to Use Cloud RADIUS with Ubiquiti Unifi

How to Push the RADIUS CA Certificate and Wi-Fi Profile Using Microsoft Intune

Follow these Intune step-by-step guides to push the required CA certificate and Wi-Fi profile to your users’ devices so they can seamlessly connect to your Ubiquiti Unifi network using Cloud RADIUS.

Microsoft Intune Guide

How to Push the RADIUS CA Certificate and Wi-Fi Profile Using Jamf Pro

Follow these Jamf Pro step-by-step guides to push the required CA certificate and Wi-Fi profile to your users’ devices so they can seamlessly connect to your Ubiquiti Unifi network using Cloud RADIUS.

Jamf Pro Guide

How to Manually Configure the RADIUS CA Certificate and Wi-Fi Profile on Your Devices

Follow these manual configuration step-by-step guides to manually configure the required CA certificate and Wi-Fi profile on your users’ devices so they can connect to your Ubiquiti Unifi network using Cloud RADIUS.

Manual Configuration Guide

How to Troubleshoot Cloud RADIUS Issues in Ubiquiti Unifi

Not able to connect to your Ubiquiti Unifi network after setting up EZRADIUS? Refer to this troubleshooting guide to help diagnose and resolve common issues when using Cloud RADIUS with Ubiquiti Unifi.

Troubleshooting Guide

We also have a detailed video guide to help you troubleshoot common Cloud RADIUS issues with Ubiquiti Unifi below: