How-To: Enable RADIUS with Entra ID Authentication in Ubiquiti Unifi

RADIUS is a protocol that provides Authentication, Authorization, and Accounting (AAA) for networks. This guide will show you how to enable RADIUS in Ubiquiti Unifi devices.

Prerequisites for Setting Up Entra ID Authentication With RADIUS in Ubiquiti Unifi

  1. You have registered the Keytos Entra ID applications in your tenant
  2. You have an active EZRADIUS plan
  3. You are an Owner or Network Administrator on your plan
  4. You have created a Cloud RADIUS Network Policy with your public IP address registered

Introduction - How RADIUS Authentication Works in Ubiquiti Unifi and EZRADIUS


For your Ubiquiti network to authenticate users with Entra ID, you need to enable RADIUS authentication and connect it to a RADIUS service that supports Entra ID. This guide will show you how to enable RADIUS authentication in WPA-Enterprise with Ubiquiti Unifi and EZRADIUS.

How RADIUS Authentication Works with network controllers and EZRADIUS
  1. A user/device attempts to connect to the network, usually a WiFi network using WPA Enterprise.
  2. The network controller sends a RADIUS authentication request to the EZRADIUS server using RadSec (RADIUS over TLS).
  3. EZRADIUS receives the request and matches it against a RADIUS policy, which controls how to handle the request.
  4. If the policy is configured with Microsoft Entra ID, EZRADIUS verifies the username + password.
  5. If the policy is configured with Microsoft Intune, EZRADIUS verifies the compliance of the device.
  6. EZRADIUS sends the authentication response back to the network controller.
  7. Logs of the authentication are sent to a SIEM solution for monitoring and analysis.

What are the Different Types of Entra ID Authentication for Network?

When using Entra ID for network authentication, you can choose between two types of authentication:

  1. EAP-TLS (Certificate Based Authentication)
  2. EAP-TTLS (Password Based Authentication)

EAP-TLS is the most secure and convenient method of authentication: it uses certificates to authenticate users, so the user does not have to enter their password or do anything. It also speeds up the authentication process because EZRADIUS can validate the certificate instantly without needing to do a full login check with Entra ID. If you are already using an MDM like Intune, it’s easy to distribute certificates and set up automatic WiFi authentication. If you aren’t, no problem. The remainder of this guide will get you up and running with username + password.

EAP-TTLS is a password-based authentication method that allows your users to authenticate with their Entra ID username and password when connecting to a network.

How to Enable RADIUS Authentication in WPA-Enterprise In Your Ubiquiti Unifi Network - Video Version

Check out one of our YouTube videos for a visual step-by-step guide for setting up EZRADIUS with your Ubiquiti Unifi Network.

How to Use EAP-TLS Certificate Authentication In Your Ubiquiti Unifi Network

EAP-TLS is the recommended authentication method as it is more secure and easier once set up. This video will guide you through setting up EAP-TLS with Entra ID in your Ubiquiti Unifi Network.

How to Use Entra ID Username and Password Authentication In Your Ubiquiti Unifi Network

Entra ID Username and Password authentication with EAP-TTLS allows you to authenticate users using their Entra ID credentials without needing to manage PKI infrastructure. This video will guide you through setting up EAP-TTLS with Entra ID in your Ubiquiti Unifi Network.

How to Enable RADIUS Authentication in WPA-Enterprise In Your Ubiquiti Unifi Network - Step by Step

The following steps will guide you through the process of enabling RADIUS authentication in your Ubiquiti Unifi network.

How to Add EZRADIUS as a RADIUS Server in Ubiquiti Unifi

  1. Navigate to your Ubiquiti Unifi Controller.

  2. Click on Network on the top menu.

  3. From the left-hand menu select Settings.

  4. Scroll down to the RADIUS section and click Create New.

  5. In the Add RADIUS Server dialog, enter the following details for your RADIUS server:

    • Name: Enter something like EZRADIUS
    • RADIUS Assigned VLAN Support: Select what type of networks you want to use with EZRADIUS, wireless and/or wired.
    • Leave TLS unchecked as this guide is for Classic RADIUS authentication and not RadSec.

How to Get Your EZRADIUS Server IP Addresses for Ubiquiti Unifi RADIUS

You can get your EZRADIUS Server IP addresses from the EZRADIUS dashboard. These IP addresses are needed to configure your network controller to communicate with the EZRADIUS service.

  1. Navigate to the EZRADIUS Policies page from the left-hand menu.

  2. At the top of the Policies page, you will find the EZRADIUS Server IP addresses. You will need one from each region.


How to Add EZRADIUS Server IP Addresses to Ubiquiti Unifi

Now that you have your EZRADIUS Server IP addresses, you can add them to your Ubiquiti Unifi Controller.

  1. Update the IP Address with the EZRADIUS Server IP address that is closest to your Ubiquiti Unifi Controller (you’ll add the others later).

  2. Leave the Port as the default of 1812.


How to Get Your EZRADIUS Shared Secret for Ubiquiti Unifi RADIUS

When you added your public IP address to your EZRADIUS policy, a shared secret was automatically generated for you. This shared secret is used to authenticate your network controller (RADIUS client) to the EZRADIUS server.

  1. Navigate to the EZRADIUS Policies page from the left-hand menu.

  2. Scroll down to your RADIUS policy and find the Classic RADIUS Allowed IP Addresses section.

  3. For your public IP address, click on the eye icon to reveal the shared secret.


How to Add the EZRADIUS Shared Secret to Ubiquiti Unifi

  1. Back in the Ubiquiti Unifi Controller, set the Shared Secret to the shared secret that corresponds to your IP Address from EZRADIUS.

  2. Click Add to save this IP address.

  3. Repeat for one IP address from each region if your instance supports multiple regions for higher availability.
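
With TLS left unchecked, the shared secret is the only thing that lets the controller tell a genuine server reply from a forged one. The following is an added example (not Keytos or Ubiquiti code) of how that secret is used, following the packet layout in RFC 2865 and RFC 3579: the request carries an HMAC-MD5 Message-Authenticator, and the reply is accepted only if both its Response Authenticator and its Message-Authenticator verify. `SAMPLE_SECRET`, `build_reply` and the function names are constructed for illustration, and rejecting replies that lack a Message-Authenticator is a policy assumption of this example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 32, 80
SAMPLE_SECRET = b"constructed-example-secret"  # constructed value, not a real secret

def attr(attr_type, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hmac_md5(secret, data):
    return hmac.new(secret, data, hashlib.md5).digest()

def build_access_request(secret, ident, user, nas_id):
    """Access-Request with Message-Authenticator = HMAC-MD5(secret, whole packet)."""
    rest = attr(USER_NAME, user.encode()) + attr(NAS_IDENTIFIER, nas_id.encode())
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 38 + len(rest)) + os.urandom(16)
    # The HMAC input carries 16 zero bytes where the Message-Authenticator value goes.
    mac = hmac_md5(secret, head + attr(MESSAGE_AUTHENTICATOR, bytes(16)) + rest)
    return head + attr(MESSAGE_AUTHENTICATOR, mac) + rest

def build_reply(secret, request, code=ACCESS_ACCEPT):
    """Constructed stand-in for the server, present only to exercise the check."""
    head = struct.pack("!BBH", code, request[1], 38)
    mac = hmac_md5(secret, head + request[4:20] + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    attrs = attr(MESSAGE_AUTHENTICATOR, mac)
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def reply_is_authentic(secret, request, reply):
    """True only if Response Authenticator and Message-Authenticator both verify."""
    if len(reply) < 20 or reply[1] != request[1] or len(reply) != struct.unpack("!H", reply[2:4])[0]:
        return False
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False
    pos, mac_ok = 20, False
    while pos + 2 <= len(reply):
        a_type, a_len = reply[pos], reply[pos + 1]
        if a_len < 2 or pos + a_len > len(reply):
            return False
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = reply[:4] + request[4:20] + reply[20:pos + 2] + bytes(16) + reply[pos + 18:]
            mac_ok = hmac.compare_digest(hmac_md5(secret, zeroed), reply[pos + 2:pos + 18])
        pos += a_len
    return mac_ok  # a reply without Message-Authenticator is rejected
```

A mismatch between the secret entered in the controller and the one shown in the policy makes every reply fail this check, which is why the value must be copied exactly for each server IP address.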

How to Configure RADIUS Accounting in Ubiquiti Unifi

Accounting logs contain information about user sessions and can be useful for auditing and troubleshooting. You can optionally enable RADIUS Accounting in your Ubiquiti Unifi Controller to send accounting logs to EZRADIUS. From there, EZRADIUS can forward the logs to your SIEM and make them available in Audit Logs.

  1. Check the Accounting Servers box to optionally send RADIUS Accounting logs to EZRADIUS.

  2. Use the default Port of 1813 for accounting.

  3. Use the same Shared Secret as the RADIUS Servers.

  4. Leave Interim Update Interval unchecked.

  5. Click Add to save your RADIUS Server.

  6. Finally, click Add to save your RADIUS Server.


How to Set Up a WiFi Network in Ubiquiti Unifi with RADIUS

Now that you have added the RADIUS server, you will need to add it to a WiFi network so that when users connect to that network, they will be authenticated via EZRADIUS.

  1. Navigate to the WiFi menu on the left.


  2. Click the Create New button.


  3. Enter the SSID for your network.

  4. Leave the password field empty.

  5. Select if you want a specific VLAN for this network.

  6. Under Advanced, select Manual.


  7. Scroll down to Security Protocol and select WPA3 Enterprise (if you have legacy devices or passwords, select “WPA2 Enterprise”).

  8. Under RADIUS Profile, select the profile you created earlier.


  9. Click on Create or Apply Changes.


How to Manage your EZRADIUS Access Policies for Ubiquiti Unifi RADIUS

Now that RADIUS is enabled in your network controller, ensure that you have at least one RADIUS policy. Refer to the policy documentation for guidance.

Manage RADIUS Policies

How to Connect Your Devices to Your Ubiquiti Unifi Network

Now that you have set up your Ubiquiti Unifi network with RADIUS authentication, you can connect your devices to your network using Entra ID with either EAP-TLS (certificates) or EAP-TTLS (Entra Username/Password).

How to Connect Devices to Ubiquiti Unifi Network with Entra ID Authentication

If you are using EAP-TLS certificates, you can use an MDM to distribute the certificates to your devices via SCEP.

Set up MDM to distribute certificates and WiFi profiles →

If you are using EAP-TTLS with passwords, you may have to set up your device for EAP-TTLS PAP Authentication to be able to test your network using your Entra ID username and password.

How to Connect Devices to Ubiquiti Unifi Network with Certificate Authentication

If you are using EAP-TTLS with passwords, you may have to set up your device for EAP-TTLS PAP Authentication to be able to test your network using your Entra ID username and password. You can also use an MDM to push WiFi profiles to your devices.

Set up MDM to distribute WiFi profiles →