How-To: Enable RADIUS with RadSec Authentication in Ubiquiti Unifi
Prerequisites for Setting Up Entra ID Authentication With RADIUS in Ubiquiti Unifi
Before you begin, ensure the following prerequisites are met:
- The Keytos Entra applications are registered in your tenant
- You have created an EZRADIUS subscription
- You are a Subscription Owner or Network Administrator on your subscription
- You have a certificate authority which issues certificates to your network devices (such as EZCA).
Introduction - How RADIUS Authentication Works in Ubiquiti Unifi and EZRADIUS
For your Ubiquiti network to authenticate users with Entra ID, you need to enable RADIUS authentication and connect it to a RADIUS service that supports Entra ID. You can do this with Classic RADIUS, which uses the IP address and a shared secret to authenticate your Unifi network with the RADIUS server, or with RadSec (RADIUS over TLS), which gives you all the RADIUS features with TLS around them.
- A user/device attempts to connect to the network, usually a WiFi network using WPA Enterprise.
- The network controller sends a RADIUS authentication request to the EZRADIUS server using RadSec (RADIUS over TLS).
- EZRADIUS receives the request and matches it against a RADIUS policy, which controls how to handle the request.
- If the policy is configured with Microsoft Entra ID, EZRADIUS verifies the username + password.
- If the policy is configured with Microsoft Intune, EZRADIUS verifies the compliance of the device.
- EZRADIUS sends the authentication response back to the network controller.
- Logs of the authentication are sent to a SIEM solution for monitoring and analysis.
What are the Different Types of Entra ID Authentication for RADIUS?
When using Entra ID for network authentication, you can choose between two types of authentication:
- EAP-TLS (Certificate Based Authentication)
- EAP-TTLS (Password Based Authentication)
EAP-TLS is the most secure and convenient method of authentication, as it uses certificates to authenticate users, meaning that the user does not have to enter their password or do anything. It also speeds up the authentication process because EZRADIUS can validate the certificate instantly without needing to do a full login check with Entra ID. If you are already using an MDM like Intune, it’s easy to distribute certificates and set up automatic WiFi authentication. If you don’t, no problem. The remainder of this guide will get you up and running with username + password.
EAP-TTLS is a password-based authentication method that allows your users to authenticate with their Entra ID username and password when connecting to a network.
How to Enable RADIUS RadSec Authentication in WPA-Enterprise in Your Ubiquiti Unifi Network - Step by Step
The following steps will guide you through the process of enabling RADIUS RadSec authentication in your Ubiquiti Unifi network.
How to Turn On RadSec in EZRADIUS
EZRADIUS allows you to selectively enable Classic RADIUS and/or RadSec for your cloud RADIUS server. The first step is to enable RadSec and optionally configure certificate (EAP-TLS) authentication.
- Begin by navigating to your EZRADIUS dashboard.
- In the left-hand menu, click on Policies.
- If you’re creating a new policy, enter a Policy Name.
- In your EZRADIUS Policy click on Enable RadSec. You can keep Classic RADIUS enabled if you want to have both options available.

How to Set Your Authorized Certificate Authorities for RadSec
RadSec requires your network controllers to have certificates issued to them, which are used for the underlying TLS tunnel. In this step you will add your Certificate Authority (CA) so EZRADIUS knows which certificates to trust.
- From the Certificate Source dropdown, select EZCA.
- Select your EZCA Instance URL, or check Private EZCA Instance if applicable.
- From the EZCA CA dropdown, select your Certificate Authority. If you have both a Root and Issuing CA in a 2-tier hierarchy, you’ll need to add both.
- Click Add CA.
- Repeat for each CA in your certificate chain (Root plus Issuing CA).
- Scroll to the top of your policy and click on Save Changes.

- Begin by downloading your CA certificate to your local machine. Ensure it’s Base64 encoded.
- From the Certificate Source dropdown, select Local CA.
- Click Upload Certificate and select your downloaded CA certificate file.
- Scroll to the top of your policy and click on Save Changes.
How to Enable RadSec in a Ubiquiti Unifi Controller
Now that RadSec is enabled and you have all the certificates + server details, you can configure RadSec in your Ubiquiti Unifi Controller.
- Navigate to your Ubiquiti Unifi Controller.
- Click on Network on the top menu.
- From the left-hand menu select Settings.
- Scroll down to the RADIUS section and click Create New.
- In the Add RADIUS Server dialog, enter the following details for your RADIUS server:
  - Name: Enter something like EZRADIUS RadSec
  - RADIUS Assigned VLAN Support: Select what type of networks you want to use with EZRADIUS, wireless and/or wired.
How to Create a RadSec Certificate and Private Key for Ubiquiti Unifi
A RadSec Client Certificate is required to authenticate your network controller (RADIUS client) to the EZRADIUS server over a secure TLS connection. You can create a RadSec Client Certificate using EZCA or a 3rd Party Certificate Authority.
EZRADIUS is integrated with EZCA to make it easy to generate a new RadSec Certificate directly in your browser.
- In the EZRADIUS dashboard, from the left-hand menu click on Create RadSec Certificate.
- Under the Issuing CA dropdown, select the EZCA Certificate Authority you previously added to your EZRADIUS policy. If you just have one, it will be selected by default.
- Optionally add Tags for your certificate to help identify it later.
- Keep the Subject Name as CN=radsec.
- Enter at least one IP address of your network controller in the IP Address field and click Add. This field isn’t used for RadSec authentication so even if you have a dynamic IP, you can still proceed with your current IP.
- In the Certificate Location dropdown, select Generate Locally.
- Click on Request Certificate. It will take a few seconds to generate the certificate.
- Click on Download Full Certificate.
- This will download 2 files. The .key file is the private key and the .pem file is the certificate.
Refer to your PKI documentation for creating a new RadSec Client Certificate. You will need both the certificate (.pem) and the private key (.key) files.
How to Upload a RadSec Certificate to Ubiquiti Unifi
Now that you’ve created your RadSec Client Certificate and Private Key, you can upload them to your Ubiquiti Unifi Controller.
- Back in your Ubiquiti Unifi Controller, configure the RadSec TLS Settings:
  - TLS: Check this box to use RadSec.
  - Client Certificate: Upload the .pem RadSec certificate file you created earlier.
  - Private Key: Upload the .key RadSec private key file you created earlier.
  - If your private key is password protected, enter your Private Key Password.
How to Get the RadSec CA Certificate for Ubiquiti Unifi
The RadSec CA Certificate is used by your network controller to verify the identity of the EZRADIUS server when establishing a secure TLS connection. You can download the RadSec CA Certificate directly from the EZRADIUS dashboard.
- Navigate to the EZRADIUS Policies page from the left-hand menu.
- Click Download RadSec CA Certificate and save it to your local machine. It should be named radsec_ca.cer, or similar.
How to Upload the RadSec CA Certificate to Ubiquiti Unifi
Now that you have your RadSec CA Certificate (radsec_ca.cer), you can upload it to your Ubiquiti Unifi Controller.
- Back in your Ubiquiti Unifi Controller, in the RadSec TLS Settings update CA Certificate and upload the RadSec CA certificate file you downloaded earlier (radsec_ca.cer).
How to Get Your EZRADIUS Server IPs for Ubiquiti Unifi for RadSec
You can get your EZRADIUS Server IP addresses from the EZRADIUS dashboard. These IP addresses are needed to configure your network controller to communicate with the EZRADIUS service.
- Navigate to the EZRADIUS Policies page from the left-hand menu.
- At the top of the Policies page, you will find the EZRADIUS Server IP addresses. You will need one from each region.
How to Add EZRADIUS RADIUS Servers in Ubiquiti Unifi for RadSec
Now that you have your EZRADIUS Server IP addresses, you can add them to your Ubiquiti Unifi Controller for RadSec.
- Update IP Address with an IP address closest to your Ubiquiti Unifi Controller from the EZRADIUS Server IP addresses (you’ll add the others later).
- Set the Port to 2083 which is the port used for RadSec.
- For the Shared Secret enter radsec, as required by the RadSec RFC.
- Click Add to save this IP address.
- Repeat for one IP address from each region if your instance supports multiple regions for higher availability.
How to Configure RADIUS Accounting in Ubiquiti Unifi for RadSec
Accounting logs contain information about user sessions and can be useful for auditing and troubleshooting. You can optionally enable RADIUS Accounting in your Ubiquiti Unifi Controller to send accounting logs to EZRADIUS. From there EZRADIUS can forward the logs to your SIEM and make them available in Audit Logs.
- Check the Accounting Servers box to optionally send RADIUS Accounting logs to EZRADIUS.
- Use the same IP Addresses and Port (2083) as the RADIUS Servers.
- Leave Interim Update Interval unchecked.
- Click Add to save your RADIUS Server.
- Click Add to save your RADIUS Server to the Ubiquiti Unifi Controller.
How to Set Up a WiFi Network in Ubiquiti Unifi with RADIUS RadSec
Now that you have added the RADIUS server, you will need to add it to a WiFi network so that when users connect to that network, they will be authenticated via EZRADIUS.
- Navigate to the WiFi menu on the left.
- Click the Create New button.
- Enter the SSID for your network.
- Leave the password field empty.
- Select if you want a specific VLAN for this network.
- Under Advanced, select Manual.
- Scroll down to Security Protocol and select WPA3 Enterprise (if you have legacy devices or passwords, select “WPA2 Enterprise”).
- Under RADIUS Profile, select the profile you created earlier.
- Click on Create or Apply Changes.

How to Manage your EZRADIUS Access Policies for Ubiquiti Unifi RadSec
Now that RADIUS is enabled in your network controller, ensure that you have at least one RADIUS policy. Refer to the policy documentation for guidance.
Manage RADIUS Policies
How to Troubleshoot RadSec Issues in Ubiquiti Unifi with EZRADIUS
If your Ubiquiti Unifi devices are not able to authenticate with EZRADIUS using RadSec, it can be tricky to troubleshoot. Due to the TLS tunnel in RadSec, if the authentication fails we do not know who to attribute the logs to and EZRADIUS will not log the authentication attempt in your Audit Logs. To get around this, you can temporarily enable Classic RADIUS authentication in your EZRADIUS policy and add your public IP address(es). This way, EZRADIUS can route the request to your subscription and you can see the failed authentication attempts in EZRADIUS Audit Logs and troubleshoot the issue. Once you have resolved the issue, you can safely disable Classic RADIUS authentication.
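Because a failed RadSec TLS handshake leaves nothing in the Audit Logs, it helps to check the certificate files locally before uploading them to the controller. The script below is an added example, not part of EZRADIUS or Unifi tooling; it relies on the openssl CLI, the file arguments are placeholders, the CA bundle is the CA (Root plus Issuing) you added to your EZRADIUS policy, and the RADSEC_KEY_PASS variable name is an assumption.

```shell
#!/bin/sh
# Added example: pre-upload checks for the RadSec client certificate files.
# Usage: radsec_preflight <client.pem> <client.key> <ca-bundle.pem>
# ca-bundle.pem holds every CA added to the EZRADIUS policy (Root plus Issuing), in PEM.
# An encrypted key is read with the password in $RADSEC_KEY_PASS (assumed name).

radsec_check() {  # radsec_check <label> <command...>: prints PASS/FAIL, returns status
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "PASS  $label"; return 0
    fi
    echo "FAIL  $label"; return 1
}

radsec_key_matches() {  # the certificate's public key equals the private key's
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(RADSEC_KEY_PASS="${RADSEC_KEY_PASS:-}" \
        openssl pkey -in "$2" -passin env:RADSEC_KEY_PASS -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

radsec_preflight() {
    cert=$1; key=$2; ca=$3; failures=0
    # A DER (binary) file fails these two checks; the upload expects Base64/PEM.
    radsec_check "client certificate is PEM (Base64) X.509" \
        openssl x509 -in "$cert" -noout || failures=$((failures + 1))
    radsec_check "CA bundle is PEM (Base64) X.509" \
        openssl x509 -in "$ca" -noout || failures=$((failures + 1))
    radsec_check "private key matches the certificate" \
        radsec_key_matches "$cert" "$key" || failures=$((failures + 1))
    radsec_check "certificate is valid for at least 30 more days" \
        openssl x509 -in "$cert" -noout -checkend 2592000 || failures=$((failures + 1))
    # -purpose sslclient rejects a certificate whose key usage forbids TLS client auth.
    radsec_check "certificate chains to the CA bundle as a TLS client" \
        openssl verify -purpose sslclient -CAfile "$ca" "$cert" || failures=$((failures + 1))
    [ "$failures" -eq 0 ]
}

# Run only when the three file paths are given on the command line.
if [ "$#" -eq 3 ]; then radsec_preflight "$@"; fi
```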
Connecting Your Devices to Your Ubiquiti Unifi Network with Entra ID Authentication
Now that we have set up your Ubiquiti Unifi network with RADIUS authentication, you can connect your devices to your network using Entra ID by either using EAP-TLS or EAP-TTLS. If you are using EAP-TLS, you can use an MDM to distribute the certificates to your devices (if you are using EZCA, you can also create a self-service user certificate to test). If you are using EAP-TTLS with password, you might have to set up your device for EAP-TTLS PAP Authentication to be able to test your network using your Entra ID username and password.
(Note: You might have to make some changes to enable EAP-TTLS with Entra ID).