How to Enable RADIUS with Radsec Authentication in Ubiquiti Unifi

Prerequisites for Setting Up Entra ID Authentication With RADIUS in Ubiquiti Unifi

  1. Registering the application in your tenant
  2. Creating Cloud Radius Instance
  3. Being a Subscription Owner or Network Administrator or Log Reader

Introduction - How RADIUS Authentication Works in Ubiquiti Unifi and EZRADIUS

For your Ubiquiti network to authenticate users with Entra ID, you need to enable RADIUS authentication and connect it to a RADIUS service that supports Entra ID. You can do this with regular RADIUS, which authenticates your Unifi network to the RADIUS server by IP address and a shared secret, or with RadSec (RADIUS over TLS), which wraps the RADIUS exchange in a TLS connection, keeping all the RADIUS features but adding certificate-based authentication and encryption on the wire. In this guide, we set up RADIUS with RadSec in Ubiquiti Unifi using EZRADIUS.

What are the Different Types of Entra ID Authentication for Network?

When using Entra ID for network authentication, you can choose between two types of authentication: EAP-TLS (certificate-based authentication) and EAP-TTLS (password-based authentication). EAP-TLS is the most secure and convenient method, as it authenticates users with certificates, so the user does not have to enter a password or do anything. If you are using an MDM, you can use it to distribute the certificates to the user and set up automatic Wi-Fi authentication. EAP-TTLS is a password-based method that lets your users authenticate with their Entra ID username and password (Note: you might have to make some changes to enable EAP-TTLS with Entra ID).

How to Enable RADIUS Radsec Authentication in WPA-Enterprise In Your Ubiquiti Unifi Network - Step by Step (Using EZCA CA)

  1. Go to your EZRADIUS dashboard.
  2. Click on “Policies” on the left menu.
  3. In your EZRADIUS policy, click on “Enable RadSec”.
  4. In the RadSec section, add your EZCA CAs by selecting them from the dropdown and clicking on “Add CA”.
  5. Scroll to the top of your policy and click on “Save Changes”.
  6. Go to your Ubiquiti Unifi Controller.
  7. Click on “Network” on the top menu.
  8. Click on “Profiles” on the left menu.
  9. Click on the “RADIUS” button.
  10. Click on “Create New”.
  11. In the “Profile Name” field, enter a name for your RADIUS profile.
  12. Check “Wireless Networks” and/or “Wired Networks” depending on where you want this profile to be used.
  13. Check the “TLS” checkbox.
  14. In another tab, go to your EZRADIUS dashboard and copy the “RADIUS Server IP” from the “Policies” page. (You can repeat this step for the three IPs for higher availability; if your instance supports multiple regions, we recommend one IP from each region.)
  15. From the same section, download the RadSec CA certificate by clicking on the “Download RadSec CA Certificate” button.
  16. Go back to the Ubiquiti Unifi Controller and paste the “RADIUS Server IP” into the “RADIUS Server” field.
  17. In the “Port” field, enter “2083”.
  18. In the “Shared Secret” field, enter “radsec”. Note: since RadSec authenticates with certificates, the shared secret plays no part in authentication, but the Unifi Controller requires a value and the RadSec RFC requires it to be “radsec”.
  19. Click on “Add”.
  20. Repeat the steps for the other IPs in the EZRADIUS portal. This is not required, but it gives you higher availability.
  21. Now create the certificate that the Unifi Controller will use to authenticate itself to the RADIUS server. In the EZRADIUS dashboard, click on “Create Radsec Certificate” on the left menu.
  22. Enter at least one IP address of your Unifi Controller in the “IP Address” field and click “Add”.
  23. In the certificate location dropdown, select the “generate locally” option.
  24. Click on “Request Certificate”.
  25. Click on “Download Full Certificate”.
  26. This downloads two files: the “.key” file is the private key and the “.pem” file is the certificate.
  27. Now upload the files to the Unifi Controller. Go back to the Unifi Controller, click on “Upload” in the “Client Certificate” field and select the certificate file (in my case radsec sample.pem).
  28. Click on “Upload” in the “Private Key” field and select the private key file (in my case radsec sample.key).
  29. If you protected the private key with a password, enter it in the “Private Key Password” field.
  30. Now upload the RadSec CA certificate that you downloaded earlier from the EZRADIUS server details section. Click on “Upload” in the “CA Certificate” field and select that certificate file.
  31. If you want to enable Accounting (it gives you more information about each session, such as data used and connection time), check the “Accounting” checkbox.
  32. Add the same IPs, shared secret and port for Accounting.
  33. Click on “Apply Changes” in the bottom left.
  34. Now that the RADIUS server is added, go to the “Wifi” menu on the left.
  35. Click the “Create New” button.
  36. Enter the “SSID” for your network.
  37. Leave the password field empty.
  38. Select a specific VLAN for this network if you want one.
  39. In “Advanced”, select “Manual”.
  40. Scroll down to “Security Protocol” and select “WPA3 Enterprise” (if you have legacy devices or use password authentication, select “WPA2 Enterprise”).
  41. In “RADIUS Profile”, select the profile you created earlier.
  42. Click on “Apply Changes”.
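Before uploading the files from steps 22 to 30, it is worth confirming locally that the .key really belongs to the .pem, that the certificate carries the controller IP entered in step 22, and that it is not about to expire, and then confirming from the controller host that the EZRADIUS server on port 2083 presents a certificate chaining to the downloaded RadSec CA. The script below is an added example, not part of this guide or of EZRADIUS or Ubiquiti; it assumes the OpenSSL command-line tool, and the file names and the controller IP 192.0.2.10 are placeholders.

```sh
#!/bin/sh
# Added example: offline sanity check of a RadSec client bundle (cert, key,
# controller IP) plus a live mutual-TLS check against the RADIUS server.
# Assumes the OpenSSL CLI; all file names and IPs are placeholders.

# Usage: check_radsec_bundle CERT.pem KEY.key CONTROLLER_IP [pass:SECRET]
check_radsec_bundle() {
  cert=$1; key=$2; ip=$3
  passin=${4:-pass:}   # give pass:SECRET when the key is password-protected (step 29)

  # 1. The .key must belong to the .pem: both carry the same public key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -passin "$passin" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $key is not the private key for $cert" >&2; return 1; }

  # 2. The certificate must list the controller IP (step 22) as a subjectAltName,
  #    otherwise the RADIUS server will not accept this TLS client.
  openssl x509 -in "$cert" -noout -text \
    | grep -Eq "IP Address:${ip}(,|[[:space:]]|\$)" \
    || { echo "FAIL: $cert has no subjectAltName IP:$ip" >&2; return 1; }

  # 3. Refuse an expired certificate; warn when fewer than 30 days remain.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: $cert has expired" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || echo "WARN: $cert expires within 30 days; plan the renewal" >&2
  echo "OK: $cert and $key match and are valid for IP $ip"
}

# Usage: check_radsec_server RADIUS_SERVER_IP RADSEC_CA.pem CERT.pem KEY.key
# Live check of step 30: a mutual-TLS handshake to port 2083 using our client
# certificate; "Verify return code: 0 (ok)" means the server's certificate
# chains to the RadSec CA that will be uploaded to the controller.
check_radsec_server() {
  openssl s_client -connect "$1:2083" -CAfile "$2" -cert "$3" -key "$4" \
    </dev/null 2>&1 | grep -q "Verify return code: 0 (ok)"
}
```

Run check_radsec_bundle on the downloaded pair first, then check_radsec_server against each RADIUS Server IP you added in step 16.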

Connecting Your Devices to Your Ubiquiti Unifi Network with Entra ID Authentication

Now that your Ubiquiti Unifi network is set up with RADIUS authentication, you can connect your devices to it using Entra ID with either EAP-TLS or EAP-TTLS. If you are using EAP-TLS, you can use an MDM to distribute the certificates to your devices (if you are using EZCA, you can also create a self-service user certificate to test). If you are using EAP-TTLS with a password, you might have to set up your device for EAP-TTLS PAP authentication before you can test your network with your Entra ID username and password.