Introduction - How RADIUS Authentication Works in Ubiquiti Unifi and EZRADIUS
For your Ubiquiti network to authenticate users with Entra ID, you need to enable RADIUS authentication and connect it to a RADIUS service that supports Entra ID. This guide will show you how to enable RADIUS authentication in WPA-Enterprise with Ubiquiti Unifi and EZRADIUS.
What are the Different Types of Entra ID Authentication for Network?
When using Entra ID for network authentication, you can choose between two types of authentication: EAP-TLS (certificate-based authentication) and EAP-TTLS (password-based authentication). EAP-TLS is the most secure and convenient method, as it authenticates users with certificates, so the user never has to enter a password or take any action. If you are using an MDM, you can use it to distribute the certificates to users and set up automatic Wi-Fi authentication. EAP-TTLS is a password-based method that lets your users authenticate with their Entra ID username and password (note: you might have to make some changes to enable EAP-TTLS with Entra ID).
How to Enable RADIUS Authentication in WPA-Enterprise In Your Ubiquiti Unifi Network - Video Version
How to Enable RADIUS Authentication in WPA-Enterprise In Your Ubiquiti Unifi Network - Step by Step
Go to your Ubiquiti Unifi Controller.
Click on “Network” on the top menu.
Click on “Profiles” on the left menu.
Click on the “RADIUS” button.
Click on “Create New”.
In the “Profile Name” field, enter a name for your RADIUS profile.
If you want to use VLAN assignment with your RADIUS authentication, check the “VLAN” box for Wired and/or Wireless Networks.
In another tab, go to your EZRADIUS dashboard and copy the “RADIUS Server IP” from the “Policies” page (you can repeat this step for all three IPs for higher availability).
From your Policy Details, copy the “Shared Secret” you set up for this client IP address (in this case, my IP address is 34.2.2.1).
Now go back to the Ubiquiti Unifi Controller and paste the “RADIUS Server IP” into the “RADIUS Server” field.
In the “Port” field, enter “1812”.
In the “Shared Secret” field, paste the “Shared Secret” you copied from EZRADIUS.
Click on Add.
Repeat these steps for the other two IPs.
If you want to enable accounting (it gives you more information about each session, such as data used, connection time, etc.), check the “Accounting” checkbox to enable it.
Add the same IPs and shared secrets for accounting, except that the port is 1813 instead of 1812.
Click on “Apply Changes” in the bottom left.
Now that the RADIUS server has been added, go to the “Wifi” menu on the left.
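The steps above configure only three things on the Ubiquiti side: the RADIUS server IP, the port (1812 for authentication, 1813 for accounting) and the shared secret. The shared secret is what ties the two sides together, so it is worth seeing what it actually does on the wire. The following added example (not code from Ubiquiti or EZRADIUS) builds a minimal RFC 2865 Access-Request with an RFC 3579 Message-Authenticator, has a toy server validate it and answer with an Access-Accept or Access-Reject, and has the client verify the Response Authenticator. The secrets, username and NAS IP address in it are constructed for the demo. Running it with mismatched secrets shows the failure mode you will see if the secret pasted into the Unifi profile does not match the EZRADIUS policy: the request is silently dropped rather than rejected, so clients just time out.

```python
"""Added example: a RADIUS Access-Request/Access-Accept exchange (RFC 2865 / RFC 3579)
showing what the shared secret from the Unifi RADIUS profile protects.
All secrets, names and addresses below are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80
AUTH_PORT, ACCT_PORT = 1812, 1813  # the two ports entered in the Unifi profile


def _attr(atype, value):
    """Type-Length-Value attribute; Length covers the 2-byte header too."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _header(code, ident, authenticator, attrs):
    """Code, Identifier, Length (whole packet) and 16-byte Authenticator."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret, username, nas_ip, ident=1, request_auth=None):
    """Client (NAS) side: Access-Request with a random Request Authenticator and an
    HMAC-MD5 Message-Authenticator keyed with the shared secret (RFC 3579 3.2)."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    # HMAC is computed over the full packet with the Message-Authenticator value zeroed.
    zeroed = _header(ACCESS_REQUEST, ident, request_auth,
                     attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return _header(ACCESS_REQUEST, ident, request_auth,
                   attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac))


def parse_attributes(pkt):
    """Return [(type, value), ...]; rejects malformed lengths instead of looping."""
    attrs, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(secret, pkt):
    """Server side: recompute the HMAC with our copy of the secret."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            received = pkt[pos + 2:pos + alen]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


def build_response(secret, code, ident, request_auth, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = 20 + len(attrs)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length)
                            + request_auth + attrs + secret).digest()
    return _header(code, ident, resp_auth, attrs)


def server_handle(secret, pkt, allowed_users):
    """Toy RADIUS server: None means 'silently discard' (RFC 3579 behaviour on a
    bad Message-Authenticator, which is what a secret mismatch looks like)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return None
    if not verify_message_authenticator(secret, pkt):
        return None
    username = dict(parse_attributes(pkt)).get(ATTR_USER_NAME, b"").decode(errors="replace")
    reply = ACCESS_ACCEPT if username in allowed_users else ACCESS_REJECT
    return build_response(secret, reply, ident, pkt[4:20])


def client_verify_response(secret, request_pkt, response_pkt):
    """Client side: only trust a reply whose Response Authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", response_pkt[:4])
    if ident != request_pkt[1] or length != len(response_pkt):
        return None
    expected = hashlib.md5(struct.pack("!BBH", code, ident, length)
                           + request_pkt[4:20] + response_pkt[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response_pkt[4:20]) else None


def demo(client_secret, server_secret, username="alice@contoso.example"):
    """Run one exchange with the given secrets; constructed NAS IP and user list."""
    req = build_access_request(client_secret, username, "192.0.2.10")
    resp = server_handle(server_secret, req, {"alice@contoso.example"})
    if resp is None:
        return "dropped"   # what a shared-secret mismatch looks like: a timeout
    code = client_verify_response(client_secret, req, resp)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")


if __name__ == "__main__":
    print("matching secrets:", demo(b"s3cret-from-ezradius", b"s3cret-from-ezradius"))
    print("mismatched secrets:", demo(b"s3cret-from-ezradius", b"typo-in-unifi"))
```

The practical takeaway: a wrong shared secret does not produce an Access-Reject, it produces silence, so if clients hang at "authenticating" after you apply the profile, check the secret and the IP pairing in the EZRADIUS policy before looking at EAP settings. Real deployments also wrap this exchange in EAP, which the toy server omits.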
Click the “Create New” button.
Enter the “SSID” for your network.
Leave the password field empty.
Select if you want a specific VLAN for this network.
In “Advanced”, select “Manual”.
Scroll down to “Security Protocol” and select “WPA3 Enterprise” (if you have legacy devices or use password authentication, select “WPA2 Enterprise”).
In RADIUS Profile, select the profile you created earlier.
Click on “Apply Changes”.
Connecting Your Devices to Your Ubiquiti Unifi Network with Entra ID Authentication
Now that you have set up your Ubiquiti Unifi network with RADIUS authentication, you can connect your devices using Entra ID with either EAP-TLS or EAP-TTLS. If you are using EAP-TLS, you can use an MDM to distribute the certificates to your devices (if you are using EZCA, you can also create a self-service user certificate for testing). If you are using EAP-TTLS with a password, you might have to set up your device for EAP-TTLS PAP authentication to test your network with your Entra ID username and password.