UniFi - USW: Configuring Access Policies (802.1X) for Wired Clients


Overview


In this article readers will have an understanding of how to configure access policies (802.1X) on UniFi switches for wired clients. This article includes instructions on how to configure using the RADIUS server built-in to the UniFi Security Gateway and also controller configuration examples to point to your own authentication server.

NOTES & REQUIREMENTS:
Every model UniFi switch is capable of authentication via 802.1X. The configuration does not change from model to model. Devices used in this article:
  • UniFi Switch
  • UniFi Security Gateway

Table of Contents


1. Introduction

2. Network Diagram

3. How to Enable RADIUS Server on USG

4. How to Create Users in Controller

5. How to Configure MAC-Based RADIUS Authentication

6. How to Configure RADIUS Assigned VLAN

7. How to Configure Fallback VLAN

8. Controller Configuration for Non-USG RADIUS Server

9. How to Enable the 802.1X Service on a Switch

10. Differentiating 802.1X Port Modes

11. Using Port Profiles


Introduction


Back to Top

The 802.1X standard has three components:

  • Authenticators: Specifies the port or device that is sending messages to the RADIUS server before permitting system access.
  • Supplicants: Specifies host connected to the port requesting access to the system services.
  • Authentication Server: Specifies the external server, for example, the RADIUS server that performs the authentication on behalf of the authenticator, and indicates whether the user is authorized to access system services. The Port Access Control folder contains links to the following pages that allow you to view and configure 802.1X features on the system.

RADIUS Authentication and Authorization:

The process in which a client device is authorized with 802.1X goes as follows:

1. The client device is prompted for credentials.

2. User inputs credentials.

3. The client device sends a request on the data link layer to an authenticator to gain access to the network. 

4. The authenticator device then sends a messaged called the "RADIUS Access Request" message to the configured RADIUS server.

NOTE: This message includes but is not limited to: username, password, or certificate provided by the user for access.

5. The RADIUS server then returns one of three responses to the authenticator:

  • Access-Reject: The user entered is denied all access either based on inability to provide correct identification or the user has been removed from the RADIUS server.
  • Access-Challenge: The user needs additional information to authenticate such as secondary password, token, PIN, or card. This message is also used in more complex authentication where a secure tunnel is established between the user machine and RADIUS server.
  • Access-Accept: The user is granted access to the network.
NOTE: Additionally there may be other attributes passed on to the authenticator about the client including:
  • Static IP to be used for the client.
  • A specific address pool to be used for the client. 
  • Maximum time that a client can be authenticated.
  • Access list parameters
  • QoS specifics
  • VLAN id to be used for the client (Dynamic VLAN).

Network Diagram


Back to Top

1.png


How to Enable RADIUS Server on USG


Back to Top

  1. Navigate to Settings > Services > RADIUS
  2. Enable the RADIUS server under the "Server" tab. 

  • Secret: Pre-shared key provisioned to the authenticator devices and the RADIUS server. This provides authentication between the two types of devices ensuring RADIUS message integrity.
  • Authentication port: The port in which RADIUS authentication messages are to be sent and received by authenticator and RADIUS server devices.
  • Accounting Port: The port in which RADIUS accounting messages are to be sent and received by authenticator and RADIUS server devices.
  • Accounting Interim Interval: Time in milliseconds in which a RADIUS access request packet is sent with an Acct-Status-Type attribute with the value "interim-update". This update is sent to request the status of an active session. "Interim" records contain report the current session duration and can provide information on data usage. 
NOTE: The RADIUS server runs on the USG when this option is enabled.

How to Create Users in Controller


Back to Top

  1. Navigate to Settings > Services > RADIUS
  2. Create user accounts under the "User" tab. 

  • Username: Enter a unique username for a user to enter.
  • Password: Enter the desired password for a user to enter.
  • VLAN: Field used for assigning a RADIUS authenticated client to a specific VLAN when using RADIUS assigned VLANs.
  • Tunnel Type:  See RFC2868 section 3.1
  • Tunnel Medium Type: See RFC2868 section 3.2

How to Configure MAC-Based RADIUS Authentication


Back to Top

To authenticate devices based on MAC address use the MAC address as the username and password under client creation. This entry should convert lowercase letters to uppercase, and also remove colons or periods from the MAC address. 


How to Configure RADIUS Assigned VLAN


Back to Top

  1. Navigate to Settings > Profiles > RADIUS
  2. Under the profile select "Enable RADIUS assigned VLAN for wired network."
  3. Navigate to Settings > Services > RADIUS > Users.
    1. Each user that will utilize dynamic VLAN must have tunnel-type set to (13), and tunnel-medium-type set to (6).
ATTENTION: If the user profile does not include a VLAN the client will fall back to the untagged VLAN configured on the switch port. 

 


How to Configure Fallback VLAN


Back to Top

The fallback VLAN is used when a client fails to authenticate with username and password or MAC authentication bypass. This setting is defined per-switch.

  1. This option is found on the switch properties panel under "Services" when selecting an individual switch from the "Devices" section of the controller. Controller version 5.9 required.

 


Controller Configuration for Non-USG RADIUS Server


Back to Top

  1. Navigate to Settings > Profiles > RADIUS.
  2. Create a new RADIUS Profile with the information for the external RADIUS server. 

User Tip: Check out Microsoft's guide on how to administrate their NPS to manage RADIUS users, certificates, etc.    

How to Enable the 802.1X Service on a Switch


Back to Top

  1. This option is found on the switch properties panel under "Services" when selecting an individual switch from the "Devices" section of the controller. 

ATTENTION: Enabling access control is done a per switch basis. If this is not enabled, the switch will not be able to act as an authenticator to pass RADIUS messages to the RADIUS server.  

Differentiating 802.1X Port Modes


Back to Top

  • Auto: The port is unauthorized until a successful authentication exchange has taken place.
  • Force Unauthorized: The port ignores supplicant authentication attempts and does not provide authentication services to the client
  • Force Authorized: The port sends and receives normal traffic without client port-based authentication.
  • MAC-Based: This mode allows multiple supplicants connected to the same port to each authenticate individually. Each host connected to the port must authenticate separately in order to gain access to the network. The hosts are distinguished by their MAC addresses. 

Working with Port Profiles


Back to Top

Using port profiles for rapid deployment is recommended instead of applying 802.1X policies manually on each port. 

  1. Navigate to Settings > Profiles > Switch Ports.
  2. Create a new profile with the desired 802.1X control.

NOTE: When using dynamic VLAN assignment on RADIUS the port profile must include each VLAN desired for use. 

We're sorry to hear that!