UniFi - USW: Configuring Access Policies (802.1X) for Wired Clients


Overview


In this article readers will have an understanding of how to configure access policies (802.1X) on UniFi switches for wired clients. This article includes instructions on how to configure using the RADIUS server built-in to the UniFi Security Gateway and also controller configuration examples to point to your own authentication server.

NOTES & REQUIREMENTS:
Please complete the prerequisite configuration found in the UniFi - USG: Configuring RADIUS Server article before following this guide's instructions.
 
Every UniFi switch model is capable of authentication via 802.1X. The configuration does not change from model to model. Devices used in this article:
  • UniFi Switch
  • UniFi Security Gateway

Table of Contents

  1. Introduction
  2. Network Diagram
  3. How to Enable the 802.1X Service on a Switch
  4. Differentiating 802.1X Port Modes
  5. How to Configure Fallback VLAN
  6. Controller Configuration for Non-USG RADIUS Server
  7. Related Articles

Introduction


Back to Top

The 802.1X standard has three components:

  • Authenticators: Specifies the port or device that is sending messages to the RADIUS server before permitting system access.
  • Supplicants: Specifies host connected to the port requesting access to the system services.
  • Authentication Server: Specifies the external server, for example, the RADIUS server that performs the authentication on behalf of the authenticator, and indicates whether the user is authorized to access system services. The Port Access Control folder contains links to the following pages that allow you to view and configure 802.1X features on the system.

RADIUS Authentication and Authorization:

The process in which a client device is authorized with 802.1X goes as follows:

1. The client device is prompted for credentials.

2. User inputs credentials.

3. The client device sends a request on the data link layer to an authenticator to gain access to the network. 

4. The authenticator device then sends a messaged called the "RADIUS Access Request" message to the configured RADIUS server.

NOTE: This message includes but is not limited to username, password, or certificate provided by the user for access.

5. The RADIUS server then returns one of three responses to the authenticator:

  • Access-Reject: The user entered is denied all access either based on inability to provide correct identification or the user has been removed from the RADIUS server.
  • Access-Challenge: The user needs additional information to authenticate such as secondary password, token, PIN, or card. This message is also used in more complex authentication where a secure tunnel is established between the user machine and RADIUS server.
  • Access-Accept: The user is granted access to the network.
NOTE: Additionally there may be other attributes passed on to the authenticator about the client including:
  • Static IP to be used for the client.
  • A specific address pool to be used for the client. 
  • Maximum time that a client can be authenticated.
  • Access list parameters
  • QoS specifics
  • VLAN id to be used for the client (Dynamic VLAN).

Network Diagram


Back to Top

USW-RADIUS.png


How to Enable the 802.1X Service on a Switch


Back to Top

  1. This option is found on the switch properties panel under "Services" when selecting an individual switch from the "Devices" section of the controller. 

ATTENTION: Enabling access control is done a per switch basis. If this is not enabled, the switch will not be able to act as an authenticator to pass RADIUS messages to the RADIUS server.  

Differentiating 802.1X Port Modes


Back to Top

  • Auto: The port is unauthorized until a successful authentication exchange has taken place.
  • Force Unauthorized: The port ignores supplicant authentication attempts and does not provide authentication services to the client
  • Force Authorized: The port sends and receives normal traffic without client port-based authentication.
  • MAC-Based: This mode allows multiple supplicants connected to the same port to each authenticate individually. Each host connected to the port must authenticate separately in order to gain access to the network. The hosts are distinguished by their MAC addresses. 

Working with Port Profiles


Back to Top

Using port profiles for rapid deployment is recommended instead of applying 802.1X policies manually on each port. 

  1. Navigate to Settings > Profiles > Switch Ports.
  2. Create a new profile with the desired 802.1X control.

NOTE: When using dynamic VLAN assignment on RADIUS the port profile must include each VLAN desired for use. 

How to Configure Fallback VLAN


Back to Top

The fallback VLAN is used when a client fails to authenticate with username and password or MAC authentication bypass. This setting is defined per-switch.

  1. This option is found on the switch properties panel under "Services" when selecting an individual switch from the "Devices" section of the controller. Controller version 5.9 required.


Controller Configuration for Non-USG RADIUS Server


Back to Top

  1. Navigate to Settings > Profiles > RADIUS.
  2. Create a new RADIUS Profile with the information for the external RADIUS server. 

User Tip: Check out Microsoft's guide on how to administrate their NPS to manage RADIUS users, certificates, etc.    

Related Articles


UniFi - USG: Configuring RADIUS Server

UniFi - Troubleshooting RADIUS Authentication


We're sorry to hear that!