UniFi - UAP: Configuring Access Policies for Wireless Clients


Overview


This article explains how to configure access policies on UniFi access points for wireless clients: WPA2-Enterprise (802.1X against a RADIUS server), MAC filtering, and RADIUS MAC authentication.

NOTES:
Complete the prerequisite configuration in the UniFi - USG: Configuring RADIUS Server article before following this guide, or have a third-party RADIUS server ready (see Configuring a Non-USG RADIUS Server below).
 
Devices used in this article:

Table of Contents


  1. Introduction
  2. Network Diagram
  3. Configuring WPA2-Enterprise
  4. Configuring MAC Filter
  5. Configuring RADIUS MAC Authentication
  6. Configuring a Non-USG RADIUS Server
  7. Related Articles

Introduction



The 802.1X standard has three components:

  • Authenticator: the device that controls access to the port (on a wireless network, the access point the client associates with). It relays the supplicant's credentials to the RADIUS server and forwards client traffic only after the server accepts.
  • Supplicant: the client host connected to the port (or associated with the SSID) that is requesting access to network services.
  • Authentication Server: the external server, typically a RADIUS server, that performs the authentication on behalf of the authenticator and tells it whether the user is authorized to access network services.

RADIUS Authentication and Authorization:

The process by which a client device is authorized with 802.1X goes as follows:

1. The client device is prompted for credentials.

2. The user inputs credentials.

3. The client device sends a request at the data link layer (EAP over LAN, EAPOL) to the authenticator to gain access to the network.

4. The authenticator then sends a RADIUS Access-Request message to the configured RADIUS server.

NOTE: This message carries the identity and credential supplied by the user (for example a username and password, or a certificate exchanged through EAP), together with attributes describing the request, such as the client's MAC address (Calling-Station-Id) and the access point that sent it. RADIUS messages between the UAP and the server are protected only by the shared secret, so use a long random secret and restrict the server to accepting requests from the access points' addresses.

5. The RADIUS server then returns one of three responses to the authenticator:

  • Access-Reject: The user is denied all access, either because the credentials could not be verified or because the user has been removed from the RADIUS server.
  • Access-Challenge: The server needs additional information to authenticate the user, such as a secondary password, token, PIN, or card. This message is also used in multi-round methods (for example PEAP or EAP-TLS) where a TLS tunnel is established between the user machine and the RADIUS server.
  • Access-Accept: The user is granted access to the network.

NOTE: An Access-Accept may also carry attributes that the authenticator applies to the client, including:
  • A static IP to be used for the client.
  • A specific address pool to be used for the client.
  • The maximum time the client may remain authenticated before re-authenticating (Session-Timeout).
  • Access list parameters.
  • QoS specifics.
  • The VLAN ID to be used for the client (dynamic VLAN).
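The following Python script is added here as an illustration of the exchange above; it is not UniFi or USG code. It implements both sides at the packet level: the authenticator builds an Access-Request with a hidden User-Password (RFC 2865), a toy server checks it and answers Access-Accept with dynamic-VLAN attributes (RFC 2868) or Access-Reject, and the authenticator verifies the Response Authenticator before trusting the VLAN. The shared secret, the user database and the VLAN number are assumed values. The password-based (PAP) form shown is the one used for RADIUS MAC authentication; WPA2-Enterprise carries EAP inside EAP-Message attributes instead, which this example does not model.

```python
import hashlib, hmac, os, struct
from collections import namedtuple
# Codes, attribute types and enumerated values from RFC 2865 / RFC 2868
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
Packet = namedtuple("Packet", "code identifier authenticator attributes")

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded, out = password + b"\x00" * (-len(password) % 16), b""
    for i in range(0, len(padded), 16):
        prev = out[-16:] or request_auth  # the first block chains on the Request Authenticator
        out += bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the zero padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    out = b""
    for i in range(0, len(hidden), 16):
        prev = hidden[i - 16:i] or request_auth
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
    return out.rstrip(b"\x00")

def encode_attributes(attrs):
    """Each AVP is Type(1) Length(1) Value; Length counts the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attributes(data):
    attrs, i = [], 0
    while i < len(data):
        n = data[i + 1] if i + 1 < len(data) else 0
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + n]))
        i += n
    return attrs

def parse_packet(data):
    code, identifier, length = struct.unpack("!BBH", data[:4]) if len(data) >= 4 else (0, 0, 0)
    if not 20 <= length <= len(data):
        raise ValueError("truncated or malformed packet")
    return Packet(code, identifier, data[4:20], decode_attributes(data[20:length]))

def build_access_request(secret, identifier, username, password, client_mac, request_auth=None):
    """Authenticator (UAP) side. The Request Authenticator must be fresh and random: it keys the password hiding."""
    ra = request_auth or os.urandom(16)
    body = encode_attributes([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
        (CALLING_STATION_ID, client_mac.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + ra + body

def build_response(secret, code, request, attrs):
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def server_handle(secret, request, users):
    """Toy server: PAP check against users = {name: (password, vlan_id)}; Accept carries RFC 2868 VLAN attributes."""
    pkt = parse_packet(request)
    attrs = dict(pkt.attributes)
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    try:
        given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, pkt.authenticator)
    except ValueError:
        given = b""
    if name not in users or not hmac.compare_digest(given, users[name][0].encode()):
        return build_response(secret, ACCESS_REJECT, request, [])
    return build_response(secret, ACCESS_ACCEPT, request, [  # leading 0x01 is the RFC 2868 tag byte
        (TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(users[name][1]).encode())])

def verify_response(secret, request, response):
    """Authenticator side: discard replies whose Identifier or Response Authenticator do not match the request."""
    pkt = parse_packet(response)
    if pkt.identifier != request[1]:
        raise ValueError("Identifier mismatch")
    body = response[20:struct.unpack("!H", response[2:4])[0]]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, pkt.authenticator):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return pkt

def vlan_from_accept(pkt):
    """Dynamic VLAN: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), numeric Tunnel-Private-Group-Id."""
    a = dict(pkt.attributes)
    tt, tm, grp = a.get(TUNNEL_TYPE, b""), a.get(TUNNEL_MEDIUM_TYPE, b""), a.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if pkt.code != ACCESS_ACCEPT or len(tt) != 4 or len(tm) != 4 or not grp:
        return None
    if int.from_bytes(tt[1:], "big") != TUNNEL_TYPE_VLAN or int.from_bytes(tm[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None  # byte 0 of Tunnel-Type / Tunnel-Medium-Type is the tag
    group = (grp[1:] if grp[0] <= 0x1F else grp).decode(errors="replace")  # tag byte is optional on strings
    return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None
```

A run of the exchange is `build_access_request(secret, 7, "alice", "s3cret", "AA-BB-CC-DD-EE-FF")`, passed to `server_handle` and then `verify_response`; `vlan_from_accept` on the verified reply yields the VLAN the UAP would tag the client into. Note that a reply forged with the wrong secret fails in `verify_response` before any attribute is looked at, and an Accept whose VLAN is outside 1..4094 is treated as carrying no VLAN rather than being applied.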

Network Diagram



[Network diagram: UAP-RADIUS.png]


Configuring WPA2-Enterprise



NOTE: To continue with this section, ensure that a RADIUS server has been configured in the UniFi Controller. This can be either the USG acting as the RADIUS server or a third-party server (see Configuring a Non-USG RADIUS Server below).

1. Navigate to Settings > Wireless Networks

2. Select the wireless network that will have WPA2-Enterprise enabled. 

3. Under Security, select WPA Enterprise.

4. Choose the desired RADIUS profile. 

NOTE: If the RADIUS profile has RADIUS assigned VLAN enabled, the VLAN field of the wireless network cannot be set here: each client is placed in the VLAN returned by the RADIUS server in its Access-Accept (dynamic VLAN). Those VLANs must also be allowed on the switch ports that carry the access point's traffic.

5. Select Save after changes have been completed.

NOTE: Configure the supplicants to validate the RADIUS server's certificate (and to expect the specific CA or server name). A client that skips this check will hand its credentials to any rogue access point broadcasting the same SSID in front of its own RADIUS server.


Configuring MAC Filter


1. Navigate to Settings > Wireless Networks

2. Select the wireless network that will have MAC Filter enabled. 

3. Under MAC Filter, select Enabled.

4. Select whether the client devices added to the list will be blacklisted (not allowed to join) or whitelisted (only these clients can join the SSID).

5. Select Save after changes have been completed.

NOTES:
  • Add batch allows bulk upload of MAC addresses.
  • Add clients lets you pick from clients already known to the UniFi Controller.
  • A MAC filter is a convenience control, not an authentication mechanism: client MAC addresses appear unencrypted in every 802.11 frame header and are trivial to change, so a whitelist only keeps out devices that are not trying to get in. Use WPA2-Enterprise (or at minimum WPA2-PSK) for actual access control.

Configuring RADIUS MAC Authentication


1. Navigate to Settings > Wireless Networks

2. Select the wireless network that will have RADIUS MAC Authentication enabled. 

3. Under RADIUS MAC Authentication, select Enabled.

4. Choose a RADIUS profile for the SSID to use for MAC authentication.

5. Select the format in which the client's MAC address is sent as both the username and the password from the UAP to the authentication server (for example aabbccddeeff, AA:BB:CC:DD:EE:FF or aa-bb-cc-dd-ee-ff).

NOTE: The user accounts on the RADIUS server (on the USG, the users created in the prerequisite article) must be entered in exactly the same format, including case and separator, because the server compares the strings literally. A mismatch results in an Access-Reject for every client.

NOTE: RADIUS MAC authentication has the same limitation as a MAC filter: the "credential" is the client's MAC address, which is visible to anyone in range and easy to spoof. Treat it as a way to centralize a device list, not as strong authentication.

6. Select Save after changes have been completed.


Configuring a Non-USG RADIUS Server



  1. Navigate to Settings > Profiles > RADIUS.
  2. Create a new RADIUS Profile with the information for the external RADIUS server: its IP address, authentication (and optionally accounting) port, and the shared secret. The same secret must be configured on the server in the client entry for the access points, and the server must accept requests from the access points' IP addresses (or subnet); a RADIUS server silently discards requests from unknown clients, so a mismatch shows up as an authentication timeout rather than a reject.

User Tip: Check out Microsoft's guide on how to administer NPS to manage RADIUS users, certificates, etc.
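For RADIUS MAC authentication against a non-USG server, the accounts on the server have to be spelled exactly as the UAP sends them (see the RADIUS MAC Authentication section above). The following Python helper, added here as an example rather than taken from UniFi or FreeRADIUS, normalizes MAC addresses from any common notation, renders them in the selectable formats, emits FreeRADIUS `users`-file entries (with an optional dynamic VLAN) and builds a de-duplicated list for the MAC Filter "Add batch" field. The format list and the batch-field format are assumptions that should be checked against the controller version in use; the entries assume the access points are already defined as clients on the FreeRADIUS server with the same shared secret as the RADIUS profile.

```python
import re

# Formats the controller can send as RADIUS username/password (assumed to mirror the drop-down
# under Settings > Wireless Networks; confirm against the controller version in use).
MAC_FORMATS = {
    "aabbccddeeff": lambda h: h,
    "AABBCCDDEEFF": lambda h: h.upper(),
    "aa:bb:cc:dd:ee:ff": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "AA:BB:CC:DD:EE:FF": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)).upper(),
    "aa-bb-cc-dd-ee-ff": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "AA-BB-CC-DD-EE-FF": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)).upper(),
}


def normalize_mac(raw):
    """Accept colon, dash, Cisco dotted or bare-hex notation; return 12 lowercase hex digits.
    Multicast/broadcast addresses and anything that is not exactly 48 bits are rejected."""
    if re.search(r"[^0-9a-fA-F:.\-\s]", raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(digits[:2], 16) & 1:  # I/G bit set: group address, never a client's own MAC
        raise ValueError(f"multicast/broadcast address, not a client: {raw!r}")
    return digits


def format_mac(mac, fmt):
    """Render a MAC in one of the controller's selectable formats."""
    if fmt not in MAC_FORMATS:
        raise ValueError(f"unknown format {fmt!r}; choose one of {sorted(MAC_FORMATS)}")
    return MAC_FORMATS[fmt](normalize_mac(mac))


def freeradius_users_entry(mac, fmt, vlan=None):
    """FreeRADIUS `users` entry for one client: username and password are both the MAC in `fmt`
    (the controller sends the same string twice), with optional RFC 2868 dynamic-VLAN reply items."""
    ident = format_mac(mac, fmt)
    entry = f'"{ident}"\tCleartext-Password := "{ident}"'
    if vlan is not None:
        if not 1 <= int(vlan) <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        entry += ("\n\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n"
                  f'\tTunnel-Private-Group-Id = "{int(vlan)}"')
    return entry


def username_matches(radius_username, known_mac):
    """Diagnose the common failure: same device, different formatting on the AP and the server."""
    try:
        return normalize_mac(radius_username) == normalize_mac(known_mac)
    except ValueError:
        return False


def mac_filter_batch(raw_macs):
    """De-duplicated, sorted list for the MAC Filter 'Add batch' field (assumed to take one
    colon-separated lowercase address per line)."""
    return sorted({format_mac(m, "aa:bb:cc:dd:ee:ff") for m in raw_macs})
```

`freeradius_users_entry("aa:bb:cc:dd:ee:ff", "aabbccddeeff", 20)` produces an entry whose name and password are `aabbccddeeff` and whose reply items place the client in VLAN 20; selecting a different format in the controller without regenerating the entries is exactly the mismatch `username_matches` is meant to spot when reading the server's reject log.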

Related Articles



UniFi - USG: Configuring RADIUS Server

UniFi - Troubleshooting RADIUS Authentication

UniFi - USW: Configuring Access Policies (802.1X) for Wired Clients

