This article describes how to configure the RADIUS server on the UniFi Security Gateway. This server can be used for wired, wireless, and L2TP remote access authentication types. The configuration of the RADIUS server is the same for all authentication types.
Table of Contents
- Network Diagram
- How to Enable RADIUS Server on USG
- How to Create Users in the Controller
- How to Configure MAC-Based RADIUS Accounts
- How to Enable RADIUS Assigned VLAN
- Related Articles
The 802.1X standard has three components:
- Authenticators: Specifies the port or device that is sending messages to the RADIUS server before permitting system access.
- Supplicants: Specifies host connected to the port requesting access to the system services.
- Authentication Server: Specifies the external server, for example, the RADIUS server that performs the authentication on behalf of the authenticator, and indicates whether the user is authorized to access system services. The Port Access Control folder contains links to the following pages that allow you to view and configure 802.1X features on the system.
RADIUS Authentication and Authorization:
The process in which a client device is authorized with 802.1X goes as follows:
1. The client device is prompted for credentials.
2. User inputs credentials.
3. The client device sends a request on the data link layer to an authenticator to gain access to the network.
4. The authenticator device then sends a messaged called the "RADIUS Access Request" message to the configured RADIUS server.
NOTE: This message includes but is not limited to username, password, or certificate provided by the user for access.
5. The RADIUS server then returns one of three responses to the authenticator:
- Access-Reject: The user entered is denied all access either based on inability to provide correct identification or the user has been removed from the RADIUS server.
- Access-Challenge: The user needs additional information to authenticate such as secondary password, token, PIN, or card. This message is also used in more complex authentication where a secure tunnel is established between the user machine and RADIUS server.
- Access-Accept: The user is granted access to the network.
NOTE: Additionally there may be other attributes passed on to the authenticator about the client including:
How to Enable RADIUS Server on USG
- Navigate to Settings > Services > RADIUS.
- Enable the RADIUS server under the "Server" tab.
- Secret: Pre-shared key provisioned to the authenticator devices and the RADIUS server. This provides authentication between the two types of devices ensuring RADIUS message integrity.
- Authentication port: The port in which RADIUS authentication messages are to be sent and received by authenticator and RADIUS server devices.
- Accounting Port: The port in which RADIUS accounting messages are to be sent and received by authenticator and RADIUS server devices.
- Accounting Interim Interval: Time in milliseconds in which a RADIUS access request packet is sent with an Acct-Status-Type attribute with the value "interim-update". This update is sent to request the status of an active session. "Interim" records contain report the current session duration and can provide information on data usage.
NOTE: The RADIUS server runs on the USG when this option is enabled.
How to Create Users in the Controller
- Navigate to Settings > Services > RADIUS
- Create user accounts under the "User" tab.
- Username: Enter a unique username for a user to enter.
- Password: Enter the desired password for a user to enter.
- VLAN: Field used for assigning a RADIUS authenticated client to a specific VLAN when using RADIUS assigned VLANs.
- Tunnel Type: See RFC2868 section 3.1
- Tunnel Medium Type: See RFC2868 section 3.2
NOTE: User accounts can be used for wired, wireless, and L2TP authentication types.
How to Configure MAC-Based RADIUS Accounts
To authenticate devices based on MAC address use the MAC address as the username and password under client creation. This entry should convert lowercase letters to uppercase, and also remove colons or periods from the MAC address.
NOTE: MAC-based authentication accounts can only be used for wireless and wired clients. L2TP remote access does not apply.
How to Enable RADIUS Assigned VLAN
- Navigate to Settings > Profiles > RADIUS
- Under the profile select "Enable RADIUS assigned VLAN..." for both wired and wireless if desired.
- Navigate to Settings > Services > RADIUS > Users.
- Each user that will utilize dynamic VLAN must have tunnel-type set to (13), and tunnel-medium-type set to (6).
ATTENTION: If the user profile does not include a VLAN the client will fall back to the untagged VLAN.