Ubiquiti Unifi and 802.1x

Overview

As many will know, 802.1x is the IEEE standard for port-based network access control. It is the authentication framework behind WPA Enterprise on wireless networks and is also used on access-layer switches to authenticate client endpoints before a port is opened. I have deployed this in the past on Cisco network equipment using ACS and ISE backed off to Active Directory, but I’ve never seen it done on the Ubiquiti Unifi stack. This article documents my attempt.

The Lab

The lab consists of a Unifi UDM Pro (1.7.2 at the time of writing), a couple of UAP-nanoHD wireless access points, some Unifi Flex Mini switches (which are absolutely awesome for the price) and a USW-16-POE Gen2 switch gluing everything together.

802.1x at 10,000 Feet

At a high level, the 802.1x framework consists of three components:

  • A Supplicant – this is the client device that wants to attach to the network.
  • An Authenticator – this is a network device such as a switch or WAP. It relays the supplicant’s authentication traffic and will only allow network access once the authentication server has approved the client.
  • An Authentication Server – this is the server or authentication platform that evaluates the credentials submitted by the supplicant and instructs the authenticator to grant or deny access to the network.

Between the supplicant and the authenticator the authentication messages (EAP) travel directly over the link as EAPOL frames. Between the authenticator and the authentication server they are carried inside the RADIUS protocol, and both ends hold a shared RADIUS secret that authenticates that traffic.
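The RADIUS leg of that exchange, as an added example that is not part of the original post and is not Ubiquiti’s code: it builds an Access-Request and an Access-Accept in memory the way RFC 2865 lays them out and shows the three places the shared secret is used (hiding the User-Password, the Message-Authenticator HMAC, and the Response Authenticator the server must put on its reply). The NAS-Identifier value, the packet identifier, the fixed Request Authenticator in the demo and the wordlist are assumptions. A wireless 802.1x request carries EAP-Message attributes (PEAP, EAP-TLS and so on) rather than a User-Password, but the framing and the use of the secret are identical, which is why the last function matters: whoever can capture one request/response pair on the path between an access point and the RADIUS server can test candidate secrets offline, and a secret of “PASSWORD” is found immediately.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

def attr(atype, value):
    """One RADIUS attribute: Type, Length (counting these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attributes(packet):
    """Return [(type, value, offset_of_value)] for each attribute in a packet."""
    out, pos, length = [], 20, HEADER.unpack(packet[:4])[2]
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        out.append((atype, packet[pos + 2:pos + alen], pos + 2))
        pos += alen
    return out

def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password: anyone holding the secret can read the password back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, body):
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body

def build_access_request(secret, ident, request_auth, username, password):
    """Authenticator -> server. The Message-Authenticator (RFC 3579 3.2) is an
    HMAC-MD5 over the whole packet with its own value zeroed; servers require it
    on requests carrying EAP-Message, which is what a real 802.1x request holds."""
    fixed = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(secret, request_auth, password))
             + attr(NAS_IDENTIFIER, b"UDM-Pro"))  # assumed NAS name for the example
    draft = build_packet(ACCESS_REQUEST, ident, request_auth,
                         fixed + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, draft, hashlib.md5).digest()
    return build_packet(ACCESS_REQUEST, ident, request_auth,
                        fixed + attr(MESSAGE_AUTHENTICATOR, mac))

def verify_message_authenticator(secret, packet):
    for atype, value, off in parse_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # no Message-Authenticator present: treat as unauthenticated

def response_authenticator(secret, code, ident, request_auth, body):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body))
                       + request_auth + body + secret).digest()

def build_access_accept(secret, ident, request_auth, body=b""):
    """Server -> authenticator; the Authenticator field proves the server knows the secret."""
    auth = response_authenticator(secret, ACCESS_ACCEPT, ident, request_auth, body)
    return build_packet(ACCESS_ACCEPT, ident, auth, body)

def verify_response(secret, request_auth, response):
    code, ident, length = HEADER.unpack(response[:4])
    expected = response_authenticator(secret, code, ident, request_auth, response[20:length])
    return hmac.compare_digest(expected, response[4:20])

def recover_secret(request_auth, response, wordlist):
    """Offline guessing: one captured request/response pair lets an eavesdropper
    test candidate secrets against the Response Authenticator without ever
    contacting the server. A short, guessable secret falls to a small wordlist."""
    for guess in wordlist:
        if verify_response(guess, request_auth, response):
            return guess
    return None

if __name__ == "__main__":
    secret, ra = b"PASSWORD", os.urandom(16)  # the lab secret from this post
    req = build_access_request(secret, 7, ra, b"user", b"PASSWORD")
    acc = build_access_accept(secret, 7, ra)
    print("request Message-Authenticator valid:", verify_message_authenticator(secret, req))
    print("accept Response Authenticator valid:", verify_response(secret, ra, acc))
    print("secret recovered from the capture:", recover_secret(ra, acc, [b"radius", b"secret", b"PASSWORD"]))
```

Note that nothing here is encrypted: User-Password is only XOR-masked with an MD5 stream, and every check is MD5-based, so the strength of the whole authenticator-to-server leg rests on the secret being long and random and on the RADIUS traffic staying on a network segment an attacker cannot sniff.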

Because this is a lab environment, I’m going to make use of the RADIUS authentication server built into the Unifi Controller hosted on the UDM Pro so I can concentrate on the Unifi element. I should also point out that the instructions listed here are done using the Classic Unifi Controller Settings menu, not the new beta settings.

Enabling the Unifi Radius Server

Log into the Unifi Controller and click the Settings icon.

Click on the Services tab.

A number of new options are presented across the top of the screen, including RADIUS. Select this option and then click the Server option which appears underneath.

Select the Enable RADIUS Server option.

Enter a memorable but secure password in the Secret field. This will be required later on. It is the shared secret the access points use to authenticate their RADIUS traffic to the server, so outside a lab it should be long and random. I’m going to use an uber secret err … secret of “PASSWORD” as this is a lab.

Leave the Authentication and Accounting ports at their default values (1812/1813).

Leave all other settings as default and press Apply Changes to save settings.

Define a RADIUS User

Log into the Unifi Controller and click the Settings icon.

Click on the Services tab.

A number of new options are presented across the top of the screen, including RADIUS. Select this option and then click the User option which appears underneath.

Click on the Create New User button.

Enter a name for this new user in the Name field. I’m going with “user” for now.

Enter a password for this user in the Password field. Again, I’m going with the super secret “PASSWORD” but in your case, this should be something memorable but secure!

Leave the other settings at their defaults and click the Save button.

Note: Testing showed that BOTH username and password selected here are CaSe SeNsItIvE. Don’t let this catch you out when trying to connect later on.

Wifi SSID and Enterprise (802.1x) Definition

Log into the Unifi Controller and click the Settings icon.

Browse to the Wireless Networks tab.

Click the Create New Wireless Network button.

Enter a name for this new wireless network in the Name/SSID field. I’m calling mine 802.1x

Make sure the Enabled checkbox is checked.

Set the Security radio button to WPA Enterprise.

A new option called Radius Profile appears prefilled with Default. I’m going to accept this for now.

At this stage, clicking the Save button is enough to complete the setup although there are additional settings under the Advanced drop down menu which may be useful.

Connecting a Wireless Device

At this stage, I’m ready to connect a Wireless Device. My implement of torture is a Dell Latitude laptop running a standalone (i.e. not on an AD Domain) version of Windows 10 Professional.

Click on the Network icon down in the bottom right hand corner of the Windows task bar near the clock and if everything is going to plan, you’ll see the SSID for the wireless network created earlier in the process.

Click on the name of your SSID, mine was 802.1x and press Connect.

Windows 10 will probably warn you about certificates at this point, advising you not to connect if you weren’t expecting a certificate prompt from this network. As we are, press OK to continue. The prompt appears because the laptop has no profile telling it which RADIUS server certificate to trust; it is worth opening the certificate details and checking that they match the server you have just set up, because a supplicant that accepts any certificate will hand its credentials to a rogue access point broadcasting the same SSID. For anything beyond a lab, deploy a wireless profile that validates the server certificate against a trusted CA and an expected server name.

At this stage, you should now receive a prompt for credentials. Enter the Username and Password you created when setting up the RADIUS user and remember that both username and password are case sensitive!

You should now be connected to your new Wireless SSID having authenticated via 802.1x.

Congratulations!

Validation

The obvious validation for proving you have a valid connection is to run ipconfig from a PowerShell or cmd prompt. If you have an IP address in your usual range then all is well. That only proves DHCP worked, though; to confirm the connection actually used enterprise authentication, run netsh wlan show interfaces and check that the Authentication line for the active adapter reads WPA2-Enterprise.

You can also browse to Clients in the left hand menu of the Unifi dashboard, filter by Wireless clients and then, using the column filter, enable the 802.1x identity column. You should see your wireless device connected and authenticated, with the username you created earlier listed against it.

Conclusion

Hopefully this is enough to get you started with 802.1x and Unifi. I will put an article together at some point in the future regarding 802.1x, Unifi wired connections and RADIUS assigned VLANs but until then, thanks for viewing this post and please leave any comments below.
