Posted on

Managing RADIUS Authentication with UniFi

Tags

At a time when almost every gadget is “smart” and telecommuting is changing how we work, managing a corporate network is more difficult than ever.  Fortunately, as networks increase in complexity, the range of tools available to network administrators continues to expand as well. At Ubiquiti, we are constantly working to empower our customers by making it easier to integrate our product with these technologies. 

One of these tools we have been able to better integrate with our UniFi products is RADIUS Authentication. While by no means a new technology, its utility has grown over recent years. Many corporate networks use RADIUS- and for good reason. As BYOD is here to stay it is hard to imagine a world where RADIUS Authentication doesn’t have a place.

UniFi and RADIUS work well together. UniFi allows you to manage your network in every location no matter how remote and with RADIUS you can use the same login at each site.

In this blog post I’ll explain how RADIUS works then show you how to integrate it with UniFi.

What is RADIUS Authentication?

RADIUS (Remote Authentication Dial In User Service) is a popular network protocol that provides for the AAA (Authentication, Authorization, and Accounting) needs of modern IT environments. RADIUS equips administrators with the means to better manage network access by helping to provide a greater degree of security, control and monitoring. In basic terms, RADIUS allows remote users connecting to wireless networks to identify themselves and subsequently receive access to what they require.

radius2

When RADIUS-backed authentication is initiated, an authentication request and credentials are sent from the user’s device to the RADIUS client. The RADIUS client forwards this request on to the RADIUS authentication server to check against pre-defined rules/a user accounts database. An accepting-response is sent back to the users device via the client if the request meets the necessary requirements. The accounting feature if enabled, provides administrators with additional information like session length and bandwidth.

With UniFi, our Access Points/UniFi Switch once configured can also act as the RADIUS client to help authenticate users/devices with the the RADIUS authentication servers. Setting up your RADIUS configuration on your network may take quite a bit of time- but incorporating it into UniFi is simple.

I setup two servers (Linux and Windows) on my home network to act as authentication servers- and was able to confirm that only two steps are required to integrate a working RADIUS configuration with a UniFi-managed network. These are:

  1. Define the Access Points/UniFi Switch as RADIUS Clients on your RADIUS Server and create a shared secret/password to be added into UniFi Settings.
  2. Add your RADIUS Server/RADIUS Proxy Server to your network in the UniFi Controller.

I’ll show you how to do both in detail- through a Windows Server RADIUS Configuration through NPS as well as a Ubuntu Linux Authentication server.

Microsoft Windows Server 2012 R2

RADIUS Configurations in Windows can be set up through the Network Policy Server (NPS) which is a feature you can add to your Windows Server installation through NAP. In many networks, Windows NPS is a good choice as it integrates with users/rights associated with Active Directory.

nap

To demonstrate, I set up a new Windows Server 2012 R2 VM to act as my authentication server.

Once you’ve configured your NPS server as a RADIUS server, your UAP/US can be added as a RADIUS Client by right-clicking “RADIUS Clients” and selecting “New”.

client

To add my UAP-AC-PRO as a client, I entered the device’s IP address and gave it the friendly name “apradius1” and manually entered a “Shared Secret”. The Shared Secret is used to verify that the RADIUS client is allowed to process auth-requests through the RADIUS server. In larger environments, it may be wise to set up a “Shared Secrets template” to save some time instead of adding each individually.

To finalize the server configuration, I verified the necessary ports were opened (1812 for Authorization, 1813 for Accounting) to allow the server to receive request.

Note: If you run into any issues authenticating to the wireless network using PEAP like I did, I simply needed to import a certificate to my server for Server Authentication purposes. It then worked without a hitch.

Linux FreeRADIUS Configuration

To setup and test a Linux RADIUS authentication server, I installed the latest version of Ubuntu (16.10) on a VM. While Ubuntu doesn’t natively support RADIUS functionality, there’s a great open-source option FreeRADIUS readily available to Linux admins as a binary package. FreeRADIUS is one of the most popular options out there- and it makes sense- it’s free and makes setting up FreeRADIUS a pretty easy process even for Linux amateurs like myself. (See their in-depth and helpful guide here)

Here’s a brief walkthrough of the steps I had to take to get my Ubuntu FreeRADIUS server working with my UniFi APs in my network.

First, I installed FreeRADIUS using the following command:

$ sudo apt-get install freeradius

Next, I opened the default ports used for RADIUS Authentication (1812) and Accounting (1813). After creating these necessary firewall exceptions, I was ready to configure the server.

To add an AP as a client, you will need to edit the clients.conf configuration file. My clients.conf file was in the /etc/freeradius directory.

To add my AP, I followed the instructions in this file. I added my UAP-AC-PRO, which again I named “apradius1”. Attached to this client, I provided the IP address of the AP as well as the secret. This is what I put into the Clients.conf file:

client apradius1 {
       ipaddr = 192.168.1.139
       secret = secret1234
}

The only other file I had to edit was the Users file in the same directory to provide an account credentials to test with. If not for testing purposes, administrators will likely not want to create accounts and input the plain-text password.

A number of modules can be used to check user credentials against an encrypted user DB. For example, many admins integrate FreeRADIUS with LDAP by adding on the LDAP component to FreeRADIUS (see resources here). For simplicity’s sake however, I simply added a fake users credentials to allow me to test the RADIUS function.

Adding a RADIUS Server to UniFi Settings

To configure your UniFi managed network, simply open your controller and complete the following steps:

  • Go to Settings > Wireless Networks
  • Create a new network or modify an existing Network by clicking “Edit”.
  • Select “WPA Enterprise” under security
  • Under “RADIUS Auth Server” enter the IP Address of the RADIUS or RADIUS Proxy Server
  • Enter the port used by RADIUS Server for authorization, by default 1812
  • In the password field, enter the shared secret you assigned to the access point as a radius client.

Optional steps- only needed for RADIUS Accounting Functionality:

  • Click “+RADIUS Accounting Server”
  • Add IP, Port (1813 by default) and Shared Secret for accounting on RADIUS Server.  

unifi-settings

To complete my RADIUS configuration in my UniFi Controller, I followed these steps and selected the network “TurtleRA1”, chose “WPA Enterprise” under security and under “RADIUS Auth Server” added the IP address of my RADIUS authentication server. I entered port 1812, and for the Password field, the shared secret I had created earlier. I clicked “Save” to apply the changes.

Authenticating Client Devices with EAP Method

After you have finished configuration-test whether everything works by connecting a device to the RADIUS network. Connecting to an AP with RADIUS functionality enabled will prompt you to select the EAP method. Select any method you have authorized on your RADIUS server. 

To test my new RADIUS setup, I connected my mobile phone to my new network “TurtleRA1”.

 

I selected PEAP (Protected Extensible Authentication Protocol), as I had already verified it was enabled on my RADIUS server.

 

After entering test credentials, I clicked “Save”. The AP authenticated with the RADIUS server allowing my device to connect successfully.

 

Setting up RADIUS with UniFi has never been easier. Stay tuned in future weeks as we’ll be adding to our RADIUS-related documentation. These articles will provide added guidance on setting up accounting, troubleshooting failed authentication requests and more. 

Additional Resources

10 thoughts on “Managing RADIUS Authentication with UniFi”

  1. Would be lovely if the UniFi controller software could provide its own RADIUS server option – and be able to manage wifi users from that SPOG.

    1. I agree! The controller could have a Radius server with local users. At least with support to the basics for small deployments where there is no IT staff to give support.

  2. Hi Andrew,

    I’m running into PEAP authentication issues as you mentioned, but my Windows Server VM is also my DC, root CA, and Network Access Protection server. I’ve used this same VM to authenticate RADIUS with a DD-WRT router in the past with no issues, it’s only with UBNT & the ACLite AP that I’m at a dead-end. What do you recommend for “re-importing” a certificate?

    Many thanks,

    John

  3. You guys are bragging about this radius feature and how amazing it is with a BYOD environment when in fact it’s nearly unusable because the framed-ip-address packet is not being sent from the unifi ap’s, and after years of people asking for this to change it has been ignored.

    1. I too have had to spend more money and time to get around the framed-ip-address packet not being included in the radius information, so I feel your pain.

      I’m sure it’s on their to-do list at some point, I just wish it were sooner!

  4. Unifi security router requires radius for remote user (VPN) auth because the UI has no provision for entering a simple user account or two – this is a drag for the small site customer (many of your end-users are entering enterprise gear realm through the Ubiquiti brand and products. The UniFi Cloud Key and UniFi Controller software should include a built-in RADIUS server with an option to use a different radius server should one happen to have one already running if they are an enterprise. The lack of a radius server built into the distro makes little sense, at least include it in UniFi or a method in the UniFi UI for setting up a couple of remote user accounts to support clients using a VPN to get into the network remotely.

  5. This seems to work well as I migrate from Sophos AP’s that use a controller that does all that auth to the radius server. Now I setup each AP instead of one controller on the radius server and it seems to work perfect without having to change anything on my current radius server other than adding the ap’s as clients. Smooth migration with Vlan’s on cisco switches.

  6. Used Unifi across 3 VLAN’s with 3 separate SSID and AAA done via Freeradius package on PF sense / Netgate SG2220. The management network is authenticated by MAC Id only and the wireless supplicants must use pre-registered credentials. Works well and would suit a small office ?

    Above method suited a single site but cannot be scaled. Can anyone recommend a Captive Portal with email authentication then leading to automated credentials from Freeradius?

    UNIFI solution is excellent but they make you work for it ( Polar opposite of the managed Cisco experience!)

Comments are closed.