
How to configure Windows Server and Unifi Controller for RADIUS Wifi access

In this tutorial you will be shown how to configure the Unifi Controller and Windows Server for RADIUS Wifi access. Why is this useful? Well, it allows us to simply disable a user account in Active Directory after a termination, and the former employee will no longer have Wifi access. This prevents Tech Support from having to change the Wifi password every time an employee is terminated.

Prerequisites for this tutorial.

  1. Internal Unifi Controller; I myself am using a UDM-PRO for that function.
    • You can use a Cloud Hosted Unifi Controller, but you will need to open the RADIUS ports on your firewall's WAN. Your network firewall should be configured to only allow incoming traffic from your Unifi hosted controller's IP address to the RADIUS ports.
  2. Your Unifi equipment should be assigned static IP addresses outside your DHCP scope. Once done, write down the IP addresses alongside their model or unique name.
  3. Stand up a new physical or virtual server with Windows Server 2019.
    • I called my new virtual server HDN-RADIUS (1 vCPU, 4 GB RAM, 60 GB HDD).
    • Install all updates on the new RADIUS server.
    • Assign a static IP address.
    • Join the new RADIUS server to the domain.
    • At this point create a backup or a virtual snapshot before moving forward with the tutorial.
    • I am a firm believer in keeping the AD/DC server clean, so do not configure these roles on that server.

Let's get started with installing the required Windows Server roles!

We will be starting with the newly created Windows Server 2019 and installing the roles we need for RADIUS to work with your Unifi Controller and its Wifi access points.

  1. Open your Windows Server Manager > Click Manage > Click Add Roles and Features.
  2. Click Next until you reach Server Roles. Enable the following:
    • Active Directory Certificate Services
    • Network Policy and Access Services
    • Remote Access

  3. Once the items are selected and the prerequisites are approved, click Next until you reach AD CS > Role Services.
  4. Under Role Services select Certification Authority and click Next.
  5. Now within Remote Access > Role Services, select DirectAccess and VPN (RAS) and click Next.
  6. Now click Next all the way through, then Install the roles and wait until you receive the message that all your roles are installed successfully. Once successful you can close the window.

Let's open up the firewall ports needed.

Here we are going to open up the firewall ports that we need for RADIUS to work with the Unifi Controller.

  1. From the RADIUS server, search for Advanced in the task bar search menu and select Windows Defender Firewall with Advanced Security.
  2. Locate Inbound Rules > Right click Inbound Rules > Select New Rule.
  3. Select Port and click Next.
  4. Select UDP and provide the Specific Local Ports you want opened, which is port 1812, then click Next.
  5. Select Allow the connection and click Next.
  6. Check mark Domain, Private and Public. Afterwards click Next.
  7. Give your rule a name; I used Radius UDP 1812. Afterwards click Finish.
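The role installation from the previous section and this firewall rule, done from an elevated PowerShell session on the new RADIUS server instead of the GUI. This is an added example, not part of the original tutorial; it assumes the rule name Radius UDP 1812 from step 7, and the device IPs in `$radiusClients` are constructed placeholders for the static addresses you wrote down in the prerequisites.

```powershell
# Added example (not from the original tutorial): installs the three roles from the
# "Windows Server roles" section, then opens UDP 1812 inbound as in the firewall section.
# Run from an elevated PowerShell session on the new RADIUS server.
$features = @(
    'ADCS-Cert-Authority',   # Active Directory Certificate Services > Certification Authority
    'NPAS',                  # Network Policy and Access Services (NPS)
    'DirectAccess-VPN'       # Remote Access > DirectAccess and VPN (RAS)
)
$install = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $install.Success) { throw "Role installation failed (exit code $($install.ExitCode))." }
if ($install.RestartNeeded -eq 'Yes') { Write-Warning 'Restart the server before continuing.' }

# Confirm every role reports Installed before moving on to the configuration sections.
Get-WindowsFeature -Name $features | Format-Table Name, DisplayName, InstallState -AutoSize

# Inbound rule for RADIUS authentication (UDP 1812) on the Domain, Private and Public profiles.
# $radiusClients holds placeholder IPs of your UniFi devices; an empty list keeps the rule
# open to any source address, exactly as the GUI steps above create it.
$ruleName      = 'Radius UDP 1812'
$radiusClients = @('192.0.2.1', '192.0.2.10', '192.0.2.11')   # constructed placeholders

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $params = @{
        DisplayName = $ruleName
        Direction   = 'Inbound'
        Protocol    = 'UDP'
        LocalPort   = '1812'
        Action      = 'Allow'
        Profile     = 'Domain,Private,Public'
    }
    # Limiting the source to the APs/controller means a stray host on the LAN cannot reach NPS.
    if ($radiusClients.Count -gt 0) { $params['RemoteAddress'] = $radiusClients }
    New-NetFirewallRule @params | Out-Null
}

# Show the resulting rule: its port filter and (if set) the allowed remote addresses.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
```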

Let's configure Active Directory Certificate Services

We are making progress. Here we will be configuring Active Directory Certificate Services; this will be needed for the desktops and laptops that connect to the RADIUS Wifi.

  1. Open up Windows Server Manager. Click on the flag and then locate Configure Active Directory Certificate Services.
  2. Under Credentials you will want to specify a Domain Admin account, then click Next.
  3. Within Role Services check the box for Certification Authority and click Next.
  4. For Setup Type we will want to select the radio button for Enterprise CA, then click Next.
  5. Within CA Type select the radio button for Root CA and click Next.
  6. For Private Key we will be providing our own key so we can document it and have it handy. Select the radio button for Create a new private key and then click Next.
  7. Under Cryptography the defaults can stand as they are. Go ahead and click Next.
  8. Double check your CA Name settings. They should be similar to mine, apart from the domain name and server name that I am using, of course. Afterwards click Next.
  9. Under Validity Period you can set your certificate to expire whenever you like. However, my personal preference is 100 years so we do not have to bother with certificate expirations any time soon. Afterwards click Next.
  10. In the Certificate Database section leave these paths the same and click Next.
  11. Review the Confirmation and select the Configure button.
  12. Once configured, your Results should be Configuration Succeeded. Afterwards click Close and we are done with the certificate authority creation.

Let's configure our Network Policy Server

Here we will be configuring the security policies required for our Unifi Controller and Wifi equipment to communicate with the RADIUS server and Active Directory / Domain Controller.

  1. Open Windows Server Manager, click Tools > Select Network Policy Server.
  2. Now that we have Network Policy Server open, click on NPS (Local). You should now see the option to change your Standard Configuration; from the dropdown select RADIUS server for 802.1X Wireless or Wired Connections. Move forward by clicking Configure 802.1X.
  3. Once the Configure 802.1X window is open select the Radio button for Secure Wireless Connections. Then click Next.
  4. You will be prompted with a screen to add your New RADIUS Client, and here you will want to refer back to your list of equipment IP addresses and device names.
    • For Friendly name use your Unifi equipment's model or unique name.
    • For Address use the static IP address you assigned to the equipment.
    • Now for Shared Secret, select the radio button for Manual. Type in a strong password and write it down. This password will be used in the Unifi Controller as well. Afterwards click OK.
  5. You will have to add all your Unifi devices as clients to the RADIUS server. This allows authentication between the server and the Unifi devices. Once done adding devices, click Next.
  6. For Configure an Authentication Method, click on the dropdown window and select Microsoft: Protected EAP (PEAP), afterwards click Next.
  7. Under Specify User Groups I am going to add Domain Users to be allowed access to RADIUS authentication. This gives every domain user permission to access the Unifi wireless SSID. You can also create a security group in your AD server and add specific users for access under that group. Once you decide what your preference is, click Next.
  8. All can remain the same under Configure Traffic Controls, so continue through and click Next.
  9. With the following window you can click Finish.
  10. We are almost done with Network Policy Server. We will now have to register this new RADIUS server with Active Directory. Open Network Policy Server, right click on NPS (Local) and from the menu select Register server in Active Directory. Now we are finished with this section!
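Steps 4, 5 and 10 of this section as a PowerShell pass over your whole device list, so every UniFi device is registered with the same secret and the server is registered in AD afterwards. This is an added example, not code from the original tutorial; the device names and addresses in `$unifiDevices` are constructed placeholders for your own list.

```powershell
# Added example (not from the original tutorial): registers every UniFi device from your
# list of static IPs and names (prerequisite step 2) as a RADIUS client in NPS in one pass,
# all sharing one secret that must also be entered into the UniFi RADIUS profile later.
# Device names/addresses below are constructed placeholders; replace them with your list.
Import-Module NPS

$unifiDevices = @(
    @{ Name = 'UDM-PRO';       Address = '192.0.2.1'  }   # placeholder: controller/gateway
    @{ Name = 'U6-LR-Lobby';   Address = '192.0.2.10' }   # placeholder: access point
    @{ Name = 'U6-LR-Floor2';  Address = '192.0.2.11' }   # placeholder: access point
)

# One strong shared secret, generated from the OS CSPRNG rather than typed by hand.
# Record it: NPS and the UniFi RADIUS profile must hold exactly the same value.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)
Write-Host "Shared secret for the UniFi RADIUS profile (store it in your password manager): $sharedSecret"

foreach ($dev in $unifiDevices) {
    # Idempotent: update an existing client with the same friendly name, otherwise create it.
    if (Get-NpsRadiusClient -Name $dev.Name -ErrorAction SilentlyContinue) {
        Set-NpsRadiusClient -Name $dev.Name -Address $dev.Address -SharedSecret $sharedSecret
    } else {
        New-NpsRadiusClient -Name $dev.Name -Address $dev.Address -SharedSecret $sharedSecret
    }
}

# Verify: every UniFi device should be listed and enabled. NPS discards requests that
# arrive from an address which is not a registered client, so a missing AP fails silently.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled | Format-Table -AutoSize

# Step 10 without the GUI: register NPS in Active Directory so it may read users' account
# and dial-in properties (the same action as "Register server in Active Directory").
netsh ras add registeredserver
```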

Let's create a Group Policy on your AD/DC server

Now this may vary from everyone's AD configuration. I always have an OU where my users and computers reside, rather than the default locations.

  1. Log into your AD/DC server and open up Group Policy Management. Right click on the OU where your domain users reside and from the menu select New GPO. Afterwards name that GPO with an identifiable name; I will be using Radius. Then click the OK button.
  2. Locate and select your new Radius policy. Under Security Filtering select the Add button and add Domain Users.
  3. Right click and Edit your new Radius policy. Drill down this path: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  4. Within Public Key Policies locate Certificate Services Client – Auto-Enrollment. Right click the policy and click Properties.
  5. In the Certificate Services Client – Auto-Enrollment Properties window change the Configuration Model to Enabled from the dropdown window. Afterwards check both boxes and click the OK button.
  6. Back in the same Public Key Policies folder, locate the folder Automatic Certificate Request Settings. Right click it > find New > select Automatic Certificate Request.
  7. You will be prompted to start the wizard; just click Next.
  8. Select Computer and then click Next.
  9. Now click Finish. We have now completed the GPO for domain desktops and laptops to properly obtain a security certificate when they connect to the Unifi wireless SSID.
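A check to run on a domain-joined Windows laptop before trying the SSID: pull the new GPO, trigger auto-enrollment, and confirm a computer certificate from the tutorial's Enterprise Root CA is in the machine store. This is an added example, not part of the original tutorial; `$caName` is a placeholder for the CA Name you accepted in the AD CS configuration step.

```powershell
# Added example (not from the original tutorial): run on a domain-joined Windows client to
# pull the Radius GPO, trigger auto-enrollment, and confirm a machine certificate issued by
# the tutorial's Enterprise Root CA landed in the computer store.
$caName = 'YOUR-CA-NAME'   # placeholder: the CA Name chosen in the AD CS configuration

gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null   # runs the auto-enrollment task now instead of at the next logon

# The root CA certificate must be trusted by the machine (the Enterprise CA publishes it to AD).
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$caName*" }
if (-not $root) { Write-Warning "Root CA '$caName' is not in the machine Trusted Root store yet." }

# The auto-enrolled Computer certificate: issued by our CA, Client Authentication EKU, not expired.
$machineCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$caName*" -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' }

if ($machineCert) {
    $machineCert | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
} else {
    Write-Warning 'No auto-enrolled machine certificate found; check the GPO link and Security Filtering.'
}
```

If no certificate appears, confirm that computer accounts can read and apply the GPO: the Security Filtering step above grants it to Domain Users, and computer accounts are not members of that group (they are covered by Authenticated Users or Domain Computers).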

Configuring your Unifi Controller and Wireless SSID to use Windows RADIUS Server.

We finally made it to the last few steps which are to configure the Unifi Controller and a Wireless SSID to use the Windows RADIUS Server. 

  1. Log into your Unifi Controller. Locate and click the gear icon and then click Advanced Features.
  2. Scroll down and locate the RADIUS section. Now click on Add RADIUS Profile.
  3. To keep it simple I am going to name this RADIUS profile after my server name.
  4. Scroll down until you find RADIUS Settings and select the expand arrow button.
  5. Here you will add your RADIUS server's static IP address and the Shared Secret you wrote down when configuring the Unifi devices in the Network Policy Server. Keep the ports the same for both Authentication Servers and RADIUS Accounting Servers. Once done, click the Apply Changes button.
  6. Now we will move forward with configuring a new wireless SSID. Locate and click on WiFi in the Unifi Controller.
  7. Locate the WiFi section and click the Add New WiFi Network button.
  8. Name your SSID. Select your internal network from the dropdown and then expand the Advanced tab by clicking the dropdown arrow.
  9. Scroll down until you find the Security section and expand it by clicking the dropdown arrow.
  10. Here you will first select your security protocol, WPA2 Enterprise. Afterwards, under RADIUS Profile, select from the dropdown the profile you recently named and created. Select PMF is Required and finally click the Apply Changes button.

That was exciting! We are finally finished. Your Unifi wireless access points should now be transmitting an SSID. To connect to this SSID you will have to use your domain username and password. Go ahead and give it a shot.
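When the first connection attempt fails, the RADIUS server's own audit log says why. The script below, an added example that is not part of the original tutorial, reads the NPS access-granted (6272) and access-denied (6273) events from the Security log on the RADIUS server and summarises the denials by reason; the provider name used for the System-log query is assumed.

```powershell
# Added example (not from the original tutorial): pulls the last 24 hours of NPS
# authentication results from the RADIUS server's Security log, so a client's
# "failed to connect" can be traced to a reason (wrong group, bad credentials, EAP/cert
# problem) rather than guessed at. Run from an elevated session on the NPS server.
# NPS logs event 6272 (access granted) and 6273 (access denied) with the fields read below.
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = if ($e.Id -eq 6272) { 'Granted' } else { 'DENIED' }
        User       = $data['FullyQualifiedSubjectUserName']
        ClientMAC  = $data['CallingStationID']   # the wireless client (supplicant)
        AccessPt   = $data['ClientName']         # friendly name of the RADIUS client (AP) in NPS
        Policy     = $data['NetworkPolicyName']  # should be the Secure Wireless policy from the wizard
        EAP        = $data['EAPType']
        ReasonCode = $data['ReasonCode']         # empty on 6272 (granted)
        Reason     = $data['Reason']
    }
}
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Denials grouped by reason: one code repeated across many users usually points at the
# setup (policy, group membership, certificate); one user alone at that account's credentials.
$rows | Where-Object Result -eq 'DENIED' |
    Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Reason'; e = { $_.Group[0].Reason } }

# Requests from an IP that is not a registered RADIUS client, or whose shared secret does
# not match, never produce a 6273; NPS records those in the System log instead.
# ProviderName 'NPS' is an assumption for that source; adjust it if your log shows another.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; StartTime = (Get-Date).AddHours(-24) } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```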

How To Auto Deploy RADIUS WiFi With Group Policy

Windows devices can’t connect to RADIUS 802.1X Wifi

Advanced VPN Configuration: How to configure Windows Server and UDM-PRO UniFi Controller for RADIUS VPN access

I hope this article was helpful, if you have any questions, please feel free to contact me. If you would like to be notified of when I create a new post, you can subscribe to my blog alert.

46 Comments

  1. Hi there

    I would like to know if you have to add all your devices to the NPS? With the Aruba Virtual Controller I only had to add the controller's IP to the NPS.

  2. Hi Patrick, I was just referring to the Aruba Controller, but the rest is on the UniFi Controller settings for NPS.

  3. Hi Patrick

    Great walkthrough!! I am following it now and have a question: in my deployment there is a secondary site with a different subnet for the switches/APs. There is a site-to-site link, but will I need to add NPS, RADIUS and CA on the DC at the remote site?

    Thanks

    1. Hello Marc,

      If you have a site-to-site VPN you will just need to point the settings to the existing servers. Make sure your firewall isn't dropping its packets. You may need to allow traffic for the IPs of those servers over the VPN.

      1. Hi Patrick,

        Thanks for the great tutorial. Regarding remote site, does it mean that I should not install the NPS and CA? What do you mean by pointing settings to the existing servers which I assume is the main site?

        Thanks in advance

  4. I’m afraid this will not work for Android 11 and above devices as you cannot bypass the “do not verify” anymore. Maybe certificates have to be converted?

  5. Thanks Patrick – this works perfectly for Windows 11, but we can't seem to get any Windows 10 devices to connect – it just keeps saying 'unable to connect'. Would you have any advice on this? Thanks in advance.

  6. Thanks for the tutorial. It works great with my domain computers. Do you know how I would connect iPhones which are not part of the domain?

    1. I am not sure with iPhones, do you have the option to “Do not validate” certificate? You can also try adding the Mac Address in the user AD account the “Verify Caller-Id:” field on the Dial-In tab in Active Directory. The other option is to transfer the certificate to the phone.

  7. Hi Patrick
    I have a question for you. I have an Aruba wifi authentication with RADIUS and AD, but I want to deny devices that do not join the domain. How do I configure it? Can you help me?
    Thank you so much

  8. Hi Patrick,

    Thank you for excellent explanation.

    Please, can I use Windows Server 2016 and an on-prem UniFi 7.3.7 version to implement this?

  9. Hello Patrick! Thanks for a very good article. Please help me: I want to enter the ID address of the students into the AD, so that when they connect from their devices, they would click on Wi-Fi and be asked for an ID number instead of a password, and after they enter their ID, there would be a connection to Wi-Fi. How can I do it?

  10. Hello again. I set up everything as you described, but when I connect to the access point and type in the username and password from my domain, it says failed to connect. What could be the problem? Please help. If you have time I can open remote access to my Active Directory! THANKS!

  11. Great content, I wish I had seen it before; that would have helped a lot. It works in my situation but I found one pitfall. All my APs and switches are on the same management subnet. For the Wi-Fi I created a separate network. RADIUS is now working like a charm, but all clients are connecting to the management subnet. Is this normal behaviour or can this be changed?
    If I reconfigure the same Wi-Fi with WPA2, the clients are connecting to the Wi-Fi network.

  12. Great explanation! Is there a way to use the cert to authenticate instead of AD credentials? I would like to limit the devices able to connect to ones with a certificate we deploy via GPO and no need for them to put in username and password. We have over 200 devices that would have to connect and I’m not thrilled about using mac filtering.

    1. Depends, it could be the DNS set on the wifi not pushing the DC DNS to the clients, or the server is blocking the wifi VLAN if it is not in the same LAN as the DC, or the DC LAN cannot see the wifi VLAN / vice versa.

  13. Hi Patrick
    Very good tutorial, thank you. Do you know if it is possible to use the same RADIUS to validate a different Domain Group for a specific SSID?
    Thanks

  14. Very nice walkthrough, I have one issue – devices such as iPhones don't connect. Any idea?

  15. Hi, I have almost set it up. I have 24 APs controlled by a UDM Pro; do I need to add all of my APs' IP addresses as RADIUS clients?

  16. Hello Patrick,
    We have a deployment using the RADIUS server on the Dream Machine Pro only. Do you have any suggestion so that we only require one user account per single device to join the wifi SSID? Actually we can use the same user and password to connect many devices. We would like to restrict one user account to a single device. Is this possible? We have not deployed a RADIUS in Windows Server.
    Kindly advise.
    Thank you

  17. Hello Patrick,

    If I am running my APs and controller through a “Third Party Gateway” can I still set up and run WPA-2 Enterprise? I followed the tutorial and have exhausted most of my additional troubleshooting

    1. Hello Billy,
      You can, by exposing the RADIUS port for traffic; however, you will want to only allow specific incoming IPs to the port and do NOT expose it to the entire WAN. The best route would be to use a VPN from the 3rd party controller to your network that has the RADIUS server.

  18. Hello Patrick,

    Thanks for the GREAT tutorial... works like a charm.
    I have a question for you:
    We have 3 different sites (different countries) with different domains in the forest (two-way trust).

    I want to achieve that if a user from domain abc.def were to come to our location's domain ghi.jkl, he would still be able to log in with the credentials from his domain (abc.def).
    Can we somehow group the NPS servers from each location and be able to log in via RADIUS at all three locations with his home account?

    Thanks for tips!

    1. 1. Establish Two-Way Trusts: Since you have different domains in a forest and you mentioned two-way trusts, ensure that these trusts are correctly configured and working. This allows users from one domain to be authenticated in another domain.
       2. Configure NPS Servers: Each domain should have its own NPS servers. Configure these NPS servers to handle RADIUS authentication requests. The NPS servers in each domain will be responsible for processing the authentication requests of users from their respective domains.
       3. Cross-Domain RADIUS Configuration:
         • Configure each NPS server to recognize the RADIUS clients (like VPN servers, wireless access points, etc.) from other domains. This might involve adding RADIUS clients in the NPS configuration and specifying shared secrets for each.
         • Ensure that the NPS servers in each domain are configured to forward authentication requests to the correct domain. This can be done by setting up connection request policies that identify where a user account is located based on the domain suffix or other attributes and forward the request to the appropriate domain for authentication.
       4. Grouping NPS Servers: For easier management, you can group NPS servers using Remote RADIUS Server Groups. This allows you to configure multiple NPS servers to provide fault tolerance and load balancing.

  19. Hello Patrick,

    Great tutorial Thanks you.

    Just a question. I already have certificate services running on my AD.

    Do I need to install one on the RADIUS server or not?

    Thx for your answer

    1. If you already have Certificate Services running on your Active Directory (AD), you might not need to install a separate one on the RADIUS server, depending on your specific setup and if it provides shared certificate services.

  20. I found the solution: I installed an AD CS service but specified that this one is a secondary certification server (Subordinate CA).

    And it all works for me 😉

    Thanks !

  21. Hey Patrick,

    With Android 11 or above you can't connect to those WPA2 Enterprise networks because you can't select that you don't want to validate the certificate in the WLAN options on your phone. So I wanted to create an open hotspot with RADIUS auth, but I don't get it running. I set up everything but always get error messages () when trying to enter credentials in the portal. I'd love to see if you'd create a sheet for a hotspot.

    Thanks 😀
