In this tutorial you will be shown how to configure the Unifi Controller and Windows Server for RADIUS Wifi access. Why is this useful? Because it allows us to simply disable a user account in Active Directory after a termination, and the former employee no longer has Wifi access. This saves Tech Support from having to change the Wifi password every time an employee is terminated.
Prerequisites for this tutorial.
- Internal Unifi Controller, I myself am using a UDM-PRO for that function.
- You can use a Cloud Hosted Unifi Controller, but you will need to open the RADIUS ports on your firewall's WAN. Your network firewall should be configured to allow incoming traffic to the RADIUS ports only from your hosted Unifi Controller's IP address.
- Your Unifi equipment should be assigned static IP addresses outside your DHCP scope. Once done, write down the IP addresses alongside each device's model or unique name.
- Stand up a new physical or virtual server with Windows Server 2019.
- I called my new virtual server HDN-RADIUS: 1 vCPU, 4 GB RAM, 60 GB HDD.
- Install all updates on the new RADIUS server.
- Assign a static IP address.
- Join the new RADIUS server to the domain.
- At this point create a Backup or a Virtual Snapshot before moving forward with the tutorial.
- I am a firm believer in keeping the AD/DC server clean, so do not configure these roles on that server.
Let's get started with installing the required Windows Server Roles!
We will be starting with the newly created Windows Server 2019 and installing the roles we need for RADIUS to work with your Unifi Controller and its Wifi access points.
- Open your Windows Server Manager > Click Manage > Click Add Roles and Features.
- Click Next until you reach Server Roles. Enable the following:
- Active Directory Certificate Services
- Network Policy and Access Services
- Remote Access
- Once the items are selected and the prerequisites are approved, click Next until you reach AD CS / Role Services.
- Under Role Services select Certification Authority and click Next.
- Now within Remote Access and Role Services, select DirectAccess and VPN (RAS) and click Next.
- Now click Next all the way through, then Install the roles and wait until you receive the message that all your roles were installed successfully. Once successful, you can close the window.
Let's open up the firewall ports needed.
Here we are going to open the firewall port that RADIUS needs in order to work with the Unifi Controller.
- From the RADIUS server search for Advanced in the task bar search menu and select Windows Defender Firewall with Advanced Security.
- Locate Inbound Rules > Right Click Inbound Rules > Select New Rule…
- Select Port and click Next.
- Select UDP and, under Specific local ports, enter the port you want opened, which is 1812. Then click Next.
- Select Allow the connection and click Next.
- Check Domain, Private and Public. Afterwards click Next.
- Give your rule a name; I used Radius UDP 1812. Afterwards click Finish.
Let's Configure Active Directory Certificate Services
We are making progress. Here we will configure Active Directory Certificate Services, which is needed for the desktops / laptops that connect to the RADIUS Wifi.
- Open up Windows Server Manager. Click on the flag and then locate Configure Active Directory Certificate Services.
- Under Credentials you will want to specify a Domain Admin account, then click Next.
- Within Role Services check the box for Certification Authority and click Next.
- For Setup Type we will want to select the radio button for Enterprise CA, then click Next.
- Within CA Type select the radio button for Root CA and click Next.
- For Private Key we will be providing our own key so we can document it and have it handy. Select the radio button for Create a new private key and then click Next.
- Under Cryptography the defaults can stand as is. Go ahead and click Next.
- Double check your CA Name settings. They should be similar to mine, apart from the domain name and server name that I am using of course. Afterwards click Next.
- Under Validity Period you can set your certificate to expire whenever you like. However, my personal preference is 100 years so we do not have to bother with certificate expirations any time soon. Afterwards click Next.
- In the Certificate Database section, leave these paths as they are and click Next.
- Review the Confirmation and select the Configure button.
- Once configured, your Results should say Configuration Succeeded. Afterwards click Close; we are done with the certificate creation.
Let's configure our Network Policy Server
Here we will configure the security policies required for our Unifi Controller and Wifi equipment to communicate with the RADIUS server and the Active Directory / Domain Controller.
- Open Windows Server Manager, click Tools > Select Network Policy Server.
- Now that Network Policy Server is open, click on NPS (Local). You should now see the option to change your Standard Configuration; from the dropdown select RADIUS server for 802.1X Wireless or Wired Connections. Move forward by clicking Configure 802.1X.
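For those who prefer scripting, here is the same server preparation (the roles from the first section, the UDP 1812 firewall rule, and the Enterprise Root CA) as a single PowerShell script. This is an added example, not part of the original tutorial; the device addresses, rule name and CA common name are placeholders to adjust, and the firewall rule is restricted to the Unifi device addresses, which is tighter than the GUI rule above.

```powershell
# Added example: scripted equivalent of the three GUI sections above.
# Run in an elevated PowerShell session on the RADIUS server (HDN-RADIUS in the tutorial).

# 1. Roles: AD CS Certification Authority, Network Policy Server, Remote Access (DirectAccess and VPN).
Install-WindowsFeature -Name ADCS-Cert-Authority, NPAS, RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# 2. Firewall: inbound UDP 1812 for RADIUS authentication on all three profiles, as in the tutorial.
#    Limiting -RemoteAddress to the Unifi devices follows the firewall advice in the prerequisites;
#    the addresses below are placeholders, replace them with your own inventory.
$unifiDevices = @('192.0.2.1', '192.0.2.10', '192.0.2.11')
New-NetFirewallRule -DisplayName 'Radius UDP 1812' -Direction Inbound -Protocol UDP `
    -LocalPort 1812 -RemoteAddress $unifiDevices -Action Allow -Profile Domain, Private, Public

# 3. Enterprise Root CA with a new private key, the default crypto settings of the wizard,
#    and the 100-year validity the tutorial uses. The CA common name is a placeholder.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
    -CACommonName 'EXAMPLE-HDN-RADIUS-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 100 -Force

# Confirm that everything is in place before moving on to the NPS section.
Get-WindowsFeature -Name ADCS-Cert-Authority, NPAS, RemoteAccess, DirectAccess-VPN |
    Select-Object Name, InstallState
Get-NetFirewallRule -DisplayName 'Radius UDP 1812' | Get-NetFirewallPortFilter
certutil -cainfo name
```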
- Once the Configure 802.1X window is open select the Radio button for Secure Wireless Connections. Then click Next.
- You will be prompted with a screen to add your new RADIUS client, and here you will want to refer back to your list of equipment IP addresses and device names.
- For Friendly name use your Unifi equipment's model or unique name.
- For Address use the static IP address you assigned to the equipment.
- Now for Shared Secret, select the radio button for Manual. Type in a strong password and write it down; this password will be used in the Unifi Controller as well. Afterwards click OK.
- You will have to add all your Unifi devices as clients to the RADIUS server; this is what allows authentication between the server and the Unifi devices. Once done adding devices, click Next.
- For Configure an Authentication Method, click on the dropdown and select Microsoft: Protected EAP (PEAP), then click Next.
- Under Specify User Groups I am going to add Domain Users, which allows every domain user to authenticate to RADIUS and access the Unifi wireless SSID. You can also create a security group in your AD server and add only the specific users who should have access. Once you decide on your preference, click Next.
- Everything can remain as is under Configure Traffic Controls, so continue through and click Next.
- On the following window you can click Finish.
- We are almost done with Network Policy Server. We now have to register this new RADIUS server in Active Directory: open Network Policy Server, right click NPS (Local) and from the menu select Register server in Active Directory. Now we are finished with this section!
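The RADIUS client step above can be scripted with the NPS module. This added example (not from the original tutorial) reads a constructed device inventory, generates one shared secret for all devices instead of typing one, registers each device as a client, and registers the server in Active Directory; the PEAP network policy itself is still created with the wizard as described above.

```powershell
# Added example: register every Unifi device as an NPS RADIUS client with one shared secret.
# Run in an elevated PowerShell session on the RADIUS server after the NPS role is installed.
Import-Module NPS

# Constructed inventory; replace with the static IPs and names you wrote down in the prerequisites.
$unifiDevices = @(
    @{ Name = 'UDM-PRO';      Address = '192.0.2.1'  },
    @{ Name = 'U6-LR-Lobby';  Address = '192.0.2.10' },
    @{ Name = 'U6-LR-Floor2'; Address = '192.0.2.11' }
)

# Generate the shared secret rather than inventing one: 32 random bytes as 64 hex characters.
# That is well under the 128-character NPS limit and uses only characters every client UI accepts.
# Record this value; it is what goes into the Unifi RADIUS profile later on.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$sharedSecret = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

foreach ($dev in $unifiDevices) {
    # Skip devices that are already registered so the script can be re-run safely.
    if (Get-NpsRadiusClient | Where-Object Address -eq $dev.Address) {
        Write-Host "Client $($dev.Address) already exists, skipping"
        continue
    }
    New-NpsRadiusClient -Name $dev.Name -Address $dev.Address -SharedSecret $sharedSecret | Out-Null
}

# Equivalent of "Register server in Active Directory" in the NPS console.
netsh nps add registeredserver

# Show what NPS now trusts, and print the secret once so it can be pasted into the Unifi profile.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled
Write-Host "Shared secret for the Unifi RADIUS profile: $sharedSecret"
```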
Let's create a Group Policy on your AD/DC server
Now this may vary depending on everyone's AD configuration. I always have an OU where my users and computers reside, rather than the default locations.
- Log into your AD/DC server and open up Group Policy Management. Right click on the OU where your domain users reside and from the menu select New GPO. Afterwards, name that GPO with an identifiable name; I will be using Radius. Then click the OK button.
- Locate and select your new Radius Policy. Under Security Filtering select the Add button and add Domain Users.
- Right click your new Radius policy and select Edit. Drill down this path: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
- Within Public Key Policies locate Certificate Services Client – Auto-Enrollment. Right click the policy and click Properties.
- In the Certificate Services Client – Auto-Enrollment Properties window, change the Configuration Model to Enabled from the dropdown. Afterwards check both boxes and click the OK button.
- Drill down this path: Computer Configuration > Windows Settings > Security Settings > Public Key Policies. Locate the folder Automatic Certificate Request Settings. Right click it > New > Automatic Certificate Request.
- You will be prompted to start the Wizard, just click Next.
- Select Computer and then click Next.
- Now click Finish. We have now completed the GPO that lets domain desktops and laptops properly obtain a security certificate when they connect to the Unifi wireless SSID.
Configuring your Unifi Controller and Wireless SSID to use the Windows RADIUS Server
We finally made it to the last few steps, which are to configure the Unifi Controller and a wireless SSID to use the Windows RADIUS server.
- Log into your Unifi Controller. Locate and click the Gear Icon and then click Advanced Features.
- Scroll down and locate RADIUS section. Now click on Add RADIUS Profile.
- To keep it simple I am going to name this RADIUS profile after my server name.
- Scroll down until you find RADIUS Settings and select the expand arrow button.
- Here you will add your RADIUS server's static IP address and the Shared Secret you wrote down when adding the Unifi devices as clients in the Network Policy Server. Keep the ports the same for both Authentication Servers and RADIUS Accounting Servers. Once done, click the Apply Changes button.
- Now we will move forward with configuring a new Wireless SSID. Locate and click on WiFi in the Unifi Controller.
- Locate the Wifi Section and click the Add New WiFi Network button.
- Name your SSID. Select your internal network from the dropdown and then expand the Advanced tab by clicking the dropdown arrow.
- Scroll down until you find the Security section and expand it by clicking the dropdown arrow.
- Here you will first select your security protocol, WPA-2 Enterprise. Afterwards, under RADIUS Profile, select from the dropdown the profile you just named and created. Select PMF is Required and finally click the Apply Changes button.
That was exciting! We are finally finished. Your Unifi wireless access points should now be transmitting the SSID. To connect to this SSID you will have to use your domain user name and password. Go ahead and give it a shot.
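To confirm the point made in the introduction, that disabling an account in Active Directory ends its Wifi access, you can read the NPS audit events on the RADIUS server. This added example (not part of the original tutorial) lists recent grants and denials by user and Unifi device; the account name is a placeholder, and the event field names are the ones NPS writes to the Security log on Server 2019.

```powershell
# Added example: audit which users NPS granted or denied wireless access, to verify that a
# disabled AD account really is refused. Run in an elevated PowerShell session on the RADIUS server.
# NPS writes event 6272 (access granted) and 6273 (access denied) to the Security log.

function Get-NpsAuthEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named fields from the event XML rather than regex-parsing the message text.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Result     = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User       = $data['SubjectUserName']
            Client     = $data['ClientName']         # friendly name of the Unifi device in NPS
            ClientIP   = $data['ClientIPAddress']
            Station    = $data['CallingStationID']   # MAC address of the connecting laptop/phone
            Reason     = $data['Reason']
            ReasonCode = $data['ReasonCode']
        }
    }
}

# Everything from the last day, newest first.
Get-NpsAuthEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize

# Check a terminated employee: once the account is disabled in AD, every attempt should show
# Result = Denied with a Reason stating that the account is disabled.
$user = 'jdoe'   # placeholder sAMAccountName
Get-NpsAuthEvents -Hours 72 | Where-Object { $_.User -eq $user } |
    Select-Object Time, Result, Client, Reason

# Denied attempts grouped by device and station: repeated failures from one source stand out.
Get-NpsAuthEvents -Hours 24 | Where-Object Result -eq 'Denied' |
    Group-Object Client, Station | Sort-Object Count -Descending | Select-Object Count, Name
```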