UniFi Tutorials

How to configure Windows Server and UDM-PRO UniFi Controller for RADIUS VPN access

In this tutorial you will be shown how to configure Windows Server and UDM-PRO UniFi Controller for RADIUS VPN access. Why is this useful? Well this allows us to just disable a user account in Active Directory after a termination and the previous employee will no longer have VPN access to the network. This will prevent Tech Support having to manually remove VPN users every time an employee is terminated.

Prerequisites for this tutorial.

  1. Internal Unifi Controller and Firewall, I myself am using a UDM-PRO for that function.
  2. Your Unifi equipment should be assigned static IP addresses outside your DHCP Scope. Once done write down the IP addresses alongside their model or unique name.
  3. Stand up a new physical or virtual server with Windows Server 2019.
    • I called my new virtual server HDN-RADIUS. 1vcpu 4GBram 60GB HDD
    • Install all updates on new Radius server
    • Assign static IP address.
    • Join new Radius server to the domain.
    • At this point create a Backup or a Virtual Snapshot before moving forward with the tutorial.
    • I am a firm believer on keeping AD\DC server clean. So do not configure these roles on that server.

Lets get started with installing the required Windows Server Roles!

We will be starting with the newly created Windows Server 2019 and installing the roles we need for radius to work with your Unifi Controller and RADIUS VPN access.

  1. Open your Windows Server Manager > Click Manage > Click Add Roles and Features.
  2. Click Next until you reach Server Roles. Enable The following.
    • Active Directory Certificate Services
    • Network Policy and Access Services
    • Remote Access
  3. Once the items are selected and the prerequisites are approved click Next until you reach AD CS / Roles Services.
  4. Under Role Services select Certification Authority and click Next.
  5. Now within Remote Access and Role Services, select DirectAccess and VPN (RAS) and click Next.
  6. Now click Next all the way through and then Install the Roles and wait until you receive the message that all your roles are installed successfully. Once successful you can close the window.

 

 

Lets open up the firewall ports needed.

Here we are going to open up the firewall ports that we need for RADIUS to work with the UDM-Pro Unifi Controller.

  1. From the RADIUS server search for Advanced in the task bar search menu and select Windows Defender Firewall with Advanced Security.
  2. Locate Inbound Rules > Right Click Inbound Rules > Select New Rule
  3. Select Port and click Next.
  4. Select UDP and provide the Specific Local Ports you want opened which is Port 1812 and then click Next.
  5. Select Allow the connection and click Next.
  6. Check mark: Domain, Private and Public. Afterwards click Next.
  7. Give your Rule a name, I used Radius UDP 1812. Afterwards click Finish.

 

Lets Configure Active Directory Certificate Services

We are making progress. Here we will be configuring Active Directory Certificate Services, this will be needed for the for your devices to be able to authenticate with the RADIUS Server

  1. Open up Window Server Manager. Click on the Flag and then locate Configure Active Directory Certificate Services.
  2. Under Credentials you will want to specify a Domain Admin Account, then click Next
  3. Within Role Services check the box for Certification Authority and click Next
  4. For Setup Type we will want to select the radio button for Enterprise CA, then click Next.
  5. Within CA Type select the radio button for Root CA and click Next.
  6. For Private Key we will be providing our own key so we can document it and have it handy. Select the radio button for Create a new private key and then click Next.
  7. Under Cryptography the defaults can stand as is. Go ahead and click Next.
  8. Double check your CA Name Settings. They should be similar to mine besides the domain name and server name that I am using of course. Afterwards click Next.
  9. Under Validity Period you can set your certificate to expire whenever. However my personal preference is 100 years so we do not have to bother with certificate expirations any time soon. Afterwards click Next.
  10. In Certificate Database section leave these paths the same and click Next.
  11. Review the Confirmation and select the Configure button.
  12. Once configured your Results should be Configuration Succeeded. Afterwards click close and we are done with the certification creation.

Lets configure our Network Policy Server

Here we will be configuring the security policies required for our Unifi Controller and our UDM-Pro Firewall to communicate with the Radius server and Active Directory / Domain Controller to allow those VPN connections.

  1. Open Windows Server Manager click Tools > Select Network Policy Server.
  2. Now that we have Network Policy Server window opened. Locate and Right Click on RADIUS Clients, followed by clicking on New to add a new client.
  3. Here with the window New RADIUS Client , you will want to refer back to your list of equipment’s IP Addresses and Device Names.
    • Friendly name use your UDM-Pro Equipment’s unique name.
    • For Address use the assigned static IP address of your firewall
    • Now for Shared Secret, select the radio button for Manual. Type in a strong password and write it down. This password will be used in the UDM-Pro’s Unifi Controller as well and then click OK. 
  4. Now back on the Network Policy Server window Locate Policies and expand that to reveal Connection Request Policies. Right Click that and then click New
  5. Once the new Connection Request Policy window is open type in a policy name. I will be using UniFi VPN Access. Afterwards click Next.
  6.   On this next step click on the Add.. button.
  7.   Now with the selection for a condition window is open. Locate and click on Client Friendly Name. Then click Add… 
  8.   With this next step type in the hostname of your appliance, in my case for me it is UDMPRO. Then click on OK.
  9.  Now you should be back to The New Connection Request Policy window and click Next 4 times bypassing all the other prompts until you see the Finish button. Click on Finish.
  10. You should be back on the Network Policy Server window. Locate Network Policies under Policies. Right Click Network Policies and then click New.

  11.   In the New Network Policy window. Type in your Policy Name and then click Next.
  12.   Now your going to click the Add Button to specify a Condition. 
  13. The condition we will be selecting is User Groups and applying Domain Users. Now you can specify a new group that you created yourself just for VPN users as well.  
  14.   Now that my VPN users group is added click Next.
  15. Keep Access granted selected and click Next.

  16.   On the next window Make sure that we have the follow checked and then click Next all the way to the end and then click Finish.
  17.  We are almost done with Network Policy Server. We will now have to register this new RADIUS server with Active Directory. Open Network Policy Server, right click on NPS (Local) and from the menu select Register server in Active Directory. Now we are finished with this section!

Configuring your UniFi Controller and UDM-Pro Network to use Windows RADIUS Server for VPN Access.

We finally made it to the last few steps which are to configure the UniFi Controller and UDM-Pro network for Windows RADIUS Server VPN access. 

  1. Log into your Unifi Controller. Locate and click the Gear Icon and then click Advanced Features
  2. Scroll down and locate RADIUS section. Now click on Add RADIUS Profile

  3. To keep it simple I am group to name this RADIUS profile as my server name. 
  4. Scroll down until you find RADIUS Settings and select the expand arrow button.
  5. Here you will add your RADIUS server’s static IP address and the Shared Secret you wrote down when configuring the Unifi Devices in the Network Policy Server. Keep the ports the same for both Authentication Servers and RADIUS Accounting Servers. Once done click Apply Changes button.
  6. Now we will move forward with configuring Unifi VPN Access. Locate and click on Networks in the UDM-Pro Unifi Controller. 
  7.  Click on Add New Network Button.
  8. Name your new VPN network. I’m calling it RADIUS VPN Access. Locate the section called Virtual Private Network [VPN] and click on the arrow dropdown. Select Advanced for VPN Setup followed by clicking on Remote Access to reveal additional setting options. 
  9.  Now we are going to review and apply some setting changes for this VPN Access. Make sure to generate a strong pre shared secret, you will not need this for future vpn access. Select the Wan IP address to use for your incoming VPN access. Scroll down to User Access and change the User Access List [RADIUS Profile] from default to the Radius VPN Profile you created. 

  10.  Scroll down and expand the section for Advanced. For your internal VPN Subnet, click Auto Generate for new address range for your VPN users. Afterwards locate and select, Require Strong Authentication.  Then we can finally click on the Add Network button to complete the entire setup.

That was exciting! We are finally finished. On your windows computer create a new VPN connection pointing to your Unifi Firewalls Wan IP and you will be prompted to type in your domain username and password. 

How To Configure your Unifi Controller to use Windows RADIUS for Wireless Access

I hope this article was helpful, if you have any questions, please feel free to contact me. If you would like to be notified of when I create a new post, you can subscribe to my blog alert.


Discover more from Patrick Domingues

Subscribe to get the latest posts sent to your email.

author avatar
Patrick Domingues

6 Comments

  1. How does the certificate authority play within the RADIUS authentication profile? Do the endpoints need a machine certificate or simply need the root certificate installed in the root store?

  2. Hi patrick,
    i’ve followed your guide on my setup (winserver 2019 as AD and UDM-PRO) but i’ve a problem to connecton from windows 10 clients.
    1) my UDM-PRO is updated with the network app 7.2.95 with a newer interface than you have screnshotted on your guide
    2) my UDM-PRO has configured a VPN site-to-site from early 2021 an is working very good, same as the AD
    3) my UDP-PRO has client VPN access configured with user-passwords but i want to integrate with AD

    My questions:
    A) Could you please share the correct and exact settings to put in win10 vpn client? is L2TP with certificate? With this windows say “security level found and elaboration error during the negations”
    B) could you please share if the default UDM-PRO RADIUS PROFILE should be enabled and not paused (the entering the profile says “radius server”) and if the shared key should be the same as the NPS shared key?

    Thanks in advance

    1. Hello Fabio,

      There have been some changes on the UDM-Pro since the creation of this tutorial. Switch into classic mode and select Enable RADIUS assigned VLAN for wired network. Enter NPS information and password.
      Enter – RADIUS Auth Server
      Enable – Accounting
      Enable – Interim Update
      Enter – RADIUS Accounting Server

      Direct yourself to Networks find your VPN Server and make sure your NPS radius profile is selected with Require MS-CHAP v2 selected.

      I actually setup the windows 10 vpn as automatically select connection it does use l2tp with certificate. Authentication uses EAP-maschapv2 with with the checkbox selected Microsoft CHAP version 2. Regardless of these manual settings you should be able to just select vpn type as automatic, sign in type username and password.

  3. Could you provide information for the AD CS element if you have already been running CA for an internal series of certificates?
    I am unable to launch the original AD CS post installation configuration wizard to setup the RADIUS certificate.

  4. Patrick,
    Thank you for sharing this valuable knowledge (which I CANNOT find anywhere else).
    I’m on UniFi OS UDM 3.0.13 and Network 7.3.76.
    Networks version 7.3.76 has made some changes to setting up New Networks.
    RADIUS is now found under “Profiles” near the bottom.
    VPN is not found anywhere on the “New Network” page.
    I switched to “Legacy View” and was able to complete Step 8.
    Step 9 and after are not to be found.

Leave a Comment

Stay Informed

Receive instant notifications when new content is released.