UniFi

Last updated 3 months ago


RADIUS over TLS (RadSec) is available in UniFi Network 8.4 and newer versions. Make sure your controller and network devices are up to date before following this guide.

Customers have reported delays between activating the RadSec feature on the UniFi Dashboard and it becoming functional.

Prepare certificates

To establish a valid RadSec connection, your Access Points must trust the RADIUS Server Certificate and your RADIUS server must trust your RadSec Client Certificate. To achieve this:

  1. Download the root certificate of the CA that has issued your active RADIUS Server Certificate as described in the documentation. In this example, SCEPman is used as the root CA and has issued the RADIUS Server Certificate, so we download the root CA certificate from the SCEPman portal. Afterwards, convert the certificate to Base-64. This can be done with the Windows Certificate Export Wizard, OpenSSL or other tools.

  2. Create a RadSec Client Certificate for your access points. If you are using SCEPman Certificate Master, the process is described in its documentation. In this example, we generate a certificate in PEM format. Note down the password, as it is needed later.

  3. Split the generated certificate into the private key (named "priv.key" in this example) and the certificate (named "clientcert.cer"). This can be easily done via a text editor.

  4. Add the root certificate of the CA that has issued the RadSec Client Certificate to your RADIUS instance as described in the documentation and select RadSec under Use for. If the RadSec Client Certificate has been issued by SCEPman (as in this example) and you already trust the SCEPman Root CA for client authentication, simply edit the trusted SCEPman Root CA certificate and select Both under Use for.
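Steps 1 and 3 can also be scripted instead of done by hand. The script below is an added example, not part of the original guide or of any RADIUSaaS or UniFi tooling; it goes one step further than the guide by checking that the split key actually belongs to the split certificate before you upload them. It assumes OpenSSL and awk are installed and that the key password is supplied in an environment variable named RADSEC_KEY_PASS (a name chosen for this example).

```shell
#!/usr/bin/env bash
# Added example, not RADIUSaaS or UniFi code. priv.key and clientcert.cer are the
# guide's names; other file names and the RADSEC_KEY_PASS variable are assumptions.

# Step 1: convert a DER-encoded root CA certificate to Base-64 (PEM).
der_to_pem() {  # der_to_pem <root.der> <root.pem>
  openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Step 3: split a PEM bundle into private key and certificate(s). Text outside
# the BEGIN/END markers (for example "Bag Attributes" lines) is dropped.
split_pem() {  # split_pem <bundle.pem> <key-out> <cert-out>
  ( umask 077  # create the key file readable by its owner only
    awk '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/' "$1" > "$2" )
  chmod 600 "$2"
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$1" > "$3"
  [ -s "$2" ] || { echo "no private key found in $1" >&2; return 1; }
  [ -s "$3" ] || { echo "no certificate found in $1" >&2; return 1; }
}

# Check that the split key belongs to the split certificate by comparing the
# public keys. The key password is read from the environment, not from argv.
key_matches_cert() {  # key_matches_cert <priv.key> <clientcert.cer>
  local from_key from_cert
  from_key=$(openssl pkey -in "$1" -passin env:RADSEC_KEY_PASS -pubout) || return 1
  from_cert=$(openssl x509 -in "$2" -noout -pubkey) || return 1
  [ "$from_key" = "$from_cert" ]
}

# Constructed sample input: a throwaway self-signed certificate and encrypted
# key, concatenated into one PEM file with a stray attribute line on top.
make_sample_bundle() {  # make_sample_bundle <dir>
  export RADSEC_KEY_PASS='constructed-example-password'
  openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=constructed-radsec-client' \
    -keyout "$1/k.pem" -passout env:RADSEC_KEY_PASS -out "$1/c.pem" 2>/dev/null || return 1
  { echo 'Bag Attributes'; cat "$1/k.pem" "$1/c.pem"; } > "$1/bundle.pem"
}

# ./prepare-radsec.sh bundle.pem  -> writes priv.key and clientcert.cer
# ./prepare-radsec.sh --sample    -> same flow on the constructed sample
if [ "$1" = "--sample" ]; then
  tmp=$(mktemp -d) && make_sample_bundle "$tmp" && cd "$tmp" && set -- bundle.pem || exit 1
fi
if [ -n "$1" ]; then
  split_pem "$1" priv.key clientcert.cer && key_matches_cert priv.key clientcert.cer \
    && echo "priv.key matches clientcert.cer"
fi
```

Delete any intermediate copies of the PEM bundle once priv.key and clientcert.cer have been uploaded, since the bundle contains the private key.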

UniFi configuration

The settings below are required to establish a functional RadSec connection with our service. Configure any other settings at your discretion.

  1. Navigate to your UniFi Network controller and open Settings > Profiles > RADIUS.

  2. Create a new profile or update an existing one.

  3. Fill in the required information:

    1. RADIUS Assigned VLAN Support: optional / if needed

    2. RADIUS Settings:

      1. TLS: Enable the checkbox.

      2. Authentication Servers:
         - Server IP Address/es: Provide the IP address of your RadSec service endpoint.
         - Port: 2083
         - Shared Secret: radsec

      3. Client Certificate: Upload the RadSec Client Certificate (obtained from step 3 under Prepare certificates).

      4. Private Key: Upload the private key of your RadSec Client Certificate (obtained from step 3 under Prepare certificates).

      5. Private Key Password: as noted down.

      6. CA Certificate: Upload the root certificate of the CA that has issued your RADIUS Server Certificate (obtained from step 1 under Prepare certificates).

      7. Accounting: Enable the checkbox.

      8. RADIUS Accounting Server:
         - Server IP Address/es: Provide the IP address of your RadSec service endpoint.
         - Port: 2083
         - Shared Secret: radsec

      9. Interim Update Interval: optional / if needed

  4. Assign this profile to the desired WiFi profile.

Give your Access Points some time to apply the new configuration.

Reference: UniFi Help Center

UniFi Gateway - Configuring a RADIUS Server