# UniFi

{% hint style="info" %}
RADIUS over TLS (RadSec) is available in **UniFi Network 8.4** and newer versions. Make sure your controller and network devices are **up to date** before following this guide.
{% endhint %}

{% hint style="warning" %}
Customers have reported **delays** between activating the RadSec feature in the UniFi dashboard and the feature becoming functional.
{% endhint %}

## Prepare certificates

To establish a valid RadSec connection, your Access Points must trust the **RADIUS Server Certificate** and your RADIUS server must trust your **RadSec Client Certificate**. To achieve this:

1. Download the root certificate of the CA that has issued your active **RADIUS Server Certificate** as described [here](/admin-portal/settings/settings-server.md#download).\
   In this example SCEPman is used as Root CA and has issued the RADIUS server certificate. So, we download the root CA certificate from SCEPman portal:\
   \
   ![](/files/tAjUWLvKCPuOW2AdK2Hk)\
   Afterwards, please convert your certificate to Base-64. This can be easily done via Windows Certificate Export Wizard, OpenSSL or other tools:<br>

   <figure><img src="/files/wCApjeH4WorqBlQNEOZL" alt=""><figcaption></figcaption></figure>
2. Create a **RadSec Client Certificate** for your access points. If you are using **SCEPman Certificate Master**, the process is described [here](https://docs.scepman.com/certificate-deployment/certificate-master/client-certificate-pkcs-12).\
   In this example we generate a certificate in the "PEM" format. Note down the password, as it is needed later.<br>

   <figure><img src="/files/okreyNHPTkEPBFEzD7ef" alt=""><figcaption></figcaption></figure>
3. Split the generated certificate into the private key (named "priv.key" in this example) and the certificate (named "clientcert.cer"). This can be easily done via a text editor:<br>

   <figure><img src="/files/RUOBDjngI1sZeSHHeRVE" alt=""><figcaption></figcaption></figure>
4. Add the root certificate of the CA that has issued the **RadSec Client Certificate** to your RADIUS instance as described [here](/admin-portal/settings/trusted-roots.md#add) and select **RadSec** under **Use for**.\
   If the **RadSec Client Certificate** has been issued by SCEPman (as in this example) and you already trust the SCEPman Root CA for client authentication, simply edit the trusted SCEPman Root CA certificate and select **Both** under **Use for**:<br>

   <figure><img src="/files/mCgdLwsZO06WgDHJ2fC1" alt=""><figcaption></figcaption></figure>
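
Step 3 can also be scripted instead of done in a text editor. The following is an added example, not part of the original guide: the function names and the sample bundle are hypothetical, and it assumes the downloaded PEM file holds one private key block with the client certificate as its first `CERTIFICATE` block.

```shell
#!/bin/sh
# Added example: split a PEM bundle into priv.key and clientcert.cer.
# Assumption: the first CERTIFICATE block is the client certificate;
# any further CERTIFICATE blocks are CA certificates and are left out.
split_pem() (
    bundle=$1; outdir=${2:-.}
    umask 077   # new files readable by the owner only (subshell-local)
    # Private key: the block whose header ends in "PRIVATE KEY-----".
    awk '/^-----BEGIN .*PRIVATE KEY-----/ {k=1}
         k {print}
         /^-----END .*PRIVATE KEY-----/ {k=0}' "$bundle" > "$outdir/priv.key"
    # Client certificate: only the first CERTIFICATE block.
    awk '/^-----BEGIN CERTIFICATE-----/ && !seen {c=1}
         c {print}
         /^-----END CERTIFICATE-----/ && c {c=0; seen=1}' "$bundle" > "$outdir/clientcert.cer"
    [ -s "$outdir/priv.key" ] && [ -s "$outdir/clientcert.cer" ]
)

# True if the key block is password-protected (PKCS#8 or legacy PEM encryption).
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Requires openssl; prompts for the key password. True if the private key
# and the certificate carry the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$kpub" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Constructed sample bundle (placeholder base64, not real key material).
make_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: constructed-sample
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
EOF
}
```

Run `split_pem` on the downloaded file, then `key_matches_cert priv.key clientcert.cer` to confirm the pair belongs together before uploading both to the controller.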

## UniFi configuration

{% hint style="info" %}
The settings below are required to establish a functional RadSec connection with our service. Configure any other settings at your discretion.
{% endhint %}

1. Navigate to your UniFi Network controller and open **Settings > Profiles > RADIUS**.
2. Create a new profile or update an existing one:<br>

   <figure><img src="/files/hMzXCQoYIwqWAYDvvfJB" alt=""><figcaption></figcaption></figure>
3. Fill in the required information:
   1. **RADIUS Assigned VLAN Support**: optional / if needed
   2. **RADIUS Settings**:
      1. **TLS**: Enable the checkbox.
      2. **Authentication Servers**:\
         \- **Server IP Address/es**: Provide the IP address of your [RadSec service endpoint](/admin-portal/settings/settings-server.md#properties).\
         \- **Port**: 2083.\
         \- **Shared Secret**: `radsec`.
      3. **Client Certificate**: Upload the **RadSec Client Certificate** (obtained from step 3 [here](#prepare-certificates)).
      4. **Private Key**: Upload the private key of your **RadSec Client Certificate** (obtained from step 3 [here](#prepare-certificates)).
      5. **Private Key Password**: as noted down.
      6. **CA Certificate**: Upload the Root certificate of the CA that has issued your **RADIUS Server Certificate** (obtained from step 1 [here](#prepare-certificates)).
      7. **Accounting**: Enable the checkbox.
      8. **RADIUS Accounting Server**:\
         \- **Server IP Address/es**: Provide the IP address of your [RadSec service endpoint](/admin-portal/settings/settings-server.md#properties).\
         \- **Port**: 2083\
         \- **Shared Secret**: `radsec`
      9. **Interim Update Interval**: optional / if needed<br>

         <figure><img src="/files/03D0itheastGjvfnu2Hc" alt=""><figcaption></figcaption></figure>
4. Assign this profile to the desired WiFi profile:<br>

   <figure><img src="/files/USqPiZSNFWcOdCrx1c0v" alt=""><figcaption></figcaption></figure>
5. Give your Access Points some time to apply the new configuration:\
   \
   ![](/files/CMCTBwZXYw7azez5f93J)

### Reference: UniFi Help Center

[UniFi Gateway - Configuring a RADIUS Server](https://help.ui.com/hc/en-us/articles/360015268353-UniFi-Gateway-Configuring-a-RADIUS-Server)

