RADIUS MAC Authentication with Ubiquiti Unifi Access Points

Introduction

This guide describes how devices are authenticated by their physical Media Access Control (MAC) addresses. Once the network access device (a switch, or in this guide a Unifi access point) learns the source MAC address of a connecting device, it generates a RADIUS Access-Request message with that MAC address as the identity and sends it to the RADIUS server. The RADIUS server performs the MAC authentication when it receives the Access-Request message.

The RADIUS authentication server determines whether to grant access to the user/device and specifies the level of access the client should receive. After making this decision, the RADIUS server transmits an Access-Accept (or an Access-Reject), and on acceptance the user/machine is allowed onto the network.

If you are interested in setting up EAP-TLS Authentication, you can find the relevant instructions and resources at the following link: How to Set Up Passwordless RADIUS Authentication with an Ubiquiti Unifi Access Point

Creating a Core Provider in SecureW2

Core Providers manage digital identities that help organizations to authenticate their users or employees and grant or revoke access permissions as needed. Follow the steps below to create a Core Provider in the JoinNow Management Portal and configure it for MAC Authentication:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Integration Hub > Core Platforms.
  3. Click Add.
  4. In the Name and Description fields, enter a suitable name and description for your core provider.
  5. From the Type drop-down list, select MAC Authentication.

  6. Click Save.
  7. The page refreshes and displays the Configuration and Groups tabs.
  8. Select the Groups tab.
  9. Click Add group.

  10. On the displayed pop-up window, in the Name field, enter a name for your group.
  11. In the Description field, enter a suitable description for your group.
  12. Click Save.
  13. Select the Configuration tab.
  14. Click Add Device.
  15. On the displayed pop-up window, in the MAC Address field, enter the MAC address of the device that you want to authenticate.
  16. From the Group Name drop-down list, select the group name you created earlier.
  17. In the Description field, enter a suitable description for your device.

  18. Click Save.
  19. Click Update.

Policy Management

JoinNow Management offers policy-based management to facilitate VLAN-based segmentation. Two policies need to be configured, a Policy Workflow and a Network Policy, as described in the following sections.

Creating a Policy Workflow

A Policy Workflow grants a user access to defined resources. To create a policy workflow, perform the following steps:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Name and Display Description fields, enter a name and a suitable description for your policy workflow.
  4. Click Save.
  5. The page refreshes, and the Conditions tab is displayed. 
  6. Select the Conditions tab.
  7. From the Core Provider drop-down list, select the core provider you created with the MAC Authentication type.
  8. In the Groups field, select the group you created earlier.

  9. Click Update.

Creating a Network Policy

The purpose of a network policy is to specify how Cloud RADIUS will authorize access to a particular user role. To create and configure the Network policy, perform the following steps:

  1. Navigate to Policy Management > Network.
  2. Click Add Network Policy.
  3. In the Name and Display Description fields, enter a name and a suitable description for your network policy.
  4. Click Save.
  5. The page refreshes and displays the Conditions and Settings tabs.
  6. Select the Conditions tab.
  7. In the Conditions section, select Match All or Match Any based on your requirement to set authentication criteria. In the case explained here, we are selecting Match All.
  8. Click Add rule and select the rule you want to apply to this network policy. It is essential to select the appropriate policy workflow, as it is what triggers the network policy. This menu offers various rules that you can select based on your business requirements.


  9. Click Save.
  10. The Policy Workflow option appears under the Conditions tab.
  11. From the Policy Workflow Equals drop-down list, select the policy workflow you created earlier.

  12. Select the Settings tab.
    1. From the Access drop-down list, select whether matching authentication requests are allowed or denied. The default value is “Allow”.
    2. To configure MFA, select the checkbox to enable MFA.
    3. From the Perform MFA Using drop-down list, select a Core Provider for MFA.
    4. Click Add Attribute.
      1. From the Dictionary drop-down list, select an option:
        • Radius: IETF. This is what we will use for the following attributes, as we are using standard RADIUS attributes for VLAN assignment.
        • Custom. Used for any VSAs (Vendor-Specific Attributes).
    5. From the Attribute drop-down, select Filter-Id.

      NOTE: The Filter-Id value is defined on your access point, which maps it to a VLAN range; the value entered here must match that definition.

    6. In the Value field, enter the VLAN filter-ID you wish to connect to.

    7. Click Save.
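The Introduction describes the exchange behind this configuration (the access point sends an Access-Request carrying the device MAC as the identity, the RADIUS server looks the MAC up and answers with an Access-Accept or Access-Reject) and the Settings steps above attach a Filter-Id attribute to the accept so the access point can place the device in a VLAN. The following Python script is an added example, not code from SecureW2, Ubiquiti or this guide: it implements both sides of that exchange on the wire format of RFC 2865, with a constructed shared secret, a constructed MAC allow-list grouped the way the Core Provider groups devices, and placeholder Filter-Id values. The MAC-as-password convention (the client sends the MAC as both User-Name and User-Password) is an assumption about how the access point behaves, not something this guide states.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID, CALLING_STATION_ID = 1, 2, 11, 31

# Constructed sample data (placeholders, not real deployment values): the
# shared secret, an allow-list mapping MAC addresses to a group (the Core
# Provider groups), and the Filter-Id the Network Policy returns per group.
SHARED_SECRET = b"constructed-shared-secret"
MAC_GROUPS = {"aa:bb:cc:dd:ee:01": "printers", "aa:bb:cc:dd:ee:02": "cameras"}
GROUP_FILTER_ID = {"printers": "vlan-20", "cameras": "vlan-30"}


def normalise_mac(mac):
    """Canonical lower-case colon form; clients send MACs in several formats."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def encode_attrs(attrs):
    """Pack (type, value) pairs into RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Unpack RADIUS TLV attributes into a list of (type, value), rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password obfuscation (MD5 keystream XOR)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the zero padding (fine for MAC strings)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_mac_access_request(mac, ident=1):
    """Client side (the access point): Access-Request identifying the device by MAC."""
    mac = normalise_mac(mac)
    req_auth = os.urandom(16)  # Request Authenticator, fresh per request
    body = encode_attrs([
        (USER_NAME, mac.encode()),
        (USER_PASSWORD, hide_password(mac.encode(), SHARED_SECRET, req_auth)),
        (CALLING_STATION_ID, mac.replace(":", "-").upper().encode()),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def handle_access_request(packet):
    """Server side: allow-list lookup; returns (decision, filter_id, response packet)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    try:
        mac = normalise_mac(attrs.get(USER_NAME, b"").decode())
    except ValueError:
        mac = None
    password = reveal_password(attrs.get(USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    group = MAC_GROUPS.get(mac) if mac else None
    # Unknown MAC, or a password that is not the MAC (a non-MAB client): reject.
    if group is None or password != mac.encode():
        code, filter_id, resp_attrs = ACCESS_REJECT, None, []
    else:
        code, filter_id = ACCESS_ACCEPT, GROUP_FILTER_ID[group]
        resp_attrs = [(FILTER_ID, filter_id.encode())]  # the VLAN hint for the AP
    body = encode_attrs(resp_attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(head + req_auth + body + SHARED_SECRET).digest()
    return ("accept" if code == ACCESS_ACCEPT else "reject", filter_id, head + resp_auth + body)


def verify_response(response, req_auth):
    """Client side: check the Response Authenticator before trusting the decision."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + SHARED_SECRET).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_mac_access_request("AA-BB-CC-DD-EE-01")
    decision, filter_id, resp = handle_access_request(req)
    print(decision, filter_id, verify_response(resp, req[4:20]))
```

Running the script shows an allowed MAC receiving an Access-Accept with Filter-Id "vlan-20", while a MAC absent from the allow-list is rejected. The server checks the request length and attribute lengths before parsing, and the client verifies the Response Authenticator with the shared secret before acting on the decision, which is the check that ties the answer to the request the access point actually sent.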

Configuring MAC-based RADIUS Authentication in Unifi

Follow the steps below to set up MAC-based Authentication using Unifi:

  1. Log in to the Unifi Portal. 
  2. On the left pane, select Profiles.
  3. Click Create New RADIUS Profile.
  4. In the New RADIUS Profile page, for the Name field, enter the name of your RADIUS profile.
  5. Under the RADIUS Assigned VLAN Support section, select the Enable checkbox for Wireless Networks.
  6. In the RADIUS Settings section, for Authentication Servers, enter the IP Address, Port and Shared Secret. From the JoinNow Management Portal (navigate to RADIUS > RADIUS Configuration), copy the IP Address, Port, and Shared Secret and paste them into the IP Address, Port, and Shared Secret fields in the Unifi portal.

    NOTE: The details of the RADIUS profile must be from the Organization in which the MAC-based authentication IDP was created in the Creating a Core Provider in SecureW2 section.

  7. After entering the RADIUS details, click Add.
  8. Click Apply Changes.