Integrate RADIUS and MAC Authentication With Ubiquiti Unifi Access Points

Introduction

This guide demonstrates how devices are authenticated on the basis of their physical Media Access Control (MAC) addresses. Once the source MAC address is identified, the access point or switch generates an Access-Request message with the user/machine's MAC address as the identity and sends it to the RADIUS server. The RADIUS server performs MAC authentication on receiving the Access-Request.

The RADIUS authentication server decides whether to grant access to the user/device and what level of access the client should receive. Having made this decision, the RADIUS server transmits an Access-Accept, allowing the user/machine to access the network.

If you are interested in setting up EAP-TLS Authentication, you can find the relevant instructions and resources at the following link: How to Set Up Passwordless RADIUS Authentication with an Ubiquiti Unifi Access Point

Creating an Identity Provider in SecureW2

Identity providers (IdPs) manage digital identities that help organizations authenticate their users or employees and grant or revoke access permissions as needed. Follow the steps below to create an Identity Provider in the JoinNow Management Portal and configure it for MAC Authentication:

  1. Log in to the JoinNow MultiOS Management Portal.
  2. Navigate to Identity Management > Identity Providers.
  3. Click Add Identity Provider.
  4. In the Name field, enter a name for your IdP.
  5. In the Description field, enter a suitable description for your IdP.
  6. From the Type drop-down list, select MAC Authentication.
  7. Click Save.
  8. The page refreshes and displays the Configuration and Groups tabs.
  9. Select the Groups tab.
  10. Click Add group.
  11. On the displayed pop-up window, in the Name field, enter a name for your group.
  12. In the Description field, enter a suitable description for your group.
  13. Click Save.
  14. Select the Configuration tab.
  15. Click Add Device.
  16. On the displayed pop-up window, in the MAC Address field, enter the MAC address of the device that you want to authenticate.
  17. From the Group Name drop-down list, select the group name you created earlier.
  18. In the Description field, enter a suitable description for your device.
  19. Click Save.
  20. Click Update.

Set up Role policy and Network policy

JoinNow Management offers policy-based management to facilitate VLAN-based segmentation. The policies to be configured are:

  • Role Policy
  • Network Policy

A Role policy grants a user access to defined resources. To add a Role policy, perform the following steps:

  1. Log in to the JoinNow MultiOS Management Portal.
  2. Navigate to Policy Management > Roles Policies.
  3. Click Add Role.
  4. In the Name field, enter a name for your role policy.
  5. In the Display Description field, enter a suitable description for your role policy.
  6. Click Save.
  7. The page refreshes and the Conditions tab is displayed.
  8. Select the Conditions tab.
  9. In the Conditions section, from the Identity Provider drop-down list, select the IdP you created with the MAC Authentication type.
  10. In the Attribute/Groups section, in the Attribute field, retain ANY.
  11. In the Groups field, select the group you created earlier.
  12. Click Update.

The purpose of a network policy is to specify how Cloud RADIUS will authorize access to a particular user role. To create and configure the Network policy, perform the following steps:

  1. Navigate to Policy Management > Network Policies.
  2. Click Add Network Policy.
  3. In the Name field, enter a name for your network policy.
  4. In the Display Description field, enter a suitable description for your network policy.
  5. Click Save.
  6. The page refreshes and displays the Conditions and Settings tabs.
  7. Select the Conditions tab.
  8. In the Conditions section, select Match All or Match Any based on your requirement to set authentication criteria. In the case explained here, we are selecting Match All.
  9. Click Add rule.
  10. Expand Identity and select the Role option.
  11. Click Save.
  12. The Role option appears under the Conditions tab.
  13. From the Role Equals drop-down list, select the role policy you created earlier.
  14. Select the Settings tab.
  15. Click Add Attribute.
  16. From the Dictionary drop-down list, select an option: Radius:IETF or Custom.
  17. From the Attribute drop-down list, select Filter-Id.
      NOTE: Filter-Id is created on your access point to form a VLAN range.
  18. In the Value field, enter the VLAN filter-ID you wish to connect to.
  19. Click Save.
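The exchange described in the Introduction and the Filter-Id attribute configured in steps 15 to 18 above, as an added example that is not part of this guide or of SecureW2's or Ubiquiti's code: it frames a MAC-authentication Access-Request per RFC 2865 (the client MAC as User-Name and User-Password), builds the Access-Accept a RADIUS server would return with Filter-Id, and checks the Response Authenticator before the VLAN is applied. The MAC, shared secret and Filter-Id value are constructed; no real network traffic is sent.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID, CALLING_STATION_ID = 1, 2, 11, 31

def attr(attr_type, value):
    # RADIUS attribute TLV: type, length (counts the 2 header bytes), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_user_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_mab_access_request(mac, secret, authenticator, identifier=1):
    # MAC authentication: the client MAC is the User-Name (identity) and also the User-Password
    ident = mac.encode()
    attrs = (attr(USER_NAME, ident) + attr(CALLING_STATION_ID, ident)
             + attr(USER_PASSWORD, encode_user_password(ident, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(request, secret, filter_id):
    # Server side: Access-Accept with Filter-Id; Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)
    attrs = attr(FILTER_ID, filter_id.encode())
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request_authenticator, secret):
    # The AP must check this before applying the VLAN: a failing reply was not produced by a holder of the secret
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest() == response[4:20]

def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:  # an attribute length below 2 is malformed
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return attrs

def mab_exchange(mac, secret, filter_id):
    # Constructed round trip: the Filter-Id the AP would apply, or None if the reply fails verification
    req = build_mab_access_request(mac, secret, os.urandom(16))
    resp = build_access_accept(req, secret, filter_id)
    return parse_attributes(resp)[FILTER_ID][0].decode() if verify_response(resp, req[4:20], secret) else None
```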

Configuring MAC-based RADIUS Authentication in Unifi

Follow the steps below to set up MAC-based Authentication using Unifi:

  1. Log in to the Unifi Portal.
  2. On the left pane, select Profiles.
  3. Click Create New RADIUS Profile.
  4. In the New RADIUS Profile page, for the Name field, enter the name of your RADIUS profile.
  5. Under the RADIUS Assigned VLAN Support section, select the Enable checkbox for Wireless Networks.
  6. In the RADIUS Settings section, for Authentication Servers, enter the IP Address, Port, and Shared Secret. From the JoinNow MultiOS Management Portal (navigate to RADIUS > RADIUS Configuration), copy the IP Address, Port, and Shared Secret and paste them into the IP Address, Port, and Shared Secret fields in Unifi.
      NOTE: The RADIUS profile details must come from the Organization in which the MAC-based authentication IdP was created in the Creating an Identity Provider in SecureW2 section.
  7. After entering the RADIUS details, click Add.
  8. Click Apply Changes.