
How to Set Up Cloud RADIUS with Ubiquiti UniFi: Complete Guide

A practical, step-by-step guide to configuring WPA-Enterprise authentication on Ubiquiti UniFi access points using a Cloud RADIUS server. Covers RADIUS profiles, SSID setup, dynamic VLAN assignment, and troubleshooting common issues.

To set up RADIUS for Ubiquiti UniFi, create a RADIUS profile in the UniFi Network Controller with your RADIUS server's IP address, port, and shared secret. Then create a WPA-Enterprise wireless network that uses this RADIUS profile. UniFi access points will forward 802.1X authentication requests to the RADIUS server for per-user credential validation.

Ubiquiti UniFi is one of the most widely deployed access point platforms in small-to-medium business, education, and managed service provider environments. Its combination of capable hardware and an intuitive management interface makes it popular - but out of the box, most UniFi SSIDs rely on a shared pre-shared key (PSK) for authentication.

A shared password is a liability. Anyone who knows the key can join the network, and revoking access for a single person means changing the password for everyone. RADIUS-based WPA-Enterprise authentication solves this by giving each user or device their own credentials - or better yet, a unique certificate.

This guide walks through the complete process of connecting Ubiquiti UniFi access points to IronWiFi's Cloud RADIUS server, from initial setup through dynamic VLAN assignment and troubleshooting.

Why Use RADIUS with UniFi?

WPA-Personal (PSK) works fine for a home network, but it creates real problems in any multi-user environment:

  • No individual accountability: Everyone shares the same password, so you cannot identify who is connected or audit their activity
  • Difficult credential rotation: When someone leaves, you must change the PSK and redistribute it to every remaining user and device
  • No per-user policies: Bandwidth limits, VLAN assignments, and session timeouts cannot vary by user
  • Vulnerability to key sharing: A PSK inevitably leaks - written on whiteboards, shared in emails, saved in device profiles

WPA-Enterprise with RADIUS authentication eliminates all of these issues. Each user authenticates with unique credentials (username/password via PEAP, or client certificate via EAP-TLS), and the RADIUS server can return per-user attributes like VLAN assignment, bandwidth policies, and session limits.

Key Benefits of Cloud RADIUS with UniFi

  • Per-user authentication: Revoke access instantly without changing network-wide passwords
  • Dynamic VLAN assignment: Automatically place users on the correct network segment based on role
  • Certificate-based auth: Eliminate passwords entirely with EAP-TLS
  • Centralized management: One authentication policy across all UniFi sites
  • No server to maintain: Cloud RADIUS handles availability, redundancy, and updates

Prerequisites

Before starting the configuration, ensure you have the following:

  • UniFi access points running firmware 6.x or later (U6, U7, or any Wi-Fi 6/6E/7 model)
  • UniFi Network application version 7.x or later - either self-hosted, running on a Cloud Gateway (UCG-Ultra, UCG-Max), or Dream Machine (UDM, UDM-Pro, UDM-SE)
  • IronWiFi account - sign up for a free trial if you do not have one
  • Network connectivity: Your UniFi gateway must allow outbound UDP traffic on ports 1812 (authentication) and 1813 (accounting)

UniFi Built-in RADIUS vs. External RADIUS

UniFi Security Gateways include a built-in RADIUS server (Settings > Services > RADIUS), but it is limited to local user databases and lacks features like directory integration, certificate-based auth, and detailed logging. For production deployments, an external Cloud RADIUS server provides significantly more capability and reliability.

Official Configuration Guide Available

IronWiFi maintains a detailed, regularly updated Ubiquiti UniFi Configuration Guide in our Help Center with the latest screenshots and settings for UniFi Network v8 and v9. The steps below provide an overview — refer to the official guide for the most current instructions.

Step 1: Configure IronWiFi RADIUS Server

Start by setting up the authentication infrastructure in IronWiFi. This takes about five minutes.

  1. Log in to the IronWiFi console at console.ironwifi.com and navigate to Networks
  2. Create a new Network and give it a descriptive name (e.g., "Office-UniFi" or "Campus-WiFi"). The system will generate a RADIUS server IP address, port, and shared secret
  3. Add your UniFi gateway's public IP to the Network's NAS (Network Access Server) list. This is the IP address from which RADIUS requests will originate. If you have multiple sites, add each site's public IP
  4. Note the RADIUS server details: You will need the primary server IP, secondary server IP, authentication port (1812), accounting port (1813), and shared secret for the UniFi configuration
  5. Create user accounts under Users, or connect your identity provider (Azure AD, Google Workspace, Okta, LDAP) under Authentication Providers for automated user provisioning

Shared Secret Security

The shared secret authenticates communication between your UniFi gateway and the RADIUS server. Use a strong, random secret (minimum 16 characters). Never reuse secrets across different networks or vendors. The shared secret must match exactly on both sides - including any trailing spaces.

Step 2: Create a RADIUS Profile in UniFi

With the RADIUS server configured, create a RADIUS profile in the UniFi Network application that references it.

  1. Open the UniFi Network application and navigate to Settings > Profiles > RADIUS
  2. Click "Create New" to add a new RADIUS profile
  3. Enter a profile name (e.g., "IronWiFi-RADIUS")
  4. Add the Authentication Server:
    • IP Address: Enter the IronWiFi primary RADIUS server IP
    • Port: 1812
    • Shared Secret: Enter the shared secret from your IronWiFi network configuration
  5. Add the Accounting Server:
    • IP Address: Same IronWiFi RADIUS server IP
    • Port: 1813
    • Shared Secret: Same shared secret
  6. Enable "RADIUS assigned VLAN for wireless network" if you plan to use dynamic VLAN assignment (covered in a later section)
  7. Click Save

For high availability, add a secondary RADIUS server. IronWiFi provides a secondary server IP for this purpose - the UniFi controller will automatically fail over to it if the primary is unreachable.

Step 3: Set Up an SSID with WPA-Enterprise

Now create a wireless network that uses the RADIUS profile for authentication.

  1. Navigate to Settings > WiFi and click "Create New"
  2. Enter the SSID name - this is the network name users will see on their devices
  3. Set Security Protocol to WPA2 Enterprise or WPA3 Enterprise
    • WPA2 Enterprise: Maximum device compatibility, supported by virtually all client devices
    • WPA3 Enterprise: Stronger encryption (192-bit), but requires client support (most 2022+ devices)
    • WPA2/WPA3 Enterprise (Transition): Best of both worlds - WPA3-capable devices use WPA3, others fall back to WPA2
  4. Select the RADIUS Profile you created in Step 2 from the dropdown
  5. Configure the VLAN - either assign a static VLAN or leave it to be assigned dynamically by RADIUS
  6. Click Save and wait for the configuration to provision to your access points

Security Protocol      Encryption           Compatibility   Recommendation
WPA2 Enterprise        AES-CCMP (128-bit)   All devices     Legacy environments
WPA3 Enterprise        AES-GCMP (192-bit)   2022+ devices   High-security environments
WPA2/WPA3 Transition   Both supported       All devices     Most deployments

Step 4: Configure Dynamic VLAN Assignment

Dynamic VLAN assignment is one of the most valuable capabilities of RADIUS-based authentication. Instead of creating separate SSIDs for each department or access tier, a single SSID can place users on different VLANs based on their identity.

How It Works

When a user authenticates, the RADIUS server evaluates their group membership, role, or device type and returns VLAN assignment attributes in the Access-Accept response. The UniFi AP reads these attributes and places the user on the specified VLAN - all transparently to the user.

UniFi Configuration

  1. Create VLANs in UniFi: Navigate to Settings > Networks and create a network for each VLAN you want to use (e.g., Staff VLAN 10, Guest VLAN 20, IoT VLAN 30)
  2. Enable RADIUS VLAN in the profile: In your RADIUS profile (Settings > Profiles > RADIUS), ensure the "Enable RADIUS assigned VLAN for wireless network" checkbox is selected
  3. Configure RADIUS attributes in IronWiFi: For each user or group in IronWiFi, set the following reply attributes:
    • Tunnel-Type: VLAN (value 13)
    • Tunnel-Medium-Type: IEEE-802 (value 6)
    • Tunnel-Private-Group-ID: Your VLAN ID (e.g., 10, 20, 30)

Fallback Behavior

If the RADIUS server returns an Access-Accept without VLAN attributes, or if the VLAN ID does not exist on the UniFi network, the client falls back to the default VLAN configured on the SSID. Always configure a sensible default VLAN as a safety net.
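To make the attribute triple and the fallback rule concrete, here is an added example (not UniFi's or IronWiFi's code) that parses the tunnel attributes from the attribute section of an Access-Accept the way an access point must: Tunnel-Type (64) and Tunnel-Medium-Type (65) carry a one-octet tag followed by a three-octet integer, and Tunnel-Private-Group-ID (81) carries an optional tag octet followed by the VLAN ID as a string (RFC 2868). The `assign_vlan` function then applies the fallback described above: an incomplete triple or a VLAN that is not configured on the controller results in the SSID default. The sample attribute bytes and the set of configured VLANs are constructed for the example; the function and attribute names are the example's own.

```python
"""Parse RADIUS tunnel attributes (RFC 2868) and apply the VLAN fallback rule."""

ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802


def parse_attributes(raw: bytes):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, raw[i + 2:i + alen]))
        i += alen
    return attrs


def _tagged_int(value: bytes):
    """Tag octet + 3-octet integer; a first octet above 0x1F is part of the value (no tag)."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    if value[0] > 0x1F:
        return 0, int.from_bytes(value, "big")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_string(value: bytes):
    """A leading octet in 0x00..0x1F is a tag; otherwise the whole field is the string."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def extract_vlan(raw: bytes):
    """Return the VLAN ID carried by a complete Tunnel-* triple, or None if absent/invalid."""
    per_tag = {}
    for atype, value in parse_attributes(raw):
        if atype == ATTR_TUNNEL_TYPE:
            tag, v = _tagged_int(value)
            per_tag.setdefault(tag, {})["type"] = v
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            tag, v = _tagged_int(value)
            per_tag.setdefault(tag, {})["medium"] = v
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            tag, v = _tagged_string(value)
            per_tag.setdefault(tag, {})["group"] = v
    for tag in sorted(per_tag):
        t = per_tag[tag]
        if (t.get("type") == TUNNEL_TYPE_VLAN
                and t.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in t):
            try:
                vid = int(t["group"].decode("ascii"))
            except (UnicodeDecodeError, ValueError):
                return None
            if 1 <= vid <= 4094:
                return vid
    return None


def assign_vlan(raw: bytes, configured_vlans, default_vlan: int):
    """Mirror the AP's fallback: missing triple or unknown VLAN -> SSID default VLAN."""
    vid = extract_vlan(raw)
    if vid is None:
        return default_vlan, "no complete tunnel triple; using SSID default"
    if vid not in configured_vlans:
        return default_vlan, f"VLAN {vid} not configured in UniFi; using SSID default"
    return vid, f"RADIUS-assigned VLAN {vid}"


def tunnel_attrs(vlan_id: int, tag: int = 0) -> bytes:
    """Build the three attributes as a server would (constructed input for this example)."""
    def attr(atype, value):
        return bytes([atype, 2 + len(value)]) + value
    return (attr(ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


if __name__ == "__main__":
    configured = {10, 20, 30, 40, 50}   # constructed: VLANs present under Settings > Networks
    print(assign_vlan(tunnel_attrs(20), configured, default_vlan=50))
    print(assign_vlan(tunnel_attrs(99), configured, default_vlan=50))
    print(assign_vlan(tunnel_attrs(20)[:12], configured, default_vlan=50))  # group ID missing
```

When a client lands on the default VLAN unexpectedly, feeding the reply's attribute bytes (for example from a packet capture on the controller) through `assign_vlan` shows which of the two fallback conditions applied, which is quicker than guessing between a missing attribute and a VLAN that was never created in UniFi.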

Example VLAN Assignments

User Group     VLAN ID   Network Segment   Access Level
IT Staff       10        Management        Full access
Employees      20        Corporate         Internal resources
Contractors    30        Restricted        Internet + limited internal
IoT Devices    40        IoT               Internet only, isolated
Guests         50        Guest             Internet only


Step 5: Testing Client Connections

After configuring the RADIUS profile and SSID, test the connection from each major client platform.

Windows 10/11

  1. Click the Wi-Fi icon and select your WPA-Enterprise SSID
  2. Windows will prompt for a username and password (PEAP/MSCHAPv2)
  3. Enter your IronWiFi user credentials
  4. On first connection, Windows may display a certificate trust dialog - verify the server certificate name matches your RADIUS configuration and click Connect
  5. Confirm the connection by checking your assigned IP address (it should match the expected VLAN subnet)

macOS

  1. Click the Wi-Fi icon in the menu bar and select the enterprise SSID
  2. Enter your username and password in the authentication dialog
  3. macOS will show a certificate trust prompt - click Continue, then enter your Mac password to trust the certificate
  4. The connection should complete. Check System Settings > Network > Wi-Fi for the assigned IP

iOS / iPadOS

  1. Open Settings > Wi-Fi and tap the enterprise SSID
  2. Enter your username and password
  3. iOS will display a "Certificate" screen - tap "Trust" to accept the RADIUS server certificate
  4. The device will connect and receive an IP from the appropriate VLAN

Android

  1. Open Settings > Network > Wi-Fi and tap the enterprise SSID
  2. Set EAP method to PEAP and Phase 2 authentication to MSCHAPv2
  3. Set CA certificate to "Use system certificates" or "Do not validate" for initial testing
  4. Enter your Identity (username) and Password
  5. Tap Connect

Certificate Validation on Android

Android versions 11 and later require explicit CA certificate configuration for WPA-Enterprise connections. Setting "Do not validate" works for testing but is not recommended for production. For proper security, deploy the RADIUS server's CA certificate to Android devices via MDM or the IronWiFi Enrollment Portal.

Bonus: Wired 802.1X on UniFi Switches

The same RADIUS profile can secure wired connections on UniFi switches. This ensures that only authenticated devices can access the network through Ethernet ports.

  1. Navigate to Settings > Networks and select the network you want to protect
  2. Enable 802.1X control on the port profile by navigating to the switch port settings
  3. Assign the same RADIUS profile you created for wireless authentication
  4. Choose the authentication mode:
    • Port-based: One device authenticates, and the port opens for all traffic
    • MAC-based: Each MAC address on the port must authenticate individually

Troubleshooting

When RADIUS authentication fails, the issue usually falls into one of a few categories. Work through these in order.

Authentication Failures (EAP Errors)

  • Shared secret mismatch: The most common cause. Compare the shared secret in UniFi (Settings > Profiles > RADIUS) character-by-character with the one in IronWiFi. Watch for trailing spaces or invisible characters
  • User not found: Verify the username exists in IronWiFi and is associated with the correct network. Check for typos and case sensitivity
  • Wrong password: Reset the user's password in IronWiFi and try again. PEAP/MSCHAPv2 is case-sensitive
  • NAS IP not registered: IronWiFi only accepts RADIUS requests from registered NAS IPs. Confirm your UniFi gateway's public IP is in the Network's NAS list

Connectivity Issues

  • Firewall blocking RADIUS: Ensure your firewall allows outbound UDP traffic from the UniFi gateway to the RADIUS server on ports 1812 and 1813
  • NAT issues: If your UniFi gateway is behind a NAT, the RADIUS server will see the NAT's public IP. Register that public IP as the NAS IP, not the gateway's private IP
  • DNS resolution: If using a RADIUS hostname instead of IP, verify DNS resolution from the UniFi gateway
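The shared-secret and connectivity failures above look identical from the client's side (the EAP exchange just fails), but they can be told apart on the wire. The following added example (not a tool from IronWiFi or Ubiquiti) sends an RFC 5997 Status-Server request, which carries a Message-Authenticator computed with the shared secret, and then checks the Response Authenticator of whatever comes back using the same secret (RFC 2865 section 3). A timeout points at the firewall, NAT, or NAS registration; a reply whose authenticator does not verify points at a secret mismatch, including the trailing-space case mentioned under Shared Secret Security. It assumes the RADIUS server answers Status-Server, which is an assumption about IronWiFi, and the host, port and secret values are placeholders; the sample reply used for the offline check is constructed here.

```python
"""Probe a RADIUS server with Status-Server and classify the outcome (RFC 5997, RFC 2865)."""
import hashlib
import hmac
import os
import socket
import struct

CODE_ACCESS_ACCEPT = 2
CODE_ACCOUNTING_RESPONSE = 5
CODE_STATUS_SERVER = 12
ATTR_MESSAGE_AUTHENTICATOR = 80


def build_status_server(secret: bytes, identifier: int, request_auth: bytes) -> bytes:
    """Header + Message-Authenticator; the HMAC-MD5 is keyed with the shared secret."""
    length = 20 + 18                                  # header + 18-octet Message-Authenticator
    header = struct.pack("!BBH", CODE_STATUS_SERVER, identifier, length) + request_auth
    placeholder = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + mac


def response_authenticator(secret: bytes, code: int, identifier: int,
                           request_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 §3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + attrs + secret).digest()


def build_reply(secret: bytes, code: int, identifier: int,
                request_auth: bytes, attrs: bytes = b"") -> bytes:
    """What a server sends back; used here only to construct sample replies offline."""
    auth = response_authenticator(secret, code, identifier, request_auth, attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def classify_reply(secret: bytes, identifier: int, request_auth: bytes, reply) -> str:
    """Map a reply (or None on timeout) to the troubleshooting category it indicates."""
    if reply is None:
        return "timeout"                               # firewall, NAT, or NAS IP not registered
    if len(reply) < 20:
        return "malformed"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return "malformed"
    if rid != identifier:
        return "identifier-mismatch"                   # not the answer to our request
    attrs = reply[20:length]
    expected = response_authenticator(secret, code, rid, request_auth, attrs)
    if not hmac.compare_digest(reply[4:20], expected):
        return "authenticator-invalid"                 # shared secret differs on the two sides
    if code in (CODE_ACCESS_ACCEPT, CODE_ACCOUNTING_RESPONSE):
        return "ok"
    return f"unexpected-code-{code}"


def probe(host: str, port: int, secret: bytes, timeout: float = 3.0) -> str:
    """Send one Status-Server request over UDP and classify the result."""
    identifier = os.urandom(1)[0]
    request_auth = os.urandom(16)
    packet = build_status_server(secret, identifier, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_reply(secret, identifier, request_auth, reply)


if __name__ == "__main__":
    # Placeholders: substitute the server IP, port and secret shown in the IronWiFi console.
    for port in (1812, 1813):
        print(port, probe("RADIUS_SERVER_IP_PLACEHOLDER", port, b"SHARED_SECRET_PLACEHOLDER"))
```

Run it from the UniFi gateway itself, or from a host behind the same NAT, so that the request leaves from the public IP you registered as the NAS; run from anywhere else, a timeout only tells you that the probing host is not registered. Servers that do not implement Status-Server silently discard it, so a timeout is conclusive only after a separate check that the secret-carrying path is otherwise open.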

VLAN Assignment Issues

  • VLAN not applied: Confirm "Enable RADIUS assigned VLAN" is checked in the RADIUS profile. Check that the RADIUS reply includes all three tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID)
  • VLAN does not exist: The VLAN ID returned by RADIUS must match a network configured in UniFi. If VLAN 30 does not exist in Settings > Networks, the client will fall back to the default VLAN
  • Trunk port configuration: Ensure the switch ports connecting your APs are configured as trunk ports carrying all relevant VLANs

Checking Logs

  • UniFi Events: Navigate to the Events section in the UniFi Network application. Filter by "WiFi" to see authentication successes and failures with specific error codes
  • IronWiFi Logs: Check the Authentication Log in the IronWiFi console for detailed RADIUS transaction records, including the exact reason for any rejections

Frequently Asked Questions

Does UniFi support WPA3-Enterprise with a Cloud RADIUS server?

Yes. UniFi Network version 7.x and later supports WPA3-Enterprise when configured with an external RADIUS server. Select WPA3 Enterprise as the security protocol when creating your wireless network, and assign the RADIUS profile you configured with your Cloud RADIUS server details.

Which RADIUS attributes does UniFi need for dynamic VLAN assignment?

UniFi requires three RADIUS attributes for dynamic VLAN assignment: Tunnel-Type set to VLAN (value 13), Tunnel-Medium-Type set to IEEE-802 (value 6), and Tunnel-Private-Group-ID set to your target VLAN ID. You must also enable "RADIUS assigned VLAN" in the RADIUS profile settings.

Does IronWiFi Cloud RADIUS work with UniFi Cloud Gateway and Dream Machine models?

Yes. IronWiFi Cloud RADIUS works with all UniFi gateways including Cloud Gateway Ultra, Cloud Gateway Max, and Dream Machine series. Configure IronWiFi's RADIUS server IP and shared secret in the UniFi RADIUS profile, and ensure your gateway's firewall allows outbound UDP traffic on ports 1812 and 1813.

Why is RADIUS authentication failing on my UniFi network?

Common causes include: mismatched shared secrets between UniFi and your RADIUS server, firewall rules blocking UDP ports 1812/1813, the RADIUS server not having the UniFi gateway's public IP in its allowed NAS list, or expired client certificates. Check the UniFi controller logs under Events for specific EAP failure codes.

How do I enable wired 802.1X on UniFi switches?

In the UniFi Network application, go to Settings > Networks and enable RADIUS for the relevant network. Then navigate to the switch port profile settings and enable 802.1X authentication. Assign the RADIUS profile you created. UniFi switches support both port-based and MAC-based 802.1X for wired clients.