To set up RADIUS for Ubiquiti UniFi, create a RADIUS profile in the UniFi Network Controller with your RADIUS server's IP address, port, and shared secret. Then create a WPA-Enterprise wireless network that uses this RADIUS profile. UniFi access points will forward 802.1X authentication requests to the RADIUS server for per-user credential validation.
Ubiquiti UniFi is one of the most widely deployed access point platforms in small-to-medium business, education, and managed service provider environments. Its combination of capable hardware and an intuitive management interface makes it popular - but out of the box, most UniFi SSIDs rely on a shared pre-shared key (PSK) for authentication.
A shared password is a liability. Anyone who knows the key can join the network, and revoking access for a single person means changing the password for everyone. RADIUS-based WPA-Enterprise authentication solves this by giving each user or device their own credentials - or better yet, a unique certificate.
This guide walks through the complete process of connecting Ubiquiti UniFi access points to IronWiFi's Cloud RADIUS server, from initial setup through dynamic VLAN assignment and troubleshooting.
Why Use RADIUS with UniFi?
WPA-Personal (PSK) works fine for a home network, but it creates real problems in any multi-user environment:
- No individual accountability: Everyone shares the same password, so you cannot identify who is connected or audit their activity
- Difficult credential rotation: When someone leaves, you must change the PSK and redistribute it to every remaining user and device
- No per-user policies: Bandwidth limits, VLAN assignments, and session timeouts cannot vary by user
- Vulnerability to key sharing: A PSK inevitably leaks - written on whiteboards, shared in emails, saved in device profiles
WPA-Enterprise with RADIUS authentication eliminates all of these issues. Each user authenticates with unique credentials (username/password via PEAP, or client certificate via EAP-TLS), and the RADIUS server can return per-user attributes like VLAN assignment, bandwidth policies, and session limits.
Key Benefits of Cloud RADIUS with UniFi
- Per-user authentication: Revoke access instantly without changing network-wide passwords
- Dynamic VLAN assignment: Automatically place users on the correct network segment based on role
- Certificate-based auth: Eliminate passwords entirely with EAP-TLS
- Centralized management: One authentication policy across all UniFi sites
- No server to maintain: Cloud RADIUS handles availability, redundancy, and updates
Prerequisites
Before starting the configuration, ensure you have the following:
- UniFi access points running firmware 6.x or later (U6, U7, or any Wi-Fi 6/6E/7 model)
- UniFi Network application version 7.x or later - either self-hosted, running on a Cloud Gateway (UCG-Ultra, UCG-Max), or Dream Machine (UDM, UDM-Pro, UDM-SE)
- IronWiFi account
Step 5: Testing Client Connections
After configuring the RADIUS profile and SSID, test the connection from each major client platform.
Windows 10/11
- Click the Wi-Fi icon and select your WPA-Enterprise SSID
- Windows will prompt for a username and password (PEAP/MSCHAPv2)
- Enter your IronWiFi user credentials
- On first connection, Windows may display a certificate trust dialog - verify the server certificate name matches your RADIUS configuration and click Connect
- Confirm the connection by checking your assigned IP address (it should match the expected VLAN subnet)
macOS
- Click the Wi-Fi icon in the menu bar and select the enterprise SSID
- Enter your username and password in the authentication dialog
- macOS will show a certificate trust prompt - click Continue, then enter your Mac password to trust the certificate
- The connection should complete. Check System Settings > Network > Wi-Fi for the assigned IP
iOS / iPadOS
- Open Settings > Wi-Fi and tap the enterprise SSID
- Enter your username and password
- iOS will display a "Certificate" screen - tap "Trust" to accept the RADIUS server certificate
- The device will connect and receive an IP from the appropriate VLAN
Android
- Open Settings > Network > Wi-Fi and tap the enterprise SSID
- Set EAP method to PEAP and Phase 2 authentication to MSCHAPv2
- Set CA certificate to "Use system certificates" or "Do not validate" for initial testing
- Enter your Identity (username) and Password
- Tap Connect
Certificate Validation on Android
Android versions 11 and later require explicit CA certificate configuration for WPA-Enterprise connections. Setting "Do not validate" works for testing but is not recommended for production. For proper security, deploy the RADIUS server's CA certificate to Android devices via MDM or the IronWiFi Enrollment Portal.
Bonus: Wired 802.1X on UniFi Switches
The same RADIUS profile can secure wired connections on UniFi switches. This ensures that only authenticated devices can access the network through Ethernet ports.
- Navigate to Settings > Networks and select the network you want to protect
- Enable 802.1X control on the port profile by navigating to the switch port settings
- Assign the same RADIUS profile you created for wireless authentication
- Choose the authentication mode:
  - Port-based: One device authenticates, and the port opens for all traffic
  - MAC-based: Each MAC address on the port must authenticate individually
Troubleshooting
When RADIUS authentication fails, the issue usually falls into one of a few categories. Work through these in order.
Authentication Failures (EAP Errors)
- Shared secret mismatch: The most common cause. Compare the shared secret in UniFi (Settings > Profiles > RADIUS) character-by-character with the one in IronWiFi. Watch for trailing spaces or invisible characters
- User not found: Verify the username exists in IronWiFi and is associated with the correct network. Check for typos and case sensitivity
- Wrong password: Reset the user's password in IronWiFi and try again. PEAP/MSCHAPv2 is case-sensitive
- NAS IP not registered: IronWiFi only accepts RADIUS requests from registered NAS IPs. Confirm your UniFi gateway's public IP is in the Network's NAS list
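The following is an added example, not part of the original guide or of IronWiFi's or Ubiquiti's code. It shows why a single stray character in the shared secret breaks authentication: the secret is hashed into every RADIUS reply authenticator (RFC 2865), so the NAS rejects a reply built with a secret that differs by one trailing space. The secret values, the packet, and the helper `hidden_characters` are constructed for illustration.

```python
import hashlib
import hmac
import struct
import unicodedata

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, request_auth, attrs, secret):
    """What the RADIUS server sends: header, authenticator, attributes."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def reply_is_valid(reply, request_auth, secret):
    """What the NAS checks: was the reply authenticator made with my secret?"""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])

def hidden_characters(secret):
    """List (index, name) of whitespace and invisible characters in a secret."""
    return [(i, unicodedata.name(ch, "CONTROL CHARACTER"))
            for i, ch in enumerate(secret)
            if ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf")]

# Constructed sample values, not taken from any real deployment.
SERVER_SECRET = "constructed-secret-123"
PASTED_SECRET = "constructed-secret-123 "   # same secret with a trailing space
REQUEST_AUTH = bytes(range(16))
REPLY = build_reply(2, 7, REQUEST_AUTH, bytes([18, 4]) + b"ok", SERVER_SECRET.encode())
```

Running `hidden_characters` on the secret exactly as it was pasted into each console is a quick way to do the character-by-character comparison described above.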
Connectivity Issues
- Firewall blocking RADIUS: Ensure your firewall allows outbound UDP traffic from the UniFi gateway to the RADIUS server on the assigned RADIUS ports
- NAT issues: If your UniFi gateway is behind a NAT, the RADIUS server will see the NAT's public IP. Register that public IP as the NAS IP, not the gateway's private IP
- DNS resolution: If using a RADIUS hostname instead of IP, verify DNS resolution from the UniFi gateway
VLAN Assignment Issues
- VLAN not applied: Confirm "Enable RADIUS assigned VLAN" is checked in the RADIUS profile. Check that the RADIUS reply includes all three tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID)
- VLAN does not exist: The VLAN ID returned by RADIUS must match a network configured in UniFi. If VLAN 30 does not exist in Settings > Networks, the client will fall back to the default VLAN
- Trunk port configuration: Ensure the switch ports connecting your APs are configured as trunk ports carrying all relevant VLANs
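As an added example (not from the original guide), the check below parses a captured Access-Accept and reports which of the three tunnel attributes are missing or wrong, and whether the returned VLAN ID exists in the set of networks configured in UniFi. The attribute numbers 64, 65 and 81 and the tag-byte layout come from RFC 2868; the packets, the `configured_vlans` set, and all function names are constructed for illustration.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
VLAN, IEEE_802 = 13, 6  # values the guide requires

def parse_attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len

def check_vlan_reply(packet, configured_vlans):
    """Return (vlan_id or None, problems) for an Access-Accept."""
    attrs = dict(parse_attributes(packet))
    problems = []
    # Tunnel-Type and Tunnel-Medium-Type carry 1 tag byte + a 3-byte value.
    for attr_id, name, want in ((TUNNEL_TYPE, "Tunnel-Type", VLAN),
                                (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type", IEEE_802)):
        value = attrs.get(attr_id)
        if value is None:
            problems.append(f"{name} missing")
        elif len(value) != 4 or int.from_bytes(value[1:], "big") != want:
            problems.append(f"{name} is not {want}")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        return None, problems + ["Tunnel-Private-Group-ID missing"]
    # A leading byte of 0x1F or below is a tag, not part of the VLAN ID string.
    text = (group[1:] if group[:1] <= b"\x1f" else group).decode("ascii", "replace")
    if not (text.isdigit() and 1 <= int(text) <= 4094):
        return None, problems + [f"Tunnel-Private-Group-ID {text!r} is not a VLAN ID"]
    if int(text) not in configured_vlans:
        problems.append(f"VLAN {text} not configured in UniFi")
    return int(text), problems

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value
def build_accept(*attrs):
    """Constructed Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

GOOD = build_accept(attr(64, b"\x00\x00\x00\x0d"), attr(65, b"\x00\x00\x00\x06"),
                    attr(81, b"30"))
PARTIAL = build_accept(attr(81, b"30"))  # tunnel type and medium omitted
```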
Checking Logs
- UniFi Events: Navigate to the Events section in the UniFi Network application. Filter by "WiFi" to see authentication successes and failures with specific error codes
- IronWiFi Logs: Check the Authentication Log in the IronWiFi console for detailed RADIUS transaction records, including the exact reason for any rejections
Frequently Asked Questions
Yes. UniFi Network version 7.x and later supports WPA3-Enterprise when configured with an external RADIUS server. Select WPA3 Enterprise as the security protocol when creating your wireless network, and assign the RADIUS profile you configured with your Cloud RADIUS server details.
UniFi requires three RADIUS attributes for dynamic VLAN assignment: Tunnel-Type set to VLAN (value 13), Tunnel-Medium-Type set to IEEE-802 (value 6), and Tunnel-Private-Group-ID set to your target VLAN ID. You must also enable "RADIUS assigned VLAN" in the RADIUS profile settings.
Yes. IronWiFi Cloud RADIUS works with all UniFi gateways including Cloud Gateway Ultra, Cloud Gateway Max, and Dream Machine series. Configure IronWiFi's RADIUS server IP and shared secret in the UniFi RADIUS profile, and ensure your gateway's firewall allows outbound UDP traffic on the RADIUS ports assigned in your IronWiFi Console.
Common causes include: mismatched shared secrets between UniFi and your RADIUS server, firewall rules blocking the assigned RADIUS UDP ports, the RADIUS server not having the UniFi gateway's public IP in its allowed NAS list, or expired client certificates. Check the UniFi controller logs under Events for specific EAP failure codes.
In the UniFi Network application, go to Settings > Networks and enable RADIUS for the relevant network. Then navigate to the switch port profile settings and enable 802.1X authentication. Assign the RADIUS profile you created. UniFi switches support both port-based and MAC-based 802.1X for wired clients.
