Ubiquiti UniFi setup guide

UDM / Cloud Key / Network Application

Applies to: UDM, Cloud Key and the self-hosted Network Application. UniFi is controller-managed: RADIUS profiles are configured once in the UniFi Network Application and then attached to switch port profiles and SSIDs. Paths below are from the Network 8.x UI. Network 8.x supports CoA but does not send Message-Authenticator on every model; the Edge injects Message-Authenticator on the inner hop, so this is not a blocker.

Wired — RADIUS server, 802.1X and MAB

Settings -> Profiles -> RADIUS -> Create new RADIUS profile.

Profile name:        Arbiter
Wireless network:    (leave default)
Authentication servers:
  IP: 10.10.10.10  Port: 1812  Secret: ARBITER_PSK
  IP: 10.10.10.11  Port: 1812  Secret: ARBITER_PSK
Accounting servers:  (mirror the auth servers, port 1813)
Accounting interval: 600
Update on:           Accounting (so re-auth attributes apply)

RADIUS-assigned VLAN for wired: enabled

Switch port profile:
  Settings -> Profiles -> Switch ports -> New port profile
  Name: Arbiter 802.1X
  PoE: as needed
  802.1X control: Auto
  802.1X MAB fallback: enabled
  RADIUS profile: Arbiter

Wireless — 802.1X SSID

Settings -> WiFi -> Create new network -> WPA Enterprise.

SSID name:           Corp
Network:             Corp VLAN
Security:            WPA2 Enterprise
RADIUS profile:      Arbiter
Advanced -> RADIUS MAC authentication: off (for 802.1X SSID)
Advanced -> VLAN override (RADIUS):  on

Guest SSID — open with captive portal redirect

UniFi has its own guest portal feature, but to keep Arbiter the source of truth, use an open SSID with RADIUS MAC authentication and put the Arbiter-hosted portal in the walled garden (the pre-authorisation access list) so unauthenticated clients can reach it and nothing else.

SSID name:           Guest
Security:            Open
RADIUS MAC authentication: enabled  ->  Profile: Arbiter
MAC auth format:     aabbccddeeff (lowercase, no separators)

Settings -> Guest control -> Pre-authorisation access:
  acme-7f3-guest.arbiter.ie

Arbiter returns on the MAB Access-Accept:
  Tunnel-Private-Group-Id  = <holding VLAN>
  WISPr-Redirection-URL    = https://acme-7f3-guest.arbiter.ie/

The VLAN is only honoured when Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6) accompany Tunnel-Private-Group-Id (RFC 3580). If a guest client lands on the SSID's default network instead of the holding VLAN, confirm all three attributes are present in the Accept before looking at the AP.
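As an added example, not part of this guide or of Arbiter's own code, the following Python builds the MAB Access-Accept described above (the RFC 3580 Tunnel attributes plus the WISPr-Redirection-URL vendor attribute), signs it with Message-Authenticator, and shows the check a NAS or the Edge's inner hop should perform: the Response Authenticator alone does not prove the Accept came from the real server, so the verifier also requires a valid Message-Authenticator. The secret ARBITER_PSK and the portal URL come from this page; the holding VLAN "99", the identifier and the Request Authenticator are made-up sample values.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types (RFC 2865, RFC 2868, RFC 2869)
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13           # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6      # RFC 3580
WISPR_VENDOR_ID = 14122         # WISPr vendor dictionary
WISPR_REDIRECTION_URL = 4       # WISPr-Redirection-URL sub-attribute
CODE_ACCESS_ACCEPT = 2


def attr(atype: int, data: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    if len(data) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", atype, 2 + len(data)) + data


def tagged_int(atype: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Vendor-Specific (26) carrying one vendor sub-attribute."""
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack("!IBB", vendor_id, vendor_type, 2 + len(data)) + data)


def vlan_attrs(vlan: str, tag: int = 0) -> bytes:
    """The three attributes a NAS needs for RADIUS-assigned VLAN (RFC 3580)."""
    group = (bytes([tag]) if tag else b"") + vlan.encode()   # tag 0 is omitted on strings
    return (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, group))


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept with Message-Authenticator and a valid Response Authenticator."""
    # Message-Authenticator = HMAC-MD5 over the packet with its own value zeroed and the
    # *Request* Authenticator in the authenticator slot (RFC 2869 section 5.14).
    placeholder = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(placeholder))
    mac = hmac.new(secret, header + request_auth + placeholder, hashlib.md5).digest()
    body = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865).
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the Response Authenticator and a present Message-Authenticator both check."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = header + request_auth + packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += alen
    return False   # no Message-Authenticator: reject rather than trust the MD5-only check


def decode(packet: bytes) -> dict:
    """Decodes the attributes this guide cares about into a dict for inspection."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        data = packet[pos + 2:pos + alen]
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            out[atype] = int.from_bytes(data[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            out[atype] = (data[1:] if data[0] <= 0x1F else data).decode()   # strip tag byte
        elif atype == ATTR_VENDOR_SPECIFIC:
            vid, vtype, vlen = struct.unpack("!IBB", data[:6])
            out[(vid, vtype)] = data[6:4 + vlen].decode()
        pos += alen
    return out


# Constructed sample values; "99" stands in for the guide's <holding VLAN>.
SECRET = b"ARBITER_PSK"
REQUEST_AUTH = bytes(range(16))
PORTAL_URL = b"https://acme-7f3-guest.arbiter.ie/"


def example_packet() -> bytes:
    return build_access_accept(7, REQUEST_AUTH, SECRET,
                               vlan_attrs("99") + vsa(WISPR_VENDOR_ID, WISPR_REDIRECTION_URL, PORTAL_URL))


if __name__ == "__main__":
    pkt = example_packet()
    print(decode(pkt), verify_response(pkt, REQUEST_AUTH, SECRET))
```

Flipping the VLAN string inside a captured Accept, or replaying it against a different Request Authenticator, makes verify_response() return False, which is the property the inner-hop Message-Authenticator gives you on models that do not send it themselves.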

DHCP relay to Edge

UDM/UXG gateways. Settings -> Networks -> edit network -> DHCP Mode: DHCP Relay.

DHCP Mode:    Relay
DHCP server:  10.0.0.5       # the DHCP server that hands out leases
Additional:   10.10.10.10    # Edge receives a copy of every relayed request
Additional:   10.10.10.11    # (same addresses as the RADIUS servers above)

AAA dead-server detection

Optional but recommended. UniFi exposes RADIUS retry / timeout / dead time on the profile. Configure so a server is declared dead after roughly 30 seconds across four attempts, then held dead for 3 minutes before it is retried. Until a server is declared dead, requests are still sent to it first, so an authentication can wait the full 4 x 8 s before the second server is tried; do not raise these values further.

RADIUS profile -> Advanced:
  Retry:     4         # 4 attempts before declaring dead
  Timeout:   8         # 8 s per attempt x 4 attempts = 32 s (~30 s overall)
  Dead time: 3         # minutes held dead before retry

CoA listener

Arbiter sends CoA and Disconnect requests to the UniFi device on UDP/3799 by default. Accepting them is enabled per RADIUS profile; without it, session changes (quarantine, VLAN move, logout) only take effect at the next re-authentication.

RADIUS profile -> Advanced -> Allow accounting CoA: enabled