Configuring WPA2 Enterprise with RADIUS on UniFi

I recently set up WPA2 Enterprise on our home UniFi network. WPA2 Enterprise (also known as WPA2-802.1X) offers several key advantages over WPA(2) Personal, the two main ones being that the client can authenticate the network it is joining (via the RADIUS server's TLS certificate) instead of trusting a passphrase everyone shares, and that each client (supplicant) gets its own credentials, which can be rotated or revoked individually.

The theory

802.1X is an IEEE standard for port-based network access control (PNAC) and uses the Extensible Authentication Protocol (EAP) to carry the authentication exchange. 802.1X works for both LAN and WLAN, so you can authenticate both Wi-Fi clients and Ethernet clients plugged into a switch on your network.

EAP itself is merely a framework and does not define any particular authentication method or encryption scheme. In my case, I am using PEAP-MSCHAPv2. PEAP is a separate standard, developed by Microsoft together with Cisco and RSA, which encapsulates EAP in a TLS tunnel, providing encryption and authentication of the server to the client. Inside PEAP, MSCHAPv2 performs the challenge-response handshake. MSCHAPv2 on its own is considered completely broken: its response is derived from the user's NT hash with DES, and a brute-force attack recovers that hash from a single captured handshake 100% of the time. This is acceptable only because the handshake happens inside the PEAP tunnel, and only if the supplicant actually validates the server certificate. A client that accepts any certificate will happily complete the MSCHAPv2 exchange with a rogue access point and hand over a crackable handshake. PEAP-MSCHAPv2 is the most popular and widely supported configuration, partly because Windows has supported it natively for a very long time.

802.1X defines three roles in the authentication process:

  • supplicant - the device that wants to connect to the network
  • authenticator - an access point or switch
  • authentication server - in our case, the FreeRADIUS server on the UniFi Security Gateway (USG)

The setup

The setup itself is relatively straightforward.

Configuring FreeRADIUS

The first step is to enable the RADIUS server in Settings > Gateway > RADIUS. The shared secret is never typed in by a user; it is only used between the authenticators (your access points and switches) and the RADIUS server, so there is no reason not to make it long and random. It is all that protects the RADIUS traffic on the wire between the AP and the USG, and a short secret can be brute-forced offline from a single captured request/response pair. Once enabled, you can create a new user. These are the credentials entered when connecting to the network. You can also set a VLAN ID for the user, so that when the user connects they are automatically placed into the correct VLAN. Make sure you enable RADIUS assigned VLAN IDs in Settings > Configuration Profiles > RADIUS.
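To see what the shared secret and the per-user VLAN actually look like on the wire, here is an added example (not from the original post and not UniFi's code; pure Python standard library, with every packet constructed in the code). It builds the Access-Accept a RADIUS server returns for a user assigned to VLAN 20, carrying the RFC 3580 attributes Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id = "20" (the same attribute names a FreeRADIUS users entry uses), shows how the access point verifies the response authenticator with the secret, and then recovers a deliberately weak secret by brute force from the captured request/accept pair. The identifier 7, the user alice, the fixed request authenticator and the secret "dog" are constructed values.

```python
"""Added example (not from the original post): how a RADIUS Access-Accept
carrying a VLAN assignment is tied to the shared secret, and why a short
secret is weak. Pure standard library; every packet is constructed here."""
import hashlib
import hmac
import itertools
import string
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME = 1
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6  # RFC 3580 section 3.31


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value RADIUS attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged(atype: int, value: bytes, tag: int = 0) -> bytes:
    """Tunnel-* attributes carry a leading tag octet (RFC 2868); 0 = untagged."""
    return attr(atype, bytes([tag]) + value)


def vlan_attrs(vlan_id: int) -> bytes:
    """The three attributes that tell an 802.1X authenticator which VLAN to use."""
    return (tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tagged(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))


def header(code: int, identifier: int, attrs: bytes) -> bytes:
    """Code, Identifier, Length; the 16-byte authenticator follows the header."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs))


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(header(code, identifier, attrs) + request_auth + attrs + secret).digest()


def build_request(identifier: int, request_auth: bytes, attrs: bytes) -> bytes:
    return header(ACCESS_REQUEST, identifier, attrs) + request_auth + attrs


def build_accept(identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    auth = response_authenticator(ACCESS_ACCEPT, identifier, attrs, request_auth, secret)
    return header(ACCESS_ACCEPT, identifier, attrs) + auth + attrs


def verify_accept(request: bytes, accept: bytes, secret: bytes) -> bool:
    """What the AP does: recompute the authenticator and compare in constant time."""
    expected = response_authenticator(accept[0], accept[1], accept[20:], request[4:20], secret)
    return hmac.compare_digest(expected, accept[4:20])


def parse_attrs(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def assigned_vlan(accept: bytes):
    """Return the VLAN ID carried in an Access-Accept, or None if absent/malformed."""
    a = parse_attrs(accept)
    if (a.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or a.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")):
        return None
    group_id = a.get(TUNNEL_PRIVATE_GROUP_ID)
    return int(group_id[1:]) if group_id else None


def brute_force_secret(request, accept, alphabet, max_len):
    """Offline attack on a captured request/accept pair: one MD5 per candidate secret."""
    for n in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=n):
            secret = "".join(cand).encode()
            if verify_accept(request, accept, secret):
                return secret
    return None


def demo():
    secret = b"dog"                  # constructed, deliberately weak
    request_auth = bytes(range(16))  # constructed; real ones are 16 random bytes
    request = build_request(7, request_auth, attr(USER_NAME, b"alice"))
    accept = build_accept(7, request_auth, vlan_attrs(20), secret)
    genuine = verify_accept(request, accept, secret)
    # an Access-Accept from someone who does not know the secret is rejected
    forged = build_accept(7, request_auth, vlan_attrs(1), b"wrong-secret")
    vlan = assigned_vlan(accept) if genuine else None
    recovered = brute_force_secret(request, accept, string.ascii_lowercase, 3)
    return genuine, verify_accept(request, forged, secret), vlan, recovered


if __name__ == "__main__":
    print(demo())
```

The brute force is nothing more than one MD5 per candidate, so a secret short enough to type from memory falls in seconds to anyone who can sniff the AP-to-USG segment. EAP exchanges additionally carry a Message-Authenticator attribute (HMAC-MD5, RFC 3579) keyed with the same secret, so the same offline attack applies to them.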

If you would like to install a custom TLS certificate for the RADIUS server, you can do so by uploading the certificate to /etc/freeradius/certs on the USG and restarting FreeRADIUS with service freeradius restart. Bear in mind that the USG's configuration is regenerated whenever the controller provisions it, so check that your certificate is still being served after a re-provision. The certificate only buys you anything if the supplicants are configured to trust the CA that issued it and to expect its name; a client that silently accepts any certificate is no better off than with the default one.
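The supplicant side of that trust decision is where PEAP-MSCHAPv2 deployments usually go wrong. As an added example (not from the original post, which used Apple devices), here is a wpa_supplicant network block in its weak form beside the hardened form; the SSID, identity, password, CA path and server name are all constructed placeholders. Apple clients express the same thing through the trust prompt on first connection or, in a configuration profile, the TLSTrustedServerNames key of the Wi-Fi payload.

```conf
# Weak: no ca_cert, so the supplicant accepts whatever certificate the
# network presents. An evil-twin AP running its own RADIUS server can
# terminate the PEAP tunnel and collect the MSCHAPv2 challenge/response
# for offline cracking.
network={
    ssid="Home-Enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
}

# Hardened: pin the CA that issued the RADIUS server certificate and
# require the expected server name, so only our RADIUS server can open
# the outer TLS tunnel. anonymous_identity keeps the real username out
# of the cleartext outer EAP-Identity exchange.
network={
    ssid="Home-Enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    password="correct horse battery staple"
    ca_cert="/etc/wpa_supplicant/home-radius-ca.pem"
    domain_suffix_match="radius.home.example"
    phase2="auth=MSCHAPV2"
}
```

A quick check after installing a custom certificate is to connect once with the hardened block: if the association fails, the certificate or its chain does not match what the supplicant was told to expect, which is exactly the failure you want a rogue AP to trigger.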

Creating the networks

This should be pretty self-explanatory. We create a new network with a VLAN ID, then create a Wi-Fi network with its security set to WPA Enterprise and pointed at our RADIUS profile.

Result

I have successfully connected my Mac, iPhone, Apple Watch, and HomePods. The Apple TV however, requires an MDM profile.

Leo Xiong

Just Another Fantastic Auckland living in Sydney.
Sydney, Australia