yet another it blog

802.1x authentication with Unifi controller and Ubiquiti access points

Ubiquiti Logo

Ubiquiti seems to be common hardware around homelab users on reddit.

I also decided to go with Ubiquiti some years ago as I were interested on the enterprise grade hardware and software they offer for marginal price compared to big vendors like HP, Ruckus, Cisco Meraki etc…

I have also used Ubiquiti on customer installations to provide reliable and cost effective wireless network infrastructure.

As I already do have PKI infrastructure set up on my lab I decided to make one SSID available to test workstations and use certificate based authentication.

This guide assumes you already have computer and user certificates enrolled.

Let’s start with network policy server role installation for RADIUS clients.

NPS Role installation

After NPS role is installed we can continue setting up RADIUS. You should already have computer certificate enrolled to server where you installed NPS role. I am using computer certificate auto enrollment for all my servers and workstations on LAB domain, and have this policy defined in default domain policy.

Start Network Policy Server management under Windows Administrative Tools

Start Menu NPS

We start by adding new RADIUS client to the network policy server.

I named this Unifi-Controller. Use IP-Address of the controller.

Type in a shared secret, we will use this later when we setup Unifi controller.

NPS Shared secret

Then let’s create new connection request policy. I named mine RP-Ubiquiti.

Leave type as Unspecified and click next.

Connection request policy

Under conditions add new condition as NAS Port Type and set value as Wireless IEEE 802.11

Leave rest of the settings as default.


Now let’s create network policy setting. Again I named mine as NP-Ubiquiti.

Leave type as unspecified and click next.

Policy name

Next we will add some conditions.

I am using windows group to define users who should have access to WLAN.

Also add NAS Port Type Wireless IEEE 802.11 as with connection request policy


On next page leave specify access permission as access granted.

Under authentication methods clear all settings and on EAP types click on Add

Select Microsoft smart card or other certificate

Authentication method

Select EAP type we just selected and click on edit.

Authentication methods

Select computer certificate that has been enrolled to the NPS machine and click on OK.

Authentication methods certificate select

That’s it for the network policy server. Now let’s change some settings on Unifi controller.

Log-in to Unifi controller and create new RADIUS profile under profiles.

Fill-in policy server address and same shared secret we used on client settings.

Select enable accounting and fill-in details as you did for auth server.

Ubiquiti RADIUS profile

Next let’s create new Wireless network or edit existing one.

Select WPA Enterprise as security type and for radius profile select profile we created on last step.

Ubiquiti RADIUS profile

Thats it for Unifi. Now let’s try to connect with user certificate.

On workstation select the network and instead of using username/password click on Connect using a certificate.

Connecting to certificate based WLAN

On network policy server we can see user successfully granted access to network.

NPS Eventlog Tagged , , , ,

8 thoughts on “802.1x authentication with Unifi controller and Ubiquiti access points

  • Hi,
    Did it mean we have to setup AD first? Or we have to had AD first?


  • hello,

    what is with private phones? they dont trust my internal certificate. so how to get them into the system without a certificate warning?


    1. Hi,

      You would need to use MDM to deploy certificates to mobile devices.
      As connecting phones are private I strongly recommend creating separate guest network with own PSK secured SSID.

    1. Depends on use case. On shared computers computer certificates and on assigned devices I prefer user certificates. Mostly it has been user certs. Devices are normally connected to docks and wired connection and connect automatically with user certificate to WiFi when in meeting rooms etc.

  • Hello,

    Just wondered if it would make sense not to auto enroll certificates to clients ( so that we can have control over which computers will be able to connect ) to prevent unauthorized access even user credentials are exposed? ( ok there is a trade off of manual certification at client computers but in case we ignore that )

Leave a Reply

Your email address will not be published. Required fields are marked *