UniFi / Ubiquiti setup

Setting up Ubiquiti RADIUS with Foxpass

Ubiquiti access points are not compatible with EAP-TTLS (name/password auth) when the password check is delegated to a third party (e.g. Google Workspace, Azure AD/Entra ID, Okta, etc.). Please ask Ubiquiti to add support for a configurable RADIUS timeout: the default of 1 second is not enough time.

We have heard that UniFi 6 and 7 might have a longer timeout, but we have not confirmed this.

Many Foxpass customers use wireless access products by Ubiquiti. You are in good hands.

The Ubiquiti setup is very straightforward.

1. Set your Foxpass password

In Foxpass, go to the "Password" settings page and enter a password.

2. Create a "RADIUS Client" entry on Foxpass

Visit this page: https://console.foxpass.com/settings/radius/. Create a RADIUS client for this site's public IP address.

Note: Please provide the public IP address where traffic from the access points will egress.

Note the secret that was generated.

Then click on the "RADIUS Servers" tab on that page and note our RADIUS IP addresses (EAP-TTLS at the top, EAP-TLS at the bottom) and the "secret" that was created for that entry.

3. Create a RADIUS profile

In your Ubiquiti settings, go to "Profiles".

Click "Create new" under "RADIUS".

  • Name: Foxpass RADIUS
  • Enable Wireless Networks
  • Authentication Servers - IP Address: (from above step), Port: 1812, Password/Shared Secret: (from above step). Click Add.
  • Add a second Foxpass RADIUS server IP address. Same shared secret and port.
  • Click "Apply Changes"
RADIUS Profile

Access points will reboot after step 4.

Consider whether this is the best time to have your access points reboot en masse.

4. Create a test SSID

In your Ubiquiti settings, go to Settings > WiFi.

  • Name/SSID: Foxpass
  • Click Manual for the "Advanced" option.
Configure WiFi Network

  • Security Protocol - WPA2 Enterprise or WPA3 Enterprise depending on your use case.
  • RADIUS profile - Select the Foxpass RADIUS profile configured earlier in Step 3.
  • Click Add WiFi Network.
Add WiFi Network

5. Try it out

For an EAP-TTLS connection on your device, select and follow the appropriate documentation link under Wi-Fi connections, then try to connect.

Download Config

  • Click on the SSID that you configured in Ubiquiti.
Connect to Network

  • Connect to your new network, enter your username and password, and click OK.
Enter Credentials

  • You will be connected to your network and you can see successful/unsuccessful logs on the RADIUS logs page.
RADIUS logs

For an EAP-TLS connection on your device, select and follow the appropriate documentation link under EAP-TLS, then try to connect.


Known Issues

  1. UniFi devices can exhibit instability when multiple RADIUS server IP addresses are configured. This includes strange behavior and performance issues due to timeouts and server switching. You can configure UniFi devices with a single RADIUS server IP address to ensure stable performance.
  2. Typically UniFi defaults to 2 seconds for RADIUS timeouts and retries three times, leading to increased connection instability and latency.

Troubleshooting Steps

  • Verify RADIUS Client Entry: Ensure the RADIUS client is correctly created on the RADIUS settings page in Foxpass with the proper public IP address.
  • Check RADIUS Server Configuration: Confirm the RADIUS server IP addresses and secrets are accurately configured in the UniFi dashboard. Make sure the addresses were correctly noted from the RADIUS Settings page: the RADIUS Servers for EAP-TTLS, and the EAP-TLS enabled RADIUS Servers for EAP-TLS.
  • Check RADIUS logs page for any errors.
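
One way to check the first two troubleshooting items from the site's own network, as an added example that is not Foxpass or Ubiquiti code: a probe that sends a signed Access-Request to port 1812 and times the reply against the 2 second, three-try behaviour listed under Known Issues. The function names are hypothetical, and it assumes the server answers an EAP identity probe with an Access-Challenge; RADIUS servers silently drop requests from unregistered client IPs or with a wrong shared secret, so both show up here as timeouts.

```python
import hashlib, hmac, os, socket, struct, time

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types

def attr(t, v):
    return bytes([t, len(v) + 2]) + v

def build_probe(secret: bytes, identity: bytes, pkt_id: int, req_auth: bytes) -> bytes:
    """Access-Request (code 1) carrying an EAP-Response/Identity, no password."""
    # EAP header: code 2 (Response), identifier, length, type 1 (Identity)
    eap = struct.pack("!BBHB", 2, pkt_id, 5 + len(identity), 1) + identity
    attrs = attr(USER_NAME, identity) + attr(EAP_MESSAGE, eap)
    length = 20 + len(attrs) + 18  # header + attributes + Message-Authenticator
    header = struct.pack("!BBH", 1, pkt_id, length) + req_auth
    # Message-Authenticator: HMAC-MD5 over the packet with its own value zeroed
    unsigned = header + attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(code+id+length+RequestAuth+attrs+secret)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(server, secret, identity=b"probe", port=1812, timeout=2.0, tries=3):
    """Return (reply code, seconds to reply), or (None, None) if every try fails.

    Defaults mirror the timeout and retry count from Known Issues; replies that
    do not verify against the shared secret are ignored.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for n in range(tries):
            req_auth = os.urandom(16)
            s.sendto(build_probe(secret, identity, n, req_auth), (server, port))
            start = time.monotonic()
            try:
                reply, _ = s.recvfrom(4096)
            except socket.timeout:
                continue
            if reply_is_authentic(reply, req_auth, secret):
                return reply[0], time.monotonic() - start
    return None, None
```

Run `probe("<RADIUS server IP>", b"<shared secret>")` from behind the public IP registered as the RADIUS client; a reply code of 11 (Access-Challenge) confirms the client entry and secret, and the elapsed time shows how much of the access point's timeout the first round trip uses.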