Wi-Fi employee access – Ubiquiti

In this topic, you will learn how to configure Ubiquiti access points to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Wi-Fi connections.

Important: This guide provides general instructions for integrating Portnox Cloud with specific third-party devices. While we aim to provide helpful examples for commonly used models, configurations may vary across manufacturers, models, and environments. As a result, we cannot guarantee that these steps will work in every scenario. For questions or issues related to RADIUS setup – which is an industry standard and not specific to Portnox – or device-specific settings and troubleshooting, we recommend consulting the device manufacturer’s documentation and contacting their support team. While Portnox Support is happy to assist where possible, please note that detailed configuration of third-party devices is typically best handled by the manufacturer.

Create a RADIUS profile

In this section, you will create a RADIUS profile for Portnox™ Cloud RADIUS servers. You can then apply this profile to Wi-Fi configurations and Ethernet port profiles.

  1. In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options:  ⚙  > Profiles.

  2. In the right-hand side pane, click on the RADIUS tab, and then click on the Create New link to create a new RADIUS profile.

  3. Configure the new RADIUS profile:

    1. In the Name field, enter a name for this profile.
      Note: You will use this name when assigning the profile to Wi-Fi configurations and port profiles.
    2. In the RADIUS Assigned VLAN Support section, activate the Enable checkboxes for Wired Networks and Wireless Networks.
      Note: If you intend to use this RADIUS profile with only one type of network, you can activate just one of these checkboxes.
    3. In the IP Address field, enter the IP address of the Portnox Cloud RADIUS server that you created earlier, in the Port field, enter the authentication port for this RADIUS server, and in the Shared Secret field, enter the shared secret for this server. Then, click on the Add button.
      Note: The Cloud RADIUS IP, the Authentication port, and the Shared Secret are all displayed after you create the Cloud RADIUS server.
    4. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.
    5. Activate the Accounting Servers checkbox.
    6. Repeat the above steps in the RADIUS Accounting Servers section, entering the same IP address and shared secret, and the Accounting port number from your Cloud RADIUS server configuration (for one or two servers, depending on your configuration).
Note: If you want to use RadSec to connect to Portnox Cloud RADIUS servers, modify the above configuration according to the instructions in the section Optional: Create a RadSec profile.

Optional: Create a RadSec profile

This is an optional task that modifies the previous task. Follow this task only if you want to connect to Portnox Cloud RADIUS servers using RadSec. Skip this task if you want to connect to Portnox Cloud RADIUS servers without RadSec.

  1. Install OpenSSL on your personal computer.

    OpenSSL is an open-source cryptography toolkit. You will use its command-line tool to convert the certificates into formats that Ubiquiti devices can read.

    • Windows: Download the relevant installation package from the Shining Light Productions website. For example, Win64 OpenSSL Light for Windows 64-bit systems. Then, follow the installer steps to install the package.
    • macOS: Install HomeBrew. Then, execute the command in Terminal:
      brew install openssl
    • Ubuntu:
      sudo apt install openssl libssl-dev
    • RedHat:
      sudo dnf install openssl openssl-devel
      or
      sudo yum install openssl openssl-devel
  2. Follow the steps in this section to download and install the self-onboarding certificate: Download and install the certificate.
    Note: After you download the certificate, you do not need to install it. Take note of the location where you downloaded the certificate.
  3. Follow the steps in this section to download the Cloud RADIUS root CA certificate: Download the root CA certificate from Portnox Cloud.
  4. Use OpenSSL to extract the private key and the client certificate from the self-onboarding certificate:

    Type the following commands in the Windows command line window or the macOS/Linux Terminal window:

    openssl pkcs12 -in self-onboarding-certificate.p12 -clcerts -nokeys -out clientCertificate.crt
    openssl pkcs12 -in self-onboarding-certificate.p12 -nocerts -nodes -out privateKey.pem

    When asked for an import password, press the Enter key (empty password).

    Note: On Windows, you may need to first change the directory to the installation directory of OpenSSL: C:\Program Files\OpenSSL-Win64\bin.
    Note: We recommend that you open the extracted files in a text editor of your choice and remove all of the content before the -----BEGIN CERTIFICATE----- line.
  5. Use OpenSSL to convert the root CA certificate into the Base64-encoded X.509 format:

    Type the following command in the Windows command line window or the macOS/Linux Terminal window:

    openssl x509 -in rootCertificate.cer -inform der -out rootCertificate.crt -outform pem
  6. In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options:  ⚙  > Profiles.

  7. In the right-hand side pane, click on the RADIUS tab, and then click on the Create New link to create a new RADIUS profile.

  8. Configure the new RADIUS profile:

    1. In the Name field, enter a name for this profile.
      Note: You will use this name when assigning the profile to Wi-Fi configurations and port profiles.
    2. In the RADIUS Assigned VLAN Support section, activate the Enable checkboxes for Wired Networks and Wireless Networks.
      Note: If you intend to use this RADIUS profile with only one type of network, you can activate just one of these checkboxes.
    3. Activate the TLS checkbox.
    4. In the Client Certificate section, click on the Upload link and upload the client certificate that you prepared earlier (for example, clientCertificate.crt).
    5. In the Private Key section, click on the Upload link and upload the private key that you prepared earlier (for example, privateKey.pem). Leave the field Private Key Password empty.
    6. In the CA Certificate section, click on the Upload link and upload the root CA certificate that you prepared earlier (for example, rootCertificate.crt).
    7. In the IP Address field, enter the IP address of the Portnox Cloud RADIUS server that you created earlier, in the Port field, enter the authentication port for this RADIUS server, and in the Shared Secret field, enter the string radsec (not the actual shared secret). Then, click on the Add button.
      Note: The Cloud RADIUS IP, the Authentication port, and the Shared Secret are all displayed after you create the Cloud RADIUS server.
    8. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.
    9. Activate the Accounting Servers checkbox.
    10. Repeat the above steps in the RADIUS Accounting Servers section, entering the same IP address and string radsec as the shared secret, and the Accounting port number from your Cloud RADIUS server configuration (for one or two servers, depending on your configuration).
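
Before uploading the files produced in steps 4 and 5, you can check them with the following script for the macOS/Linux Terminal. This is an added example, not part of the Portnox or Ubiquiti documentation. It confirms that each file starts with a PEM BEGIN line, that the private key belongs to the client certificate, and that the certificates have not expired. The function names are illustrative; the file names in the usage line are the examples used on this page.

```sh
#!/bin/sh
# Added example: pre-upload checks for the RadSec files from steps 4 and 5.
# Usage: sh check-radsec.sh clientCertificate.crt privateKey.pem rootCertificate.crt

# Print only the PEM blocks of a file, dropping the "Bag Attributes" preamble
# that `openssl pkcs12` writes before each BEGIN line.
strip_bag_attributes() {
    awk '/^-----BEGIN /{p=1} p{print} /^-----END /{p=0}' "$1"
}

# True if the first line is a PEM BEGIN marker (no preamble, not a DER file).
starts_with_pem() {
    head -n 1 "$1" | grep -q '^-----BEGIN '
}

# True if the private key ($2) belongs to the certificate ($1):
# both must yield the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Check the three files: client certificate, private key, root CA certificate.
check_radsec_bundle() {
    rc=0
    for f in "$1" "$2" "$3"; do
        starts_with_pem "$f" ||
            { echo "FAIL: $f does not start with a PEM BEGIN line"; rc=1; }
    done
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 is not the private key for $1"; rc=1; }
    for c in "$1" "$3"; do
        openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1 ||
            { echo "FAIL: $c is expired or unreadable"; rc=1; }
    done
    # The key was exported with -nodes, so it is unencrypted on disk:
    # restrict it to the current user.
    chmod 600 "$2"
    [ "$rc" -eq 0 ] && echo "OK: files are consistent"
    return "$rc"
}

if [ "$#" -eq 3 ]; then
    check_radsec_bundle "$@"
fi
```

If a file fails the first check because of a Bag Attributes preamble, write a cleaned copy with strip_bag_attributes and upload that copy. Delete privateKey.pem from your computer once the upload is complete.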

Create a Wi-Fi configuration for the 802.1X network

In this section, you will create a configuration for a Wi-Fi network with WPA2 Enterprise authentication (802.1X) and assign the RADIUS profile to this network.

Note: In this example, we used an unprotected Wi-Fi configuration for SSID DD8C19, as well as a working network configuration called VORLON.
  1. In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options:  ⚙  > WiFi.

  2. In the right-hand side pane, click on the Create New link to create a new Wi-Fi configuration.

  3. Complete the new Wi-Fi configuration:
    1. In the Advanced section, click on the Manual option. This will cause some of the fields to change and other fields to become active.

    2. In the Name field, enter the SSID for the new network.

    3. In the Network field, select your existing network configuration.

      Note: You can use the same network that was configured for your non-secured Wi-Fi. After testing the secured Wi-Fi configuration, you can delete the non-secured Wi-Fi configuration.
    4. In the Security Protocol field, select the WPA2 Enterprise option.

    5. In the RADIUS Profile field, select the name of the RADIUS profile that you created earlier for connection to Portnox Cloud RADIUS servers.

      Note: If you want this connection to use RadSec, select the RadSec profile that you created earlier.
    6. Configure any other fields as required for your environment, and then click on the Add WiFi Network button to add the new Wi-Fi configuration.

Result: Your Wi-Fi devices can now access the protected Wi-Fi network, using the Portnox Cloud RADIUS servers for authentication.