Wired access – Ubiquiti

In this topic, you will learn how to configure Ubiquiti switch ports to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Warning: We tested this configuration on a Ubiquiti Dream Router and the Ubiquiti USW-Lite-8-PoE switch, but we cannot guarantee that it will cover every Ubiquiti product and version. Also, the configuration is generic and may not fit every single environment. Therefore, to get the most accurate and current configuration guidance on 802.1X configuration, we strongly recommend that you refer to the documentation provided by Ubiquiti on these topics for your particular device models.

Create a RADIUS profile

In this section, you will create a RADIUS profile for Portnox™ Cloud RADIUS servers. You can then apply this profile to Wi-Fi configurations and Ethernet port profiles.

  1. In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options:  ⚙  > Profiles.

  2. In the right-hand side pane, click on the RADIUS tab, and then click on the Create New link to create a new RADIUS profile.

  3. Configure the new RADIUS profile:

    1. In the Name field, enter a name for this profile.
      Note: You will use this name when assigning the profile to Wi-Fi configurations and port profiles.
    2. In the RADIUS Assigned VLAN Support section, activate the Enable checkboxes for Wired Networks and Wireless Networks.
      Note: If you intend to use this RADIUS profile with only one type of network, you can activate just one of these checkboxes.
    3. In the RADIUS Settings > Authentication Servers section, in the IP Address field, enter the IP address of the Portnox Cloud RADIUS server that you created earlier. In the Port field, enter the authentication port for this RADIUS server, and in the Shared Secret field, enter the shared secret for this server. Then, click on the Add button.
      Note: The Cloud RADIUS IP, the Authentication port, and the Shared Secret are all displayed after you create the Cloud RADIUS server.
    4. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.
    5. Activate the Enable checkbox next to the Accounting label.
    6. Repeat the above steps in the RADIUS Accounting Servers section, entering the same IP address and shared secret, and the Accounting port number from your Cloud RADIUS server configuration (for one or two servers, depending on your configuration).

Create or edit a network configuration

In this section, you will create or edit a configuration for a network with 802.1X authentication and assign the RADIUS profile to this network.

  1. In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options:  ⚙  > Networks.

  2. In the right-hand side pane, in the Global Switch Settings section, activate the 802.1X Control checkbox. In the RADIUS Profile field, select the RADIUS profile that you just created, and optionally, in the Fallback VLAN field, select a network (if you have one) for devices that fail RADIUS authentication. Then, click on the Apply Changes button.

    In this example, we used a VORLON network for devices that successfully authenticate with RADIUS and a QUARANTINE network for devices that fail RADIUS authentication.
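The RADIUS Assigned VLAN Support setting in the RADIUS profile and the Fallback VLAN setting above rely on the switch trusting the RADIUS reply and reading the VLAN from its Tunnel attributes (RFC 2865 Response Authenticator, RFC 3580 VLAN attributes). The following added example, which is not part of this page or of any Ubiquiti or Portnox software, shows that decision logic on constructed sample replies; the shared secret, packet identifiers and VLAN values are made up, and it assumes that an Access-Accept without VLAN attributes leaves the port on its own configured network.

```python
import hashlib
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = b"\x00\x00\x0d", b"\x00\x00\x06"   # 3-byte values that follow the tag byte

def _tagged(attr_type, value):
    """RFC 2868 tagged attribute: Type, Length, Tag (0 = untagged), Value."""
    body = b"\x00" + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body

def build_reply(code, ident, req_auth, secret, vlan=None):
    """Constructed sample reply; an Access-Accept may carry an RFC 3580 VLAN assignment."""
    attrs = b""
    if code == ACCESS_ACCEPT and vlan is not None:
        attrs = (_tagged(TUNNEL_TYPE, VLAN) + _tagged(TUNNEL_MEDIUM_TYPE, IEEE_802)
                 + _tagged(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def assigned_vlan(packet, req_auth, secret, fallback_vlan):
    """VLAN the port should apply: the assigned one, the fallback on reject, or None."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    if hashlib.md5(packet[:4] + req_auth + attrs + secret).digest() != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered reply")
    if code != ACCESS_ACCEPT:
        return fallback_vlan            # failed authentication: use the Fallback VLAN network
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute")
        found[attr_type] = attrs[pos + 2:pos + attr_len]
        pos += attr_len
    if (found.get(TUNNEL_TYPE, b"")[1:] == VLAN
            and found.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == IEEE_802
            and TUNNEL_PRIVATE_GROUP_ID in found):
        vid = found[TUNNEL_PRIVATE_GROUP_ID][1:].decode()
        return int(vid) if vid.isdigit() else vid
    return None                         # accepted without a VLAN: assumed port keeps its own network

# Constructed sample exchange (not real Portnox Cloud values)
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
ACCEPT = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET, vlan=100)
REJECT = build_reply(ACCESS_REJECT, 8, REQ_AUTH, SECRET)
```

A reply that fails the authenticator check is discarded rather than mapped to any network, which is why a wrong shared secret in the profile shows up as clients landing nowhere instead of on the fallback network.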

Create a port profile for 802.1X authentication

In this section, you will create a profile for Ethernet ports with 802.1X authentication. You can later assign this port profile to specific switch ports.

  1. In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options:  ⚙  > Profiles.

  2. In the right-hand side pane, in the Ethernet Ports tab (active by default), click on the Create New link to create a new port profile.

  3. In the New Ethernet Port Profile pane, enter the name for this port profile, then click on the Manual option in the Advanced section to activate manual configuration, and select the Auto option in the 802.1X Control field. Then, configure other fields as required for your environment, and click on the Add button.

    Note: Options available in the 802.1X Control field are:
    • Force Authorized: Every client is treated as authenticated. Effectively, this means no authentication at all.

    • Force Unauthorized: Every client is treated as unauthenticated. Effectively, this means that no client can connect to this port.

    • MAC-Based: The switch fakes an 802.1X challenge for clients, allowing clients without 802.1X support to connect using MAC address bypass authentication.

    • Auto: The port requires clients to authenticate using the 802.1X protocol.

Create a port profile for MAC address bypass (MAB) authentication

In this section, you will create a profile for Ethernet ports with MAC address bypass (MAB) authentication. You can later assign this port profile to specific switch ports.

Note: You only need to create a port profile for MAB authentication if you intend to authenticate IoT devices using Portnox Cloud MAC-based accounts.

  1. In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options:  ⚙  > Profiles.

  2. In the right-hand side pane, in the Ethernet Ports tab (active by default), click on the Create New link to create a new port profile.

  3. In the New Ethernet Port Profile pane, enter the name for this port profile, then click on the Manual option in the Advanced section to activate manual configuration, and select the MAC-Based option in the 802.1X Control field. Then, configure other fields as required for your environment, and click on the Add button.

Assign a port profile to a switch port

In this section, you will assign a port profile to a specific port on your switch.

  1. In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the Ports menu option and in the top-left corner of the right-hand side pane, select the switch that you want to configure. Then, click on the port that you want to configure.
    Note: In the following screenshot, we already have port 1 connected to the router and port 2 configured for 802.1X access.

    Important: In this example, we used the USW-Lite-8-PoE switch. However, not all Ubiquiti devices support port-based 802.1X authentication. For example, the Dream Router does not support wired 802.1X authentication for its Ethernet ports. Make sure that your selected Ubiquiti device supports port-based 802.1X authentication. If unsure, consult Ubiquiti documentation or contact your Ubiquiti sales or support representative.
  2. In the port configuration pane, scroll down to the Ethernet Port Profile field, and activate the checkbox. Then, select the port profile that you created earlier.

    Note: In this example, we selected the profile for 802.1X authentication but you can also assign the MAC address bypass profile to a port (if you created one).
  3. Configure other fields as required for your environment and click on the Apply Changes button.