Network device onboarding

Ubiquiti UniFi

UDM / Cloud Key / Network Application

Applies to: UniFi is controller-managed. RADIUS profiles are configured once in the UniFi Network Application and then attached to switch profiles and SSIDs. Examples use the UI paths from Network 8.x. As of Network 8.x, UniFi supports CoA, but Message-Authenticator is not supported on every model; the Edge injects Message-Authenticator on the inner hop, so this is not a blocker.

Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.

For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.

Wired: RADIUS server, 802.1X and MAB

Settings -> Profiles -> RADIUS -> Create new RADIUS profile.

Profile name:        Arbiter
Wireless network:    (leave default)
Authentication servers:
  IP: 10.10.10.10  Port: 1812  Secret: ARBITER_PSK
  IP: 10.10.10.11  Port: 1812  Secret: ARBITER_PSK
Accounting servers:  (mirror the auth servers, port 1813)
Accounting interval: 600
Update on:           Accounting (so re-auth attributes apply)

RADIUS-assigned VLAN for wired: enabled

Switch port profile:
  Settings -> Profiles -> Switch ports -> New port profile
  Name: Arbiter 802.1X
  PoE: as needed
  802.1X control: Auto
  802.1X MAB fallback: enabled
  RADIUS profile: Arbiter

Wireless: 802.1X SSID

Settings -> WiFi -> Create new network -> WPA Enterprise.

SSID name:           Corp
Network:             Corp VLAN
Security:            WPA2 Enterprise
RADIUS profile:      Arbiter
Advanced -> RADIUS MAC authentication: off (for 802.1X SSID)
Advanced -> VLAN override (RADIUS):  on

Guest SSID: open with captive portal redirect

UniFi has its own guest portal feature, but to keep Arbiter the source of truth, use an open SSID with RADIUS MAC authentication and the Arbiter-hosted portal in the walled garden.

SSID name:           Guest
Security:            Open
RADIUS MAC authentication: enabled  ->  Profile: Arbiter
MAC auth format:     aabbccddeeff (lowercase, no separators)

Settings -> Guest control -> Pre-authorisation access:
  acme-7f3-guest.arbiter.ie

Arbiter returns on the MAB Access-Accept:
  Tunnel-Private-Group-Id = <holding VLAN>
  WISPr-Redirection-URL    = https://acme-7f3-guest.arbiter.ie/
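
To confirm the policy outcome rather than just reachability, the Python below (an added example, not Arbiter or Ubiquiti code) parses a captured Access-Accept and checks that both attributes listed above are present. The sample packet, the VLAN value 90 and the function names are constructed for illustration; the WISPr vendor ID 14122 and sub-attribute 4 are the standard WISPr dictionary values, not taken from this page.

```python
import struct

WISPR_VENDOR_ID = 14122        # WISPr enterprise number (standard dictionary value)
WISPR_REDIRECTION_URL = 4      # WISPr-Redirection-URL sub-attribute
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868
VENDOR_SPECIFIC = 26           # RFC 2865
ACCESS_ACCEPT = 2

def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_sample_accept(vlan, url):
    """Constructed Access-Accept for offline testing; the authenticator is zeroed."""
    vsa = struct.pack("!I", WISPR_VENDOR_ID) + _attr(WISPR_REDIRECTION_URL, url.encode())
    attrs = _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + vlan.encode()) + _attr(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(attrs), bytes(16)) + attrs

def parse_guest_accept(packet):
    """Return {'vlan', 'redirect_url'} from an Access-Accept, or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Accept")
    out, pos = {"vlan": None, "redirect_url": None}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet <= 0x1F is treated as the RFC 2868 tag, not VLAN text.
            out["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == WISPR_VENDOR_ID and vtype == WISPR_REDIRECTION_URL and 2 <= vlen <= len(value) - 4:
                out["redirect_url"] = value[6:4 + vlen].decode()
        pos += alen
    return out

def check_guest_policy(packet, expected_host):
    """True only if a holding VLAN and an https redirect to expected_host are both present."""
    result = parse_guest_accept(packet)
    url = result["redirect_url"] or ""
    return bool(result["vlan"]) and url.startswith("https://" + expected_host + "/")
```

Feed it the RADIUS payload bytes of an Access-Accept from a packet capture on the Edge-facing interface; a False result means the guest would land without a holding VLAN or without the Arbiter redirect.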

DHCP relay to Edge

UDM/UXG gateways. Settings -> Networks -> edit network -> DHCP Mode: DHCP Relay.

DHCP Mode:    Relay
DHCP server:  10.0.0.5
Additional:   10.10.10.10
Additional:   10.10.10.11

AAA dead-server detection

Optional but recommended. UniFi exposes RADIUS retry / timeout / dead time on the profile. The RADIUS target is a local Edge appliance on your LAN, so keep it tight: a server is declared dead after roughly 5 seconds across a couple of attempts, then held dead briefly before retrying.

RADIUS profile -> Advanced:
  Retry:     2         # attempts before declaring dead
  Timeout:   2         # ~5s overall across the attempts
  Dead time: 1         # minute held dead before retry

CoA listener

UDP/3799 by default. Enabled on the RADIUS profile.

RADIUS profile -> Advanced -> Allow accounting CoA: enabled

Notes

  • WISPr-Redirection-URL is the most portable redirect attribute across UniFi firmware versions; Arbiter prefers it for UniFi MAB redirects.
  • Some older UniFi switch models do not honour RADIUS-assigned VLANs reliably; check Ubiquiti's compatibility matrix before relying on dynamic VLAN on switch ports.

Verify the integration

Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.

Need help?

Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.
