Ubiquiti UniFi
UDM / Cloud Key / Network Application
Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.
For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.
Wired: RADIUS server, 802.1X and MAB
Settings -> Profiles -> RADIUS -> Create new RADIUS profile.
Profile name: Arbiter
Wireless network: (leave default)
Authentication servers:
IP: 10.10.10.10 Port: 1812 Secret: ARBITER_PSK
IP: 10.10.10.11 Port: 1812 Secret: ARBITER_PSK
Accounting servers: (mirror the auth servers, port 1813)
Accounting interval: 600
Update on: Accounting (so re-auth attributes apply)
RADIUS-assigned VLAN for wired: enabled
Switch port profile:
Settings -> Profiles -> Switch ports -> New port profile
Name: Arbiter 802.1X
PoE: as needed
802.1X control: Auto
802.1X MAB fallback: enabled
RADIUS profile: Arbiter
Wireless: 802.1X SSID
Settings -> WiFi -> Create new network -> WPA Enterprise.
SSID name: Corp
Network: Corp VLAN
Security: WPA2 Enterprise
RADIUS profile: Arbiter
Advanced -> RADIUS MAC authentication: off (for 802.1X SSID)
Advanced -> VLAN override (RADIUS): on
Guest SSID: open with captive portal redirect
UniFi has its own guest portal feature, but to keep Arbiter the source of truth, use an open SSID with RADIUS MAC authentication and the Arbiter-hosted portal in the walled garden.
SSID name: Guest
Security: Open
RADIUS MAC authentication: enabled -> Profile: Arbiter
MAC auth format: aabbccddeeff (lowercase, no separators)
Settings -> Guest control -> Pre-authorisation access:
acme-7f3-guest.arbiter.ie
Arbiter returns on the MAB Access-Accept:
Tunnel-Private-Group-Id = <holding VLAN>
WISPr-Redirection-URL = https://acme-7f3-guest.arbiter.ie/
DHCP relay to Edge
UDM/UXG gateways. Settings -> Networks -> edit network -> DHCP Mode: DHCP Relay.
DHCP Mode: Relay
DHCP server: 10.0.0.5
Additional: 10.10.10.10
Additional: 10.10.10.11
AAA dead-server detection
Optional but recommended. UniFi exposes RADIUS retry / timeout / dead time on the profile. The RADIUS target is a local Edge appliance on your LAN, so keep it tight: a server is declared dead after roughly 5 seconds across a couple of attempts, then held dead briefly before retrying.
RADIUS profile -> Advanced:
Retry: 2 # attempts before declaring dead
Timeout: 2 # ~5s overall across the attempts
Dead time: 1 # minute held dead before retry
CoA listener
UDP/3799 by default. Enabled on the RADIUS profile.
RADIUS profile -> Advanced -> Allow accounting CoA: enabled
Notes
- WISPr-Redirection-URL is the most portable redirect attribute across UniFi firmware versions; Arbiter prefers it for UniFi MAB redirects.
- Some older UniFi switch models do not honour RADIUS-assigned VLANs reliably; check Ubiquiti's compatibility matrix before relying on dynamic VLAN on switch ports.
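To check what a guest MAB Access-Accept actually carries, the sketch below verifies the Response Authenticator against the shared secret and decodes Tunnel-Private-Group-Id and WISPr-Redirection-URL. It is an added example, not Arbiter or Ubiquiti code. Assumptions: the function names are hypothetical, and the sample packet, its holding VLAN of 999 and the request authenticator are constructed for illustration.

```python
import hashlib
import hmac
import struct

WISPR_VENDOR_ID = 14122        # WISPr enterprise number used in the VSA
WISPR_REDIRECTION_URL = 4      # vendor sub-type of WISPr-Redirection-URL
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868
VENDOR_SPECIFIC = 26


def parse_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Verify the Response Authenticator, then return VLAN and redirect URL."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret?)")
    result = {"vlan": None, "redirect_url": None}
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        value = packet[pos + 2:pos + alen]
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x1F or below is an RFC 2868 tag, not VLAN text.
            if value and value[0] <= 0x1F:
                value = value[1:]
            result["vlan"] = value.decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (WISPR_VENDOR_ID, WISPR_REDIRECTION_URL):
                result["redirect_url"] = value[6:4 + vlen].decode()
        pos += alen
    return result


def build_sample_accept(request_auth: bytes, secret: bytes) -> bytes:
    """Constructed Access-Accept carrying the two attributes from this page."""
    url = b"https://acme-7f3-guest.arbiter.ie/"
    vlan = b"\x01" + b"999"    # tag 1 + constructed holding VLAN
    attrs = bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(vlan)]) + vlan
    vsa = struct.pack("!IBB", WISPR_VENDOR_ID, WISPR_REDIRECTION_URL, 2 + len(url)) + url
    attrs += bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", 2, 7, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs
```

Feed parse_access_accept the raw UDP payload of a captured reply together with the 16-byte authenticator from the matching Access-Request; a mismatch error usually means the secret on the RADIUS profile differs from the tenant PSK.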
Verify the integration
Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.
Need help?
Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.