How to configure 802.1X authentication on Ubiquiti access points (through UniFi) using Cloudi-Fi as the RADIUS provider.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Cloudi-Fi Radius IPs and Secret
- Access to UniFi dashboard.
- Knowledge of your network’s IP addressing scheme.
- Access to your firewall to allow several ports:
| Source | Destination | Port | Protocol | Action | Comment |
| 802.1x subnet | Cloudi-Fi IPs | 1815 | UDP | Allow | RADIUS traffic |
| 802.1x subnet | Any | 80 | TCP | Allow | HTTP traffic |
| 802.1x subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| 802.1x subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
1. Get Radius information
You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.
| Parameter | Description |
| RADIUS IPs | Provided by Cloudi-Fi |
| Ports | UDP 1815 (Authentication) |
| Shared Secret | Obtain via the Cloudi-Fi chatbot or Support team |
You can get the Secret by asking the Chatbot, for example with the question below. Cloudi-Fi’s Support team will provide you with the necessary information.
"What shared secret is used for the Radius server for 802.1X for Ubiquiti?"
Please save this confidential information securely, and do not share it publicly.
2. Get the Cloudi-Fi NAS-ID
You must create or use a Cloudi-Fi location and retrieve its NAS-ID (Hash key).
This configuration depends on your Cloudi-Fi deployment. Please refer to a technical Cloudi-Fi representative before proceeding.
- Log in to the Cloudi-Fi admin console.
- Go to Location.
- Create a new location if needed and fill in:
  - Location name
  - Type (Redirect URL)
  - Country
- Save.
- Click the location you created.
- Go to Network parameters and copy the Hash key — this will be used as the NAS-ID.
3. Configure the Radius Server
Under "Settings > Networks > Radius Servers", click on "Create New".
Provide:
- A name to identify the server (e.g. "Cloudi-Fi NAC Server")
- The network type on which 802.1X authentication may be used
- The IP address of the server, the port and the shared secret
- Click on "Add" to validate all the information
Accounting information can be added with the same values.
4. Configure the SSID
Under "Settings > WiFi", create a new SSID.
At this level, you’ll create a new SSID and configure it as a network for managed devices.
- Name your SSID
- Assign the appropriate Network VLAN for your corporate traffic
- Broadcast the SSID on all APs or on a specific group of APs (depending on your infrastructure)
- Select "Standard" as Application
- Select the Radio bands on which you want to broadcast the SSID
- Select "Manual" as Advanced settings
- Select "WPA2/WPA3 Enterprise" as Security Protocol
- Select the Radius Server you have created in the Radius profile list.
- Set "PMF" to Optional if your infrastructure still relies on WPA2 devices.
- Select "Custom" as NAS-ID and paste the Hash key you copied in step 2.
- Click on "Apply Changes" to validate your configuration
5. Validation
After completing the configuration:
- Connect a test client to the SSID
- The client should be prompted for 802.1X credentials
- Successful authentication should appear in "Client Devices"
  - Filter with "Status" = Online / "Connection" = WiFi
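
If no client can authenticate, the firewall rule for UDP 1815 and the shared secret are the first things to rule out. The following is an added example, not part of the Cloudi-Fi or UniFi documentation: a minimal RADIUS probe that sends one Access-Request with the NAS-ID from step 2 and checks the reply's authenticator against the shared secret. The function names, the user name "preflight" and the address 203.0.113.10 are placeholders, and how the Cloudi-Fi service answers a request without EAP, or one sent from a host other than the access point, is an assumption not covered by this page.

```python
import hashlib, hmac, os, socket, struct

RADIUS_PORT = 1815  # UDP authentication port from the tables above

def attr(code, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(secret, nas_id, user=b"preflight", ident=1, req_auth=None):
    """Access-Request carrying Message-Authenticator(80), User-Name(1), NAS-Identifier(32)."""
    req_auth = req_auth or os.urandom(16)
    rest = attr(1, user) + attr(32, nas_id)
    header = struct.pack("!BBH", 1, ident, 20 + 18 + len(rest)) + req_auth
    # RFC 3579: HMAC-MD5 over the whole packet with the 16 value bytes zeroed
    mac = hmac.new(secret, header + attr(80, bytes(16)) + rest, hashlib.md5).digest()
    return header + attr(80, mac) + rest, req_auth

def reply_is_authentic(reply, req_auth, secret, ident=1):
    """RFC 2865: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(reply) < 20 or reply[1] != ident:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(server_ip, secret, nas_id, timeout=3.0):
    """Send one request and classify the outcome as a short string."""
    pkt, req_auth = build_access_request(secret, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server_ip, RADIUS_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: check the UDP 1815 rule, the server IP and the secret"
    if not reply_is_authentic(reply, req_auth, secret):
        return "reply failed the authenticator check: shared secret mismatch"
    names = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
    return "authentic " + names.get(reply[0], "code %d" % reply[0])

if __name__ == "__main__":
    # Placeholders: substitute the values obtained in steps 1 and 2.
    print(probe("203.0.113.10", b"<shared-secret>", b"<hash-key>"))
```

Any authentic reply, including an Access-Reject, shows that the UDP path is open and that both sides hold the same secret. Run it from a host in the 802.1x subnet so it exercises the same firewall rule as the access points.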