Super tutorial! If I can add a little note here. During the creation of your GPO you added the AD group to the GPO, which is good. Authenticated Users was still in there and it actually overrules your AD group because the GPO will automatically be applied to any authenticated user/computer in that OU. In order to prevent this and only apply the GPO to any computer within the AD group, you have to go to the "Delegate" tab in your GPO => Click "Advanced" (bottom right) => Click "Authenticated users" => Deselect "Apply Group Policy"
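The same delegation change done from PowerShell, as an added example that is not part of the comment above or of the video. It uses the GroupPolicy module's Get-GPPermission/Set-GPPermission cmdlets; the GPO name and the computer group name are placeholders.

```powershell
# Added example (not from the video): restrict a GPO's "Apply Group Policy" right to one
# computer group, which is what the comment above does through the GPMC GUI.
# Requires the GroupPolicy module (RSAT / GPMC). GPO and group names are placeholders.
Import-Module GroupPolicy

$GpoName   = 'WiFi-Cert-Autoenroll'   # placeholder GPO name
$GroupName = 'WiFi-Computers'         # placeholder AD security group of permitted computers

# Grant the computer group Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Lower Authenticated Users from Apply to Read only. Read is kept on purpose: since
# MS16-072 the computer account must still be able to read the GPO for it to process.
# -Replace is required when reducing an existing permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Verify: only the intended group should be listed with GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

After running it, `gpresult /r /scope:computer` on a machine outside the group should list the GPO under "filtered out" rather than "applied", which is the quickest way to confirm the scoping took effect.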
@saeedrajabi3266 8 months ago
Awesome, after reconfiguring the GPO by your good point everything works well. Thanks
@ManuelBerfelde 3 years ago
Nice tutorial but you should check your ports. 1812 is used for auth, 1813 is accounting. 1645 and 1646 are old ports (pre RFC standardization) which should not be used/needed.
@virt23virt 3 years ago
This is how all tech videos should be done! 5/5. Keep up the good work. Thank you, Alex!
@vanvuite733211 months ago
Having less knowledge on networking, your tutorial gives me more understanding of where I need to click and look for my System Administration tasks. Thanks mate
@sethkilley 3 years ago
This video was very good, but there are a few things that I had to change. No, you don't need the Remote Access Server role installed. It won't keep it from working, but it's not related either. In the video, PEAP is chosen for authentication on the NPS role. If you choose this, users will be prompted for username / password. Instead, you want Smart Card or other certificate. I'm not sure how it worked in the demo unless Smart Card or other certificate was also in the list at a higher priority?? As others have shared, the ports are wrong for the UniFi controller to connect to the NPS Server. Authentication is on port 1812 & 1645. Accounting is 1813 & 1646. Otherwise, great explainer and got me up and running on RADIUS. Thanks!
@imfuctifino 2 years ago
I have taken your advice here but am still having problems with the "Enter username & password" dialogue box popping up even though I have selected "Smart card / certificate" in the NPS role (and nothing else). I just have no clue how to move this on. This computer-based authentication is something I desperately need. I do not want to user authenticate as that will defeat the object of what I'm trying to achieve (get mobile phones off the corporate network without having to MAC filter everything). What Alexander described is exactly what I need; I'm just struggling to get it to work. All machines are Win10, server 2019.
@sethkilley 2 years ago
@imfuctifino did you verify the Windows 10 computers trying to authenticate have a cert issued by the domain certificate provider? There should be a machine cert under Personal --> Certificates
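The check suggested above, scripted: an added example (not from the video or the commenters) that looks in the client's machine Personal store for a certificate usable for EAP-TLS and, if none is there, kicks off autoenrollment. The CA name is a placeholder; everything else uses built-in cmdlets and tools.

```powershell
# Added example (not from the video): on a domain-joined Windows 10 client, confirm that a
# machine certificate suitable for EAP-TLS exists under LocalMachine\My ("Personal"), and
# trigger autoenrollment if it does not. Run in an elevated PowerShell on the client.
$ExpectedIssuer = 'CN=LAB-CA'          # placeholder: your enterprise CA's name as it appears in Issuer
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'  # Client Authentication EKU, required for EAP-TLS

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and                                       # key must be present
    $_.NotAfter -gt (Get-Date) -and                             # not expired
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) -and
    $_.Issuer -like "*$ExpectedIssuer*"                         # issued by the domain CA
}

if ($certs) {
    "Usable machine certificate(s) found:"
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
}
else {
    "No certificate from $ExpectedIssuer with the Client Authentication EKU in the machine Personal store."
    "Triggering autoenrollment (needs the autoenrollment GPO applied and a template the computer may enroll)."
    certutil -pulse                      # ask the autoenrollment task to run now
    gpupdate /target:computer /force     # make sure the GPO that enables autoenrollment has applied
    "Re-run this script after a minute. If nothing appears, check the template's Enroll and"
    "Autoenroll permissions for the computer group and the CA's Failed Requests log."
}
```

If the certificate is present but authentication still fails, the next thing to compare is the EKU and the issuing chain against what the NPS connection request policy expects, rather than the client side.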
@imfuctifino 2 years ago
@sethkilley Thank you so much, this has partially solved the problem for me. I really appreciate you pointing me in the right direction. The certificates are not being issued automatically; I am having to request a new certificate on each client PC and I'm fairly confident doing that isn't something I should have to do, but at least once it's issued it works great.
@stan8926 2 years ago
I had to revert to PEAP for this to work. It did not work with Smart Card or other certificate even with certificates issued automatically. It gave the error: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
@bsem68 9 months ago
Thanks for this, I changed to smart card or other certificate and it works now!!!!
@francoisdarmon2626 4 years ago
First video showing that USG is not mandatory when configuring UniFi APs with a RADIUS server. Very helpful.
@thecybersecuritymindset 4 years ago
No, you don't need the USG. I don't run a USG in my lab; currently I am running an ASA on my home network and pfSense in my lab. You just need the UniFi controller.
@moondawson2165 3 years ago
@thecybersecuritymindset Do I set up with the IP addresses of each UAP I have in the building or just the address of the controller?
@francismori7 3 years ago
@moondawson2165 All APs
@kenthenry2043 3 years ago
I haven't had time to test this but I've built out a few RADIUS controlled wifi networks, but my first with UniFi this week. I'm used to only adding the controller of a wifi system to the RADIUS clients but I think that's what I was missing when my config wasn't working. This is a great tutorial from start to finish. Thanks for taking the time to demonstrate and share this.
@clark_crisp 3 years ago
Alex, thank you for this video! My first watch through I overconfidently skipped the part at 5:04 and spent the next hour troubleshooting the RADIUS config. Thanks for highlighting all steps.
@thecybersecuritymindset 3 years ago
Glad it was helpful!
@thedaveking 3 years ago
I think there's an error when creating the RADIUS server entries in UniFi. The second auth server at 1813 should not work since that's the accounting port. The first accounting server at 1812 should not work since that's the auth port. So auth should be fine but accounting may retry until it hits the second entry, depending how UniFi does failover.
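Two NPS-side checks that go with the port discussion above and with the "add every AP as a RADIUS client" reply earlier in the thread, written as an added example that is not from the video: it lists the RADIUS clients NPS knows about and shows which UDP ports the inbound NPS firewall rules actually open. The firewall display-group name is assumed to match the rules Windows creates for NPS; the RADIUS client name, address and shared secret in the commented-out line are placeholders.

```powershell
# Added example (not from the video): run on the NPS server.
# 1) Every access point that will send Access-Request packets must be a RADIUS client here;
#    an AP that is missing simply gets silently dropped by NPS.
# 2) The inbound rules must cover UDP 1812 (authentication) and 1813 (accounting); NPS also
#    listens on the legacy 1645/1646 pair by default, which the comments above note is not needed.
Import-Module NPS

"RADIUS clients registered in NPS:"
Get-NpsRadiusClient | Select-Object Name, Address | Format-Table -AutoSize

"Inbound NPS firewall rules and their UDP ports (display group name is an assumption):"
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -Direction Inbound -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $filter.Protocol
            LocalPort = ($filter.LocalPort -join ',')
        }
    } | Format-Table -AutoSize

# Registering one AP as a RADIUS client (placeholder name, address and secret).
# The shared secret must match what is entered in the UniFi RADIUS profile.
# New-NpsRadiusClient -Name 'AP-Office-1' -Address '192.0.2.10' -SharedSecret 'PLACEHOLDER-SECRET'
```

On the UniFi side, pairing each server entry with the correct port (authentication on 1812, accounting on 1813) avoids the retry-until-failover behaviour described above; after changing it, the NPS event log (Event Viewer, Network Policy and Access Services) shows each request as it arrives, which is the fastest way to see whether the AP's packets reach the server at all.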
@kittyyyyyyyy a year ago
Thank you, this went over a lot of prerequisites that a lot of other guides fail to mention
@SHRIVES93 3 years ago
Fantastic video - was having trouble getting this configured for a while. Super clear and easy to follow, thanks so much for saving me from any more headaches! :D
@dr.victorstrange6848 4 years ago
At 7:51 you mentioned jotting down a KEY. Where do you put this key for the cert? Or did you mean something related to the same key used for the Ubiquiti side?
@soeminnhtet6635 3 years ago
It's a really nice video, and allow me to ask one question: why don't you use smart card or certificates when you create the NPS policy? I thought that it's going to authenticate the computer account with a certificate? I noticed that you just chose PEAP instead? Why do we need the Remote Access Windows feature installed together with NPS and CA?
@genxguy 2 years ago
Thanks for this. I'm going to be setting the same up at home and since I haven't installed RADIUS in 15-odd years it's a good refresh.
@thecybersecuritymindset 2 years ago
Glad I could help
@blindside995 4 years ago
I knew this was possible, just couldn't figure it out! Thank you so much for taking the time and making this video super easy to follow along. I hope you keep it up. Best wishes!
@thecybersecuritymindset 3 years ago
You're so welcome!
@robinkufner99 4 years ago
Thanks for the great video. Works like a champ. In the video you didn't configure the Remote Access role. Why do we need to install it anyway? Does the RADIUS need any services of this role?
@relio30 3 years ago
Good question, any answer to this?
@smithophoto 3 years ago
Have you ever tried this using UAPs at a different site and subnet than the RADIUS server (but connected via site-to-site VPN)? I'm finding that it doesn't work at the remote sites and I'm reading that the UAPs always send the packets over WAN and not the VPN... I've seen where people had this issue and only could get it to work by exposing the RADIUS ports publicly and using the public IP in the UniFi controller. Not crazy about that idea... hoping Ubiquiti fixes this in an update one day...
@bradgrothaus3625 3 years ago
Worked perfectly! Saved me hours of work! Thank you for doing this Alex
@LarsBemelmans 2 years ago
Hi Alexander, this video helped me a lot configuring RADIUS with UniFi network for our enterprise. Thank you for the instruction. Grts Lars
@thecybersecuritymindset 2 years ago
Glad to hear it!
@muhammadowaiskhan413221 days ago
Thank you sir for the great video. I have a query: if I follow this tutorial, how could I achieve the requirement to set up a RADIUS server for wireless user authentication? I need to set up RADIUS for our Wireless Access Points (APs). The challenge I'm facing is that the RADIUS server is a separate machine and I need guidance on how to properly link the AD with the RADIUS server, which the requirement is to create on a separate machine. Could anyone help me understand the additional steps involved in configuring the RADIUS server and how to integrate AD and RADIUS? (Could the RADIUS server be a domain user and then integrate as well? What would be the configuration on AD and RADIUS for integration?) I would appreciate a detailed breakdown of the additional configurations needed on both ends. If you have any documents, guidelines, or videos that could walk me through the process, that would be immensely helpful. I've been unable to find the right resources so far.
@tendyfish 4 years ago
Great video, thanks for sharing!! Trying to set this up but on user accounts; how do I set up the auto-enrollment bits for the user accounts?
@flexpod1804 3 years ago
Great video! However, I did run into a roadblock. We aren't on-prem and are using Azure, therefore I am unable to set group policies. Do you have a guide on doing this in Azure?
@jaemelo2693 3 years ago
Well done mate! Straightforward & to the point. Keep up the good work!
@clerk9305 4 years ago
Very useful video, extremely useful to prevent personal devices connecting to the WiFi eating bandwidth.
@thecybersecuritymindset 4 years ago
Thanks! That is why I built this out at my day job. We had too many people connecting their personal devices to the corporate network and no way to control it. Now they cannot do that. It works fairly well too.
@departuring 4 years ago
Excellent!! But I can't use this in my company, because we have 40% Macintosh for UI/UX.
@mstarace1 10 months ago
This was wonderful and easy to follow. Thank you!
@muhamedbasic8458 3 years ago
Great video, just what I needed. Still I have a question: why do you need the Remote Access role in this case? You left that one unconfigured. Thanks!
@MrMilesThompson 2 years ago
I was wondering this too as I don't see why it's needed.
@themangoman5642 2 years ago
The certificate you created and pushed through GPO for Windows clients... can it be used for smartphones without any hurdles?
@barssakizli2190 a year ago
Smartphones automatically pull the certificate and ask you to accept it; on the Android side, you need to select the certificate type as verification.
@RadosławSar 4 months ago
Great video, thanks to it I just configured authorization via RADIUS. I have one question: can I configure a WiFi network for guests without a UniFi gateway?
@Bluraycollec a year ago
Hello, I have configured the RADIUS server and it works. On the session I have the button to connect, but I also have the possibility of entering another login / password. How do I prevent this? THANKS
@mjeds 3 years ago
Worked like a charm, thank you.. but why did you install the Remote Access role? You never touched on it or configured it.
@colinclayton8121 a year ago
Awesome video. Thanks for this. This was exactly what I was looking for.
@eduardmeiler9677 3 years ago
Wow. Very impressive. Very good tutorial with all the steps that are really understandable.
@franke102 a year ago
You sir .... are a legend. Take that W bro.
@thecybersecuritymindset a year ago
Thanks!
@stan8926 2 years ago
Firewall rules are already added automatically for NPS. But I had to add them manually again for some reason.
@johannessigel 3 years ago
Can you make a video on how to set up 802.1X with UniFi switches?
@fasilkm7922 2 years ago
Great video Alex... worked perfectly! As you suggested, I would like to have RADIUS installed on a utility Win 19/22 server. Do I need to have the CA installed on the same server? I already have the CA role installed on the primary domain controller server.
@BorisFankam 2 years ago
Hello, please, I would like to know: when configuring the RADIUS client in the AD DS server, in the video you add the IP address of the Unified Access Point. I want to know if, instead of adding the APs, you can add the IP of the unified controller that contains those APs. If this is possible, how do we proceed? What are the prerequisites?
@tristanbrandenburg3645 3 years ago
Thanks for the video! It has helped me enormously. Could you show how it works with the certificate on the switches from UniFi? So the wired version instead of the wireless? I would like to allow or disallow clients the same way on the LAN on the switch. Unfortunately, my computer always tells me that it can't authenticate. I just can't get anywhere.
@_M0MSY_ 10 months ago
Hi, just one question: what if the domain has a CA Root Authority already...? Kind regards!
@DarudeSandstormVEVO 2 years ago
@Alexander I have been fiddling around with this. We do have a UniFi controller running and already an old RADIUS profile, but I wanted to shift it to our application server (rather than the DC as you mentioned). Everything works fine up until the moment I want to register the NPS with Active Directory. That option is greyed out. The server is a member of the domain (duh) and a member of the RAS and IAS Servers group in AD. I am logged in as Domain Admin. Am I missing something here? Greetz!
@stan8926 2 years ago
I think what registering only does is add the NPS server to that group.
@_MattyP 4 years ago
My Azure certificate wizard does not have Enterprise CA as an option, only Standard CA (Enterprise CA is grayed out and I cannot select it). Do I have to join the new server VM to Azure AD first? I run my UniFi controller on an Azure VM Ubuntu server. I placed the new Windows server in the same resource group on Azure.
@AmitThakorlovemeorhateme 3 years ago
Can you show what certificates are installed on the RADIUS server and the client (manually with a CSR request)... and what certificates does group policy push?
@ShehzadKhan-yk3pb 2 years ago
Thanks for the video. What about devices that are Azure AD joined only?
@vars-itlearnings7467 a year ago
Appreciate your efforts. The Linux PC is the UniFi wireless AP, kindly update; there is no need for any physical AP.
@vetribull8318 3 years ago
Hi there, is there any way to add printers under the LDAP in Windows Server 2016? Your reply is very much appreciated.
@YusofYaghi 3 years ago
Hi, I just followed your guide. It's great, thank you. However, the SSID is not showing up on my Android. Haven't tried iPhone yet. Only my 802.1X networks are not showing up. Do you by chance have a guide or any info on how to get that set up?
@Ole_Friis_Heesgaard 2 years ago
Hi, thanks for the great tutorial. Why are you creating the GPO (12:21)? Do I have to do that? BR
@jkk4579 3 years ago
GREAT VIDEO, I WANTED TO SET THE Wi-Fi authentication to prompt for a username and password of users on the domain
@JohnGroninga 3 months ago
Were you able to do this?
@jkk4579 3 months ago
@JohnGroninga oh yeah 😎
@PcR3DL33T 3 years ago
Curious why you need RAS installed? Working on setting up UniFi to use our existing PKI environment. It has been working previously with a Cisco WLC. We didn't need the RAS role for that in the past. Thanks!
@Subn3tMask 3 years ago
I'm curious as well. Also he didn't cover the RAS setup in this video.
@scholziallvideo a year ago
Hi, perfect video. So only the certificate on the system and then the clients can connect to the WiFi without any password?
@TA-vy7cw a year ago
What about non domain-bound devices, like connecting an iPhone to the WiFi?
@matastra a year ago
Great video. Is there a way you can use this for mobile phones? e.g. adding a MAC to a RADIUS server?
@matthewballou3112 3 years ago
How does this work with non-Windows clients, like Chromebooks that may not have a computer account in AD?
@francismori7 3 years ago
It'll probably ask for a username and password, but with this exact config it won't work because there are no users that are part of the lab auth group
@jamesh.6649 3 years ago
Thank you for the video! How would I authenticate a domain user instead of a domain computer? Would I need a different type of certificate?
@tullywoolly 3 years ago
Yeah, I'm wondering this. Or a mobile device.
@Youbo333 2 years ago
Did you try this solution, please?
@JohnGroninga 3 months ago
Any updates here?
@ernestmensah727 3 years ago
Is it possible to authenticate domain users without adding the computer as a member of the group, but instead users within the domain controller?
@rojarrolla 2 years ago
Hi, nice tutorial. In this case you're authenticating computers, but is it the same to authenticate users over L2TP when logging in from outside the premises?
@pa1089 4 years ago
Hello there. Thank you for the video. Really helpful. Just curious to know what hardware you are using for your lab to host VMs?
@thecybersecuritymindset 4 years ago
I have a pair of Dell PowerEdge R420s. 64GB RAM each and dual Xeon E5-2430Ls. Both 420s have 4x 2TB hard drives in a RAID5 array. I have a Dell MD1200 that I am hoping to bring online soon as well.
@Youbo333 2 years ago
Hello Alexander, thank you for the video. It worked for me! I have one question please: can I use a users group instead of a group of PCs?
@mwashington87 3 years ago
Hi, thanks for sharing it. If I want to put my RADIUS server in a perimeter network, what port do I need to forward? I want to put a RADIUS server in Azure or AWS and I did forward 1812 UDP but it doesn't auth my WiFi. Could you help me please? Thanks again
@faizbhagett2241 a year ago
I followed step by step but it doesn't work. The problem is, I have a firewall... What do we do in Control Panel, whether I need firewall configuration? The normal UniFi network is working, but via RADIUS server it is not.
@ronhoppner 6 months ago
Very well done! Thanks for the good work.
@ThePatsev 4 months ago
Very good video. I followed it but I get this error: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
@moondawson2165 3 years ago
How do I configure it for a user account instead of a computer account?
@chrisp1850 3 years ago
Awesome video! Could you do one for those of us who are using a Windows Server VM with AADDS? I have a S2S VPN connection from a vnet in Azure to my UDM Pro. Do I still need the Remote Access role for this?
@williambreen2431 3 years ago
So I was able to get RADIUS auth working for VPN, but I have never gotten this to work; your video showed me what I was missing... However I have a question: can I run this on the same policy server as the VPN auth? Or should I use a different server for this service?
@JohnGroninga 3 months ago
Is there any way to create a GPO that I can apply to users instead of computers?
@RoxusRemo 2 years ago
Can you set this up to use Azure AD auth via the NPS server for a VPN in Ubiquiti?
@omaralhomsi1848 2 years ago
Hey, I can manage to fix 902 but not with VPN at the same time. I don't understand what I'm doing wrong.
@richardloong6422 2 years ago
This video is very good. I have a question: will it work if I don't install the AD CS service?
@adamk592 2 years ago
I can't seem to find the part where you configure the 'Direct Access and VPN (RAS)' after adding the 3 services. What options should be selected? Thx!
@adamk592 2 years ago
Follow up. I tried selecting configuration options I thought seemed correct and the UniFi server became non-responsive. :) I removed my configuration and all is good again. My server keeps displaying a warning that I need to go through the 'Post-Deployment Configuration'. Would be nice to configure it in such a way that it works and satisfies Server 2019. Thx again, great video!
@Curiousperson08 3 years ago
I got lost at 11:46 since I don't have Active Directory. Do you have a link that I can follow for workgroup servers? Also, would this method work to authenticate Android phones with EAP2-Enterprise too?
@isaacmyrrh 3 years ago
I don't usually comment but man, you are too good
@gokucanfly4593 2 years ago
What about setting up multisite authentication for sites having their own authentication server but with failover?
@BradHeffernan83 3 years ago
Love this, thank you so much, helped out a lot.
@bsctchrz 8 months ago
You install RAD and do not configure it. Why is it installed?
@emmanuelgarcia9611 a year ago
How do I install the certificate on a tablet? Or Mac?
@philjans1 a year ago
Nice video, thanks! How do you do it for smartphones since they won't show up in AD? Also: you focus on "how to do it" but do not explain why and what things are for... like: why certificates? Isn't the fact that the computer is in the right AD group enough? And in UniFi you said "you need to activate accounting"... but why, and what is that for? Explanations like that, thanks!
@xuxamelo a year ago
Cool! Now with dynamic VLANs please...
@aguspije 4 years ago
I have an issue with the RADIUS server: the client is not reconnecting after restart.
@RK-ly5qj 3 years ago
So I need to apply a RADIUS profile for each AP or switch? Am I correct? By switch I mean wired auth. What if I would like to use dynamic VLANs for a specific AD group, let's say I've got marketing, HR, where there is a totally different subnet assigned to each department? Can I solve it somehow?
@barssakizli2190 a year ago
Hi, I tried it as a VLAN but the result was unsuccessful; I couldn't find a source. I did not have a problem with the default network, I successfully installed it, but when I want to use a VLAN, RADIUS does not verify. I was able to do it with WPA password authentication as a VLAN. Did you solve it?
@RK-ly5qj a year ago
@Barış SAKIZLI yeah, I did solve it. So I've got dynamic VLANs with cert authentication :)
@JohnQ85 3 years ago
How does a client get to connect if they don't have the certificate?
@francopearson5787 2 years ago
I did everything step by step but the WiFi clients are unable to connect to the WiFi.
@kyleparker5535 3 years ago
Are you adding the IP of each Ubiquiti Access Point in the RADIUS Clients or are you adding the IP of the UniFi Controller?
@ernestmensah727 3 years ago
No!... I think he added only the IP of the UniFi Controller, since that controls all the access points
@umairiqbal8747 3 years ago
@ernestmensah727 I guess he added both
@mariuskoffi5523 a year ago
Sir Alexander, the video is excellent. However, can we use this GPO on users??
@НурболДускалиев 2 years ago
Nice tutorial. What if I use the same server for RADIUS and for the UniFi controller? Is it possible?
@kanyon_ni_mang_simeon a year ago
Will this work on phones to connect to WiFi?
@MrBulsky a year ago
Very good explanation, thank you
@jaysonpatricio 2 years ago
I think it should ask to enter the username and password (from the AD account) before you can get in to the WiFi
@juancarlosrosalesc.9937 3 years ago
Thanks for the video Alex. Is it possible to perform the authentication by username instead of by computer name?
@ataron123 3 years ago
Hi, yes it is possible. Instead of adding computers to the auth group I added users and then just configured the policy in the GPO; I only configured, inside User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment, as shown in the video. After all that, to connect to the WiFi use the Active Directory credentials of each user added in the auth group.
@umairiqbal8747 3 years ago
@ataron123 are you using it?
@troller4jesus 3 years ago
Can I just use a self-generated cert from PowerShell or do I need a CA?
@umairiqbal8747 3 years ago
What's the difference?
@ppetrix 2 years ago
Why put the same server 2 times on different ports? Is the first port not enough?
@thecybersecuritymindset 2 years ago
2 different ports, for two different protocols if I recall. I'd have to go back and re-watch the video; this was a while ago.
@JohanLander 3 years ago
Hi, can you do an updated version with Azure AD?
@rafadipre a year ago
Excellent, very useful
@nickharvey5149 2 years ago
Apart from the fact that I have smoke coming out of my ears, great video! BTW I emailed you yesterday. Please can you reply one way or t'other? Thanks
@thecybersecuritymindset 2 years ago
Thanks Nick! I received your email and replied last night.
@fernandoservin0 4 years ago
Would this process be the same when configuring Windows RADIUS authentication on USG?
@thecybersecuritymindset 4 years ago
Yes, I believe so.
@denissmamontovs6373 3 years ago
Thank you for your tutorial! We created AD groups and issued certificates for users. All working just fine, macOS receiving their certificates via Intune; the only problem we do have is the first user login for Windows domain systems. We have to pass the authentication process for them first on a trusted network, so they can receive their user certificates. Do you know any workaround for how to bypass this step, so users will be able to grab their certificate during their first login?
@francismori7 3 years ago
Machine/Computer certificates should be used for this; that way your devices are always able to log in to your network
@JohnGroninga 3 months ago
How did you do this?
@Brandon-uo8op 8 months ago
FYI, you do not need the Remote Access role installed. Just NPS. I am not sure why every guide is adding this unnecessary step.