FreeRadius Configured with Unifi (3 Access Points)
-
Hello; I am trying to set up freeRadius using MAC Auth (WPA2) with 3 Unifi Access Points. I have installed freeRadius on pfSense and in the NAS / Clients section I have entered one of my Unifi access points' IP with a shared secret password. Then under Interface, I have left it as default, with * for the IP and 1812\auth.
On the Unifi side, I have created a Radius profile with the pfSense interface IP and port of the radius server, and then I enabled Radius MAC Auth under one of my SSIDs and selected the Radius profile I just made.
When I try connecting one of my wifi devices to this SSID, it does not connect to wifi ((1) Login incorrect (Failed retrieving values required to evaluate condition))
The only way I can connect is if I manually add the device MAC into the user section of Radius; but I am not 100% sure if it should work that way. My understanding is any device that tries to connect to that SSID will talk to radius in pfSense and will make a connection, and then later on I can edit that user and have it go to a different VLAN if wanted.
Not sure what I am missing with this setup, any help would be awesome!!
-
Hmm, if you set MAB auth then I'd expect it to only authorise known MAC addresses. But that shouldn't be required for WPA2/Ent AFAIK.
It has been a while since I set that up though.
-
@stephenw10 so for known MAC addresses, I would assume that’s any MAC coming from the bad client (access point)? I have the bad client set up as well. I couldn’t imagine that I would have to enter each MAC in manually as a user for any devices that connect.
I am using MAC auth via WPA2 just for VLAN management as I don’t want to have too many SSIDs for each VLAN.
-
You might be better with PPSK?
https://forum.netgate.com/topic/183241/unifi-aps-ppsk-function
I've never used that myself though.
-
@stephenw10 thanks, I happened to come across that last night and it works well. My only concern is that when I upgrade to a 6 GHz band access point I would need to move over to WPA3, and that does not support PPSK (as far as I know). I am just trying to see which method I should move forward with.