Ubiquiti | Managing VLANs with RADIUS NPS and UniFi Access Points

I have elegantly demonstrated how to set up a WPA Enterprise architecture using PEAP-MSCHAPv2 🤢 and EAP-TLS 🥰. The configuration works seamlessly. However, in my network, there are different user profiles for Wi-Fi access, each requiring access to specific VLANs. So, how can we ensure that certain users are directed to the ADMINS VLAN, while others are assigned to the USERS VLAN?

There are two strategies to achieve this: the first involves multiple SSID configurations (one for each VLAN), requiring a separate RADIUS server for each VLAN management. However, this approach can become complex and unwieldy. The more efficient solution is to leverage RADIUS attributes such as Tunnel-Private-Group-ID, Tunnel Medium Type, and Tunnel Type to enable dynamic VLAN assignment. By doing so, we can manage all the VLANs from a single NPS server, and users will only need to connect to a single SSID. In this guide, we will delve into this latter method.

For the duration of this guide, let's establish the following assumptions:
- We have successfully configured either a functional PEAP-MSCHAPv2 or EAP-TLS setup.
- The VLANs have been properly established within our network.

Network diagram showing dynamic VLAN assignment on a RADIUS architecture between a WiFi supplicant, an authenticator and a RADIUS server

UniFi Network Server

We need to configure several settings within the UniFi Network Server. Let's take a closer look at the process.

In this scenario, let's consider a setup with three distinct networks: 192.168.1.0/24 designated for Servers and WiFi access points, 192.168.10.0/24 allocated for Users, and 192.168.100.0/24 specifically reserved for Administrators.

Within the RADIUS profile, activate RADIUS Assigned VLAN Support for Wireless Networks:

Ensure that your VLANs are accurately configured:

UniFi Network Server network configuration interface

Authentication Server (NPS)

Open the Network Policy Server Console:

Windows Run window with 'nps.msc' in the Open field

You should establish two separate Network Policies: one dedicated to the ADMINS and another for the USERS.

Click New in the Network Policies folder:

Screenshot of adding a new Network Policy in the Ubiquiti Wi-Fi RADIUS setup

Give a name to the Policy:

Screenshot of naming the Network Policy in the Ubiquiti Wi-Fi RADIUS setup

Click Add to specify the condition:

Screenshot of adding a condition to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup

Select User Groups, and click Add Groups…:

Screenshot of selecting User Groups and adding groups to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup

Add an Active Directory group of users, such as Domain Admins for ADMINS:

Screenshot of adding an Active Directory group to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup

Click Next:

Screenshot of proceeding to the next step in the Network Policy setup

Select Access granted:

Screenshot of selecting Access granted in the Network Policy setup

In the Configure Settings section, you can eliminate the pre-existing entry for Framed-Protocol PPP and then proceed to click on Add…:

Screenshot of the Configure Settings section

Now, let's proceed to add these three entries:
- Tunnel-Type: Virtual LANs (VLAN)
- Tunnel-Pvt-Group-ID: Set to 100 for ADMINS or 10 for USERS
- Tunnel-Medium-Type: 802 (including all 802 media along with Ethernet canonical format)