Environment Details:

Unifi WLC –

Domain Controller –

Install the NPS role on the Domain Controller (or on another domain-joined server) and register it in Active Directory; registration is what allows NPS to read the dial-in properties of user accounts. You should also install and set up AD CS, because PEAP requires NPS to present a server certificate that the wireless clients trust.

First, let's look at the Active Directory setup. I have created one security group for each of the 3 VLANs in my infrastructure:

Here are the VLANs created on the switch:
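The preparation above (NPS role, AD registration, one group per VLAN, a certificate for PEAP) as an added PowerShell example. This is not the original post's code; the group names, the OU path, the VLAN IDs and the certificate check are assumptions made for the example.

```powershell
# Added example (not from the original post): prepare the server that will run NPS.
# Group names, OU path and VLAN IDs are assumptions; the post's screenshots hold the real values.
# Run in an elevated PowerShell on the Domain Controller (or the chosen NPS server).

# 1. Install the Network Policy and Access Services role plus its MMC snap-in
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in Active Directory (same as "Register server in Active Directory"
#    in the NPS console) so it can read users' dial-in properties
netsh nps add registeredserver

# 3. One security group per VLAN (assumed names and IDs)
$vlanGroups = @{
    'WiFi-VLAN-202' = 202
    'WiFi-VLAN-203' = 203
    'WiFi-VLAN-204' = 204
}
$ou = 'OU=Groups,DC=corp,DC=example'   # assumption

foreach ($name in $vlanGroups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
            -Path $ou -Description ("Dynamic VLAN " + $vlanGroups[$name])
    }
}

# 4. PEAP needs a server-authentication certificate in the NPS machine store.
#    After AD CS is up and the "RAS and IAS Server" template has been enrolled,
#    confirm a usable certificate exists (and note its expiry):
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, NotAfter, Thumbprint
```

If the last command prints nothing, PEAP will fail on every client until a certificate is enrolled; that is worth checking before any of the policy work below.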

NPS Setup

The way the Unifi controller works with RADIUS is slightly different from other vendors. Each AP sends its own RADIUS requests, so every AP needs to be configured as a RADIUS client in NPS rather than just the controller.

Now, create all of your APs as RADIUS clients within the Network Policy Server MMC snap-in:

You must use the same shared secret for all of the APs. Otherwise this will not function properly, because you can only configure a single secret in the Unifi RADIUS profile.

You should now see the clients in the list:
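The same AP registration done from PowerShell, as an added example rather than the post's own steps. The AP names and management IPs are assumptions; the point it demonstrates is generating one strong secret and applying it to every AP entry, since the Unifi profile can only hold one.

```powershell
# Added example (not from the original post): register every UniFi AP as an NPS
# RADIUS client with a single shared secret. AP names and IPs are assumptions.
Import-Module NPS

# One secret for all APs, generated with the CSPRNG. The same value is
# pasted into the UniFi RADIUS profile later.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# Assumed AP inventory: friendly name -> management IP. NPS matches the
# source address of the RADIUS packet, so this must be the AP's own IP.
$accessPoints = @{
    'AP-Office-1'  = '10.0.201.11'
    'AP-Office-2'  = '10.0.201.12'
    'AP-Warehouse' = '10.0.201.13'
}

foreach ($name in $accessPoints.Keys) {
    $ip = $accessPoints[$name]
    # Replace any stale entry so every AP ends up with the new secret
    if (Get-NpsRadiusClient -Name $name -ErrorAction SilentlyContinue) {
        Remove-NpsRadiusClient -Name $name
    }
    New-NpsRadiusClient -Name $name -Address $ip -SharedSecret $secret | Out-Null
}

# Sanity check: one entry per AP, all enabled
Get-NpsRadiusClient | Select-Object Name, Address, Enabled
Write-Host "Shared secret for the UniFi RADIUS profile: $secret"
```

Add a line to the inventory whenever an AP is added; an AP that is not a RADIUS client has its requests silently discarded by NPS, which shows up as clients failing to associate on that AP only.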

Now we need to create a network policy for each of the VLANs within NPS. Right-click 'Network Policies' under 'Policies' and select 'New'.

You will see a screen to set the name of the policy:

Set the name and click Next, you will be asked to set the conditions:

Click on the ‘Add’ button and select ‘User Groups’:

Click ‘Add Groups…’ and select the group that corresponds to the policy you are creating. Click ‘OK’, you should see the group in the list now:

Click ‘Next’ and ensure ‘Access Granted’ is selected and click ‘Next’ again.

You will come to a screen that asks about Authentication Methods:

Here, I will select 'Add…' under EAP Types and select 'PEAP'. Click 'Edit…' on the PEAP entry and check that the server certificate issued by AD CS is the one selected; the default inner method is EAP-MSCHAP v2. The non-EAP methods listed below (MS-CHAP, MS-CHAP v2, CHAP, PAP) are not used by 802.1X wireless clients, so untick them to keep the policy to PEAP only.

Click ‘Next’ to continue.

You can set up constraints if you would like to, for example session timeout values, or allowing access only at certain times of the day. A useful one here is 'NAS Port Type' set to 'Wireless - IEEE 802.11', so the policy only ever matches requests from the APs.

Click ‘Next’ to continue. You will be presented with the final settings page:

Under ‘Standard’, click ‘Add…’

You need to add the following RADIUS standard attributes. These are what the AP reads from the Access-Accept to place the client in a VLAN:

Termination-Action: RADIUS-Request

Tunnel-Medium-Type: 802 (includes all 802 media plus Ethernet canonical format)

Tunnel-Pvt-Group-ID: the VLAN ID for this group, entered as a string (for example 202)

Tunnel-Type: Virtual LANs (VLAN)

It should look like this:

Click ‘Next’ and then ‘Finish’

Repeat creating the network policy for each of the groups you have created in AD, making sure to select the correct group and set the correct VLAN ID in the settings.

In my case, I have all 3 policies created:

Ensure that these policies sit at the top of the processing order, above any broader policies. NPS uses the first policy whose conditions match, so if a user is in more than one of the groups, the VLAN of whichever policy is listed first is assigned.
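A check for the first-match problem just described, as an added example (not part of the original post): it expands the membership of each VLAN group and lists any user who is in more than one, then prints the NPS policy order so you can see which VLAN such a user would actually get. The group names are assumptions.

```powershell
# Added example (not from the original post): find users in more than one VLAN
# group, since NPS applies the first matching policy. Group names are assumptions.
Import-Module ActiveDirectory

$vlanGroups = @('WiFi-VLAN-202', 'WiFi-VLAN-203', 'WiFi-VLAN-204')  # assumed names

# -Recursive expands nested groups, so indirect members are counted too
$membership = @{}
foreach ($group in $vlanGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not $membership.ContainsKey($_.SamAccountName)) {
                $membership[$_.SamAccountName] = New-Object System.Collections.ArrayList
            }
            [void]$membership[$_.SamAccountName].Add($group)
        }
}

$conflicts = $membership.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($conflicts) {
    Write-Warning "Users in more than one VLAN group (first matching policy wins):"
    $conflicts | ForEach-Object { "{0,-20} {1}" -f $_.Key, ($_.Value -join ', ') }
} else {
    "No user is in more than one VLAN group."
}

# Show the policies in the order NPS evaluates them (the NPS module has no
# network-policy cmdlets, so this uses netsh)
netsh nps show np
```

Run it after any group change. Fixing a conflict means either removing the user from all but one group or deliberately ordering the policies so the more restrictive VLAN wins.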

We are all done on NPS for now!

Unifi Setup

Within the Unifi dashboard, go into ‘Settings’ > ‘Advanced Features’ and then scroll down to ‘Add RADIUS Profile’

Give the profile a name and turn on the ‘Enable Wireless’ option:

Under 'RADIUS Settings', set the IP address and shared secret of the NPS server (the same secret you gave the RADIUS clients). You should also configure accounting here so that session records are logged on the NPS server:

Note: Ensure the firewall on the NPS server allows these inbound connections from the APs (by default UDP 1812 for authentication and UDP 1813 for accounting).

Click on ‘Apply Changes’ to save the profile.

Now we need to create a new wireless network and assign the RADIUS profile to it, or you can edit an existing wireless network.

Still within Settings, click ‘WiFi’ and then ‘Add New WiFi Network’:

Enable the Network and give it a name:

Under ‘Advanced’ > ‘Security’ change the Security Protocol to ‘WPA-2 Enterprise’

Below that, set the RADIUS Profile you setup before:

Change other settings to your liking and then click ‘Add WiFi Network’ to complete.

Note: The switchports the APs are connected to need to be trunks that allow the VLANs you are dynamically assigning, with the AP's own management VLAN as the native (untagged) VLAN. For example, on a Cisco IOS switch:

interface GigabitEthernet1/0/11
 switchport trunk allowed vlan 201-205
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 201 
 switchport mode trunk

You should now be able to test with a user account from one of the AD groups on the new wireless network. The client should be dynamically assigned the VLAN that corresponds to the group the user is a member of:
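To see what NPS decided for the test logon without digging through the MMC, the following added example (not from the original post) reads the NPS audit events from the Security log on the NPS server: event 6272 is access granted and 6273 is access denied. The field labels are those NPS writes into the event message; the regex parsing and the one-hour window are this example's own choices.

```powershell
# Added example (not from the original post): summarise recent NPS decisions
# from the Security log. 6272 = access granted, 6273 = access denied.
$since = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6273; StartTime = $since
} -ErrorAction SilentlyContinue

# Pull a labelled field out of the event message text (parsing is this
# example's own; the labels are the ones used in the NPS audit events)
function Get-Field([string]$text, [string]$label) {
    if ($text -match "(?m)^\s*$([regex]::Escape($label)):\s*(.*?)\s*$") { $Matches[1] } else { '' }
}

$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Result  = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        User    = Get-Field $_.Message 'Account Name'          # first match is the User section
        AP      = Get-Field $_.Message 'Client Friendly Name'  # the RADIUS client name from NPS
        Policy  = Get-Field $_.Message 'Network Policy Name'   # which VLAN policy matched
        EapType = Get-Field $_.Message 'EAP Type'
        Reason  = if ($_.Id -eq 6273) { Get-Field $_.Message 'Reason' } else { '' }
    }
} | Format-Table -AutoSize
```

The 'Policy' column tells you which VLAN policy matched (or, for a 6273, the reason text tells you why none did, for example a certificate the client rejected). The VLAN itself is not in the event, so confirm it from the IP address the client received.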
