MFA for VPN / Wi-Fi

Ubiquiti Wi-Fi

Integrate Ubiquiti Wi-Fi with idemeum Passwordless MFA to enable passwordless login.

Sep 22, 2022 3 min read
Ubiquiti Wi-Fi

Capabilities overview

We can integrate Ubiquiti Wi-Fi with idemeum Cloud Radius infrastructure. When users will be connecting to company Wi-Fi, they can login with Passwordless MFA instead of typing a username and password.

In this integration guide, we will be setting up idemeum Cloud Radius and connecting it with Ubiquiti Wi-Fi deployment. You can learn more about idemeum Cloud Radius service here.

Set up the integration in idemeum

Create Ubiquiti Wi-Fi application

  • Navigate to idemeum admin portal
  • Access Applications and then search for Ubiquiti WiFi Radius application
  • Click Add app
  • Enter the following information:
    • Client IP - this is the IP address from which Radius requests will be originating. Typically this is the external IP address of your WAN interface.
    • Advance Options - only applicable when you have multiple Radius applications configured for the same network. The public IP address for these Radius applications will be the same. Hence to differentiate between requests, you need to specify NAS IP addresses for each client.
💡
The shared secret is generated post saving the application. Click Edit of Ubiquiti WiFi Radius app in the My applications tab to copy the Shared secret. You will later use it in the Ubiquiti configuration. This secret allows your Ubiquiti wireless gateway to authenticate using idemeum Cloud Radius infrastructure.
  • Click Save to save the Ubiquiti application

Entitle Ubiquiti Wi-Fi application

Before users can access applications you need to make sure you entitle applications to them. In idemeum admin portal navigate to the Entitlements section to assign applications to your employees.

Set up the integration in Ubiquiti

  • Access the Ubiquiti dashboard at https://unifi.ui.com
  • Access Settings -> Profiles -> Radius
  • Click Create New RADIUS Profile
Now you will need to use idemeum Cloud Radius IP address that you can check here.

idemeum Cloud Radius IP addresses
  • Enter Name
  • Enable profile for Wireless networks
  • Enter the IP address of idemeum Cloud Radius and the secret that you generated earlier in idemeum. For port use port 1812. (Click Edit of Ubiquiti WiFi Radius app in the My applications tab to copy the Shared secret)
  • Click Add then Apply changes
  • Access Settings -> WiFi and choose the Wi-Fi that you want to secure with Passwordless MFA
  • Scroll down to Security section
  • Choose WPA2 Enterprise and select the Radius profile that you created before
  • Apply changes

Passcode login (EAP PEAP)

This option doesn't involve the creation/import of any profile nor requires importing a client certificate. As PEAP establishes an outer TLS tunnel via MSCHAPv2 (includes username and password), end-users need to key in the 3-letter passcode in the password field shared by the admin.

💡
Default passcode that is used - mfa

Users will able to connect in the following way:

  1. Connect to the company Wi-Fi network
  2. If idemeum Radius server certificate is not imported on a client device, there will be a pop-up to accept the certificate.
  3. The user will be prompted for a username and password. The user will type the email address and mfa passcode.
  4. Users will receive an idemeum push notification to a mobile device.
  5. Once approved with biometrics user will be connected to the network.
Published by
idemeum team
idemeum team
You might also like
Table of Contents
Great! Next, complete checkout for full access to idemeum integrations.
Welcome back! You've successfully signed in.
You've successfully subscribed to idemeum integrations.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.