Ubiquiti Wi-Fi
Capabilities overview
We can integrate Ubiquiti Wi-Fi with idemeum Cloud Radius infrastructure. When users will be connecting to company Wi-Fi, they can login with Passwordless MFA instead of typing a username and password.
In this integration guide, we will be setting up idemeum Cloud Radius and connecting it with Ubiquiti Wi-Fi deployment. You can learn more about idemeum Cloud Radius service here.
Set up the integration in idemeum
Create Ubiquiti Wi-Fi application
- Navigate to idemeum admin portal
- Access
Applications
and then search forUbiquiti WiFi Radius
application - Click
Add app
- Enter the following information:
- Client IP - this is the IP address from which Radius requests will be originating. Typically this is the external IP address of your WAN interface.
- Advance Options - only applicable when you have multiple Radius applications configured for the same network. The public IP address for these Radius applications will be the same. Hence to differentiate between requests, you need to specify NAS IP addresses for each client.
- Click
Save
to save the Ubiquiti application
Entitle Ubiquiti Wi-Fi application
Before users can access applications you need to make sure you entitle applications to them. In idemeum admin portal navigate to the Entitlements section to assign applications to your employees.
Set up the integration in Ubiquiti
- Access the Ubiquiti dashboard at
https://unifi.ui.com
- Access
Settings
->Profiles
->Radius
- Click
Create New RADIUS Profile
idemeum Cloud Radius IP addresses
- Enter
Name
- Enable profile for Wireless networks
- Enter the IP address of idemeum Cloud Radius and the secret that you generated earlier in idemeum. For port use port
1812
. (Click Edit of Ubiquiti WiFi Radius app in the My applications tab to copy the Shared secret)
- Click
Add
thenApply changes
- Access
Settings
->WiFi
and choose the Wi-Fi that you want to secure with Passwordless MFA
- Scroll down to
Security
section - Choose
WPA2 Enterprise
and select the Radius profile that you created before
- Apply changes
Passcode login (EAP PEAP)
This option doesn't involve the creation/import of any profile nor requires importing a client certificate. As PEAP establishes an outer TLS tunnel via MSCHAPv2 (includes username and password), end-users need to key in the 3-letter passcode in the password field shared by the admin.
Users will able to connect in the following way:
- Connect to the company Wi-Fi network
- If idemeum Radius server certificate is not imported on a client device, there will be a pop-up to accept the certificate.
- The user will be prompted for a username and password. The user will type the email address and mfa passcode.
- Users will receive an idemeum push notification to a mobile device.
- Once approved with biometrics user will be connected to the network.