UniFi – USW: Configuring Access Policies (802.1X) for Wired Clients

This article describes how to configure access policies (802.1X) on UniFi switches for wired clients. It includes instructions for using the RADIUS server built into the UniFi Security Gateway, as well as UniFi Network configuration examples for pointing the switches at your own authentication server. Every UniFi switch model is capable of 802.1X authentication, and the configuration does not change from model to model.

Note: Please complete the prerequisite configuration found in the UniFi – USG: Configuring RADIUS Server article before following this guide’s instructions.

How to Enable the 802.1X Service on a Switch

This option is found on the switch properties panel under Config > Services in the Security section when selecting an individual switch from the “Devices” section of the UniFi Network application.

ATTENTION: Enabling access control is done on a per-switch basis. If it is not enabled, the switch will not be able to act as an authenticator and relay RADIUS messages to the RADIUS server.

Differentiating 802.1X Port Modes

  • Auto: The port is unauthorized until a successful authentication exchange has taken place.
  • Force Unauthorized: The port ignores supplicant authentication attempts and does not provide authentication services to the client.
  • Force Authorized: The port sends and receives normal traffic without client port-based authentication.
  • MAC-Based: This mode allows multiple supplicants connected to the same port to each authenticate individually. Each host connected to the port must authenticate separately in order to gain access to the network. The hosts are distinguished by their MAC addresses.

Working with Port Profiles

Using port profiles for rapid deployment is recommended instead of applying 802.1X policies manually on each port.

  1. Navigate to Settings > Profiles > Switch Ports.
  2. Create a new profile with the desired 802.1X control.

NOTE: When using dynamic VLAN assignment from RADIUS, the port profile must include each VLAN that the RADIUS server may assign.
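As an added example (not part of the original article), the following Python check reads a FreeRADIUS-style users file and reports every user whose RADIUS-assigned VLAN is not carried by the intended port profile, which is exactly the mismatch the note above warns about. The users file contents, the usernames and VLAN IDs, and the PortProfile model are constructed for illustration; the FreeRADIUS users syntax and the RFC 3580 tunnel attributes are assumed, not taken from the article.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a FreeRADIUS-style "users" file (assumed format):
# each entry assigns a VLAN through the RFC 3580 tunnel reply attributes.
USERS_FILE = """\
alice   Cleartext-Password := "alice-pass"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 20

bob     Cleartext-Password := "bob-pass"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 30

printer Cleartext-Password := "printer-pass"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "40"
"""

@dataclass
class PortProfile:
    """Hypothetical model of a UniFi switch port profile: one native VLAN
    plus the set of tagged VLANs the profile carries."""
    name: str
    native_vlan: int
    tagged_vlans: set[int] = field(default_factory=set)

    def allows(self, vlan: int) -> bool:
        return vlan == self.native_vlan or vlan in self.tagged_vlans

# Matches Tunnel-Private-Group-ID, optionally tagged (":0"), with "=" or ":="
_GROUP_ID = re.compile(r'Tunnel-Private-Group-ID(?::\d+)?\s*:?=\s*"?(\d+)"?')

def assigned_vlans(users_text: str) -> dict[str, int]:
    """Map each user in the users file to the VLAN its reply attributes assign."""
    result, current = {}, None
    for line in users_text.splitlines():
        if line and not line[0].isspace():      # a new entry starts in column 0
            current = line.split()[0]
        m = _GROUP_ID.search(line)
        if m and current:
            result[current] = int(m.group(1))
    return result

def missing_vlans(profile: PortProfile, users_text: str) -> dict[str, int]:
    """Users whose assigned VLAN the port profile does not carry; their
    authenticated sessions would not land on a usable VLAN."""
    return {u: v for u, v in assigned_vlans(users_text).items() if not profile.allows(v)}
```

Run `missing_vlans(PortProfile("dot1x-auto", 1, {20, 30}), USERS_FILE)` to see that the printer's VLAN 40 is missing from the profile; add 40 to the profile's VLANs and the result becomes empty.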
