RADIUS Configuration
Configure how network devices communicate with Warden
RADIUS Basics
RADIUS (Remote Authentication Dial-In User Service) is the protocol your network devices use to authenticate users through Warden. When a user tries to connect, the device sends their credentials to Warden via RADIUS, and Warden responds with Accept or Reject.
Configuring Your Network Device
Every network device that sends RADIUS requests needs to be configured with:
- RADIUS Server IP: Warden's IP address. If Warden is behind a load balancer or NAT, use the external IP.
- Shared Secret: Must match exactly what you configured in Warden for this host or host group.
- Timeout: How long to wait for a response. 30 seconds minimum, 60+ if using 2FA push.
- Retries: Number of retry attempts. 1-3 is typical. Higher retries with 2FA can cause duplicate pushes.
Timeout and Retry Settings
Getting timeouts right is critical, especially with two-factor authentication. Here's what we recommend:
The #1 2FA problem: default timeouts (usually 5-10 seconds) are far too short for push notifications. Users don't have time to pull out their phone before the request times out, and every retransmission can trigger another push. Set both the Warden timeout and the device timeout to 60+ seconds for push-based 2FA.
See our detailed RADIUS timeout guide for vendor-specific instructions and more scenarios.
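To make the interplay between the device timeout, its retries and Warden's own timeout concrete, here is a small timeline model written for this page (it is not Warden code and does not describe Warden's internals; the scenario values are constructed). The device retransmits the same Access-Request every `device_timeout` seconds; the server pushes on each request it receives and answers once the user approves or its own timeout expires. The `server_dedups` flag models a server that recognises a retransmission of an in-flight request (RFC 5080 section 2.2.2 style duplicate detection) and does not push again; whether a given server does this is an assumption you should verify.

```python
def simulate_push_login(device_timeout, retries, server_timeout, approval_latency, server_dedups=False):
    """Timeline of one push-2FA login (constructed model, all times in seconds).

    The device sends the Access-Request at t=0 and retransmits it every
    device_timeout seconds, retries times, then gives up. The server pushes on
    the first request and answers at min(approval_latency, server_timeout):
    Accept if the user approved before the server's own timeout, else Reject.
    Without duplicate detection, every retransmission that arrives before that
    answer triggers another push. Returns (outcome seen by the device, pushes sent).
    """
    attempts = 1 + retries
    device_gives_up = attempts * device_timeout
    answer_time = min(approval_latency, server_timeout)
    answer = "accept" if approval_latency <= server_timeout else "reject"
    if server_dedups:
        pushes = 1  # a retransmission of an in-flight request is not treated as a new authentication
    else:
        pushes = sum(1 for n in range(attempts) if n * device_timeout < answer_time)
    outcome = answer if answer_time <= device_gives_up else "timeout"
    return outcome, pushes


# (device_timeout, retries, server_timeout, approval_latency); the user taps Approve after 40 s
SCENARIOS = {
    "vendor default 5 s / 3 retries": (5, 3, 60, 40),
    "device 60 s, Warden only 30 s": (60, 1, 30, 40),
    "both 60 s": (60, 1, 60, 40),
    "30 s with 2 retries": (30, 2, 60, 40),
}


def run_scenarios():
    """Outcome and push count for each constructed scenario."""
    return {name: simulate_push_login(*params) for name, params in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:32} -> {result}")
```

The first scenario is the classic failure: the device has given up after 20 seconds while the user is still reaching for the phone, and four pushes went out. Raising only the device timeout while Warden's stays at 30 seconds just converts the timeout into a Reject, which is why both need to be raised together.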
RADIUS Shared Secrets
The shared secret hides user passwords in RADIUS packets and is the key behind the packet authenticators, which is how Warden validates that requests come from authorized devices (and how a device validates Warden's replies). A few critical points:
- Use strong secrets - At least 16 random characters
- Unique per host/group - If one is compromised, others are safe
- Match exactly - Case-sensitive, watch for trailing spaces
- Avoid special characters - Some devices have issues with certain symbols
Good secrets:
Xk9mP2nQ8vL4wY6j
7hR3tB5nM9kL2pW4
Avoid:
password123
CompanyName2024
Use Warden's "Generate Secret" button to create cryptographically random secrets.
EAP Methods
EAP (Extensible Authentication Protocol) is used for 802.1X authentication. Warden supports the common EAP methods:
RADIUS Accounting
RADIUS accounting tracks user sessions - when they connect, disconnect, and how much data they transfer. Configure your devices to send accounting data to Warden on port 1813.
What Gets Logged
- Session start and stop times
- User identity and calling station (MAC address)
- Data transfer (bytes in/out)
- Disconnect reason
This data powers the dashboard analytics and audit reports. Even if you don't need accounting data now, enabling it is good practice.
Vendor-Specific Attributes (VSAs)
Beyond standard RADIUS attributes, many vendors support their own attributes for advanced features. Warden can return VSAs as part of Access-Accept responses.
Common VSA Uses
- Assign users to specific VLANs
- Set bandwidth limits
- Apply ACLs or firewall policies
- Enable/disable features on the network device
Configure VSAs in your policy response attributes or at the group level.
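The three sections above (shared secrets, accounting, VSAs) all come down to how RADIUS packets are built and checked. The following Python is an added example written for this page, not Warden's code: it hides a User-Password with the shared secret, adds the Message-Authenticator, builds an Access-Accept carrying a VLAN assignment (via the standard RFC 3580 Tunnel-* attributes) plus a genuine Vendor-Specific attribute (Cisco's enterprise number 9, AV-pair type 1), and builds and verifies an Accounting-Request Stop record with the fields listed under "What Gets Logged". All usernames, MACs, counters and session ids are constructed; the secret is one of the page's own examples. The verification functions show what a secret mismatch (here, a trailing space) looks like to the receiving side.

```python
import hashlib, hmac, os, secrets, string, struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2866 / RFC 2868 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, CALLING_STATION_ID = 1, 2, 26, 31
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 44, 46, 49
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # IANA enterprise number 9 and Cisco's AV-pair VSA type

def generate_secret(length=24):
    """Cryptographically random secret from letters and digits only (no symbols to upset devices)."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def attr(kind, value):
    """One Type-Length-Value attribute; Length counts the two header bytes too."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def int_attr(kind, value):
    return attr(kind, struct.pack("!I", value))

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-byte enterprise number, then the vendor's own TLV (RFC 2865 5.26)."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block). Obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_access_request(secret, ident, username, password):
    request_auth = os.urandom(16)
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed placeholder, kept last so it can be overwritten
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    # Message-Authenticator = HMAC-MD5(secret, packet with the attribute zeroed), RFC 2869 5.14
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest(), request_auth

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(packet, request_auth, secret):
    """True only if the reply was produced with our secret for our request; a mistyped secret fails."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def build_accounting_request(secret, ident, attrs):
    """Accounting-Request authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret), RFC 2866 3."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def verify_accounting_request(packet, secret):
    """What the server checks before logging; on a secret mismatch the packet is silently dropped."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header into {type: [value, ...]}."""
    attrs, i, length = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while i < length:
        kind, size = packet[i], packet[i + 1]
        attrs.setdefault(kind, []).append(packet[i + 2:i + size])
        i += size
    return attrs

def summarize_accounting(packet):
    """The fields an accounting log keeps: Start/Stop, session id, caller MAC, bytes, duration, reason."""
    a = parse_attributes(packet)
    num = lambda k: struct.unpack("!I", a[k][0])[0] if k in a else None
    return {"status": {1: "Start", 2: "Stop"}.get(num(ACCT_STATUS_TYPE)),
            "session_id": a[ACCT_SESSION_ID][0].decode(), "calling_station": a[CALLING_STATION_ID][0].decode(),
            "bytes_in": num(ACCT_INPUT_OCTETS), "bytes_out": num(ACCT_OUTPUT_OCTETS),
            "session_time": num(ACCT_SESSION_TIME), "terminate_cause": num(ACCT_TERMINATE_CAUSE)}

def demo():
    """Constructed exchange: one login, its Accept with VLAN/VSA attributes, and a Stop accounting record."""
    secret = b"Xk9mP2nQ8vL4wY6j"  # one of the page's example secrets
    request, request_auth = build_access_request(secret, 7, b"alice", b"correct horse")
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [
        int_attr(TUNNEL_TYPE, 13), int_attr(TUNNEL_MEDIUM_TYPE, 6),  # VLAN over IEEE 802 (RFC 3580)
        attr(TUNNEL_PRIVATE_GROUP_ID, b"20"),                        # VLAN 20
        vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"shell:priv-lvl=15")], secret)
    stop = build_accounting_request(secret, 8, [
        int_attr(ACCT_STATUS_TYPE, 2), attr(ACCT_SESSION_ID, b"0000004F"), attr(CALLING_STATION_ID, b"AA-BB-CC-11-22-33"),
        int_attr(ACCT_INPUT_OCTETS, 48213), int_attr(ACCT_OUTPUT_OCTETS, 951032),
        int_attr(ACCT_SESSION_TIME, 3600), int_attr(ACCT_TERMINATE_CAUSE, 1)])
    return {"accept_ok": verify_response(accept, request_auth, secret),
            "accept_trailing_space_secret": verify_response(accept, request_auth, secret + b" "),
            "vlan": parse_attributes(accept)[TUNNEL_PRIVATE_GROUP_ID][0].decode(),
            "acct_ok": verify_accounting_request(stop, secret),
            "acct_wrong_secret": verify_accounting_request(stop, b"password123"),
            "session": summarize_accounting(stop)}
```

Run `demo()` to see the checks: the Accept verifies with the right secret and fails with the same secret plus a trailing space, which is the "Access Reject (but credentials are correct)" symptom from the troubleshooting section seen from the wire. Note that a VLAN is normally carried in the standard Tunnel-* attributes rather than a VSA; the Cisco AV-pair shows what a real VSA looks like on the wire.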
Vendor Configuration Examples
Copy-paste these examples to configure your network devices to use Warden as a RADIUS server. Replace the IP address and shared secret with your values.
Cisco IOS syntax (login authentication):

radius server WARDEN
 address ipv4 10.1.1.100 auth-port 1812 acct-port 1813
 key YourSharedSecret
 timeout 30
aaa new-model
aaa authentication login default group radius local
aaa authorization network default group radius
aaa accounting network default start-stop group radius
Cisco IOS syntax (802.1X port authentication):

radius server WARDEN
 address ipv4 10.1.1.100 auth-port 1812 acct-port 1813
 key YourSharedSecret
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
Juniper Junos syntax (authentication and accounting), hierarchical form:

access {
    radius-server {
        10.1.1.100 {
            port 1812;
            secret "YourSharedSecret";
            source-address 10.1.1.1;
            timeout 30;
        }
    }
    profile WARDEN-AUTH {
        authentication-order radius;
        radius {
            authentication-server 10.1.1.100;
            accounting-server 10.1.1.100;
        }
    }
}
system {
    authentication-order [ radius password ];
}

The same configuration as set commands:

set access radius-server 10.1.1.100 port 1812
set access radius-server 10.1.1.100 secret "YourSharedSecret"
set access radius-server 10.1.1.100 source-address 10.1.1.1
set access radius-server 10.1.1.100 timeout 30
set access profile WARDEN-AUTH authentication-order radius
set access profile WARDEN-AUTH radius authentication-server 10.1.1.100
set access profile WARDEN-AUTH radius accounting-server 10.1.1.100
set system authentication-order [ radius password ]
Juniper Junos syntax (authentication only, no accounting server), hierarchical form:

access {
    radius-server {
        10.1.1.100 {
            port 1812;
            secret "YourSharedSecret";
            source-address 10.1.1.1;
            timeout 30;
        }
    }
    profile WARDEN-AUTH {
        authentication-order radius;
        radius {
            authentication-server 10.1.1.100;
        }
    }
}
system {
    authentication-order [ radius password ];
}

The same configuration as set commands:

set access radius-server 10.1.1.100 port 1812
set access radius-server 10.1.1.100 secret "YourSharedSecret"
set access radius-server 10.1.1.100 source-address 10.1.1.1
set access radius-server 10.1.1.100 timeout 30
set access profile WARDEN-AUTH authentication-order radius
set access profile WARDEN-AUTH radius authentication-server 10.1.1.100
set system authentication-order [ radius password ]
HPE ProCurve (ArubaOS-Switch) syntax:

radius-server host 10.1.1.100 key "YourSharedSecret"
radius-server timeout 30
aaa authentication login privilege-mode
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authorization commands radius local
aaa accounting exec start-stop radius
Aruba AOS-CX syntax:

radius-server host 10.1.1.100 key plaintext "YourSharedSecret"
radius-server host 10.1.1.100 timeout 30
aaa authentication login ssh-login group radius local
aaa accounting all-mgmt start-stop group radius
Extreme EXOS syntax:

configure radius primary server 10.1.1.100 1812 client-ip auto shared-secret YourSharedSecret
configure radius timeout 30
enable radius
enable radius-accounting
Ruckus ICX / Brocade FastIron syntax:

radius-server host 10.1.1.100 auth-port 1812 acct-port 1813 default key YourSharedSecret
radius-server timeout 30
aaa authentication login default radius local
aaa authentication enable default radius local
aaa accounting exec default start-stop radius
Fortinet FortiOS syntax:

config user radius
    edit "WARDEN"
        set server "10.1.1.100"
        set secret YourSharedSecret
        set timeout 30
        set auth-type auto
    next
end
config user group
    edit "RADIUS-USERS"
        set member "WARDEN"
    next
end
Palo Alto PAN-OS syntax:

set shared server-profile radius WARDEN server primary server 10.1.1.100
set shared server-profile radius WARDEN server primary port 1812
set shared server-profile radius WARDEN server primary secret YourSharedSecret
set shared server-profile radius WARDEN timeout 30
set shared server-profile radius WARDEN retries 3
Ubiquiti UniFi, in the UniFi Controller:
- Go to Settings → Profiles → RADIUS
- Click Create New RADIUS Profile
- Enter:
  - IP Address: 10.1.1.100
  - Port: 1812
  - Shared Secret: YourSharedSecret
- Apply to your network under Settings → Networks
MikroTik RouterOS syntax:

/radius add address=10.1.1.100 secret=YourSharedSecret service=login timeout=30s
/user aaa set use-radius=yes
Troubleshooting RADIUS
No Response / Timeout
- Check firewall rules (UDP 1812/1813 must be open)
- Verify the host IP in Warden matches the actual source IP
- Make sure Warden is running and healthy
- Check for NAT - the source IP might be translated
Access Reject (but credentials are correct)
- Shared secret mismatch - copy-paste to avoid typos
- User not in an allowed group for the policy
- 2FA required but not provided
- Account disabled or expired
Intermittent Failures
- Timeout too short (especially with 2FA)
- Network latency between device and Warden
- Device sending from multiple IPs (high-availability setup)
Use NAC Tracer to see exactly what happens during each authentication attempt.
What's Next?
- Add hosts with proper RADIUS configuration
- Configure response attributes
- Set up two-factor authentication