UniFi Controller — eduroam Setup

This guide covers creating an eduroam RADIUS profile and Wi-Fi network on a UniFi Network controller (tested on Network 8.4.x).

Prerequisites

  • FreeRADIUS is installed and operational at your institution
  • The KENET NRO team has provided you with the shared secret for your RADIUS client
  • Your UniFi controller can reach your FreeRADIUS server on UDP 1812 (auth) and UDP 1813 (accounting)

Step 1 — Navigate to the RADIUS Section

Open the UniFi Network Settings (gear icon, bottom-left of the sidebar):

  1. Click the Settings gear icon
  2. Click Profiles in the left sidebar
  3. Click the RADIUS tab at the top
  4. Click Create New

[Screenshot: UniFi — Navigate to RADIUS Profiles]


Step 2 — Create the eduroam RADIUS Profile

Fill in the new profile form:

| Field | Value |
|---|---|
| Name | eduroam |
| RADIUS Assigned VLAN Support — Wired Networks | Enabled ✓ |
| RADIUS Assigned VLAN Support — Wireless Networks | Enabled ✓ |
| Authentication Servers | Enter your FreeRADIUS server details |
| Authentication Port | 1812 |
| Shared Secret | Your RADIUS shared secret (e.g. welcome-kenet) |
| Click Add | Adds the auth server to the list |
| Accounting | Enabled ✓ |
| RADIUS Accounting Server IP | Same FreeRADIUS server IP |
| Accounting Port | 1813 |
| Accounting Shared Secret | Same shared secret |
| Click Add | Adds the accounting server |
| Click Apply Changes | Saves the profile |

[Screenshot: UniFi — eduroam RADIUS Profile settings]

The shared secret must match the secret configured for the UniFi controller in FreeRADIUS clients.conf.


Step 3 — Create the eduroam Wi-Fi Network

Go to WiFi in the left sidebar and click Create New:

| Field | Value |
|---|---|
| Name (SSID) | eduroam — must be exactly this |
| Advanced | Switch to Manual to reveal all options |

[Screenshot: UniFi — eduroam WiFi Network — name and advanced settings]

Scroll down to the security settings:

| Field | Value |
|---|---|
| Security Protocol | WPA2 Enterprise |
| RADIUS Profile | Select the eduroam profile created in Step 2 |
| Click Apply Changes | Saves the network — SSID starts broadcasting |

[Screenshot: UniFi — eduroam WiFi Network — security and RADIUS profile]

After applying changes, the eduroam SSID will be broadcast on all configured APs.


FreeRADIUS Client Entry

Add the UniFi controller's source IP as a RADIUS client in /etc/freeradius/3.0/clients.conf:

client unifi-controller {
    ipaddr     = <UniFi_controller_IP>
    secret     = <shared_secret>
    shortname  = unifi-eduroam
    nas_type   = other
}

Validate and reload:

freeradius -XC
systemctl reload freeradius
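
The secret entered in the UniFi RADIUS profile has to match a clients.conf entry that covers the address FreeRADIUS sees the requests coming from. The Python check below is an added example, not part of the original guide or of FreeRADIUS: it parses a constructed sample of clients.conf and reports when no entry covers a given source IP, or when the matching entry's secret is absent, short, or a published example value. The 16-character minimum, the sample address 192.0.2.10 and the function names are assumptions, and nested sub-sections inside a client block are not parsed.

```python
import ipaddress
import re

# Constructed sample of clients.conf; the addresses are documentation-range examples.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client unifi-controller {
    ipaddr     = 192.0.2.10
    secret     = welcome-kenet
}
"""
MIN_SECRET_LEN = 16  # assumption: local policy value, not a FreeRADIUS limit
# FreeRADIUS's stock sample secret plus the example value printed in this guide.
PUBLISHED_SECRETS = {"testing123", "welcome-kenet"}

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*("[^"]*"|[^\s#]+)', re.M)

def parse_clients(text):
    """Return {client_name: {key: value}} for each client block."""
    return {name: {k: v.strip('"') for k, v in KV_RE.findall(body)}
            for name, body in CLIENT_RE.findall(text)}

def covers(kv, addr):
    """True if the entry's ipaddr (single address or CIDR) includes addr."""
    try:
        net = ipaddress.ip_network(kv.get("ipaddr") or kv.get("ipv4addr") or "", strict=False)
    except ValueError:  # hostname, wildcard or missing value: not evaluated here
        return False
    return addr in net

def audit_source_ip(text, source_ip):
    """List problems with the client entries that match RADIUS packets from source_ip."""
    addr = ipaddress.ip_address(source_ip)
    matches = [(n, kv) for n, kv in parse_clients(text).items() if covers(kv, addr)]
    if not matches:
        return [f"no client entry covers {source_ip}"]
    findings = []
    for name, kv in matches:
        secret = kv.get("secret", "")
        if not secret:
            findings.append(f"{name}: no secret set")
        elif secret in PUBLISHED_SECRETS:
            findings.append(f"{name}: secret is a published example value")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"{name}: secret shorter than {MIN_SECRET_LEN} characters")
    return findings
```

An empty list from `audit_source_ip(open("/etc/freeradius/3.0/clients.conf").read(), "<source_ip>")` means the entry exists and its secret passed these checks; it does not prove the secret matches what was typed into the UniFi profile.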

Verification

  1. Connect a test device to the eduroam SSID
  2. Authenticate with institutional credentials (user@institution.ac.ke)
  3. Confirm Access-Accept in the FreeRADIUS log:

     tail -f /var/log/freeradius/radius.log

  4. Confirm the location appears on the eduroam map at eduroam.ac.ke