Hi all, my team is working on migrating from a flat network to multiple VLANs to segment off different departments. We currently have the following Unifi devices:
UDM Pro
1x USW Pro Aggregation
3x USW 48
1x USW 24 PoE
1x USW Flex Mini
1x U6+
2x U6 Lite
2x AC LR
We have the following networks created:
192.168.1.1/24 (LAN)
Inherited this, going to switch to 10.35.1.0/24
10.35.5.0/24 VLAN ID 5
10.35.10.0/24 VLAN ID 10
10.35.15.0/24 VLAN ID 15
10.35.20.0/24 VLAN ID 20
10.35.25.0/24 VLAN ID 25
10.35.30.0/24 VLAN ID 20
10.35.35.0/24 VLAN ID 35
10.35.40.0/24 VLAN ID 40
The plan was going to be setting VLANs on the switch ports for wired connections, and using the “Virtual Network Override” for wireless connections to assign devices to different Networks.
The problem we ran into was that we did what I mentioned above and we ran into a few main problems:
Some networks would not assign IP addresses; devices got a self-assigned 169.254 IP
APs kept cutting in and out
Some devices struggled to connect to the WiFi after using the “Virtual Network Override” feature.
Any help would be greatly appreciated, as I am not seeing anything obvious in the Network configurations and there were no firewall rules.
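A consistency check over a VLAN plan like the one listed above, added here as an example and not part of the original post or of any UniFi tooling: it takes a table of (label, CIDR, VLAN ID) rows, parses each subnet with Python's ipaddress module, and reports malformed CIDRs, addresses with host bits set, out-of-range or duplicated VLAN IDs, and overlapping subnets. The sample table is constructed from the networks in the post, with one deliberately malformed entry appended to exercise the CIDR check; the labels and the check_vlan_plan function name are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (label, CIDR, VLAN ID), with None meaning the untagged LAN.
# Rows mirror the plan in the post; the final row is a constructed typo.
PLANNED_NETWORKS = [
    ("LAN (current)", "192.168.1.1/24", None),
    ("LAN (planned)", "10.35.1.0/24", None),
    ("VLAN 5", "10.35.5.0/24", 5),
    ("VLAN 10", "10.35.10.0/24", 10),
    ("VLAN 15", "10.35.15.0/24", 15),
    ("VLAN 20", "10.35.20.0/24", 20),
    ("VLAN 25", "10.35.25.0/24", 25),
    ("VLAN 30", "10.35.30.0/24", 20),
    ("VLAN 35", "10.35.35.0/24", 35),
    ("VLAN 40", "10.35.40.0/24", 40),
    ("typo (constructed)", "192168.1.1/24", 45),
]


def check_vlan_plan(networks):
    """Return a list of (severity, message) findings for a VLAN/subnet plan.

    severity is "error" for something that will break or is ambiguous,
    "warn" for something that works but is probably not what was meant.
    """
    findings = []
    parsed = []  # (label, ip_network, vlan) for rows that parsed cleanly

    for label, cidr, vlan in networks:
        try:
            # strict=False accepts host bits (e.g. 192.168.1.1/24) so we can warn
            # about them instead of rejecting the row outright.
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(("error", f"{label}: '{cidr}' is not a valid CIDR"))
            continue
        if str(net) != cidr:
            findings.append(("warn", f"{label}: '{cidr}' has host bits set; "
                                     f"the network is {net}"))
        if vlan is not None and not 1 <= vlan <= 4094:
            findings.append(("error", f"{label}: VLAN ID {vlan} is outside 1-4094"))
        parsed.append((label, net, vlan))

    # One VLAN ID must map to exactly one network; a repeat is ambiguous
    # and typically means one of the two subnets never gets tagged traffic.
    by_vlan = defaultdict(list)
    for label, _net, vlan in parsed:
        if vlan is not None:
            by_vlan[vlan].append(label)
    for vlan, labels in sorted(by_vlan.items()):
        if len(labels) > 1:
            findings.append(("error", f"VLAN ID {vlan} is used by more than one "
                                      f"network: {', '.join(labels)}"))

    # Overlapping subnets confuse routing and DHCP scope selection.
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            la, na, _ = parsed[i]
            lb, nb, _ = parsed[j]
            if na.overlaps(nb):
                findings.append(("error", f"{la} ({na}) overlaps {lb} ({nb})"))

    return findings


if __name__ == "__main__":
    for severity, message in check_vlan_plan(PLANNED_NETWORKS):
        print(f"[{severity.upper()}] {message}")
```

Run it against an exported or hand-typed copy of the network list before touching switch ports; a clean run prints nothing, and every "error" line is something to resolve in the controller before wireless overrides or port profiles will behave predictably.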
A guess would be that some of the access points don’t have their ports they are plugged into set to “Allow All” in the port manager under “Tagged VLAN Management”
@LTS_Tom, thank you for getting back to me on this!
I just checked, and all APs have “Allow All” for their “Tagged VLAN Management” setting, and have LAN as their “Native VLAN/Network”.
Also, here is a screenshot of how the Networks are set up. They are all identical with the exception of the IP ranges obviously. Any other thoughts on what could be going wrong?
Maybe not having the ports the switches are plugged into set to “Allow All”?
I will also note that I have done no testing with the Virtual Network Override option. I generally only set up two SSIDs, one for business things and the other for everything else, and each simply goes to its own VLAN.
For security, I would not rely on network location to grant asset access. Instead, I would prioritize user permissions and device authentication, aligning with Zero Trust principles as laid out by NIST.
(Maybe I should do a video on that)