Unifi auth to pfSense RADIUS?

Anyone know if this is possible? Clearly the biggest security hole on any LAN is the WPA-Personal password. I would love to ditch WPA and only use RADIUS for those needing whole LAN wifi access. But I don’t want to run RADIUS from the CLI.
One customer’s setup: Unifi controller in the cloud and site with Unifi APs behind a Netgate 7100.
Is it possible to have RADIUS look to AD for user credentials? I tried following the OpenVPN/RADIUS vid instructions to set it up, but it ain’t working!

Tom, if this is a thing, a video would be fab!

It’s possible. It’s a bit complex, not sure when I will do a video on it.

Thanks Tom; is there another method you would prefer?

Yes, that WiFi not be part of any secure networks.

What I have is maybe not what you are looking for, but it would be an awesome video for Tom or Jay to make.

My WPA2-Enterprise or WPA2-EAP PEAP network:

I have a pfSense router. I have FreeRADIUS in a Proxmox CT with a MariaDB backend for RADIUS users and user groups. Every user group is assigned a VLAN ID. If I put user Bob in the Guest 1 group with a certain VLAN ID, he will be put in that VLAN when he logs in on my wifi network.

I have 4 separate WLAN networks (VLANs):
WLAN1 - Open / captive portal
WLAN2 - private
WLAN3 - Guests 1
WLAN4 - Guests 2

Each of the WLAN networks has different security rules, limitations and so on, tailored for the purpose of the users of that WLAN subnet in pfSense.

I use one wifi SSID for these dynamically assigned VLANs, so depending on who is logging in I can assign a VLAN to the user by putting this user in one of the user groups I made in the database. The other SSID I use is for the open / captive portal network WLAN1.

The connections with the FreeRADIUS server are over a TLS connection. For this I use a CA and server certificate created in the pfSense cert manager.
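
The group-to-VLAN mapping described in the post above, sketched against FreeRADIUS's default SQL schema (`radcheck`, `radusergroup`, `radgroupreply`). This is an added example, not the poster's configuration; the group names, VLAN IDs and password are constructed placeholders.

```sql
-- Added example. Tables and columns are those of the stock FreeRADIUS
-- MySQL/MariaDB schema; all values below are constructed placeholders.

-- One group per WLAN. The three reply attributes are the RFC 3580 tunnel
-- attributes an access point reads to place an 802.1X client into a VLAN.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('private', 'Tunnel-Type',             ':=', 'VLAN'),
  ('private', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('private', 'Tunnel-Private-Group-Id', ':=', '20'),
  ('guests1', 'Tunnel-Type',             ':=', 'VLAN'),
  ('guests1', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('guests1', 'Tunnel-Private-Group-Id', ':=', '30'),
  ('guests2', 'Tunnel-Type',             ':=', 'VLAN'),
  ('guests2', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('guests2', 'Tunnel-Private-Group-Id', ':=', '40');

-- Per-user credential. PEAP-MSCHAPv2 needs either Cleartext-Password or
-- NT-Password here; a salted hash cannot be used with MSCHAPv2.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('bob', 'Cleartext-Password', ':=', 'REPLACE-WITH-REAL-SECRET');

-- Group membership decides the VLAN: Bob lands in the Guests 1 VLAN.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('bob', 'guests1', 1);

-- Audit 1: effective VLAN per account. A NULL vlan_id means the user
-- authenticates but receives no VLAN attribute from RADIUS.
SELECT c.username, g.groupname, r.value AS vlan_id
FROM (SELECT DISTINCT username FROM radcheck) AS c
LEFT JOIN radusergroup  AS g ON g.username  = c.username
LEFT JOIN radgroupreply AS r ON r.groupname = g.groupname
                            AND r.attribute = 'Tunnel-Private-Group-Id'
ORDER BY c.username, g.priority;

-- Audit 2: accounts that sit in more than one VLAN-bearing group, where
-- the resulting VLAN depends on group priority and is easy to get wrong.
SELECT g.username, COUNT(DISTINCT r.value) AS vlan_count
FROM radusergroup  AS g
JOIN radgroupreply AS r ON r.groupname = g.groupname
                       AND r.attribute = 'Tunnel-Private-Group-Id'
GROUP BY g.username
HAVING COUNT(DISTINCT r.value) > 1;
```

Running the two audit queries after every membership change catches accounts that would otherwise join without an assigned VLAN or with an ambiguous one.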