terraform-provider-unifi/docs/resources/wlan.md
Mateusz Filipowicz b1688313c0 docs: improve provider documentation (#29)
* docs: improve provider documentation

* fix accidentally changed type of stormctrl_ucast_rate

* docs: add badges and plans to readme
2025-02-26 18:56:45 +01:00



unifi_wlan (Resource)

The unifi_wlan resource manages wireless networks (SSIDs) on UniFi access points.

This resource allows you to create and manage WiFi networks with various security options including WPA2, WPA3, and enterprise authentication. You can configure features such as guest policies, minimum data rates, band steering, and scheduled availability.

Each WLAN can be customized with different security settings, VLAN assignments, and client options to meet specific networking requirements.

Example Usage

variable "vlan_id" {
  default = 10
}

data "unifi_ap_group" "default" {
}

data "unifi_user_group" "default" {
}

resource "unifi_network" "vlan" {
  name    = "wifi-vlan"
  purpose = "corporate"

  subnet       = "10.0.0.1/24"
  vlan_id      = var.vlan_id
  dhcp_start   = "10.0.0.6"
  dhcp_stop    = "10.0.0.254"
  dhcp_enabled = true
}

resource "unifi_wlan" "wifi" {
  name       = "myssid"
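  passphrase = "12345678" # placeholder; supply a real key through a sensitive variable
  security   = "wpapsk"

  # WPA2/WPA3 transition mode: WPA3 is enabled, WPA2 clients can still connect, PMF is optional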
  wpa3_support    = true
  wpa3_transition = true
  pmf_mode        = "optional"

  network_id    = unifi_network.vlan.id
  ap_group_ids  = [data.unifi_ap_group.default.id]
  user_group_id = data.unifi_user_group.default.id
}

Schema

Required

  • name (String) The SSID (network name) that will be broadcast by the access points. Must be between 1 and 32 characters long.
  • security (String) The security protocol for the wireless network. Valid values are:
    • wpapsk - WPA Personal (PSK) with WPA2/WPA3 options
    • wpaeap - WPA Enterprise (802.1x)
    • open - Open network (no encryption)
  • user_group_id (String) The ID of the user group that defines the rate limiting and firewall rules for clients on this network.

Optional

  • ap_group_ids (Set of String) IDs of the AP groups that should broadcast this SSID. Used to control which access points broadcast this network.
  • bss_transition (Boolean) Enable BSS Transition Management to help clients roam between APs more efficiently. Defaults to true.
  • fast_roaming_enabled (Boolean) Enable 802.11r Fast BSS Transition for seamless roaming between APs. Requires client device support. Defaults to false.
  • hide_ssid (Boolean) When enabled, the access points will not broadcast the network name (SSID). Clients will need to manually enter the SSID to connect.
  • is_guest (Boolean) Mark this as a guest network. Guest networks are isolated from other networks and can have special restrictions like captive portals.
  • l2_isolation (Boolean) Isolates wireless clients from each other at layer 2 (ethernet) level. When enabled, devices on this WLAN cannot communicate directly with each other, improving security especially for guest networks or IoT devices. Each client can only communicate with the gateway/router. Defaults to false.
  • mac_filter_enabled (Boolean) Enable MAC address filtering to control network access based on client MAC addresses. Works in conjunction with mac_filter_list and mac_filter_policy.
  • mac_filter_list (Set of String) List of MAC addresses to filter in XX:XX:XX:XX:XX:XX format. Only applied when mac_filter_enabled is true. MAC addresses are case-insensitive.
  • mac_filter_policy (String) MAC address filter policy. Valid values are:
    • allow - Only allow listed MAC addresses
    • deny - Block listed MAC addresses
    Defaults to deny.
  • minimum_data_rate_2g_kbps (Number) Minimum data rate for 2.4GHz devices in Kbps. Use 0 to disable. Valid values: 1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, and 54000.
  • minimum_data_rate_5g_kbps (Number) Minimum data rate for 5GHz devices in Kbps. Use 0 to disable. Valid values: 6000, 9000, 12000, 18000, 24000, 36000, 48000, and 54000.
  • multicast_enhance (Boolean) Enable multicast enhancement to convert multicast traffic to unicast for better reliability and performance, especially for applications like video streaming.
  • network_id (String) ID of the network (VLAN) for this SSID. Used to assign the WLAN to a specific network segment.
  • no2ghz_oui (Boolean) When enabled, devices from specific manufacturers (identified by their OUI - Organizationally Unique Identifier) will be prevented from connecting on 2.4GHz and forced to use 5GHz. This improves overall network performance by ensuring capable devices use the less congested 5GHz band. Common examples include newer smartphones and laptops. Defaults to true.
  • passphrase (String, Sensitive) The WPA pre-shared key (password) for the network. Required when security is not set to open.
  • pmf_mode (String) Protected Management Frames (PMF) mode. It cannot be disabled if using WPA3. Valid values are:
    • required - All clients must support PMF (required for WPA3)
    • optional - Clients can optionally use PMF (recommended when transitioning from WPA2 to WPA3)
    • disabled - PMF is disabled (not compatible with WPA3)
    Defaults to disabled.
  • proxy_arp (Boolean) Enable ARP proxy on this WLAN. When enabled, the UniFi controller will respond to ARP requests on behalf of clients, reducing broadcast traffic and potentially improving network performance. This is particularly useful in high-density wireless environments. Defaults to false.
  • radius_profile_id (String) ID of the RADIUS profile to use for WPA Enterprise authentication (when security is 'wpaeap'). Reference existing profiles using the unifi_radius_profile data source.
  • schedule (Block List) Time-based access control configuration for the wireless network. Allows automatic enabling/disabling of the network on specified schedules. (see below for nested schema)
  • site (String) The name of the UniFi site where the wireless network should be created. If not specified, the default site will be used.
  • uapsd (Boolean) Enable Unscheduled Automatic Power Save Delivery to improve battery life for mobile devices. Defaults to false.
  • wlan_band (String) Radio band selection. Valid values:
    • both - Both 2.4GHz and 5GHz (default)
    • 2g - 2.4GHz only
    • 5g - 5GHz only
    Defaults to both.
  • wpa3_support (Boolean) Enable WPA3 security protocol. Requires security to be set to wpapsk and PMF mode to be enabled. WPA3 provides enhanced security features over WPA2.
  • wpa3_transition (Boolean) Enable WPA3 transition mode, which allows both WPA2 and WPA3 clients to connect. This provides backward compatibility while gradually transitioning to WPA3. Requires security to be set to wpapsk and wpa3_support to be true.

Read-Only

  • id (String) The unique identifier of the wireless network in the UniFi controller.

Nested Schema for schedule

Required:

  • day_of_week (String) Day of week. Valid values: sun, mon, tue, wed, thu, fri, sat.
  • duration (Number) Duration in minutes that the network should remain active.
  • start_hour (Number) Start hour in 24-hour format (0-23).

Optional:

  • name (String) Friendly name for this schedule block (e.g., 'Business Hours', 'Weekend Access').
  • start_minute (Number) Start minute (0-59). Defaults to 0.
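
An added example (not part of the provider's documentation) that applies the constraints listed in the schema: a WPA3-only SSID, which needs security set to wpapsk and pmf_mode set to required, and a guest SSID with layer 2 isolation that is active only on weekdays. The variable names, SSIDs and schedule times are assumptions; every argument used is one documented above.

```hcl
# Added example: variable names, SSIDs and schedule values are hypothetical.
variable "staff_passphrase" {
  type      = string
  sensitive = true
}

variable "guest_passphrase" {
  type      = string
  sensitive = true
}

data "unifi_ap_group" "default" {}
data "unifi_user_group" "default" {}

# WPA3-only: transition mode is off, so no WPA2 clients and PMF is required.
resource "unifi_wlan" "staff" {
  name       = "staff"
  security   = "wpapsk"
  passphrase = var.staff_passphrase

  wpa3_support    = true
  wpa3_transition = false
  pmf_mode        = "required"

  ap_group_ids  = [data.unifi_ap_group.default.id]
  user_group_id = data.unifi_user_group.default.id
}

# Guest SSID: clients isolated from each other, active 08:00 for 600 minutes on weekdays.
resource "unifi_wlan" "guest" {
  name         = "guest"
  security     = "wpapsk"
  passphrase   = var.guest_passphrase
  is_guest     = true
  l2_isolation = true

  dynamic "schedule" {
    for_each = ["mon", "tue", "wed", "thu", "fri"]
    content {
      name        = "Business Hours"
      day_of_week = schedule.value
      start_hour  = 8
      duration    = 600
    }
  }
  ap_group_ids  = [data.unifi_ap_group.default.id]
  user_group_id = data.unifi_user_group.default.id
}
```

Marking the variables as sensitive keeps the keys out of plan and apply output; they are still written to the Terraform state, so the state backend needs access control of its own.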

Import

Import is supported using the following syntax:

# import from provider configured site
terraform import unifi_wlan.mywlan 5dc28e5e9106d105bdc87217

# import from another site
terraform import unifi_wlan.mywlan bfa2l6i7:5dc28e5e9106d105bdc87217