This is a writeup of the UBNT article for setting up client access to the VPN L2TP server on the USG using the new Radius capability: https://help.ubnt.com/hc/en-us/articles/115005445768
The new wizards automatically setup the neccessary firewall openings for L2TP. Allowed internal networks are set to 0.0.0.0/0 which allows a client to access any IP range within your LAN. Updating these to proper ranges require CLI, if you are not fine with that.
First start and setup the built-in Radius service. If you run the controller in a container, you need to expose the ports to the host.
Create your user of choice and give it a password. Tag it for the specific usage tunnel type.
Choose a network range which is close to your LAN as some clients cannot route traffic to your local address range unless it falls wihtin /8. This step is important if you are using an iPhone or equivalent and not setting it up using the proper profile utility and instead is setting things up from the iPhone UI.
Here I’m using my local DNS service, since I want access to my internal LAN services.