Skip to main content
Skip to main content

Migration Guide

This guide walks you through migrating from an existing RADIUS solution to IronWiFi. Whether you are moving from Cisco ISE, FreeRADIUS, Microsoft NPS, or another RADIUS server, the process follows the same pattern: export your current data, set up IronWiFi, import users, test in parallel, and cut over.

Migration Overview

Typical migration timeline:

PhaseDurationActivities
Assessment1-2 daysDocument current setup, export data
IronWiFi setup1-2 daysCreate Networks, configure policies
User import1 dayImport users, verify attributes
Parallel testing3-7 daysRun both systems, validate
Cutover1-2 hoursSwitch access points to IronWiFi

Phase 1: Assess Your Current Environment

Before migrating, document what you have today.

Inventory checklist

Gather this information from your current RADIUS deployment:

  • User accounts -- Total count, usernames, email addresses, group memberships
  • Authentication methods -- PEAP-MSCHAPv2, EAP-TLS, PAP, MAC auth, etc.
  • RADIUS policies -- Bandwidth limits, session timeouts, VLAN assignments, time restrictions
  • Network equipment -- Access point models, controllers, switch configurations
  • Certificates -- CA certificates, server certificates, client certificates (for EAP-TLS)
  • Identity provider integrations -- Active Directory, LDAP, Azure AD, Okta
  • Captive portals -- Splash pages, customizations, authentication providers
  • Accounting/reporting -- Data retention requirements, compliance needs

Export your user data

From Cisco ISE

Export users from Cisco ISE's internal identity store:

  1. Navigate to Administration > Identity Management > Identities > Users
  2. Click Export to download the user list as CSV
  3. Note group memberships under Identity Groups
  4. Document authorization policies under Policy > Policy Sets

Key fields to capture:

From FreeRADIUS

Export users from the FreeRADIUS database:

From Microsoft NPS

Export NPS configuration and user data:

  1. Open Network Policy Server console
  2. Right-click NPS (Local) > Export Configuration to save as XML
  3. For user accounts stored in Active Directory, export with PowerShell:
  1. Document Network Policies under Policies > Network Policies -- note conditions, constraints, and RADIUS attributes for each policy

Map your policies

Create a mapping table between your current RADIUS policies and IronWiFi equivalents:

Current PolicyCurrent SettingIronWiFi Equivalent
Bandwidth limit
WISPr-Bandwidth-Max-Down := 5000000
Group reply attribute: 
WISPr-Bandwidth-Max-Down
Session timeout
Session-Timeout := 3600
Group reply attribute: 
Session-Timeout
VLAN assignment
Tunnel-Private-Group-ID := 100
Group reply attributes: 
Tunnel-Type
, 
Tunnel-Medium-Type
, 
Tunnel-Private-Group-ID
Time restriction
Login-Time := Mo-Fr0800-1700
User check attribute: 
Login-Time
Concurrent sessions
Simultaneous-Use := 1
User check attribute: 
Simultaneous-Use

IronWiFi uses standard RADIUS attributes, so most policies translate directly. See Attributes for the complete attribute reference.

Phase 2: Set Up IronWiFi

Create your account and Networks

  1. Register at console.ironwifi.com/register
  2. Create a Network for each region where you have access points
  3. Note the RADIUS server IPs, ports, and shared secret for each Network

See the Quick Start Guide for detailed setup instructions.

Configure Groups and Policies

Recreate your existing policies as IronWiFi Groups:

  1. Navigate to Users > Groups
  2. Create groups matching your current policy structure
  3. Add the corresponding RADIUS attributes to each group

Example: Recreating a "Standard Employee" policy:

  1. Create a group named "Standard Employee"
  2. Add reply attributes: 
    • Session-Timeout := 28800
      (8-hour session limit)
    • WISPr-Bandwidth-Max-Down := 10000000
      (10 Mbps download)
    • WISPr-Bandwidth-Max-Up := 5000000
      (5 Mbps upload)
    • Tunnel-Type := VLAN
    • Tunnel-Medium-Type := IEEE-802
    • Tunnel-Private-Group-ID := 100

See Groups for complete configuration options.

Set Up Identity Provider Integration

If your current RADIUS server authenticates against an external identity provider, configure the equivalent in IronWiFi:

Current IntegrationIronWiFi Solution
Active Directory (on-premises)Connector for AD sync
Microsoft Entra ID (Azure AD)SCIM provisioning or Connector
Google WorkspaceConnector for Google sync
OktaSCIM provisioning or Connector
LDAPConnector for LDAP sync
tip

If you currently authenticate against Active Directory using PEAP-MSCHAPv2, you can continue the same authentication flow with IronWiFi. Set up a Connector to sync AD users, and they will authenticate with their existing AD credentials.

Configure Captive Portals (if applicable)

If you are migrating a guest WiFi deployment with a captive portal:

  1. Navigate to Captive Portals in the IronWiFi Console
  2. Create a new captive portal linked to your Network
  3. Configure authentication methods (email, social login, vouchers)
  4. Customize the splash page to match your current branding
  5. Note the splash page URL and walled garden settings

See the Quick Start Guide for captive portal setup.

Phase 3: Import Users

Preparing your user data

Format your exported user data into a CSV file with these columns:

warning

If your current system stores only password hashes (NT-Password, MD5, etc.), you cannot migrate the plaintext passwords. Users will need to set new passwords, or you should connect IronWiFi to the same identity provider (AD, LDAP) so passwords continue to work.

Importing via the Console

For smaller deployments (under 100 users):

  1. Navigate to Users
  2. Click Add User for each user
  3. Enter username, email, and password
  4. Assign the appropriate group
  5. Click Save

Importing via the API

For larger deployments, use the REST API to automate user creation:

Example batch import script:

note

The API has a rate limit of 100 requests per minute. Add a brief delay between requests for large imports. See Rate Limiting for details.

Using Identity Provider Sync

If you are connecting to an identity provider instead of importing users manually, the sync handles user creation automatically:

  1. Configure the Connector or SCIM provisioning
  2. Run the initial sync
  3. Verify users appear in the IronWiFi Console
  4. Assign groups to synced users

Phase 4: Parallel Testing

Run IronWiFi alongside your existing RADIUS server before cutting over. This lets you validate that authentication works correctly without disrupting production.

Test strategy

  1. Reconfigure a test access point to point to IronWiFi's RADIUS servers
  2. Connect test devices and verify:
    • Authentication succeeds with correct credentials
    • Authentication fails with incorrect credentials
    • VLAN assignment works correctly
    • Bandwidth limits are applied
    • Session timeouts behave as expected
    • Captive portal redirects work (if applicable)
  3. Compare results between IronWiFi and your current system

Validation checklist

TestExpected ResultPass?
Valid user authenticatesAccess-Accept
Invalid password rejectedAccess-Reject
Disabled user rejectedAccess-Reject
VLAN assigned correctlyCorrect 
Tunnel-Private-Group-ID
in reply
Bandwidth limit appliedRate limiting active after authentication
Session timeout enforcedSession ends after configured duration
Accounting data recordedSessions appear in IronWiFi Reports
Captive portal redirectsSplash page loads correctly
EAP-TLS with client certCertificate authentication succeeds

Extending the parallel run

If initial tests pass, expand gradually:

  1. Add more access points to IronWiFi over several days
  2. Monitor Reports for unexpected rejections
  3. Set up monitoring for the IronWiFi RADIUS servers
  4. Keep your old RADIUS server running as a fallback

Phase 5: Cutover

Pre-cutover checklist

  • All users imported or synced to IronWiFi
  • Groups and policies recreated and tested
  • Parallel testing completed successfully for at least 3 days
  • Monitoring configured for IronWiFi RADIUS servers
  • Rollback plan documented (old RADIUS server details saved)
  • Maintenance window communicated to users

Cutover procedure

  1. Schedule during low-usage hours -- Early morning or weekend
  2. Reconfigure all access points to use IronWiFi RADIUS servers:
    • Update Primary RADIUS server IP and port
    • Update Backup RADIUS server IP and port
    • Update shared secret
    • Keep accounting configuration updated too
  3. Verify authentication -- Connect a test device from each location
  4. Monitor reports -- Watch for rejections in the IronWiFi Console for the first hour
  5. Confirm success -- All users connecting without issues

Rollback plan

If critical issues arise during cutover:

  1. Revert access point RADIUS settings to the old server
  2. Investigate failures in IronWiFi authentication reports
  3. Resolve the issue and schedule another cutover attempt
warning

Keep your old RADIUS server running and accessible for at least 2 weeks after cutover. This gives you a fast rollback option while you validate the new setup in production.

Source-Specific Notes

Migrating from Cisco ISE

  • ISE authorization policies map to IronWiFi Groups with reply attributes
  • ISE identity groups map to IronWiFi Groups
  • ISE profiling policies (device type detection) can be replicated using MAC-based attributes
  • ISE guest portals map to IronWiFi Captive Portals
  • ISE posture assessment is not available in IronWiFi -- evaluate whether you need it

Migrating from FreeRADIUS

  • FreeRADIUS 
    radcheck
    and 
    radreply
    tables map directly to IronWiFi user check and reply attributes
  • FreeRADIUS 
    radgroupcheck
    and 
    radgroupreply
    map to IronWiFi Group attributes
  • Custom FreeRADIUS modules (e.g., 
    rlm_python
    , 
    rlm_perl
    ) need to be replaced with IronWiFi API integrations or webhooks
  • FreeRADIUS 
    unlang
    policies need to be recreated as IronWiFi attribute-based rules

Migrating from Microsoft NPS

  • NPS Network Policies map to IronWiFi Groups
  • NPS Connection Request Policies are handled automatically by IronWiFi's RADIUS infrastructure
  • If NPS authenticates against Active Directory, set up an IronWiFi Connector for AD sync
  • NPS RADIUS client configurations (access points) need to be updated to point to IronWiFi
  • NPS accounting logs are replaced by IronWiFi Reports

Post-Migration Tasks

After a successful cutover:

  1. Monitor closely for 2 weeks -- Check authentication reports daily for unexpected rejections
  2. Update documentation -- Record IronWiFi RADIUS server details in your network documentation
  3. Set up long-term monitoring -- Configure monitoring and alerting
  4. Decommission old server -- After 2-4 weeks of stable operation, decommission the old RADIUS server
  5. Train your team -- Ensure network administrators know how to manage users and policies in the IronWiFi Console

Was this page helpful?