OpenRoaming Troubleshooting

Overview

This guide covers common issues with OpenRoaming deployments using IronWiFi, including federation connectivity, RadSec certificate problems, roaming failures across providers, and device-specific behavior. OpenRoaming builds on Passpoint, so issues may span both layers.

Quick Reference

Symptom | Likely Cause | Section
RadSec connection fails | Certificate or firewall issue | RadSec Connectivity Issues
Device does not auto-connect | Roaming consortium OI mismatch | Roaming Failures
Authentication rejected during roaming | Federation routing or credential issue | Federation Authentication Errors
Intermittent roaming drops | RadSec timeout or DNS resolution | Intermittent Connectivity
Certificate errors in logs | Expired or untrusted RadSec certificate | Certificate Issues
ANQP query failures | AP configuration incomplete | AP Configuration Issues

RadSec Connectivity Issues

RadSec Connection Refused

Symptoms: The access point or RADIUS proxy cannot establish a RadSec (RADIUS over TLS) connection to IronWiFi.

Diagnostic Steps:

  1. Verify network connectivity from the AP or RADIUS proxy to radsec.ironwifi.com on TCP port 2083.
  2. Check firewall rules:

    Direction | Protocol | Port | Destination
    Outbound | TCP | 2083 | radsec.ironwifi.com
    Outbound | TCP | 443 | *.ironwifi.com (for certificate validation)
  3. Verify DNS resolution of radsec.ironwifi.com from the AP or RADIUS proxy.
Warning: Some corporate firewalls perform TLS inspection (MITM) that breaks RadSec mutual authentication. Exclude radsec.ironwifi.com from any TLS inspection policies.

RadSec TLS Handshake Failure

Symptoms: TCP connection succeeds but the TLS handshake fails with errors like ssl_error_handshake_failure or certificate_unknown.

Resolution:

  1. Check the client certificate:

    • The RadSec client (your AP or RADIUS proxy) must present a valid client certificate
    • The certificate must be signed by a CA that IronWiFi trusts
    • Download the correct client certificate from the IronWiFi Console: Navigate to Networks > select network > RadSec tab
  2. Verify the certificate chain is complete (client certificate, intermediate CA certificate(s), and root CA); see Certificate Chain Incomplete below.
  3. Check TLS version compatibility:

    • IronWiFi requires TLS 1.2 or higher
    • Older equipment may default to TLS 1.0/1.1, which is rejected
  4. Verify the server certificate trust:

    • Your RadSec client must trust the IronWiFi RadSec server certificate
    • Install the IronWiFi CA certificate in your client's trust store

RadSec Connection Drops

Symptoms: RadSec connection establishes successfully but drops periodically, causing authentication failures.

Causes and Solutions:

Cause | Solution
TCP keepalive not configured | Enable TCP keepalive on the RadSec client (interval: 30 seconds)
Firewall idle timeout | Set firewall idle timeout for port 2083 to at least 300 seconds
NAT session expiry | Ensure NAT devices maintain the session; use keepalive to prevent expiry
Client certificate expiring soon | Check certificate validity and renew before expiration
Network instability | Implement RadSec reconnection logic with exponential backoff
Tip: Configure both primary and secondary RadSec endpoints on your access point or RADIUS proxy for redundancy. If the primary connection drops, the client should automatically fail over to the secondary.


Roaming Failures

Device Does Not Discover OpenRoaming Network

Symptoms: A user with valid OpenRoaming credentials from their home provider does not see or auto-connect to your OpenRoaming-enabled network.

Diagnostic Checklist:

  1. Verify Passpoint/Hotspot 2.0 is enabled on the AP:

    • Log in to your AP controller
    • Confirm Hotspot 2.0 is enabled on the SSID
    • Check that the SSID broadcasts ANQP advertisements
  2. Verify Roaming Consortium OI:

    • The AP must advertise the correct OpenRoaming OI
    • Standard OpenRoaming OIs: 5A03BA0000 (settled), 004096 (unsettled)
    • Verify in the AP configuration that these OIs are included
  3. Verify NAI realm configuration:

    • The NAI realm must include the correct EAP methods
    • For OpenRoaming: EAP-TLS and/or EAP-TTLS
  4. Check ANQP response:

    • Use a WiFi analyzer to verify the AP responds to ANQP queries
    • Verify the domain name list includes your authorized domain

Roaming User Fails to Authenticate

Symptoms: A roaming user's device discovers the network and attempts to connect, but authentication is rejected.

Resolution:

  1. Check the federation routing in IronWiFi:

    • Navigate to Networks > select network > OpenRoaming tab
    • Verify that OpenRoaming federation is enabled
    • Confirm the RadSec connection to the OpenRoaming hub is active
  2. Review authentication logs:

    • Navigate to Logs > Authentication Logs
    • Filter by the time range when the roaming attempt occurred
    • Look for the roaming user's realm (the domain after @ in their identity)
  3. Common federation routing errors:

    Error | Cause | Fix
    no matching realm | Incoming realm not routed | Verify OpenRoaming federation is active in network settings
    proxy timeout | Home IdP unreachable | Issue is with the user's home identity provider; nothing to fix on your side
    access reject from proxy | Home IdP rejected credentials | The user needs to verify credentials with their home provider
    certificate chain untrusted | RadSec cert not in federation trust | Verify your RadSec certificate is issued by a WBA-trusted CA
  4. Verify WBA (Wireless Broadband Alliance) federation status:

    • Your IronWiFi account must be registered with the WBA OpenRoaming federation
    • Contact IronWiFi support to verify your federation enrollment status

Local Users Cannot Connect After OpenRoaming Enabled

Symptoms: Enabling OpenRoaming on a network causes existing local users to lose connectivity.

Resolution:

  1. Verify the SSID configuration supports both local and roaming users:
    • The SSID should accept both local RADIUS authentication and federated OpenRoaming authentication
  2. Check that the NAI realm includes your local realm in addition to OpenRoaming realms
  3. Verify the RADIUS server configuration has not been overwritten by RadSec settings:
    • Local users should still authenticate via standard RADIUS
    • Roaming users authenticate via RadSec/federation

Federation Authentication Errors

Realm Routing Failures

Symptoms: Authentication logs show realm-based routing errors for roaming users.

Understanding Realm Routing:

The realm is the part of the user's identity after the @. IronWiFi routes each request by realm: requests for your own (local) realm are handled by local RADIUS, and requests for any other realm are proxied over RadSec to the OpenRoaming federation, which forwards them to the user's home identity provider (IdP).

Common Issues:

  1. Realm not found in federation:

    • The user's home provider may not be part of the OpenRoaming federation
    • The user should contact their home provider to verify OpenRoaming participation
  2. Realm routing loop:

    • Check that your network is not routing requests for your own realm through the federation
    • Local realm requests should be handled locally, not proxied
  3. Timeout waiting for home IdP:

    • The home identity provider is slow or unreachable
    • IronWiFi's RADIUS proxy has a federation timeout (default: 10 seconds)
    • If timeouts are frequent for a specific realm, the issue is on the home IdP side
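
The routing decision described above, and the "filter by realm" step from the authentication-log review, as an added example script (not IronWiFi's own tooling). route_realm parses the realm out of an NAI and decides between local handling, federation, or rejection when no realm is present; reject_by_realm groups rejected authentications by realm and reason so the realm behind frequent proxy timeouts stands out. The local realm name venue.example and the log line format are constructed for this example and are not IronWiFi's.

```shell
#!/usr/bin/env bash
# realm_triage.sh: added example script, not IronWiFi's own tooling.
# Two pieces of the realm-routing picture from this section: the routing
# decision a RADIUS proxy makes from the NAI realm, and a per-realm summary of
# rejected authentications so the noisiest realm stands out. The log format is
# constructed for this example and is not IronWiFi's log format; the local
# realm name is an assumption.
set -u

LOCAL_REALM="${LOCAL_REALM:-venue.example}"   # assumption: your own realm

# nai_realm IDENTITY: prints the realm (text after the last '@'), lower-cased
# because realms are matched case-insensitively; prints nothing if absent.
nai_realm() {
  case "$1" in
    *@*) printf '%s\n' "${1##*@}" | tr 'A-Z' 'a-z' ;;
    *)   ;;
  esac
}

# route_realm IDENTITY: prints one of
#   local       handled by local RADIUS; never proxied, so your own realm cannot
#               loop back through the federation
#   federation  forwarded over RadSec to the OpenRoaming hub for the home IdP
#   reject      no realm in the identity, nothing to route on
route_realm() {
  realm="$(nai_realm "$1")"
  if [ -z "$realm" ]; then
    echo reject
  elif [ "$realm" = "$LOCAL_REALM" ]; then
    echo local
  else
    echo federation
  fi
}

# Constructed sample log lines: TIMESTAMP RESULT IDENTITY REASON...
SAMPLE_LOG='2024-01-01T10:00:01Z REJECT alice@idp-a.example proxy timeout
2024-01-01T10:00:05Z ACCEPT bob@idp-b.example ok
2024-01-01T10:00:09Z REJECT carol@IDP-A.example proxy timeout
2024-01-01T10:00:12Z REJECT dave@venue.example no matching realm
2024-01-01T10:00:20Z REJECT erin@idp-a.example proxy timeout
2024-01-01T10:00:25Z ACCEPT frank@idp-c.example ok'

# reject_by_realm: reads log lines on stdin and prints "count<TAB>realm<TAB>reason",
# most frequent first. Repeated "proxy timeout" for one foreign realm points at
# that home IdP; any reject for the local realm points at your own routing.
reject_by_realm() {
  awk '$2 == "REJECT" {
         id = $3; sub(/^.*@/, "", id); realm = tolower(id)
         reason = $4; for (i = 5; i <= NF; i++) reason = reason " " $i
         count[realm "\t" reason]++
       }
       END { for (k in count) print count[k] "\t" k }' | sort -rn
}

# Usage: ./realm_triage.sh demo
if [ "${1:-}" = "demo" ]; then
  for id in alice@idp-a.example Dave@Venue.Example anonymous; do
    echo "$id -> $(route_realm "$id")"
  done
  printf '%s\n' "$SAMPLE_LOG" | reject_by_realm
fi
```

To run it over real export data, replace SAMPLE_LOG with your own log lines in the same four-field shape, or adapt the awk field numbers to the columns your export uses. A reject whose realm equals LOCAL_REALM is the routing-loop case from item 2 above; a large proxy-timeout count for one foreign realm is item 3, and is on the home IdP side.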

Attribute Filtering Issues

Symptoms: Roaming user connects but does not receive expected VLAN, bandwidth, or session attributes.

Resolution:

  1. Understand attribute precedence for roaming users:

    • The home IdP may send reply attributes in the Access-Accept
    • Your local network policy may also define attributes
    • Local policy attributes typically override home IdP attributes
  2. Configure local policies for roaming users:

    • Create a group in IronWiFi specifically for OpenRoaming users
    • Assign bandwidth limits, VLAN, and session attributes to this group
    • This ensures consistent policy regardless of what the home IdP sends

Certificate Issues

RadSec Certificate Expired

Symptoms: RadSec connections fail with certificate has expired errors in logs.

Resolution:

  1. Check the expiration date of the RadSec client certificate installed on your AP or RADIUS proxy.
  2. Generate a new certificate request or download a renewed certificate:
    • Navigate to Networks > select network > RadSec tab
    • Download the new client certificate
    • Install it on your AP or RADIUS proxy
    • Restart the RadSec service

Warning: Set a calendar reminder to renew RadSec certificates at least 30 days before expiration. An expired certificate immediately stops all authentication for the affected network.

Certificate Chain Incomplete

Symptoms: TLS handshake fails with unable to verify certificate chain or unknown CA.

Resolution:

  1. Ensure the full certificate chain is installed on the RadSec client:

    • Client certificate
    • Intermediate CA certificate(s)
    • Root CA certificate (in the trust store)
  2. Verify the chain validates against the installed intermediate and root CA certificates.
  3. Some APs require the chain to be in a single PEM file. Concatenate in order: client certificate, then intermediate CA certificate(s), then the root CA certificate.

WBA Trust Anchor Issues

Symptoms: Your RadSec certificate is valid but the OpenRoaming hub rejects it because it is not issued by a WBA-trusted Certificate Authority.

Resolution:

  1. OpenRoaming requires certificates issued by a WBA-approved CA
  2. Self-signed or internally-issued certificates are not accepted in the federation
  3. Contact IronWiFi support to obtain a properly issued RadSec certificate for OpenRoaming
  4. Verify your certificate includes the correct Extended Key Usage (EKU) for RadSec:
    • id-kp-serverAuth for server certificates
    • id-kp-clientAuth for client certificates
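
The certificate steps in this section (the 30-day expiry check, chain verification, building a single PEM bundle in order, and confirming the EKU) as an added example script; it is not IronWiFi's own tooling and uses only standard openssl subcommands. File names such as client.pem, intermediate.pem and ironwifi-ca.pem are assumptions, since the guide does not name any paths; the 30-day margin and the client -> intermediate -> root order come from the text above.

```shell
#!/usr/bin/env bash
# radsec_cert_check.sh: added example script, not IronWiFi's own tooling.
# Implements the certificate steps from this page: expiry check with the 30-day
# renewal margin, full-chain verification, building a single PEM bundle in the
# order client -> intermediate(s) -> root, and confirming the EKU the federation
# expects. File names are assumptions; the page does not name any paths.
set -u

RENEW_MARGIN_DAYS=30   # from the page: renew at least 30 days before expiration

# cert_expiry_ok CERT [DAYS]: returns 0 if CERT is still valid DAYS from now,
# 1 if it expires inside that window (time to renew).
cert_expiry_ok() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-$RENEW_MARGIN_DAYS} * 86400 ))
}

# cert_not_after CERT: prints the notAfter date, for the renewal calendar entry.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# verify_chain CA_BUNDLE CERT [INTERMEDIATES]: verifies CERT up to a root in
# CA_BUNDLE; intermediates that are not in the trust store go in INTERMEDIATES.
# "unable to get local issuer certificate" here means the chain is incomplete.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else
    openssl verify -CAfile "$1" "$2"
  fi
}

# build_bundle OUT PEM...: concatenates PEM files in the given order into OUT
# and prints how many certificates the bundle contains. Each input gets a
# trailing newline if it lacks one, so BEGIN lines never run together.
build_bundle() {
  out="$1"; shift
  : > "$out"
  for pem in "$@"; do
    cat "$pem" >> "$out"
    if [ -n "$(tail -c1 "$pem")" ]; then printf '\n' >> "$out"; fi
  done
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# eku_from_text ROLE: reads `openssl x509 -text` output on stdin; returns 0 if
# the Extended Key Usage for ROLE (client = id-kp-clientAuth,
# server = id-kp-serverAuth) is present.
eku_from_text() {
  case "$1" in
    client) want='TLS Web Client Authentication' ;;
    server) want='TLS Web Server Authentication' ;;
    *) echo "role must be client or server" >&2; return 2 ;;
  esac
  sed -n '/X509v3 Extended Key Usage/{n;p;}' | grep -q "$want"
}

# cert_has_eku CERT ROLE: runs the EKU check against a PEM file.
cert_has_eku() {
  openssl x509 -in "$1" -noout -text | eku_from_text "$2"
}

# Usage: ./radsec_cert_check.sh check client.pem intermediate.pem ironwifi-ca.pem
if [ "${1:-}" = "check" ]; then
  [ $# -eq 4 ] || { echo "usage: $0 check CLIENT.pem INTERMEDIATE.pem CA.pem" >&2; exit 2; }
  echo "client cert expires: $(cert_not_after "$2")"
  if cert_expiry_ok "$2"; then echo "expiry: ok (more than ${RENEW_MARGIN_DAYS} days left)"; else echo "expiry: RENEW NOW"; fi
  verify_chain "$4" "$2" "$3"
  if cert_has_eku "$2" client; then echo "EKU: clientAuth present"; else echo "EKU: clientAuth MISSING"; fi
  echo "bundle: $(build_bundle radsec-bundle.pem "$2" "$3" "$4") certificates written to radsec-bundle.pem"
fi
```

cert_expiry_ok relies on openssl x509 -checkend, which exits non-zero when the certificate will expire within the given number of seconds, so the same function drives both the renewal reminder and a monitoring check. verify_chain with the intermediate passed as -untrusted reproduces what the RadSec server does when it validates your client certificate: if it fails here, the federation will reject the certificate too.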

Intermittent Connectivity

Periodic Authentication Failures for Roaming Users

Symptoms: Roaming users experience periodic failures (every few minutes/hours) followed by successful reconnection.

Causes and Solutions:

Cause | Solution
RadSec connection flapping | Check network stability; enable TCP keepalive
DNS TTL too short | Use a stable DNS resolver; increase TTL for RadSec endpoints
Session-Timeout causing re-auth | Increase Session-Timeout for OpenRoaming user group
OCSP/CRL lookup delays | Cache CRL locally; use OCSP stapling if available
Home IdP intermittent failures | Out of your control; ensure retry logic is in place

Slow Roaming Between APs

Symptoms: Device takes a long time to roam between access points on the same OpenRoaming network, causing brief connectivity gaps.

Resolution:

  1. Enable 802.11r (Fast BSS Transition) on your APs if supported
  2. Enable 802.11k (Neighbor Reports) to help devices make better roaming decisions
  3. Ensure all APs in the roaming domain use the same RADIUS configuration
  4. Verify the PMK (Pairwise Master Key) caching is configured on the AP controller
  5. Reduce RADIUS re-authentication on roam by enabling session caching

AP Configuration Issues

ANQP Configuration Errors

Symptoms: Devices do not discover the network as OpenRoaming-capable.

Vendor-Specific ANQP Verification:

Refer to the vendor-specific OpenRoaming guides for detailed configuration:

Vendor | Guide
Cisco Meraki | Meraki OpenRoaming
Ubiquiti UniFi | UniFi OpenRoaming
Aruba | Aruba RadSec
Ruckus | Ruckus RadSec
MikroTik | MikroTik OpenRoaming
Cambium | Cambium OpenRoaming
TP-Link Omada | TP-Link OpenRoaming
Teltonika | Teltonika OpenRoaming
Mist (Juniper) | Mist RadSec
FortiGate | FortiGate RadSec

Common ANQP Configuration Mistakes:

  1. Missing Roaming Consortium OI -- The OpenRoaming OI must be advertised. Without it, devices cannot identify the network as OpenRoaming-capable.
  2. Wrong NAI Realm EAP methods -- The realm must list the EAP methods you actually support.
  3. Domain Name mismatch -- The domain name in ANQP must match your registered OpenRoaming domain.
  4. Venue Info missing -- While optional, missing venue info may cause issues with some device implementations.

RADIUS and RadSec Dual Configuration

Symptoms: AP needs to handle both local RADIUS authentication and federated RadSec for OpenRoaming.

Recommended Architecture:

Some APs support dual configuration natively (RADIUS for local, RadSec for federation). Others require a RADIUS proxy. Check your AP vendor documentation for the recommended approach.


Diagnostic Commands

Verifying RadSec Connectivity
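
As an added example (not IronWiFi's own tooling), the following script performs the checks from the RadSec Connectivity Issues section in order: DNS resolution, a TCP connect to port 2083, and a mutual-TLS handshake with openssl s_client. Only the hostname radsec.ironwifi.com and port 2083 come from this guide; the client certificate, private key and IronWiFi CA bundle are assumed to be PEM files passed on the command line. classify_handshake maps OpenSSL's own verify return codes and TLS alert messages to the section of this guide that covers each fault.

```shell
#!/usr/bin/env bash
# radsec_probe.sh: added example script, not IronWiFi's own tooling.
# Walks the RadSec checks from this page in order: DNS resolution, TCP
# reachability of port 2083, then a mutual-TLS handshake, and turns the
# handshake transcript into a pointer to the relevant troubleshooting section.
# Assumptions (not stated on the page): the client certificate, private key and
# IronWiFi CA bundle are PEM files whose paths are passed on the command line.
set -u

RADSEC_HOST="${RADSEC_HOST:-radsec.ironwifi.com}"
RADSEC_PORT="${RADSEC_PORT:-2083}"

# probe_dns HOST: prints the resolved addresses, one per line; fails if none.
probe_dns() {
  getent ahosts "$1" | awk '{ print $1 }' | sort -u | grep .
}

# probe_tcp HOST PORT: plain TCP connect with a 5 s timeout (bash /dev/tcp).
probe_tcp() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# probe_tls HOST PORT CERT KEY CAFILE: attempts the handshake the AP would
# perform and prints the full s_client transcript for classification.
probe_tls() {
  openssl s_client -connect "$1:$2" -servername "$1" \
    -cert "$3" -key "$4" -CAfile "$5" </dev/null 2>&1
}

# classify_handshake: reads an s_client transcript on stdin and prints one line
# naming the likely fault and the section of this guide that covers it.
# Server alerts are checked first: they mean the server rejected us even when
# our own verification of the server chain reported 0 (ok).
classify_handshake() {
  out="$(cat)"
  code="$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)"
  if printf '%s\n' "$out" | grep -qiE 'alert (protocol version|handshake failure)'; then
    echo "tls_handshake: server refused the handshake; check TLS 1.2+ and that a client certificate is configured (RadSec TLS Handshake Failure)"
  elif printf '%s\n' "$out" | grep -qiE 'alert (unknown ca|certificate unknown|bad certificate|certificate expired)'; then
    echo "client_cert: server rejected our client certificate; check its issuing CA and validity (Certificate Issues)"
  elif [ -z "$code" ]; then
    echo "no_tls: no TLS session; check DNS, the TCP/2083 firewall rule and TLS inspection (RadSec Connection Refused)"
  else
    case "$code" in
      0)       echo "ok: mutual TLS established" ;;
      9|10)    echo "expired: the server chain failed local validity checks; also check your own client certificate (RadSec Certificate Expired)" ;;
      2|20|21) echo "chain: intermediate or root missing from the local trust store (Certificate Chain Incomplete)" ;;
      18|19)   echo "self_signed: unexpected self-signed chain; suspect TLS inspection on the path (RadSec Connection Refused)" ;;
      *)       echo "verify_error_$code: consult the openssl verify documentation for this code" ;;
    esac
  fi
}

# Usage: ./radsec_probe.sh run client.pem client.key ironwifi-ca.pem
if [ "${1:-}" = "run" ]; then
  [ $# -eq 4 ] || { echo "usage: $0 run CLIENT.pem CLIENT.key CA.pem" >&2; exit 2; }
  echo "DNS:"; probe_dns "$RADSEC_HOST" || echo "  (no A/AAAA records)"
  if probe_tcp "$RADSEC_HOST" "$RADSEC_PORT"; then echo "TCP $RADSEC_PORT: open"; else echo "TCP $RADSEC_PORT: blocked or refused"; fi
  probe_tls "$RADSEC_HOST" "$RADSEC_PORT" "$2" "$3" "$4" | classify_handshake
fi
```

Run it from the same network segment as the AP or RADIUS proxy so that any firewall or TLS-inspection device on that path is exercised. A verify return code of 18 or 19 while using the genuine IronWiFi CA bundle is the signature of the TLS inspection described in the warning under RadSec Connection Refused; a code of 20 or 21 means the local trust store lacks an intermediate or root.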

Checking OpenRoaming AP Advertisement

Use a WiFi scanning tool to verify the AP broadcasts the correct information:

  1. Roaming Consortium OIs -- Should include 5A03BA0000 and/or 004096
  2. NAI Realm -- Should list supported EAP methods
  3. Domain Name -- Should match your registered OpenRoaming domain
  4. Hotspot 2.0 Indication -- Must be present in the beacon/probe response

IronWiFi Console Diagnostics

  1. Authentication Logs: Navigate to Logs > Authentication Logs -- filter by realm to see federation traffic
  2. RadSec Status: Navigate to Networks > select network > RadSec tab -- view connection status
  3. Federation Status: Check whether the OpenRoaming hub connection is active
