Aruba Central OpenRoaming configuration with RadSec

Prerequisites

  1. Access to the Aruba Central dashboard as a user with administrative privileges.
  2. Access to the IronWiFi Management Console - Sign in or Open Account
  3. RadSec enabled on your Network as detailed here (you will need to download the certificate bundle)
  4. OpenRoaming profile installed on your device(s) - see here for the Passpoint installation information. The OpenRoaming profile can be generated by visiting the OSU Page here.

Extract the zip file containing the two CA certificates, the Client Certificate and the Client Key.
Concatenate the Client Certificate and Client Key, either with the cat command on Linux or by pasting the key below the Client Certificate in a text editor, and save the result as a new file with a .pem extension.
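The concatenation step above as a shell sketch; this is an added example, not code from IronWiFi or Aruba, and the function names and file names (client.crt, client.key, radsec-client.pem) are assumptions. It guards against swapped inputs, a missing trailing newline in the certificate file, and a world-readable output file, and offers an optional openssl check that the key belongs to the certificate.

```sh
#!/bin/sh
# Added example. File names passed in are placeholders, not the names used
# inside the IronWiFi certificate bundle.

# build_radsec_pem CERT KEY OUT
# Writes the client certificate followed by the client key to OUT.
build_radsec_pem() {
    cert=$1; key=$2; out=$3
    # Catch swapped or wrong files before anything is written.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "no certificate found in $cert" >&2; return 1; }
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" ||
        { echo "no private key found in $key" >&2; return 1; }
    # awk '1' re-terminates every line, so a certificate file that lacks a
    # trailing newline cannot fuse "END CERTIFICATE" with "BEGIN ... KEY"
    # (plain cat would). umask keeps the key material owner-only.
    ( umask 077; awk '1' "$cert" "$key" > "$out" ) || return 1
    chmod 600 "$out"
}

# pair_matches CERT KEY
# Succeeds only if KEY is the private key for CERT (needs openssl).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage (placeholder names):
#   pair_matches client.crt client.key &&
#       build_radsec_pem client.crt client.key radsec-client.pem
```

Delete the combined .pem from the workstation once it has been uploaded, since it contains the private key in the clear.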




Log in to Aruba Central and go to Global > Organization > Network Structure > Certificates.
Click + to add a new entry, then add IW Root CA and IW RadSec Signing CA as CA Certificate.



Add the concatenated Client Certificate + Key as Server Certificate.


Go to Device > Access Point > Security and click + to add an Authentication Server.

Enter a name, tick Radsec, enter the IP address from the IronWiFi Console, and click Save.


Scroll down to Certificate Usage and select the certificates you added previously.



Go to the WLANs tab and add a new SSID.

Give it a name and click Next.


Select the appropriate VLAN in section 2. In section 3, set Security Level to Enterprise and select the RadSec server you added previously as your Primary Server.



Click on Advanced Settings and scroll down. Enable Called Station ID Include SSID. In the Accounting subsection, pick Use Authentication Servers and set the interval to 10 minutes.

Click on Manage Passpoint Services to add a Passpoint Profile.

Give the profile a suitable name. In the Access Network section, add ironwifi.net as Domain Name and enable Internet, Radius Location Data and Radius Chargeable User Identity. Select free-public as the Network Type.
Select the venue and network parameters that reflect your local setup.

In the Identity Provider section, add ironwifi.net as the Realm Name, enable Home Realm, set EAP Method to eap-ttls, and add pap and mschapv2 as non-eap-inner auth.

In Roaming Consortium, add aa146b0000 and 5a03ba0000, then click Save and close the Passpoint Profile pop-up.


Select the profile you have just created.

Click Next and make sure Unrestricted is selected.



Click Save.



