Prerequisites
- Access to the Aruba Central dashboard as a user with administrative privileges.
- Access to the IronWiFi Management Console (Sign in or Open Account)
- RadSec enabled on your network as detailed here (you will need to download the certificate bundle)
- OpenRoaming profile installed on your device(s) - see here for the Passpoint installation information. The OpenRoaming profile can be generated by visiting the OSU Page here.
Extract the zip file containing the 2 CA certificates, the Client Certificate and the Client Key.
Concatenate the Client Certificate and Client Key, either with the cat command on Linux or by pasting the key below the Client Certificate in a text editor, and save the result as a new file with a .pem extension.
Log in to Aruba Central and go to Global > Organization > Network Structure > Certificates.
Click + to add a new entry, then add IW Root CA and IW RadSec Signing CA, each as CA Certificate.
Add the concatenated Client Certificate + Key as Server Certificate.
Go to Device > Access Point > Security and click + to add an Authentication Server.
Enter the desired name, tick Radsec, enter the IP address from the IronWiFi Console, and click Save.
Scroll down to Certificate Usage and select the certificates you added previously.
Go to the WLANs tab and add a new SSID.
Give it a name and click Next.
Select the appropriate VLAN in section 2. In section 3, set Security Level to Enterprise and select the RadSec server you added previously as your Primary Server.
Click Advanced Settings and scroll down. Enable Called Station ID Include SSID. In the Accounting subsection, pick Use Authentication Servers and set the interval to 10 minutes.
Click Manage Passpoint Services to add a Passpoint Profile.
Give the profile a suitable name. In the Access Network section, add ironwifi.net as Domain Name and enable Internet, Radius Location Data and Radius Chargeable User Identity. Select free-public as the Network Type.
Select the venue and network parameters that reflect your local setup.
In the Identity Provider section, add ironwifi.net as the Realm Name, enable Home Realm, set EAP Method to eap-ttls, and add pap and mschapv2 as non-eap-inner auth.
In Roaming Consortium, add aa146b0000 and 5a03ba0000, then click Save and close the Passpoint Profile pop-up.
Select the profile you have just created.
Click Next and make sure Unrestricted is selected.
Click Save.
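An added example (not part of the original guide, and not IronWiFi or Aruba code) for the concatenation step at the start of this procedure: it builds the certificate-plus-key .pem file without the glued-line problem that plain cat produces when the certificate file lacks a final newline, and checks with openssl that the key belongs to the certificate. The function names and the file names in the usage line are assumptions; use the names from your downloaded bundle.

```shell
#!/bin/sh
# Added example, not IronWiFi or Aruba code. File names are assumptions.

# has_pem_block FILE LABEL_REGEX: true if FILE has BEGIN and END lines for the label.
has_pem_block() {
    grep -Eq -- "^-----BEGIN ${2}-----" "$1" &&
        grep -Eq -- "^-----END ${2}-----" "$1"
}

# make_bundle CERT KEY OUT: write the certificate, then the key, into OUT.
make_bundle() (
    cert=$1; key=$2; out=$3
    has_pem_block "$cert" 'CERTIFICATE' ||
        { echo "no PEM certificate in $cert" >&2; exit 1; }
    has_pem_block "$key" '([A-Z]+ )?PRIVATE KEY' ||
        { echo "no PEM private key in $key" >&2; exit 1; }
    umask 077    # the bundle holds the private key: owner-only permissions
    rm -f "$out" # a pre-existing file would keep its old, wider permissions
    # awk 1 terminates every line, so a certificate file that lacks a final
    # newline cannot glue its END line onto the key's BEGIN line the way
    # plain cat would. tr drops carriage returns left by Windows editors.
    awk 1 "$cert" "$key" | tr -d '\r' > "$out"
    # The certificate must come first, and no line may carry two PEM markers.
    first=$(grep -- '^-----BEGIN' "$out" | head -n 1)
    [ "$first" = '-----BEGIN CERTIFICATE-----' ] || exit 1
    ! grep -q -- '-----.*-----.*-----.*-----' "$out"
)

# key_matches_cert CERT KEY: true if KEY is the private key for CERT
# (compares the public key derived from each; needs the openssl CLI).
key_matches_cert() (
    c=$(openssl x509 -in "$1" -noout -pubkey) || exit 2
    k=$(openssl pkey -in "$2" -pubout) || exit 2
    [ "$c" = "$k" ]
)

# Usage: sh make_bundle.sh client.crt client.key radsec-client.pem
if [ "$#" -eq 3 ]; then
    make_bundle "$1" "$2" "$3" && key_matches_cert "$1" "$2" &&
        echo "bundle written and key matches certificate: $3"
fi
```

Delete the working copy of the bundle once it has been uploaded, since it contains the unencrypted client key.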