Prerequisites

1. Access to the Mist Dashboard as a user with administrative privileges.
2. Access to the IronWiFi Management Console - Sign in or Open Account
3. RadSec enabled on your Network as detailed here (you will need to download the certificate bundle)
4. Passpoint profile installed on your device(s) - see here for the Passpoint installation information. The Passpoint profile can be generated by visiting the  Provisioning URL (OSU)  that is available on your Captive Portal setting page in IronWiFi Console

Log In to Mist Cloud as the user with Admin priviledges

Go to Organization > Settings

In the Mist Certificate section, click Add a RadSec certificate and add the Root CA and Intermediate CA to the RadSec Certificates:

Next, click on Add AP RadSec certificate and copy and paste into the relevant windows your RadSec certificate and the key (open the certificate and key in the text editor), click Save:

Go to Site > WLANs

Create new WLAN, set security type to WPA2 / Enterprise.

Set Passpoint to enabled, configure operators - add AT&T and Google, set Venue Name, open Advanced Settings and enter ironwifi.net as Domain Name and add AA146B0000 as Roaming Consortium ID, finally in the NAI Realm add ironwifi.net and set EAP Type to TTLS.

In Authentication Servers select RadSec and add radsec.ironwifi.com as Server Name.

Click Add Server and add your RadSec server IP. You can also add secondary RadSec server IP for redundancy. Use meaningful string for NAS Identifier.

Click on Save in the upper right corner and test connectivity after the SSID appears on your list.