Nexudus Integration with IronWiFi – Detailed FAQ

1. How does authentication between IronWiFi and Nexudus work?

Captive Portal:

• Users connect to an open SSID and are redirected to a captive portal page.

• They enter their Nexudus credentials or voucher code.

• IronWiFi sends these credentials to Nexudus via API for validation and returns approval/rejection in real time.

• No dependency on IronWiFi’s local database in this flow.

WPA2-Enterprise (Passpoint) Authentication:

• Devices use stored credentials (from a Passpoint profile or Wi-Fi profile).

• IronWiFi verifies the stored credentials against Nexudus in real time but depends on its local database as well.

• Any profile updates in Nexudus are pushed to IronWiFi to maintain synchronization.

2. How often does Nexudus sync with IronWiFi?

• Nexudus updates user data (new attributes, expired memberships, disabled accounts) in IronWiFi’s database regularly.

• These updates typically occur in real time or near real time, ensuring that IronWiFi has up-to-date information for accurate access decisions.

3. What are the most common authentication issues?

• Certificate Trust Issues:
  Devices may fail to connect if they don’t trust the RADIUS server’s certificate.

• Account Status:
  If the user account in Nexudus is disabled or expired, IronWiFi’s real-time verification will fail.

• Mismatched Configurations:
  Captive portal vs. enterprise authentication can lead to confusion if not properly configured.

• Sync Delays:
  Rarely, updates may not be immediately reflected due to API timeouts or temporary network issues.

• Passpoint Profile and Nexudus credentials desynch
  

4. How does the captive portal method work in practice?

• SSID Setup:
  The Wi-Fi network is set to open (no WPA2 password).

• Portal Login:
  Users enter Nexudus credentials or a voucher code on a branded IronWiFi login page.

• Validation:
  IronWiFi sends credentials to Nexudus, which verifies the login and sends back an approval or rejection.

• Access Grant:
  Upon approval, IronWiFi grants temporary or permanent network access (MAC address whitelisting, etc.).

5. What’s the process for WPA2-Enterprise / Passpoint deployments?

• Profile Installation:
  Members receive a Passpoint profile that includes credentials (username, password, or certificate).

• Secure Connection:
  Devices connect using the profile (SSID is encrypted with WPA2/WPA3 Enterprise).

• Real-Time Validation:
  IronWiFi checks credentials stored in its database and synchronizes them with Nexudus updates.

• Fallback:
  If authentication fails, fallback to captive portal can be considered, but it’s not ideal for secure networks.

6. Why is it not recommended to mix captive portal and WPA2-Enterprise?

• Mixing these methods can cause confusion because:

  • Captive portal directly talks to Nexudus and bypasses local database checks.

  • Enterprise relies on local data + real-time checks.

• If the local database is out of sync, WPA2-Enterprise might fail even if captive portal works.

7. How can I troubleshoot authentication failures?

• Check IronWiFi Logs:

  • Logs show authentication attempts, success/failure, and error codes (e.g., password incorrect, certificate untrusted).

• Review Change Logs:

  • IronWiFi’s admin console logs Nexudus updates to show if user data was recently changed (like disabled accounts or updated profiles).

• Test with Known Working Credentials:

  • Use test accounts to isolate issues (credentials vs. network config).

• Verify Certificate Trust:

  • For enterprise connections, ensure devices trust the RADIUS certificate chain.

8. How are voucher codes handled?

• Creation:Nexudus admins create voucher codes for day passes, promotions, or visitor access.

• Login Flow:
  Users enter the voucher code on the captive portal.

• Verification:
  IronWiFi requests Nexudus API to confirm the voucher’s validity (usage limits, expiry).

• Access Grant:
  If valid, the device is allowed on the network for the specified duration.

9. What best practices ensure a smooth Nexudus integration?

✅ Test in Staging First:
Validate Passpoint profiles and captive portal login with test accounts.
✅ Separate Guest & Enterprise SSIDs:
Use different SSIDs for visitors vs. members.
✅ Monitor Logs & Changelogs:
Track authentication issues and recent Nexudus updates.
✅ Educate Users:
Instruct them on profile installation, especially for WPA2-Enterprise.
✅ Document Everything:
Keep configuration details, user guides, and logs organized.

10. What hardware or OS limitations should I consider?

• Passpoint Support:
  Works with most modern OSes (Windows, MacOS, iOS, Android) but requires user acceptance of wireless settings.

• Hardware Compatibility:
  List of compatible HW vendors is available on this page - https://help.ironwifi.com/portal/en/kb/ironwifi/hotspot-2-0-passpoint