Here's how to set up a Ubiquiti U6 or U7-series AP for OpenRoaming.

Prerequisites

First check your current Ubiquiti UniFi configuration against the prerequisites at the Ubiquiti Help Center page: Setting Up Passpoint on UniFi Network.

Next, in your Network application, go to Settings (the gear icon), open the 'WiFi' menu, select a network, and check that 'Passpoint' is listed under the 'Hotspot 2.0' option. If it is not, your UniFi Network application or your UniFi AP may not be running the minimum required software/firmware.

Settings

RADIUS server

  1. Under 'Settings' (the gear icon), go to 'Profiles', then select 'RADIUS'.
  2. Click 'New'. Provide a name. For the eduroam Europe proxy, you could use 'eduroam OpenRoaming Proxy'.
  3. Are you going to use RadSec? If so, select 'TLS'; several more settings will appear.
  4. Provide the IP address of the proxy. If you use RadSec, use port 2083 with the secret 'radsec'. Click 'Add' to add it.
     - You can contact the eduroam Ops Team for the eduroam Europe OpenRoaming proxy by emailing Paul Dekkers, who manages the proxy, and asking for the OR proxy details. The European eduroam OR proxy accepts both RADIUS (over UDP/1812) and RadSec (with eduPKI certificates, over TCP/2083).
     - You can also contact eduroam UK for the UK proxy by emailing eduroamuk at jisc.ac.uk and asking for the OR proxy details. Like the eduroam Europe proxy, the UK proxy accepts both RADIUS and RadSec (with eduPKI certificates) traffic.
  5. If you use RadSec, provide the 'Client Certificate', 'Private Key', 'Private Key Password' and 'CA Certificate' values. The 'Private Key Password' value is optional. You can use your eduPKI certificates here for the hosts in Step 4.
  6. Tick the 'Accounting' option. As an OpenRoaming visited site (ANP) you are required to send accounting packets.
  7. Click 'Apply Changes' to save the RADIUS profile.
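As an added pre-flight check for Step 5 (this script is not from the page or from Ubiquiti), the following uses openssl to confirm that the client certificate and private key you are about to paste into the RADIUS profile belong together and that the certificate still verifies against the CA bundle. The file names are placeholders, and the sample material it generates is constructed locally to stand in for your eduPKI-issued files.

```shell
#!/bin/sh
# Added example (not from the original page or from Ubiquiti): sanity-check the
# RadSec client certificate, private key and CA bundle before pasting them into
# the UniFi RADIUS profile (Step 5). Needs only openssl. File names are placeholders.
set -eu

# check_radsec_material CERT KEY CA [KEY_PASSWORD]
# Succeeds only when the private key matches the certificate and the certificate
# verifies against the CA bundle (chain, validity period, TLS client purpose).
check_radsec_material() {
  cert="$1"; key="$2"; ca="$3"; pass="${4:-}"
  passarg=""
  if [ -n "$pass" ]; then passarg="-passin pass:$pass"; fi  # password assumed to contain no spaces

  # 1. Key/certificate match: both must yield the same SubjectPublicKeyInfo.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout $passarg)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2; return 1
  fi

  # 2. Chain and validity: the proxy will reject an expired or untrusted client cert.
  if ! openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1; then
    echo "certificate does not verify against the CA bundle" >&2; return 1
  fi
  return 0
}

# Constructed test material (a throwaway CA and a client cert it signs), standing in
# for the eduPKI-issued files. Prints the directory that holds them.
make_sample_material() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ap.example.org" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/client.pem" 2>/dev/null
  echo "$dir"
}

# Usage with real files: sh this_script.sh client.pem client.key eduPKI-chain.pem [password]
if [ -n "${1:-}" ]; then
  check_radsec_material "$@" && echo "RadSec material OK"
fi
```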

Network settings

  1. Under 'Settings' (the gear icon), go to the 'WiFi' menu. Click 'Create New' to create a new network.
  2. Provide your SSID. Ignore the 'Password' option. Select the 'Network' option that carries the VLAN you'll use.
  3. Select 'Manual' in the 'Advanced' option. Select 'Passpoint' in the 'Hotspot 2.0' option; new options will appear.
  4. The 'Venue Name', 'Venue Type', 'Network Type' and 'IP Address Type Availability' options are yours to select.
  5. Under 'NAI Realm', click 'Add' and fill in the 'Name' (the actual realm) and 'EAP Method' options. Under 'Sub-Methods', add the inner methods you can use. Click 'Save' to save the NAI realm.
    Important: PEAP is not available as an authentication type in 'EAP Method'.
  6. In the 'Roaming Consortium List' option, add your appropriate RCOIs.
    - For example, use 'Settlement Free' (or something similar) as 'Name' and '5A03BA0000' in the 'Organization ID' field for the baseline 'Any identity' RCOI.
  7. In the '3GPP Cellular Network' options, you can add mobile networks that will be able to use OpenRoaming on your network.
    - Under 'Country Name', enter the appropriate country and mobile network description, e.g. 'AT&T United States'.
    - Under 'Country Code', enter the international dialling code (although this is not necessary).
    - Under MCC and MNC, provide the necessary values for the network specified.
    Important: Please read the mobile network wireless offload topic for more information on this.
  8. In the 'Domain List', add your realm name and click 'Add' to add it.
  9. In the 'Operator Friendly Name', provide your company name. This setting is not your Operator-Name attribute value; there is no way to set that for the network.
  10. Set all the other various options for the network.
  11. Under 'Security Protocol', choose the appropriate WPA Enterprise level (it should preselect 'WPA2 Enterprise').
  12. In the 'RADIUS Profile', select the RADIUS profile you set up above.
  13. Choose the right value for the NAS ID.
  14. Click 'Add WiFi Network' to create the network.

Testing

Test your configuration with the following:

  • Samsung identity - This is built into all recent Samsung Galaxy S series (and some Galaxy A series) phones, although the IdP can be spotty at times. Make sure that 'Hotspot 2.0' is enabled in the advanced Wi-Fi settings. The Wireless Broadband Alliance is aware and is encouraging Samsung to fix this, so your mileage may vary.
  • Google identity - This is built into all recent Google devices, but it has to be enabled by selecting 'OpenRoaming' in the Wi-Fi network settings. You will be asked to agree to the OpenRoaming Terms and Conditions. Google's IdP is pretty rock-solid based on recent statistics.
  • Cisco OpenRoaming app - This allows you to use either Google or Apple identities on either Android or iOS to connect to OpenRoaming networks. The app will prompt you to agree to the Terms and Conditions. This app still only sets a requested RCOI of 00-40-96.
  • GlobalReach's Globalro.am app - This allows you to use Google, Apple or LinkedIn identities on either Android or iOS to connect to OpenRoaming networks. The app will prompt you to agree to the Terms and Conditions.
  • geteduroam with your eduroam ID - Your eduroam CAT profile has to have OpenRoaming enabled (for the eduroam RCOIs above) and, if you want to use the other RCOIs, include an 'Additional HS2.0 Consortium OI' entry for each additional RCOI. Your IdP should support receiving traffic via the 'classic' eduroam route for OpenRoaming.

A successful test should not prompt you for credentials. If the AP is configured correctly, the device should simply connect and, if you configured a Splash Page, display the Splash Page in your browser.

If it fails to connect, your upstream OpenRoaming proxy operator (eduroam Europe or eduroam UK) should be able to check whether your traffic has reached them. If it has, your AP is correctly configured (even if the device fails to connect to the AP). If you're using a Samsung and it categorically refuses to connect, it's likely that the Samsung IdP is being temperamental. Try another method of testing (such as the Cisco OpenRoaming app).
