
Aruba Central - OpenRoaming with RadSec

Configure RadSec (RADIUS over TLS) on Aruba Central to enable secure OpenRoaming authentication with IronWifi. This guide covers certificate management, RadSec server configuration, and Hotspot 2.0 deployment for Aruba access points managed through the Aruba Central cloud platform.

Prerequisites

In Aruba Central:

  • Aruba Central account with managed access points
  • Aruba access points with Hotspot 2.0 support
  • Administrator access

In IronWifi Console (complete these first):

  1. Create a Network and enable OpenRoaming
  2. Enable RadSec on the network
  3. Download the certificate bundle containing:
    • iw-rsa-root-ca.cert.pem - Root CA
    • iw-rsa-radsec-signing-ca.cert.pem - Intermediate CA
    • client.cert.pem - Client certificate
    • client.key.pem - Private key

RadSec Server Details

Setting    Value
Server     radsec.ironwifi.com
Port       2083
Protocol   TLS

Quick Start

  1. Upload certificates to Aruba Central (Global Settings > Security)
  2. Create RadSec authentication server with radsec.ironwifi.com:2083
  3. Create WLAN with WPA2-Enterprise and assign the RadSec server
  4. Enable Hotspot 2.0 with OpenRoaming OIs: 5A03BA0000, 5A03BA0200, 004096
  5. Configure NAI realm: ironwifi.com
  6. Deploy to access points

Aruba Central Configuration

Step 1: Upload Certificates

  1. Log in to Aruba Central (central.arubanetworks.com)
  2. Navigate to Global Settings > Security > Certificates
  3. Click Add Certificate
  4. Upload CA certificates:
    • Upload iw-rsa-root-ca.cert.pem as Root CA
    • Upload iw-rsa-radsec-signing-ca.cert.pem as Intermediate CA
  5. Upload client certificate and key:
    • Upload client.cert.pem as client certificate
    • Upload client.key.pem as private key
    • Enter passphrase if required

Step 2: Create RadSec Authentication Server

  1. Navigate to your Group > WLANs
  2. Go to Security > Authentication Servers
  3. Click Add Authentication Server
  4. Configure:
    • Type: RadSec
    • Name: IronWifi-RadSec
    • Host: radsec.ironwifi.com
    • Port: 2083
    • RadSec CA Certificate: Select uploaded CA chain
    • RadSec Client Certificate: Select uploaded client certificate
    • RadSec Client Key: Select uploaded private key
  5. Click Save

Step 3: Create Server Group

  1. Go to Server Groups
  2. Click Add Server Group
  3. Configure:
    • Name: IronWifi-RadSec-Group
    • Add Server: IronWifi-RadSec
  4. Click Save

Step 4: Create WLAN with Passpoint

  1. Navigate to WLANs > Add WLAN
  2. Configure basic settings:
    • Name/SSID: OpenRoaming
    • Type: Employee
    • Broadcast: Enabled

Step 5: Configure Security

In WLAN settings:

  1. Go to Security tab
  2. Configure:
    • Security Level: Enterprise
    • Key Management: WPA2-Enterprise
    • Authentication Server: IronWifi-RadSec-Group

Step 6: Enable Hotspot 2.0

  1. In WLAN settings, go to Hotspot 2.0 section
  2. Enable Hotspot 2.0
  3. Configure:

Network Information:

  • Internet Access: Enabled
  • Network Type: Free public network
  • Network Authentication: Online signup not required

Venue Information:

  • Venue Group: Business
  • Venue Type: Unspecified
  • Venue Name: Your Location

Step 7: Configure Domain and Operator

Domain Names:

  • ironwifi.net
  • openroaming.org

Operator Information:

  • Operator Friendly Name: IronWifi
  • Language Code: eng

Step 8: Configure Roaming Consortium

Add Roaming Consortium OIs:

OI           Description
5A03BA0000   WBA OpenRoaming (Settled)
5A03BA0200   WBA OpenRoaming (Settlement-free)
004096       Cisco OpenRoaming
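The three OIs above are what the AP encodes into its beacon Roaming Consortium element and its ANQP Roaming Consortium list. The following Python is an added example, not Aruba or IronWifi code: it validates OI strings the way the encoding constrains them and builds/decodes both structures, so a mistyped OI is caught before entry and a beacon or ANQP capture can be checked against the intended list. The element ID (111) and ANQP Info ID (261) come from IEEE 802.11, not from this page.

```python
# Added example (not Aruba's or IronWifi's code): encode/decode the Roaming
# Consortium data an AP advertises for the Step 8 OIs, to validate OI strings
# before entry and to check a beacon/ANQP capture against the intended list.
OPENROAMING_OIS = ["5A03BA0000", "5A03BA0200", "004096"]  # from the guide
ANQP_ROAMING_CONSORTIUM_INFO_ID = 261  # ANQP Info ID (IEEE 802.11)
ROAMING_CONSORTIUM_ELEMENT_ID = 111    # beacon/probe-response element ID


def parse_oi(oi_hex: str) -> bytes:
    """Validate one OI: hex, even digit count, 3..15 bytes (beacon OI length fields are 4 bits)."""
    digits = oi_hex.strip().replace(":", "").replace("-", "")
    try:
        raw = bytes.fromhex(digits)
    except ValueError:
        raise ValueError(f"OI {oi_hex!r}: not hex or odd number of digits") from None
    if not 3 <= len(raw) <= 15:
        raise ValueError(f"OI {oi_hex!r}: must be 3..15 bytes, got {len(raw)}")
    return raw


def encode_anqp_roaming_consortium(ois) -> bytes:
    """ANQP Roaming Consortium list: Info ID and length (16-bit little-endian),
    then one OI duple (1-byte length + OI) per consortium."""
    body = b"".join(bytes([len(o)]) + o for o in map(parse_oi, ois))
    header = ANQP_ROAMING_CONSORTIUM_INFO_ID.to_bytes(2, "little") + len(body).to_bytes(2, "little")
    return header + body


def decode_anqp_roaming_consortium(data: bytes) -> list:
    """Inverse of the encoder; returns upper-case hex OIs as the console shows them."""
    info_id, length = int.from_bytes(data[:2], "little"), int.from_bytes(data[2:4], "little")
    if info_id != ANQP_ROAMING_CONSORTIUM_INFO_ID or len(data) != 4 + length:
        raise ValueError("not a well-formed Roaming Consortium ANQP element")
    ois, pos = [], 4
    while pos < len(data):
        n = data[pos]
        ois.append(data[pos + 1:pos + 1 + n].hex().upper())
        pos += 1 + n
    return ois


def encode_beacon_roaming_consortium(ois) -> bytes:
    """Roaming Consortium element (ID 111) in beacons: at most three OIs fit; the
    'Number of ANQP OIs' byte tells clients how many more to fetch via ANQP."""
    raw = [parse_oi(o) for o in ois]
    in_beacon, extra = raw[:3], max(0, len(raw) - 3)
    len1 = len(in_beacon[0]) if len(in_beacon) > 0 else 0
    len2 = len(in_beacon[1]) if len(in_beacon) > 1 else 0
    body = bytes([extra, len1 | (len2 << 4)]) + b"".join(in_beacon)
    return bytes([ROAMING_CONSORTIUM_ELEMENT_ID, len(body)]) + body
```

With the page's three OIs the beacon element is 17 bytes and all three fit, so the "Number of ANQP OIs" byte is zero; a fourth OI would only be visible to clients that issue the ANQP query.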

Step 9: Configure NAI Realm

  1. Add NAI Realm configuration:
    • Realm: ironwifi.com
    • EAP Method: EAP-TTLS
    • Inner Authentication: PAP, MSCHAPv2
    • Credential Type: Username/Password

Step 10: Deploy Configuration

  1. Review all settings
  2. Click Save to save WLAN
  3. The configuration is pushed automatically to the managed APs

Complete Configuration Summary

WLAN Settings

Setting          Value
SSID             OpenRoaming
Security         WPA2-Enterprise
Authentication   RadSec
RadSec Server    radsec.ironwifi.com:2083

Hotspot 2.0 Settings

Setting        Value
Internet       Enabled
Network Type   Free public
Domain         ironwifi.net
Roaming OIs    5A03BA0000, 5A03BA0200, 004096
NAI Realm      ironwifi.com (EAP-TTLS)

Group vs Site Configuration

Configure RadSec and Hotspot 2.0 at the group level for consistent deployment across all sites in the group.

Site-Level Override

For site-specific configurations:

  1. Navigate to specific Site
  2. Override group settings as needed
  3. Upload site-specific certificates if required

Verification

Check WLAN Status

  1. Go to Dashboard > Network Health
  2. Verify WLAN is active on APs
  3. Check for configuration errors

Monitor RadSec Connectivity

  1. Navigate to Monitor > Security
  2. Check RADIUS/RadSec connection status
  3. Look for successful TLS handshakes
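The handshake the console reports can also be reproduced from an admin workstation. The script below is an added example, not Aruba's or IronWifi's tooling: using only the Python standard library it trusts just the two CA files from the bundle, presents client.cert.pem/client.key.pem for mutual TLS and verifies the server name, so its failure modes line up with the certificate checks in the Troubleshooting section. BUNDLE_DIR and the function names are assumptions.

```python
# Added example (not Aruba's or IronWifi's tooling): reproduce the RadSec
# handshake the AP performs with the Python stdlib only. It trusts just the two
# CA files from the bundle, presents client.cert.pem/client.key.pem (mutual TLS)
# and verifies the server name. BUNDLE_DIR is an assumption.
import socket
import ssl
import time

RADSEC_HOST, RADSEC_PORT = "radsec.ironwifi.com", 2083
BUNDLE_DIR = "./ironwifi-radsec-bundle"  # assumption: where the bundle was extracted


def build_radsec_context(ca_files, cert_file, key_file) -> ssl.SSLContext:
    """TLS client context with the same trust material the AP was given in Step 1."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_files[0])
    for extra_ca in ca_files[1:]:            # e.g. the RadSec signing (intermediate) CA
        ctx.load_verify_locations(cafile=extra_ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # client identity
    return ctx                                # check_hostname is already True here


def days_until_expiry(peer_cert: dict, now_epoch=None) -> float:
    """Days left on a certificate, from the dict ssl.SSLSocket.getpeercert() returns."""
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    return (not_after - (time.time() if now_epoch is None else now_epoch)) / 86400


def probe_radsec(ctx, host=RADSEC_HOST, port=RADSEC_PORT, timeout=5.0) -> dict:
    """Connect, finish the handshake and summarise the peer. Raises
    ssl.SSLCertVerificationError for chain/name problems (Unknown CA, CN/SAN
    mismatch, expired server cert) and OSError for timeouts / refused connections."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                "days_until_expiry": round(days_until_expiry(cert), 1),
            }


if __name__ == "__main__":
    cas = [f"{BUNDLE_DIR}/iw-rsa-root-ca.cert.pem", f"{BUNDLE_DIR}/iw-rsa-radsec-signing-ca.cert.pem"]
    ctx = build_radsec_context(cas, f"{BUNDLE_DIR}/client.cert.pem", f"{BUNDLE_DIR}/client.key.pem")
    print(probe_radsec(ctx))
```

A handshake that completes here but is rejected by the AP usually points at the certificates selected in Step 2 rather than at the server; a low days_until_expiry value is the cue to download a new bundle.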

Test Client Connection

  1. Connect Passpoint-enabled device
  2. Verify automatic Passpoint connection
  3. Check authentication in:
    • Aruba Central Client Monitor
    • IronWifi Console Authentication Logs

Troubleshooting

Certificate Issues

  1. Certificate Upload Failed

    • Verify certificate format (PEM)
    • Check certificate chain completeness
    • Ensure private key matches certificate
  2. TLS Handshake Failure

    • Verify CA certificates are correctly installed
    • Check certificate expiration dates
    • Ensure server name matches certificate CN/SAN

RadSec Connection Problems

  1. Connection Timeout

    • Verify port 2083 is open outbound
    • Check firewall rules
    • Test connectivity to radsec.ironwifi.com
  2. Authentication Rejected

    • Verify client certificate is valid
    • Check NAI realm configuration
    • Review IronWifi console logs

Hotspot 2.0 Issues

  1. Network Not Discovered

    • Verify Hotspot 2.0 is enabled on WLAN
    • Check roaming consortium OIs
    • Ensure client device supports Passpoint
  2. ANQP Query Failures

    • Review AP logs for GAS/ANQP errors
    • Verify domain and realm configuration
    • Check client Passpoint settings

Debug in Aruba Central

  1. Go to Troubleshooting > Logs
  2. Filter by AP or client
  3. Look for RADIUS/RadSec events
  4. Check authentication success/failure reasons

Common Errors

Error                  Cause                  Solution
TLS handshake failed   Certificate issue      Re-upload certificates
Connection refused     Port blocked           Open port 2083
Certificate expired    Outdated cert          Download new bundle
Unknown CA             Trust not configured   Install CA chain
Auth rejected          Wrong realm            Check NAI realm config

Best Practices

  1. Group Configuration: Use group-level settings for consistency
  2. Certificate Management: Track expiration dates, plan renewal
  3. Monitoring: Set up alerts for RadSec failures
  4. Testing: Verify with multiple device types
  5. Documentation: Record all configuration settings
  6. Backup: Export configuration before changes