Skip to main content

Cambium cnMaestro - OpenRoaming Configuration

Configure OpenRoaming on Cambium access points using the cnMaestro cloud management platform with IronWifi RADIUS authentication. This guide covers RADIUS server configuration, Hotspot 2.0 profile creation, NAI realm setup, and roaming consortium OIs for seamless global WiFi connectivity.

Quick Start

  1. Enable OpenRoaming in IronWifi Console and note RADIUS details
  2. Create RADIUS authentication and accounting servers in cnMaestro
  3. Create Hotspot 2.0 profile with OIs: 5A03BA0000, 5A03BA0200, 004096
  4. Create WLAN with WPA2-Enterprise and attach Hotspot 2.0 profile
  5. Assign WLAN to AP groups
  6. Verify client connections

Prerequisites

In Cambium:

  • Cambium cnMaestro account (cloud or on-premises)
  • Cambium access points with Hotspot 2.0 support:
    • XV series (XV2-2, XV3-8, etc.)
    • XE series (XE3-4, XE5-8, etc.)
  • Firmware 6.3+ (required for full Passpoint/Hotspot 2.0 support)
  • cnMaestro 3.0+ (for cloud management)

In IronWifi Console (complete these first):

  1. Create or select a Network in the IronWifi Console
  2. Enable OpenRoaming from the dropdown menu
  3. Note the RADIUS configuration details:
    • RADIUS Server IP
    • RADIUS Secret
    • Authentication Port: 1812
    • Accounting Port: 1813
    • NAI Realm: ironwifi.com

Optional: Enable RadSec

For RadSec (RADIUS over TLS):

  1. Enable RadSec from dropdown
  2. Download certificate bundle
  3. Extract certificates for AP configuration

cnMaestro Configuration

Step 1: Access cnMaestro

  1. Log in to cnMaestro (cloud.cambiumnetworks.com or on-premises)
  2. Navigate to your network/organization

Step 2: Configure RADIUS Server

  1. Navigate to Configure > RADIUS > Authentication

  2. Click Add RADIUS Server

  3. Configure:

    • Name: IronWifi
    • IP Address: Your IronWifi RADIUS IP
    • Port: 1812
    • Shared Secret: Your RADIUS secret
    • Timeout: 5 seconds
    • Retry Count: 3

  4. Click Save

Step 3: Configure RADIUS Accounting

  1. Go to RADIUS > Accounting
  2. Click Add Accounting Server
  3. Configure:
    • Name: IronWifi-Accounting
    • IP Address: Same as authentication
    • Port: 1813
    • Shared Secret: Same secret
  4. Click Save

Step 4: Create RADIUS Profile

  1. Go to RADIUS > Profiles
  2. Click Create Profile
  3. Configure:
    • Profile Name: IronWifi-Profile
    • Primary Authentication Server: IronWifi
    • Primary Accounting Server: IronWifi-Accounting
    • NAS Identifier: Your AP identifier
  4. Click Save

Hotspot 2.0 Configuration

Step 5: Create Hotspot 2.0 Profile

  1. Navigate to Configure > Hotspot 2.0
  2. Click Create Profile
  3. Configure General Settings:

Basic Information:

  • Profile Name: IronWifi-Passpoint
  • Status: Enabled

Network Information:

  • Internet Access: Yes
  • Network Type: Free public network
  • ASRA (Additional Step Required for Access): No

Venue Information:

  • Venue Group: Business
  • Venue Type: Unspecified
  • Venue Name: Your Location Name
  • Venue Language: eng

Step 6: Configure Domain Names

In Hotspot 2.0 profile:

Domain Name List:

ironwifi.net
openroaming.org

Step 7: Configure Operator

Operator Information:

  • Operator Friendly Name: IronWifi
  • Operator Language: eng

Step 8: Configure Roaming Consortium

Add Roaming Consortium Organization Identifiers (OIs):

OIDescription
5A03BA0000WBA OpenRoaming (Settled)
5A03BA0200WBA OpenRoaming (Settlement-free)
004096Cisco OpenRoaming

Step 9: Configure NAI Realm

  1. In Hotspot 2.0 profile, add NAI Realm:

    • Realm: ironwifi.com
    • EAP Method: EAP-TTLS
    • Inner Authentication Method: PAP
    • Credential Type: Username and Password

  2. Optionally add additional realm:

    • Realm: ironwifi.net
    • EAP Method: EAP-TTLS
    • Inner Authentication Method: MSCHAPv2

Step 10: Save Hotspot 2.0 Profile

  1. Review all settings
  2. Click Save

WLAN Configuration

Step 11: Create OpenRoaming WLAN

  1. Navigate to Configure > WLANs
  2. Click Add WLAN
  3. Configure Basic Settings:
    • WLAN Name: OpenRoaming
    • SSID: OpenRoaming
    • Status: Enabled
    • Broadcast SSID: Yes

Step 12: Configure Security

  1. In WLAN settings, go to Security
  2. Configure:
    • Security Mode: WPA2-Enterprise
    • Encryption: AES-CCMP
    • RADIUS Profile: IronWifi-Profile

Step 13: Enable Hotspot 2.0

  1. Go to Hotspot 2.0 section in WLAN
  2. Enable Hotspot 2.0
  3. Select Hotspot 2.0 Profile: IronWifi-Passpoint

Step 14: Configure VLAN (Optional)

  1. Go to VLAN section
  2. Configure appropriate VLAN for guest traffic

Step 15: Apply to AP Group

  1. Go to AP Groups
  2. Assign WLAN to appropriate AP group
  3. Configuration pushes to all APs in group

AP-Level Configuration (Alternative)

For per-AP configuration:

Access AP Directly

  1. Navigate to specific AP in cnMaestro
  2. Go to Configure > WLAN
  3. Override group settings if needed

AP CLI Configuration

If CLI access is needed:

# Configure RADIUS
radius-server host <IronWifi-IP> auth-port 1812 acct-port 1813 secret <secret>

# Configure WLAN with HS2.0
wlan OpenRoaming
  security wpa2-enterprise
  radius-server IronWifi
  hotspot20 enable
  hotspot20-profile IronWifi-Passpoint

Complete Configuration Summary

RADIUS Settings

SettingValue
Server IPIronWifi RADIUS IP
Auth Port1812
Acct Port1813
SecretYour RADIUS secret

WLAN Settings

SettingValue
SSIDOpenRoaming
SecurityWPA2-Enterprise
RADIUS ProfileIronWifi-Profile
Hotspot 2.0Enabled

Hotspot 2.0 Settings

SettingValue
InternetYes
Network TypeFree public
Domainironwifi.net
Roaming OIs5A03BA0000, 5A03BA0200, 004096
NAI Realmironwifi.com (EAP-TTLS)

Verification

Check cnMaestro Dashboard

  1. Go to Dashboard > Network Health
  2. Verify WLAN is active
  3. Check AP connectivity

Verify RADIUS Connectivity

  1. Go to Monitor > RADIUS
  2. Check authentication statistics
  3. Verify successful authentications

Check Hotspot 2.0 Status

  1. Go to Monitor > WLANs
  2. Verify Hotspot 2.0 is enabled
  3. Check ANQP responses

Test Client Connection

  1. Connect Passpoint-enabled device
  2. Verify automatic network discovery
  3. Check authentication in:
    • cnMaestro Client Monitor
    • IronWifi Console Logs

Troubleshooting

RADIUS Connection Issues

  1. Authentication Timeout

    • Verify RADIUS server IP is correct
    • Check firewall allows ports 1812/1813
    • Test network connectivity from AP

  2. Authentication Rejected

    • Verify shared secret matches
    • Check user credentials
    • Review IronWifi authentication logs

Hotspot 2.0 Issues

  1. Network Not Discovered

    • Verify Hotspot 2.0 is enabled
    • Check roaming consortium OIs
    • Ensure client supports Passpoint

  2. ANQP Query Failures

    • Verify domain name configuration
    • Check NAI realm settings
    • Review AP logs

  3. Connection Fails After Discovery

    • Check RADIUS authentication
    • Verify EAP method matches
    • Review error in client logs

cnMaestro Sync Issues

  1. Configuration Not Applied
    • Force configuration sync from cnMaestro
    • Check AP connectivity to cnMaestro
    • Verify AP firmware is compatible

Debug Steps

  1. Go to Troubleshoot > Logs
  2. Filter by AP or client MAC
  3. Review RADIUS and Hotspot 2.0 events

Common Errors

ErrorCauseSolution
RADIUS timeoutNetwork issueCheck firewall/connectivity
Auth rejectedWrong secretVerify RADIUS shared secret
No ANQP responseHS2.0 disabledEnable Hotspot 2.0
Realm not foundNAI mismatchCheck realm configuration
Profile sync failedcnMaestro issueRe-sync from dashboard

Best Practices

  1. Use AP Groups: Apply configuration via groups for consistency
  2. Monitor Regularly: Check cnMaestro dashboard for issues
  3. Firmware Updates: Keep AP firmware current
  4. Test Thoroughly: Verify with multiple device types
  5. Document Settings: Record all configuration details
  6. Plan Capacity: Ensure adequate coverage for Passpoint users