Cisco Meraki - OpenRoaming Configuration

Configure OpenRoaming on Cisco Meraki wireless networks with IronWifi RADIUS authentication and Hotspot 2.0. This guide covers RADIUS server configuration, roaming consortium OI setup, NAI realm configuration, and optional Cisco OpenID integration through the Meraki Dashboard.

Quick Start

  1. Enable OpenRoaming in IronWifi Console and note RADIUS details
  2. Configure RADIUS servers in Meraki Dashboard
  3. Enable Hotspot 2.0 on SSID
  4. Add roaming consortium OIs: 5A03BA0000, 5A03BA0200, 004096
  5. Configure NAI realms for ironwifi.com
  6. Optionally enable Cisco OpenID for dual authentication

Prerequisites

In Meraki:

  • Meraki MR series access points
  • Meraki Dashboard access
  • Advanced license for Hotspot 2.0 features

In IronWifi Console (complete these first):

  1. Create or select a Network in the IronWifi Console
  2. Enable OpenRoaming from the dropdown menu
  3. Configure roaming type (Settled or Settlement-free)
  4. Note the RADIUS server details (IP address, port, and shared secret)

OpenRoaming Overview

Meraki provides native OpenRoaming support through:

  • Cisco OpenID - Built-in Cisco identity provider integration
  • Custom OpenRoaming - Integration with external providers like IronWifi

Meraki Dashboard Configuration

Step 1: Configure RADIUS

  1. Log in to Meraki Dashboard
  2. Navigate to Wireless > Access Control
  3. Select your SSID
  4. Under RADIUS servers:
    • Host: IronWifi RADIUS IP
    • Port: 1812
    • Secret: Your RADIUS secret
  5. Enable RADIUS accounting (port 1813)

Step 2: Enable Hotspot 2.0

  1. Go to Wireless > Configure > Hotspot 2.0
  2. Select your SSID
  3. Enable Hotspot 2.0

Step 3: Configure OpenRoaming Settings

General:

  • Access Network Type: Public with fee / Free
  • Internet: Yes
  • ASRA: No

Venue Information:

  • Venue Group: Business
  • Venue Type: Unspecified

Operator:

  • Friendly Name: Your organization
  • Domain Name: ironwifi.net

Step 4: Add Roaming Consortium OIs

Click Add for each OI:

5A03BA0000 - WBA OpenRoaming (Settled)
5A03BA0200 - WBA OpenRoaming (Settlement-free)
004096 - Cisco OpenRoaming

Step 5: Configure NAI Realms

Add NAI realms for authentication:

Realm 1: ironwifi.com

  • EAP Method: EAP-TTLS
  • Inner Auth: PAP, MSCHAPv2

Realm 2: openroaming.net

  • EAP Method: EAP-TTLS, EAP-TLS

Realm 3: google.com (for Google account users)

  • EAP Method: EAP-TTLS

Save configuration.

Cisco OpenID Integration

Meraki supports native Cisco OpenRoaming via OpenID:

Enable Cisco OpenID

  1. In Hotspot 2.0 settings, find Cisco OpenID
  2. Enable Cisco OpenRoaming
  3. This automatically configures:
    • Cisco consortium OIs
    • Default NAI realms
    • RADIUS proxy to Cisco cloud

Combine with IronWifi

You can use both Cisco OpenID and IronWifi:

  1. Enable Cisco OpenID for Cisco identity users
  2. Add IronWifi RADIUS for your organization's users
  3. Configure appropriate NAI realms for each

Testing OpenRoaming

Meraki Dashboard

  1. Go to Wireless > Monitor > Clients
  2. Look for clients connecting via Passpoint/OpenRoaming
  3. Check authentication method in client details

Test Clients

iOS:

  • Users with Apple ID should auto-connect
  • Or install OpenRoaming profile from IronWifi

Android:

  • Enable Passpoint in WiFi settings
  • Sign in with Google account
  • Device auto-connects to OpenRoaming networks

Manual Test:

API Configuration

Configure OpenRoaming via Meraki API:

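import os

import meraki

# Read the API key and targets from the environment instead of hard-coding them.
# MERAKI_ORG_ID and MERAKI_SSID_NUMBER are variable names chosen for this example.
api_key = os.environ["MERAKI_DASHBOARD_API_KEY"]
org_id = os.environ["MERAKI_ORG_ID"]
ssid_number = os.environ["MERAKI_SSID_NUMBER"]

dashboard = meraki.DashboardAPI(api_key)

# Get network ID (this takes the first network in the organization)
networks = dashboard.organizations.getOrganizationNetworks(org_id)
network_id = networks[0]['id']

# Configure Hotspot 2.0
ssid_config = {
    # 802.11r fast roaming
    "dot11r": {
        "enabled": True
    },
    "hotspot20": {
        "enabled": True,
        "networkAccessType": "Public with fee",
        "internetAccess": True,
        "venue": {
            "group": "Business",
            "type": "Unspecified"
        },
        "operator": {
            "name": "IronWifi"
        },
        "domains": ["ironwifi.net", "openroaming.net"],
        # WBA OpenRoaming (Settled), WBA OpenRoaming (Settlement-free), Cisco OpenRoaming
        "roamingConsortiumOis": [
            "5A03BA0000",
            "5A03BA0200",
            "004096"
        ],
        "naiRealms": [
            {
                "realm": "ironwifi.com",
                "methods": [
                    {"method": "EAP-TTLS", "innerMethods": ["PAP"]}
                ]
            }
        ]
    }
}

# Apply the settings to the selected SSID
dashboard.wireless.updateNetworkWirelessSsid(
    network_id,
    ssid_number,
    **ssid_config
)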

Troubleshooting

Clients Not Discovering Network

  1. Verify Hotspot 2.0 is enabled
  2. Check AP firmware is current
  3. Ensure client supports Passpoint
  4. Verify roaming consortium OIs

Authentication Failures

  1. Check RADIUS:
    • Dashboard > Wireless > RADIUS test
  2. Review logs:
    • Dashboard > Network-wide > Event log
  3. IronWifi logs:
    • Check authentication attempts
  4. Verify NAI realm matches user credentials
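The two verification steps above (roaming consortium OIs and the NAI realm match) can be checked offline before changing anything in the Dashboard. This is an added example, not IronWifi or Meraki code; the dictionary is a constructed sample using this guide's values, and the function names are hypothetical.

```python
import re

# Constructed sample built from the values this guide configures.
HOTSPOT20 = {
    "roamingConsortiumOis": ["5A03BA0000", "5A03BA0200", "004096"],
    "naiRealms": [
        {"realm": "ironwifi.com",
         "methods": [{"method": "EAP-TTLS", "innerMethods": ["PAP", "MSCHAPv2"]}]},
        {"realm": "openroaming.net",
         "methods": [{"method": "EAP-TTLS"}, {"method": "EAP-TLS"}]},
        {"realm": "google.com", "methods": [{"method": "EAP-TTLS"}]},
    ],
}

# A roaming consortium OI is 3 octets (OUI) or 5 octets (OUI-36), written in hex.
OI_RE = re.compile(r"(?:[0-9A-Fa-f]{6}|[0-9A-Fa-f]{10})")

def check_ois(ois):
    """Return problems found in the configured roaming consortium OIs."""
    problems, seen = [], set()
    for oi in ois:
        if not OI_RE.fullmatch(oi):
            problems.append(f"{oi!r}: expected 6 or 10 hex digits")
        elif oi.upper() in seen:
            problems.append(f"{oi!r}: duplicate entry")
        seen.add(oi.upper())
    return problems

def realm_of(identity):
    """Extract the realm from an NAI such as 'anonymous@ironwifi.com'."""
    _, sep, realm = identity.rpartition("@")
    return realm.lower() if sep and realm else None

def match_realm(identity, nai_realms):
    """Return the configured realm entry serving this identity, or None."""
    realm = realm_of(identity)
    return next((e for e in nai_realms if e["realm"].lower() == realm), None)

def diagnose(identity, config=HOTSPOT20):
    """List reasons this identity may fail, plus settings worth reviewing."""
    findings = check_ois(config["roamingConsortiumOis"])
    entry = match_realm(identity, config["naiRealms"])
    if entry is None:
        findings.append(f"realm {realm_of(identity)!r} is not a configured NAI realm")
    elif any("PAP" in m.get("innerMethods", []) for m in entry["methods"]):
        findings.append(f"{entry['realm']}: PAP inner auth relies on "
                        "clients validating the RADIUS server certificate")
    return findings
```

`diagnose("bob@ironwifi.net")` reports an unconfigured realm, because this guide uses ironwifi.net as the operator domain but ironwifi.com as the NAI realm.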

OpenID Not Working

  1. Ensure Cisco OpenID is enabled
  2. Check organization license includes OpenRoaming
  3. Verify user has valid Cisco/OpenRoaming identity
  4. Contact Meraki support for OpenID issues

Slow Connection Times

  1. Enable 802.11r for fast roaming
  2. Check RADIUS timeout settings
  3. Verify AP locations for coverage
  4. Review channel utilization

Best Practices

  1. Use 802.11r (Fast BSS Transition) with OpenRoaming
  2. Enable RADIUS failover for reliability
  3. Monitor usage via Dashboard analytics
  4. Keep firmware updated on all MR APs
  5. Test with multiple identity providers