Juniper Mist - OpenRoaming with RadSec

Configure RadSec (RADIUS over TLS) on Juniper Mist access points for secure OpenRoaming authentication with IronWifi. This guide covers certificate upload to Mist cloud, RadSec authentication server configuration, WLAN creation, and Hotspot 2.0 deployment through the Mist Dashboard.

Quick Start

  1. Enable RadSec and OpenRoaming in IronWifi Console
  2. Download certificate bundle
  3. Upload certificates to Mist Dashboard (Organization > Settings)
  4. Create RadSec authentication with radsec.ironwifi.com:2083
  5. Create WLAN with Hotspot 2.0 and OpenRoaming OIs
  6. Deploy to sites

Prerequisites

In Juniper Mist:

  • Juniper Mist organization with access points deployed
  • Mist firmware supporting RadSec
  • Access to Organization Settings for certificate management

In IronWifi Console (complete these first):

  1. Create or select a Network in the IronWifi Console
  2. Enable OpenRoaming from the dropdown menu
  3. Enable RadSec from the dropdown menu
  4. Download the certificate bundle (ZIP file containing Root CA, Intermediate CA, client certificate, and private key)

Mist Dashboard Configuration

Step 1: Upload Certificates

  1. Log in to Mist Dashboard (manage.mist.com)
  2. Navigate to Organization > Settings
  3. Find Certificates section
  4. Upload the following certificates:
    • Root CA certificate (iw-rsa-root-ca.cert.pem)
    • Intermediate CA certificate (iw-rsa-radsec-signing-ca.cert.pem)
    • Client certificate (client.cert.pem)
  5. Upload private key (client.key.pem)

Step 2: Create RadSec Configuration

  1. Navigate to Organization > WLAN Templates (or Site WLANs)
  2. Go to RADIUS configuration
  3. Select RadSec as the authentication method

Step 3: Configure RadSec Server

In RADIUS settings:

  1. Authentication Type: RadSec
  2. Click Add Server
  3. Configure:
    • Server Name: radsec.ironwifi.com
    • Port: 2083
    • Certificate: Select uploaded client certificate
    • CA Certificate: Select uploaded CA chain

Step 4: Configure WLAN with Passpoint

  1. Go to WLANs
  2. Create new WLAN or edit existing
  3. Configure:
    • SSID: OpenRoaming
    • Security: WPA2-Enterprise
    • RADIUS: Select RadSec configuration

Step 5: Enable Hotspot 2.0

  1. In WLAN settings, find Hotspot 2.0 section
  2. Enable Hotspot 2.0
  3. Configure:

Network Information:

  • Internet Access: Yes
  • Network Type: Free public network

Venue Information:

  • Venue Group: Business
  • Venue Type: Unspecified

Domain Name:

  • Add: ironwifi.net

Roaming Consortium:

  • Add: 5A03BA0000 (WBA OpenRoaming Settled)
  • Add: 5A03BA0200 (WBA OpenRoaming Settlement-free)
  • Add: 004096 (Cisco OpenRoaming)

NAI Realm:

  • Realm: ironwifi.com
  • EAP Type: TTLS

Step 6: Advanced Settings

In Hotspot 2.0 Advanced Settings:

Operator Information:

  • Friendly Name: Your Organization
  • Language: eng

Domain Names:

  • ironwifi.net
  • openroaming.org

Complete Configuration Summary

WLAN Settings

Setting          Value
SSID             OpenRoaming
Security         WPA2-Enterprise
Authentication   RadSec
RadSec Server    radsec.ironwifi.com:2083

Hotspot 2.0 Settings

Setting        Value
Internet       Yes
Network Type   Free public
Domain         ironwifi.net
Roaming OIs    5A03BA0000, 5A03BA0200, 004096
NAI Realm      ironwifi.com (EAP-TTLS)

Site-Level Configuration

For per-site RadSec configuration:

  1. Navigate to Site > WLANs
  2. Create site-specific WLAN
  3. Configure RadSec with site-specific certificates if needed
  4. Override organization settings as required

Verification

Check WLAN Status

  1. Go to Site > WLANs
  2. Verify WLAN is active
  3. Check for any configuration errors

Monitor RadSec Connectivity

  1. Go to Insights > Events
  2. Filter for RADIUS events
  3. Look for successful RadSec connections

Test Client Connection

  1. Connect Passpoint-enabled device
  2. Verify automatic connection
  3. Check authentication in:
    • Mist Dashboard (Client events)
    • IronWifi Console (Authentication logs)

Troubleshooting

RadSec Connection Issues

  1. Certificate Problems

    • Verify all certificates uploaded correctly
    • Check certificate validity dates
    • Ensure CA chain is complete
  2. Network Connectivity

    • Verify AP can reach radsec.ironwifi.com
    • Check port 2083 is allowed outbound
    • Test TLS connectivity
  3. Configuration Issues

    • Verify RadSec server address
    • Check certificate selection
    • Review WLAN configuration
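
The certificate and TLS checks listed above can be run from an admin workstation with the OpenSSL CLI. This is an added example, not part of the IronWifi or Mist documentation. It uses the bundle file names from Step 1; the directory argument, the 30-day expiry window, and the expectation that the RadSec server's certificate chains to the bundled Root CA are assumptions.

```shell
#!/bin/sh
# Added example: local checks on the IronWifi RadSec certificate bundle.
# File names come from Step 1; DIR and the 30-day window are assumptions.

# check_bundle DIR: returns 0 if the bundle is usable, otherwise
#   2 = file missing, 3 = chain incomplete, 4 = expiring, 5 = key mismatch
check_bundle() {
    dir=$1
    root="$dir/iw-rsa-root-ca.cert.pem"
    inter="$dir/iw-rsa-radsec-signing-ca.cert.pem"
    cert="$dir/client.cert.pem"
    key="$dir/client.key.pem"

    for f in "$root" "$inter" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 2; }
    done

    # CA chain complete: client -> intermediate -> root must verify.
    openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 \
        || { echo "chain does not verify" >&2; return 3; }

    # Validity dates: fail if any certificate expires within 30 days.
    for f in "$root" "$inter" "$cert"; do
        openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null \
            || { echo "expired or expiring within 30 days: $f" >&2; return 4; }
    done

    # The private key must belong to the client certificate:
    # compare the public key derived from each.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "client.key.pem does not match client.cert.pem" >&2; return 5; }
    return 0
}

# test_radsec DIR: mutual-TLS handshake to the RadSec server.
# Needs outbound TCP 2083; exits non-zero if the server certificate
# fails verification against the bundled Root CA (assumed trust anchor).
test_radsec() {
    dir=$1
    openssl s_client -connect radsec.ironwifi.com:2083 \
        -cert "$dir/client.cert.pem" -key "$dir/client.key.pem" \
        -CAfile "$dir/iw-rsa-root-ca.cert.pem" \
        -verify_return_error </dev/null
}
```

Run `check_bundle ./bundle` on the unzipped download before uploading to Mist, and `test_radsec ./bundle` from a network segment with the same egress rules as the access points.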

Authentication Failures

  1. Check NAI Realm

    • Verify realm matches IronWifi configuration
    • Check EAP method is correct
  2. Review Logs

    • Mist Dashboard > Insights > Events
    • IronWifi Console > Logs > Authentication
  3. Verify Passpoint Settings

    • Check roaming consortium OIs
    • Verify domain names

Debug Steps

  1. Go to Site > Access Points
  2. Select affected AP
  3. View Events for detailed logs
  4. Check for RadSec or RADIUS errors

Common Errors

Error                       Cause                Solution
"TLS handshake failed"      Certificate issue    Re-upload certificates
"Connection timeout"        Network/firewall     Check port 2083 access
"Authentication rejected"   Wrong realm/config   Verify NAI realm settings
"Certificate expired"       Outdated cert        Download new certificates

Best Practices

  1. Use Organization Templates: For consistent multi-site deployment
  2. Certificate Management: Track expiration dates
  3. Monitor Regularly: Check RadSec connectivity
  4. Test Thoroughly: Verify with multiple device types
  5. Document Configuration: For support and audit