Ubiquiti UniFi - OpenRoaming Configuration

Configure OpenRoaming on UniFi access points with IronWifi RADIUS authentication and Hotspot 2.0. This guide covers RADIUS profile creation, WPA2/WPA3 Enterprise security, roaming consortium OI configuration, NAI realm setup, and deployment through the UniFi Network Application.

Prerequisites

In UniFi:

  • UniFi access points with Hotspot 2.0 support
  • UniFi Network Controller 7.0 or later (for full OpenRoaming support)
  • Administrator access

In IronWifi Console (complete these first):

  1. Create a Network and note the RADIUS details
  2. Enable OpenRoaming on the network
  3. Configure roaming type (Settled or Settlement-free)

Quick Start

  1. Create RADIUS profile in UniFi with IronWifi server details
  2. Create WPA2-Enterprise WiFi network
  3. Enable Hotspot 2.0 with these Roaming Consortium OIs:
    • 5A03BA0000 (WBA Settled)
    • 5A03BA0200 (WBA Settlement-free)
    • 004096 (Cisco)
  4. Configure NAI realm: ironwifi.com
  5. Apply changes and test

UniFi Controller Configuration

Step 1: Create RADIUS Profile

  1. Open UniFi Network Application
  2. Go to Settings > Profiles > RADIUS
  3. Create new profile:
    • Name: IronWifi-OpenRoaming
    • Server IP: IronWifi RADIUS address
    • Port: 1812
    • Secret: Your RADIUS secret
    • Enable Accounting

Step 2: Create Wireless Network

  1. Go to Settings > WiFi
  2. Click Create New
  3. Configure:
    • Name: OpenRoaming (or your preferred SSID)
    • Security: WPA2/WPA3 Enterprise
    • RADIUS Profile: IronWifi-OpenRoaming

Step 3: Configure Hotspot 2.0

  1. In WiFi network settings, enable Hotspot 2.0
  2. Configure:

Network Settings:

  • Access Network Type: Free Public Network
  • Internet Access: Enabled

Operator Settings:

  • Operator Name: Your organization
  • Domain: ironwifi.net

Roaming Consortium (Critical for OpenRoaming): Add these OIs:

5A03BA0000 (WBA Settled)
5A03BA0200 (WBA Settlement-free)
004096 (Cisco)

NAI Realm: Add realms for OpenRoaming identity providers:

Realm: ironwifi.com
EAP Methods: EAP-TTLS, EAP-TLS

Realm: openroaming.net
EAP Methods: EAP-TTLS, EAP-TLS

Realm: google.com
EAP Methods: EAP-TTLS, EAP-TLS

  3. Save configuration

Step 4: Deploy Configuration

  1. Review settings
  2. Click Apply Changes
  3. Wait for APs to provision

Advanced: RadSec Configuration

For encrypted RADIUS (recommended for production):

Enable RadSec in IronWifi

  1. Go to Networks > your network
  2. Enable RadSec
  3. Download certificate bundle

UniFi RadSec (requires custom configuration)

UniFi doesn't natively support RadSec. Options:

  1. Use RADIUS proxy with RadSec support
  2. Configure via SSH/config files (advanced)
  3. Use standard RADIUS with secure network

Testing OpenRoaming

Test with Mobile Device

  1. iOS: Install OpenRoaming profile or use Apple ID
  2. Android: Enable Passpoint, sign in with Google account
  3. Device should auto-discover and connect

Verify in UniFi

  1. Go to Clients
  2. Find connected OpenRoaming client
  3. Check authentication method shows 802.1X/EAP

Verify in IronWifi

  1. Check Authentication Logs
  2. Look for successful authentications
  3. Verify realm matches OpenRoaming identity

Configuration via API

import requests

base_url = "https://unifi-controller:8443"
api_key = "your-api-key"

# Configure Hotspot 2.0 with OpenRoaming
wifi_config = {
    "name": "OpenRoaming",
    "security": "wpaeap",  # WPA Enterprise (802.1X/EAP)
    "radius_profile_id": "radius_profile_id",  # ID of the RADIUS profile from Step 1
    "hotspot2conf": {
        "enabled": True,
        "internet": True,
        "access_network_type": 2,
        "domain_names": ["ironwifi.net", "openroaming.net"],
        "roaming_consortium_list": [
            "5A03BA0000",
            "5A03BA0200",
            "004096"
        ],
        "nai_realm_list": [
            {
                "realm": "ironwifi.com",
                # EAP type numbers: 21 = EAP-TTLS, 13 = EAP-TLS
                "eap_methods": [{"method": 21}, {"method": 13}]
            },
            {
                "realm": "openroaming.net",
                "eap_methods": [{"method": 21}, {"method": 13}]
            }
        ],
        "operator_names": [{"lang": "eng", "name": "IronWifi"}]
    }
}
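
A pre-deployment check for a payload shaped like wifi_config above, catching the mistakes the troubleshooting steps point at (wrong OIs, missing NAI realm, unexpected EAP method). This is an added example, not IronWifi or Ubiquiti code; lint_wifi_config, _cfg and the GOOD/BAD samples are hypothetical names and constructed data.

```python
import re

ALLOWED_EAP = {13: "EAP-TLS", 21: "EAP-TTLS"}          # IANA EAP type numbers
EXPECTED_OIS = {"5A03BA0000", "5A03BA0200", "004096"}  # OIs listed in this guide
# An OI is 3 octets (24-bit OUI) or 5 octets (36-bit OUI-36), written as hex.
OI_RE = re.compile(r"[0-9A-F]{6}|[0-9A-F]{10}")


def lint_wifi_config(cfg):
    """Return a list of problems found in a wifi_config-style dict."""
    problems = []
    if cfg.get("security") != "wpaeap":
        problems.append("security is not wpaeap (802.1X/EAP)")
    hs = cfg.get("hotspot2conf") or {}
    if not hs.get("enabled"):
        problems.append("Hotspot 2.0 is disabled")
    ois = [str(o).strip().upper() for o in hs.get("roaming_consortium_list", [])]
    problems += [f"malformed OI: {o!r}" for o in ois if not OI_RE.fullmatch(o)]
    problems += [f"missing OI: {o}" for o in sorted(EXPECTED_OIS - set(ois))]
    realms = hs.get("nai_realm_list", [])
    if not realms:
        problems.append("no NAI realm configured")
    for r in realms:
        methods = [m.get("method") for m in r.get("eap_methods", [])]
        if not methods:
            problems.append(f"realm {r.get('realm')!r}: no EAP method")
        problems += [f"realm {r.get('realm')!r}: unexpected EAP type {m}"
                     for m in methods if m not in ALLOWED_EAP]
    return problems


def _cfg(ois, methods):
    """Build a constructed sample payload in the shape shown above."""
    return {"name": "OpenRoaming", "security": "wpaeap",
            "hotspot2conf": {"enabled": True,
                             "roaming_consortium_list": ois,
                             "nai_realm_list": [{"realm": "ironwifi.com",
                                                 "eap_methods": [{"method": m} for m in methods]}]}}


GOOD = _cfg(["5A03BA0000", "5A03BA0200", "004096"], [21, 13])
# Constructed mistakes: one OI is a digit short, and EAP type 25 (PEAP) is not in the guide.
BAD = _cfg(["5A03BA000", "5A03BA0200", "004096"], [25])

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_wifi_config(cfg) or "ok")
```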

Troubleshooting

Devices Don't Auto-Connect

  1. Verify Hotspot 2.0 is enabled
  2. Check roaming consortium OIs are correct
  3. Ensure client has valid OpenRoaming credentials
  4. Test with known-good OpenRoaming device

Authentication Failures

  1. Check RADIUS connectivity
  2. Verify IronWifi authentication logs
  3. Ensure NAI realm is configured
  4. Check user credentials or identity provider

"No Networks Found" on Client

  1. Verify AP is broadcasting Hotspot 2.0
  2. Check 802.11u beacons with WiFi analyzer
  3. Ensure client Passpoint is enabled
  4. Move closer to access point
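
To confirm what the AP actually advertises, the Roaming Consortium element (ID 111) in a captured beacon can be decoded and compared with the OIs configured above. This is an added example, not part of the original guide; it assumes the input is the beacon's tagged-parameter section (after the MAC header and fixed fields), and the function names and SAMPLE bytes are constructed for illustration.

```python
ROAMING_CONSORTIUM_EID = 111  # element ID of the 802.11u Roaming Consortium element


def roaming_consortium_ois(tagged_params: bytes):
    """Walk the beacon's tagged parameters (ID, length, value) and return the
    OIs in the Roaming Consortium element as uppercase hex strings."""
    i = 0
    while i + 2 <= len(tagged_params):
        eid, length = tagged_params[i], tagged_params[i + 1]
        body = tagged_params[i + 2:i + 2 + length]
        if len(body) < length:
            raise ValueError("truncated element")
        if eid == ROAMING_CONSORTIUM_EID:
            return _parse_ois(body)
        i += 2 + length
    return []  # element absent: the AP is not advertising any consortium


def _parse_ois(body: bytes):
    if len(body) < 2:
        raise ValueError("Roaming Consortium element too short")
    # body[0] = count of further OIs reachable only through ANQP queries.
    # body[1] = OI lengths: low nibble for OI #1, high nibble for OI #2.
    len1, len2 = body[1] & 0x0F, body[1] >> 4
    rest = body[2:]
    if len1 + len2 > len(rest):
        raise ValueError("OI lengths exceed element length")
    # OI #3 has no length field; it is whatever remains.
    parts = (rest[:len1], rest[len1:len1 + len2], rest[len1 + len2:])
    return [p.hex().upper() for p in parts if p]


def missing_ois(tagged_params: bytes, expected):
    """Expected OIs that the beacon does not advertise."""
    seen = set(roaming_consortium_ois(tagged_params))
    return [oi for oi in expected if oi.upper() not in seen]


# Constructed sample: SSID element followed by a Roaming Consortium element
# carrying the three OIs from this guide (5 + 5 + 3 octets).
SAMPLE = (bytes([0, 11]) + b"OpenRoaming"
          + bytes([111, 15, 0x00, 0x55])
          + bytes.fromhex("5A03BA00005A03BA0200004096"))
```

A beacon carries at most three OIs in this element, which is exactly the set this guide configures; any further OIs are only visible through ANQP queries.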

Intermittent Connections

  1. Check for multiple SSIDs on same channel
  2. Verify RADIUS timeout settings
  3. Review AP logs for errors
  4. Check for firmware updates

Best Practices

  1. Use dedicated SSID for OpenRoaming
  2. Keep firmware updated on all APs
  3. Monitor authentication logs regularly
  4. Test with multiple devices (iOS, Android)
  5. Configure both settled and settlement-free OIs

OpenRoaming Benefits

With OpenRoaming configured:

  • Users with Google, Apple, Microsoft accounts connect automatically
  • Guests don't need to register or enter passwords
  • Enterprise users roam to your network seamlessly
  • All connections are WPA2/WPA3 Enterprise secured