Aerohive (Extreme) - Passpoint Configuration

Configure Passpoint (Hotspot 2.0) on Aerohive/Extreme Networks access points to enable automatic WiFi authentication through IronWifi's cloud RADIUS service. This eliminates manual network selection and provides WPA2/WPA3-Enterprise security without splash pages.

Overview

Aerohive Networks (now part of Extreme Networks) supports Hotspot 2.0/Passpoint through:

  • ExtremeCloud IQ - Cloud-managed platform
  • HiveManager NG - On-premises management
  • ExtremeCloud IQ - Site Engine - Enterprise management

Prerequisites

In Aerohive/Extreme:

  • Aerohive/Extreme access points with Hotspot 2.0 support
  • HiveOS 10.x or later
  • ExtremeCloud IQ account or HiveManager NG

In IronWifi Console (complete these first):

  1. Log in to IronWifi Management Console
  2. Navigate to Networks > select your network
  3. Enable Passpoint from dropdown
  4. Note configuration details:
    • RADIUS Server IP
    • RADIUS Secret
    • Authentication Port: 1812
    • Accounting Port: 1813
    • NAI Realm: ironwifi.com

ExtremeCloud IQ Configuration

Step 1: Configure RADIUS Server

  1. Log in to ExtremeCloud IQ (extremecloudiq.com)
  2. Navigate to Configure > Common Objects > Authentication
  3. Click RADIUS Server > Add
  4. Configure:
    • Name: IronWifi-RADIUS
    • Server IP/Hostname: Your IronWifi RADIUS IP
    • Authentication Port: 1812
    • Accounting Port: 1813
    • Shared Secret: Your RADIUS secret
    • Confirm Secret: Re-enter secret
  5. Click Save

Step 2: Create RADIUS Server Group

  1. Go to RADIUS Server Group > Add
  2. Configure:
    • Name: IronWifi-Group
    • Server Selection: By sequence
  3. Add IronWifi-RADIUS server to group
  4. Click Save

Step 3: Create AAA Profile

  1. Go to AAA Client Settings > Add
  2. Configure:
    • Name: IronWifi-AAA
    • RADIUS Server Group: IronWifi-Group
    • Authentication Method: 802.1X
  3. Click Save

Step 4: Configure Hotspot 2.0 Profile

  1. Navigate to Configure > Common Objects > Wireless
  2. Click Hotspot 2.0 > Add
  3. Configure General Settings:

Network Information:

  • Profile Name: IronWifi-Passpoint
  • Internet Access: Yes
  • Network Type: Free public network
  • Authentication Type: Terms and conditions acceptance

Venue Information:

  • Venue Group: Business
  • Venue Type: Unspecified
  • Venue Name: Your Location Name

Step 5: Configure Domain and Operator

In the same Hotspot 2.0 profile:

Domain Names:

ironwifi.net
openroaming.org

Operator Information:

  • Friendly Name: IronWifi
  • Language Code: eng

Step 6: Configure Roaming Consortium

Add Roaming Consortium OIs:

| OI | Description |
| --- | --- |
| 5A03BA0000 | OpenRoaming Settled |
| 004096 | OpenRoaming Settlement-Free |
| AA146B0000 | Cityroam (if applicable) |

Step 7: Configure NAI Realm

  1. In Hotspot 2.0 profile, find NAI Realm section
  2. Add realm configuration:
    • Realm: ironwifi.com
    • EAP Method: EAP-TTLS
    • Inner Authentication: PAP, MSCHAPv2
    • Credential Type: Username/Password

Step 8: Create Network Policy

  1. Navigate to Configure > Network Policies
  2. Click Add Network Policy
  3. Configure:
    • Policy Name: Passpoint-Policy
    • SSID: OpenRoaming (or your preferred name)
    • SSID Broadcast: Enabled

Step 9: Configure SSID Security

In the Network Policy:

  1. Go to Wireless section
  2. Configure:
    • Authentication: WPA2-Enterprise
    • Key Management: 802.1X
    • Encryption: AES-CCMP

Step 10: Assign Hotspot 2.0 Profile

  1. In Network Policy, find Hotspot 2.0 section
  2. Select IronWifi-Passpoint profile
  3. Enable Hotspot 2.0

Step 11: Deploy Configuration

  1. Navigate to Configure > Devices
  2. Select target access points
  3. Click Update Device > Upload and Activate
  4. Wait for configuration to apply

HiveManager NG Configuration

Configure RADIUS

  1. Log in to HiveManager NG
  2. Go to Configuration > Authentication > RADIUS Servers
  3. Click Add
  4. Configure:
    • Name: IronWifi
    • IP Address: IronWifi RADIUS IP
    • Auth Port: 1812
    • Accounting Port: 1813
    • Shared Secret: Your secret

Configure Hotspot 2.0

  1. Go to Configuration > Wireless > Hotspot 2.0
  2. Click Add Profile
  3. Configure all Hotspot 2.0 settings similar to ExtremeCloud IQ

Create SSID Profile

  1. Go to Configuration > Wireless > SSIDs
  2. Create new SSID with:
    • WPA2-Enterprise security
    • RADIUS authentication
    • Hotspot 2.0 profile assigned

CLI Configuration (Advanced)

For advanced users, use HiveOS CLI:

RADIUS Configuration

radius-server IronWifi
server-address 1.2.3.4
server-port 1812
accounting-port 1813
shared-secret encrypted your-secret-here

RADIUS Group

radius-server-group IronWifi-Group
member IronWifi
selection-method sequential

AAA Profile

aaa-profile IronWifi-AAA
radius-server-group IronWifi-Group
authentication-method dot1x

Hotspot 2.0 Profile

hotspot20-profile IronWifi-Passpoint
internet-access enable
network-type free-public
venue-group business
venue-type unspecified

domain-name ironwifi.net
domain-name openroaming.org

operator-name eng "IronWifi"

roaming-consortium-oi 5A03BA0000
roaming-consortium-oi 004096

nai-realm ironwifi.com
eap-method eap-ttls
inner-auth pap
inner-auth mschapv2

SSID Profile

ssid-profile Passpoint-SSID
ssid OpenRoaming
security wpa2-enterprise
aaa-profile IronWifi-AAA
hotspot20-profile IronWifi-Passpoint

Apply to Interface

interface wifi0
ssid-profile Passpoint-SSID

Verification

ExtremeCloud IQ

  1. Go to Monitor > Devices
  2. Select access point
  3. Check Wireless status
  4. Verify SSID is broadcasting
  5. Check client connections

Check Hotspot 2.0 Status

  1. Go to Monitor > Clients
  2. Filter by SSID
  3. Verify Passpoint client connections

CLI Verification

# Show RADIUS status
show radius-server-status

# Show Hotspot 2.0 config
show hotspot20-profile

# Show wireless status
show interface wifi0

# Show connected clients
show station

Test Connection

Device Requirements

  • Passpoint-capable device (iOS 7+, Android 6+, Windows 10+)
  • Passpoint profile installed or OpenRoaming profile

Connection Process

  1. Ensure device Passpoint is enabled
  2. Device discovers Passpoint network via ANQP
  3. Automatic connection based on credentials
  4. Verify in IronWifi Console > Logs

Troubleshooting

Network Not Discovered

  1. Verify Hotspot 2.0 enabled on SSID
  2. Check ANQP responses:
    show hotspot20-anqp-stats
  3. Verify beacon frames include Interworking IE
  4. Test with different client devices
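
The beacon check in step 3 can be done offline against a captured frame. The following is an added example, not part of the original guide or of any vendor tool: it walks a beacon's tagged parameters, decodes the Interworking element (ID 107), the Roaming Consortium element (ID 111) and the Hotspot 2.0 Indication element, and reports which of the OIs from Step 6 are not advertised. The function names and the sample bytes are constructed for illustration.

```python
EID_INTERWORKING, EID_ROAMING_CONSORTIUM, EID_VENDOR = 107, 111, 221
HS20_INDICATION = bytes.fromhex("506f9a10")  # Wi-Fi Alliance OUI + type 0x10
EXPECTED_OIS = {"5A03BA0000", "004096"}      # assumption: the OIs set in Step 6

def iter_elements(tagged):
    """Yield (element_id, body) for each tagged parameter in a beacon body."""
    pos = 0
    while pos < len(tagged):
        if pos + 2 > len(tagged) or pos + 2 + tagged[pos + 1] > len(tagged):
            raise ValueError(f"truncated element at offset {pos}")
        length = tagged[pos + 1]
        yield tagged[pos], tagged[pos + 2:pos + 2 + length]
        pos += 2 + length

def parse_roaming_consortium(body):
    """Return the OIs (hex) in a Roaming Consortium element (up to three)."""
    if len(body) < 2:
        raise ValueError("Roaming Consortium element too short")
    len1, len2 = body[1] & 0x0F, body[1] >> 4         # OI #1 and OI #2 lengths
    lens = (len1, len2, len(body) - 2 - len1 - len2)  # OI #3 is the remainder
    if lens[2] < 0:
        raise ValueError("OI lengths exceed element length")
    offsets = (2, 2 + len1, 2 + len1 + len2)
    return [body[o:o + n].hex().upper() for o, n in zip(offsets, lens) if n]

def passpoint_report(tagged):
    """Summarise the Passpoint-related elements a client looks for."""
    rpt = {"interworking": False, "hs20": False, "network_type": None,
           "internet": None, "venue": None, "ois": []}
    for eid, body in iter_elements(tagged):
        if eid == EID_INTERWORKING and body:
            rpt["interworking"] = True
            rpt["network_type"] = body[0] & 0x0F      # 3 = free public network
            rpt["internet"] = bool(body[0] & 0x10)    # Internet bit
            if len(body) in (3, 9):                   # venue info present
                rpt["venue"] = (body[1], body[2])     # (group, type)
        elif eid == EID_ROAMING_CONSORTIUM:
            rpt["ois"] = parse_roaming_consortium(body)
        elif eid == EID_VENDOR and body[:4] == HS20_INDICATION:
            rpt["hs20"] = True
    rpt["missing_ois"] = sorted(EXPECTED_OIS - set(rpt["ois"]))
    return rpt

SAMPLE = bytes.fromhex(            # constructed tagged parameters, not a capture
    "000b4f70656e526f616d696e67"   # SSID "OpenRoaming"
    "6b03130200"                   # Interworking: free public + Internet, venue 2/0
    "6f0a00355a03ba0000004096"     # Roaming Consortium: two OIs
    "dd05506f9a1020")              # Hotspot 2.0 Indication (vendor specific)
```

A report with `interworking` false or a non-empty `missing_ois` points at the Hotspot 2.0 profile not being attached to the SSID or at Step 6 being incomplete.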

Authentication Failures

  1. Test RADIUS connectivity:
    test radius server IronWifi username testuser
  2. Check RADIUS server status:
    show radius-server-status
  3. Review authentication logs in ExtremeCloud IQ
  4. Verify NAI realm matches IronWifi configuration
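
A shared-secret mismatch on an 802.1X SSID tends to look like a timeout, not a reject: RFC 3579 requires the server to silently discard an EAP Access-Request whose Message-Authenticator does not verify. The following added example (not from the original guide or from IronWifi or Extreme code) shows both checks that depend on the Shared Secret field; the secrets, names and packet contents are constructed, and the reply is simplified to carry no attributes.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, ident, request_auth, user, eap):
    """AP side: Access-Request carrying EAP, signed with Message-Authenticator."""
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while signing
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt += request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                            # attribute 80 is last here

def request_is_authentic(secret, pkt):
    """Server side: recompute HMAC-MD5 with attribute 80 zeroed and compare."""
    pos = 20
    while pos + 2 <= len(pkt) and pkt[pos + 1] >= 2:
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[pos + 2:pos + 18])
        pos += a_len
    return False   # an EAP request without attribute 80 is discarded as well

def build_reply(secret, code, ident, request_auth, attrs=b""):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + digest + attrs

def reply_is_authentic(secret, reply, request_auth):
    """AP side: a reply computed with a different secret fails this check."""
    expect = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expect, reply[4:20])

# Constructed sample values (a real Request Authenticator must be random).
AP_SECRET, SERVER_SECRET = b"constructed-ap-secret", b"constructed-server-secret"
REQUEST_AUTH = bytes(range(16))
USER = b"anonymous@ironwifi.com"
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 5 + len(USER), 1) + USER  # EAP-Response/Identity
REQUEST = build_access_request(AP_SECRET, 7, REQUEST_AUTH, USER, EAP_IDENTITY)
```

With these values `request_is_authentic(SERVER_SECRET, REQUEST)` is false, so the server would send nothing back and the AP would log a timeout.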

Connection Drops

  1. Check signal strength - Ensure adequate coverage
  2. Review AP logs for disconnection reasons
  3. Verify VLAN configuration - Ensure proper network access
  4. Check session timeout settings

Common Errors

| Error | Cause | Solution |
| --- | --- | --- |
| RADIUS timeout | Network issue | Check firewall, verify IP |
| Auth rejected | Wrong credentials | Verify realm, check user |
| No ANQP response | HS2.0 disabled | Enable Hotspot 2.0 on SSID |
| Certificate error | TLS mismatch | Update AP firmware |

Best Practices

  1. Firmware Updates: Keep HiveOS updated for best Passpoint support
  2. Testing: Verify with multiple device types before production
  3. Monitoring: Use ExtremeCloud IQ dashboards for visibility
  4. Redundancy: Configure backup RADIUS servers
  5. Documentation: Record all configuration settings
  6. Security: Use strong RADIUS secrets, enable accounting