Skip to main content

Mist (Juniper) - Passpoint Configuration

Configure Passpoint (Hotspot 2.0) on Juniper Mist AI-driven access points to enable automatic WiFi authentication through IronWifi's cloud RADIUS service. This eliminates manual network selection and provides WPA2/WPA3-Enterprise security across your wireless infrastructure.

Supported Platforms

  • Mist Cloud - Cloud-managed wireless
  • Mist AP Series - AP12, AP32, AP33, AP34, AP41, AP43, AP45, AP61, AP63

Prerequisites

In Mist:

  • Mist organization with APs deployed
  • Mist APs with firmware supporting Hotspot 2.0
  • Network connectivity to IronWifi RADIUS servers

In IronWifi Console (complete these first):

  1. Log in to IronWifi Management Console
  2. Navigate to Networks > select your network
  3. Enable Passpoint
  4. Note the following:
    • Primary RADIUS Server IP
    • Secondary RADIUS Server IP
    • RADIUS Secret
    • NAI Realm (e.g., ironwifi.com)
    • Roaming Consortium OIs

Mist Cloud Configuration

Mist Dashboard Configuration

Step 1: Configure RADIUS Server

  1. Log in to Mist Dashboard (manage.mist.com)
  2. Navigate to Organization > WLAN Templates or Site > WLANs
  3. Go to RADIUS Servers section
  4. Click Add Server
  5. Configure Authentication Server:
    • IP Address: IronWifi RADIUS IP
    • Port: 1812
    • Secret: Your RADIUS secret
  6. Add Accounting Server:
    • IP Address: IronWifi RADIUS IP
    • Port: 1813
    • Secret: Your RADIUS secret

Step 2: Create WLAN

  1. Go to Site > WLANs (or WLAN Template)
  2. Click Add WLAN
  3. Configure:
    • SSID: Passpoint
    • Security: WPA2/WPA3-Enterprise (802.1X)
    • RADIUS Authentication: Select IronWifi servers
    • RADIUS Accounting: Enable and select servers

Step 3: Enable Hotspot 2.0

  1. In WLAN settings, find Hotspot 2.0 section
  2. Toggle Enable Hotspot 2.0

Step 4: Configure Hotspot 2.0 Settings

Network Information:

  • Internet Access: Yes
  • Network Type: Free public network
  • Additional Step Required: No (or as needed)

Venue Information:

  • Venue Group: Business
  • Venue Type: Unspecified Business
  • Venue Name: Your Location Name

Operator Information:

  • Operator Friendly Name: Your Organization
  • Language: English (eng)

Step 5: Configure Domain

  1. In Hotspot 2.0 settings, find Domain Name
  2. Add: ironwifi.net

Step 6: Configure Roaming Consortium

  1. Find Roaming Consortium section
  2. Add OIs:
    • 5A03BA0000 (OpenRoaming Settled)
    • 004096 (OpenRoaming Settlement-Free)

Step 7: Configure NAI Realm

  1. Find NAI Realm List section

  2. Click Add NAI Realm

  3. Configure:

    • NAI Realm: ironwifi.com
    • Encoding: UTF-8
    • EAP Method: EAP-TTLS
    • Authentication: Credentials (Username/Password)
    • Inner Authentication: PAP

  4. Save the WLAN configuration

Advanced Configuration

3GPP Cellular Information

For carrier WiFi integration:

  1. In Hotspot 2.0 settings, find 3GPP Cellular Network Information
  2. Add MCC/MNC pairs: 
    MCC: 310, MNC: 410
    MCC: 311, MNC: 480

WAN Metrics

Configure WAN link characteristics:

  1. Enable WAN Metrics
  2. Configure:
    • Link Status: Up
    • Symmetric Link: Yes
    • At Capacity: No
    • Downlink Speed: 100 Mbps
    • Uplink Speed: 50 Mbps
    • Downlink Load: 0
    • Uplink Load: 0

Connection Capability

Define available network services:

ProtocolPort NumberStatus
TCP80Open
TCP443Open
TCP5060Open
UDP5060Open
ESP-Open

Operating Class

Configure supported frequencies:

  1. Find Operating Class
  2. Enable classes for your deployment:
    • Class 81: 2.4 GHz
    • Class 115: 5 GHz (channels 36-48)
    • Class 121: 5 GHz (channels 100-140)
    • Class 124: 5 GHz (channels 149-161)

OpenRoaming Configuration

Enable OpenRoaming

For full OpenRoaming support:

  1. In Hotspot 2.0 settings

  2. Add both OpenRoaming OIs:

    5A03BA0000 (Settled)
    004096 (Settlement-Free)

  3. Configure NAI realm for OpenRoaming:

    • Realm: ironwifi.com
    • EAP Method: EAP-TTLS or EAP-TLS

RCOI Configuration

If using specific Roaming Consortium:

  1. Add your organization's RCOI
  2. Configure matching realm

WLAN Template Configuration

For multi-site deployments:

Create Template

  1. Go to Organization > WLAN Templates
  2. Click Create Template
  3. Configure Passpoint WLAN as above
  4. Save template

Apply to Sites

  1. Go to Organization > Site Configuration
  2. Select sites
  3. Apply WLAN template
  4. Push configuration

Troubleshooting

Network Not Discovered by Devices

  1. Verify Hotspot 2.0 Status

    • Check WLAN settings show HS2.0 enabled
    • Verify AP firmware supports Passpoint

  2. Check GAS/ANQP

    • Devices should query ANQP
    • APs should respond with configuration

  3. Client Requirements

    • Device must support Passpoint
    • Passpoint must be enabled on device

Authentication Failures

  1. RADIUS Connectivity

    • Verify AP can reach RADIUS server
    • Check firewall rules for UDP 1812/1813

  2. Credential Issues

    • Verify NAI realm matches
    • Check EAP method configuration
    • Review IronWifi logs

  3. Certificate Issues (for EAP-TLS)

    • Verify certificate is valid
    • Check CA trust chain

Mist Dashboard Diagnostics

  1. Go to Insights > Client Events
  2. Filter by client or WLAN
  3. Look for:
    • Association events
    • Authentication events
    • RADIUS responses

AP Diagnostics

  1. Select AP in dashboard
  2. Go to Utilities > AP Troubleshoot
  3. Run packet capture for RADIUS traffic
  4. Check AP logs for errors

Monitoring

Mist Analytics

Track Passpoint usage:

  1. SLE (Service Level Expectations)

    • Monitor authentication success rate
    • Track connection times

  2. Client Insights

    • View Passpoint client associations
    • Check device types and capabilities

  3. RADIUS Analytics

    • Monitor authentication requests
    • Track failure reasons

IronWifi Monitoring

  1. Log in to IronWifi Console
  2. Navigate to Logs > Authentication
  3. Filter by network/realm
  4. Review success and failure events

Best Practices

  1. Use Templates: For consistent multi-site deployment
  2. Test Thoroughly: Verify with multiple device types
  3. Monitor SLEs: Track authentication success rates
  4. Firmware Updates: Keep APs on latest firmware
  5. Redundancy: Configure multiple RADIUS servers
  6. Documentation: Document your Passpoint configuration