Skip to main content

Ubiquiti UniFi - Passpoint Configuration

Configure Passpoint (Hotspot 2.0) on Ubiquiti UniFi access points to enable automatic WiFi authentication through IronWifi's cloud RADIUS service. This provides seamless WPA2/WPA3-Enterprise connections without manual network selection or splash pages.

Prerequisites

In UniFi:

  • UniFi access points with Hotspot 2.0 support (see table below)
  • UniFi Network Controller 6.0 or later
  • Administrator access

In IronWifi Console (complete these first):

  1. Create a Network and note the RADIUS details
  2. Enable Passpoint on the network
  3. Configure realm, operator name, and domain settings

Supported Hardware

SeriesModels
UniFi 6U6-LR, U6-Pro, U6-Lite, U6-Mesh, U6-Enterprise
UniFi 5UAP-AC-Pro, UAP-AC-HD, UAP-AC-SHD
UniFi 6EAll WiFi 6E models

UniFi Controller Configuration

Step 1: Create RADIUS Profile

  1. Open UniFi Network Application
  2. Go to Settings > Profiles > RADIUS
  3. Click Create New
  4. Configure:
    • Name: IronWifi-RADIUS
    • Authentication Server: IronWifi RADIUS IP
    • Port: 1812
    • Shared Secret: Your RADIUS secret
    • Accounting: Enable
    • Accounting Server: Same as authentication
    • Accounting Port: 1813

Step 2: Create Wireless Network

  1. Go to Settings > WiFi
  2. Click Create New
  3. Configure basic settings:
    • Name/SSID: Your Passpoint network name
    • Security Protocol: WPA2/WPA3 Enterprise
    • RADIUS Profile: Select IronWifi-RADIUS

Step 3: Enable Hotspot 2.0

  1. In the WiFi network settings, scroll to Hotspot 2.0
  2. Enable Hotspot 2.0
  3. Configure:

Network Settings

  • Access Network Type: Free Public Network (or appropriate type)
  • Internet Access: Enabled
  • Venue Group: Business (or appropriate)
  • Venue Type: Unspecified Business

Operator Settings

  • Operator Friendly Name: Your organization name
  • Domain Names: ironwifi.net

Roaming Consortium

Add the following OIs:

5A03BA0000  (WBA OpenRoaming)
004096      (Cisco OpenRoaming)

NAI Realm

  • Realm: ironwifi.com (or your realm)
  • EAP Methods: EAP-TTLS, EAP-TLS
  1. Click Apply Changes

Configuration via UniFi API

For automation or advanced configuration:

{
  "name": "Passpoint-Network",
  "security": "wpaeap",
  "wpa_mode": "wpa2",
  "radius_profile_id": "<radius_profile_id>",
  "hotspot2conf": {
    "enabled": true,
    "access_network_type": 2,
    "internet": true,
    "venue_group": 2,
    "venue_type": 0,
    "domain_names": ["ironwifi.net"],
    "operator_names": [{"lang": "eng", "name": "IronWifi"}],
    "roaming_consortium_list": ["5A03BA0000", "004096"],
    "nai_realm_list": [{
      "realm": "ironwifi.com",
      "eap_methods": [
        {"method": 21, "auth_ids": [[2, 4], [5, 7]]},
        {"method": 13}
      ]
    }]
  }
}

OpenRoaming Configuration

To enable OpenRoaming on UniFi:

  1. Navigate to the Hotspot 2.0 settings
  2. Add OpenRoaming consortium OIs:
    • 5A03BA0000 - WBA OpenRoaming Settled
    • 5A03BA0200 - WBA OpenRoaming Settlement-free
  3. Configure NAI realm for OpenRoaming authentication
  4. Enable in IronWifi console under Networks > OpenRoaming

Testing Passpoint

From iOS

  1. Ensure Passpoint profile is installed
  2. Device should automatically discover and connect
  3. Check Settings > Wi-Fi for Passpoint indicator

From Android

  1. Enable Wi-Fi
  2. Device should auto-discover Passpoint network
  3. Check connection in Wi-Fi settings

Verification Commands

On UniFi Controller:

# SSH to access point
ssh ubnt@<AP_IP>

# Check Hotspot 2.0 status
iwinfo

# View connected Passpoint clients
cat /proc/net/wireless

Troubleshooting

Network Not Discovered

  1. Verify Hotspot 2.0 is enabled in network settings
  2. Check AP firmware is up to date
  3. Ensure client device supports Passpoint
  4. Verify domain names and realm configuration

Authentication Fails

  1. Check RADIUS connectivity from UniFi
  2. Verify shared secret matches IronWifi configuration
  3. Review authentication logs in IronWifi console
  4. Ensure NAI realm matches user credentials

Clients Don't Auto-Connect

  1. Verify Passpoint profile is installed on client
  2. Check roaming consortium OIs match
  3. Ensure credential realm matches NAI realm
  4. Review client device Passpoint settings

Intermittent Connectivity

  1. Check for AP firmware updates
  2. Verify RADIUS timeout settings
  3. Review access point logs
  4. Check for channel interference

Best Practices

  1. Use unique SSID - Don't overlap with regular networks
  2. Test thoroughly - Verify with multiple device types
  3. Monitor logs - Track authentication success/failures
  4. Update firmware - Keep APs on latest stable version
  5. Document configuration - Record all settings for troubleshooting