Ubiquiti UniFi Deployment Guide

Passpoint settings were removed from the UniFi user interface in firmware 7.4.
Remain on firmware 7.3 to support Orion via UniFi.

Prerequisites

Confirm your UniFi device supports Passpoint

Orion Wifi requires Hotspot 2.0 ("Passpoint") capable Access Points.  Not all UniFi APs are Passpoint capable.

Ensure your APs are Wi-Fi Alliance Passpoint certified before deploying Orion Wifi.

Deploy Orion Radsecproxy

Orion uses RadSec (RADIUS over TLS) to secure communications with your networking equipment.

UniFi does not support RadSec. To use Orion Wifi with UniFi, you'll need to deploy our Orion Radsecproxy container within your network. This lightweight proxy allows normal RADIUS-capable equipment (including UniFi) to communicate securely with Orion.

Follow the instructions in the Orion-radsecproxy README to deploy Orion-radsecproxy before configuring your UniFi APs.

Getting Started

To add Orion Wifi to your UniFi network, you will:

  • Create the Orion RADIUS profile
  • Create the Orion Hotspot 2.0 profile
  • Configure a new "Orion" SSID with these profiles

This guide walks you through each of these steps.

Log in to the UniFi Network application

To start the configuration process, log in to the Ubiquiti UniFi dashboard as an administrator. 


Ensure you are in the Network application.


 

Enable the "Legacy" User Interface

Hotspot 2.0 settings are not yet available in the new UniFi User Interface.  If you are using this interface, switch to the Legacy interface via Settings > System > Legacy Interface.
 

 

 

Create the Orion RADIUS Profile

Select Settings at the bottom left of the Dashboard.


 

Select Profiles from the Settings menu and click + Create New RADIUS Profile


 

The Create New RADIUS Profile page appears.

 

Enter a RADIUS Profile Name, such as “Orion_radius”.  This is for your reference only.

Enter the IP Address, Port and Shared Secret below:

Name            Value
Host            IP address of your Orion-radsecproxy container
Port            1812 (default)
Shared Secret   radsec


If you’re using multiple radsecproxies for high availability, click + Add Auth Server to add each of them.
 

Click the box next to Enable accounting. The Accounting options appear below the RADIUS Auth Server section:


 

Check the box next to Enable Interim Update and change the value to 300 (seconds).



 

Enter the RADIUS Accounting Server values shown for the primary accounting server.
 

Name            Value
Host            IP address of your Orion-radsecproxy container
Port            1813 (default)
Shared Secret   radsec

 

If you’re using a high availability configuration, click + Add Accounting Server to add each RADIUS accounting server.

 

Click Save at the bottom left.



A message appears at the top right indicating that the RADIUS profile changes are saved.


 

Create the Orion Hotspot 2.0 Profile

Hotspot 2.0 allows devices to join the Orion network automatically.  Hotspot 2.0 settings are applied to an existing or new SSID. When clients with matching Hotspot 2.0 parameters are in the SSID's coverage area, they will automatically attempt to connect.

 

Select Settings at the bottom left of the Dashboard.


 

Select Services.

You might see a message indicating that you need to connect a UniFi Security Gateway to enable the RADIUS configuration. Ignore that message and continue to the Hotspot 2.0 configuration.
 

Click Hotspot 2.0 on the menu bar at the top of the page.



The Hotspot 2.0 page appears.



 

Click +Create New Hotspot 2.0 Profile.

The Create New Hotspot 2.0 Profile page appears.


 

Enter a Hotspot 2.0 Profile Name, such as “Orion_hotspot”.  This is for your reference only.
 

Add Interworking Information

Expand Internetworking Information by clicking > next to it.
For Network Type, select Chargeable public network.
For Network Access, click the box next to Internet.

 

Add Roaming Consortium

Expand Roaming Consortium List by clicking > next to it.
For Name, enter “Orion”.
For Organization ID, enter the value below:

F4F5E8F5F4

Click +Add Roaming Consortium.


Add 3GPP Cellular Network Info

Expand 3GPP Cellular Network List by clicking > next to it. 

Enter each Name, MCC and MNC in this table, clicking + ADD 3GPP CELLULAR NETWORK after each:

Name MCC MNC
310410 310 410
310280 310 280
310150 310 150
313100 313 100




Click Save at the bottom left.



A message appears at the top right indicating that the Hotspot 2.0 profile changes are saved.



 

Configure SSID with RADIUS profile and Hotspot 2.0 profile

You'll now configure a new Orion SSID using the profiles you just created.

Select Settings at the bottom left of the Dashboard.



The Settings menu appears.

Select Wireless Networks from the Settings menu and click + Create New Wireless Network.



The Create New Wireless Network page appears.


 

Enter Name/SSID. We recommend ‘Orion’. 

For Security, select WPA Enterprise. RADIUS profile options appear so you can associate the RADIUS profile with the wireless LAN.


 

Select the RADIUS Profile you created, “Orion_radius”.

Click the box next to Enable Hotspot 2.0.

Select the Hotspot 2.0 profile you created, “Orion_hotspot”.

Click Save at the bottom left.




A message appears at the top right indicating that the wireless network changes are saved.


 


Troubleshoot the Ubiquiti UniFi configuration

If you see errors or problems while installing and testing the UniFi configuration, here are some ways to validate the configuration and look for errors.

 

Most problems occur during setup. One way to test whether the setup is correct is to go through the steps again. Another is to look at the primary components of the SSID, RADIUS, and Hotspot 2.0 setup that directly impact connectivity to radsecproxy and Orion Wifi.

RCOI and EAP settings

If the Roaming Consortium OI (RCOI) and EAP method aren’t set correctly, mobile devices can’t automatically connect (which is intended). If radsecproxy logs are showing an attempt to connect but failing, it means radsecproxy IP addresses are probably correct in the RADIUS Authentication and Accounting settings, but the EAP settings could be wrong.

Review Configure the wireless LAN and make sure your configuration is correct.
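
To confirm what the AP actually advertises, this added example (not part of the original guide) parses the tagged parameters of a captured beacon for the Roaming Consortium and Interworking elements, and encodes the guide's MCC/MNC pairs as the PLMN bytes carried in the ANQP 3GPP Cellular Network element. The sample bytes are constructed and the function names are illustrative.

```python
ORION_RCOI = bytes.fromhex("F4F5E8F5F4")  # Organization ID from this guide
# Constructed sample: SSID "Orion", Interworking (0x12), Roaming Consortium.
SAMPLE_TAGGED = bytes.fromhex("00054f72696f6e" "6b0112" "6f070005f4f5e8f5f4")


def elements(tagged):
    """Yield (element_id, body) for each complete information element."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:
            return  # truncated element: stop rather than misparse
        yield eid, body
        pos += 2 + length


def roaming_consortium_ois(tagged):
    """OIs from Roaming Consortium elements (ID 111)."""
    ois = []
    for eid, body in elements(tagged):
        if eid != 111 or len(body) < 2:
            continue
        # body[0] = number of extra ANQP OIs; body[1] = OI #1/#2 lengths (nibbles)
        len1, len2 = body[1] & 0x0F, body[1] >> 4
        rest = body[2:]
        for n in (len1, len2, len(rest) - len1 - len2):  # OI #3 is the remainder
            if 0 < n <= len(rest):
                ois.append(rest[:n])
                rest = rest[n:]
    return ois


def interworking(tagged):
    """(access network type, internet flag) from the Interworking element (ID 107)."""
    for eid, body in elements(tagged):
        if eid == 107 and body:
            # type 2 = chargeable public network; bit 4 = Internet access
            return body[0] & 0x0F, bool(body[0] & 0x10)
    return None


def encode_plmn(mcc, mnc):
    """BCD PLMN bytes for one MCC/MNC pair (a 2-digit MNC is padded with 0xF)."""
    mnc3 = int(mnc[2]) if len(mnc) == 3 else 0xF
    return bytes([int(mcc[1]) << 4 | int(mcc[0]),
                  mnc3 << 4 | int(mcc[2]),
                  int(mnc[1]) << 4 | int(mnc[0])])
```

If `ORION_RCOI` is missing from `roaming_consortium_ois()` for your own capture, recheck the Organization ID in the Hotspot 2.0 profile and that the profile is attached to the SSID.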

 

RADIUS service

If the IP addresses, ports, or secrets used for the primary and secondary servers are wrong, the RADIUS server can’t be contacted.  In this situation, radsecproxy logs can’t be generated, because traffic isn’t passing between your UniFi equipment and radsecproxy.

If no new logs are coming in, it means the SSID isn’t passing traffic to radsecproxy. If this is the case, you should check the RADIUS configuration.

 

Review Configure a secure RADIUS connection and make sure your configuration is correct.
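
To test the host, port and shared secret independently of the APs, this added example (not part of the original guide or of Orion's tooling) sends one RADIUS Status-Server request (RFC 5997) to the proxy and verifies the Response Authenticator of the reply. It assumes the proxy answers Status-Server and accepts the probing machine as a RADIUS client; the function names are illustrative.

```python
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12          # RFC 5997 request code
MESSAGE_AUTHENTICATOR = 80  # attribute type, always 18 bytes long


def build_status_server(secret, ident=1, authenticator=None):
    """Status-Server request signed with an HMAC-MD5 Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    header = struct.pack("!BBH", STATUS_SERVER, ident, 38) + authenticator
    attr = bytes([MESSAGE_AUTHENTICATOR, 18])
    # The HMAC is computed with the 16-byte attribute value zeroed.
    mac = hmac.new(secret, header + attr + bytes(16), hashlib.md5).digest()
    return header + attr + mac


def reply_is_authentic(reply, request, secret):
    """Response Authenticator = MD5(code, id, length, request auth, attrs, secret)."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    digest = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret)
    return hmac.compare_digest(digest.digest(), reply[4:20])


def probe(host, port=1812, secret=b"radsec", timeout=3.0):
    """Send one Status-Server to the proxy and classify the outcome."""
    request = build_status_server(secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout, ICMP unreachable, or bad address
            return "no reply: check host, port, firewall, client list and secret"
    if not reply_is_authentic(reply, request, secret):
        return "reply failed the authenticator check: shared secret mismatch"
    return "ok: proxy answered with RADIUS code %d" % reply[0]


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1812))
```

Run it from a machine on the same network segment as the APs, once against port 1812 and once against 1813, so that the result reflects the path the APs use.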



 
