WayFi Setup Guide: Aruba Wireless LAN Controller Configuration

Learn how to configure your Aruba Wireless LAN Controller to integrate seamlessly with WayFi’s RADIUS over TLS (RadSec) and Hotspot 2.0 (Passpoint) network. This step-by-step guide ensures secure and smooth connectivity for your wireless environment.

Build Aruba WayFi Passpoint SSID

The following steps will configure your Aruba Mobility Controller and AP to broadcast an SSID with the required Passpoint and RADIUS configuration to support WayFi Wireless offload.

To start, log in to your Mobility Controller GUI in your browser. This will be our starting point for all steps below.

In the following instructions, only mandatory fields are listed. All other values not mentioned should be left at default.

Deploy RadSec Proxy

You must install a RadSec Proxy to forward RADIUS traffic (1812/1813) securely to WayFi’s RadSec servers (port 2083).

Set up the RadSec Proxy VM:

• Deploy a Linux VM with a static IP address

• Install Docker

• Obtain the certificate bundle from WayFi Support:

  • cert.pem

  • key.pem

  • wayfi.radsec.cacert.pem

• Run the WayFi RadSec Proxy container, configured to:

  • Listen on ports 1812/1813

  • Forward RADIUS to:

    • 24.144.66.102:2083 (Primary)

    • 178.128.133.4:2083 (Secondary)

Once your proxy is live, proceed with Aruba configuration.

Build RADIUS Authentication Servers

1. Click on Configuration, then Authentication in the left menu column.

2. Click the + in the All Servers box to add a server.

3. Enter:

   • Name: WayFi-Proxy-1

   • Type: RADIUS

   • IP Address: Static IP of the RadSec Proxy VM

4. Click Submit

5. Click on the server name in the table to configure details:

   • Auth Port: 1812

   • Acct Port: 1813

   • Shared Key: radsec

   • NAS-ID: MAC address of the AP, in format AA-BB-CC-DD-EE-FF

6. Click Submit

7. Click Pending Changes (top right), then Deploy Changes

Note: Redundancy is good. If you deploy two RadSec proxy containers on separate hosts, repeat the above steps for a second server named WayFi-Proxy-2.

Build WLAN

1. Click the arrow next to Mobility Controller (top-left), and select the controller you want to configure.

2. Click Configuration > WLAN in the left menu.

3. Click the + in the bottom-left to add a new WLAN.

4. Enter:

   • SSID Name: .WayFi Cellular Booster

   • Broadcast on AP Group: All APs

   • Forwarding Mode: Tunnel (or Bridge, based on your needs)

5. Click Next

   • VLAN: LAN (or your VLAN of choice)

6. Click Next

   • Key Management: WPA2-Enterprise

   • Auth Servers: Click + and select WayFi-Proxy-1 (and WayFi-Proxy-2, if available)

7. Click Next

   • Default Role: allow-all

8. Click Finish

Link AAA Profile for RADIUS Accounting Server Group

1. Go to Configuration > Authentication

2. Click on AAA Profiles in the top menu

3. Click the + next to AAA, then the + next to WayFi_AAA_Prof

4. Under RADIUS Accounting Server Group, select WayFi-Proxy-1

5. Click Submit, then Pending Changes > Deploy Changes

Build ANQP Profile

Domain Name

1. Go to Configuration > System

2. Click Profiles in the top menu

3. Click the + next to Wireless LAN, scroll to ANQP Domain Name

4. Click the + on the right side

5. Enter:

   • Profile Name: WayFi_Domain

   • Domain Names:

     • wayru.io

     • hellohelium.com

     • freedomfi.com

     • openroaming.org

     • apple.openroaming.net

     • google.openroaming.net

     • ciscooneid.openroaming.net

     • samsung.openroaming.net

6. Click Submit, then Pending Changes > Deploy Changes

NAI Realm

1. Scroll to ANQP NAI Realm, click +

2. Enter:

   • Profile Name: WayFi_Realm

   • Realm 1: hellohelium.com — EAP Method: EAP-TTLS — Credential Type: Certificate

   • Realm 2: freedomfi.com — EAP-TTLS

   • Realm 3: wayru.io — EAP-TTLS

3. Click Submit, then Pending Changes > Deploy Changes

Roaming Consortium OI (RCOI)

1. Scroll to ANQP Roaming Consortium, click +

2. Enter:

   • Profile Name: WayFi_RCOI

   • OI Values:

     • f4f5e8f5f4

     • baa2d00000

     • 00500f

     • 5a03ba0000

     • 004096

3. Click Submit, then Pending Changes > Deploy Changes

3GPP PLMNIDs

1. Scroll to ANQP 3GPP Cell Network, click +

2. Enter:

   • Profile Name: WayFi_3GPP

   • MCC/MNCs:

     • 311,180

     • 313,100

     • 310,280

     • 310,410

     • 310,150

3. Click Submit, then Pending Changes > Deploy Changes

Build Advertisement Profile

1. Scroll to Advertisement Profile, click +

2. Enter:

   • Profile Name: WayFi_Adv_Prof

3. Click Submit, then Pending Changes > Deploy Changes

Link ANQP Profiles to Advertisement Profile

1. Go to Wireless LAN > Advertisement, click +

2. Click the + next to WayFi_Adv_Prof

3. One-by-one, assign:

   • ANQP Domain Name → WayFi_Domain

   • ANQP NAI Realm → WayFi_Realm

   • ANQP Roaming Consortium → WayFi_RCOI

   • ANQP 3GPP → WayFi_3GPP

4. Click OK

5. Click Submit, then Pending Changes > Deploy Changes

Important: Add each parameter individually and deploy after each step.

Build Hotspot 2.0 Profile

1. Go to Wireless LAN > Hotspot 2.0, click +

2. Enter:

   • Profile Name: WayFi_HS20

   • Advertise Hotspot 2.0 Capability: Enabled

   • Access Network Type: Public chargeable

   • Venue Group: Assembly

   • Venue Type: Assembly-Restaurant

   • RADIUS Chargeable User Identity (RFC4372): Enabled

   • RADIUS Location Data (RFC5580): Enabled

3. Click Submit, then Pending Changes > Deploy Changes

Link Advertisement Profile to Hotspot 2.0 Profile

1. Go to Hotspot 2.0, click the + next to WayFi_HS20

2. Click on Advertisement

3. Select WayFi_Adv_Prof from the dropdown

4. Click Submit, then Pending Changes > Deploy Changes

Link Hotspot 2.0 Profile to Virtual AP

1. Go to Wireless LAN > Virtual AP, click +

2. Click the + next to your VAP profile (e.g., WayFi_VAP)

3. Click on Hotspot 2.0

4. Select WayFi_HS20 from the dropdown

5. Click Submit, then Pending Changes > Deploy Changes

.

Additional Settings

1. Interim Update Interval:

   • Navigate to Configuration > Accounting and set it to 300 seconds.

2. Chargeable User Identity (CUI):

   • Navigate to your RADIUS settings and enable Chargeable-User-Identity (CUI).

Troubleshooting

1. Verify RADIUS settings, NAS IDs, and certificates.

2. Confirm that your AP is broadcasting the .WayFi Cellular Booster SSID.

3. Test connectivity with Passpoint-enabled devices.

4. Check logs for RADIUS or Hotspot 2.0 errors.

By completing this guide, your Aruba Wireless LAN Controller will be fully integrated with WayFi, offering secure and seamless connectivity for your network.

FAQs

1. What is RadSec?
RadSec (RADIUS over TLS) is a secure protocol for encrypted network authentication.

2. What version of ArubaOS is required?
ArubaOS 6.4.x or later is required for RadSec and Hotspot 2.0 compatibility.

3. How do I obtain WayFi certificates?
Contact WayFi support to request the RadSec certificate bundle.

4. Why assign profiles for Hotspot 2.0?
Profiles like Domain Name, NAI Realm, and Roaming Consortium enable advanced Passpoint functionality.

5. Can I use the 6GHz band with WayFi?
Passpoint is optimized for 2.4GHz and 5GHz bands.

6. How do I troubleshoot RadSec issues?
Check RADIUS server configurations, NAS-ID settings, and logs for errors.