Generic Technical Onboarding for Carrier Offload on WayFi Wireless | Step-by-Step Guide

Learn how to configure RadSec and RADIUS settings for WayFi networks, including certificate setup, RadSecproxy deployment, and Hotspot 2.0 configuration. Follow this comprehensive guide to get your wireless controller RadSec-ready.


WayFi Wireless

1/28/2025 | 3 min read

An illustrated network setup with wireless controllers, certificates, and RadSec configuration steps

RadSec / RADIUS Settings for WayFi: Complete Configuration Guide

Configuring RadSec (RADIUS over TLS) for your WayFi wireless network can enhance security and streamline connectivity for users. This guide provides detailed, step-by-step instructions to ensure your wireless network is set up correctly, whether your wireless controller supports RadSec natively or requires additional configuration.

Determine RadSec Support

The first step in setting up RadSec for your WayFi network is determining whether your wireless controller supports RADIUS over TLS (RadSec). Here’s how to verify:

  1. Check Controller Documentation: Review your wireless controller’s user manual or official documentation for any mention of TLS or RadSec support in the RADIUS settings.

  2. Inspect Settings: Access your controller’s settings interface and look for options like "TLS" or "RadSec." If found, your controller supports RadSec.

If your controller supports RadSec, proceed to the next section. If it doesn’t, skip to the "My Wireless Controller DOES NOT Support RadSec" section.

My Wireless Controller DOES Support RadSec

Obtain Your RadSec Certificates

RadSec requires certificates for authentication. Follow these steps to acquire them:

  1. Open a Ticket: Submit a request on the WayFi Discord or contact your assigned representative.

  2. Register NASIDs: Ensure the NASID (Network Access Server Identifier) for each location is registered in advance.

Once you receive the certificates, continue with configuration.

Configure RadSec in Your Wireless Controller

Use the following steps to integrate the RadSec certificates and configure RADIUS settings for your WayFi SSID:

Upload Certificates

Upload or paste the contents of the provided certificates into the designated fields on your wireless controller:

  • CA Certificate: wayfi.radsec.cacert.pem

  • Client Certificate: cert.pem

  • Client Private Key: key.pem

Set RADIUS Settings

For both Authentication and Accounting, apply the following settings:

  • Primary Server IP: 24.144.66.102

  • Primary Server Port: 2083

  • Shared Secret: radsec

  • RadSec Server Name (if needed): radius.wayfiwireless.com

  • Backup Server IP: 178.128.133.4

  • Backup Server Port: 2083

  • Shared Secret: radsec

  • RadSec Server Name (if needed): radius2.wayfiwireless.com

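Save and apply the settings. Your controller is now ready to use RadSec. Note that radsec is the fixed, publicly known shared secret that RFC 6614 specifies for RADIUS over TLS, so the connection is authenticated by the certificates rather than by the secret; treat key.pem as the credential to protect.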
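Before uploading the three files, you can confirm offline that they belong together. The script below is an added example, not WayFi tooling; it assumes the openssl command-line tool is installed, and the 30-day expiry threshold and the file-permission rule are assumptions chosen for illustration.

```shell
#!/bin/sh
# Offline pre-flight for RadSec credential files (added example, not WayFi tooling).
# Expected files (names from this guide): wayfi.radsec.cacert.pem cert.pem key.pem

# True when the private key ($2) belongs to the client certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the client certificate ($2) verifies against the CA file ($1).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when the certificate ($1) is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True when group and others have no permissions on the key file ($1).
key_is_private() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Run every check; print "ok" or the first failure. Args: CA, cert, key.
# The 30-day threshold is an assumption, not a WayFi requirement.
preflight() {
    key_matches_cert "$2" "$3" || { echo "key does not match certificate"; return 1; }
    chains_to_ca "$1" "$2"     || { echo "certificate does not chain to CA"; return 1; }
    valid_for_days "$2" 30     || { echo "certificate expires within 30 days"; return 1; }
    key_is_private "$3"        || { echo "key file readable by group/others"; return 1; }
    echo ok
}

# Usage: sh preflight.sh wayfi.radsec.cacert.pem cert.pem key.pem
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```
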

My Wireless Controller DOES NOT Support RadSec

If your wireless controller lacks RadSec support, WayFi offers a solution.

Obtain a Custom RadSecproxy Instance

Contact WayFi support to request a free custom RadSecproxy instance. This proxy acts as an intermediary: it accepts plain RADIUS from controllers that don’t natively support RadSec and forwards it over RadSec.

Download and Deploy RadSecproxy

  1. Download the Proxy: Access and download the RadSecproxy from its official repository.

  2. Configure the Proxy: Follow the instructions in the README documentation to set up RadSecproxy as an intermediary.

  3. Apply RADIUS Settings: Update your WayFi SSID to point to the proxy:

    • Authentication Server IP: (Your RadSecproxy IP)

    • Authentication Server Port: 1812

    • Accounting Server IP: (Your RadSecproxy IP)

    • Accounting Server Port: 1813

    • Shared Secret: radsec

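With these steps complete, your RadSecproxy is fully configured. The controller-to-proxy leg on ports 1812 and 1813 is plain RADIUS over UDP, and only the proxy's upstream connection is protected by TLS, so keep the controller and the proxy on a network segment you control.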

SSID / WiFi Name

For optimal performance, it’s recommended to use the SSID ".WayFi Cellular Booster" (including the leading dot). While you can use any name, this SSID ensures faster device approval and connection times.

Hotspot 2.0 (Passpoint) Configuration

Enable Hotspot 2.0 for your WayFi SSID to simplify roaming and enhance connectivity. Use the following settings:

Network Type

Set the network type to Chargeable Public.

Domains

Configure these domains for roaming:

NAI Realms

Set the following NAI Realms with Certificate, EAP-TTLS:

Roaming Consortium OI (RCOI)

Add these values for roaming support:

  • 8c1f646810

  • f4f5e8f5f4

  • baa2d00000

  • 00500f

  • 5a03ba0000

  • 004096

3GPP PLMNID (MCC,MNC)

Specify the following MCC (Mobile Country Code) and MNC (Mobile Network Code) combinations in order of priority. If your controller limits the number of entries, convert them to wlan.mncXXX.mccXXX.3gppnetwork.org format:

  • 311,180

  • 313,100

  • 310,280

  • 310,410

  • 310,150
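The conversion to realm format can be scripted so that a mistyped entry is caught before it reaches the controller. This is an added example, not part of the original guide; it also left-pads 2-digit MNCs to three digits as the 3GPP realm format requires, which goes beyond the five entries above (all of which already have 3-digit MNCs).

```shell
#!/bin/sh
# Convert "MCC,MNC" pairs to 3GPP realm names, keeping priority order (added example).

# Print the realm for one "MCC,MNC" pair; return 1 on malformed input.
plmn_to_realm() {
    case $1 in *,*) ;; *) return 1 ;; esac      # a comma separator is required
    mcc=${1%%,*}
    mnc=${1#*,}
    case $mcc in [0-9][0-9][0-9]) ;; *) return 1 ;; esac
    case $mnc in
        [0-9][0-9])      mnc=0$mnc ;;           # 2-digit MNC is left-padded to 3 digits
        [0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf 'wlan.mnc%s.mcc%s.3gppnetwork.org\n' "$mnc" "$mcc"
}

# Convert a priority-ordered list; skip duplicates, fail on the first bad entry.
realm_list() {
    seen=""
    for pair in "$@"; do
        realm=$(plmn_to_realm "$pair") || { echo "invalid PLMN: $pair" >&2; return 1; }
        case " $seen " in *" $realm "*) continue ;; esac
        seen="$seen $realm"
        echo "$realm"
    done
}

# The five pairs from this guide, in the order given.
realm_list 311,180 313,100 310,280 310,410 310,150
```
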

NAS Identifier

For optimal network management and security, set the NASID of your Access Points (APs) to match the MAC address of one AP at the location. This approach minimizes trackable entities and simplifies administration.

If your platform doesn’t support this configuration, contact WayFi support for assistance.

Interim-Update Interval

Set the Accounting Interim-Update Interval to a minimum of 5 minutes (300 seconds). This ensures timely updates on session accounting.

Chargeable User Identity (CUI)

Enable the Chargeable-User-Identity (CUI) attribute in your RADIUS Authentication and Accounting packets. Check your vendor’s documentation for specific steps to activate this feature.

Final Steps

Once all configurations are complete, your AP should begin broadcasting the new WayFi SSID. Set up a test device to verify connectivity and confirm that the network is functioning as intended.

Frequently Asked Questions (FAQs)

1. What is RadSec, and why is it important?

RadSec (RADIUS over TLS) provides encrypted communication for RADIUS authentication and accounting, ensuring data security and privacy.

2. How do I know if my wireless controller supports RadSec?

Check your wireless controller’s documentation or look for TLS or RadSec options in its RADIUS settings.

3. What if my controller doesn’t support RadSec?

You can deploy a custom RadSecproxy provided by WayFi to enable RadSec functionality.

4. Why should I use the .WayFi Cellular Booster SSID?

Using this SSID speeds up device approval and ensures seamless connectivity.

5. What is Hotspot 2.0, and why should I enable it?

Hotspot 2.0 simplifies roaming and connectivity by allowing devices to connect to WiFi networks without manual intervention.

6. What is a NAS Identifier, and why is it necessary?

The NASID helps identify network access servers and minimizes trackable entities, improving privacy and administrative efficiency.

With this comprehensive guide, your WayFi network will be secure, efficient, and ready for seamless connectivity. For additional support, reach out to WayFi representatives or visit the official WayFi Discord.