Ruckus One Carrier Offload Configuration Guide for OpenRoaming and Passpoint for WayFi Wireless

Ruckus One Configuration Guide for WayFi Wireless Offload

This article walks you through configuring a Hotspot 2.0 (Passpoint) SSID on Ruckus One for use with the WayFi Wireless roaming and carrier offload network. This includes identity provider setup, proxy RADIUS configuration, and advanced wireless and network control settings.

⚠️ Important: RadSec Support on Ruckus One

Ruckus One does not support RadSec (RADIUS over TLS) natively.

To ensure secure RADIUS communication, you must use a RADIUS proxy:

• Option A: WayFi hosts the RadSecproxy for you (recommended)

• Option B: You self-host the proxy using WayFi’s guidance

Your controller will use regular RADIUS (ports 1812 and 1813) to talk to the proxy, which forwards requests securely via RadSec to WayFi’s infrastructure.

Getting Started

Before you begin, make sure you have:

• Access to your Ruckus One cloud dashboard

• The MAC address of one access point at the site (used as NAS ID)

• Proxy IPs and shared secret provided by WayFi (or your own deployment

• A list of required realms, domains, PLMNs, and OIs from WayFi

Step 1: Create the SSID

• Go to Wi-Fi Networks

• Click Add Network

• Enable Hotspot 2.0

• Set the SSID to .WayFi Cellular Booster

Step 2: Configure Hotspot 2.0 Operator

Click Add next to Wi-Fi Operator, then enter:

• Profile Name: WayFi

• Domain:

  • *wayfiwireless.com

• Operator Friendly Name:

  • Language: English

  • Friendly Name: WAYFIWIRELESS

Click Add to save.

Step 3: Configure Hotspot 2.0 Identity Provider

Click Add next to Identity Provider, then complete the following sections:

Network Identifier

• Profile Name: WAYFIWIRELESS

NAI Realms with EAP-TTLS

Add each of the following realms and configure them with EAP-TTLS:

• *wayru.io

• *hellohelium.com

• *freedomfi.com

NAI Realms for discovery only

Add the following realms without any EAP methods configured:

• openroaming.org

• apple.openroaming.net

• google.openroaming.net

• ciscooneid.openroaming.net

• samsung.openroaming.net

Add PLMN IDs

Click Add PLMN and enter each MCC/MNC combination:

• 311 / 180

• 313 / 100

• 310 / 280

• 310 / 410

• 310 / 150

Add Roaming Consortium OIs

Click Add OI and enter:

• 8c1f646810

• f4f5e8f5f4

• baa2d00000

• 00500f

• 5a03ba0000

• 004096

AAA Settings

Authentication Server

• Profile Name: WayFi Proxy Auth

• IP Address: (Provided by WayFi or your proxy)

• Port: 1812

• Shared Secret: radsec

Accounting Server

• Profile Name: WayFi Proxy Accounting

• IP Address: (Provided by WayFi or your proxy)

• Port: 1813

• Shared Secret: radsec

Click Next, then Add to complete the identity provider setup.

Step 4: VLAN Tab

• VLAN Pooling: Disabled

• VLAN ID: 1 (or your assigned VLAN)

• Proxy ARP: Enabled

Step 5: Hotspot 2.0 Tab

• Accounting Interim Updates: 5 minutes

• Internet Access: Enabled

• Access Network Type: Chargeable Public

• IPv4 Address Type: Port-restricted address & single NATed address (Choose what is most accurate for the given location/venue)

Step 6: Network Control Tab

• DNS Proxy: Disabled

• Wi-Fi Calling: Disabled

• Client Isolation: Enabled

• Isolate Packets: Unicast

• VRRP/HSRP Support: Disabled

• Client Isolation Allowlist by Venue: Disabled

• Anti-spoofing: Enabled

  • ARP Request Rate Limit: 15 ppm

  • DHCP Request Rate Limit: 15 ppm

• Application Recognition & Control: Enabled

• External Syslog Logging: Optional

Step 7: Radio Tab

• Hide SSID: Disabled

• Max Clients per Radio: 100

• Load Balancing Between Radios: Enabled

• Load Balancing Between APs: Enabled

• BSS Min Rate (2.4 & 5 GHz): 12 Mbps

• OFDM Only (Disable 802.11b): Enabled

Step 8: Networking Tab

• Agile Multiband (AMB): Enabled

• 802.11k Neighbor Reports: Enabled

• 802.11d: Enabled

• 802.11r Fast BSS Transition: Enabled

  • Mobility Domain ID: 1

• Airtime Decongestion: Optional (Recommended)

• OCE: Optional (Recommended)

Step 9: Advanced Tab

Transient Client Management

• Enabled

  • Join Wait Time: 30 seconds

  • Join Expire Time: 300 seconds

  • Join Wait Threshold: 10 clients

Optimized Connectivity Experience (OCE)

• Enabled

  • Broadcast Probe Response Delay: 15 ms

  • Association Rejection Threshold: -75 dBm

Additional Options

• GTK Rekey: Enabled

• Multicast Filter: Enabled

• Multicast Rate Limiting: Disabled (Auto disabled with Multicast Filter being Enabled)

• AP Host Name in Beacon: Disabled

• Wi-Fi 6/7: Enabled

• Multi-Link Operation (MLO): Disabled (Client devices don't support this feature well yet)

• BSS Priority: High

• DTIM Interval: 3 (set in advanced radio settings if exposed) (Highly recommended due to iOS/MacOS issues)

Step 10: RADIUS Options

• NAS ID Mode: User-defined

• Custom NAS ID: Use lowercase MAC address of one AP (e.g., aabbccddeeff)

• NAS Request Timeout: 20 seconds

• NAS Max Retries: 3

• NAS Reconnect Primary: 5 minutes

• Called Station ID: WLAN BSSID

Final Notes

Your network is now fully configured for WayFi Wireless offload with Hotspot 2.0, EAP-TTLS support, OpenRoaming realms, and secure RADIUS integration via proxy.

Need Help?

WayFi Wireless can:

• Host and manage your RADIUS proxy

• Assist you with your own proxy setup

• Review your Ruckus configuration

Introduction to Ruckus One Configuration

Configuring a hotspot 2.0 (Passpoint) SSID on Ruckus One can significantly enhance your wireless service management, especially when integrating with the Wayfi wireless roaming and carrier offload network. This guide will walk you through the necessary steps to ensure a seamless setup, covering key components such as identity provider setup, proxy radius configuration, and advanced options for wireless and network control.