WayFi Setup Guide for Cambium cnMaestro

Cambium Networks

Overview

This guide provides step-by-step instructions to integrate WayFi Wireless with Cambium Enterprise Wi-Fi Access Points (APs). Cambium does not natively support RADIUS over TLS (RadSec), so a RadSec proxy is required to securely relay AAA traffic between the Cambium APs and WayFi’s RadSec servers.

WayFi’s RadSec Authentication Servers:

• Primary Server: IP: 24.144.66.102, Port: 2083

• Secondary Server: IP: 178.128.133.4, Port: 2083

Prerequisites

1. cnMaestro Access: Admin access to Cambium's cnMaestro cloud or on-premises controller.

2. Ubuntu VM: A Linux VM to host the RadSec proxy.

3. RadSec Certificate Bundle:

   • wayfi.radsec.cacert.pem: CA Certificate

   • cert.pem: Client Certificate

   • key.pem: Private Key

4. Docker Installed: Ensure Docker is installed on the Ubuntu VM.

Steps to Configure

Step 1: Deploy the RadSec Proxy

WayFi can provide a radsec proxy docker instance for you. Just ask.

1. Set Up the Ubuntu VM:

   • Create a VM with Docker installed.

   • Assign a static IP address to the VM.

2. Obtain WayFi Certificates:

   • Download the RadSec certificate bundle from WayFi support.

   • Extract the files: cert.pem, key.pem, and wayfi.radsec.cacert.pem.

3. Deploy and Configure RadSec Proxy:

   • Deploy the RadSec proxy on the Ubuntu VM.

   • Configure the proxy to route RADIUS traffic to WayFi’s servers (24.144.66.102 and 178.128.133.4).

   • Verify the proxy is running and listening on ports 1812 (authentication) and 1813 (accounting).

Step 2: Configure a Wireless LAN (WLAN) in cnMaestro

1. Create a WLAN:

   • Navigate to Configuration > WLANs and AP Groups > WLANs.

   • Click Create WLAN.

2. General Settings:

1. SSID: Enter .WayFi Cellular Booster

2. Broadcast SSID: Enable.

3. Activate on Radio: Enable for 2.4GHz and 5GHz only.

3. Security Settings:

   • Security: Set to WPA2 Enterprise (802.1X).

   • For RADIUS Authentication Server:

• Server IP: Enter the static IP of the VM hosting the RadSec proxy.

• Auth Port: 1812.

• Shared Secret: Enter radsec.

• For RADIUS Accounting Server:

• Server IP: Same as above.

• Accounting Port: 1813.

• Shared Secret: Enter radsec.

3. NAS ID Configuration:

   • Navigate to Advanced Settings in the WLAN configuration.

   • NAS ID:

     • Set the NAS ID to the MAC address of the AP managing the site (e.g., AA-BB-CC-DD-EE-FF). All upper, - delineated.

     • This ensures accurate identification in WayFi’s system.

3. Save and Deploy:

   • Save the WLAN configuration and deploy it to the AP group.

Step 3: Enable Hotspot 2.0 (Passpoint)

1. Enable Hotspot 2.0 (Passpoint):

   • Navigate to Configuration > WLANs and AP Groups > WLANs.

   • Edit the WayFi WLAN.

   • Enable Hotspot 2.0 under Passpoint Settings.

Step 4: Assign WLAN to AP Group

1. Navigate to Configuration > WLANs and AP Groups.

2. Click + New AP Group and assign the WayFi WLAN to the group.

3. Attach the AP group to your Enterprise Wi-Fi APs:

   • Go to Manage > Specific Device > Configuration.

   • Select the new AP group from the dropdown.

4. Save and deploy the configuration.

Step 5: Upgrade AP Firmware

1. Navigate to Manage > Access Points in cnMaestro.

2. Select the APs and initiate the firmware upgrade.

3. Ensure the APs are running the latest firmware that supports Hotspot 2.0.

Additional Recommendations

1. Network and Client Isolation:

   • Enable isolation to prevent clients from communicating directly with each other.

2. Disable Multicast Traffic:

   • Minimize unnecessary network overhead.

3. Disable 6GHz Band:

   • Enable only 2.4GHz and 5GHz bands for compatibility.

Validation

1. Confirm Configuration:

   • Verify that all settings in cnMaestro match the required configuration.

2. Broadcast SSID:

   • Ensure the WayFi SSID is active and broadcasting.

3. Test Connectivity:

   • Use a Passpoint-enabled device to confirm seamless connectivity.

4. Check RadSec Proxy Logs:

   • Monitor the proxy logs to confirm successful RADIUS communication.

Troubleshooting

RadSec Proxy Issues

• Verify the proxy is running and listening on ports 1812 and 1813.

• Check the proxy logs for connection errors.

Authentication Errors

• Ensure the NAS ID matches the MAC address of one of the AP's at the location.

• Confirm the RADIUS settings (IP, port, shared secret).

Hotspot 2.0 Configuration

• Verify domains, RCOI, and 3GPP PLMNIDs are correctly configured.

By following this guide, your Cambium Enterprise APs will be fully integrated with WayFi’s secure RadSec and Hotspot 2.0 network. For additional assistance, contact WayFi Support.

1. Passpoint Settings:

   • Access Network Type: Chargeable Public.

   • Venue Group: Choose an appropriate venue group (e.g., Shopping Mall).

   • Venue Type: Select an appropriate venue type (e.g., Business).

   • Domain Name:

     • Add the following domains:

       1. wayru.io

       2. hellohelium.com

       3. freedomfi.com

       4. openroaming.org

       5. apple.openroaming.net

       6. google.openroaming.net

       7. ciscooneid.openroaming.net

       8. samsung.openroaming.net

1. Roaming Consortium OI (RCOI):

   • Add the following values:

     • 8c1f646810

     • f4f5e8f5f4

     • baa2d00000

     • 00500f

     • 5a03ba0000

     • 004096

1. 3GPP PLMNIDs:

   • Add the following MCC/MNC values:

     • 311,180

     • 313,100

     • 310,280

     • 310,410

     • 310,150