Juniper Mist OpenRoaming with RadSec

In this article we will demonstrate how to configure Juniper Mist for the seamless and secure OpenRoaming connection using RadSec (Radius over TLS)

Prerequisites

  1. Access to the Mist Dashboard as a user with administrative privileges.
  2. Access to the IronWiFi Management Console - Sign in or Open Account
  3. RadSec enabled on your Network as detailed here (you will need to download the certificate bundle)
  4. OpenRoaming profile installed on your device(s) - see here for the Passpoint installation information. The OpenRoaming profile can be generated by visiting the  OSU Page here

Log In to Mist Cloud as the user with Admin privileges

Go to Organization > Settings

In the Mist Certificate section, click Add a RadSec certificate and add the Root CA and Intermediate CA to the RadSec Certificates:

Next, click on Add AP RadSec certificate and copy and paste into the relevant windows your RadSec certificate and the key (open the certificate and key in the text editor), click Save:

Go to Site > WLANs

Create new WLAN, set security type to WPA2 / Enterprise

 

Set Passpoint to enabled, configure operators - add AT&T and Google, set Venue Name, open Advanced Settings and enter ironwifi.net, apple.openroaming.net, google.openroaming.net, operoming.org, ciscooneid.openroaming.net as Domain Name and add AA146B0000, BAA2D00000, 5A03BA0000 as Roaming Consortium ID, finally in the NAI Realm add 1.ironwifi.net and set EAP Type to AKA, add 2.ironwifi.net and set EAP Type to TTLS.

 

In Authentication Servers select RadSec and add radsec.ironwifi.com as Server Name.

Click Add Server and add your RadSec server IP. You can also add secondary RadSec server IP for redundancy. Use meaningful string for NAS Identifier.

Click on Save in the upper right corner and test connectivity after the SSID appears on your list.