Back to Blog
Setup Guide March 2, 2026 7 min read

Cambium Networks RADIUS Setup Guide: Configure IronWiFi with cnMaestro

Learn how to configure WPA2-Enterprise 802.1X authentication on Cambium Networks access points using IronWiFi Cloud RADIUS and the cnMaestro cloud controller. This guide covers RADIUS server setup, WLAN profile configuration, AP group deployment, and troubleshooting.

To set up RADIUS for Cambium Networks, create a Cloud RADIUS profile in IronWiFi with your authentication sources, then in cnMaestro create a WLAN profile with WPA2-Enterprise security pointing to the IronWiFi RADIUS server IP on port 1812 with the shared secret. Assign the WLAN profile to your AP group and sync. The Cambium APs forward 802.1X authentication requests directly to IronWiFi, which validates credentials and returns accept or reject decisions.

Cambium Networks offers a range of enterprise Wi-Fi access points managed through the cnMaestro cloud controller. Whether you deploy cnPilot e-series or the newer XV and XE series APs, integrating an external RADIUS server enables enterprise-grade 802.1X authentication. This guide walks through connecting Cambium wireless to IronWiFi Cloud RADIUS for secure network access control.

Why Use RADIUS with Cambium Networks?

RADIUS authentication on Cambium APs provides:

  • Individual user credentials - Every person authenticates with their own identity
  • Certificate-based authentication - Deploy EAP-TLS for passwordless device authentication
  • Dynamic VLAN assignment - Segment users into VLANs based on role or device type
  • Centralized access control - Manage WiFi access from the IronWiFi console
  • Audit trails - Full visibility into who connected, when, and from where
  • Identity provider integration - Authenticate against Azure AD, Google Workspace, Okta, or LDAP

Prerequisites

  • cnMaestro access - Admin credentials for cnMaestro cloud or on-premises controller
  • Cambium APs - cnPilot, XV, or XE series access points managed by cnMaestro
  • IronWiFi account - Sign up for a free trial if you do not have one
  • Firewall access - Allow outbound UDP on ports 1812 and 1813 from your AP subnet to IronWiFi server IPs
  • A test client device - Laptop or phone that supports WPA2-Enterprise

AP-Direct RADIUS Communication

Unlike some vendors where a controller proxies RADIUS requests, Cambium APs communicate directly with the RADIUS server. This means each AP's public IP (or NAT gateway IP) must be registered as an authorized client in IronWiFi.

Step 1: Create a RADIUS Profile in IronWiFi

  1. Log into the IronWiFi Console at console.ironwifi.io and navigate to Networks.
  2. Create a new Network by clicking Add Network. Name it descriptively (e.g., "Cambium Corporate WiFi").
  3. Note the RADIUS server details:
    • Primary server: 35.174.127.31
    • Secondary server: 44.199.225.113
    • Authentication port: 1812
    • Accounting port: 1813
    • Shared secret: YOUR_SHARED_SECRET
  4. Add your AP source IPs as authorized clients. Since Cambium APs communicate directly with the RADIUS server, add the public IP or NAT gateway IP for each AP site.
  5. Configure authentication sources - Connect Azure AD, Google Workspace, Okta, or create local user accounts.

Step 2: Configure RADIUS in cnMaestro

  1. Log into cnMaestro and navigate to Configuration > WLAN.
  2. Click Add WLAN (or edit an existing WLAN profile).
  3. Under Security, set the mode to WPA2-Enterprise.
  4. In the RADIUS Server section, enter the primary server details:
    • Server IP: 35.174.127.31
    • Port: 1812
    • Shared Secret: YOUR_SHARED_SECRET
  5. Add a secondary RADIUS server for failover:
    • Server IP: 44.199.225.113
    • Port: 1812
    • Shared Secret: YOUR_SHARED_SECRET
  6. Enable RADIUS Accounting and configure it with the same server IPs on port 1813.

Shared Secret Must Match Exactly

The RADIUS shared secret in cnMaestro must match the secret in IronWiFi character-for-character. A mismatch causes RADIUS packets to be silently dropped with no error on the AP side.

Step 3: Create a WLAN with WPA2-Enterprise

  1. Set the SSID name (e.g., "CorpNet-Secure").
  2. Confirm WPA2-Enterprise is selected as the security mode.
  3. Configure VLAN settings: set a default VLAN and enable dynamic VLAN if you want RADIUS-based VLAN assignment.
  4. Set band selection (2.4 GHz, 5 GHz, or both).
  5. Save the WLAN profile.

Step 4: Deploy to AP Groups

  1. In cnMaestro, navigate to Configuration > AP Groups.
  2. Select the AP group where you want to deploy the enterprise SSID.
  3. Assign the WLAN profile you created to this AP group.
  4. Click Sync to push the configuration to all access points in the group. cnMaestro shows the sync status for each AP.
  5. Wait for all APs to report successful configuration sync before testing.

Dynamic VLAN Assignment

To enable RADIUS-based VLAN assignment, enable the dynamic VLAN option in the WLAN profile. In IronWiFi, configure three RADIUS attributes per user group: Tunnel-Type (64) = VLAN, Tunnel-Medium-Type (65) = IEEE-802, and Tunnel-Private-Group-ID (81) = your VLAN ID. Ensure the VLANs are trunked to the AP switch ports.

Step 5: Test Authentication

  1. On a test device, search for the configured SSID and select it.
  2. Enter the username and password (for PEAP) or select the certificate (for EAP-TLS).
  3. Accept the server certificate prompt on first connection.
  4. Once connected, verify the IP address and VLAN assignment.
  5. Check IronWiFi authentication logs under Logs > Authentication.
  6. In cnMaestro, check Monitor > Clients to verify the client shows as authenticated.

Troubleshooting

RADIUS Timeout (No Response)

  • Firewall rules - Verify UDP ports 1812 and 1813 are open from the AP subnet to the IronWiFi server IPs.
  • Source IP mismatch - Since Cambium APs send RADIUS directly, each AP's public IP must be registered in IronWiFi. If APs are behind NAT, use the NAT gateway IP.
  • Configuration not synced - Check cnMaestro sync status. If the WLAN profile has not been pushed to the APs, they will not have the RADIUS configuration.
  • Wrong server IP - Verify the RADIUS server IP in the WLAN profile matches what IronWiFi provided.

Authentication Rejected

  • Wrong credentials - Verify username and password in IronWiFi. Authentication is case-sensitive.
  • Shared secret mismatch - Re-enter the secret in both cnMaestro and IronWiFi.
  • Disabled account - Check user account status in IronWiFi.
  • EAP method mismatch - Ensure the client is configured for a supported EAP method (PEAP, EAP-TLS, EAP-TTLS).

Check AP Sync Status

After making changes in cnMaestro, always verify that the configuration has been successfully synced to the APs. An out-of-sync AP will not have the updated RADIUS settings, even though cnMaestro shows the correct configuration.

Ready to Secure Your Cambium Network?

Set up Cloud RADIUS with IronWiFi in minutes. No on-premises servers required.

Start Free Trial Schedule a Demo

Trusted by 1,000+ organizations across 108 countries

Frequently Asked Questions

Yes. Cambium cnMaestro supports external RADIUS servers for WPA2-Enterprise authentication. You configure the RADIUS server details within the WLAN profile settings under Configuration > WLAN. cnMaestro pushes the RADIUS configuration to all APs in the assigned AP group.

All current Cambium enterprise Wi-Fi access points support 802.1X with external RADIUS servers, including the XV series (XV2-2, XV3-8), cnPilot e-series (e410, e425H, e430H, e505), and the newer XE series. These APs can be managed through cnMaestro cloud or on-premises controller.

In cnMaestro cloud, navigate to Configuration > WLAN and create or edit a WLAN profile. Set the security mode to WPA2-Enterprise, then enter the IronWiFi RADIUS server IP address (primary and secondary), port 1812, and shared secret. Enable RADIUS accounting on port 1813. Apply the WLAN profile to your AP group to push the configuration.

Yes. Enable dynamic VLAN in the WLAN profile settings on cnMaestro. In IronWiFi, configure Tunnel-Type (64) = VLAN, Tunnel-Medium-Type (65) = IEEE-802, and Tunnel-Private-Group-ID (81) with the desired VLAN ID for each user group. The Cambium AP assigns the VLAN from the RADIUS Access-Accept response. The VLANs must be trunked to the AP switch ports.

Common causes include: (1) Firewall blocking UDP 1812/1813 from the AP subnet to the RADIUS server IPs. (2) The AP's public IP is not registered as an authorized client in IronWiFi. (3) Shared secret mismatch between cnMaestro and IronWiFi. (4) The WLAN profile has not been pushed to the AP group yet - check cnMaestro sync status. (5) Wrong RADIUS server IP. Check IronWiFi authentication logs for rejected or missing requests.

Tags: Cambium Networks cnMaestro RADIUS 802.1X WPA-Enterprise Cloud RADIUS cnPilot Network Security