Aerohive (Extreme) wireless controller - Passpoint configuration

In this guide we describe how to configure your Aerohive (Extreme) devices to work with Passpoint profiles, OpenRoaming and SIM card authentication


  1. Access to the ExtremeCloud Dashboard as a user with administrative privileges.
  2. Information about the assigned RADIUS servers (Server IP address, port numbers, shared secrets):
    1. Email or document that contains this information


    2. Access to the IronWiFi Management Console - Sign in or Open Account


Log in to the ExtremeCloud console as admin.  For existing environments with additional users, log in as a user with administrative privileges.

The ExtremeCloud Dashboard appears. Your access points are displayed.


: There are a number of options you can set. Only the options that require your input are shown. Default values are used for options that don’t need adjustment.


Configure the wireless LAN

To configure the wireless LAN, you create a network policy (profile), an SSID, and RADIUS servers.

Create a network policy

  1. Click Configure in the menu bar on the left of the Dashboard.

  2. Select Network Policies.

    The Network Policy page appears.

    Ubiquiti passpoint configuration  67
  3. Click Add Network Policy.

    The Network Policies New Policy page appears. The Policy Details tab is open.

  4. Under What type of policy are you creating?, leave the box checked next to Wireless. Uncheck the boxes next to Switches and Routing.
  5. Enter a Policy Name, such as “IronWiFi_network_policy”.
  6. Click Save on the bottom right.

    The Wireless Networks page appears.

Create an SSID

  1. Click Configure in the menu bar on the left of the dashboard.
  2. Select Network Policies under Configure.
  3. Select Wireless Networks at the top.
  4. Click + to create an SSID.
  5. Select All other Networks (standard).

    Ubiquiti passpoint configuration  68
    A page appears where you’ll define the SSID and authentication settings.

  6. Enter an SSID Name for internal purposes, such as “IronWiFi_Secure_WiFi” and a Broadcast Name that your clients will see. The names can be the same.
  7. For SSID Usage, select Enterprise. (The default is Private Pre-Shared Key.)
    In the field Key Management select WPA2-802.1X and as Encryption Method chose CCMP (AES)

Add RADIUS authentication servers to the network policy

It’s important to set up a secure RADIUS connection between the wireless LAN controller and IronWiFi.

To add RADIUS authentication servers to your network policy, you create a server group and then add servers to the group.

  1. Still on the Wireless Networks page, scroll down to Authentication Settings.
  2. Under Authenticate via RADIUS Server, click + to add a RADIUS server group.

    The Configure RADIUS Servers dialog box appears.
  3. Enter a RADIUS Server Group Name, such as “IronWiFi_radius_group”.
  4. Click Settings to the right of the server group description.

The Select RADIUS Settings dialog box appears.

5.  Change the Accounting interim update interval to 300 (seconds).
6.  Click Save RADIUS Settings on the bottom right.

You return to the Configure RADIUS Servers dialog box.

7.  Click + under External RADIUS Server to add a RADIUS server to the server group.

The dialog box expands to display a New External RADIUS Server section.

8.  Enter the Name, such as “Primary_radius”.
9.  Click + next to IP/Host Name.

IronWiFi (5)
10.  Select IP Address.

The New IP Address or Host Name dialog box appears.
IronWiFi (4)
11.   Enter the object Name, such as “Primary”.
12.   Enter the Primary RADIUS IP Address (from the Console) in IP Address.
13.   Click Save IP Object on the bottom right.

You return to the New External RADIUS Server section. You see the name of the object you created in the IP/Host Name field.

IronWiFi (3)

14.   Enter the Shared Secret from the Console
15.   Click Save External RADIUS on the bottom right.
 You return to the Configure RADIUS Servers page where you see the server you added         (Primary_radius).
16.   Check the box next to the server you added. This indicates you want to add it to the server group.
17.   Click Save RADIUS on the bottom right to save your RADIUS configuration.
You return to the Authenticate via RADIUS Server section of the Wireless Networks page. You see the RADIUS server group and server you created.


18.   Repeat steps 7-17 to add the secondary RADIUS server for high availability. The secondary RADIUS IP address is from the Console
19.   Click Save on the bottom right to save your network policy configuration.

You return to the Wireless Networks page where you see the SSID you created.


Assign the SSID to the network policy

  1. Still on the Wireless Networks page, select the SSID by clicking the checkbox next to the SSID .


  2. Click Next on the bottom right. Clicking Next assigns the selected SSID to the network policy.

The network policy configuration is complete.

Configure Hotspot 2.0


Hotspot 2.0 allows mobile devices to join a WiFi network automatically via Passpoint when the devices enter the Hotspot 2.0 area.

You’ll use the supplemental CLI option to configure Hotspot 2.0. When you enable supplemental CLI, you enter the commands into the GUI. For that reason, we recommend composing the commands in a text file beforehand so you have them ready when enabling the supplemental CLI.

Compose your CLI

Create a text file with the commands that link your network policy to Hotspot 2.0.

1.  Create a hotspot profile with a profile name “IronWiFi-profile”, anqp domain ID, and network type.

anqp-domain-id default is 0, which means that the ANQP information is unique to this access point. A network type of 1 indicates a private network.
hotspot profile IronWiFi-profile
hotspot profile IronWiFi-profile anqp-domain-id 0
hotspot profile IronWiFi-profile network-type 1 access-internet

2.  Configure the operator name “IronWiFi-Operator” and the language (English).
hotspot profile IronWiFi-profile operator-name IronWiFi-Operator language-code eng

3.  Configure the hotspot to support IPv4 with a single NAT private IPv4 address by configuring ip-type ipv4 3. ipv6 0 indicating that IPv6 is not available.
hotspot profile IronWiFi-profile ip-type ipv4 3 ipv6 0

4.  Configure the domain name.
hotspot profile IronWIFi-profile domain-name

5.  Create the NAI-realm “IronWiFi-Realm” by specifying these parameters:

Encoding type—”0” (the default)
EAP method—”21” for EAP-TTLS
Inner authentication—”4” for MS-chapv2
hotspot profile IronWiFi-profile nai-realm IronWiFi-Realm encoding-type 0
hotspot profile IronWiFi-profile nai-realm IronWiFi-Realm eap-method 21 inner-auth 4

  6.  Configure IronWiFi SSID to use WPA2-AES 802.1X authentication.
 security-object IronWiFi security protocol-suite wpa2-aes-8021x

   7.  Apply the IronWiFi-profile hotspot profile to the SSID.
ssid Secure_WiFi hotspot-profile IronWiFi-profile

   8.  Save the configuration.
save configuration

Enable the supplemental CLI

  1. Select Global Settings on the top right of the Dashboard under your user icon.

  2. On the left side of the Dashboard, click VIQ Management under Administration.

    The VIQ Management page appears.

   3.  Verify that Supplemental CLI is ON. If not, enable it.

Add the Hotspot 2.0 configuration to the network policy

  1. Click Configure in the menu bar on the left of the Dashboard.

  2. Select Network Policies.

    The Network Policy page appears.

    You see the network policy you created, “IronWiFi_network_policy”.

    Ubiquiti passpoint configuration  74
  3. Click the name of the SSID you created.

    The Wireless Network page appears.

    IronWiFi (6)
  4. Click Additional Settings in the top menu bar.

    The DNS Server page appears.

  5. Under Policy Settings in the menu bar on the left, click Supplemental CLI.

    The Supplemental CLI page appears.

  6. Verify that Supplemental CLI is ON. If not, enable it
  7. Enter a Name, such as “Hotspot”.
  8. Paste the CLI commands in your text file into the CLI Commands box.

    Ubiquiti passpoint configuration  76
  9. Click Save on the bottom right.
    A message appears on the top left indicating that the supplemental CLI was saved.

  10. Click Next.
    The Apply the network policy to selected devices page appears.

  11. Click Eligible to display your access points.

    IronWiFi (8)

  12. Select your access points by checking the box next to them in the Status column.

  13. Click Upload on the bottom right.
    The Device Update dialog box appears.

  14. Under Update Network Policy and Configuration, select Complete Configuration Update. (Delta Configuration Update is the default; you want a complete update.)

  15. Click Perform Update on the bottom right of the dialog box to save your configuration.

    The access points are rebooted (this can take a few minutes). You see a message on the upper left indicating that the devices are successfully deployed.