[Orion Setup Guide] Ubiquiti UniFi

Orion Setup Guide
Ubiquiti UniFi APs

Update your UniFi Network Application and AP Firmware

Orion uses Passpoint to auto-connect users to your network.  Passpoint requires UniFi Network version 8.4.54 or higher, and AP firmware 6.6.75 / 7.0.63 or higher.  Ensure your UniFi system is updated before proceeding.

Get your Orion RadSec Certificate Bundle

Download and extract your RadSec Certificate Bundle (radsec.zip) from the Orion Supply portal.  See our Help Center for instructions.

The radsec.zip archive should contain 3 important files (among other unused files):

File Name                        File Purpose
cert.pem                         Client Certificate
key.pem                          Private Key
cacerts/bw.radsec.cacerts.pem    CA Certificate

You'll need these files when creating your RADIUS profile in UniFi.

Configure UniFi

Log into the UniFi cloud at https://unifi.ui.com/

Select your Site under Site Manager and ensure you are in the Network application.

RADIUS Profile

Orion provides two RADIUS over TLS (RadSec) servers for your use. These servers will handle all authentication, authorization and accounting (AAA) for users connecting to your Orion SSID.

As a first step, you'll create a RADIUS server profile for these endpoints. You can then use this profile when creating the Orion SSID.

In the sidebar, choose Settings > Profiles > RADIUS.


Click Create New.  A form to create your new RADIUS profile will appear.

Give the profile a Name, such as Orion-AAA.

RADIUS Assigned VLAN Support should be unchecked by default (wired and wireless).

Under RADIUS Settings:

  1. Check the box next to TLS
  2. Add an Authentication Server with IP 216.239.32.91, port 2083, secret radsec
  3. Add an Authentication Server with IP 216.239.34.91, port 2083, secret radsec
  4. Next to Client Certificate, click Upload
     1. Upload cert.pem (from radsec.zip)
  5. Next to Private Key, click Upload
     1. Upload key.pem (from radsec.zip)
     2. Private Key Password should be left blank.
  6. Next to CA Certificate, click Upload
     1. Upload bw.radsec.cacert.pem (from radsec.zip)
  7. Check the box next to Accounting
  8. Add an Accounting Server with IP 216.239.32.91, port 2083, secret radsec
  9. Add an Accounting Server with IP 216.239.34.91, port 2083, secret radsec
  10. Check the box next to Interim Update Interval
  11. Set Interim Update Interval to 300 Seconds (5 minutes)

Click Apply Changes to create your new RADIUS Profile.

Orion SSID

Next you'll create a dedicated WPA2-Enterprise SSID for Orion:

In the sidebar, click Settings > WiFi.

Add a new Wi-Fi network named Orion.

Set Hotspot 2.0 to Passpoint.
(If you do not see the Passpoint option, check your AP and Network versions)

In the Passpoint fields that appear:

  1. Set Venue Name to a friendly name for your site
  2. Set Venue Type to the type that matches your site, or to Unspecified
  3. Set Network Type to Chargeable Public Network
  4. Set IPv4 and IPv6 Address Type Availability as appropriate for your network
  5. Add the Orion RCOI:
     1. Next to Roaming Consortium List, click Add
     2. Set Name to Orion
     3. Set Organization ID to F4F5E8F5F4
     4. Click Add (next to Organization ID)
  6. ⚠️  Orion does not use NAI realms, but older UniFi versions force you to add one.
     If your version of UniFi requires you to add an NAI realm:
     1. Next to NAI Realm, click Add
     2. Add a fake NAI Realm (realm name "foobar", type EAP-TLS).

Next we'll add the RADIUS parameters.  This includes selecting the RADIUS profile we created earlier, and setting your NAS ID properly.

IMPORTANT: Orion automatically names your Networks based on their NAS ID.  You should use one unique NAS ID for each unique Orion Network you operate.

Scroll down to the Security and RADIUS section:

  1. Security Protocol should be set to WPA2-Enterprise
  2. Under RADIUS Profile, select Orion-AAA
  3. Set NAS ID to Site Name (or Custom, if you prefer)

Click Add WiFi Network.  

Test your Orion Network


Your APs should now broadcast the Orion SSID.  Proceed to Test your Orion Network and qualify for more traffic.