Skip to main content

General Data-Only Guide

This guide provides a high-level, brand-agnostic walkthrough of how to set up Hotspot 2.0 (Passpoint) for Helium. While specific steps vary across vendors—Aruba, Cisco Meraki, Ruckus, Fortinet, Extreme, Ubiquiti, etc.—the Hotspot 2.0 (Passpoint) setup follows the same general workflow:

1. Hotspot 2.0 / Passpoint Enablement

  1. Enable the Feature: Look for a toggle or option labeled "Hotspot 2.0," "Passpoint," or "HS2.0" on your AP or WLAN controller.
  2. NAI Realms: For Helium Mobile, two realms must be configured:
    • freedomfi.com (EAP Method: EAP-TLS, Sub-Methods: Certificate)
    • hellohelium.com (EAP Method: EAP-TLS, Sub-Methods: Certificate)

2. SSID Profile

  1. Create a New SSID (e.g., named Helium) or modify an existing one.
  2. Security: Configure WPA3-Enterprise for 802.1X/EAP.
  3. Passpoint Advertising: Under advanced or manual settings, enable Hotspot 2.0/Passpoint mode.
  4. Venue & Network Type: Some platforms allow specification of a venue name/type. Use Chargeable Public Network as type.
  5. IP Address Type Availability: If the controller supports it, set IPv4 to Double NATed private IPv4 and IPv6 to Unavailable.
  6. Add Realms: Input freedomfi.com and hellohelium.com with EAP Method EAP-TLS and Sub-Method Certificate.
  7. Domain List: Include the domain names freedomfi.com and hellohelium.com in the domain list. If there are existing Passpoint configurations, the Helium domains may be omitted in favor of those domains.
  8. NAS-ID: Enter the NAS-ID used during Helium Self-Serve or Helium Plus onboarding. Typically the MAC address of the network controller or an AP on the onboarded network.

3. AAA and RADIUS / RadSec Integration

Hotspot 2.0 deployments with Helium use RADIUS over TLS (RadSec) for secure authentication.

  1. Create RADIUS Profile: RadSec (RADIUS over TLS) must be supported, or the network must have the ability to run a RadSec proxy within it.
  • Enable TLS and upload the Client Certificate, Private Key, and CA Certificate provided by the Helium Self-Serve onboarding or Helium Plus representative.
  • Enter the RadSec Servers and shared secrets:
    • 52.37.147.195:2083 (Shared Secret: radsec)
    • 44.229.62.214:2083 (Shared Secret: radsec)
    • 44.241.107.197:2083 (Shared Secret: radsec)
  • Enable RADIUS Accounting and configure the same servers.
    • 52.37.147.195:2083 (Shared Secret: radsec)
    • 44.229.62.214:2083 (Shared Secret: radsec)
    • 44.241.107.197:2083 (Shared Secret: radsec)
  • Set an Interim Update Interval of 300 seconds.

4. Network & Firewall Rules

  1. Domains & Ports: Whitelist or allow traffic to any AAA endpoints used by the network. RadSec uses TCP port 2083.
  2. Walled Garden: If the controller enforces pre-auth access, ensure Helium IP ranges are reachable during AAA transactions.

5. VLAN Assignments

  1. Designate VLAN: Decide which VLAN or subnet handles Passpoint traffic. Provide DHCP, DNS, and other essential services.
  2. Isolation: Follow best practices to segment Hotspot 2.0 traffic from internal resources.

6. Testing

  1. Client Device: Use a smartphone or laptop known to support Hotspot 2.0. It should discover and automatically connect to the newly configured SSID.
  2. Logs & Controller: Review logs for successful EAP authentication events.
  3. Connectivity: Verify that a connected device obtains the expected IP address, can access the internet, and is properly accounted for in RADIUS logs.

Best Practices

  • Keep AP Firmware Updated: Use a version that fully supports Passpoint (HS2.0) features.
  • Segment Traffic: A dedicated VLAN or subnet for Passpoint traffic enhances security.
  • Test Multiple OSes: Different end-user devices can behave differently with Passpoint.
  • Monitor Logs: Authentication or certificate issues typically appear in RADIUS or controller logs.