MikroTik Conversion Guide

Prerequisites

RouterOS v7 device running CAPsMAN 2 (tested on 7.18.1)
RadSecProxy container running in your network.
For self-serve, CLI wallet prepared for onboarding: https://docs.helium.com/mobile/data-only-onboarding/
For Helium Plus, certificates ( ca.pem, cert.pem, key.pem ) supplied by the Helium Plus team and copied into the RadSecProxy directory.
UDP ports 1812/1813 open between MikroTik and the RadSecProxy host.
Bridge interface already created and used as the datapath for Wi-Fi traffic.

High-Level Steps

Deploy the RadSecProxy container and note its IP.
Create a RADIUS profile that points to the RadSecProxy.
Build a Wi-Fi configuration profile for the Helium Passpoint SSID.
Apply the profile to an interface (or create a virtual AP).
Verify operation and troubleshoot, if necessary.

1. Deploy RadSecProxy

At time of writing, RouterOS does not support RadSec natively, download the RadSecProxy container and run it in a Docker.

Un-zip and untar the Helium_RadSec_Docker.tar.gz file into the directory of your choice on the host machine. This will unpack the following items:
1. Dockerfile - The docker instructions on how to build the container
2. Radsecproxy.conf - The radsecproxy config file is pre-populated to connect to Helium Network AAA servers
3. docker-compose.yml - File to start and stop the container as a daemon.

tar -xvzf  Helium_RadSec_Docker.tar.gz

Into the same directory copy the 3 certificates obtained from Helium Network
1. ca.pem - the root CA certificate
2. cert.pem - the user certificate
3. key.pem - the key file matched to the certificate
Start the container using:

sudo docker compose up -d

If/when needed, stop the container using:

sudo docker compose down

Once the container is running, make sure you can ping it from the MikroTik router.

2. Add a RADIUS Profile

In RADIUS add a new entry:

Field	Value
Comment	`Helium AAA`
Service	`wireless`
Address	IP_of_RadSecProxy
Protocol	`udp`
Secret	`mysecret`
Authentication Port	`1812` (default)
Accounting Port	`1813` (default)
Timeout	`300 s`
Enabled	☑︎

3. Create a AP Configuration Profile

Navigate to WiFi → Configuration and click Add (+).

Configuration Tab

Field	Value
Name	`helium-passpoint`
Enabled	☑︎
Mode	`ap`
SSID	`Helium`

Channel Tab

Select the band and channel width appropriate for your deployment. Leave Frequency blank for automatic channel selection.

Security Tab

Check WPA2 or WPA3 EAP under Authentication Types.

EAP Tab

Check EAP Accounting to be enabled.

AAA Tab

Paste a MAC address of the WAN interface (usually ether1 by default) from menu Interfaces. Or enter the NAS-ID provided during Helium Plus onboarding.

Datapath Tab

Setting	Value
Bridge	`bridge1` (or the bridge used for LAN)

Interworking Tab

Fill in as shown:

4. Attach the Profile to an Interface

Assign the configuration profile to the desired WiFi interface. Either click New (this will create a virtual AP) or Edit an existing master interface.

Make sure to select a correct 5/2.4 interface according to the band defined in the configuration profile.

Enable it on the General tab.

5. Verification

Confirm that the Helium SSID is visible.
In logs, watch for successful radius authentication messages.
On the RadSecProxy host use docker logs -f radsecproxy to ensure TCP/TLS sessions are established.
On a compatible handset, ensure automatic connection with the carrier profile.

Prerequisites​

High-Level Steps​

1. Deploy RadSecProxy​

2. Add a RADIUS Profile​

3. Create a AP Configuration Profile​

Configuration Tab​

Channel Tab​

Security Tab​

EAP Tab​

AAA Tab​

Datapath Tab​

Interworking Tab​

4. Attach the Profile to an Interface​

5. Verification​