Ubiquiti Data-Only Guide
Data-Only Mobile configuration requires the Passpoint protocol. Please ensure your Ubiquiti network is using UniFi Network Controller version 8.4.54 or higher and AP firmware version 6.6.77 or AP firmware version 7.0.66 or higher, depending on hardware release track.
Obtain RadSec Certificates From The Helium Onboarding Portal
Download preview RadSec Certificates: early_access_certs.zip
Unzip the following files from the archive:
early_acc_cert.pem
early_acc_key.pem
early_acc_ca.pem
These certificates are for early access only and will expire on January 25, 2025.
Configure UniFi Network Controller
Configuring the network controller for Passpoint is a two-part process. First, create the RADIUS profile, then apply the profile to a newly created WiFi SSID called 'Helium'.
Run the UniFi network controller locally or log into the cloud UniFi Site Manager.
Create a RADIUS Profile
Configure a TLS connection to Helium Cloud AAA server (aka Radiator), which performs Authentication, Authorization and Accounting for the end customers. Enabling RADIUS communication over TLS (RadSec) increases the level of security for authentication that is carried out across the cloud network.
In the sidebar, choose Settings, then Profiles, then RADIUS:
These configurations are for early access. Server addresses and keys will change in the near future.
Press Create New.
Specify a profile name, for example "Helium Radsec".
Configure RADIUS properties:
-
Check TLS box.
-
Specify Authentication Servers IP Address:
Add these three servers:
- Enter IP Address:
52.37.147.195
Port:2083
Shared Secret:radsec
. Click Add. - Enter IP Address:
44.229.62.214
Port:2083
Shared Secret:radsec
. Click Add. - Enter IP Address:
44.241.107.197
Port:2083
Shared Secret:radsec
. Click Add.
- Enter IP Address:
-
Press Upload next to Client Certificate, choose the path to
early_acc_cert.pem
. -
Press Upload next to Private Key, choose the path to
early_acc_key.pem
.
Keep Private Key Password empty. -
Press Upload next to CA Certificate, choose the path to
early_acc_ca.pem
.
-
Check the Accounting checkbox. RADIUS Accounting Server settings will appear.
-
Specify the following Accounting Servers:
- Enter IP Address:
52.37.147.195
Port:2083
Shared Secret:radsec
. Click Add. - Enter IP Address:
44.229.62.214
Port:2083
Shared Secret:radsec
. Click Add. - Enter IP Address:
44.241.107.197
Port:2083
Shared Secret:radsec
. Click Add.
- Enter IP Address:
- Check Interim Update Interval box.
- Specify Interim Update Interval with 300 Sec, standard for the Helium Network.
Click Apply Changes to create the new RADIUS Profile.
Create The Helium SSID
Navigate to the Settings on sidebar, choose WiFi then press Create New
Configure settings for the new network.
- Set the Name of the SSID to
Helium
. Leave the password blank. - Set Advanced to Manual.
- Set Hotspot 2.0 to
Passpoint
. Passpoint settings will appear below. - Specify Venue Name to a name for your site.
- Specify Venue Type with the option that best matches your site.
- Set Network Type to
Chargeable Public Network
- Set IP Address Type Availability:
- IPv4 to
Double NATed private IPv4
. - IPv6 to
Unavailable
- IPv4 to
- Add NAI Realms with the following two entries:
- Name:
freedomfi.com
EAP Method:EAP-TLS
Sub-Methods:Certificate
. - Name:
hellohelium.com
EAP Method:EAP-TLS
Sub-Methods:Certificate
.
- Name:
- Add Domain List:
freedomfi.com
or leave your home domain, if any. Press Add.
-
Set Security Protocol to:
WPA3 Enterprise
-
Specify a NAS-ID matching the MAC address of your network controller or representative AP. This value should be equal to the one specified during onboarding to Helium network.
noteA NAS-ID matching the on-chain onboarding is not applicable for early access.
In a new tab, navigate to UniFi Devices, choose your Network Controller and copy the MAC Address.
Paste the MAC address to the Custom field of NAS-ID.
- Choose Radius Profile:
Helium Radsec
Press Add WiFi Network.
Your Helium SSID is all set up. Verify access by forgetting the existing network on your device and connecting to the new network using a device with a supported carrier, such as Helium Mobile.
Apply security settings to the network to ensure isolation from the existing network(s). See this Ubiquiti guide on network and client isolation for more information.