Skip to main content

Ubiquiti Data-Only Guide



Data-Only Mobile configuration requires the Passpoint protocol. Please ensure your Ubiquiti network is using UniFi Network Controller version 8.4.54 or higher and AP firmware version 6.6.77 or AP firmware version 7.0.66 or higher, depending on hardware release track.

Obtain RadSec Certificates From The Helium Onboarding Portal

Download preview RadSec Certificates: early_access_certs.zip

Unzip the following files from the archive:

  • early_acc_cert.pem
  • early_acc_key.pem
  • early_acc_ca.pem
note

These certificates are for early access only and will expire on January 25, 2025.

Configure UniFi Network Controller

Configuring the network controller for Passpoint is a two-part process. First, create the RADIUS profile, then apply the profile to a newly created WiFi SSID called 'Helium'.

Run the UniFi network controller locally or log into the cloud UniFi Site Manager.

UniFi Settings screen within the UniFi Site Manager.

Create a RADIUS Profile

Configure a TLS connection to Helium Cloud AAA server (aka Radiator), which performs Authentication, Authorization and Accounting for the end customers. Enabling RADIUS communication over TLS (RadSec) increases the level of security for authentication that is carried out across the cloud network.

In the sidebar, choose Settings, then Profiles, then RADIUS:

Open RADIUS profiles.

Reminder

These configurations are for early access. Server addresses and keys will change in the near future.

Press Create New.

Specify a profile name, for example "Helium Radsec".

Configure RADIUS properties:

Configure RADIUS settings.
  1. Check TLS box.

  2. Specify Authentication Servers IP Address:

    Add these three servers:

    1. Enter IP Address: 52.37.147.195 Port: 2083 Shared Secret: radsec. Click Add.
    2. Enter IP Address: 44.229.62.214 Port: 2083 Shared Secret: radsec. Click Add.
    3. Enter IP Address: 44.241.107.197 Port: 2083 Shared Secret: radsec. Click Add.
  3. Press Upload next to Client Certificate, choose the path to early_acc_cert.pem.

  4. Press Upload next to Private Key, choose the path to early_acc_key.pem.
    Keep Private Key Password empty.

  5. Press Upload next to CA Certificate, choose the path to early_acc_ca.pem.

Load the keys from the early_access_certificates.zip file .

  1. Check the Accounting checkbox. RADIUS Accounting Server settings will appear.

  2. Specify the following Accounting Servers:

    1. Enter IP Address: 52.37.147.195 Port: 2083 Shared Secret: radsec. Click Add.
    2. Enter IP Address: 44.229.62.214 Port: 2083 Shared Secret: radsec. Click Add.
    3. Enter IP Address: 44.241.107.197 Port: 2083 Shared Secret: radsec. Click Add.
RADIUS accounting server settings.

  1. Check Interim Update Interval box.
  2. Specify Interim Update Interval with 300 Sec, standard for the Helium Network.

Click Apply Changes to create the new RADIUS Profile.

Create The Helium SSID

Navigate to the Settings on sidebar, choose WiFi then press Create New

Create a new WiFi network.

Configure settings for the new network.

  1. Set the Name of the SSID to Helium. Leave the password blank.
  2. Set Advanced to Manual.
  3. Set Hotspot 2.0 to Passpoint. Passpoint settings will appear below.
  4. Specify Venue Name to a name for your site.
  5. Specify Venue Type with the option that best matches your site.
  6. Set Network Type to Chargeable Public Network
  7. Set IP Address Type Availability:
    1. IPv4 to Double NATed private IPv4.
    2. IPv6 to Unavailable
  8. Add NAI Realms with the following two entries:
    1. Name: freedomfi.com EAP Method: EAP-TLS Sub-Methods: Certificate.
    2. Name: hellohelium.com EAP Method: EAP-TLS Sub-Methods: Certificate.
  9. Add Domain List: freedomfi.com or leave your home domain, if any. Press Add.
Create a new WiFi network.

  1. Set Security Protocol to: WPA3 Enterprise

  2. Specify a NAS-ID matching the MAC address of your network controller or representative AP. This value should be equal to the one specified during onboarding to Helium network.

    note

    A NAS-ID matching the on-chain onboarding is not applicable for early access.

    In a new tab, navigate to UniFi Devices, choose your Network Controller and copy the MAC Address.

Retrieve the MAC address of the network controller.

Paste the MAC address to the Custom field of NAS-ID.

Identify the NAS ID using the MAC address.

  1. Choose Radius Profile: Helium Radsec

Press Add WiFi Network.

Your Helium SSID is all set up. Verify access by forgetting the existing network on your device and connecting to the new network using a device with a supported carrier, such as Helium Mobile.

Apply security settings to the network to ensure isolation from the existing network(s). See this Ubiquiti guide on network and client isolation for more information.