Skip to main content

Ubiquiti Data-Only Guide



Data-Only Mobile configuration requires the Passpoint protocol. Please ensure your Ubiquiti network is using UniFi Network Controller version 8.4.54 or higher and AP firmware version 6.6.77 or AP firmware version 7.0.66 or higher, depending on hardware release track.

Obtain RadSec Certificates

Each onboarded network requires a unique NAS-ID. For Ubiquiti networks, it is recommended to use the MAC address of the network controller as the NAS-ID.

Run the UniFi network controller locally or log into the cloud UniFi Site Manager.

Navigate to UniFi Devices, choose your Network Controller and copy the MAC Address.

Retrieve the MAC address of the network controller.

Use this NAS-ID in the Data-Only Onboarding flow and return to this guide after the network is onboarded and certificates have been delivered.

If updating from older RadSec certificates:

If early access certificates were previously deployed on the network, a Ubiquiti bug may prevent new certificates from propagating.
Restart all APs on the network after updating the certificates, and the new certificates should be applied.

Configure UniFi Network Controller

After retrieving onboarded certificates, configuring the network controller for Passpoint is a two-part process. First, create the RADIUS profile, then apply the profile to a newly created WiFi SSID called 'Helium'.

UniFi Settings screen within the UniFi Site Manager.

Create a RADIUS Profile

Configure a TLS connection to Helium Cloud AAA server (aka Radiator), which performs Authentication, Authorization, and Accounting for the end customers. Enabling RADIUS communication over TLS (RadSec) increases the level of security for authentication that is carried out across the cloud network.

In the sidebar, choose Settings, then Profiles, then RADIUS:

Open RADIUS profiles.

Press Create New.

Specify a profile name, for example "Helium Radsec".

Configure RADIUS properties:

Configure RADIUS settings.

  1. Under Radius Settings, check the TLS box.
    1. Press Upload next to Client Certificate, choose the path to <HotspotKey>.cer.
    2. Press Upload next to Private Key, choose the path to <HotspotKey>.pk.
      Keep Private Key Password empty.
    3. Press Upload next to CA Certificate, choose the path to data-only.ca.
Load the certificates from the network onboarding.

  1. Specify Authentication Servers:

    Add these three servers:

    1. Enter IP Address: 52.37.147.195 Port: 2083 Shared Secret: radsec. Click Add.
    2. Enter IP Address: 44.229.62.214 Port: 2083 Shared Secret: radsec. Click Add.
    3. Enter IP Address: 44.241.107.197 Port: 2083 Shared Secret: radsec. Click Add.
  2. Check the Accounting checkbox. RADIUS Accounting Server settings will appear.

  3. Specify the following Accounting Servers:

    1. Enter IP Address: 52.37.147.195 Port: 2083 Shared Secret: radsec. Click Add.
    2. Enter IP Address: 44.229.62.214 Port: 2083 Shared Secret: radsec. Click Add.
    3. Enter IP Address: 44.241.107.197 Port: 2083 Shared Secret: radsec. Click Add.
  4. Check Interim Update Interval box.

  5. Specify Interim Update Interval with 300 Sec, standard for the Helium Network.

Click Apply Changes to create the new RADIUS Profile.

Create The Helium SSID

Navigate to the Settings in the sidebar, choose WiFi, then press Create New

Create a new WiFi network.

Configure settings for the new network.

  1. Set the Name of the SSID to Helium. Leave the password blank.
  2. Set Advanced to Manual.
  3. Set Hotspot 2.0 to Passpoint. Passpoint settings will appear below.
  4. Specify Venue Name to a name for your site.
  5. Specify Venue Type with the option that best matches your site.
  6. Set Network Type to Chargeable Public Network
  7. Set IP Address Type Availability:
    1. IPv4 to Double NATed private IPv4.
    2. IPv6 to Unavailable
  8. Add NAI Realms with the following two entries:
    1. Name: freedomfi.com EAP Method: EAP-TLS Sub-Methods: Certificate.
    2. Name: hellohelium.com EAP Method: EAP-TLS Sub-Methods: Certificate.
  9. Add Domain List: freedomfi.com or leave your home domain, if any. Press Add.
Create a new WiFi network.

  1. Set Security Protocol to: WPA3 Enterprise

  2. Enter the NAS-ID used during onboarding to Helium in the Custom field of NAS-ID.

Identify the NAS ID using the MAC address.

  1. Choose Radius Profile: Helium Radsec

Press Add WiFi Network.

Your Helium SSID is all set up. Verify access by forgetting the existing network on your device and connecting to the new network using a device with a supported carrier, such as Helium Mobile.

Apply security settings to the network to ensure isolation from the existing network(s). See this Ubiquiti guide on network and client isolation for more information.