1
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Introduction
This document describes about the step by
step instruction for integrating Google’s Orion
Wi-Fi with Cambium Enterprise Wi-Fi Access
Points.
Sign up for Orion Wi-Fi
As a pre-request step, need to create Orion
Wi-Fi account by following steps
• Enter your google account or you can use
your corporate email address , instructions
are mentioned
• In my example I have used my Gmail id for
creating a Orion account, please find the
below screen prints
Cambium Enterprise Wi-Fi and
Google Orion Wi-Fi Deployment Guide
Contents
1 Introduction
1 Sign up for Orion Wi-Fi
3 Download RadSec Certificates from Orion
4 Create Ubuntu VM for installing proxy RadSec
6 Passpoint configuration in cnMaestro
10 Create AP Group and attach the same to Enterprise Wi-Fi AP
11 Validating with a wireless client by connecting to Orion WLAN
13 CLI configuration of Orion Wi-Fi
2
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
Read and Accept the Terms of Service Agreement
Enter the basic business information to create the account
3
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
You will get an Orion login page and click on “configure your network”,
which will redirect you to the documentation page
Download RadSec Certificates from Orion
Next step is to download the RadSec Certificates from your Orion account, so that you can install a
RadSec proxy and connect to Orion RadSec server.
https://docs.google.com/document/u/1/d/e/2PACX-1vSInmW7BBvl9LxNpOTavwYhAxs8beRI
lETp3W-1979b8BabV2HX7931QC4xc1j9GqVf_Zy0sye/pub#h.cf7ovk570ms3
Click on “Orion Settings” tab and click “Generate RadSec Certificate Bundle”
for generating RadSec certificate bundle
4
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
Click on “Download RadSec Certificate Bundle” and save to your local PC
Create Ubuntu VM for installing proxy RadSec
Create an Ubuntu VM and spawn a docker container for running RadSec. Note down the IP address of the VM, so
that can be configured as the radius server in WLAN profile. And proxy RadSec running as a container in Ubuntu
VM will initiate a RadSec connection to the Orion Radius server for TLS authentication.
Click the below URL for opening the RadSec Deployment and configuration
https://docs.google.com/document/d/e/2PACX-1vSl84bfdCireGISY87ZQxZfzq4-J1RVxhlx6zl2NnqO6A
cvZkdxu7ojD02qB1-B5xdPlktICvH4t0ar/pub
5
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
Please follow the below git commands to get the RadSec container and initialize the same in Ubuntu VM
RadSec proxy will establish the TCP connection with Orion RadSec IP address using port number 2083.
If your organization firewall is blocking the port please request your IT department to unblock it.
Troubleshooting RadSec connection
6
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
If your organization is blocking the port or not able to reach the external RadSec,
then you will see the below error
Navigate to “Configuration” -> “WLANs and AP Groups” for creating a new WLAN
Passpoint configuration in cnMaestro
7
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
Configure the SSID and Security as “WAP2 Enterprise (802.1x)”
Configure the AAA server as the local Ubuntu VM that is running the RadSec proxy server.
8
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
Configure the Passpoint with below settings
9
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
Save the WLAN configuration
10
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
Navigate to “configuration” -> “WLANs and AP Group” -> click “New AP Group”
Create AP Group and attach the same to Enterprise Wi-Fi AP
Navigate to “configuration” -> “WLANs and AP Group” -> click “New AP Group”
11
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
Select the AP group configuration to the respective AP by navigating -> Manage -> Specific device ->
Configuration and in AP group drop down, select the newly created AP Group.
Validating with a wireless client by connecting to Orion WLAN
Follow the below link to download the profile to AP
https://docs.google.com/document/d/e/2PACX-1vQhbx-
MIqc_7Tmsp5SrJ435JlDhEbz7y0x8gtCiZAcErg-kTlCqbhWuTLf6SeiFTf52DMreoXa7im-
W/pub#h.n2jmq2da97p
After installing the profile, the wireless device should be connecting to the Orion Wireless LAN
12
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
Login to your Orion account and confirm “Manage Network” should show the APs
13
cambiumnetworks.com
©2020 Cambium Networks, Ltd. | 3800 Golf Road, Suite 360 | Rolling Meadows, IL 60008
DEPLOYMENT GUIDE
Cambium Networks and Orion Wi-Fi Integration
For reference, please find the CLI configuration for Orion Wi-Fi, radius server is pointing to the Ubuntu VM
CLI configuration of Orion Wi-Fi
wireless wlan 1
ssid OrionWiFi
no shutdown
vlan 12
security wpa2-enterprise
no protected-mgmt-frames
passphrase $crypt$1$MATOIvimGr0WhHYcqQYU/MyOQchlnP/W
band both
dtim-interval 1
max-associated-client 127
proxy-arp
network-policy-id 0
mac-authentication policy deny
radius-server authentication host 1 172.20.10.59
radius-server authentication secret 1 $crypt$1$U2gc7eq8oDcCYl8kN/5PhZRKNR637dGz
radius-server called-sta-id AP-MAC:SSID
radius-server rad-attr service-type 1
radius-server accounting host 1 172.20.10.59
radius-server accounting secret 1 $crypt$1$YM1Ff7J/7rmXJiGn1XSCqsxeIs7QxRTf
radius-server accounting interim-update-interval 1800
radius-server accounting mode start-interim-stop
radius-server accounting acct-on
passpoint
passpoint interworking internet
passpoint interworking access-network-type chargeable-public
passpoint interworking venue-group 6
passpoint interworking venue-type 4
passpoint roam-cons F4F5E8F5F4
passpoint anqp nai-realm 1 name Orion-Realm
passpoint anqp nai-realm 1 eap 1 method eap-tls
passpoint anqp nai-realm 1 eap 1 auth 1 inner-auth-eap certicate
passpoint anqp domain-names orionwi.com
no guest-access
!
