
Ubiquiti Conversion Guide



Data-Only Mobile configuration requires the Passpoint protocol. Please ensure your Ubiquiti network is using UniFi Network Controller version 8.4.54 or higher and AP firmware version 6.6.77 or 7.0.66 or higher, depending on the hardware release track.

Obtain RadSec Certificates

Each onboarded network requires a unique NAS-ID. For Ubiquiti networks, it is recommended to use the MAC address of the network controller as the NAS-ID.

Run the UniFi network controller locally or log into the cloud UniFi Site Manager.

Navigate to UniFi Devices, choose your Network Controller and copy the MAC Address.

Retrieve the MAC address of the network controller.

Use this NAS-ID in the WiFi Conversion Onboarding flow and return to this guide after the network is onboarded and certificates have been delivered.

If updating from older RadSec certificates:

If early access certificates were previously deployed on the network, a Ubiquiti bug may prevent new certificates from propagating.
Restart all APs on the network after updating the certificates, and the new certificates should be applied.

Configure UniFi Network Controller

After retrieving certificates, configuration is a two-part process: create the RADIUS profile, then apply it to a new WiFi SSID named Helium.

UniFi Settings screen within the UniFi Site Manager.

Create a RADIUS Profile

Configure a TLS connection to the Helium Cloud AAA server (also known as Radiator), which performs Authentication, Authorization, and Accounting for the end customers. Carrying RADIUS over TLS (RadSec) increases the security of the authentication traffic that crosses the cloud network.

In the sidebar, choose Settings, then Networks, then scroll to the bottom to Radius Servers.


Settings > Networks > Radius Servers.

Click Create New.

Specify a profile name, for example "Helium RadSec".

Configure RADIUS properties:

  1. Under Radius Settings, check the TLS box.
    1. Click Upload next to Client Certificate, choose the path to cert.pem.
    2. Click Upload next to Private Key, choose the path to key.pem. Leave the Private Key password empty.
    3. Click Upload next to CA Certificate, choose the path to ca.pem.

Load the certificates from the network onboarding.

  2. Specify Authentication Servers. Add these three servers:
    1. Enter IP Address: 52.37.147.195 Port: 2083 Shared Secret: radsec. Click Add.
    2. Enter IP Address: 44.229.62.214 Port: 2083 Shared Secret: radsec. Click Add.
    3. Enter IP Address: 44.241.107.197 Port: 2083 Shared Secret: radsec. Click Add.
  3. Check the Accounting checkbox. RADIUS Accounting Server settings will appear.

Note

If the Accounting Servers checkbox is greyed out as in the image below, create the RADIUS profile with only the Authentication Servers, save, then reopen and edit the profile to add Accounting Servers. This is a current Ubiquiti UI bug.

Accounting checkbox greyed out. Workaround: save and reopen the RADIUS profile.

  4. Specify the following Accounting Servers:
    1. Enter IP Address: 52.37.147.195 Port: 2083 Shared Secret: radsec. Click Add.
    2. Enter IP Address: 44.229.62.214 Port: 2083 Shared Secret: radsec. Click Add.
    3. Enter IP Address: 44.241.107.197 Port: 2083 Shared Secret: radsec. Click Add.
  5. Check Interim Update Interval box.
  6. Set Interim Update Interval to 300 seconds (standard for the Helium Network).

Configure RADIUS settings.

Click Apply Changes to create the new RADIUS profile.
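
Before uploading cert.pem, key.pem and ca.pem to the RADIUS profile above, it helps to confirm they form a consistent bundle: the shared secret is the same fixed value for every server, so the certificate and key are what identify this network to the AAA servers. The script below is an added example, not part of the original guide or of any UniFi or Helium tooling; it assumes the openssl command-line tool is installed, and check_radsec_bundle is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: pre-upload sanity check for the RadSec bundle from onboarding.
# check_radsec_bundle is a hypothetical helper name, not a UniFi or Helium tool.
# Return codes: 0 ok, 2 encrypted key, 3 unreadable file, 4 key/cert mismatch,
# 5 certificate does not verify against the CA.

check_radsec_bundle() {
    cert=$1; key=$2; ca=$3

    # The guide leaves the Private Key password empty, so key.pem must not be
    # passphrase-protected. Both PEM key encodings say ENCRYPTED in their header.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: $key is passphrase-protected" >&2; return 2
    fi

    # Extract the public key from each file; a parse failure means a wrong or
    # damaged file was picked.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot read private key $key" >&2; return 3; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read certificate $cert" >&2; return 3; }

    # The private key must belong to the client certificate.
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 4
    fi

    # The client certificate must chain to the delivered CA and be within its
    # validity period (openssl verify checks both).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2; return 5
    fi

    # Early warning: -checkend exits non-zero if expiry falls within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "WARN: $cert expires within 30 days" >&2
    fi

    echo "OK: bundle is consistent"
    return 0
}

# Stand-alone use: sh check.sh cert.pem key.pem ca.pem
if [ "$#" -eq 3 ]; then
    check_radsec_bundle "$@"
fi
```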

Create the Helium SSID

Navigate to Settings in the sidebar, choose WiFi, then click Create New.

Create a new WiFi network.

Configure settings for the new network.

  1. Set the Name of the SSID to Helium. Leave the password blank.
  2. Under Application, select Hotspot.
  3. Under Hotspot Type, select Passpoint. Passpoint settings will appear below.
  4. Set Venue Name to a name for your site.
  5. Set Venue Type to the option that best matches your site.
  6. Set Network Type to Chargeable Public Network.
  7. Set IP Address Type Availability:
    1. IPv4 to Double NATed private IPv4.
    2. IPv6 to Unavailable.
  8. Add NAI Realms with the following two entries:
    1. Name: freedomfi.com EAP Method: EAP-TLS Sub-Methods: Certificate.
    2. Name: hellohelium.com EAP Method: EAP-TLS Sub-Methods: Certificate.
  9. In Domain List, add freedomfi.com (or your home domain if applicable). Click Add.

Create a new WiFi network.

  10. Set Security Protocol to WPA3 Enterprise.
  11. Choose External RADIUS Profile: Helium RadSec.

Set to WPA3 Enterprise.

  12. Under NAS ID, enter the NAS-ID used during Helium onboarding in the Custom field.

Identify the NAS ID using the MAC address.

  13. Ensure Client Device Isolation is checked for secure networking. See the Ubiquiti guide on network and client isolation for more information.

Click Add WiFi Network.

Your Helium SSID is now configured. To verify, forget the existing network on your device and connect to the new network with a device that has a supported carrier, such as Helium Mobile.
