Hello, I have been looking at Alta Labs but have always been wondering if they are compatible with the Passpoint protocol so I could use Google Orion, or if so, does Google Orion work?
Thanks
@microbot Yes, they are! We are working on a KB article to explain how to configure it, but in the meantime, I can DM you an example power-user config that should work.
@Alta-Jeff Please DM me too! Thanks.
I did message you privately, can you let me know if you don’t see it?
-Jeff
Can you also DM me the config @Alta-Jeff
Thanks!
Sure @benmott
I’ve written a guide on it, not sure what the rules on this forum are for posting links. But if you DM me I can send it to you as well.
Don’t know how to DM here. Would you be able to send it to me?
@Alta-Jeff, since March 19th my Alta APs have not allowed any connections to Google Orion. Is there an issue with the Radsec proxy?
Can you look at logs from the AP? It’s also worth reaching out to Google directly, as I’m unaware of any issues on our end, but I know they were planning on enforcing a stricter certificate policy.
Having the same issue. March 19th stopped checking in with Google
Logs look like there is a cert issue: @Alta-Jeff any ideas?
May 2 00:23:40 OpenWrt daemon.warn radsecproxy[2746]: verify error: num=2:unable to get issuer certificate:depth=4:CN=Buttonwood Radsec CA,O=Buttonwood,C=US
May 2 00:23:40 OpenWrt daemon.warn radsecproxy[2746]: Issuer=CN=openroaming.org,OU=Openroaming,O=Cisco Systems, Inc.,L=San Jose,ST=California,C=US
May 2 00:23:40 OpenWrt daemon.err radsecproxy[2746]: tlsconnect: SSL connect to 216.239.32.91 failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
May 2 00:23:40 OpenWrt daemon.err radsecproxy[2746]: tlsconnect: SSL connect to 216.239.32.91 (216.239.32.91 port 2083) failed
Google may have updated their CA certificates. Can you download their bundle and set it up again?
-Jeff
I updated the certificates from the Orion bundle and still have this error. I updated the bw.radsec…., OpenRoaming, cert, and key entries since it created a new set while generating. Are those all the Orion entries, or are some your custom certificates? There are a few other certificates listed in the config but I didn’t change those.
None of those certificates are related to our infrastructure at all - it is purely Google infrastructure (and it looks like they are leveraging openroaming, etc.)
You’ll want to make sure that you only include the certificates that come in their latest bundle, nothing old. Also make sure that they are included in the same order they would be included in an ASCII-sorted order (i.e. if the cert name is 0.pem, then it would go before a.pem, etc.)
I did get this working again. You’ll have to enter your own certs and keys of course.
{
  "radsec": {
    "tls": {
      "default": {
        "cacerts": {
          "0de90ce2.0": "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----",
          "238d1594.0": "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----",
          "572c865c.0": "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----",
          "e9f4548c.0": "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----",
          "bw.radsec.cacert.pem": "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----",
          "openroaming.root.cacert.pem": "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----"
        },
        "cert": "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----",
        "key": "-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----"
      }
    },
    "realms": {
      "*": {
        "servers": [ "216.239.34.91" ],
        "tls": "default"
      }
    }
  },
  "hostapd": "
hs20=1
disable_dgaf=1
hs20_oper_friendly_name=eng:Orion
interworking=1
access_network_type=2
internet=1
roaming_consortium=F4F5E8F5F4
anqp_3gpp_cell_net=310,410;310,280;310,150;313,100
radius_acct_interim_interval=300
venue_name=eng:XXXXXX
nas_identifier=XXXXXX
domain_name=orionwifi.com
"
}
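An added example, not part of any post in this thread and not Alta Labs or Google code: a small Python script that reads the radsecproxy lines quoted earlier to name the certificate whose issuer is missing from the CA set, and lists `cacerts` entry names in the ASCII order Jeff describes. The function names are illustrative assumptions; the log lines and entry names are copied from the thread.

```python
import re

# Log lines copied from the thread (radsecproxy on the AP).
LOG = """\
May 2 00:23:40 OpenWrt daemon.warn radsecproxy[2746]: verify error: num=2:unable to get issuer certificate:depth=4:CN=Buttonwood Radsec CA,O=Buttonwood,C=US
May 2 00:23:40 OpenWrt daemon.warn radsecproxy[2746]: Issuer=CN=openroaming.org,OU=Openroaming,O=Cisco Systems, Inc.,L=San Jose,ST=California,C=US
May 2 00:23:40 OpenWrt daemon.err radsecproxy[2746]: tlsconnect: SSL connect to 216.239.32.91 failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
"""

VERIFY = re.compile(r"radsecproxy\[\d+\]: verify error: num=(\d+):([^:]+):depth=(\d+):(.+)$")
ISSUER = re.compile(r"radsecproxy\[\d+\]: Issuer=(.+)$")

def missing_issuers(log_text):
    """Pair each 'verify error' line with the 'Issuer=' line that follows it."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = VERIFY.search(line)
        if m:
            pending = {"num": int(m[1]), "reason": m[2], "depth": int(m[3]),
                       "subject": m[4], "issuer": None}
            findings.append(pending)
            continue
        m = ISSUER.search(line)
        if m and pending is not None:
            pending["issuer"] = m[1]   # the CA that must be present in cacerts
            pending = None
    return findings

def ascii_order(names):
    """Return names in byte-wise ASCII order (digits sort before lowercase letters)."""
    return sorted(names, key=lambda n: n.encode("ascii"))

# cacerts entry names as they appear in the config posted in the thread.
CACERT_NAMES = ["0de90ce2.0", "238d1594.0", "572c865c.0", "e9f4548c.0",
                "bw.radsec.cacert.pem", "openroaming.root.cacert.pem"]

if __name__ == "__main__":
    for f in missing_issuers(LOG):
        print(f"depth {f['depth']}: {f['subject']!r} needs issuer {f['issuer']!r} in cacerts")
    print("ASCII order:", ascii_order(CACERT_NAMES))
```

For the quoted log, the finding says the chain broke at depth 4 because no certificate with the `CN=openroaming.org` subject was available to verify the Buttonwood Radsec CA.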
Hi isaac, WayFi Wireless is another option that supports 250+ carriers worldwide including paid offload like Orion and they support the AP6’s.