Upgrade to SecurePass: Seamless, form-free WiFi
While configuring your hardware, enable SecurePass to unlock automatic, WPA3-secured roaming. It eliminates captive portal friction for your visitors and ensures they auto-connect at your venue and 80,000+ locations worldwide.
Overview
There are two methods to configure the Aruba APs. The first is via Aruba Central, a cloud-based service from which you can configure and deploy the APs. The second is via the web-based interface (GUI) that sits on the controller itself. Both methods are described below.
Configuring via Aruba Central
Log in to your Aruba Central application.
Select your Group at the top left, and then click Devices > Access Points. Click the Configure icon at the top right.
Under WLANs click on Add SSID and configure as per below:
| Name (SSID): | Guest WiFi |
| Band: | Choose as required |
Click Next and configure with the following:
| Client IP Assignment: | Choose as required |
| Client VLAN Assignment: | Choose as required |
Click Next and configure with the following:
| Security Level: | Visitors |
| Type: | External Captive Portal |
Under Captive Portal Profile click + to add new and configure with the following:
| Name: | guestwifi |
| Type: | Radius Authentication |
| IP or Hostname: | *insert access_domain here* |
| URL: | /access/ |
| Port: | 443 |
| Use HTTPS: | Yes |
| Captive Portal Failure: | Deny Internet |
| Automatic URL Whitelisting: | Disabled |
| Use VC in Redirect URL: | Enabled |
| Redirect URL: | *insert redirect_url here* |
Click OK to Save.
Under Primary Server click + to add new and configure with the following:
| Name: | guestwifi-radius1 |
| Type: | Radius Authentication |
| IP Address/FQDN: | *insert radius_server here* |
| Shared Key: | *insert radius_secret here* |
| Retype Key: | *insert radius_secret here* |
| Auth Port: | 1812 |
| Accounting Port: | 1813 |
| Service Type Framed User: | MAC/Captive Portal |
| Dynamic Authorization: | Enabled |
| AirGroup CoA Port: | 3799 |
Click OK to Save.
Under Secondary Server click + to add new and configure with the following:
| Name: | guestwifi-radius2 |
| Type: | Radius Authentication |
| IP Address/FQDN: | *insert radius_server2 here* |
| Shared Key: | *insert radius_secret here* |
| Retype Key: | *insert radius_secret here* |
| Auth Port: | 1812 |
| Accounting Port: | 1813 |
| Service Type Framed User: | MAC/Captive Portal |
| Dynamic Authorization: | Enabled |
| AirGroup CoA Port: | 3799 |
Click OK to Save. Configure:
| Encryption: | Disabled |
| Key Management: | Open |
Under Advanced Settings
| Called Station ID Type: | MAC Address |
| Called Station ID Include SSID: | Enabled |
| Accounting: | Use authentication servers |
| Accounting Interval: | 4 min |
| Walled Garden: | Under Allowlist click + Add and enter the required domains, one by one. Please refer to this list. |
| Delimiter Character: | - |
Click Next and configure with the following:
| Access rules: | Role Based |
Under Roles click Add Role and then configure with the following:
| Name: | Preauth |
Click OK to Save.
Next, click on the Preauth role on the left and then edit the default rule named "Allow any to all destinations". Under Destination change "All destinations" to "To A Domain Name" and set: *insert access_domain here*.
Click OK to save.
You will now need to add a new rule for each of the domains you added to the Walled Garden list earlier, i.e.:
| Access Control / Network / Any / Allow / To a Domain Name: | *insert access_domain here* |
Click OK for each one and then add the next until all are listed.
Finally, add the following rule:
| Access Control / Network / Any / Deny / To All Destinations |
Ensure the Deny rule is at the end of the list.
Finally, configure the following:
| Assign Pre-Authentication Role: | Preauth |
Click Finish to complete the setup.
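The Preauth role built above only works if every walled garden domain has its own allow rule and the Deny rule comes last. The following check is an added example, not part of the original guide or of any Aruba tooling: it models the role as an ordered list, assuming rules are read top-down with the first match winning, and the `Rule` type, function names and `example.net` domains are constructed for illustration.

```python
from typing import NamedTuple

ANY = "*"  # stands for "To All Destinations" in this constructed model


class Rule(NamedTuple):
    action: str       # "allow" or "deny"
    destination: str  # a domain name, or ANY


def first_match(rules, host):
    """Action applied to host when rules are read top-down and the first match wins."""
    host = host.lower()
    for rule in rules:
        dest = rule.destination.lower()
        # Assumption: a domain rule also covers its subdomains.
        if dest == ANY or host == dest or host.endswith("." + dest):
            return rule.action
    return "deny"  # assumption: unmatched traffic is dropped


def lint_preauth(rules, walled_garden):
    """Return a list of findings for an ordered Preauth rule list."""
    findings = []
    if not rules or rules[-1] != Rule("deny", ANY):
        findings.append("last rule is not 'deny to all destinations'")
    for pos, rule in enumerate(rules[:-1], start=1):
        if rule.destination == ANY:
            findings.append(f"rule {pos}: '{rule.action} all' shadows the rules below it")
    for domain in walled_garden:
        if first_match(rules, domain) != "allow":
            findings.append(f"{domain}: walled garden domain is blocked before login")
    garden = {d.lower() for d in walled_garden}
    for rule in rules:
        if rule.action == "allow" and rule.destination.lower() not in garden | {ANY}:
            findings.append(f"{rule.destination}: allowed before login, not in the walled garden")
    return findings


# Constructed sample data (placeholder domains, not Purple's real list).
GARDEN = ["access.example.net", "cdn.example.net"]
GOOD = [Rule("allow", "access.example.net"), Rule("allow", "cdn.example.net"), Rule("deny", ANY)]
MISORDERED = [Rule("allow", "access.example.net"), Rule("deny", ANY), Rule("allow", "cdn.example.net")]
UNEDITED_DEFAULT = [Rule("allow", ANY)]

if __name__ == "__main__":
    for name, rules in [("good", GOOD), ("misordered", MISORDERED), ("default", UNEDITED_DEFAULT)]:
        print(name, lint_preauth(rules, GARDEN) or "ok")
```

Here `walled_garden` is the full set of domains that must be reachable before login, including the access domain. The `UNEDITED_DEFAULT` case shows what is left if the default "Allow any to all destinations" rule is never edited: unauthenticated clients reach everything.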
Secure Wireless Configuration - PurpleConnex (Central)
Log in to your Aruba Central application.
Select your Group at the top left, and then click Devices > Access Points. Click the Configure icon at the top right.
Under WLANs click on Add SSID and configure as per below:
| Name (SSID): | PurpleConnex |
| Band: | Choose as required |
Click Next and configure with the following:
| Client IP Assignment: | Choose as required |
| Client VLAN Assignment: | Choose as required |
Click Next and configure with the following:
| Security Level: | Enterprise |
| Key Management: | WPA2-Enterprise |
| Server Group: | Primary and Backup only |
Under Primary Server click + to add new and configure with the following:
| Name: | securewifi-radius1 |
| Server Type: | RADIUS |
| Radsec: | Enabled |
| IP Address/FQDN: | rad1-secure.purple.ai |
| Radsec Port: | 2083 |
Click OK to Save.
Under Secondary Server click + to add new and configure with the following:
| Name: | securewifi-radius2 |
| Server Type: | Radius Authentication |
| Radsec: | Enabled |
| IP Address/FQDN: | rad2-secure.purple.ai |
| Radsec Port: | 2083 |
Click OK to Save. Under Advanced Settings configure with:
| Called Station ID Type: | MAC Address |
| Called Station ID Include SSID: | Enabled |
| Accounting: | Use authentication servers |
| Accounting Interval: | 4 min |
Passpoint Service Profile
Click Manage Passpoint Services and then Add Profile.
Under Access Network configure with:
| Name: | securewifi |
| Domain Name: | securewifi.purple.ai |
| Internet: | Enabled |
| Operator Friendly Name: | Purple |
| Radius Location Data: | Enabled |
| Network Type: | free-public |
| IPv4: | public |
| Venue Name: | (whatever you wish) |
Under Identity Provider > NAI Realms click Add. Configure with:
| Realm Name: | securewifi.purple.ai |
| Home Realm: | Enabled |
| EAP Method 1: | eap-ttls |
| Authentication param 1: | Click Add and set: ID: non-eap-inner-auth, Value: non-eap-pap |
Click Save and then close the Add Profile dialogue. Select the securewifi profile you just created under the Passpoint Server Profile select box.
Click Next and configure with the following:
| Access rules: | Unrestricted |
Click Next and then Finish to Save.
Configuring via Aruba Controller GUI
Start by logging into your Aruba Controller web interface.
WLAN
Click Configure > WLANs on the left and then click the + sign to add a new WLAN. Configure with:
| Name (SSID): | Guest WiFi (or whatever you wish) |
| Primary Usage: | Guest |
| Forwarding Mode: | Tunnel |
Click Next and configure with:
| VLAN: | 1 (or whatever you use) |
Click Next and configure with:
| Is this WLAN for internal or guest? | Guest |
Click Next and configure with:
| Captive Portal Type: | ClearPass or other external Captive Portal |
Under Auth servers click + then + again to create a new server. Configure with:
| Server type: | RADIUS |
| Name: | guest1 |
| IP Address: | *insert radius_server here* |
| Auth port: | 1812 |
| Accounting port: | 1813 |
| Shared key: | *insert radius_secret here* |
| Retype key: | as above |
| Timeout: | 5 |
Click Submit and then + again. Configure with:
| Server type: | RADIUS |
| Name: | guest2 |
| IP Address: | *insert radius_server2 here* |
| Auth port: | 1812 |
| Accounting port: | 1813 |
| Shared key: | *insert radius_secret here* |
| Retype key: | as above |
| Timeout: | 5 |
Click Submit and then configure the further options with:
| Host addressing: | IPv4 |
| Host: | *insert access_domain here* |
| Page: | /access/ |
Click Next and then Next again to complete the wizard.
Firewall
Next, click Roles & Policies on the left. Select the Aliases tab and click +. Configure with:
| IP Version: | IPv4 |
| Name: | guestwifi |
Under Items click + and add the required domains as per below. Please refer to this list.
| Rule Type: | Name |
| Domain Name: | *insert domain here* |
Click + again and do the same for all required domains.
Click Submit to save.
Captive Portal/RADIUS
Next, click Authentication on the left. Select the L3 Authentication tab and then click the Guest WiFi-cppm_prof entry. Configure with:
| Default Role: | guest |
| Default Guest Role: | guest |
| Redirect Pause: | 0 |
| User Login: | Enabled |
| Guest Login: | Disabled |
| Logout popup window: | Disabled |
| Use HTTP for authentication: | Enabled |
| Logon wait minimum wait: | 1 |
| Logon wait maximum wait: | 10 |
| Authentication Protocol: | PAP |
| Login page: | *insert access_url here* |
| Welcome page: | *insert redirect_url here* |
| Show Welcome page: | Enabled |
| Add switch IP in redirection URL: | Enabled |
| Adding APs MAC address in redirection URL: | Enabled |
| White List: | Add guestwifi from the list |
Click Submit to save. Next, select the AAA Profiles tab and click on Guest WiFi-aaa_prof. Configure with:
| Initial role: | Guest WiFi-guest-logon |
| RADIUS Interim Accounting: | Enabled |
Click Submit to save. Next, click on the RADIUS Accounting Server Group and configure with:
| RADIUS Accounting Server Group: | Guest WiFi-dot1_svg |
Click Submit to save. Next, select the Auth Servers tab and then All Servers > guest1. Leave all settings as they are except:
| Mode: | Enabled |
| MAC address delimiter: | Dash |
| Station ID Type: | AP MAC address |
| Station ID Delimiter: | Dash |
| Include SSID: | Enabled |
Click Submit to save and then do the same for the guest2 server.
Finally, click Pending Changes at the top and apply changes.
Secure Wireless Configuration - PurpleConnex (Controller)
Start by logging into your Aruba Controller web interface.
Click on Configuration > Authentication on the left menu. Click + under All Servers and configure with:
| Server type: | RADIUS |
| Name: | guest1-secure |
| IP Address: | rad1-secure.purple.ai |
| Auth port: | 1812 |
| Accounting port: | 1813 |
| Shared key: | *insert radius_secret here* |
| Retype key: | as above |
| Timeout: | 5 |
Click Submit and then + again. Configure with:
| Server type: | RADIUS |
| Name: | guest2-secure |
| IP Address: | rad2-secure.purple.ai |
| Auth port: | 1812 |
| Accounting port: | 1813 |
| Shared key: | *insert radius_secret here* |
| Retype key: | as above |
| Timeout: | 5 |
Click Submit. Under Advanced Settings configure with:
| Called Station ID Type: | MAC Address |
| Called Station ID Include SSID: | Enabled |
| Accounting: | Use authentication servers |
| Accounting Interval: | 4 min |
Click Configure > WLANs on the left and then click the + sign to add a new WLAN. Configure with:
| Name (SSID): | PurpleConnex |
| Forwarding Mode: | Tunnel |
Click Next and configure with:
| VLAN: | 1 (or whatever you use) |
Click Next and configure with:
| Key Management: | WPA2-Enterprise |
| Auth Servers: | Click + and select guest1-secure and guest2-secure |
Click Next and configure with:
| Default Role: | allow-all |
Click Finish. Next, click Configuration > System on the left. Click Profiles at the top and then the + next to Wireless LAN.
Scroll to ANQP Domain Name and click +. Configure with:
| Profile Name: | Purple-Domain |
| Domain Names: | securewifi.purple.ai |
Click Submit.
Scroll to ANQP NAI Realm and click +. Configure with:
| Profile Name: | Purple-Realm |
| Realm 1: | securewifi.purple.ai |
| EAP Method: | EAP-TTLS |
| Credential: | Username/Password |
Click Submit.
Scroll to ANQP Advertisement Profile and click +. Configure with:
| Profile Name: | Purple-AP |
Click Submit.
Next, go to Wireless LAN > Advertisement and click +. Beside the Purple-AP profile, click + and then assign the following:
| ANQP Domain Name: | Purple-Domain |
| ANQP NAI Realm: | Purple-Realm |
Click OK then Submit.
Next, go to Wireless LAN > Hotspot 2.0 and click +. Configure with:
| Profile Name: | Purple-HS20 |
| Advertise Hotspot 2.0: | Enabled |
| Access Network Type: | Free public network |
| Venue Type: | Select the closest venue industry from the list |
Click Submit.
Next, go to Wireless LAN > Hotspot 2.0. Beside the Purple-HS20 profile, click + and then select Purple-AP from the Advertisement dropdown.
Next, go to Wireless LAN > Virtual AP. Beside the profile you wish to use, click + and then select Purple-HS20 from the Hotspot 2.0 dropdown.
Finally, click Pending Changes at the top and apply changes.