Overview
There are two ways to configure the Aruba APs. The first is Aruba Central, a cloud-based service from which you configure and deploy them. The second is the web-based interface (GUI) on the controller itself. Both methods are described below.
Configuring via Aruba Central
Log in to your Aruba Central application.
Select your Group at the top left, and then click Devices > Access Points. Click the Configure icon at the top right.
Under WLANs click on Add SSID and configure as per below:
Name (SSID): | Guest WiFi |
Band: | Choose as required |
Click Next and configure with the following:
Client IP Assignment: | Choose as required |
Client VLAN Assignment: | Choose as required |
Click Next and configure with the following:
Security Level: | Visitors |
Type: | External Captive Portal |
Under Captive Portal Profile click + to add new and configure with the following:
Name: | guestwifi |
Type: | Radius Authentication |
IP or Hostname: | *insert access_domain here* |
URL: | /access/ |
Port: | 443 |
Use HTTPS: | Yes |
Captive Portal Failure: | Deny Internet |
Automatic URL Whitelisting: | Disabled |
Use VC in Redirect URL: | Enabled |
Redirect URL: | *insert redirect_url here* |
Click OK to Save.
Under Primary Server click + to add new and configure with the following:
Name: | guestwifi-radius1 |
Type: | Radius Authentication |
IP Address/FQDN: | *insert radius_server here* |
Shared Key: | *insert radius_secret here* |
Retype Key: | *insert radius_secret here* |
Auth Port: | 1812 |
Accounting Port: | 1813 |
Service Type Framed User: | MAC/Captive Portal |
Dynamic Authorization: | Enabled |
AirGroup CoA Port: | 3799 |
Click OK to Save.
Under Secondary Server click + to add new and configure with the following:
Name: | guestwifi-radius2 |
Type: | Radius Authentication |
IP Address/FQDN: | *insert radius_server2 here* |
Shared Key: | *insert radius_secret here* |
Retype Key: | *insert radius_secret here* |
Auth Port: | 1812 |
Accounting Port: | 1813 |
Service Type Framed User: | MAC/Captive Portal |
Dynamic Authorization: | Enabled |
AirGroup CoA Port: | 3799 |
Click OK to Save. Configure:
Encryption: | Disabled |
Key Management: | Open |
Under Advanced Settings
Called Station ID Type: | MAC Address |
Called Station ID Include SSID: | Enabled |
Accounting: | Use authentication servers |
Accounting Interval: | 4 min |
Walled Garden: | Under Allowlist click + Add and enter the required domains, one by one. Please refer to this list. |
Click Next and configure with the following:
Access rules: | Role Based |
Under Roles click Add Role and then configure with the following:
Name: | Preauth |
Click OK to Save.
Next, click on the Preauth role on the left and then edit the default rule named "Allow any to all destinations". Under Destination change "All destinations" to "To A Domain Name" and set: *insert access_domain here*.
Click OK to save.
You will now need to add a new rule for each of the domains you added to the Walled Garden list earlier, for example:
Access Control / Network / Any / Allow / To a Domain Name: | *insert access_domain here* |
Click OK for each one and then add the next until all are listed.
Finally, add the following rule:
Access Control / Network / Any / Deny / To All Destinations |
Ensure the Deny rule is at the end of the list.
Finally, configure the following:
Assign Pre-Authentication Role: | Preauth |
Click Finish to complete the setup.
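The Preauth role built above only works as a walled garden if every required domain has an allow rule and the deny rule comes last. The following check is an added example, not part of the vendor's procedure or tooling: it assumes rules are matched top-down with the first match winning, and the rule tuples and domain names are constructed placeholders.

```python
# Added example (not vendor code). Assumption: rules are matched top-down, first match wins.
# Rule = (action, destination); destination is a domain name or "any".

def audit_preauth(rules, required_domains):
    """Return a list of findings; an empty list means the role matches the procedure."""
    findings = []
    reachable_allows = set()
    deny_any_at = None  # 1-based position of the first deny-any rule
    for pos, (action, dest) in enumerate(rules, start=1):
        dest = dest.lower()
        if deny_any_at is not None:
            # Anything listed after deny-any can never match.
            findings.append(
                f"rule {pos} ({action} {dest}) is shadowed by deny-any at rule {deny_any_at}")
        elif (action, dest) == ("deny", "any"):
            deny_any_at = pos
        elif (action, dest) == ("allow", "any"):
            # The default rule was never narrowed to a domain name.
            findings.append(f"rule {pos} still allows all destinations before login")
        elif action == "allow":
            reachable_allows.add(dest)
    if deny_any_at is None:
        findings.append("no deny-any rule in the list")
    for domain in required_domains:
        if domain.lower() not in reachable_allows:
            findings.append(f"{domain} has no reachable allow rule")
    return findings

# Constructed sample data: placeholder domains, not values from this guide.
REQUIRED = ["portal.example.net", "cdn.example.net"]
AS_DOCUMENTED = [("allow", "portal.example.net"), ("allow", "cdn.example.net"),
                 ("deny", "any")]
DENY_TOO_EARLY = [("allow", "portal.example.net"), ("deny", "any"),
                  ("allow", "cdn.example.net")]
DEFAULT_ROLE = [("allow", "any")]

if __name__ == "__main__":
    for name, rules in [("as documented", AS_DOCUMENTED),
                        ("deny too early", DENY_TOO_EARLY),
                        ("default role", DEFAULT_ROLE)]:
        print(name, "->", audit_preauth(rules, REQUIRED) or "OK")
```

Pass the captive portal domain together with the Walled Garden domains as `required_domains`, since the procedure gives each of them its own allow rule.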
Configuring via Aruba Controller GUI
Start by logging into your Aruba Controller web interface.
WLAN
Click Configure > WLANs on the left and then click the + sign to add a new WLAN. Configure with:
Name (SSID): | Guest WiFi (or whatever you wish) |
Primary Usage: | Guest |
Forwarding Mode: | Tunnel |
Click Next and configure with:
VLAN: | 1 (or whatever you use) |
Click Next and configure with:
Is this WLAN for internal or guest? | Guest |
Click Next and configure with:
Captive Portal Type: | ClearPass or other external Captive Portal |
Under Auth servers click + then + again to create a new server. Configure with:
Server type: | RADIUS |
Name: | guest1 |
IP Address: | *insert radius_server here* |
Auth port: | 1812 |
Accounting port: | 1813 |
Shared key: | *insert radius_secret here* |
Retype key: | as above |
Timeout: | 5 |
Click Submit and then + again. Configure with:
Server type: | RADIUS |
Name: | guest2 |
IP Address: | *insert radius_server2 here* |
Auth port: | 1812 |
Accounting port: | 1813 |
Shared key: | *insert radius_secret here* |
Retype key: | as above |
Timeout: | 5 |
Click Submit and then configure the further options with:
Host addressing: | IPv4 |
Host: | *insert access_domain here* |
Page: | /access/ |
Click Next and then Next again to complete the wizard.
Firewall
Next, click Roles & Policies on the left. Select the Aliases tab and click +. Configure with:
IP Version: | IPv4 |
Name: | guestwifi |
Under Items click + and add the required domains as per below. Please refer to this list.
Rule Type: | Name |
Domain Name: | *insert domain here* |
Click + again and do the same for all required domains.
Click Submit to save.
Captive Portal/RADIUS
Next, click Authentication on the left. Select the L3 Authentication tab and then click the Guest WiFi-cppm_prof entry. Configure with:
Default Role: | guest |
Default Guest Role: | guest |
Redirect Pause: | 0 |
User Login: | Enabled |
Guest Login: | Disabled |
Logout popup window: | Disabled |
Use HTTP for authentication: | Enabled |
Logon wait minimum wait: | 1 |
Logon wait maximum wait: | 10 |
Authentication Protocol: | PAP |
Login page: | *insert access_url here* |
Welcome page: | *insert redirect_url here* |
Show Welcome page: | Enabled |
Add switch IP in redirection URL: | Enabled |
Adding APs MAC address in redirection URL: | Enabled |
White List: | Add guestwifi from the list |
Click Submit to save. Next, select the AAA Profiles tab and click on Guest WiFi-aaa_prof. Configure with:
Initial role: | Guest WiFi-guest-logon |
RADIUS Interim Accounting: | Enabled |
Click Submit to save. Next, click on the RADIUS Accounting Server Group and configure with:
RADIUS Accounting Server Group: | Guest WiFi-dot1_svg |
Click Submit to save. Next, select the Auth Servers tab and then All Servers > guest1. Leave all settings as they are except:
Mode: | Enabled |
MAC address delimiter: | Dash |
Station ID Type: | AP MAC address |
Station ID Delimiter: | Dash |
Include SSID: | Enabled |
Click Submit to save and then do the same for the guest2 server.
Finally, click Pending Changes at the top and apply changes.
Secure WLAN Configuration
Log in to your Aruba Central application.
Select your Group at the top left, and then click Devices > Access Points. Click the Configure icon at the top right.
Under WLANs click on Add SSID and configure as per below:
Name (SSID): | SecurePass |
Band: | Choose as required |
Click Next and configure with the following:
Client IP Assignment: | Choose as required |
Client VLAN Assignment: | Choose as required |
Click Next and configure with the following:
Security Level: | Enterprise |
Key Management: | WPA2-Enterprise |
Server Group: | Primary and Backup only |
Under Primary Server click + to add new and configure with the following:
Name: | securewifi-radius1 |
Server Type: | RADIUS |
Radsec: | Enabled |
IP Address/FQDN: | rad1-secure.purple.ai |
Radsec Port: | 2083 |
Click OK to Save.
Under Secondary Server click + to add new and configure with the following:
Name: | guestwifi-radius2 |
Server Type: | Radius Authentication |
Radsec: | Enabled |
IP Address/FQDN: | rad2-secure.purple.ai |
Radsec Port: | 2083 |
Click OK to Save. Configure:
Encryption: | Disabled |
Key Management: | Open |
Under Advanced Settings
Called Station ID Type: | MAC Address |
Called Station ID Include SSID: | Enabled |
Accounting: | Use authentication servers |
Accounting Interval: | 4 min |
Walled Garden: | Under Allowlist click + Add and enter the required domains, one by one. Please refer to this list. |
Passpoint Service Profile
Click Manage Passpoint Services and then Add Profile.
Under Access Network configure with:
Name: | securewifi |
Domain Name: | securewifi.purple.ai |
Internet: | Enabled |
Operator Friendly Name: | Purple |
Radius Location Data: | Enabled |
Network Type: | free-public |
IPv4: | public |
Venue Name: | (whatever you wish) |
Under Identity Provider > NAI Realms click Add. Configure with:
Realm Name: | securewifi.purple.ai |
Home Realm: | Enabled |
EAP Method 1: | eap-ttls |
Authentication param 1: | Click Add and set ID: non-eap-inner-auth, Value: non-eap-pap |
Under Roaming Consortium configure with:
Roaming Consortium OI 1: | 5A03BA0000 |
Roaming Consortium OI 2: | 004096 |
Click Save and then close the Add Profile dialogue. Select the securewifi profile you just created in the Passpoint Server Profile select box.
Click Next and configure with the following:
Access rules: | Unrestricted |
Click Next and then Finish to Save.
Configuration Complete
The configuration is now complete.