Aruba (Controller-based)

Overview

There are two methods to configure the Aruba APs. The first is via Aruba Central, a cloud-based service where you can configure and deploy. The second is via the web-based interface (GUI) that sits on the controller itself. Both methods are described below.

Configuring via Aruba Central

Log in to your Aruba Central application.

Select your Group at the top left, and then click Devices > Access Points. Click the Configure icon at the top right.

Under WLANs click on Add SSID and configure as per below:

Name (SSID): Guest WiFi
Band: Choose as required

Click Next and configure with the following:

Client IP Assignment: Choose as required
Client VLAN Assignment: Choose as required

Click Next and configure with the following:

Security Level: Visitors
Type: External Captive Portal

Under Captive Portal Profile click + to add new and configure with the following:

Name: guestwifi
Type: Radius Authentication
IP or Hostname: *insert access_domain here*
URL: /access/
Port: 443
Use HTTPS: Yes
Captive Portal Failure: Deny Internet
Automatic URL Whitelisting: Disabled
Use VC in Redirect URL: Enabled
Redirect URL: *insert redirect_url here*

Click OK to Save.

Under Primary Server click + to add new and configure with the following:

Name: guestwifi-radius1
Type: Radius Authentication
IP Address/FQDN: *insert radius_server here*
Shared Key: *insert radius_secret here*
Retype Key: *insert radius_secret here*
Auth Port: 1812
Accounting Port: 1813
Service Type Framed User: MAC/Captive Portal
Dynamic Authorization: Enabled
AirGroup CoA Port: 3799

Click OK to Save.

Under Secondary Server click + to add new and configure with the following:

Name: guestwifi-radius2
Type: Radius Authentication
IP Address/FQDN: *insert radius_server2 here*
Shared Key: *insert radius_secret here*
Retype Key: *insert radius_secret here*
Auth Port: 1812
Accounting Port: 1813
Service Type Framed User: MAC/Captive Portal
Dynamic Authorization: Enabled
AirGroup CoA Port: 3799

Click OK to Save. Configure:

Encryption: Disabled
Key Management: Open

Under Advanced Settings

Called Station ID Type: MAC Address
Called Station ID Include SSID: Enabled
Accounting: Use authentication servers
Accounting Interval: 4 min
Walled Garden: Under Allowlist click + Add and enter the required domains, one by one. Please refer to this list.

Click Next and configure with the following:

Access rules: Role Based

Under Roles click Add Role and then configure with the following:

Name: Preauth

Click OK to Save.

Next, click on the Preauth role on the left and then edit the default rule named "Allow any to all destinations". Under Destination change "All destinations" to "To A Domain Name" and set: *insert access_domain here*.

Click OK to save.

You will now need to add a new rule for each of the domains you added to the Walled Garden list earlier, for example:

Access Control / Network / Any / Allow / To a Domain Name: *insert access_domain here*

Click OK after each rule and then add the next until all are listed.

Finally, add the following rule:

Access Control / Network / Any / Deny / To All Destinations

Ensure the Deny rule is at the end of the list.

Finally, configure the following:

Assign Pre-Authentication Role: Preauth


Click Finish to complete the setup.
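The Preauth role built above only restricts unauthenticated clients if every required domain has its own allow rule and the Deny rule really is last. The following is an added example, not Purple or Aruba code, that audits an ordered rule list for those conditions; the Rule type and the sample domains are constructed placeholders, and it assumes rules are evaluated top-down with the first match winning.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    action: str       # "allow" or "deny"
    destination: str  # a domain name, or "all" for "To All Destinations"

DENY_ALL = Rule("deny", "all")

def _norm(domain):
    # Compare domains case-insensitively and ignore a trailing dot.
    return domain.strip().lower().rstrip(".")

def audit_preauth(rules, required_domains):
    """Return findings for an ordered rule list; an empty list means it matches the guide.

    Assumption: rules are evaluated top-down and the first match wins."""
    findings = []
    if not rules or rules[-1] != DENY_ALL:
        findings.append("last rule is not Deny / To All Destinations")
    # Index of the first catch-all deny; anything after it can never match.
    first_deny = rules.index(DENY_ALL) if DENY_ALL in rules else len(rules)
    effective = set()
    for pos, rule in enumerate(rules, start=1):
        if rule.action != "allow":
            continue
        if pos - 1 > first_deny:
            findings.append(f"rule {pos}: allow {rule.destination} is shadowed by the deny rule above it")
        elif rule.destination == "all":
            findings.append(f"rule {pos}: default allow-all rule was not narrowed to a domain")
        else:
            effective.add(_norm(rule.destination))
    required = {_norm(d) for d in required_domains}
    findings += [f"{d}: required domain has no effective allow rule" for d in sorted(required - effective)]
    findings += [f"{d}: allowed before login but not on the required list" for d in sorted(effective - required)]
    return findings

# Constructed sample data (placeholder domains, not Purple's real list).
REQUIRED = ["portal.example.test", "cdn.example.test"]
GOOD = [Rule("allow", "portal.example.test"), Rule("allow", "cdn.example.test"), DENY_ALL]
MISORDERED = [Rule("allow", "portal.example.test"), DENY_ALL, Rule("allow", "cdn.example.test")]
UNEDITED = [Rule("allow", "all"), DENY_ALL]

if __name__ == "__main__":
    for name, rules in [("GOOD", GOOD), ("MISORDERED", MISORDERED), ("UNEDITED", UNEDITED)]:
        print(name, audit_preauth(rules, REQUIRED) or "ok")
```

The required list passed in should contain the access domain plus every domain entered in the Walled Garden allowlist.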

Configuring via Aruba Controller GUI

Start by logging into your Aruba Controller web interface.

WLAN

Click Configure > WLANs on the left and then click the + sign to add a new WLAN. Configure with:

Name (SSID): Guest WiFi (or whatever you wish)
Primary Usage: Guest
Forwarding Mode: Tunnel

Click Next and configure with:

VLAN: 1 (or whatever you use)

Click Next and configure with:

Is this WLAN for internal or guest? Guest

Click Next and configure with:

Captive Portal Type: ClearPass or other external Captive Portal

Under Auth servers click + then + again to create a new server. Configure with:

Server type: RADIUS
Name: guest1
IP Address: *insert radius_server here*
Auth port: 1812
Accounting port: 1813
Shared key: *insert radius_secret here*
Retype key: as above
Timeout: 5

Click Submit and then + again. Configure with:

Server type: RADIUS
Name: guest2
IP Address: *insert radius_server2 here*
Auth port: 1812
Accounting port: 1813
Shared key: *insert radius_secret here*
Retype key: as above
Timeout: 5

Click Submit and then configure the further options with:

Host addressing: IPv4
Host: *insert access_domain here*
Page: /access/

Click Next and then Next again to complete the wizard.

Firewall

Next, click Roles & Policies on the left. Select the Aliases tab and click +. Configure with:

IP Version: IPv4
Name: guestwifi

Under Items click + and add the required domains as per below. Please refer to this list.

Rule Type: Name
Domain Name: *insert domain here*

Click + again and do the same for all required domains.

Click Submit to save.

Captive Portal/RADIUS

Next, click Authentication on the left. Select the L3 Authentication tab and then click the Guest WiFi-cppm_prof entry. Configure with:

Default Role: guest
Default Guest Role: guest
Redirect Pause: 0
User Login: Enabled
Guest Login: Disabled
Logout popup window: Disabled
Use HTTP for authentication: Enabled
Logon wait minimum wait: 1
Logon wait maximum wait: 10
Authentication Protocol: PAP
Login page: *insert access_url here*
Welcome page: *insert redirect_url here*
Show Welcome page: Enabled
Add switch IP in redirection URL: Enabled
Adding APs MAC address in redirection URL: Enabled
White List: Add guestwifi from the list

Click Submit to save. Next, select the AAA Profiles tab and click on Guest WiFi-aaa_prof. Configure with:

Initial role: Guest WiFi-guest-logon
RADIUS Interim Accounting: Enabled

Click Submit to save. Next, click on the RADIUS Accounting Server Group and configure with:

RADIUS Accounting Server Group: Guest WiFi-dot1_svg

Click Submit to save. Next, select the Auth Servers tab and then All Servers > guest1. Leave all settings as they are except:

Mode: Enabled
MAC address delimiter: Dash
Station ID Type: AP MAC address
Station ID Delimiter: Dash
Include SSID: Enabled

Click Submit to save and then do the same for the guest2 server.

Finally, click Pending Changes at the top and apply changes.

To enable our SecurePass WiFi solution please complete the steps below. This enables a secure, seamless WiFi connection for repeat users.

Secure WLAN Configuration

Log in to your Aruba Central application.

Select your Group at the top left, and then click Devices > Access Points. Click the Configure icon at the top right.

Under WLANs click on Add SSID and configure as per below:

Name (SSID): SecurePass
Band: Choose as required

Click Next and configure with the following:

Client IP Assignment: Choose as required
Client VLAN Assignment: Choose as required

Click Next and configure with the following:

Security Level: Enterprise
Key Management: WPA2-Enterprise
Server Group: Primary and Backup only

Under Primary Server click + to add new and configure with the following:

Name: securewifi-radius1
Server Type: RADIUS
Radsec: Enabled
IP Address/FQDN: rad1-secure.purple.ai
Radsec Port: 2083

Click OK to Save.

Under Secondary Server click + to add new and configure with the following:

Name: guestwifi-radius2
Server Type: Radius Authentication
Radsec: Enabled
IP Address/FQDN: rad2-secure.purple.ai
Radsec Port: 2083

Click OK to Save. Configure:

Encryption: Disabled
Key Management: Open

Under Advanced Settings

Called Station ID Type: MAC Address
Called Station ID Include SSID: Enabled
Accounting: Use authentication servers
Accounting Interval: 4 min
Walled Garden: Under Allowlist click + Add and enter the required domains, one by one. Please refer to this list.

Passpoint Service Profile

Click Manage Passpoint Services and then Add Profile.

Under Access Network configure with:

Name: securewifi
Domain Name: securewifi.purple.ai
Internet: Enabled
Operator Friendly Name: Purple
Radius Location Data: Enabled
Network Type: free-public
IPv4: public
Venue Name: (whatever you wish)

Under Identity Provider > NAI Realms click Add. Configure with:

Realm Name: securewifi.purple.ai
Home Realm: Enabled
EAP Method 1: eap-ttls
Authentication param 1:

Click Add and set:

ID: non-eap-inner-auth

Value: non-eap-pap

Under Roaming Consortium configure with:

Roaming Consortium OI 1: 5A03BA0000
Roaming Consortium OI 2: 004096

Click Save and then close the Add Profile dialogue. Select the securewifi profile you just created under the Passpoint Server Profile select box.

Click Next and configure with the following:

Access rules: Unrestricted

Click Next and then Finish to Save.

Configuration Complete

The configuration is now complete.
