Overview
There are two methods to configure the Aruba IAPs. The first is via Aruba Central, a cloud-based service where you can configure and deploy the IAPs. The second is via the web-based interface (GUI) directly on the IAP Virtual Controller. Both methods are described below.
Configuring via Aruba Central
Log in to your Aruba Central application.
Select your Group at the top left, and then click Devices > Access Points.
Under WLANs click on Add SSID and configure as per below:
Name (SSID): | Guest WiFi |
Band: | Choose as required |
Click Next and configure with the following:
Client IP Assignment: | Choose as required |
Client VLAN Assignment: | Choose as required |
Click Next and configure with the following:
Security Level: | Visitors |
Type: | External Captive Portal |
Under Captive Portal Profile click + to add new and configure with the following:
Name: | guestwifi |
Type: | Radius Authentication |
IP or Hostname: | *insert access_domain here* |
URL: | /access/ |
Port: | 443 |
Use HTTPS: | Yes |
Captive Portal Failure: | Deny Internet |
Automatic URL Whitelisting: | Disabled |
Use VC in Redirect URL: | Enabled |
Redirect URL: | *insert redirect_url here* |
Click OK to Save.
Under Primary Server click + to add new and configure with the following:
Name: | guestwifi-radius1 |
Type: | Radius Authentication |
IP Address/FQDN: | *insert radius_server here* |
Shared Key: | *insert radius_secret here* |
Retype Key: | *insert radius_secret here* |
Auth Port: | 1812 |
Accounting Port: | 1813 |
Service Type Framed User: | MAC/Captive Portal |
Dynamic Authorization: | Enabled |
AirGroup CoA Port: | 3799 |
Click OK to Save.
Under Secondary Server click + to add new and configure with the following:
Name: | guestwifi-radius2 |
Type: | Radius Authentication |
IP Address/FQDN: | *insert radius_server2 here* |
Shared Key: | *insert radius_secret here* |
Retype Key: | *insert radius_secret here* |
Auth Port: | 1812 |
Accounting Port: | 1813 |
Service Type Framed User: | MAC/Captive Portal |
Dynamic Authorization: | Enabled |
AirGroup CoA Port: | 3799 |
Click OK to Save.
Encryption: | Disabled |
Key Management: | Open |
Under Advanced Settings, configure the following:
Called Station ID Type: | MAC Address |
Called Station ID Include SSID: | Enabled |
Accounting: | Use authentication servers |
Accounting Interval: | 4 min |
Walled Garden: | Under Allowlist click + Add and enter the required domains, one by one. Please refer to this list. |
Click Next and configure with the following:
Access rules: | Role Based |
Under Roles click Add Role and then configure with the following:
Name: | Preauth |
Click OK to Save. Next, click on the Preauth role on the left and then edit the default rule named "Allow any to all destinations". Under Destination change "All destinations" to "To A Domain Name" and set: *insert access_domain here*. Click OK to save.
You will now need to add a new rule for each of the domains you added to the Walled Garden list earlier, for example:
Access Control / Network / Any / Allow / To a Domain Name: | *insert access_domain here* |
Click OK to save each rule, and then add the next until all are listed.
Finally, add the following rule:
Access Control / Network / Any / Deny / To All Destinations
Ensure the Deny rule is at the end of the list.
Finally, configure the following:
Assign Pre-Authentication Role: | Preauth |
Click Finish to complete the setup.
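The Preauth role built above only restricts unauthenticated clients if the default allow-all rule is gone, every walled garden domain has its own allow rule, and the deny rule sits last. The following check is an added example, not part of the original guide or of any Aruba tooling: Rule and audit_preauth are hypothetical names, the domains are constructed placeholders, and it assumes rules are evaluated top-down with the first match winning.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    domain: Optional[str]  # None stands for "All destinations"

def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")

def audit_preauth(rules: List[Rule], access_domain: str,
                  walled_garden: List[str]) -> List[str]:
    """Return findings for a Preauth rule list; an empty list means it matches the guide.
    Assumption: rules are evaluated top-down and the first match wins."""
    findings = []
    deny_at = next((i for i, r in enumerate(rules)
                    if r.action == "deny" and r.domain is None), None)
    if deny_at is None:
        findings.append("no final deny rule to all destinations")
        reachable = rules
    else:
        if deny_at != len(rules) - 1:
            findings.append("deny-all is not last; rules below it never match")
        reachable = rules[:deny_at]
    for pos, r in enumerate(reachable, start=1):
        if r.action == "allow" and r.domain is None:
            findings.append(f"rule {pos}: default allow to all destinations still present")
    allowed = {_norm(r.domain) for r in reachable if r.action == "allow" and r.domain}
    wanted = {_norm(d) for d in walled_garden} | {_norm(access_domain)}
    findings += [f"no reachable allow rule for {d}" for d in sorted(wanted - allowed)]
    findings += [f"allow rule for unlisted domain {d}" for d in sorted(allowed - wanted)]
    return findings

# Constructed sample data (example.net/example.org names are placeholders, not the real list).
GARDEN = ["cdn.example.net", "login.example.org"]
GOOD = [Rule("allow", "portal.example.net"), Rule("allow", "cdn.example.net"),
        Rule("allow", "login.example.org"), Rule("deny", None)]
BAD = [Rule("allow", None), Rule("allow", "portal.example.net"),
       Rule("deny", None), Rule("allow", "cdn.example.net")]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_preauth(rules, "portal.example.net", GARDEN) or "ok")
```

Transcribe the rule list from the Preauth role in the order it is displayed and pass the same domains you entered in the Walled Garden allowlist.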
Configuring via Aruba Instant GUI (Virtual Controller)
Log in to your Aruba (Master) IAP.
Under Network at the top left, click on New.
Configure with:
Name (SSID): | Guest WiFi (or whatever you wish) |
Primary usage: | Guest |
Click Next and configure with:
Client IP assignment: | Virtual Controller managed |
Client VLAN assignment: | Default (unless you have a custom VLAN set up) |
Click Next and configure with:
Splash page type: | External |
Captive portal profile: | Click the dropdown and choose New. Configure with: |
Name: | guestwifi |
Type: | Radius Authentication |
IP or hostname: | *insert access_domain here* |
URL: | /access/ |
Port: | 443 |
Use https: | Enabled |
Captive portal failure: | Deny internet |
Automatic URL whitelisting: | Disabled |
Redirect URL: | *insert redirect_url here* |
Click OK to save.
Configure Auth server 1: Click the dropdown and choose New. Configure with:
Type: | RADIUS |
Name: | guestwifi1 |
IP address: | *insert radius_server_ip here* |
Auth port: | 1812 |
Acct port: | 1813 |
Shared key: | *insert radius_secret here* |
Retype key: | as above |
Click OK to save.
Configure Auth server 2: Click the dropdown and choose New. Configure with:
Type: | RADIUS |
Name: | guestwifi2 |
IP address: | *insert radius_server2_ip here* |
Auth port: | 1812 |
Acct port: | 1813 |
Shared key: | *insert radius_secret here* |
Retype key: | as above |
Click OK to save.
Reauth interval: | 24 hrs |
Accounting: | Enabled |
Accounting mode: | Authentication |
Accounting interval: | 3 min |
Blacklisting: | Disabled |
Walled garden: | Click the link "Blacklist: 0 Whitelist: 0" and add all the required domains one by one. Please refer to this list. |
Press OK when all the domains have been added.
Click Next and configure with:
Access Rules: | Role-based |
Under Roles click New and enter Preauth as the name.
Under Access Rules for Preauth click New and add the following rule for each of the domains you added earlier:
Rule type: | Access control |
Service: | Network - any |
Action: | Allow |
Destination: | to domain name |
Domain name: | *insert domain here* |
Assign pre-authentication role: select Preauth
Click Finish to complete the setup.