Overview
There are two methods to configure the Aruba IAPs. The first is via the web-based interface (GUI) that sits on the IAP itself. The second is via Aruba Central, a cloud-based service where you can manage all your IAPs. Both methods are described below.
Configuring via Aruba Instant GUI (Virtual Controller)
Log in to your Aruba (Master) IAP.
Under Network at the top left, click on New.
Configure with:
Name (SSID): | Guest WiFi (or whatever you wish) |
Primary usage: | Guest |
Click Next and configure with:
Client IP assignment: | Virtual Controller managed |
Client VLAN assignment: | Default (unless you have a custom VLAN set up) |
Click Next and configure with:
Splash page type: | External |
Captive portal profile: | Click the dropdown and choose New. Configure with: |
Name: | guestwifi |
Type: | Radius Authentication |
IP or hostname: | *insert access_domain here* |
URL: | /access/ |
Port: | 443 |
Use https: | Enabled |
Captive portal failure: | Deny internet |
Automatic URL whitelisting: | Disabled |
Redirect URL: | *insert redirect_url here* |
Click OK to save.
Configure Auth server 1: Click the dropdown and choose New. Configure with:
Type: | RADIUS |
Name: | guestwifi1 |
IP address: | *insert radius_server_ip here* |
Auth port: | 1812 |
Acct port: | 1813 |
Shared key: | *insert radius_secret here* |
Retype key: | as above |
Click OK to save.
Configure Auth server 2: Click the dropdown and choose New. Configure with:
Type: | RADIUS |
Name: | guestwifi2 |
IP address: | *insert radius_server2_ip here* |
Auth port: | 1812 |
Acct port: | 1813 |
Shared key: | *insert radius_secret here* |
Retype key: | as above |
Click OK to save.
Reauth interval: | 24 hrs |
Accounting: | Enabled |
Accounting mode: | Authentication |
Accounting interval: | 3 min |
Blacklisting: | Disabled |
Walled garden: | Click the link "Blacklist: 0 Whitelist: 0" and add all the required domains one by one. Please refer to this list. |
Press OK when all the domains have been added.
Click Next and configure with:
Access Rules: | Role-based |
Under Roles, click New and enter Preauth as the name.
Under Access Rules for Preauth click New and add the following rule for each of the domains you added earlier:
Rule type: | Access control |
Service: | Network - any |
Action: | Allow |
Destination: | to domain name |
Domain name: | *insert domain here* |
Assign pre-authentication role: select Preauth
Click Finish to complete the setup.
Configuring via Aruba Central
Log in to your Aruba Central account at https://portal.central.arubanetworks.com.
Under Wireless Configuration on the left, choose Networks.
Click on Create New and configure as per below:
Type: | Wireless |
Name (SSID): | Guest WiFi |
Primary Usage: | Guest |
Click Next and configure with the following:
Client IP Assignment: | Virtual Controller Assigned |
Click Next and configure with the following:
Splash Page Type: | External |
Captive Portal Profile: | Choose New... and configure with: |
Name: | guestwifi |
Type: | Radius Authentication |
IP or Hostname: | *insert access_domain here* |
URL: | /access/ |
Port: | 443 |
Use HTTPS: | Yes |
Captive Portal Failure: | Deny Internet |
Automatic URL Whitelisting: | Unticked |
Redirect URL: | *insert redirect_url here* |
Click Save
WISPr: | Disabled |
Encryption: | Disabled |
MAC Authentication: | Disabled |
Authentication Server 1: | Choose New... and configure with: |
Name: | guestwifi1 |
IP Address: | *insert radius_server_ip here* |
Shared Key: | *insert radius_secret here* |
Retype Key: | as above |
All other values should be left at their defaults.
Click Save Server
Configure Authentication Server 2: Choose New... and configure with:
Name: | guestwifi2 |
IP Address: | *insert radius_server2_ip here* |
Shared Key: | *insert radius_secret here* |
Retype Key: | as above |
All other values should be left at their defaults.
Click Save Server
Load Balancing: | Disabled |
Reauth Interval: | 24 hrs |
Accounting: | Enabled |
Accounting Mode: | Authentication |
Accounting Interval: | 3 min |
Blacklisting: | Disabled |
Walled Garden: | Click on 0 blacklist, 0 whitelist and configure with: Under Whitelist click on New and enter the required domains, one by one. Please refer to this list. |
Click Next
Access Rules: | Role Based |
Under Role, click New and enter Preauth as the Name. Click OK to add.
Now, under Access Rules for Selected Roles, click the Plus icon.
Add a new rule for each of the domains you added earlier, one at a time:
Access Control / Network / Any / Allow / To a Domain Name: | *insert domain here* |
Click Save on each rule, then add the next, until all are listed.
Finally, add the following rule:
Access Control / Network / Any / Deny / To All Destinations
Now, under the Role on the left, choose default_wired_port_profile, and tick the box Assign Pre-authentication Role and select Preauth.
Click Finish to complete the setup.
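Both procedures above depend on the RADIUS shared key and auth port 1812 matching what the server expects, and a mismatch only shows up as guests failing to log in. The following is an added example, not part of the original guide or of any Aruba tooling: a minimal RADIUS probe that sends an Access-Request and validates the reply's Response Authenticator, so either an Access-Accept or an Access-Reject that verifies proves the key is correct. It assumes the host running it is registered on the RADIUS server as a client with the same shared key; the probe username and password are constructed values.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: MD5 keystream chained over 16-byte blocks."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, ident, req_auth) -> bytes:
    # Message-Authenticator (type 80) goes first, zero-filled until the HMAC is computed.
    attrs = attr(80, b"\x00" * 16) + attr(1, user.encode())
    attrs += attr(2, hide_password(password.encode(), secret, req_auth))
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs  # code 1 = Access-Request
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:22] + mac + pkt[38:]

def reply_is_authentic(reply, secret, req_auth) -> bool:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def check_server(host: str, secret: bytes, port: int = 1812, timeout: float = 3.0) -> str:
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    # Constructed probe credentials: an Access-Reject is an acceptable answer here.
    pkt = build_access_request("probe-user", "probe-pass", secret, ident, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: unreachable, unknown client, or request dropped (possible key mismatch)"
    if reply[1:2] != bytes([ident]) or not reply_is_authentic(reply, secret, req_auth):
        return "reply failed the authenticator check: shared key does not match"
    return "shared key OK (reply code %d)" % reply[0]
```

Call `check_server()` once per auth server with the radius_server_ip and radius_secret values used above; both servers should report the key as OK before the SSID is put into service.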