Introduction
This guide outlines the configuration steps to enable an external captive portal on the Aruba IAP platform.
This guide was developed on an Aruba wireless network with the following components:
- Access Point (AP): Model APIN0205
- Software: Aruba Instant Virtual Controller 6.5.1.0-4.3.1.2_58595
Requirements
You should have a venue equipped with at least one network device (AP) properly configured to broadcast the wireless network SSID.
Authentication Server (RADIUS)
Navigate to "Security > Authentication Servers" and create a new server with the following custom parameters:
- Select RADIUS.
- Name: coffeebean-radius-primary
- IP address: Use the RADIUS server IP appropriate for your environment/region.
- Shared key: Enter the provided shared secret.
- Retype key: Confirm the provided shared secret.
Repeat the process to create a secondary authentication server named "coffeebean-radius-secondary" for redundancy.
Roles (Walled Garden)
Go to "Security > Roles" and create a new role labeled “coffeebean-pre-auth”. This role will serve as the pre-authentication rule (Walled Garden) for the captive portal.
For each walled garden domain you wish to enable on your captive portal, add the following rule: Allow any to domain <domain.com>. For example:
- Allow any to domain socialidnow.com
Captive Portal
Access "Security > External Captive Portal" and set up a new portal with the following custom settings:
- Name: coffeebean-captive-portal
- Type: RADIUS Authentication
- IP or hostname: Use the provided captive portal hostname (e.g.: wifi.socialidnow.com)
- URL: Use the provided captive portal URL (e.g.: /portals/cbt-aruba-iap-lab/auth)
- Port: 80
- Use https: Disabled
- Redirect URL: Use the provided captive portal redirect URL (e.g.: http://wifi-staging.socialidnow.com/portals/cbt-aruba-iap-lab)
WLAN
Create a new Network with the following settings:
WLAN Settings
- Name: your SSID name
- Primary Usage: Guest
VLAN Settings
- Client IP assignment: Virtual Controller managed
- Client VLAN assignment: Default
Security Settings
- Splash page type: External
- Captive portal profile: Choose the captive portal created earlier (e.g.: coffeebean-captive-portal).
- Auth Server 1: Select the primary authentication server created earlier (e.g.: coffeebean-radius-primary).
- Auth Server 2: Select the secondary authentication server created earlier (e.g.: coffeebean-radius-secondary).
- Accounting: Use authentication servers
- Accounting mode: Authentication
- Accounting interval: 5 min.
- Walled garden: Leave empty. This walled garden field does not accept HTTPS-based URLs, so the walled garden is defined through Access Rules (the pre-authentication role) instead.
Access Settings
Choose “Role-based” control.
Select the pre-authentication role created earlier (e.g.: coffeebean-pre-auth) and enable the “Assign pre-authentication role” option.
Customer Parameters
Here's a summary of customer-specific parameters:
Basic Settings
- IP or hostname: Use the provided captive portal hostname.
- URL: Use the provided captive portal URL.
- Redirect URL: Use the provided captive portal redirect URL.
- Roles (Walled Garden): Refer to our documentation for the list of hostnames to allow for unauthenticated users.
- Authentication Server (RADIUS):
  - IP Address: Use the RADIUS server IP appropriate for your environment/region.
  - Shared Key: Enter the provided shared secret.
  - Auth Port: Use the RADIUS server authentication port appropriate for your environment/region.
  - Accounting Port: Use the RADIUS server accounting port appropriate for your environment/region.
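A pre-deployment consistency check for the customer parameters above, as an added example that is not part of the original guide or of any Aruba tooling. The dictionary layout, the function names, the RADIUS IPs and the shared key are constructed placeholders, and the check assumes a domain rule in the pre-authentication role covers the domain and its subdomains.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample built from the example values in this guide; the RADIUS
# IPs (RFC 5737 documentation range) and the shared key are placeholders.
SAMPLE = {
    "walled_garden": ["socialidnow.com"],
    "portal": {"host": "wifi.socialidnow.com", "url": "/portals/cbt-aruba-iap-lab/auth",
               "port": 80, "use_https": False,
               "redirect_url": "http://wifi-staging.socialidnow.com/portals/cbt-aruba-iap-lab"},
    "radius": [{"name": "coffeebean-radius-primary", "ip": "192.0.2.10", "key": "PLACEHOLDER"},
               {"name": "coffeebean-radius-secondary", "ip": "192.0.2.11", "key": "PLACEHOLDER"}],
}

def covered(host, domains):
    """Assumption: a domain rule covers the domain itself and its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in domains)

def check_params(p):
    """Return a list of findings; an empty list means the sheet is consistent."""
    findings = []
    portal, garden = p["portal"], p["walled_garden"]
    # Unauthenticated clients must reach the portal, or the splash page never loads.
    if not covered(portal["host"], garden):
        findings.append(f"portal host {portal['host']} is not in the walled garden")
    if not portal["url"].startswith("/"):
        findings.append("portal URL must be a path beginning with '/'")
    # The port should agree with the 'Use https' switch.
    scheme = "https" if portal["use_https"] else "http"
    if (portal["port"], scheme) in ((80, "https"), (443, "http")):
        findings.append(f"port {portal['port']} does not match the 'Use https' setting")
    redirect = urlsplit(portal["redirect_url"])
    if redirect.scheme not in ("http", "https") or not redirect.hostname:
        findings.append("redirect URL must be an absolute http(s) URL")
    servers = p["radius"]
    if len(servers) < 2:
        findings.append("no secondary RADIUS server defined")
    if len({s["ip"] for s in servers}) != len(servers):
        findings.append("RADIUS servers share an IP, so there is no redundancy")
    for s in servers:
        try:
            ipaddress.ip_address(s["ip"])
        except ValueError:
            findings.append(f"{s['name']}: invalid IP {s['ip']}")
        if not s["key"]:
            findings.append(f"{s['name']}: shared key is empty")
    return findings
```
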