Introduction
This guide outlines the steps required to set up an external captive portal on the Aruba Controller platform.
This guide is based on an Aruba wireless network comprising the following components:
- AP: Model APIN0205
- Controller: Model 7005
- Software: ArubaOS 6.5.4.1
Requirements
To follow this guide, you need a venue with at least one network device (AP) configured to broadcast the wireless network SSID.
Walled Garden
- Navigate to "Advanced Services > Stateful Firewall > Destination" and create a group called "coffeebean-wg".
- Add an entry with type "name" for each walled garden domain you want to enable on your captive portal.
RADIUS Servers
- Go to "Security > Authentication > Servers".
- Select the group "RADIUS server".
- Create a new entry named "coffeebean-radius-primary-server" with the following parameters:
  - Host: RADIUS server host or IP based on your environment/region.
  - Key: Shared secret provided.
  - Auth Port: 1812
  - Acct Port: 1813
- Repeat the process to create a server named "coffeebean-radius-secondary-server" for the secondary RADIUS server host.
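A pre-flight check for the Host, Key and Auth Port entered above, added here as an example (it is not CoffeeBean or Aruba code): it sends one RFC 2865 Access-Request and verifies the reply's Response Authenticator, which only matches when both sides hold the same shared secret. It assumes a test username and password exist and that the machine running it is registered as a RADIUS client; all function names are hypothetical.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream, 16-byte blocks)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident, req_auth):
    """Access-Request with Message-Authenticator (attr 80), User-Name and User-Password."""
    attrs = struct.pack("!BB", 80, 18) + bytes(16)  # zeroed until the HMAC is computed
    for typ, val in ((1, user), (2, hide_password(password, secret, req_auth))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    head = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, head + attrs, hashlib.md5).digest()
    return head + attrs[:2] + mac + attrs[18:]

def reply_is_authentic(reply, secret, ident, req_auth):
    """True only if the Response Authenticator was computed with our shared secret."""
    if len(reply) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return False
    want = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])

def check_server(host, secret, user, password, port=1812, timeout=3.0):
    """Send one test login; returns 'accept', 'reject', 'other', 'no-reply' or 'bad-secret'."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(user, password, secret, ident, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"   # host/port wrong, or this client IP is not registered
    if not reply_is_authentic(reply, secret, ident, req_auth):
        return "bad-secret"     # reply was signed with a different key than the one entered
    return {2: "accept", 3: "reject"}.get(reply[0], "other")
```

Call `check_server(host, key, user, password)` once for the primary and once for the secondary server, with all string arguments passed as bytes except the host.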
Server Group
- Navigate to "Security > Authentication > Servers".
- Click on "Server Group" and create a new group named "coffeebean-radius".
- Add the RADIUS servers "coffeebean-radius-primary-server" and "coffeebean-radius-secondary-server" to the group.
Authenticated User Role
- Go to "Security > Access Control > User Roles".
- Create a user role named "coffeebean-auth" with default parameters.
- Add the following "Firewall Policies" rules:
  - ra-guard
  - dhcp-acl
  - dns-acl
  - http-acl
  - https-acl
  - icmp-acl
  - v6-dhcp-acl
  - v6-dns-acl
  - v6-http-acl
  - v6-https-acl
  - v6-icmp-acl
Captive Portal
- Go to "Security > Authentication > L3 Authentication".
- Click on "Captive Portal Authentication".
- Create a new entry named "coffeebean-captive-portal" with the following parameters:
  - Default Role: coffeebean-auth
  - Default Guest Role: coffeebean-auth
  - Redirect Pause: 10 seconds
  - User Login: Checked
  - Use HTTP for authentication: Checked
  - Login page: Captive portal login URL (e.g.: http://wifi-staging.socialidnow.com/portals/cbt-aruba-lab/auth)
  - Welcome page: Captive portal welcome URL (e.g.: http://wifi-staging.socialidnow.com/portals/cbt-aruba-lab)
  - Show welcome page: Checked
  - Add switch IP address in redirection URL: Checked
  - White List: Add coffeebean-wg
Server Group (Captive Portal)
In the Captive Portal "Server Group" section, select the "coffeebean-radius" group as the "Server Group".
Pre-Auth User Role
- Go to "Security > Access Control > User Roles".
- Create a user role named "coffeebean-preauth".
- Set Captive Portal Profile to "coffeebean-captive-portal".
- Add the following "Firewall Policies" rules:
  - ra-guard
  - logon-control
  - captiveportal
  - v6-logon-control
  - captiveportal6
AAA Profile
- Go to "Security > Authentication > AAA Profile".
- Create a new profile named "coffeebean-aaa-profile".
- Set Initial Role to "coffeebean-preauth".
RADIUS Accounting Server Group
Under "RADIUS Accounting Server Group", select the "coffeebean-radius" group as the "RADIUS Accounting Server Group".
AP Configuration
- Go to "Wireless > AP Configuration".
- Create a new "AP Group" named "coffeebean-ap-group".
Virtual AP
Within the AP Group, navigate to "Wireless LAN > Virtual AP" and create a new "Virtual AP" named "coffeebean-virtual-ap".
AAA Profile (Virtual AP)
Under the Virtual AP settings, go to "AAA" and select the "coffeebean-aaa-profile" as the "AAA Profile".
SSID Profile (Virtual AP)
Within the Virtual AP settings, go to "SSID" and create a new SSID Profile named "coffeebean-ssid". Set your Network Name (SSID).
Customer Parameters
Here is a summary of the customer-specific parameters:
Basic Settings
- Login page: Captive portal login URL.
- Welcome page: Captive portal welcome URL.
- Walled Garden: Refer to our documentation for a list of hostnames allowed for unauthenticated users.
- RADIUS Server:
  - Host: RADIUS server host or IP based on your environment/region.
  - Key: Shared secret provided.
  - Auth Port: RADIUS server authentication port according to your environment/region.
  - Acct Port: RADIUS server accounting port according to your environment/region.