Captive Portal
      Back to home
      1. Help Center
      2. Access Point Instructions
      3. Captive Portal

      Aruba Virtual Controller & Captive Portal

      Access Point Instructions for Aruba Virtual Controller

      This page explains basic configuration for Aruba Virtual Controller and external Captive Portal with RADIUS authentication.

      Sign-in to the Aruba Administration console 

      portal1

      Navigate to Network -> Edit and open configuration settings of a network that should be protected with a Captive Portal with RADIUS authentication - Aruba as in our example.

      portal2

      Configure the Client IP & VLAN Assignment. In our example, we keep the default settings.

      portal3

      Navigate to the Security tab and configure Security Level:

      Splash page type: External

      Captive portal profile: QA in our example

      Auth server 1: QA in our case

      Accounting: Use authentication servers

      Encryption: Disabled

      portal4

      Click on the Edit button next to the Captive portal profile. Find the Splash page URL in the IronWiFi Console -> Captive Portal settings page, for example, https://europe-west1.ironwifi.com/api/pages/r-3wcpj-eezn3-b32pa/

      Type: Radius Authentication

      IP or hostname: europe-west1.ironwifi.com

      (extract hostname from the Splash page URL)

      URL: /api/pages/r-3wcpj-eezn3-b47pa/

      (URL from the Splash page URL)

      Port: 443

      Use https: Enabled

      Captive Portal failure: Deny internet

      Automatic URL Whitelisting: Enabled

      Redirect URL: empty

      portal5

      Click on the Edit button next to the Auth server. Find the RADIUS server information in the IronWiFi Console, for example, IP 81.89.56.92, Authentication port 5701, Accounting port 5702.

      IP address: 11.22.33.44

      (assigned RADIUS server IP address)

      Auth port: 12345

      (designated RADIUS server authentication port)

      Accounting port: 12345

      (assigned RADIUS server accounting port)

      Shared key: ***********

      (assigned RADIUS server secret)

      portal6

      Click on the Walled garden link and enter values from the IronWiFi console:

      White list: all IP addresses and host-names that should an unauthorized client have access to.

      portal7

      Create a default role that will permit access to all destinations.

      allow all

      Create a pre-authentication role. At a minimum, allow access to the captive portal server.

      allow cp_only

      Aruba controller will intercept HTTPS traffic to all external servers breaking SSL connections. To prevent this, you can create a new Role permitting TCP connections to port 443 on external servers - splash.ironwifi.com, europe-west2.ironwifi.com, google.com, facebook.com, etc.

      Enable the Assign pre-authentication role and select create a role. Click on the Finish button to apply new settings.

      To fix the SSL error, you will need to replace the default invalid certificate.

      You can generate a valid SSL certificate for free on this URL - [https://www.sslforfree.com/]. You can let the page create a certificate signing request for you, or visit the following page for detailed instructions on how to generate a request manually - [https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025].

      Don't use a wildcard SSL certificate, we recommend using a subdomain - for example aruba.yourdomain.com.

      Copy content of downloaded files certificate.crt, ca_bundle.crt, and private.key to a single file (aruba.pem).

      Upload this file to your Aruba IAP - click on Maintenance -> Certificates.

      Certificate type: Captive portal server certificate

      Certificate format: PAM

      Click on the Upload Certificate button to apply new settings.