Aruba Instant IAP

This article describes the installation and configuration steps for Aruba Instant IAP. Our test was performed with Aruba AP-303-RW.

Aruba Instant IAP (Virtual Controller)

 

To configure via Aruba Instant IAP (Virtual Controller) please follow the instructions below.

Connecting

Log in to Aruba IAP (usually available at https://instant.arubanetworks.com:4343 or https://setmeup.arubanetworks.com:4343).

From the Info section, check the Master IP address (in our case 192.168.1.8).
This IP address will be used later, after the initial setup, to connect to the Aruba AP.

In the Network section click New; a configuration pop-up window will appear.
On the WLAN Settings tab set:

Name – SSID name of your WiFi network (visible to end-user), in our case ArubaWIFI
Primary usage – Guest

Click Next.

On the VLAN tab select:

Client IP assignment – Virtual Controller managed
Client VLAN assignment – Default

Click Next.

Go to the Security level tab.

Splash page type: External
Captive portal proxy server: blank
Captive portal profile: Select New and configure as explained below
WISPr: Disabled
MAC authentication: Disabled
Auth server 1: Radius
Auth server 2: blank
Reauth interval: 5 min
Accounting: Use authentication servers
Accounting mode: Authentication
Accounting interval: 0 min
Blacklisting: Disabled
Enforce DHCP: Disabled
Encryption: Disabled

As Captive portal profile select New and configure the following:

Name: StartHotspot
Type: RADIUS Authentication
IP or hostname: wifihotspot.io
URL: /login
Port: 443
Use https: Enabled
Captive portal failure: Deny internet
Automatic URL Whitelisting: Disabled
Server offload: Disabled
Prevent frame overlay: Disabled
Use VC IP in Redirect URL: Disabled

Click OK to save changes and continue with the configuration.

As Auth server 1 select New and configure the following:

Select RADIUS
Name: Radius1
IP address: 13.92.228.228
RadSec: Disabled
Auth port: 1812
Accounting port: 1813
Shared key: contact our office
Timeout: 5
Retry count: 3
RFC 3576: Disabled
RFC 5997: Select Authentication and Accounting
NAS IP address: 1.0.0.0 (optional)
NASIdentifier: keep empty
Dead time: 5
DRP IP: keep empty
DRP mask: keep empty
DRP VLAN: keep empty
DRP Gateway: keep empty
Service type framed user: select Captive Portal

Click Ok.

Go to the Access tab and as Access Rules select Role-Based.
Under Roles click on New and enter Preauth as the name.
Click Ok to add.

Under Access Rules for Selected Roles click on the Plus icon to add a new rule.

Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name: wifihotspot.io

Click Ok, then repeat the process to create a new rule.

Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name: cdn.wifihotspot.io

Finally, we need to modify the format of the MAC addresses. This is possible only through the CLI. Add the following rule to be able to connect to the CLI over SSH.

Rule type: Access control
Service: Network ssh
Action: Allow
Destination: to all destination

To connect to the CLI over SSH, we used PuTTY.

Connect to the Master IP address, log in with the AP admin username and password (admin / admin) and type these commands:

configure terminal
wlan ssid-profile <type SSID name>
auth-pkt-mac-format delimiter -
end
commit apply


To add domains to the walled garden, type these commands:

configure terminal
wlan walled-garden
white-list wifihotspot.io
white-list cdn.wifihotspot.io
white-list starthotspot.com
white-list cdn.starthotspot.com
white-list cdnhotspot.azureedge.net
white-list t-msedge.net
white-list static.cloudflareinsights.com
white-list 13.92.228.228
white-list 13.90.247.200
white-list 40.117.190.72
end
commit apply

NOTE: When the CLI SSH configuration is finished, you will need to delete the previously created SSH rule.
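
A pre-flight check for the two CLI command blocks above, added here as an example that is not part of the original article: it flags typographic look-alike characters picked up by copy-paste (such as a dash in place of the hyphen delimiter), leftover placeholder brackets, and malformed white-list values before anything is typed into the SSH session. The function names and the sample input are constructed for illustration, and the rule that white-list takes exactly one value is an assumption drawn from the commands shown on this page.

```python
import ipaddress
import re

# RFC 1123-style hostname: dot-separated labels, alphabetic TLD.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def entry_ok(value):
    """True if a white-list value is a literal IP address or a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME.match(value))

def lint_cli(text):
    """Return (line_number, problem) pairs for CLI text about to be pasted."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        odd = sorted({c for c in line if not 32 <= ord(c) <= 126})
        if odd:
            codes = " ".join("U+%04X" % ord(c) for c in odd)
            findings.append((no, "non-ASCII or control character: " + codes))
        if "<" in line or ">" in line:
            findings.append((no, "placeholder brackets left in command"))
            continue
        words = line.split()
        # Assumption: one value per white-list line, as in the article.
        if words[:1] == ["white-list"]:
            if len(words) != 2:
                findings.append((no, "white-list takes exactly one value"))
            elif not entry_ok(words[1]):
                findings.append((no, "not an IP address or hostname: " + words[1]))
    return findings

# Constructed sample: the article's commands with three paste defects introduced
# (an en dash as delimiter, brackets around a domain, a mistyped IP address).
SAMPLE = """configure terminal
wlan ssid-profile ArubaWIFI
auth-pkt-mac-format delimiter \u2013
end
commit apply
configure terminal
wlan walled-garden
white-list wifihotspot.io
white-list <cdn.wifihotspot.io>
white-list 13.92.228.228
white-list 13.92.228.2288
end
commit apply
"""

if __name__ == "__main__":
    for no, problem in lint_cli(SAMPLE):
        print("line %d: %s" % (no, problem))
```

An empty result means the text contains only printable ASCII, no unreplaced placeholders, and well-formed walled garden entries; it does not confirm that the entries are the right ones for your portal.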

Updated on January 16, 2023
