Aruba Instant IAP

This article describes the installation and configuration steps for Aruba Instant IAP. Our test was performed with Aruba AP-303-RW.

Aruba Instant IAP (Virtual Controller)


To configure via Aruba Instant IAP (Virtual Controller), please follow the instructions below.


Log in to Aruba IAP ( usually available at or

From the Info section check Master IP address ( in our case
This IP address will be used later, after the initial setup, to connect to the Aruba AP.

In the Network section click New and a configuration pop-up window will appear.
On the WLAN Settings tab set:

Name – SSID name of your WiFi network (visible to end-user), in our case ArubaWIFI
Primary usage – Guest

Click Next.

On the VLAN tab select:

Client IP assignment – Virtual Controller managed
Client VLAN assignment – Default

Click Next.

Go to the Security level tab.

Splash page type: External
Captive portal proxy server: blank
Captive portal profile: Select New and configure as explained below
WISPr: Disabled
MAC authentication: Disabled
Auth server 1: Radius
Auth server 2: blank
Reauth interval: 5 min
Accounting: Use authentication servers
Accounting mode: Authentication
Accounting interval: 0 min
Blacklisting: Disabled
Enforce DHCP: Disabled
Encryption: Disabled

As Captive portal profile select New and configure the following:

Name: StartHotspot
Type: RADIUS Authentication
IP or hostname:
URL: /login
Port: 443
Use https: Enabled
Captive portal failure: Deny internet
Automatic URL Whitelisting: Disabled
Server offload: Disabled
Prevent frame overlay: Disabled
Use VC IP in Redirect URL: Disabled

Click OK to save changes and continue with the configuration.

As Auth server 1 select New and configure the following:

Name: Radius1
IP address:
RadSec: Disabled
Auth port: 1812
Accounting port: 1813
Shared key: contact our office
Timeout: 5
Retry count: 3
RFC 3576: Disabled
RFC 5997: Select Authentication and Accounting
NAS IP address: (optional)
NASIdentifier: keep empty
Dead time: 5
DRP IP: keep empty
DRP mask: keep empty
DRP VLAN: keep empty
DRP Gateway: keep empty
Service type framed user: select Captive Portal

Click Ok.

Go to the Access tab and as Access Rules select Role-Based.
Under Roles click on New and enter Preauth as the name.
Click Ok to add.

Under Access Rules for Selected Roles click on the Plus icon to add a new rule.

Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name:

Click Ok, then repeat the process to create a new rule.

Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name:

Finally, we need to modify the format of the MAC addresses. This is possible only through the CLI. Add the following rule to be able to connect to the CLI over SSH.

Rule type: Access control
Service: Network ssh
Action: Allow
Destination: to all destination

To connect to the CLI over SSH, we used PuTTY.

Connect to the Master IP address, log in with the AP admin username and password (admin / admin), and type these commands:

configure terminal
wlan ssid-profile <type SSID name>
auth-pkt-mac-format delimiter -
commit apply

To add domains to walled garden, type these commands:

configure terminal
wlan walled-garden
white-list <>
white-list <>
white-list <>
white-list <>
white-list <>
white-list <>
white-list <>
commit apply

NOTE: When the CLI SSH configuration is finished, you will need to delete the previously created SSH rule.
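
A check for the cleanup step in the note above, as an added example that is not part of the original article or of Aruba's tooling: it reads a saved copy of the running configuration and reports whether the temporary SSH rule is still in the Preauth role and whether the hyphen MAC delimiter is set on the SSID profile. The stanza layout, the rule line format and the sample text are constructed assumptions; adjust the parsing to what your device actually prints.

```python
# Constructed sample; the stanza layout is an assumption, not captured from a device.
SAMPLE_CONFIG = """\
wlan access-rule Preauth
 index 2
 rule alias portal.example.test match any any any permit
 rule any any match tcp 22 22 permit
wlan ssid-profile ArubaWIFI
 essid ArubaWIFI
 type guest
 auth-pkt-mac-format delimiter -
"""

def parse_stanzas(text):
    """Map each unindented header line to the list of indented lines under it."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas

def covers_ssh(proto, start, end):
    """True if the protocol and port range of a rule include TCP 22."""
    if proto not in ("tcp", "any"):
        return False
    if "any" in (start, end):
        return True
    return int(start) <= 22 <= int(end)

def audit(text, ssid, role="Preauth"):
    """Return findings for the two CLI-related steps in this article."""
    stanzas, findings = parse_stanzas(text), []
    for rule in stanzas.get(f"wlan access-rule {role}", []):
        tok = rule.split()
        if tok[0] != "rule" or "match" not in tok:
            continue
        m = tok.index("match")
        dest, svc = tok[1:m], tok[m + 1:]  # assumed: <dest> match <proto> <start> <end> <action>
        if (len(svc) == 4 and svc[3] == "permit" and dest == ["any", "any"]
                and covers_ssh(*svc[:3])):
            findings.append(f"{role}: temporary SSH rule still present: {rule}")
    profile = stanzas.get(f"wlan ssid-profile {ssid}", [])
    if "auth-pkt-mac-format delimiter -" not in profile:
        findings.append(f"{ssid}: auth-pkt-mac-format delimiter - not set")
    return findings
```

Calling audit() on a saved configuration returns an empty list once the SSH rule has been removed and the delimiter is in place.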

Updated on July 30, 2021
