Aruba Instant IAP

This article describes the installation and configuration steps for Aruba Instant IAP. Our test was performed with Aruba AP-303-RW.

Aruba Instant IAP (Virtual Controller)

 

To configure via Aruba Instant IAP (Virtual Controller) please follow the instructions below.

Connecting

Log in to Aruba IAP ( usually available at https://instant.arubanetworks.com:4343 or https://setmeup.arubanetworks.com:4343).

From the Info section check Master IP address ( in our case 192.168.1.8).
This IP address will be used later, after the initial setup, to connect to the Aruba AP.

In the Network section click New and configuration pop-up window will appear.
On the WLAN Settings tab set:

Name – SSID name of your WiFi network (visible to end-user), in our case ArubaWIFI
Primary usage – Guest

Click Next.

On the VLAN tab select:

Client IP assignment – Virtual Controller managed
Client VLAN assignment – Default

Click Next.

Go to the Security level tab.

Splash page type: External
Captive portal proxy server: blank
Captive portal profile: Select New and configure as explained below
WISPr: Disabled
MAC authentication: Disabled
Auth server 1: Radius
Auth server 2: blank
Reauth interval: 5 min
Accounting: Use authentication servers
Accounting mode: Authentication
Accounting interval: 0 min
Blacklisting: Disabled
Enforce DHCP: Disabled
Encryption: Disabled

As Captive portal profile select New and configure the following:

Name: StartHotspot
Type: RADIUS Authentication
IP or hostname: wifihotspot.io
URL: /login
Port: 443
Use https: Enabled
Captive portal failure: Deny internet
Automatic URL Whitelisting: Disabled
Server offload: Disabled
Prevent frame overlay: Disabled
Use VC IP in Redirect URL: Disabled

Click OK to save changes and continue with the configuration.

As Auth server 1 select New and configure following:

Select RADIUS
Name: Radius1
IP address: 13.92.228.228
RadSec: Disabled
Auth port: 1812
Accounting port: 1813
Shared key: contact our office
Timeout: 5
Retry count: 3
RFC 3576: Disabled
RFC 5997: Select Authentication and Accounting
NAS IP address: 1.0.0.0 (optional)
NASIdentifier: keep empty
Dead time: 5
DRP IP: keep empty
DRP mask: keep empty
DRP VLAN: keep empty
DRP Gateway: keep empty
Service type framed user: select Captive Portal

Click Ok.

Go to the Access tab and as Access Rules select Role-Based.
Under Roles click on New and enter Preauth as the name.
Click Ok to add.

Under Access Rules for Selected Roles click on the Plus icon to add a new rule.

Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name: wifihotspot.io

Click Ok, then repeat the process to create a new rule.

Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name: cdn.wifihotspot.io

Finally, we need to modify format of the mac addresses. This is possible only through CLI. Add the following rule to be able to connect to CLI SSH.

Rule type: Access control
Service: Network ssh
Action: Allow
Destination: to all destination

To connect to CLI SSH, we have used Putty.

Connect to the Master IP address, login with AP admin and pass ( admin / admin) and type these commands:

configure terminal
wlan ssid-profileĀ <type SSID name>
auth-pkt-mac-format delimiter –
end
commit apply


To add domains to walled garden, type these commands:

configure terminal
wlan walled-garden
white-list <wifihotspot.io>
white-list <cdn.wifihotspot.io>
white-list <starthotspot.com>
white-list <cdn.starthotspot.com>
white-list <cdnhotspot.azureedge.net>
white-list <t-msedge.net >
white-list <static.cloudflareinsights.com>
white-list <13.92.228.228>
white-list <13.90.247.200>
white-list <40.117.190.72>
end
commit apply

NOTE: When CLI SSH configuration is finished you will need to delete previously created SSH rule.

How to get Public SSL certificate and import to Aruba IAP

This SSL certificate is created with private CA (using OpenSSL), you may get it done using public CA.

1. Generate CSR for FQDN of captive portal. (for example, the url of our captive portal is login.wifihotspot.io , this should be resolvable by DNS of client devices)

2. Submit this CSR to CA (public/private)

3. CA will provide you (depending on the encoding format) probably a .crt file and .key file

4. These files can be opened in notepad. You will see begin certificate — end certificate in .crt file and Begin private key, End private key in .key file.

5. Combine both these files. Simply copy .key file content to .crt file like below

—–BEGIN CERTIFICATE—–
MIIDqzCCApOgAwIBAgIJAMmKxQ6aKcBzMA0GCSqGSIb3DQEBCwUAMHUxCzAJBgNV
upub3KvnMEtPMUHPs4GsmyhiL0TOjVcdWc2ScPgYrgcv/1Pcbh7qErQsd/q+iMYK
nNmUIlWCTIT1fQTdgqSq5uXFoNan3mpf06cyPESG1Q==
—–END CERTIFICATE—–
—–BEGIN RSA PRIVATE KEY—–
MIIEpQIBAAKCAQEAvw1jGLQcFOYExHQUUEhovsEwuVEvkcrBbJymvld+y3NhZMp6
OkeJrPtXItZRIt7PLS+a+iwJvlEKAWimmH9U4eSKRZAaK6t+fjrx2OzXMkcb8tDD
JP8KP/mR3bPuoQT8U8jGJUKqEdwa2mrgv4kW775fdAyOCri/vnrEOpk=
—–END RSA PRIVATE KEY—–

6. Go to Maintenance > Certificates. Select the captive portal, format should be CER, and upload the newly updated file. You have to enter the password for the private key, just enter any password you like, and upload.

Updated on December 21, 2023

Was this article helpful?