Aruba Instant IAP

This article describes the installation and configuration steps for Aruba Instant IAP. Our test was performed with Aruba AP-303-RW.

Aruba Instant IAP (Virtual Controller)


To configure via Aruba Instant IAP (Virtual Controller) please follow the instructions below.


Log in to Aruba IAP ( usually available at or

From the Info section check Master IP address ( in our case
This IP address will be used later, after the initial setup, to connect to the Aruba AP.

In the Network section click New; a configuration pop-up window will appear.
On the WLAN Settings tab set:

Name – SSID name of your WiFi network (visible to end-user), in our case ArubaWIFI
Primary usage – Guest

Click Next.

On the VLAN tab select:

Client IP assignment – Virtual Controller managed
Client VLAN assignment – Default

Click Next.

Go to the Security level tab.

Splash page type: External
Captive portal proxy server: blank
Captive portal profile: Select New and configure as explained below
WISPr: Disabled
MAC authentication: Disabled
Auth server 1: Radius
Auth server 2: blank
Reauth interval: 5 min
Accounting: Use authentication servers
Accounting mode: Authentication
Accounting interval: 0 min
Blacklisting: Disabled
Enforce DHCP: Disabled
Encryption: Disabled

As Captive portal profile select New and configure the following:

Name: StartHotspot
Type: RADIUS Authentication
IP or hostname:
URL: /login
Port: 443
Use https: Enabled
Captive portal failure: Deny internet
Automatic URL Whitelisting: Disabled
Server offload: Disabled
Prevent frame overlay: Disabled
Use VC IP in Redirect URL: Disabled

Click OK to save changes and continue with the configuration.

As Auth server 1 select New and configure the following:

Name: Radius1
IP address:
RadSec: Disabled
Auth port: 1812
Accounting port: 1813
Shared key: contact our office
Timeout: 5
Retry count: 3
RFC 3576: Disabled
RFC 5997: Select Authentication and Accounting
NAS IP address: (optional)
NASIdentifier: keep empty
Dead time: 5
DRP IP: keep empty
DRP mask: keep empty
DRP VLAN: keep empty
DRP Gateway: keep empty
Service type framed user: select Captive Portal

Click Ok.

Go to the Access tab and as Access Rules select Role-Based.
Under Roles click on New and enter Preauth as the name.
Click Ok to add.

Under Access Rules for Selected Roles click on the Plus icon to add a new rule.

Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name:

Click Ok, then repeat the process to create a new rule.

Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name:

Finally, we need to modify the format of the MAC addresses. This is possible only through the CLI. Add the following rule so that you can connect to the CLI over SSH.

Rule type: Access control
Service: Network ssh
Action: Allow
Destination: to all destination

To connect to the CLI over SSH, we used PuTTY.

Connect to the Master IP address, log in with the AP admin username and password (admin / admin), and type these commands:

configure terminal
wlan ssid-profile <type SSID name>
auth-pkt-mac-format delimiter -
commit apply

To add domains to the walled garden, type these commands:

configure terminal
wlan walled-garden
white-list <>
white-list <>
white-list <>
white-list <>
white-list <>
white-list < >
white-list <>
white-list <>
white-list <>
white-list <>
commit apply

NOTE: When the CLI configuration over SSH is finished, you will need to delete the previously created SSH rule.

How to get Public SSL certificate and import to Aruba IAP

This SSL certificate was created with a private CA (using OpenSSL); you can also have it issued by a public CA.

1. Generate a CSR for the FQDN of the captive portal (for example, the URL of our captive portal is , this should be resolvable by the DNS of client devices).

2. Submit this CSR to the CA (public or private).

3. The CA will provide you (depending on the encoding format) probably with a .crt file and a .key file.

4. These files can be opened in Notepad. You will see BEGIN CERTIFICATE and END CERTIFICATE markers in the .crt file, and BEGIN PRIVATE KEY and END PRIVATE KEY markers in the .key file.

5. Combine both files: simply copy the content of the .key file into the .crt file, like below.


6. Go to Maintenance > Certificates. Select the captive portal, set the format to CER, and upload the newly updated file. You have to enter a password for the private key; just enter any password you like, and upload.
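
Steps 1 to 5 carried out with OpenSSL and a throwaway private CA, followed by a check that the certificate and key in the combined file belong together before the file is uploaded. This is an added example, not part of the original article; portal.example.com, the CA name and all file names are placeholders.

```shell
#!/bin/sh
# Added example: CSR -> CA signature -> combined PEM, then a pre-upload check.
# portal.example.com, the CA name and all file names are placeholders.
set -eu

make_portal_bundle() {
    fqdn="$1"; out="$2"
    umask 077                       # key files readable by the owner only
    mkdir -p "$out"

    # Throwaway private CA; with a public CA, skip this and send it the CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Private CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt"

    # Step 1: key pair and CSR for the captive portal FQDN.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$out/portal.key" -out "$out/portal.csr"

    # Steps 2-3: the CA signs the CSR; browsers match the name against the SAN.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$out/san.ext"
    openssl x509 -req -in "$out/portal.csr" -days 30 \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/san.ext" -out "$out/portal.crt"

    # Step 5: certificate first, then the private key, in one file.
    cat "$out/portal.crt" "$out/portal.key" > "$out/portal-combined.pem"
}

# Succeeds only if the key in the bundle matches the certificate's public key
# and the certificate verifies against the given CA certificate.
check_portal_bundle() {
    pem="$1"; ca="$2"
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_portal_bundle portal.example.com "$workdir"
check_portal_bundle "$workdir/portal-combined.pem" "$workdir/ca.crt" \
    && echo "bundle OK: $workdir/portal-combined.pem"
```

Delete the working directory once the combined file has been uploaded, since it holds the unencrypted private keys of both the portal and the test CA.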

Updated on March 20, 2024
