Aruba Instant IAPThis article describes the installation and configuration steps for Aruba Instant IAP. Our test was performed with Aruba AP-303-RW.
Aruba Instant IAP (Virtual Controller)
Aruba Instant IAP (Virtual Controller)
To configure via Aruba Instant IAP (Virtual Controller) please follow the instructions below.
Connecting
Connecting
Log in to Aruba IAP ( usually available at https://instant.arubanetworks.com:4343 or https://setmeup.arubanetworks.com:4343).
From the Info section check Master IP address ( in our case 192.168.1.8).
This IP address will be used later, after the initial setup, to connect to the Aruba AP.
In the Network section click New and configuration pop-up window will appear.
On the WLAN Settings tab set:
Name – SSID name of your WiFi network (visible to end-user), in our case ArubaWIFI
Primary usage – Guest
Click Next.
On the VLAN tab select:
Client IP assignment – Virtual Controller managed
Client VLAN assignment – Default
Click Next.
Go to the Security level tab.
Splash page type: External
Captive portal proxy server: blank
Captive portal profile: Select New and configure as explained below
WISPr: Disabled
MAC authentication: Disabled
Auth server 1: Radius
Auth server 2: blank
Reauth interval: 5 min
Accounting: Use authentication servers
Accounting mode: Authentication
Accounting interval: 0 min
Blacklisting: Disabled
Enforce DHCP: Disabled
Encryption: Disabled
As Captive portal profile select New and configure the following:
Name: StartHotspot
Type: RADIUS Authentication
IP or hostname: wifihotspot.io
URL: /login
Port: 443
Use https: Enabled
Captive portal failure: Deny internet
Automatic URL Whitelisting: Disabled
Server offload: Disabled
Prevent frame overlay: Disabled
Use VC IP in Redirect URL: Disabled
Click OK to save changes and continue with the configuration.
As Auth server 1 select New and configure following:
Select RADIUS
Name: Radius1
IP address: 13.92.228.228
RadSec: Disabled
Auth port: 1812
Accounting port: 1813
Shared key: contact our office
Timeout: 5
Retry count: 3
RFC 3576: Disabled
RFC 5997: Select Authentication and Accounting
NAS IP address: 1.0.0.0 (optional)
NASIdentifier: keep empty
Dead time: 5
DRP IP: keep empty
DRP mask: keep empty
DRP VLAN: keep empty
DRP Gateway: keep empty
Service type framed user: select Captive Portal
Click Ok.
Go to the Access tab and as Access Rules select Role-Based.
Under Roles click on New and enter Preauth as the name.
Click Ok to add.
Under Access Rules for Selected Roles click on the Plus icon to add a new rule.
Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name: wifihotspot.io
Click Ok, then repeat the process to create a new rule.
Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name: cdn.wifihotspot.io
Finally, we need to modify format of the mac addresses. This is possible only through CLI. Add the following rule to be able to connect to CLI SSH.
Rule type: Access control
Service: Network ssh
Action: Allow
Destination: to all destination
To connect to CLI SSH, we have used Putty.
Connect to the Master IP address, login with AP admin and pass ( admin / admin) and type these commands:
configure terminal
wlan ssid-profileĀ <type SSID name>
auth-pkt-mac-format delimiter –
end
commit apply
To add domains to walled garden, type these commands:
configure terminal
wlan walled-garden
white-list <wifihotspot.io>
white-list <cdn.wifihotspot.io>
white-list <starthotspot.com>
white-list <cdn.starthotspot.com>
white-list <cdnhotspot.azureedge.net>
white-list <t-msedge.net >
white-list <static.cloudflareinsights.com>
white-list <13.92.228.228>
white-list <13.90.247.200>
white-list <40.117.190.72>
end
commit apply
NOTE: When CLI SSH configuration is finished you will need to delete previously created SSH rule.