This article describes the installation and configuration steps for Aruba devices. Our test was performed with Aruba AP-303-RW.

Aruba IAP’s can be configured in two ways.
The first method is via the web-based Aruba Instant IAP (Virtual Controller) interface. The second method is via Aruba Central, a cloud-based service where you can manage all your AP’s.

Aruba Instant IAP (Virtual Controller)

To configure via Aruba Instant IAP (Virtual Controller) please follow instructions below.


Log in to Aruba IAP ( usually available at or

In the Network section click New and configuration pop-up window will appear.
On the WLAN Settings tab set:

Name – SSID name of your WiFi network (visible to end-user), in our case ArubaWIFI
Primary usage – Guest

Click Next.

On the VLAN tab select:

Client IP assignment – Virtual Controller managed
Client VLAN assignment – Default

Click Next.

Go to the Security level tab.

Splash page type: External
Captive portal proxy server: blank
Captive portal profile: Select New and configure as explained below
WISPr: Disabled
MAC authentication: Disabled
Auth server 1: Radius
Auth server 2: blank
Reauth interval: 5 min
Accounting: Use authentication servers
Accounting mode: Authentication
Accounting interval: 0 min
Blacklisting: Disabled
Enforce DHCP: Disabled
Encryption: Disabled

As Captive portal profile select New and configure the following:

Name: StartHotspot
Type: RADIUS Authentication
IP or hostname:
URL: /login
Port: 443
Use https: Enabled
Captive portal failure: Deny internet
Automatic URL Whitelisting:
Server offload: Disabled
Prevent frame overlay: Disabled
Use VC IP in Redirect URL: Disabled

Click OK to save changes and continue with the configuration.

As Auth server 1 select New and configure following:

Name: Radius1
IP address:
RadSec: Disabled
Auth port: 1812
Accounting port: 1813
Shared key: (contact our office)
Timeout: 5
Retry count: 3
RFC 3576: Disabled
RFC 5997: Select Authentication and Accounting
NAS IP address: (optional)
NAS Identifier: keep empty
Dead time: 5
DRP IP: keep empty
DRP mask: keep empty
DRP VLAN: keep empty
DRP Gateway: keep empty
Service type framed user: select Captive Portal

Click Ok.

Go to the Access tab and as Access Rules select Role-Based.
Under Roles click on New and enter Preauth as the name.
Click Ok to add.

Under Access Rules for Selected Roles click on the Plus icon to add a new rule.

Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name:

Finally, we need to modify format of the mac addresses. This is possible only through CLI. Add the following rule to be able to connect to CLI SSH.

Rule type: Access control
Service: Network ssh
Action: Allow
Destination: to all destination

To connect to CLI SSH, we have used Putty.
Login with AP admin and pass and type these commands:

configure terminal
wlan ssid-profile <ssid>
auth-pkt-mac-format delimiter –
commit apply

NOTE: When CLI SSH configuration is finished you will need to delete previously created SSH rule.


Aruba Central

Log in to your account on Aruba Central portal.

From the menu on the left, under Wireless Configuration, select Networks.

Click Create New and configure the following:

Type – Wireless
Name (SSID) – ArubaWiFi
Primary Usage – Guest

Click Next and continue configuration.

Client IP Assignment – Virtual Controller Assigned

Click Next and continue configuration.

Splash Page Type – External

Captive Portal Profile
– Press … and set following.

Name: StartHotspot
Type: Radius Authentication
IP or Hostname:
URL: /login
Port: 443
Use HTTPS: Yes
Captive Portal Failure: Deny Internet
Automatic URL Whitelisting: Unticked
Redirect URL: leave blank

Click Save.

Encryption: Disabled
MAC Authentication: Disabled
Primary Server: Press + … and set following:

Name: StartHotspot1
IP Address:
Shared Key: (contact our office)
Retype Key: as above

Other values should be left at default settings.

Click Save.

Accounting: Use accounting servers
Accounting Mode: Authentication
Accounting Interval: 5 min

Walled Garden:
Under Whitelist click and type following domains:

Under Reauth Interval set 24 hrs

Click Next.

Access Rules: Role-Based
Under Role click on New and enter Preauth as the Name.
Click Ok.
Under Access Rules for Selected Roles click on the Plus icon.

Add a new rule one by one for each of the following:

Access Control / Network / Any / Allow / To a Domain Name:
Access Control / Network / Any / Allow / To a Domain Name:
Access Control / Network / Any / Allow / To a Domain Name:

Click on Save to each one and then add the next until all are listed.

Finally, add the following rule:

Access Control / Network / Any / Deny / To All Destinations

Under the Role on the left choose default_wired_port_profile, select Assign Pre-authentication Role and select Preauth.

Updated on February 17, 2020

Was this article helpful?