Aruba

This article describes the installation and configuration steps for Aruba devices. Our test was performed with Aruba AP-303-RW.

Aruba IAPs can be configured in two ways.
The first method is via the web-based Aruba Instant IAP (Virtual Controller) interface. The second method is via Aruba Central, a cloud-based service where you can manage all your APs.

Aruba Instant IAP (Virtual Controller)

To configure via Aruba Instant IAP (Virtual Controller), follow the instructions below.

Connecting

Log in to your Aruba IAP.

Go to the WLAN Settings tab and set:

Name – SSID name of your WiFi network (visible to end-user), in our case ArubaWIFI
Primary usage – Guest

Click Next.

On the VLAN tab select:

Client IP assignment – Virtual Controller managed
Client VLAN assignment – Default

Click Next.

Go to the Security level tab.

As Splash page type select External.
As Captive portal profile select New and configure the following:

Name: StartHotspot
Type: RADIUS Authentication
IP or hostname: connect.starthotspot.com
URL: /login
Port: 443
Use https: Enabled
Captive portal failure: Deny internet
Automatic URL Whitelisting: Disabled
Server offload: Disabled
Prevent frame overlay: Disabled
Use VC IP in Redirect URL: Disabled


Click OK to save changes and continue with the configuration.

For WISPr, select Disabled.
For MAC authentication, select Disabled.
For Auth server 1, select New and configure the following:

Select RADIUS
Name: Radius1
IP address: 13.92.228.228
RadSec: Disabled
Auth port: 1812
Accounting port: 1813
Shared key: (contact our office)
Timeout: 5
Retry count: 3
RFC 3576: Disabled
RFC 5997: Select Authentication and Accounting
NAS IP address: 1.0.0.0 (optional)
NAS Identifier: keep empty
Dead time: 5
DRP IP: keep empty
DRP mask: keep empty
DRP VLAN: keep empty
DRP Gateway: keep empty
Service type framed user: select Captive Portal

Click Ok.

Go to the Access tab and as Access Rules select Role-Based.
Under Roles click on New and enter Preauth as the name.
Click Ok to add.

Under Access Rules for Selected Roles click on the Plus icon to add a new rule.

Rule type: Access control
Service: Network any
Action: Allow
Destination: to domain name
Domain name: connect.starthotspot.com

Finally, we need to modify the format of the MAC addresses. This is possible only through the CLI. Add the following rule to be able to connect to the CLI over SSH using PuTTY.

Rule type: Access control
Service: Network ssh
Action: Allow
Destination: to all destination

To connect to the CLI over SSH, we used PuTTY.
Log in with the AP admin username and password and enter these commands:

configure terminal
wlan ssid-profile <ssid>
auth-pkt-mac-format delimiter -
end
commit apply

When the CLI configuration over SSH is finished, delete the SSH rule you created earlier.

Aruba Central

Log in to your account on Aruba Central portal.

From the menu on the left, under Wireless Configuration, select Networks.

Click Create New and configure the following:

Type – Wireless
Name (SSID) – ArubaWiFi
Primary Usage – Guest

Click Next and continue configuration.

Client IP Assignment – Virtual Controller Assigned

Click Next and continue configuration.

Splash Page Type – External

Captive Portal Profile – Press … and set the following:

Name: StartHotspot
Type: Radius Authentication
IP or Hostname: connect.starthotspot.com
URL: /login
Port: 443
Use HTTPS: Yes
Captive Portal Failure: Deny Internet
Automatic URL Whitelisting: Unticked
Redirect URL: leave blank

Click Save.

Encryption: Disabled
MAC Authentication: Disabled
Primary Server: Press + … and set the following:

Name: StartHotspot1
IP Address: 13.92.228.228
Shared Key: (contact our office)
Retype Key: as above

Other values should be left at default settings.

Click Save.


Accounting:
Accounting: Use accounting servers
Accounting Mode: Authentication
Accounting Interval: 5 min

Walled Garden:
Under Whitelist, click and type the following domains:

connect.starthotspot.com
cdn.starthotspot.com
starthotspot.com

Advanced:
Under Reauth Interval set 24 hrs

Click Next.

Access Rules: Role-Based
Under Role click on New and enter Preauth as the Name.
Click Ok.
Under Access Rules for Selected Roles click on the Plus icon.

Add a new rule for each of the following, one at a time:

Access Control / Network / Any / Allow / To a Domain Name: connect.starthotspot.com
Access Control / Network / Any / Allow / To a Domain Name: cdn.starthotspot.com
Access Control / Network / Any / Allow / To a Domain Name: starthotspot.com

Click Save after each one, then add the next until all are listed.

Finally, add the following rule:

Access Control / Network / Any / Deny / To All Destinations

Under the Role on the left choose default_wired_port_profile, select Assign Pre-authentication Role and select Preauth.
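
A check for the Preauth role built above, as an added example that is not part of the original article or of any Aruba or StartHotspot tooling: it reads rules written in this page's slash notation and reports a leftover SSH rule, a missing walled-garden domain or a missing final deny rule. The function names and the sample rule lists are constructed for illustration, and the SSH line is the temporary rule from the Instant section rewritten in that notation.

```python
# Added example: lint a Preauth role against the rules listed on this page.
WALLED_GARDEN = {"connect.starthotspot.com", "cdn.starthotspot.com", "starthotspot.com"}
DOMAIN_PREFIX = "to a domain name:"


def parse_rule(line):
    """Split one rule into (service, action, destination), lower-cased."""
    parts = [p.strip().lower() for p in line.split("/", 4)]
    if len(parts) != 5 or parts[0] != "access control":
        raise ValueError(f"unrecognised rule: {line!r}")
    return parts[2], parts[3], parts[4]


def audit_preauth(lines):
    """Return findings; an empty list means the role matches the page's steps."""
    rules = [parse_rule(line) for line in lines if line.strip()]
    findings, seen = [], set()
    for n, (service, action, dest) in enumerate(rules, start=1):
        if action != "allow":
            continue
        domain = dest[len(DOMAIN_PREFIX):].strip() if dest.startswith(DOMAIN_PREFIX) else None
        if domain in WALLED_GARDEN:
            seen.add(domain)
        elif service == "ssh":
            findings.append(f"rule {n}: temporary SSH allow rule still present")
        else:
            findings.append(f"rule {n}: allow outside the walled garden ({dest})")
    for domain in sorted(WALLED_GARDEN - seen):
        findings.append(f"missing allow rule for {domain}")
    # The page adds the deny rule last, so it must be the final entry.
    if not rules or rules[-1][1:] != ("deny", "to all destinations"):
        findings.append("last rule is not 'Deny / To All Destinations'")
    return findings


# Constructed sample: the Aruba Central rules from this page, in order.
EXPECTED = [
    "Access Control / Network / Any / Allow / To a Domain Name: connect.starthotspot.com",
    "Access Control / Network / Any / Allow / To a Domain Name: cdn.starthotspot.com",
    "Access Control / Network / Any / Allow / To a Domain Name: starthotspot.com",
    "Access Control / Network / Any / Deny / To All Destinations",
]
# Constructed sample: SSH rule left behind, one domain and the deny rule missing.
LEFTOVER = EXPECTED[:2] + ["Access Control / Network / SSH / Allow / To All Destinations"]

if __name__ == "__main__":
    for name, role in (("expected", EXPECTED), ("leftover", LEFTOVER)):
        print(name, audit_preauth(role) or "OK")
```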

Updated on October 10, 2019
