Go to Network > Edit and open the settings of a network that you should configure to use the Captive Portal with RADIUS authentication. Our example network is aruba qa.
Configuring WLAN
Configure Client IP & VLAN Assignment. In our example, we keep the default settings.
Configuring Client IP & VLAN Assignment
To configure the Security Level
From the Splash page type drop-down list, select External.
From the Captive portal profile drop-down list, select your network. In our example, the network is qa.
From the Auth server 1 drop-down list, select your network.
Set Accounting to Use authentication servers.
Set Encryption to Disabled.
To edit the Captive portal profile
Editing Captive portal profile
Number
Description
1
The Captive portal profileEdit button
Next to Captive portal profile, click Edit.
From the Type drop-down list,select Radius Authentication.
In the IP or hostname text box, type http://XYZ.spaces.nexudus.com, where XYZ is the default domain name you can find in Settings > Webiste > General on your Nexudus account.
In the URL text box, type /en/splash.
In the Port text box, type 443.
From the Use https drop-down list, select Enabled.
From the Captive Portal failure drop-down list, select Deny internet.
From the Automatic URL Whitelisting drop-down list, select Enabled.
Leave the Redirect URL text box empty.
To edit the Auth server 1
Editing Auth server 1
Number
Description
1
The Auth server 1Edit button
Next to Auth server 1, click Edit.
In the IP address text box, type the IP address you want to allow access to.
In the Auth port text box, type 5701.
In the Accounting port text box, type 5702.
In the Shared key text box, type your personal key.
Adding required IP addresses and host names to the whitelist
Click the Walled garden tab andenter the values from the RADIUS server.
By default, your Aruba controller intercepts HTTPS traffic to all external servers breaking SSL connections. To prevent this, we need to create a new role permitting TCP connections to port 443 on external servers, for example, splash.ironwifi.com, google.com, or facebook.com.
To create a new role
Select the Assign pre-authentication role checkbox.
From the drop-down list, select create role.
Create new roles that you can see in the screenshots.
Click Finish to apply new settings.
Allowing access to https
Number
Description
1
New role added
2
Defining access rules for a role
3
Assigning pre-authentication role
Allowing TCP on port 443
Number
Description
1
New role added
2
Defining access rules for a role
3
Assigning pre-authentication role
4
The Finish button
Replacing the SSL certificate
To fix the SSL error, you need to replace the default invalid certificate.
You can generate a valid SSL certificate for free here. You can let the page generate a request to sign a certificate for you. You can also visit this page for detailed instructions on how to generate a request manually. Don't use a wildcard SSL certificate.
Copy the content of the downloaded files certificate.crt, ca_bundle.crt and private.key to a single file: aruba.pem.
Upload this file to your Aruba IAP and then do the following:
Click on Maintenance > Certificates.
From the Certificate type drop-down list, select Captive portal server.
From the Certificate format drop-down list, select PAM.
