# WiFi-based check-in: Aruba virtual controller

### Setup

Before you configure the controller make sure you have set up your [RADIUS server and have purchased a license](/platform/settings/integrations-and-apps-1/wifi-based-check-in/setting-up-wifi-based-check-in-using-radius-servers.md).

### Configuring Aruba Controller

Use the guide below to configure your Aruba virtual controller and the external Captive Portal with RADIUS authentication.

Sign in to the Aruba Administration console at [https://instant.arubanetworks.com:4343](https://instant.arubanetworks.com:4343/) and type your email and pin-code.

![Accessing the administration console](/files/-LhGowQLuiZNnSBL4U3t)

Go to **Network** > **Edit** and open the settings of a network that you should configure to use the Captive Portal with RADIUS authentication. Our example network is **aruba qa**.

![Configuring WLAN](/files/-LhGoxwc3Br4nuBR13x-)

Configure **Client IP & VLAN Assignment**. In our example, we keep the default settings.

![Configuring Client IP & VLAN Assignment](/files/-LhGozS4ZG-qPP_2yQjt)

### To configure the **Security Level**

1. From the **Splash page type** drop-down list, select **External**.
2. From the **Captive portal profile** drop-down list, select your network. In our example, the network is **qa**.
3. From the **Auth server 1** drop-down list, select your network.
4. Set **Accounting** to **Use authentication servers**.
5. Set **Encryption** to **Disabled**.

### To edit the Captive portal profile

![Editing Captive portal profile](/files/-LhGp0elv68NW05Jn-PB)

| Number | Description                                    |
| ------ | ---------------------------------------------- |
| 1      | The **Captive portal profile** **Edit** button |

1. Next to **Captive portal profile**, click **Edit.**
2. From the **Type** drop-down list, select **Radius Authentication**.
3. In the **IP or hostname** text box, type [http://XYZ.spaces.nexudus.com](http://xyz.spaces.nexudus.com/en/splash), where **XYZ** is the default domain name you can find in **Settings** > **Webiste** > **General** on your Nexudus account.
4. In the **URL** text box, type */en/splash*.
5. In the **Port** text box, type *443*.
6. From the **Use https** drop-down list, select **Enabled**.
7. From the **Captive Portal failure** drop-down list, select **Deny internet**.
8. From the **Automatic URL Whitelisting** drop-down list, select **Enabled**.
9. Leave the **Redirect URL** text box empty.

### To edit the Auth server 1

![Editing Auth server 1](/files/-LhGpH5_KIqRAuy5UUI9)

| Number | Description                           |
| ------ | ------------------------------------- |
| 1      | The **Auth server 1** **Edit** button |

1. Next to **Auth server 1**, click **Edit**.
2. In the **IP address** text box, type the IP address you want to allow access to.
3. In the **Auth port** text box, type 5701.
4. In the **Accounting port** text box, type 5702.
5. In the **Shared key** text box, type your personal key.

### Adding required IP addresses and host names to the whitelist

Click the **Walled garden** tab and enter the values from the RADIUS serve&#x72;**.**

![Whitelisting IP addresses and host names](/files/-LhGp4Skp6Q-ZnMX9z0_)

| Number | Description               |
| ------ | ------------------------- |
| 1      | The **Walled Garden** tab |
| 2      | The **Whitelist** section |

Add all IP addresses and host-names above, including [http://XYZ.spaces.nexudus.com](http://xyz.spaces.nexudus.com/en/splash)/ to the whitelist.

### Creating new roles

By default, your Aruba controller intercepts HTTPS traffic to all external servers breaking SSL connections. To prevent this, we need to create a new role permitting TCP connections to port 443 on external servers, for example, splash.ironwifi.com, google.com, or facebook.com.

### **To create a new role**

* Select the **Assign pre-authentication role** checkbox.
* From the drop-down list, select **create role**.&#x20;
* Create new roles that you can see in the screenshots.&#x20;
* Click **Finish** to apply new settings.

![Allowing access to https](/files/-LhGpUcymRWnIAUITcUg)

| Number | Description                       |
| ------ | --------------------------------- |
| 1      | New role added                    |
| 2      | Defining access rules for a role  |
| 3      | Assigning pre-authentication role |

![Allowing TCP on port 443](/files/-LhGpXSZem6ONzZgr3o1)

| Number | Description                       |
| ------ | --------------------------------- |
| 1      | New role added                    |
| 2      | Defining access rules for a role  |
| 3      | Assigning pre-authentication role |
| 4      | The **Finish** button             |

### Replacing the SSL certificate

To fix the SSL error, you need to replace the default invalid certificate.

You can generate a valid SSL certificate for free [here](https://www.sslforfree.com/). You can let the page generate a request to sign a certificate for you. You can also visit [this page](https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025) for detailed instructions on how to generate a request manually. Don't use a wildcard SSL certificate.

{% hint style="info" %}
Copy the content of the downloaded files **certificate.crt**, **ca\_bundle.crt** and **private.key** to a single file: **aruba.pem**.
{% endhint %}

Upload this file to your Aruba IAP and then do the following:

* Click on **Maintenance** > **Certificates**.
* From the **Certificate type** drop-down list, select **Captive portal server**.
* From the **Certificate format drop-down** list, select PAM.
* Click **Upload Certificate** to apply new settings.

![Entering a valid SSL certificate](/files/-LhGpt7yekK7Rij9zz2Y)

| Number | Description                                 |
| ------ | ------------------------------------------- |
| 1      | The **Certificates** tab                    |
| 2      | Certificate type and format drop-down lists |
| 3      | The **Upload Certificate** button           |


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://legacydocs.nexudus.com/platform/settings/integrations-and-apps-1/wifi-based-check-in/setting-up-wifi-based-check-in-using-radius-servers/network-based-check-in-aruba-virtual-controller.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.