WiFi-based check-in: Aruba virtual controller
Last updated
Last updated
Before you configure the controller make sure you have set up your RADIUS server and have purchased a license.
Use the guide below to configure your Aruba virtual controller and the external Captive Portal with RADIUS authentication.
Sign in to the Aruba Administration console at https://instant.arubanetworks.com:4343 and type your email and pin-code.
Go to Network > Edit and open the settings of a network that you should configure to use the Captive Portal with RADIUS authentication. Our example network is aruba qa.
Configure Client IP & VLAN Assignment. In our example, we keep the default settings.
From the Splash page type drop-down list, select External.
From the Captive portal profile drop-down list, select your network. In our example, the network is qa.
From the Auth server 1 drop-down list, select your network.
Set Accounting to Use authentication servers.
Set Encryption to Disabled.
Number | Description |
1 | The Captive portal profile Edit button |
Next to Captive portal profile, click Edit.
From the Type drop-down list, select Radius Authentication.
In the IP or hostname text box, type http://XYZ.spaces.nexudus.com, where XYZ is the default domain name you can find in Settings > Webiste > General on your Nexudus account.
In the URL text box, type /en/splash.
In the Port text box, type 443.
From the Use https drop-down list, select Enabled.
From the Captive Portal failure drop-down list, select Deny internet.
From the Automatic URL Whitelisting drop-down list, select Enabled.
Leave the Redirect URL text box empty.
Number | Description |
1 | The Auth server 1 Edit button |
Next to Auth server 1, click Edit.
In the IP address text box, type the IP address you want to allow access to.
In the Auth port text box, type 5701.
In the Accounting port text box, type 5702.
In the Shared key text box, type your personal key.
Click the Walled garden tab and enter the values from the RADIUS server.
Number | Description |
1 | The Walled Garden tab |
2 | The Whitelist section |
Add all IP addresses and host-names above, including http://XYZ.spaces.nexudus.com/ to the whitelist.
By default, your Aruba controller intercepts HTTPS traffic to all external servers breaking SSL connections. To prevent this, we need to create a new role permitting TCP connections to port 443 on external servers, for example, splash.ironwifi.com, google.com, or facebook.com.
Select the Assign pre-authentication role checkbox.
From the drop-down list, select create role.
Create new roles that you can see in the screenshots.
Click Finish to apply new settings.
Number | Description |
1 | New role added |
2 | Defining access rules for a role |
3 | Assigning pre-authentication role |
Number | Description |
1 | New role added |
2 | Defining access rules for a role |
3 | Assigning pre-authentication role |
4 | The Finish button |
To fix the SSL error, you need to replace the default invalid certificate.
You can generate a valid SSL certificate for free here. You can let the page generate a request to sign a certificate for you. You can also visit this page for detailed instructions on how to generate a request manually. Don't use a wildcard SSL certificate.
Copy the content of the downloaded files certificate.crt, ca_bundle.crt and private.key to a single file: aruba.pem.
Upload this file to your Aruba IAP and then do the following:
Click on Maintenance > Certificates.
From the Certificate type drop-down list, select Captive portal server.
From the Certificate format drop-down list, select PAM.
Click Upload Certificate to apply new settings.
Number | Description |
1 | The Certificates tab |
2 | Certificate type and format drop-down lists |
3 | The Upload Certificate button |