Learn how to create a secure captive portal with Aruba Instant AP using Radius for user authentication. Step-by-step guide for network control.
Table of contents
Step 1 - Get Cloudi-Fi required URL
Step 2 - Get Radius information
Step 3 - Network configuration
Step 4 - Security configuration
Step 5 - Create a captive portal profile
Step 6 - Create an authentication server
Step 7 - Configure the access rules
Overview
Employing the authentication features of a Radius server enables you to enforce access control policies, optimise bandwidth allocation, and improve device identification and network management. The upcoming sections will guide you through setting up this configuration step by step.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- An Aruba access point.
- Cloudi-Fi Radius IPs and Secret
- Access to the Aruba dashboard.
- Knowledge of your network’s IP addressing scheme.
- Permission to configure your firewall to allow specific ports.
| Source | Destination | Port | Protocol | Action | Comment |
| --- | --- | --- | --- | --- | --- |
| Guest subnet | Cloudi-Fi IPs | 1812-1813 | UDP | Allow | RADIUS traffic |
| Guest subnet | Any | 80 | TCP | Allow | HTTP traffic |
| Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
Step 1 - Get Cloudi-Fi required URL
- Location URL: this URL will be used to configure an External Captive Portal
- Access Cloudi-Fi administration > Select the location and choose Copy Splash page URI.
- Transform the URL as shown below.
Step 2 - Get Radius information
To proceed with the setup, you'll require the Radius details, including Server IPs, Secret, and Ports:
- IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
You can get the Secret by asking in the Chatbot; Cloudi-Fi’s Support team will provide you with the necessary information:
“What shared secret is used for the Radius server with Aruba? (Please save this confidential information securely, and do not share it publicly.)”
Step 3 - Network configuration
- On the Virtual controller interface, go to Configuration > Networks
- Click on the « + » to create a new Network
- Name your Network, select "Wireless" as the type, and "Guest" as the Primary usage.
- Proceed to set your Vlan parameters (recommended: "Network assigned" and "Default" for Client IP and VLAN assignments).
Step 4 - Security configuration
- Splash page type: External
- Captive portal profile: Click on « + » to create a new portal
- Authentication server: Click on « + » to create a new authentication server
Step 5 - Create a captive portal profile
After selecting the '+' to generate a new captive portal profile, a pop-up window will appear.
- Type: RADIUS Authentication
- IP or hostname: login.cloudi-fi.net
- URL: the one that you modified in Step 1
- Port: 443
- Use HTTPS: selected
- Captive Portal failure: Deny Internet
- Redirect URL: optional
Step 6 - Create an authentication server
- Enter the server information as follows
- Select "Authentication" and "Captive Portal."
Step 7 - Configure the access rules
Once you’ve finished the security part, you can configure the Access rules
- Access Rules: Unrestricted
- Download roles: unselected
At this stage, your captive portal has been set up.
Step 8 - Add a certificate
The absence of a certificate could lead to display issues.
To add a certificate, go to Maintenance > Certificates and click on Upload New Certificate.
A popup will show up on your screen, allowing you to add your certificate.
Troubleshooting
If you encounter issues with your captive portal, they may have various underlying causes.
Firewall problem
Before troubleshooting, ensure that the firewall rules outlined in the prerequisites section are enabled.
If problems persist after configuring, follow these steps and share the following details with the Cloudi-Fi support team:
- Capture a web snapshot from your browser
- Share the captured data with Cloudi-Fi support
- Provide the URL of the captive portal configured on your Aruba device
- Share any User IDs encountering error pages
Certificate-related Problems
If you lack a valid or properly applied certificate, you need to add and configure the certificate:
Add the Certificate:
- Navigate to "Your Group" in the Group section, then "Organization," and select "Certificates."
- Right-click on the '+' icon to add a certificate.
- Specify the name as "Your_certificate_name."
- Choose "Server Certificate" as the type.
- Select "PEM" as the format.
- Enter the passphrase, then re-enter it to confirm.
- Add the certificate file.
Apply the Certificate to the Portal:
- Go to "Your Group" in Group, then "Device" and "Security."
- Unlock Certificate Usage.
- Check and add "Your_certificate."
- Click "Save Setting."
Error after authentication on the page
If you encounter a Cloudi-Fi error page after connecting to the SSID instead of your captive portal, check whether:
- The URL transformed in Step 1 is misconfigured.
- The Aruba APs are not receiving requests from Cloudi-Fi.
Check the configuration of the Radius server:
- The IP address of RADIUS
- RADIUS port (default port 1812)
- The shared secret.
- Perform a Radius test from the Aruba dashboard.
Check the availability of the RADIUS server:
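One way to check both availability and the shared secret from a host in the guest subnet, as an added example that is not Cloudi-Fi or Aruba code: it sends a standard RADIUS Access-Request (RFC 2865, with the RFC 2869 Message-Authenticator) to UDP 1812 and verifies the Response Authenticator of the reply. The user name, password and script name are constructed placeholders; the server IP and secret are the ones obtained in Step 2.

```python
import getpass, hashlib, hmac, os, socket, struct, sys

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR the padded password with chained MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, password, secret, ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = attr(1, user) + attr(2, hide_password(password, secret, authenticator))
    attrs += attr(80, b"\x00" * 16)  # Message-Authenticator, zeroed while the HMAC is computed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def response_is_authentic(response, request, secret):
    """Response Authenticator = MD5(code + id + length + request authenticator + attributes + secret)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe(server, secret, port=1812, timeout=3.0):
    # Dummy credentials (constructed): an Access-Reject is the expected, healthy answer.
    request = build_access_request(b"probe-user", b"not-a-real-password", secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: check firewall rule, server IP and port, or shared secret"
    if not response_is_authentic(response, request, secret):
        return "reply failed the authenticator check: shared secret mismatch"
    names = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
    return names.get(response[0], "unexpected code") + ": server reachable, secret verified"

if __name__ == "__main__":
    # Usage: python radius_probe.py <server-ip>; the secret is prompted for, not passed on argv.
    print(probe(sys.argv[1], getpass.getpass("RADIUS shared secret: ").encode()))
```

A RADIUS server silently discards requests from client addresses it does not know (RFC 2865), so a timeout is only conclusive when the probe is sent from a source address the server accepts.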
If you encounter any issues or have any questions, please do not hesitate to contact our Support team.
What’s Next?
Please refer to this page for additional details regarding Aruba and Cloudi-Fi configurations.