Learn how to create a secure captive portal with Aruba Instant AP using Radius for user authentication. This is a step-by-step guide for network control.
Overview
Employing the authentication features of a Radius server enables you to enforce access control policies, optimize bandwidth allocation, and improve device identification and network management. The upcoming sections will guide you through setting up this configuration step by step.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- An Aruba access point.
- Cloudi-Fi Radius IPs and Secret
- Access to the Aruba dashboard.
- Knowledge of your network’s IP addressing scheme.
- Permission to configure your firewall to allow specific ports.

| Source | Destination | Port | Protocol | Action | Comment |
| --- | --- | --- | --- | --- | --- |
| Guest subnet | Cloudi-Fi IPs | 1812-1813 | UDP | Allow | RADIUS traffic |
| Guest subnet | Any | 80 | TCP | Allow | HTTP traffic |
| Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
Step 1 - Get Cloudi-Fi required URL
Go to the "Location" section in the Cloudi-Fi Admin interface.
Create a new location and enter the required details:
- Location Name
- Type (Redirect URL)
- Portal template
- Country
Location URL: this URL will be used to configure an External Captive Portal
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the URL as follows:
- Cloudi-Fi: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spsomething.com
- Aruba Instant AP: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/sparuba.com
Step 2 - Get Radius information
To proceed with the setup, you'll need the RADIUS details, including server IPs, secret, and ports:
- IP addresses of the RADIUS servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
You can get the secret by asking in the chatbot; Cloudi-Fi’s Support team will provide you with the necessary information:
“What shared secret is used for the Radius server with Aruba? (Please save this confidential information securely, and do not share it publicly.)”
Step 3 - Network configuration
- On the Virtual controller interface, go to Configuration > Networks
- Click on the « + » to create a new Network
- Name your Network, select "Wireless" as the type, and "Guest" as the Primary usage.
- Proceed to set your VLAN parameters (recommended: "Network assigned" and "Default" for Client IP and VLAN assignments).
Step 4 - Security configuration
- Splash page type: External
- Captive portal profile: Click on « + » to create a new portal
- Authentication server: Click on « + » to create a new authentication server
Step 5 - Create a captive portal profile
A pop-up window will appear after selecting the '+' to generate a new captive portal profile.
- Type: RADIUS Authentication
- IP or hostname: login.cloudi-fi.net
- URL: the URL that you modified in Step 1
- Port: 443
- Use HTTPS: selected
- Captive Portal failure: Deny Internet
- Redirect URL: optional
Step 6 - Create an authentication server
- Enter the server information as follows
- Select "Authentication" and "Captive Portal."
Step 7 - Configure the access rules
Once you’ve finished the security part, you can configure the Access rules
- Access Rules: Unrestricted
- Download roles: unselected
Your captive portal has been set up at this stage.
Step 8 - Add a certificate
The absence of a certificate could lead to display issues.
To add a certificate, go to Maintenance > Certificates and click on Upload New Certificate.
A popup will show up on your screen, allowing you to add your certificate.
Troubleshooting
If you encounter issues with your captive portal, they may have various underlying causes.
Firewall problem
Before troubleshooting, ensure that the firewall rules outlined in the prerequisites section are enabled.
If problems persist after configuring, follow these steps and share the following details with the Cloudi-Fi support team:
- Capture a web snapshot from your browser
- Share the captured data with Cloudi-Fi support
- Provide the URL of the captive portal configured on your Aruba device
- Share any User IDs encountering error pages
Certificate-related Problems
If you lack a valid or properly applied certificate, you need to add and configure the certificate:
Add the Certificate:
- Navigate to "Your Group" in the Group section, then "Organization," and select "Certificates."
- Right-click on the '+' icon to add a certificate.
- Specify the name as "Your_certificate_name."
- Choose "Server Certificate" as the type.
- Select "PEM" as the format.
- Enter the passphrase and retype it.
- Add the certificate file.
Apply the Certificate to the Portal:
- Go to "Your Group" in Group, then "Device" and "Security."
- Unlock Certificate Usage.
- Check and add "Your_certificate."
- Click "Save Setting."
Error after authentication on the page
If you encounter a Cloudi-Fi error page after connecting to the SSID instead of your captive portal, check whether:
- The URL transformed in Step 1 is misconfigured.
- The Aruba APs are not receiving requests from Cloudi-Fi.
Check the configuration of the Radius server:
- The IP address of RADIUS
- RADIUS port (default port 1812)
- The shared password.
- Perform a Radius test from the Aruba dashboard.
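
The same checks (server IP, port 1812, shared secret) can be run from a host with a small RADIUS probe. This is an added example, not Cloudi-Fi or Aruba code. It assumes the host's source IP is one the RADIUS server accepts requests from; the `RADIUS_SECRET` environment variable name and the probe credentials are constructed for illustration.

```python
import hashlib, hmac, os, socket, struct, sys

def tlv(kind, value):
    return bytes([kind, len(value) + 2]) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident=1, req_auth=None):
    """Return (packet, request_authenticator) for a minimal Access-Request."""
    req_auth = req_auth or os.urandom(16)
    attrs = tlv(1, user.encode()) + tlv(2, hide_password(password.encode(), secret, req_auth))
    head = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18) + req_auth
    # Message-Authenticator (type 80): HMAC-MD5 over the packet with the field zeroed
    mac = hmac.new(secret, head + attrs + tlv(80, b"\x00" * 16), hashlib.md5).digest()
    return head + attrs + tlv(80, mac), req_auth

def response_is_authentic(resp, req_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(resp) < 20:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    if not 20 <= length <= len(resp):
        return False
    resp = resp[:length]  # octets past Length are padding
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(server, secret, port=1812, timeout=3.0):
    # "probe-user"/"probe-pass" are constructed credentials, expected to be rejected
    pkt, req_auth = build_access_request("probe-user", "probe-pass", secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply: check firewall, IP/port, client allow-list, shared secret"
    if not response_is_authentic(resp, req_auth, secret):
        return "reply failed verification: shared secret mismatch"
    return "reachable, secret verified (RADIUS code %d)" % resp[0]

if __name__ == "__main__":  # usage: python3 radius_probe.py <server-ip>, secret in RADIUS_SECRET
    print(probe(sys.argv[1], os.environ["RADIUS_SECRET"].encode()))
```

Any reply that passes verification, including an Access-Reject for the constructed user, shows that UDP 1812 is open and the secret matches. A timeout is ambiguous because RADIUS servers silently drop requests from unknown clients or with a bad Message-Authenticator.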
Check the availability of the RADIUS server:
If you encounter any issues or have any questions, please do not hesitate to contact our Support team.
What’s Next?
Please take a look at this page for additional details regarding Aruba and Cloudi-Fi configurations.