Aruba Central - Integration with Cloudi-Fi

Set up a Radius-based captive portal with Aruba Central and Cloudi-Fi for user authentication.

Use case:

This guide provides step-by-step instructions for integrating the Cloudi-Fi captive portal with Aruba Central Network. This setup enables Radius-based user authentication, ensuring a secure and seamless network access experience.

Aruba Central integration with Cloudi-Fi captive portal diagram

Prerequisites:

Before starting, ensure you have the following prerequisites:

• Administrator login credentials on HPE Greenlake
• Administrator login credentials to Cloudi-Fi administration GUI
• Cloudi-Fi Radius IPs and Secret
• Knowledge of your network’s IP addressing scheme
• Firewall
  • Before beginning, please check that the following Firewall rules are active on the site :
    • Allow HTTP and HTTPS traffic for captive portal redirection: Traffic on ports 80 (TCP) and 443 (TCP) is allowed to any destination,
    • Allow RADIUS traffic to Cloudi-Fi’s IPs for authentication and accounting: Traffic on ports 1812-1813 (UDP) is allowed to Cloudi-Fi’s IP addresses.
    • Allow DNS service for name resolution.
    • Allow the Syslog server for log collection to activate the compliance feature.

Step 1: Get the Cloudi-Fi required URL

Go to the "Location" section in the Cloudi-fi Admin interface.
Create New Location and enter the required details for the new location:

• Location Name
• Type (Redirect URL)
• Portal template
• Country 

Location URL: this URL will be used to configure an External Captive Portal

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spsomething.com

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/sparuba.com

Step 2: Get Radius information

You will need the Radius information (Server IPs, Secret, Ports) to set up.

1. IPs address of the Radius servers
2. Ports: UDP 1812 (Authentication) & 1813 (Accounting)
3. The Secret (provided by Cloudi-Fi Support)

You can get the Secret by asking in the Chatbot, Cloudi-Fi’s Support team will provide you with the necessary information.

1. What is shared secret is used for the Radius server? (Please save this confidential information securely, and do not share it publicly.)

Step 3: Configure a group

Once on the Aruba Central interface, we suggest you group your devices by location for simplified management and configuration.

1. Start by selecting "Global" and then click on "Groups" located at the top left.
2. Proceed to create a new group by clicking the "+" symbol. We suggest generating a group for each specific location.
3. Assign a name to the group as "your_Group."
4. Choose "Access Point" to indicate that this group will encompass Access Points.
5. To continue, click the "Next" button.

You can adapt the configuration to your network and equipment by clicking “Add“.

Note: The access point architectures of both ArubaOS 8 and ArubaOS 10 are compatible.

Step 4: Create an SSID 

At this level, you’ll create a new SSID and configure it as a network for guests or employees.

To create a new SSID:

1. Navigate to Devices, then Access Points.
2. Enable config mode
3. Click on "Add SSID."
4. Name your SSID and then select "Next."
5. Configure your network preferences and click "Next" to proceed.

Step 5: Configure the SSID Security Level

1. Opt for the "Visitors" Security Level.
2. Pick the "External Captive Portal" type.

Step 6: Configure the Radius Server and the Captive Portal

1. Select the type “External Captive Portal. “
2. Click on the button "+".

   Name:	Give it a name
   IP or Hostname	login.cloudi-fi.net
   URL:	Paste your modified portal URL from “/start/ch“ to the end.
   Port	443
   HTTPS	Select: “Use HTTPS“ and “Automatic URL. Allow listing“ if available.
   Automatic URL. Allow listing	Select if available

3. Configure the primary and secondary Radius:
   1. You will need the server IPs.
   2. Select Primary Server
   3. Click on the "+" sign next to Primary Server.

      Server type	RADIUS
      Name	Select Primary
      IP Address/FQDN	Provided by Cloudi-Fi
      Share key	Provided by Cloudi-Fi
      Auth port	1812
      Accounting port	1813
      Retry count	3
      Timeout	5
      Service Type Framed User	MAC/Captive Portal
      Query Status of RADIUS Servers(RFC 5997)	Authentication and Accounting

   4. Add the "Secondary server" following the same configuration as the primary server.

Step 7: Configure the Access rules

1. Choose the "Role-based" access rules
2. Create a "Pre-authentication" role that should allow connections to a domain name:  login.cloudi-fi.net, before the authentication, allowing the end user to get the captive portal.
3. You must also select the option "Log".
4. Assign a pre-authentication role:
   1. Check and select the "Pre-authentication" you just created.
5. Click on “Next“ to finish.

Step 8: Configure the Syslog Server

Ensure you are part of the appropriate group before configuring the Syslog server.

1. Click on "Device", followed by "System" and then “Logging".
2. Put the Syslog IPs for Cloudi-Fi's server.
3. Then select "User" and "User-debug" as "Syslog Facility Levels" with debug level and warning or critical for everything else.

Step 9: Configure an SSL Certificate (Optional)

Certificates ensure data is transmitted privately, without modification, loss, or theft.

Adding a certificate to your Aruba controller can ensure a more secure Internet experience for your users.

We suggest creating a .PEM file containing your server, intermediate and root CA.

Important: the order of certificates is critical. The server certificate must be first, followed by intermediate certificates, and finally the root certificate.

If you have a key validation error, you should add you .key file at the top of your .PEM file.

To import a certificate into your group:

1. Click on “Organization“ on the left panel and then click on “Certificates“.
2. Add a new certificate by clicking“+“.

To ensure that the newly added certificate is recognised, applying it to the captive portal is necessary. Apply the following settings:

1. Go to Devices > Config > Security > Certificate usage > Certificate Usage
2. Click on "Portal Captive" and select "your_certificate" to apply for the added certificate.
3. After successfully adding and applying the certificate, connect to the SSID.

Step 10: Troubleshooting

1. Firewall problem
   1. Before beginning, please check that the following Firewall rules are active, as mentioned in the Solution prerequisites section.
   2. If you still encounter problems after following all the configuration steps, follow the steps below and provide it to the Cloudi-Fi support team:
   3. Make a web capture of your browser
   4. Share with the Cloudi-Fi support team
   5. The URL of the captive portal configured on Aruba
   6. User ID facing the error page Aruba troubleshooting command lists
2. Captive portal display issue before or after authentication

   1. The problem may be related to DHCP or DNS.

      • Check that your IP private address is valid.
      • Check that login.cloudi-fi.net is resolved.

      Assuming the DNS and IP address function correctly, you still have a captive portal problem.

   2. Type http://neverssl.com on your browser to apply the redirection on the portal.
   3. If the captive portal still does not appear, check the authorisations in "Access".
   4. Click on "Your_Group" > Device > Config > WLANs > Access > Rule
   5. Follow the path below and check if Cloudi-Fi's domains or IPs are authorized before authentication.
3. Error after authentication on the page
   1. Once connected to the SSID, if you notice a Cloudi-Fi error page instead of your captive portal
      1. Check the configuration of the Radius server:
         • The IP address of RADIUS • RADIUS port (default port 1812)
         • The shared password
      2. Check the availability of the RADIUS server:
         • In your Aruba central, Under Tools, click the Console tab. The Remote Console Session page is displayed, and the New Session tab is selected by default.
         • From the Device Type drop-down list, select the device type.
           • Select the device.
           • Enter the username and password, and click Create Session.
         • Ping <IP_RADIUS_Server ou FQDN>
         • Test the accessibility of the RADIUS server
           • Enter aaa test-server <server_name> username <user> password <oudhbdfga> authtype pap
             • If you have a “timeout “ as below, this is an Invalid Pre-shared key

What's next?

Aruba Central's Role Assignment Rule is a prominent feature that enables the dynamic allocation of roles to users based on specific criteria. This feature can be further enhanced through Radius filter IDs. By leveraging these capabilities, administrators can create highly granular access control policies that help to ensure network security, simplify network management, and enhance user productivity.

Cloudi-Fi facilitates administrators in defining user profiles, which can be seamlessly shared with Aruba Central via the Radius filter ID. This integration empowers administrators to establish customised roles and policies tailored to different user types. For example, two Role Assignment Rules can be implemented to assign the "Guest" or "Employee" role to users who connect through the captive portal. Employees may require access to specific applications or resources, while the Guest group may need limited privileges. With Aruba Central, administrators can create customized roles and policies for each group, ensuring that users have the appropriate level of access to network resources.