Step-by-step instructions to set up a Radius-based captive portal with Aruba Mobility Controller and Cloudi-Fi for user authentication.
By leveraging the authentication capabilities of a Radius server, you can enforce access control policies, allocate bandwidth effectively, and enhance device recognition and management across your network infrastructure. The following sections will provide step-by-step instructions to enable this powerful configuration.
Prerequisites:
Before starting, ensure that you have the following prerequisites:
- An Aruba access point.
- Admin access to the Aruba Mobility Controller.
- Cloudi-Fi Radius IPs and Secret
- Knowledge of your network’s IP addressing scheme.
- Access to your firewall to allow several ports:

| Source | Destination | Port | Protocol | Action | Comment |
| --- | --- | --- | --- | --- | --- |
| Guest subnet | Cloudi-Fi IPs | 1812-1813 | UDP | Allow | RADIUS traffic |
| Guest subnet | Any | 80 | TCP | Allow | HTTP traffic |
| Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |

Step 1: Get Cloudi-Fi required URL
Location URL: this URL will be used to configure an External Captive Portal
In the Cloudi-Fi administration console, go to Locations, click on the menu button of the location and select Copy Splash page URI.
Transform the URI as follows.
Step 2: Get Radius information
You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.
- IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
You can get the Secret by asking in the Chatbot; Cloudi-Fi’s Support team will provide you with the necessary information.
Step 3: Network configuration
- Navigate to the "Configuration" section.
- Next, select WLANs and then click the + sign to add a new WLAN. Configure with:
  - Name (SSID): Choose an SSID Name
  - Primary Usage: Guest
  - Broadcast on: Choose the AP group where you want to Broadcast the SSID
  - Forwarding mode: Tunnel
- VLANs
  - VLAN: 1 (or choose your VLAN)
- Security:
  - Set to ClearPass or other external Captive Portal
  - Auth servers:
    - Click + and then + again to create a new server, and configure it as:
      - Radius
      - Name: Cloudi-Fi_Primary (Cloudi-Fi_Secondary)
      - IP address: Cloudi-Fi Radius IPs
      - Auth port: 1812
      - Accounting port: 1813
      - Shared key: Shared by Support team
      - Retype key: Shared by Support team
      - Timeout: 5 (or higher)
    - Click + and then + again to create a new server, and configure it as:
      - Host addressing: IPv4
      - Host: login.cloudi-fi.net
      - Page: Captive portal URL from the admin console without login.cloudi-fi.net
      - Redirect page: https://login.cloudi-fi.net/success.php
Click Next and then Next again to complete.
Step 4: Firewall Whitelist
- Navigate to the "Roles & Policies" section
- Then select the Aliases tab and click +. Configure with:
  - IP Version: IPv4
  - Name: Cloudi-Whitelist
  - Description (Optional): Walled garden
  - Items: Add these "name" entries:
    - *.cloudi-fi.net
    - fonts.googleapis.com
Step 5: L3 Captive portal
- Navigate to the "Authentication" section, then L3 Authentication and select Captive Portal Authentication
- Select your ssid_ccpm_prof profile and edit it as:
  - Default Role: guest (or custom)
  - Default Guest Role: guest (or custom)
  - Default pause: 0
  - User Login: Enabled
  - Logout popup window: Disabled
  - Show Welcome page: Disabled
  - Add Switch IP address in the redirection URL: Enabled
  - Add user VLAN in redirection URL: Enabled
  - Adding AP's MAC address in redirection URL: Enabled
  - Whitelist: Add "Cloudi-Whitelist" aliases
Click Submit.
Finally, click Pending Changes at the top and apply changes.
Step 6: Add SSL Certificate
To resolve the "Your network is not private" warning message, obtain a valid SSL certificate from a trusted certificate authority (CA). This certificate will ensure the security and privacy of your network.
- Navigate to the "Configuration" section and select "System", then "Certificates"
- Import your public Certificate
- Navigate to the "Configuration" section and select "System", then "More" and "General."
- Select the Certificate previously imported as the Captive portal Certificate
Troubleshooting:
- The captive portal is not displayed
  Before beginning, check that the firewall rules listed in the Prerequisites section are active.
  If you still encounter problems after following all the configuration steps, follow the steps below and provide the results to the Cloudi-Fi support team:
  - Make a web capture of your browser
  - Share with the Cloudi-Fi support team:
    - The URL of the captive portal configured on Aruba
    - Capture HTTP
    - User ID facing the error page
    - Aruba troubleshooting command lists
- Authentication failure or error after authentication
  Once connected to the SSID, if you notice a Cloudi-Fi error page instead of your captive portal, check the following:
  - The URL transformed at the beginning is not misconfigured
  - The Radius Server configuration and connectivity:
    - Navigate to the "Diagnostics" section, then Tools and AAA Server Test
    - Run an AAA Radius test on both Servers
    - Authentication status should show Authentication Successful
    - If Authentication Status is AAA server timeout, check the Radius IPs, Shared Secret and Firewall rules
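The same check as the AAA Server Test can be run from any host on the guest subnet to tell a timeout apart from a shared-secret mismatch. The following is an added example, not Cloudi-Fi or Aruba code; it assumes PAP authentication on UDP 1812, and the function names (`build_access_request`, `classify_reply`, `probe`) are hypothetical.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(ident, user, password, secret, req_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    req_auth = req_auth or os.urandom(16)
    attrs = struct.pack("!BB", 80, 18) + b"\x00" * 16  # Message-Authenticator slot
    for atype, value in ((1, user), (2, hide_password(password, secret, req_auth))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # RFC 3579 HMAC-MD5
    return packet[:22] + mac + packet[38:], req_auth

def classify_reply(reply, ident, req_auth, secret):
    """Map a reply (or None on timeout) to the cause to investigate."""
    if reply is None:
        return "timeout"      # wrong IP, UDP 1812 blocked, or request dropped
    if len(reply) < 20:
        return "malformed"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return "malformed"
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-secret"   # Response Authenticator does not match our key
    return {2: "accept", 3: "reject"}.get(code, "unexpected")

def probe(server, user, password, secret, timeout=5.0):
    """Send one Access-Request to server:1812 and classify the outcome."""
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 1812))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = None
    return classify_reply(reply, ident, req_auth, secret)
```

Call `probe()` with the server IP and secret supplied by the support team, passing user, password and secret as bytes. A `"timeout"` result points at the firewall rules or the server IP, while `"bad-secret"` means the server answered but with a different shared key.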