Skip to main content

Search

How can we help ?

Aruba - Mobility Controller deployment

Alexandre de THOMASSON
  • Updated

Step-by-step instructions to set up a Radius-based captive portal with Aruba Mobility Controller and Cloudi-Fi for user authentication.

By leveraging the authentication capabilities of a Radius server, you can enforce access control policies, allocate bandwidth effectively, and enhance device recognition and management across your network infrastructure. The following sections will provide step-by-step instructions to enable this powerful configuration.

Prerequisites:

Before starting, ensure that you have the following prerequisites:

  • An Aruba access point.
  • Admin access to the Aruba Mobility controller 
  • Cloudi-Fi Radius IPs and Secret  
  • Knowledge of your network’s IP addressing scheme.
  • Access to your firewall to allow several ports : 
Source Destination Port Protocol Action Comment
Guest subnet Cloudi-Fi IPs 1812-1813 UDP Allow RADIUS traffic
Guest subnet Any 80 TCP Allow HTTP traffic
Guest subnet Any 443 TCP Allow HTTPS traffic
Guest subnet Any 53 UDP/TCP Allow DNS resolution
* * * * Deny To be adjusted according to your needs

Step 1: Get Cloudi-Fi required URL

Location URL: this URL will be used to configure an External Captive Portal

Cloudi-Fi administration Locations Click on the menu button of the location and select Copy Splash page URI.

Transform the URI as follows.

 

 

Step 2: Get Radius information

You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.

  1. IPs address of the Radius servers
  2. Ports: UDP 1812 (Authentication) & 1813 (Accounting)

You can get the Secret by asking in the Chatbot, Cloudi-Fi’s Support team will provide you with the necessary information.

Step 3: Network configuration

  1. Navigate to the "Configuration" section.
  2. Next, WLANs and then click the + sign to add a new WLAN. Configure with:
    1. Name (SSID): Choose an SSID Name
    2. Primary Usage: Guest
    3. Broadcast on: Choose the AP group where you want to Broadcast the SSID
    4. Forwarding mode: Tunnel
  3. VLANs
    1. VLAN: 1 (or choose your VLAN)
  4. Security:
    1. Set to ClearPass or other external Captive Portal
    2. Auth servers:
      1. Click and then again to create a new server, and configure it as:
        1. Radius
        2. Name: Cloudi-Fi_Primary (Cloudi-Fi_Secondary)
        3. IP address: Cloudi-Fi Radius IPs
        4. Auth port: 1812
        5. Accounting port: 1813
        6. Shared key: Shared by Support team
        7. Retype key: Shared by Support team
        8. Timeout: 5 (or higher)
    3. Host addressing: IPv4
    4. Host: login.cloudi-fi.net
    5. Page: Captive portal URL from the admin console without login.cloudi-fi.net 
    6. Redirect page: https://login.cloudi-fi.net/success.php Aruba Mibility Controller UI - WLAN captive portal security configuration

  5. Click Next and then Next again to complete.

Step 4: Firewall Whitelist

  1. Navigate to the "Roles & Policies" section
  2. Then Select the Aliases tab and click +. Configure with:
    1. IP Version: IPV4
    2. Name: Cloudi-Whitelist
    3. Description (Optional): Walled garden
    4. Items:

      Add these "name" entries:

      1. *.cloudi-fi.net

      2. fonts.googleapis.com

Aruba Controller interface: Configure walled garden

Step 5: L3 Captive portal

  1. Navigate to the "Authentication" section, then L3 Authentication and select Captive Portal Authentication 
  2. Select your ssid_ccpm_prof profile and edit it as:
    1. Default Role: guest (or custom)
    2. Default Guest Role: guest (or custom)
    3. Default pause: 0

    4. User Login: Enabled

    5. Logout popup window: Disabled

    6. Show Welcome page: Disabled

    7. Add Switch IP address in the redirection URL: Enabled

    8. Add user VLAN in redirection URL: Enabled

    9. Adding AP(s MAC address in redirection URL: Enabled

    10. Whitelist: Add "Cloudi-Whitelist" aliases
      Aruba admin console - Edit captive portal authentication profile

Click Submit.

Finally, click Pending Changes at the top and apply changes.

Step 6: Add SSL Certificate 

To resolve the "Your network is not private" warning message, you must address the issue by obtaining a valid SSL certificate from a trusted certificate authority (CA). This certificate will ensure the security and privacy of your network.

  1. Navigate to the "Configuration" section and select "System", then "Certificates"
  2. Import your public Certificate Screenshot
  3. Navigate to the "Configuration" section and select "System", then "More" and "General."
  4. Select the Certificate previously imported as the Captive portal Certificate

Troubleshooting:Screenshot

  1. The captive portal is not displayed

    1. Before beginning, please check that the following Firewall rules are active, as mentioned in the Solution prerequisites section.

      If you still encounter problems after following all the configuration steps, follow the steps below and provide it to the Cloudi-Fi support team:

      • Make a web capture of your browser
      • Share with the Cloudi-Fi support team
      • The URL of the captive portal configured on Aruba 
      • Capture HTTP
      • User ID facing the error page Aruba troubleshooting command lists
  2. Authentication fail or Error after authentication 

    1. Once connected to the SSID, if you notice a Cloudi-Fi error page instead of your captive portal. Check if: 

      1. The URL transformed at the beginning is not misconfigured, 

      2. Check the Radius Server configuration and connectivity

        1. Navigate to the "Diagnostics" section, then Tools and AAA Server Test
        2. Run a AAA Radius test on both Servers
        3. Authentication status should show Authentication SuccessfulScreenshot
        4. If Authentication Status is AAA server timeout, check the Radius IPs, Shared Secret and Firewall rules