Step-by-step instructions on how to set up a Radius-based captive portal with Aruba Mobility Controller and Cloudi-Fi for user authentication.
Use case
By leveraging the authentication capabilities of a Radius server, you can enforce access control policies, allocate bandwidth effectively, and enhance device recognition and management across your network infrastructure. The following sections will provide step-by-step instructions to enable this powerful configuration.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- An Aruba access point.
- Admin access to the Aruba Mobility Controller.
- Cloudi-Fi Radius IPs and Secret.
- Knowledge of your network’s IP addressing scheme.
- Access to your firewall to allow the following ports:
| Source | Destination | Port | Protocol | Action | Comment |
| --- | --- | --- | --- | --- | --- |
| Guest subnet | Cloudi-Fi IPs | 1812-1813 | UDP | Allow | RADIUS traffic |
| Guest subnet | Any | 80 | TCP | Allow | HTTP traffic |
| Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
1. Get Cloudi-Fi required URL
Go to the "Location" section in the Cloudi-Fi Admin interface.
Create a new location and enter the required details:
- Location Name
- Type (Redirect URL)
- Portal template
- Country
Location URL: this URL is used to configure the External Captive Portal. To copy it:
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the URL as follows:
- Cloudi-Fi: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spsomething.com
- Aruba Mobility Controller: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spvcaruba.com
2. Get Radius information
You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.
- IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
- The Secret (provided by Cloudi-Fi Support)
You can get the Secret by asking in the Chatbot; Cloudi-Fi's Support team will provide you with the necessary information. For example:
- What shared secret is used for the Radius server with Aruba?
Save this confidential information securely, and do not share it publicly.
3. Network configuration
Navigate to the "Configuration" section.
Next, select WLANs and click the + sign to add a new WLAN. Configure it with:
- Name (SSID): Choose an SSID Name
- Primary Usage: Guest
- Broadcast on: Choose the AP group where you want to Broadcast the SSID
- Forwarding mode: Tunnel
VLANs:
- VLAN: 1 (or choose your VLAN)
Security:
- Set to ClearPass or other external Captive Portal
- Auth servers:
  - Click + and then + again to create a new server, and configure it as:
    - Radius
    - Name: Cloudi-Fi_Primary (Cloudi-Fi_Secondary)
    - IP address: Cloudi-Fi Radius IPs
    - Auth port: 1812
    - Accounting port: 1813
    - Shared key: Shared by the Support team
    - Retype key: Shared by the Support team
    - Timeout: 5 (or higher)
- Click + and then + again to create a new server, and configure it as:
  - Host addressing: IPv4
  - Host: login.cloudi-fi.net
  - Page: Captive portal URL from the admin console without login.cloudi-fi.net
  - Redirect page: https://login.cloudi-fi.net/success.php
- Click Next and then Next again to complete.
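The URL handling from steps 1 and 3, as an added example that is not Cloudi-Fi or Aruba code: it rewrites a copied splash page URL to the Aruba form and splits it into the Host and Page values. The path layout, the absence of a query string and the leading slash on Page are assumptions inferred from the single example URL on this page; the function names are hypothetical.

```python
from urllib.parse import urlsplit

PORTAL_HOST = "login.cloudi-fi.net"  # "Host" value from step 3
ARUBA_SP = "spvcaruba.com"           # final segment of the Aruba URL in step 1


def aruba_portal_fields(splash_url: str) -> dict:
    """Derive the step 3 Host/Page values from a copied splash page URL.

    Assumption: the path follows the page's example,
    /start/ch/<id>/lh/<id>/sp/<value>, with no query string.
    """
    parts = urlsplit(splash_url.strip())
    if parts.scheme != "https":
        raise ValueError("splash page URL must use https")
    # Comparing the whole netloc also rejects userinfo and explicit ports.
    if parts.netloc.lower() != PORTAL_HOST:
        raise ValueError(f"unexpected host {parts.netloc!r}")
    if parts.query or parts.fragment:
        raise ValueError("unexpected query string or fragment")
    seg = parts.path.split("/")  # ['', 'start', 'ch', id, 'lh', id, 'sp', value]
    if (len(seg) != 8 or seg[:3] != ["", "start", "ch"]
            or seg[4] != "lh" or seg[6] != "sp"):
        raise ValueError("path is not /start/ch/<id>/lh/<id>/sp/<value>")
    if not (seg[3] and seg[5] and seg[7]):
        raise ValueError("empty identifier in path")
    seg[7] = ARUBA_SP  # the only part that changes in the page's example
    page = "/".join(seg)
    return {"host": PORTAL_HOST, "page": page,
            "url": f"https://{PORTAL_HOST}{page}"}


def is_aruba_form(url: str) -> bool:
    """True when url is already the transformed URL (troubleshooting check)."""
    try:
        return aruba_portal_fields(url)["url"] == url.strip()
    except ValueError:
        return False


if __name__ == "__main__":
    # Example URL taken from step 1 of this page.
    copied = ("https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg"
              "/lh/qgrzqrgegs/sp/spsomething.com")
    fields = aruba_portal_fields(copied)
    print("Host:", fields["host"])
    print("Page:", fields["page"])
    print("Already transformed?", is_aruba_form(copied))
```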
4. Firewall whitelist
Navigate to the "Roles & Policies" section.
Then select the Aliases tab and click +. Configure with:
- IP Version: IPV4
- Name: Cloudi-Whitelist
- Description (Optional): Walled garden
- Items: Add these "name" entries
  - *.cloudi-fi.net
  - fonts.googleapis.com
5. L3 Captive portal
- Navigate to the "Authentication" section, then L3 Authentication and select Captive Portal Authentication
- Select your ssid_ccpm_prof profile and edit it as:
  - Default Role: guest (or custom)
  - Default Guest Role: guest (or custom)
  - Default pause: 0
  - User Login: Enabled
  - Guest Login: Enabled
  - Logout popup window: Disabled
  - Show Welcome page: Disabled
  - Add Switch IP address in the redirection URL: Enabled
  - Add user VLAN in redirection URL: Enabled
  - Adding AP MAC address in redirection URL: Enabled
  - Add a controller interface in the redirection URL: Your certificate FQDN
  - Whitelist: Add "Cloudi-Whitelist" aliases
Click Submit.
Finally, click Pending Changes at the top and apply changes.
6. Add SSL certificate
To resolve the "Your network is not private" warning message, obtain a valid SSL certificate from a trusted certificate authority (CA) and install it on the controller. With a trusted certificate, client browsers accept the controller's HTTPS captive portal redirection without a warning.
- Navigate to the "Configuration" section and select "System", then "Certificates"
- Import your public Certificate
- Navigate to the "Configuration" section and select "System", then "More" and "General."
- Select the Certificate previously imported as the Captive portal Certificate
Troubleshooting
The captive portal is not displayed
- Before beginning, check that the firewall rules listed in the Prerequisites section are active. If you still encounter problems after following all the configuration steps, follow the steps below and provide the results to the Cloudi-Fi support team:
  - Make a web capture of your browser
  - Share with the Cloudi-Fi support team:
    - The URL of the captive portal configured on Aruba
    - The user ID facing the error page
    - Aruba troubleshooting command lists
Authentication fail or Error after authentication
- Once connected to the SSID, if you see a Cloudi-Fi error page instead of your captive portal, check the following:
  - The URL transformed at the beginning is not misconfigured
  - The Radius server configuration and connectivity:
    - Navigate to the "Diagnostics" section, then Tools and AAA Server Test
    - Run an AAA Radius test on both servers
    - Authentication status should show Authentication Successful
    - If the Authentication Status is AAA server timeout, check the Radius IPs, Shared Secret and Firewall rules
If you encounter any issues or have any questions, please do not hesitate to contact our Support team.