Skip to main content

Search

Cloudi-Fi Knowledge Base

Aruba Instant deployment

Alexandre de THOMASSON
  • Updated

Describes how to configure your Aruba Instant Access Points to activate the Cloudi-Fi splash page feature.

Use case

By leveraging the authentication capabilities of a Radius server, you can enforce access control policies, allocate bandwidth effectively, and enhance device recognition and management across your network infrastructure. The following sections will provide step-by-step instructions to enable this powerful configuration.

Aruba AP deployment with Cloudi-Fi captive portal.png

Prerequisites

Before starting, ensure that you have the following prerequisites:

  • Access to Cloudi-Fi's admin console
  • Cloudi-Fi Radius IPs and Secret.
  • Access to the Aruba.
  • Knowledge of your network’s IP addressing scheme.
  • Access to your firewall to allow several ports:
Source Destination Port Protocol Action Comment
Guest subnet Cloudi-Fi IPs 1812-1813 UDP Allow RADIUS traffic
Guest subnet Any 80 TCP Allow HTTP traffic
Guest subnet Any 443 TCP Allow HTTPS traffic
Guest subnet Any 53 UDP/TCP Allow DNS resolution
* * * * Deny To be adjusted according to your needs

 

1. Get Cloudi-Fi required URL

Go to the "Location" section in the Cloudi-fi Admin interface.
Create New Location and enter the required details for the new location:

  • Location Name
  • Type (Redirect URL)
  • Portal template
  • Country 

Location URL: this URL will be used to configure an External Captive Portal

  • Access the Cloudi-Fi administration console
  • Select the location
  • Click on the menu button for the location
  • Select "Copy Splash page URL"

Aruba Instant Deployement_Cloudi-Fi Get captive portal url.png

Transform the URL as follows:

Cloudi-Fi

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spsomething.com

Aruba Instant

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/sparuba.com

 

2. Get Radius information

Start by accessing the chatbot interface and request your Radius information (server IPs, secrets, Ports). After that, make sure to copy and securely store the Radius secret.

You can get the Secret by asking in the Chatbot. Cloudi-Fi’s Support team will provide you with the necessary information. 

Cloudi-Fi - Get Radius secret for Aruba

  • What shared secret is used for the Radius server with Aruba AP? (Please save this confidential information securely, and do not share it publicly).

 

3. Create the Cloudi-Fi Radius server

This server will authorize the Aruba controller after the user provides his credentials to Cloudi-Fi.

In the top right corner of the Aruba Instant Controller GUI, go to Security Authentication Server New.

  • IP Address: 87.98.173.68
  • Auth Port: 1812
  • Accounting port: 1813
  • Shared key: provided by the Cloudi-Fi support team
  • Service type framed user: tick Captive Portal
  • Click on “OK

Aruba Instant deployement-captive portal - Radius configuration.png

 

4. Create an external captive portal

Note: The Captive Portal feature can be enabled in two different ways with Aruba, depending on your infrastructure:

In this section, we will configure the URL where the user is redirected to be authenticated.
Go to Security External Captive Portal New

  • Type: RADIUS Authentication
  • IP or hostname: login.cloudi-fi.net
  • URL: your dedicated URL is provided in the Cloudi-Fi administration portal
  • Port: 443
  • Use Https: Enabled
  • Captive Portal failure: Deny Interne
  • All other settings are Disabled
  • Click on OK

Aruba Instant deployement-create an external captive portal

 

5. Create a Pre-Authentication role

This role will be assigned to users not authenticated yet in the Cloudi-Fi portal.

This role will authorise a non-authenticate user to access external resources needed for the authentication.

For example, we allow the user to access Facebook to use his Facebook account to log in.

Go to Security Role New Name it CloudiFi_pre-auth

Create rules as below:

  • Rule type: Access control
  • Service: Network
  • Action: Allow
  • Destination: to the domain name
    • login.cloudi-fi.net
    • login-cn.cloudi-fi.net
    • guest-api-v1.cloudi-fi.net
    • cdn.cloudi-fi.net
    • Click on ”OK

Domain name: depending authentification module available on your captive portal, you need to add different URLs.

The Cloudi-Fi Support team will provide you the needed URL if necessary.

Aruba Instint Deployement_Cloudi-Fi_add the Cloudi-Fi domains.png

 

6. WLAN creation

In the Controller GUI Dashboard, click on "+" in the Network section to add a new WLAN.

  • Name: CloudiFi-Guest 
  • Primary usage: Guest 
  • Click Next

Aruba instant deployment-Create New WLAN.png

These choices depend on your network infrastructure (if you have a dedicated DHCP server, if you need to assign users in a VLAN...)

Else, you can let default choices.

  • Click “Next”

Aruba instant deployment-Create New VLAN.png

In the Security tab:

  • Splash page type: External
  • Captive portal profile: Cloudi-Fi
  • WISPr: Disabled
  • MAC authentication: Disabled
  • Auth server1: Cloudi-Fi Radius
  • Reauth interval: this timer shall equal the lifetime session configured in Cloudi-Fi portal 
  • All other options must be disabled
  • Click Next

Aruba instant deployment-configure security.png

In the Access tab:

  • Choice: Role-based

  • Select: SSID_NAME_Profile (except if you want to restrict some specific resources)

  • Tick and assign:  pre_authentication role (created earlier)

  • Click “Finish”

Aruba instant deployment- Allow Cloudi-Fi domains.png

 

7. Captive Portal certificate on Aruba controller

A public certificate has to be deployed on the controller to bring up a secured channel between the guest device and the Aruba controller. Without this certificate, guests will receive "Untrusted Certificate" error messages after they authenticate on the Cloudi-Fi portal.

 Once you get a public certificate, you must put all certificate material in a single file in x509 ( aka PEM ) or PKCS12 format.

The AP’s certificate must be first, followed by the certificate chain in order, and then followed by the private key for the certificate. For example, with a root CA, a single intermediate CA, and a root CA, the PEM or PKCS12 file must contain the following parts in this order:

  • Server Certificate
  • Intermediate CA
  • Root CA
  • Private key

Once done, upload the certificate under Maintenance Certificates.

Aruba instant deployment Aruba-upload certificate.png

Aruba Controller will create a DNS record corresponding to your server certificate's common name.
And finally, reboot the Access Point.

 

Troubleshooting

If you’re facing issues with your captive portal, it may have several root causes.

Firewall problem

Before beginning, please check that the following Firewall rules are active, as mentioned in the Solution prerequisites section.

if problems persist after configuring, follow these steps and share the following details with the Cloudi-Fi support team:

Aruba trouble-shooting order lists

Certificates issues

If the certificate is not valid or not applied correctly, you need to add the certificate and apply it to the captive portal.

Error certificates not valid cloudi-Fi integration Aruba.png

Add the certificate

  •  Server Certificate
  •  Intermediate CA
  •  Root CA
  •  Private key

Once done, upload the certificate under Maintenance Certificates.

Aruba Instant deployment_upload certificates and check paraphrase.png

Apply the certificate to the portal:

Captive portal display issue before or after authentication

The problem may be related to DHCP or DNS.

  • Check that your IP address is valid.
  • Check that login.cloudi-fi.net is resolved.

Assuming the DNS and IP address function correctly, you still have a captive portal problem.

  • You must type http://neverssl.com on your browser to apply the redirection on the portal.
  • If the captive portal still does not appear, check the authorizations in “Access. “
  • Click on “Your_Group“ > Device > Config > WLANs > Access > Rule
  • Follow the path below and check if Cloudi-Fi’s domains or IPs are authorized before authentication.

Error after authentication on the page

Once connected to the SSID, if you notice a Cloudi-Fi error page instead of your captive portal. Check if: 

  • The URL transformed at the beginning is not misconfigured, 
  • Radius does not receive requests from Cloudi-Fi.

Check the configuration of the Radius server

  • The IP address of RADIUS 
  • RADIUS port (default port 1812)
  • The shared password.

Check the availability of the RADIUS server

  • In your Aruba Central, under Tools, click the Console tab. The Remote Console Session page is displayed, and the New Session tab is selected by default.
  • From the Device Type drop-down list, select the device type.
    • Select the device.
    • Enter the username and password, and click Create Session.
  • Ping <IP_RADIUS_Server ou FQDN>
  • Test the accessibility of the RADIUS server
    • Enter aaa test-server <server_name> username <user> password <oudhbdfga> authtype pap,

Test authentification

To conduct this test, connect to the SSID, then try to authenticate yourself on the captive portal page and check that the authentication process is successful.

If you have any questions, don't hesitate to contact us - How to contact your support?

 

What’s next?

Please refer to this page for additional details regarding Aruba and Cloudi-Fi configurations.