Describes how to configure your Aruba Instant Access Points to activate the Cloudi-Fi splash page feature.
Use case
By leveraging the authentication capabilities of a Radius server, you can enforce access control policies, allocate bandwidth effectively, and enhance device recognition and management across your network infrastructure. The following sections will provide step-by-step instructions to enable this powerful configuration.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Access to Cloudi-Fi's admin console
- Cloudi-Fi Radius IPs and Secret.
- Access to the Aruba Instant controller.
- Knowledge of your network’s IP addressing scheme.
- Access to your firewall to allow several ports:
| Source | Destination | Port | Protocol | Action | Comment |
| --- | --- | --- | --- | --- | --- |
| Guest subnet | Cloudi-Fi IPs | 1812-1813 | UDP | Allow | RADIUS traffic |
| Guest subnet | Any | 80 | TCP | Allow | HTTP traffic |
| Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
1. Get Cloudi-Fi required URL
Go to the "Location" section in the Cloudi-Fi Admin interface.
Create a new location and enter the required details:
- Location Name
- Type (Redirect URL)
- Portal template
- Country
Location URL: this URL will be used to configure an External Captive Portal
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the URL as follows (only the final segment after /sp/ changes):
Cloudi-Fi:
https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spsomething.com
Aruba Instant:
https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/sparuba.com
2. Get Radius information
Start by accessing the chatbot interface and requesting your Radius information (server IPs, secret, ports). After that, copy the Radius secret and store it securely.
- IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
- The Secret (provided by Cloudi-Fi Support)
You can get the Secret by asking in the Chatbot. Cloudi-Fi’s Support team will provide you with the necessary information.
- What shared secret is used for the Radius server with Aruba AP? (Please save this confidential information securely, and do not share it publicly).
3. Create the Cloudi-Fi Radius server
This server will authorize the Aruba controller after the user provides his credentials to Cloudi-Fi.
In the top right corner of the Aruba Instant Controller GUI, go to Security > Authentication Server > New.
- IP Address: 87.98.173.68
- Auth Port: 1812
- Accounting port: 1813
- Shared key: provided by the Cloudi-Fi support team
- Service type framed user: tick Captive Portal
- Click on “OK”
4. Create an external captive portal
Note: The Captive Portal feature can be enabled in two different ways with Aruba, depending on your infrastructure:
In this section, we will configure the URL where the user is redirected to be authenticated.
Go to Security > External Captive Portal > New
- Type: RADIUS Authentication
- IP or hostname: login.cloudi-fi.net
- URL: your dedicated URL is provided in the Cloudi-Fi administration portal
- Port: 443
- Use Https: Enabled
- Captive Portal failure: Deny Internet
- All other settings are Disabled
- Click on OK
5. Create a Pre-Authentication role
This role will be assigned to users who are not yet authenticated in the Cloudi-Fi portal.
It allows an unauthenticated user to reach the external resources needed for authentication.
For example, we allow the user to access Facebook so that he can log in with his Facebook account.
Go to Security > Role > New and name it CloudiFi_pre-auth
Create rules as below:
- Rule type: Access control
- Service: Network
- Action: Allow
- Destination: to the domain name
  - login.cloudi-fi.net
  - login-cn.cloudi-fi.net
  - guest-api-v1.cloudi-fi.net
  - cdn.cloudi-fi.net
- Click on “OK”
Domain name: depending on the authentication modules available on your captive portal, you need to add different URLs.
The Cloudi-Fi Support team will provide you with the needed URLs if necessary.
6. WLAN creation
In the Controller GUI Dashboard, click on "+" in the Network section to add a new WLAN.
- Name: CloudiFi-Guest
- Primary usage: Guest
- Click Next
These choices depend on your network infrastructure (whether you have a dedicated DHCP server, whether you need to assign users to a VLAN...).
Otherwise, you can keep the default choices.
- Click “Next”
In the Security tab:
- Splash page type: External
- Captive portal profile: Cloudi-Fi
- WISPr: Disabled
- MAC authentication: Disabled
- Auth server1: Cloudi-Fi Radius
- Reauth interval: this timer must equal the session lifetime configured in the Cloudi-Fi portal
- All other options must be disabled
- Click Next
In the Access tab:
- Choice: Role-based
- Select: SSID_NAME_Profile (except if you want to restrict some specific resources)
- Tick and assign: pre_authentication role (created earlier)
- Click “Finish”
7. Captive Portal certificate on Aruba controller
A public certificate has to be deployed on the controller to bring up a secured channel between the guest device and the Aruba controller. Without this certificate, guests will receive "Untrusted Certificate" error messages after they authenticate on the Cloudi-Fi portal.
Once you get a public certificate, you must put all certificate material in a single file in X.509 (aka PEM) or PKCS12 format.
The AP’s certificate must be first, followed by the certificate chain in order, and then the private key for the certificate. For example, with a server certificate, a single intermediate CA, and a root CA, the PEM or PKCS12 file must contain the following parts in this order:
- Server Certificate
- Intermediate CA
- Root CA
- Private key
Once done, upload the certificate under Maintenance > Certificates.
The Aruba controller will create a DNS record corresponding to your server certificate's common name.
Finally, reboot the Access Point.
Troubleshooting
If you’re facing issues with your captive portal, it may have several root causes.
Firewall problem
Before beginning, check that the firewall rules listed in the Prerequisites section are active.
If problems persist after configuring, follow these steps and share the following details with the Cloudi-Fi support team:
- Capture a web snapshot from your browser
- Share with the Cloudi-Fi support team
- Provide the URL of the captive portal configured on your Aruba device
- Share any User IDs encountering error pages
Aruba troubleshooting order lists
Certificate issues
If the certificate is not valid or not applied correctly, you need to add the certificate and apply it to the captive portal.
Add the certificate
- Server Certificate
- Intermediate CA
- Root CA
- Private key
Once done, upload the certificate under Maintenance > Certificates.
Apply the certificate to the portal:
Captive portal display issue before or after authentication
The problem may be related to DHCP or DNS.
- Check that your IP address is valid.
- Check that login.cloudi-fi.net is resolved.
If DNS and IP addressing work correctly and you still have a captive portal problem:
- Type http://neverssl.com in your browser to trigger the redirection to the portal.
- If the captive portal still does not appear, check the authorizations in “Access”.
- Follow this path: “Your_Group” > Device > Config > WLANs > Access > Rule
- Check that Cloudi-Fi’s domains or IPs are authorized before authentication.
Error after authentication on the page
Once connected to the SSID, if you see a Cloudi-Fi error page instead of your captive portal, check whether:
- The URL transformed at the beginning is misconfigured,
- Radius does not receive requests from Cloudi-Fi.
Check the configuration of the Radius server
- The IP address of RADIUS
- RADIUS port (default port 1812)
- The shared password.
Check the availability of the RADIUS server
- In your Aruba Central, under Tools, click the Console tab. The Remote Console Session page is displayed, and the New Session tab is selected by default.
- From the Device Type drop-down list, select the device type.
- Select the device.
- Enter the username and password, and click Create Session.
- Ping <IP_RADIUS_Server or FQDN>
- Test the accessibility of the RADIUS server
- Enter aaa test-server <server_name> username <user> password <oudhbdfga> authtype pap
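Why the shared password is on the checklist above: in a PAP test the shared key both hides the password and authenticates the reply, and RFC 2865 has the client silently discard a reply whose Response Authenticator does not verify. The following Python code is an added example, not Cloudi-Fi or Aruba code; it replays that exchange offline against a constructed stand-in server, and the user name, password and keys are constructed sample values.

```python
import hashlib
import os
import struct

def pap_crypt(data, secret, authenticator, decrypt=False):
    """User-Password hiding from RFC 2865 section 5.2 (decrypt=True reverses it)."""
    data += b"\x00" * (-len(data) % 16)     # pad to a multiple of 16 bytes
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypt else result  # chain on the ciphertext block
    return out

def access_request(user, password, secret, ident=1, authenticator=None):
    """Build the PAP Access-Request (code 1) that the NAS sends to UDP 1812."""
    authenticator = authenticator or os.urandom(16)
    hidden = pap_crypt(password, secret, authenticator)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def attributes(packet):
    """Map attribute type -> value for the attributes after the 20-byte header."""
    pos, found = 20, {}
    while pos < len(packet):
        found[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return found

def server_reply(request, secret, valid_password):
    """Constructed stand-in server: Access-Accept (2) or Access-Reject (3)."""
    auth = request[4:20]
    sent = pap_crypt(attributes(request)[2], secret, auth, decrypt=True).rstrip(b"\x00")
    head = struct.pack("!BBH", 2 if sent == valid_password else 3, request[1], 20)
    return head + hashlib.md5(head + auth + secret).digest()

def nas_verdict(reply, request, secret):
    """What the NAS concludes after checking the Response Authenticator."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        return "discarded: bad Response Authenticator"
    return {2: "Access-Accept", 3: "Access-Reject"}[reply[0]]

if __name__ == "__main__":                  # constructed sample values
    req = access_request(b"guest", b"constructed-pw", b"nas-key")
    for key in (b"nas-key", b"other-key"):  # matching, then mismatched server key
        print(key, nas_verdict(server_reply(req, key, b"constructed-pw"), req, b"nas-key"))
```

With a mismatched key the reply is discarded rather than reported as a reject, so the test looks like a timeout even though the server answered.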
Test authentication
To conduct this test, connect to the SSID, then try to authenticate yourself on the captive portal page and check that the authentication process is successful.
If you have any questions, don't hesitate to contact us - How to contact your support?
What’s next?
Please refer to this page for additional details regarding Aruba and Cloudi-Fi configurations.