Aruba Controller

CONFIGURATION GUIDE

The purpose of the following manual is to describe the configuration required on Aruba Mobility Controllers for integration with Octopus Platform.

 

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, access to the following destinations must be allowed so that users can authenticate:

    • RADIUS servers:

      • Primary: <IP_Radius_1>, UDP ports 1812 and 1813

      • Secondary: <IP_Radius_2>, UDP ports 1812 and 1813

    • Splash portal server:

      • Domain <captive_portal_domain>, TCP ports 80 and 443

  • To configure the Guest and Enterprise modules, the Octopus platform licenses for the respective modules must be contracted beforehand.

2- Guest module configuration

2.1 WLAN - Wizard Configuration

The guest WLAN to which the captive portal will be applied may already exist, or it may have to be created from scratch; the steps below cover creating it and integrating it with the portal and the RADIUS server.

First, go to Configuration > Wizards > Campus WLAN.

A configuration wizard is displayed; its steps are described below:

  • First, create the new AP Group, with the desired name, that will contain the APs of the installation. You can also edit an already created AP Group / WLAN by simply selecting it and following the wizard.

  • Create the WLAN that will be radiated by the access points and type the SSID that will be visible to the wireless users.

  • Select the Tunnel mode as Forwarding mode, or the configuration mode you find convenient in the network.

  • Type the VLAN linked to the Wireless LAN depending on the client's network configuration.

  • Select the Guest mode.

  • Select the option Captive portal with authentication via credentials (username and password) provided by user to create a new Captive Portal Profile which will be configured in the following sections after the Wizard is done.

  • No configuration is needed in the next window, since the controller's internal captive portal will not be used.

Then add two new RADIUS servers. For each one, click the Add button and fill in the parameters as shown below:

  • Server 1:

    • Name: RADIUS1

    • IP address: <IP_Radius_1>

    • Auth. port: 1812

    • Acct. port: 1813

    • Shared key: <Secret>

    • Retype key: <Secret>

  • Server 2:

    • Name: RADIUS2

    • IP address: <IP_Radius_2>

    • Auth. port: 1812

    • Acct. port: 1813

    • Shared key: <Secret>

    • Retype key: <Secret>

Select the role that is assigned to the users that connect to the new wireless network that is being configured.

  • Pre-authentication role: Select the role XX-guest-logon for the pre-authenticated users.

  • Authenticated role: Select the role guest for the authenticated users.

  • Finally, review the configuration and click finish.

2.2  Walled Garden

The next step is to configure all the domains that the users will be able to visit without being authenticated in the captive portal.

Go to Advanced Services > Stateful Firewall > Destinations:

Within this configuration tab, add a new group, and within this group, add all domains to which the client can have access prior to authentication by adding a new rule for each domain.

If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.

2.3  Captive Portal

All captive portal configuration is done in the authentication profile created by the wizard. Go to Security > Authentication > L3 Authentication.

Then click on the Captive Portal Authentication profile added before, named SSID_name-cp_prof, where SSID_name is the SSID you configured in the wizard.

Once the configuration window is displayed, please perform the following configuration:

  • Default Role: guest

  • Default Guest Role: guest

  • Authentication protocol: PAP

  • Login page: https://<captive_portal_domain>/login/hotspot/aruba

  • Welcome page: deactivate this option to disable the internal welcome page of Aruba. 

  • Add switch IP address in the redirection URL: check this box.

  • Adding user vlan in redirection URL: check this option. 

  • White List: Select the Walled Garden destination group configured in section 2.2.

  • Redirect URL: leave it blank so that the redirection web site can be managed from the Octopus platform.

2.4  Radius Server

To configure the RADIUS servers that will receive the users' authentication requests, go to Security > Authentication > Servers. Inside the Radius Server menu, select the two RADIUS servers added with the wizard and modify the following parameters on each:

  • Radius Server 1:

    • Called-Station-ID

      • csid_type: ap-name

      • Include_ssid: disable

      • csid_delimiter: colon

  • Radius Server 2:

    • Called-Station-ID

      • csid_type: ap-name

      • Include_ssid: disable

      • csid_delimiter: colon

2.5  AAA Profile

The next step in setting up the OmniAccess Controller is to update the parameters of the AAA profile created through the wizard.

To do this, go to Security > Authentication > AAA Profiles and select the profile you created. Then configure this profile with the following settings.

  • RADIUS Interim Accounting: Enable this option

Finally, within the configuration of the AAA profile, also add the RADIUS servers for accounting.

  • To do this, open RADIUS Accounting Server Group in the profile you created and select from the drop-down menu the server group that includes the RADIUS servers added in the wizard (XXX_srvgrp-xxx).

  • After finishing all the configuration you must apply all the changes made and click on the Save Configuration button.


2.6  Wireless - AP Installation Settings

Finally, the configuration must be applied to the access points that will radiate the WLAN. Go to Configuration > Wireless > AP Installation and select the APs that you want to include in the corresponding AP group.

To apply the configuration on the access points, click on Apply and reboot.

2.7 Additional settings

Validation in safe mode

To make the whole process secure, a certificate is loaded on the controller so that users do not get certificate errors on the captive portal.

To do this, go to Management > Certificates, Upload tab, and fill in the values:

  • Certificate Name: <certificate name>

  • Certificate Filename: Select the .PEM file that we will provide.

  • Passphrase and Retype Passphrase: Leave blank.

  • Certificate Format: PEM

  • Certificate Type: Server Cert


Once you have filled in all the fields, press the Upload button and verify that it appears correctly in the list:

Save the configuration. Once the changes have been saved, please go to Management > General and in WebUI Management Authentication Method and Captive Portal Certificate, select the created certificate:

Apply changes and save settings.

Check in CLI that the fqdn entry has been created correctly.

Note that if the controller's configuration was previously accessed through the DNS name securelogin.arubanetworks.com, it must now be accessed through the IP address or through the new subdomain associated with the certificate: securelogin.xxxxxx.xxx

2.8  Authorized MAC Addresses

For user validation to work correctly, the NAS devices that may send authentication requests to the RADIUS server must be identified. In this case the name of each AP must be added. The AP name must be left as the MAC address of the AP and not changed, since the RADIUS server only interprets the MAC format.

This MAC address is easily accessible under Monitoring > All Access Points.


For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link Locations

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1  Captive portal + MAC Authentication configuration

In order to enable MAC authentication it will be necessary to create a new L2 Authentication Profile.

To do this go to Security > Authentication > L2 Authentication: In the sub-menus select MAC Authentication and add a new MAC Authentication profile.

Once the profile has been created, only the Delimiter parameter must be set to dash; the rest of the parameters must be left at their default values.

Then, in Security > Authentication > AAA Profiles, select the profile created for the guest WiFi.

To enable MAC Authentication, the same process must be performed for the RADIUS server that will be used to authenticate users by their MAC.

To do this, in the profile select MAC Authentication Server Group and select from the drop-down list the server group that includes the RADIUS servers added in the wizard.


Select the MAC Authentication profile created earlier.

To do this click on MAC Authentication within the AAA Profile created and within the dropdown select the profile created previously and apply the changes.

3.2 MAC Authentication configuration

To create an SSID dedicated only to MAC Authentication, go to Configuration > Wizards > Campus WLAN, create a new AP Group and configure it with the settings specified in section 2.1.

In order to enable MAC authentication it will be necessary to create a new L2 Authentication Profile. To do this go to Security > Authentication > L2 Authentication:

In the sub-menus select MAC Authentication and add a new MAC Authentication profile.

Once the profile has been created, only the Delimiter parameter must be set to dash; the rest of the parameters must be left at their default values.

Then, in Security > Authentication > AAA Profiles, select the profile created for the guest WiFi.

To enable MAC Authentication, the same process must be done for the RADIUS server that will be used to authenticate users by their MAC. To do this, select MAC Authentication Server Group in the profile and select from the drop-down menu the server group that includes the RADIUS servers added in the wizard (section 2.1).

Select the MAC Authentication profile created earlier.

To do this click on MAC Authentication within the AAA Profile created and within the dropdown select the profile created previously and apply the changes.
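The following Python script is an added example, not Octopus or Aruba code, that shows what the settings of sections 2.4, 2.8 and 3.1/3.2 mean on the wire. It parses a RADIUS Access-Request as the Octopus RADIUS server would receive it from the controller and checks that Called-Station-Id is the AP MAC with colon delimiters (csid_type ap-name, include_ssid disabled, csid_delimiter colon, and the AP name left as its MAC), that this AP is in the authorized NAS list, and, for MAC authentication, that User-Name uses the dash delimiter. The sample packets, the authorized-AP set, the 10.0.0.2 NAS address and the check messages are constructed for the example and are not what the platform itself reports.

```python
import re
import struct

# RADIUS code and attribute types from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLED_STATION_ID = 30
ATTR_CALLING_STATION_ID = 31

# csid_delimiter "colon" (section 2.4): the AP name, i.e. its MAC, as aa:bb:cc:dd:ee:ff
COLON_MAC = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
# MAC Authentication profile Delimiter "dash" (sections 3.1/3.2): aa-bb-cc-dd-ee-ff
DASH_MAC = re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$", re.I)


def parse_radius(packet: bytes):
    """Return (code, identifier, {attr_type: [raw values]}) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = {}
    pos = 20                      # skip header and 16-byte Request Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs


def first_text(attrs, atype):
    """First value of a text attribute, decoded; empty string if absent."""
    values = attrs.get(atype)
    return values[0].decode("ascii", "replace") if values else ""


def check_request(packet: bytes, authorized_aps, mac_auth=False):
    """List what is wrong with an Access-Request; an empty list means it is acceptable."""
    code, _ident, attrs = parse_radius(packet)
    problems = []
    if code != ACCESS_REQUEST:
        problems.append("code %d is not an Access-Request" % code)
    csid = first_text(attrs, ATTR_CALLED_STATION_ID)
    if not COLON_MAC.match(csid):
        problems.append("Called-Station-Id %r is not a colon-delimited MAC: "
                        "check csid_type/include_ssid/csid_delimiter and the AP name" % csid)
    elif csid.lower() not in {ap.lower() for ap in authorized_aps}:
        problems.append("AP %s is not an authorized NAS" % csid)
    if mac_auth and not DASH_MAC.match(first_text(attrs, ATTR_USER_NAME)):
        problems.append("User-Name is not a dash-delimited MAC: check the profile Delimiter")
    return problems


def build_request(attrs, ident=7):
    """Assemble a constructed Access-Request with a fixed (non-random) test authenticator."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + b"\x11" * 16 + body


# Constructed sample data: one authorized AP whose name was left as its MAC.
AUTHORIZED_APS = {"00:0b:86:11:22:33"}

GOOD_REQUEST = build_request([
    (ATTR_USER_NAME, b"aa-bb-cc-dd-ee-01"),           # MAC auth, dash delimiter
    (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 2])),
    (ATTR_CALLED_STATION_ID, b"00:0b:86:11:22:33"),   # ap-name == AP MAC, colon delimiter
    (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-01"),
])

# AP renamed "Lobby-AP" with include_ssid left enabled; client MAC sent with colons.
BAD_REQUEST = build_request([
    (ATTR_USER_NAME, b"aa:bb:cc:dd:ee:01"),
    (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 2])),
    (ATTR_CALLED_STATION_ID, b"Lobby-AP:OctopusGuest"),
])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, check_request(pkt, AUTHORIZED_APS, mac_auth=True) or "OK")
```

Running the script prints an empty problem list for the first packet and two problems for the second, which is exactly the failure a renamed AP or a wrong delimiter produces: the request reaches the RADIUS server but the NAS cannot be matched to an authorized MAC.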

3.3 Configuration of the “Access Profiles” functionality in the Octopus Platform

Through the Octopus platform it is possible to configure a series of reply attributes for the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles allow a series of functionalities to be activated in the Aruba Controller. Although the most common and the proprietary Aruba RADIUS dictionaries are available, below is a list of some of the most interesting attributes:


Attribute, Description, Format:

  • Idle-timeout

    • Description: Maximum inactivity time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate.

    • Format: Seconds

  • Aruba-User-Vlan

    • Description: Assignment of a VLAN previously created on the Aruba Controller

  • Aruba-User-Role

    • Description: Assignment of a Role previously created in the Aruba Controller

  • Reply-Message

    • Description: Useful for troubleshooting, since it allows the associated elements of the Octopus platform to be identified, such as an access profile, access method, location, ...


Example of an Access Profile configuration with the attributes explained above:
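As an added example (not Octopus or Aruba code) of what an Access Profile produces on the wire, the Python below encodes the four attributes of the table into a RADIUS Access-Accept, including the vendor-specific wrapping the Aruba dictionary uses (vendor id 14823, with Aruba-User-Role as sub-type 1 and Aruba-User-Vlan as sub-type 2), computes the Response Authenticator with the shared key, and shows the check the controller performs on the reply with the shared key configured in section 2.1. The shared key, request authenticator, VLAN 100, role guest, 1800-second timeout and reply text are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS code and standard attribute types (RFC 2865)
ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26
ATTR_IDLE_TIMEOUT = 28
# Aruba dictionary: IANA enterprise number and the two VSA sub-types used here
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1      # string
ARUBA_USER_VLAN = 2      # integer


def attr(atype, value):
    """One RADIUS attribute TLV: type, total length, value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def aruba_vsa(subtype, value):
    """Vendor-Specific (26) carrying one Aruba sub-attribute in RFC 2865 layout."""
    inner = bytes([subtype, len(value) + 2]) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def access_profile_attrs(idle_timeout, vlan, role, reply_message):
    """Encode the four Access Profile attributes from the table above."""
    return b"".join([
        attr(ATTR_IDLE_TIMEOUT, struct.pack("!I", idle_timeout)),   # seconds
        aruba_vsa(ARUBA_USER_VLAN, struct.pack("!I", vlan)),
        aruba_vsa(ARUBA_USER_ROLE, role.encode("ascii")),
        attr(ATTR_REPLY_MESSAGE, reply_message.encode("utf-8")),
    ])


def build_access_accept(ident, request_authenticator, attributes, secret):
    """Access-Accept; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """The controller's check with the shared key: recompute the authenticator and compare."""
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def decode_access_profile(packet):
    """Read the four attributes back out of an Access-Accept, unwrapping the Aruba VSA."""
    out, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_IDLE_TIMEOUT:
            out["Idle-Timeout"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_REPLY_MESSAGE:
            out["Reply-Message"] = value.decode("utf-8")
        elif atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID:
            subtype, subvalue = value[4], value[6:4 + value[5]]   # inner TLV after the vendor id
            if subtype == ARUBA_USER_VLAN:
                out["Aruba-User-Vlan"] = struct.unpack("!I", subvalue)[0]
            elif subtype == ARUBA_USER_ROLE:
                out["Aruba-User-Role"] = subvalue.decode("ascii")
        pos += alen
    return out


# Constructed sample values (in a real deployment the key is the <Secret> from section 2.1).
SECRET = b"constructed-shared-key"
REQUEST_AUTHENTICATOR = bytes(range(16))
REPLY_TEXT = "Octopus: profile=guest-basic method=captive-portal"
ACCEPT = build_access_accept(
    7, REQUEST_AUTHENTICATOR,
    access_profile_attrs(1800, 100, "guest", REPLY_TEXT),
    SECRET,
)

if __name__ == "__main__":
    print(decode_access_profile(ACCEPT))
    print("authenticator valid:", verify_response(ACCEPT, REQUEST_AUTHENTICATOR, SECRET))
```

The role and VLAN named in the profile must already exist on the controller, as the table says; the script only shows how they travel. The authenticator check is also why a wrong Shared key in section 2.1 shows up as silently dropped replies rather than an explicit error: a reply that fails verification is discarded by the controller.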


For more information on how to create an Access Profile in Octopus Platform go to Access profiles