Virtual Controller (Master Aruba iAP)

CONFIGURATION GUIDE

The purpose of the following manual is to describe the necessary configuration of the Aruba Instant equipment for integration with the Octopus Platform.

1- Pre-requisites

  • If there is a firewall in the network that might block this traffic, you will need to allow access to the following servers and ports so that users can authenticate:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • For the Guest and Enterprise module configuration to work, the Octopus platform licenses with the respective modules must be contracted beforehand.

2- Guest module configuration

2.1  WLAN configuration and certificate import

First of all you will have to import the certificates that will be used in the controller. To do so, go to Maintenance > Certificates, click on Upload New Certificate and fill in the values:

  • Certificate file to upload: select the .pem file provided

  • Certificate type: Captive portal server.

  • Certificate format: PEM (.pem, .cert or .crt)

  • Passphrase: leave blank.

  • Retype Passphrase: leave blank.

Once you have filled in all the fields, click on the Upload Certificate button and verify that it has been uploaded correctly.

Check in the CLI that the certificate has been added successfully by executing the show cert command.

2.2  WLAN Settings

To edit a specific network in the Virtual Controller graphical interface, go to Networks and edit the WLAN of your choice or create a new one. Once the configuration wizard opens in a new tab, follow the steps below:

  • Name (SSID): SSID that the APs will radiate.

  • Primary usage: Guest

2.3  VLAN

  • Client IP assignment: select the option depending on the network design (DHCP assigned by the Virtual Controller or by another network element).

  • Client VLAN assignment: add the VLAN that will be assigned to the SSID.

2.4  Security

To set up the captive portal configuration, go to the Security tab and perform the following configuration.

  • Splash page type: External

  • Captive portal profile: add a new Captive Portal Profile with the following configuration:

    • Name: WIFI

    • Type: Radius Authentication

    • IP or hostname: <captive_portal_domain>

    • URL: /login/hotspot/arubaiap

    • Port: 443

    • Use https: Enabled

    • Captive portal failure: Deny internet

    • Automatic URL whitelisting: Disabled

    • Redirect URL: leave it blank so that the redirection web site can be managed from the WiFi platform.

  • Auth server 1: add a new Radius Server with the following parameters:

    • Type: RADIUS

    • Name: RADIUS1

    • IP address: <IP_Radius_1>

    • Auth port: 1812

    • Acct port: 1813

    • Shared key: <Secret>

    • Retype key: <Secret>

  • Auth server 2: add a new Radius Server profile with the following parameters:

    • Type: RADIUS

    • Name: RADIUS2

    • IP address: <IP_Radius_2>

    • Auth port: 1812

    • Acct port: 1813

    • Shared key: <Secret>

    • Retype key: <Secret>

  • Reauth interval: 24 hrs

  • Accounting: Use authentication servers

  • Accounting mode: Authentication

  • Accounting interval: 10 min

  • Blacklisting: Disabled

2.5  Access

Finally, the role must be configured in Access.

  • Select the Role-based option (the option that gives more control).

  • In the "Roles" window, create a new role called Preauth.

  • Add a new access rule to this role for each domain listed in the walled garden, with the following configuration:

    • Rule type: Access control

    • Service: Network - any

    • Action: allow

    • Destination: to domain name

    • Domain name: <captive_portal_domain>

  • Assign pre-authentication role: select the role Preauth

If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted at the following link.

2.6 Dynamic Radius Proxy (DRP)

The Dynamic Radius Proxy option sends all access requests to the Radius server using the Virtual Controller IP address instead of the IP of each access point.

To enable it, go to System > General and enable the Dynamic Radius Proxy option.

Once this option is enabled, all requests to the Radius server are sent by default from the Virtual Controller's IP. This default IP can, however, be changed to any other IP, even one that does not belong to the Virtual Controller.

To change the IP from which messages are sent to the Radius server, edit the SSID, open the Security tab and edit the Radius server configuration, modifying the following parameters:

2.7  Authorized MAC Addresses

In order for users to authenticate correctly in the captive portal, the NAS that will send the authentication requests to the Radius server must be identified. In Aruba Instant, the MAC address of every access point that will radiate the configured SSID must be added.

These MAC addresses can be obtained from the Access Point tab of the Instant main window.

For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link: Locations
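The checks a RADIUS server can apply to the requests described in sections 2.6 and 2.7, as an added example that is not part of this guide or of the Octopus or Aruba software: the UDP source must match NAS-IP-Address (and, with Dynamic Radius Proxy enabled, be the Virtual Controller), and the AP MAC must be one of the registered NAS addresses. It assumes Called-Station-Id starts with the AP MAC (optionally followed by ":SSID") and that MAC delimiters may vary, so they are normalised; the packet is constructed locally.

```python
import re
import socket
import struct

NAS_IP_ADDRESS, CALLED_STATION_ID = 4, 30            # RFC 2865 attribute types
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-]?[0-9A-Fa-f]{2}){5}")

def parse_attributes(packet: bytes) -> dict:
    """Walk the Type/Length/Value list after the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def normalise_mac(raw: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form, whatever delimiter the NAS used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def ap_mac_from_called_station(value: bytes):
    # Assumption: Called-Station-Id starts with the AP MAC, optionally followed by ':SSID'.
    match = MAC_RE.match(value.decode("ascii", "replace"))
    return normalise_mac(match.group(0)) if match else None

def is_trusted_nas(packet: bytes, source_ip: str, vc_ip: str,
                   drp_enabled: bool, authorised_ap_macs: set) -> bool:
    """Accept the request only from the expected source and a registered AP."""
    attrs = parse_attributes(packet)
    if NAS_IP_ADDRESS not in attrs or CALLED_STATION_ID not in attrs:
        return False
    nas_ip = socket.inet_ntoa(attrs[NAS_IP_ADDRESS])
    # UDP source and NAS-IP-Address must agree; with DRP both must be the Virtual
    # Controller, which proxies every AP's requests (section 2.6).
    if nas_ip != source_ip or (drp_enabled and nas_ip != vc_ip):
        return False
    ap_mac = ap_mac_from_called_station(attrs[CALLED_STATION_ID])
    return ap_mac is not None and ap_mac in authorised_ap_macs

def build_request(ident: int, attr_list) -> bytes:
    """Constructed Access-Request (code 1, zero Request Authenticator) for local testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attr_list)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body
```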

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Captive portal + MAC Authentication configuration

To enable MAC Authentication, edit the WLAN previously created and enable this option. To do so, go to Networks and edit the WLAN on which you want to enable MAC Authentication. In the configuration wizard, go to the Security tab and modify the following parameters:

  • MAC Authentication: Enabled

  • Delimiter character: :

After these changes are performed, click Next and then click on the Finish button to save this configuration.

3.2 MAC Authentication configuration

To create an SSID dedicated only to MAC Authentication validation, go to Networks and edit the WLAN of your choice or create a new one. After opening a new tab with the configuration wizard, follow the steps below:

  • Name (SSID): configure the SSID name, for example Mac_Auth_Guest.

  • Primary usage: Guest

Then click on Next.

  • Client IP assignment: select the option depending on the network design (DHCP assigned by the Virtual Controller or by another network element).

  • Client VLAN assignment: add the VLAN to be associated with the SSID.

Continue by clicking on Next.

  • Splash page type: None

  • MAC authentication: Enable

  • Link the radius servers created in point 2.4 of this guide

Continue by clicking on Next.

Once this is done, click Finish.

3.3 Configuration of “Access Profiles” functionality in the Octopus Platform

Through the Octopus platform it is possible to configure a series of reply attributes of the Access-Accept packets, grouped in so-called Access Profiles. These Access Profiles allow you to activate a series of functionalities in Aruba Central. Although the most common standard and Aruba proprietary RADIUS dictionaries are available, the following is a list of some of the most interesting attributes:

  • Idle-timeout (format: seconds): Maximum inactivity time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate.

  • Aruba-User-Vlan: Assignment of a previously created VLAN in Aruba Central.

  • Aruba-User-Role: Assignment of a previously created Role in Aruba Central.

  • Reply-Message: Useful for troubleshooting, as it allows identifying associated elements of the Octopus Wifi platform, such as an access profile, access method, location, ...
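How the four attributes above travel in an Access-Accept, as an added example that is not part of this guide or of the Octopus or Aruba software: the reply is built with the standard Idle-Timeout (28) and Reply-Message (18) attributes and the two Aruba Vendor-Specific attributes (vendor 14823, sub-types 1 Aruba-User-Role and 2 Aruba-User-Vlan), and its Response Authenticator is computed and checked with the shared key. The role, VLAN, timeout, request authenticator and the <Secret> placeholder are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet code and attribute types used by the Access Profiles above
ACCESS_ACCEPT = 2
REPLY_MESSAGE, VENDOR_SPECIFIC, IDLE_TIMEOUT = 18, 26, 28
ARUBA_VENDOR_ID = 14823                  # Aruba's IANA enterprise number
ARUBA_USER_ROLE, ARUBA_USER_VLAN = 1, 2  # sub-types from the Aruba RADIUS dictionary

def avp(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([atype, len(value) + 2]) + value

def aruba_vsa(subtype: int, value: bytes) -> bytes:
    """Wrap a sub-attribute in a Vendor-Specific attribute: Vendor-Id + Vendor-Type/Length/Value."""
    return avp(VENDOR_SPECIFIC,
               struct.pack("!I", ARUBA_VENDOR_ID) + bytes([subtype, len(value) + 2]) + value)

def build_access_accept(ident: int, request_auth: bytes, secret: bytes, role: str,
                        vlan: int, idle_timeout: int, reply_msg: str) -> bytes:
    """Access-Accept carrying the four attributes of the list, signed with the shared key."""
    attrs = (aruba_vsa(ARUBA_USER_ROLE, role.encode())
             + aruba_vsa(ARUBA_USER_VLAN, struct.pack("!I", vlan))
             + avp(IDLE_TIMEOUT, struct.pack("!I", idle_timeout))
             + avp(REPLY_MESSAGE, reply_msg.encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check the NAS performs before trusting a reply: recompute it with its own shared key."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

A reply that fails this check, or that arrives with a shared key different from the one entered in section 2.4, is silently discarded by the NAS, which is why mismatched keys show up as users never getting past the captive portal.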

Example of an Access Profile configuration with the attributes explained above:

For more information on how to create an Access Profile in the Octopus Platform, go to Access profiles.