Aruba Networks (IAP virtual controller mode)
This guide shows how to set up your Aruba access points to use Amplespot.
This integration has been tested with the following devices:
According to Aruba documentation, the integration should also work with the following models; however, this has not been tested:
- AP220 Series
- 130 Series
- 110 Series
- 100 Series
- 270 Series
- 175 Series
- RAP-100 Series
It is strongly recommended to use the version 126.96.36.199-188.8.131.52_40930 (released on 2013-11-18) or later. In previous versions, you may encounter problems in communication between the devices and Amplespot.
For all RADIUS and Captive Portal configuration settings, visit the RADIUS SETTINGS CONFIGURATION PAGE.
1. Add your Aruba Access Points to Amplespot Admin Dashboard
Once you have created all necessary Zones, note the MAC address(es) of your Aruba Access Point(s) together with their names.
Now head to the Amplespot Admin Portal, click on Access Points in the left-hand menu and then on Add new Unmanaged Access Point.
Select the Access Point make and model, type in the MAC Address and Name, and select the Country and the Captive Portal Zone where you would like to add this Access Point. You will be able to add your access point to other Zones later.
!! IMPORTANT !! Make sure that the SSID name used by the Captive Portal Zone you are selecting corresponds exactly to the SSID name on your Aruba Access Point.
2. Create new Network on Aruba Controller
Open your Aruba network portal or log in to the virtual controller and, under Networks, click New.
Enter the following settings:
- Name - e.g Demo Guest WiFi
- Usage - Guest
Click Next to continue
In the VLAN tab set the following:
- Client IP assignment - Virtual Controller Managed
- Client VLAN assignment - Default
Or you can use other settings depending on the layout of your environment. It is important that the clients get IP addresses via DHCP. Click Next to continue.
3. Create Captive Portal Configuration
In the Security tab
- Set the splash page type to External.
- Under the Captive Portal Profile, select New:
Use the following configuration
- Name: <e.g. Amplespot>
- Type: RADIUS Authentication
- IP or hostname: cp.amplespot.com
- URL: /arui
- Port: 80 (443 if you want to use secure captive portal)
- Use https: Disabled (enable if you want to use secure captive portal)
- Captive Portal Failure: Deny internet
- Automatic URL Whitelisting: Enabled
Click OK to save changes
Set WISPr to Enabled
4. Create RADIUS Configuration
Under the Auth server 1, select New and set the following
- Type: RADIUS
- Name: <e.g amplespot-radius1 (there will be a second radius server as well)>
- IP address: (see doc here)
- Auth port: 1812
- Acct port: 1813
- Shared key: (see doc here)
- Retype key: (as above)
- Timeout: 5 sec
- Retry count: 3
- RFC 5997: Checked: Authentication; Checked: Accounting
- Service type framed user: Checked: Captive Portal
Click OK to save.
Repeat this for Auth server 2, using the settings from Auth server 1 with the exception of:
- IP address: resolve the IP address of r2.amplespot.com (or another server as per documentation)
Click OK to save.
5. Set Walled Garden
Under the Walled garden, click on Blacklist: 0 Whitelist: 0; the screen below will open.
Click New and enter the Walled Garden hostnames as listed here. The selection of hostnames depends on the login methods you want to make available to the WiFi users (email, Facebook, Google, Twitter, etc.).
6. Complete Network Security
Check the following settings on the Security tab:
- Load balancing: Disabled
- Reauth interval: 0
- Accounting: Use authentication servers
- Accounting mode: Authentication
- Accounting interval: 5 min
- Shared key: <in amplespot admin portal>
- Blacklisting: Disabled
- Enforce DHCP: Enabled (recommended)
- Disable if the uplink is: 3G/4G (recommended)
- Encryption: Disabled
Click Next to continue
On the Access Rules page set controls to Role-based (should be automatically created matching your SSID), and click New under Access rules.
Using the fields provided, create the following rules:
Access Control > Network > any > allow > to domain name > [domain names from the Walled Garden hostnames as listed here. The selection of domain names depends on the login methods you want to make available to the WiFi users (email, Facebook, Google, Twitter, etc.).]
Once you have created the rules, tick the Assign Pre-authentication role checkbox, make sure that it has your Role selected, and then click Finish.
You can set additional Role- or Network-based access restrictions on this page if this is required by your network topology or policies.
7. Use the CLI
Because there are no options to change these settings in the GUI, you will need to SSH into the Aruba Virtual Controller, which is done by entering the following:
Replace DEVICE_IP with the IP address of your Aruba Virtual Controller, and log in with the username and password that you use to log into the Aruba Virtual Controller's GUI.
Once you have established an SSH connection, enter the commands below, one by one:
# configure terminal
# wlan ssid-profile "Demo WiFi"
(SSID Profile "Demo WiFi") # auth-pkt-mac-format delimiter -
(SSID Profile "Demo WiFi") # auth-pkt-mac-format upper-case delimiter -
(SSID Profile "Demo WiFi") # called-station-id include-ssid delimiter :
(SSID Profile "Demo WiFi") # end
(SSID Profile "Demo WiFi") # commit apply
(SSID Profile "Demo WiFi") # write mem
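To confirm the CLI settings took effect, you can check the Called-Station-Id values that reach the RADIUS side against the MAC/SSID pairs registered in step 1. The script below is an added example, not part of the original guide and not Aruba or Amplespot code. It assumes the commands above yield the form AP-MAC:SSID with an upper-case, hyphen-delimited MAC, and that the MAC is the one registered in step 1; the inventory, function names and sample values are constructed for illustration.

```python
import re

# Constructed sample inventory: AP MAC noted in step 1 -> SSID of its Captive Portal Zone.
REGISTERED_APS = {"aa:bb:cc:00:11:22": "Demo WiFi"}

# A MAC in any common notation, optionally followed by ":" and the SSID.
_CSID = re.compile(r"((?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2})(?::(.*))?")


def normalize_mac(raw):
    """Return the MAC as upper-case, hyphen-delimited octets, or None if malformed."""
    digits = re.sub(r"[-:.]", "", raw.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_called_station_id(value, registered=REGISTERED_APS):
    """List what is wrong with one Called-Station-Id value; an empty list means OK."""
    inventory = {normalize_mac(mac): ssid for mac, ssid in registered.items()}
    match = _CSID.fullmatch(value)
    if not match:
        return ["unparseable"]
    raw_mac, ssid = match.group(1), match.group(2)
    mac = normalize_mac(raw_mac)
    problems = []
    if raw_mac != mac:
        problems.append("mac-format")      # not upper-case with "-" delimiter
    if ssid is None:
        problems.append("ssid-missing")    # include-ssid is not in effect
    if mac not in inventory:
        problems.append("unknown-ap")      # MAC was never registered in step 1
    elif ssid is not None and ssid != inventory[mac]:
        problems.append("ssid-mismatch")   # SSID must match the Zone exactly
    return problems


if __name__ == "__main__":
    # Constructed values, as they might appear in a RADIUS Access-Request.
    for sample in ("AA-BB-CC-00-11-22:Demo WiFi",
                   "aabbcc001122",
                   "AA-BB-CC-00-11-22:Demo Guest WiFi"):
        print(f"{sample!r}: {check_called_station_id(sample) or 'ok'}")
```
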