Aruba Networks (IAP virtual controller mode)

This guide will show how you can set your Aruba access points up to use the Amplespot.

This integration has been tested with the following devices:

  • IAP-204
  • IAP-205

According to Aruba documentation, integration shall also work with the following models. However, this has not been tested

  • IAP-105
  • RAP-3WN
  • AP220 Series
  • 130 Series
  • 110 Series
  • 100 Series
  • 270 Series
  • 175 Series
  • RAP-155
  • RAP-100 Series
  • RAP-3

It is strongly recommended to use the version (released on 2013-11-18) or later.  In previous versions, you may encounter problems in communication between the devices and Amplespot.

Important note:

For all RADIUS and Captive Portal, configuration settings visit R ADIUS SETTINGS CONFIGURATION PAGE

1. Add your Aruba Access Points to Amplespot Admin Dashboard

Head to your Amplespot account and if you haven't already, create Zones for your Access Points. Or you can use the default Zone and change your settings later.

Once you created all necessary Zones, note the MAC address(es) of your Aruba Access Point(s) together with their names.

Now head to Amplespot Admin Portal, click on Access Points in the left-hand menu and then on Add new Unmanaged Access Point

Select the Access Point make and model, type in MAC Address and Name, Select the Country and the Captive Portal Zone where you would like to add this Access Point. You will be able to your access point to other Zones later.

!! IMPORTANT!! Make sure that the name of the SSID used by the Captive Portal Zone you are selecting exactly corresponds to the name of SSID on your Aruba Access Point.

2. Create new Network on Aruba Controller

Open your Aruba network portal or login to the virtual controller and under Networks, click New

Enter the following settings:

  • Name - e.g Demo Guest WiFi
  • Usage - Guest

Click Next to continue

In the VLAN tab set the following:

  • Client IP assignment - Virtual Controller Managed
  • Client VLAN assignment - Default

Or you can use other settings depending on the layout of your environment. It is important that the clients get IP addresses via DHCP.Click Next to continue.

3. Create Captive Portal Configuration

In the Security tab 

  • Set the splash page type to External.
  • Under the Captive Portal Profile, select New:

Use the following configuration

  • Name: <e.g. Amplespot>
  • Type: RADIUS Authentication
  • IP or hostname:
  • URL: /arui
  • Port: 80 (443 if you want to use secure captive portal)
  • Use https: Disabled (enable if you want to use secure captive portal)
  • Captive Portal Failure: Deny internet
  • Automatic URL Whitelisting: Enabled

Click  OK to save changes

Set WISPr to Enabled

4. Create RADIUS Configuration

Under the Auth server 1, select New and set the following

  • Type: RADIUS
  • Name: <e.g amplespot-radius1 (there will be a second radius server as well)>
  • IP address: (see doc here)
  • Auth port: 1812
  • Acct port: 1813
  • Shared key: (see doc here)
  • Retype key: (as above)
  • Timeout: 5 sec
  • Retry count: 3
  • RFC 5997: Checked:Authentication ; Checked:Accounting
  • Service type framed user: Checked: Captive Portal

Click  OK to save.

Repeat this for Auth server 2, use settings from Auth Server 1 with exception of:

  • IP address: resolve the IP address of (or another server as per documentation)

Click  OK to save.

5. Set Walled Garden

Under the Walled garden click on Blacklist: 0 Whitelist: 0, the below screen will open.

Click New and enter the Walled Garden hostnames as listed here. The selection of hostnames depends on the login methods you want to make available to the WiFi users (email, facebook, google, twitter etc).

6. Complete Network Security

Check following settings on the Security tab

  • Load balancing: Disabled
  • Reauth interval: 0
  • Accounting: Use authentication servers
  • Accounting mode: Authentication
  • Accounting interval: 5 min
  • Shared key: <in amplespot admin portal>
  • Blacklisting: Disabled
  • Enforce DHCP: Enabled (recommended)
  • Disable if the uplink is: 3G/4G (recommended)
  • Encryption: Disabled

Click  Next to continue

On the Access Rules page set controls to Role-based (should be automatically created matching your SSID), and click New under Access rules.

Using the fields provided, create the following rules:

Access Control > Network > any > allow > to domain name > [domai names from Walled Garden hostnames as listed here. The selection of  domain names depends on the login methods you want to make available to the WiFi users (email, facebook, google, twitter etc).]

Once you created the rules, tick the Assign Pre-authentication role checkbox, make sure that it has your Role selected, and then click Finish.

You can set additional Role- or Network- based access restrictions on this page if this is required by your network topology or policies.

7. Use that CLI

Because there are no options to change these settings in the GUI, you will need to SSH into the Aruba Virtual Controller, which is done by entering the following:

<code>ssh root@DEVICE_IP

Replace DEVICE_IP with the IP address of your Aruba Virtual Controller, and login with your username and password that you used to log into the Aruba Virtual Controller's GUI.

Once you have established an SSH connection, enter the commands below, one by one:

<code># configure terminal<br># wlan ssid-profile "Demo WiFi"<br>(SSID Profile "Demo WiFi") # auth-pkt-mac-format delimiter -<br>(SSID Profile "Demo WiFi") # auth-pkt-mac-format upper-case delimiter -<br>(SSID Profile "Demo WiFi") # called-station-id include-ssid delimiter :<br>(SSID Profile "Demo WiFi") # end<br>(SSID Profile "Demo WiFi") # commit apply <br>
<code>(SSID Profile "Demo WiFi") # write mem