Controller Based WLANs

How do I set up public Wi-Fi access with the captive portal on the Aruba controller?

Aruba Employee

Product and Software: This article applies to Aruba 600, 3000, and M3 series controllers and ArubaOS 3.4.1 and later.

Note: Public Wi-Fi access is supported in beta with ArubaOS 3.4.1.0 and will not be generally available until ArubaOS 5.0.

This article provides a quick cheat sheet for successfully configuring a basic Public Wi-Fi Access deployment with the captive portal on the Aruba controller. The Public Wi-Fi Access Supplement should be used for more detailed information on what features are available for public Wi-Fi access.

Known Issues for Using the Captive Portal in the Aruba Controller

  • The public Wi-Fi access features in the local user hospitality database (such as download/upload bandwidth contracts and expiration timers) will not work unless a controller administrator manually adds the guest MAC address with the desired values through the CLI or WebUI configuration.
  • A non-standard static IP guest user needs an IP address, subnet mask, gateway, and DNS IP address defined; otherwise its session will not work as a pre-authenticated or post-authenticated user.

How to Configure Public Wi-Fi Access

1) Request a public Wi-Fi access license from Support and install it on the controller.

2) Create the necessary wireless user, wired user, and uplink port VLANs and their IP interfaces and controller default gateway.

Example:

config t

interface vlan 1
description "Internet Uplink Interface"
ip address 1.1.1.1 255.255.255.0

interface vlan 2
description "Wireless client vlan"
ip address 192.168.2.1 255.255.255.0

ip default-gateway 1.1.1.254

end

write memory

3) Configure the controller IP, which has to be IP-reachable by the Aruba APs.

Example:

config t

controller-ip vlan 2

end

write memory

4) Enable IP domain lookup.

Example:

config t

ip domain lookup
ip name-server 8.8.8.8

end

write memory

5) Reboot the controller.

6) Enable public Wi-Fi access in the general firewall and reboot.

Example:

config t

firewall hospitality

end

write memory

reload

7) Create a post-authenticated user role.

Example:

config t

ip access-list session authenticated_http_https_proxy_acl
any any svc-http dst-nat 9000
any any tcp 800 900 dst-nat 9000
any any tcp 911 dst-nat 9000
any any tcp 990 dst-nat 9000
any any tcp 1024 9999 dst-nat 9000

ip access-list session allowall
any any any permit

user-role hotelguest-postauth
session-acl authenticated_http_https_proxy_acl
session-acl allowall

end

write memory

8) Create a captive portal profile that will be applied to the pre-authenticated user role.

Example:

config t

aaa authentication captive-portal "hotel-portal1"

default-role "hotelguest-postauth"
welcome-page "http://www.<company name>.com"
ip-addr-in-redirection-url 192.168.2.1
show-acceptable-use-policy

end

write memory

9) Apply the captive portal profile to the pre-authenticated user role.

Example:

config t

ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit

ip access-list session captiveportal
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088

user-role hotelguest-preauth
captive-portal "hotel-portal1"
session-acl logon-control
session-acl captiveportal

end

write memory

10) Apply the pre-authenticated user role to an AAA profile.

Example:

config t

aaa profile "hotel-aaa"
initial-role "hotelguest-preauth"

end

write memory

11) Create an SSID that will be used by public Wi-Fi access wireless clients.

Example:

config t

wlan ssid-profile "hotel-guest-ssid"
essid "hotel-guest"

end

write memory

12) Create a virtual AP and bind it with the new AAA and SSID profile.

Example:

config t

wlan virtual-ap "hotel-guest"
aaa-profile "hotel-aaa"
ssid-profile "hotel-guest-ssid"
vlan 2

end

write memory

13) Add the virtual AP to an AP group that will have APs broadcasting the public Wi-Fi access SSID.

Example:

config t

ap-group "hotel-aps"
virtual-ap "hotel-guest"

end

write memory

14) Add an IP address that will redirect wireless and wired client HTTP and HTTPS requests to the captive portal on the controller.

Example:

config t

ip cp-redirect-address 192.168.2.1

end

write memory

15) Add guest users in the controller local-user-db.

Example:

local-userdb add username "guest" password <password> role hotelguest-postauth

16) If the controller is being used as a DHCP server, configure the necessary DHCP pools for the wireless and wired clients.

Example:

config t

ip dhcp pool user-pool
default-router 192.168.2.1
dns-server 8.8.8.8
lease 1 0 0
network 192.168.2.0 255.255.255.0
authoritative

end

write memory

The controller should now be configured with all the necessary information to be used as a public Wi-Fi access controller.

Refer to the ArubaOS 3.4.1.0 User Guide and Public Wi-Fi Access Supplement for more details on these features and parameters.
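
Steps 7 through 13 link the ACLs, user roles, captive portal profile, AAA profile, SSID profile, virtual AP and AP group to each other by name, so one misspelled or missing name breaks the chain. The following offline check over a saved copy of those stanzas is an added example, not part of the original article or of Aruba software; `check`, `SAMPLE` and the keyword tables are names chosen here, and the parser assumes only the stanza forms shown above, with names that contain no spaces.

```python
# Keywords that open a stanza, and keywords that reference one by name.
HEADERS = {"ip access-list session": "acl", "user-role": "role",
           "aaa authentication captive-portal": "cp", "aaa profile": "aaa",
           "wlan ssid-profile": "ssid", "wlan virtual-ap": "vap",
           "ap-group": "group"}
REFS = {"session-acl": "acl", "captive-portal": "cp", "default-role": "role",
        "initial-role": "role", "aaa-profile": "aaa", "ssid-profile": "ssid",
        "virtual-ap": "vap"}
# Constructed sample (steps 7-13): allowall ACL missing, initial-role misspelled.
SAMPLE = """
ip access-list session logon-control
user-role hotelguest-postauth
session-acl allowall
aaa authentication captive-portal "hotel-portal1"
default-role "hotelguest-postauth"
user-role hotelguest-preauth
captive-portal "hotel-portal1"
session-acl logon-control
aaa profile "hotel-aaa"
initial-role "hotelguest-preuath"
wlan ssid-profile "hotel-guest-ssid"
wlan virtual-ap "hotel-guest"
aaa-profile "hotel-aaa"
ssid-profile "hotel-guest-ssid"
ap-group "hotel-aps"
virtual-ap "hotel-guest"
"""

def _match(line, table):
    """Return (kind, name) when the line starts with a keyword in table, else None."""
    for keyword, kind in table.items():
        if line.startswith(keyword + " "):
            return kind, line[len(keyword):].strip().strip('"')

def check(config):
    """Return (dangling references, objects defined but never referenced)."""
    defined, refs, current = set(), [], None
    for line in map(str.strip, config.splitlines()):
        if header := _match(line, HEADERS):
            defined.add(header)
            current = header
        elif current and (ref := _match(line, REFS)):
            refs.append((current, ref))  # (referencing stanza, referenced object)
    dangling = sorted((src, ref) for src, ref in refs if ref not in defined)
    unused = sorted(d for d in defined - {r for _, r in refs} if d[0] != "group")
    return dangling, unused

if __name__ == "__main__":
    print(check(SAMPLE))
```

Roles and ACLs that are predefined on the controller are reported as dangling when the saved text does not include their definitions, so review those entries by hand.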

Version history
Revision #: 1 of 1
Last update: 06-30-2014 04:52 PM