How to integrate IAP with CPPM to perform Captive Portal authentication

Aruba Employee

This article explains:

   i) Adding the Aruba IAP as a NAD device.
   ii) Integrating the Aruba Controller with CPPM to perform captive portal authentication.
   iii) Configuring a service on CPPM to handle this request.


Environment: This article is written for CPPM 6.2.0 and greater.


Below are the detailed steps.

1: Adding Aruba Controller as NAD device on CPPM.

Navigate to Configuration > Network > Devices

Click Add Device

Add the device as shown below.



Select Aruba as the Vendor name and enable CoA.

Make sure the same RADIUS shared secret is configured on the VC as well.
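Why the secret has to be identical on both sides, as an added example that is not part of the original article: the sketch below follows RFC 2865 (User-Password hiding and the Response Authenticator) and assumes the portal login reaches CPPM as an Access-Request carrying a User-Password attribute. The secrets, password and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding as done by the NAD (RFC 2865 section 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What the RADIUS server recovers using its own copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_reply(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def nad_accepts_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAD side: recompute the authenticator; on a mismatch the reply is discarded."""
    header, attrs = reply[:4], reply[20:]
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

# Constructed sample values, not taken from any real deployment.
REQ_AUTH = bytes(range(16))
VC_SECRET, CPPM_SECRET_TYPO = b"example-secret", b"example-secrte"

if __name__ == "__main__":
    hidden = hide_password(b"guest-pass", VC_SECRET, REQ_AUTH)
    print("same secret :", reveal_password(hidden, VC_SECRET, REQ_AUTH))
    print("typo secret :", reveal_password(hidden, CPPM_SECRET_TYPO, REQ_AUTH))
    reply = build_reply(2, 7, b"", REQ_AUTH, CPPM_SECRET_TYPO)  # 2 = Access-Accept
    print("VC accepts reply:", nad_accepts_reply(reply, REQ_AUTH, VC_SECRET))
```

With a mismatched secret the server decodes a garbage password, and any reply it sends fails the authenticator check on the VC, so the symptom is failed or timed-out logins rather than an explicit "wrong secret" error.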


2: Integrate Aruba IAP with CPPM to perform Captive Portal.

Click on "System" and fill in the details below.



Assign an IP address to the Virtual Controller and enable Dynamic RADIUS Proxy. This forwards all RADIUS packets (from any IAP in the cluster) to CPPM with the VC's IP.

Click on "Security > Authentication Servers" and add a new RADIUS server.




Create a new SSID.

Click on "New" and give a name to the SSID.




Set the Primary Usage to Guest, as this SSID is for guest access.

On the next page, select the Client IP assignment.

It can be either VC assigned or Network assigned, depending on requirements.




On the next page, set the following:

Splash page type: must be set to "External- Radius Authentication".
Auth Server: select the CPPM from the drop-down.
Enable RADIUS accounting and set the accounting interval to 10 minutes.
IP or Hostname: the IP/hostname of the CPPM server.
URL: the URL of the guest login page from the CP Guest server.

On this page, create a new Preauth role as per the details below.




The Preauth role must have HTTP and HTTPS access to the CPPM server. The authenticated role (it gets created by default with the SSID's name) could be customised to control access.

Save and exit. This completes the configuration on the IAP.


3: Configuration of CPPM

Log in to ClearPass Guest, navigate to Home » Configuration » Authentication, and enable HTTPS for Guest access as below.

Navigate to Home » Configuration » Web Logins on CPG and create a new page.

The name should be exactly the same as the name provided in the IAP configuration.

Leave the other configuration items on this page at their defaults, apart from inserting the guest self-registration link in the header or footer, then save the page.

Click on the page and hit Test to check how the page looks.


This completes the configuration on the CP Guest.

Now, we will add a Service to handle this request.

Navigate to "Configuration » Service Templates" and use the template for "Guest Access".


On the page, fill in the details as below to autofill the configuration.


Hit "Add Service" and the service is added.

We can then connect a client and check.

Version history: Revision 1 of 1
Last update: 07-18-2014 10:58 AM

Can you provide the CLI text for this type of configuration?  I am a customer that doesn't have write privileges to my IAPs, so I can't view the configuration via the GUI but I am the one responsible for delivering the configuration to my managed service vendor.

I watched that video and read that post first.  What I need is the CLI for this since I can't look at what is already set up via the GUI (no rights).  I can however see the CLI (read only) so I am developing this solution (works with my CAPs in a test environment).  Need to deliver a text file with the commands to be implemented to my managed service provider that shows the configuration.

The ASE config DOES give you the CLI. If you go through the step process it will give you the CLI.

Well thanks for that...guess I should learn how to navigate that ASE page.  I have sent it over to my managed service vendor, should be able to test on Monday.

This isn't working for me. Despite explicitly allowing HTTP/HTTPS to CPPM, I can't hit CPPM on those ports. I also added an ICMP rule for testing and that works successfully. It looks like the instant controller is intercepting HTTP/HTTPS and denying that traffic to CPPM. Any ideas?