Product and Software: This article applies to Aruba 600, 3000, and M3 series controllers and ArubaOS 3.4.1 and later.
Note: Public Wi-Fi access is supported in beta with ArubaOS 3.4.1.0 and will not be generally available until ArubaOS 5.0.
This article provides a quick cheat sheet for successfully configuring a basic Public Wi-Fi Access deployment with the captive portal on the Aruba controller. The Public Wi-Fi Access Supplement should be used for more detailed information on what features are available for public Wi-Fi access.
Known Issues for Using the Captive Portal in the Aruba Controller
- The public Wi-Fi access features in the local user hospitality database (such as download/upload bandwidth contracts and expiration timers) will not work unless a controller administrator manually adds that guest MAC address with the desired values through CLI or WebUI configuration.
- A non-standard static IP guest user needs an IP address, subnet mask, gateway, and DNS IP address defined; otherwise its session will not work as a pre-authenticated or post-authenticated user.
How to Configure Public Wi-Fi Access
1) Request a public Wi-Fi access license from Support and install it on the controller.
2) Create the necessary wireless user, wired user, and uplink port VLANs and their IP interfaces and controller default gateway.
Example:
config t
interface vlan 1
description "Internet Uplink Interface"
ip address 1.1.1.1 255.255.255.0
interface vlan 2
description "Wireless client vlan"
ip address 192.168.2.1 255.255.255.0
ip default-gateway 1.1.1.254
end
write memory
3) Configure the controller IP, which has to be IP-reachable by the Aruba APs.
Example:
config t
controller-ip vlan 2
end
write memory
4) Enable IP domain lookup.
Example:
config t
ip domain lookup
ip name-server 8.8.8.8
end
write memory
5) Reboot the controller.
6) Enable public Wi-Fi access in the general firewall and reboot.
Example:
config t
firewall hospitality
end
write memory
reload
7) Create a post-authenticated user role.
Example:
config t
ip access-list session authenticated_http_https_proxy_acl
any any svc-http dst-nat 9000
any any tcp 800 900 dst-nat 9000
any any tcp 911 dst-nat 9000
any any tcp 990 dst-nat 9000
any any tcp 1024 9999 dst-nat 9000
ip access-list session allowall
any any any permit
user-role hotelguest-postauth
session-acl authenticated_http_https_proxy_acl
session-acl allowall
end
write memory
8) Create a captive portal profile that will be applied to the pre-authenticated user role.
Example:
config t
aaa authentication captive-portal "hotel-portal1"
default-role "hotelguest-postauth"
welcome-page "http://www.<company name>.com"
ip-addr-in-redirection-url 192.168.2.1
show-acceptable-use-policy
end
write memory
9) Apply the captive portal profile to the pre-authenticated user role.
Example:
config t
ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
ip access-list session captiveportal
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
user-role hotelguest-preauth
captive-portal "hotel-portal1"
session-acl logon-control
session-acl captiveportal
end
write memory
10) Apply the pre-authenticated user role to an AAA profile.
Example:
config t
aaa profile "hotel-aaa"
initial-role "hotelguest-preauth"
end
write memory
11) Create an SSID that will be used by public Wi-Fi access wireless clients.
Example:
config t
wlan ssid-profile "hotel-guest-ssid"
essid "hotel-guest"
end
write memory
12) Create a virtual AP and bind it with the new AAA and SSID profile.
Example:
config t
wlan virtual-ap "hotel-guest"
aaa-profile "hotel-aaa"
ssid-profile "hotel-guest-ssid"
vlan 2
end
write memory
13) Add the virtual AP to an AP group that will have APs broadcasting the public Wi-Fi access SSID.
Example:
config t
ap-group "hotel-aps"
virtual-ap "hotel-guest"
end
write memory
14) Add an IP address that will redirect wireless and wired client HTTP and HTTPS requests to the captive portal on the controller.
Example:
config t
ip cp-redirect-address 192.168.2.1
end
write memory
15) Add guest users in the controller local-user-db.
Example:
local-userdb add username "guest" password <password> role hotelguest-postauth
16) If the controller is being used as a DHCP server, configure the necessary DHCP pools for the wireless and wired clients.
Example:
config t
ip dhcp pool user-pool
default-router 192.168.2.1
dns-server 8.8.8.8
lease 1 0 0
network 192.168.2.0 255.255.255.0
authoritative
end
write memory
The controller should now be configured with all the necessary information to be used as a public Wi-Fi access controller.
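Steps 7 through 13 build a chain of named objects (virtual AP, AAA profile, initial role, captive portal profile, default role, session ACLs), and a skipped step leaves a reference pointing at nothing or a guest role with no portal attached. The following offline check is an added example, not Aruba code or part of the original article; it models only the stanzas shown in those steps, and it assumes every referenced object is defined in the text it is given, so anything the controller predefines would be reported unless its definition is included.

```python
# Stanza headers used in steps 7-13 -> kind of object they define
HEADERS = {"ip access-list session": "acl", "user-role": "role",
           "aaa authentication captive-portal": "portal", "aaa profile": "aaa",
           "wlan ssid-profile": "ssid", "wlan virtual-ap": "vap", "ap-group": "group"}
# Child keywords that point at another object -> kind they reference
REFS = {"session-acl": "acl", "captive-portal": "portal", "default-role": "role",
        "initial-role": "role", "aaa-profile": "aaa", "ssid-profile": "ssid",
        "virtual-ap": "vap"}

def audit(config):
    """Return findings: undefined references and initial roles with no portal."""
    defined, refs, current = set(), [], None
    for line in map(str.strip, config.splitlines()):
        header = next((p for p in HEADERS if line.startswith(p + " ")), None)
        word, _, rest = line.partition(" ")
        if header:                      # new stanza: record (kind, name)
            current = (HEADERS[header], line[len(header):].strip().strip('"'))
            defined.add(current)
        elif line == "end":             # leaving config mode closes the stanza
            current = None
        elif current and word in REFS and rest:
            refs.append((current, (REFS[word], rest.strip().strip('"'))))
    findings = [f"{s[0]} {s[1]}: undefined {d[0]} {d[1]}"
                for s, d in refs if d not in defined]
    portal_roles = {s[1] for s, d in refs if s[0] == "role" and d[0] == "portal"}
    findings += [f"aaa {s[1]}: initial role {d[1]} has no captive portal"
                 for s, d in refs if s[0] == "aaa" and d[0] == "role"
                 and d in defined and d[1] not in portal_roles]
    return findings

# Constructed sample using the page's names; the logon-control ACL, the step 9
# captive-portal line and the step 11 SSID profile are left out on purpose.
SAMPLE = """\
user-role hotelguest-postauth
aaa authentication captive-portal "hotel-portal1"
default-role "hotelguest-postauth"
user-role hotelguest-preauth
session-acl logon-control
aaa profile "hotel-aaa"
initial-role "hotelguest-preauth"
wlan virtual-ap "hotel-guest"
aaa-profile "hotel-aaa"
ssid-profile "hotel-guest-ssid"
end
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means every reference in the supplied text resolves and each AAA profile's initial role carries a captive portal profile.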
Refer to the ArubaOS 3.4.1.0 User Guide and Public Wi-Fi Access Supplement for more details on these features and parameters.