Guys, here is the config I created:
#Create SSID profile
#Open (opensystem) guest SSID: no layer-2 encryption, so nothing a guest sends is private over the air.
#Credential protection therefore depends entirely on the portal being served over HTTPS (see the login-page URL below).
#NOTE(review): if the controller/AP software supports Enhanced Open (OWE), it would add over-the-air encryption
#without changing the open-onboarding flow — confirm platform support before relying on it.
wlan ssid-profile "tpl-Mountcom_guest_access"
essid "Mountcom_guest_access"
opmode opensystem
exit
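#RADIUS authentication server: 10.17.2.30, the same host that serves the external captive-portal page below.
#SECURITY: the pasted config carried the well-known default secret "aruba123", shared by both the RADIUS and the
#CoA server. Replace it with a long, random, per-controller secret that matches this controller's device entry on
#the RADIUS server, and never paste the real value into shared configs.
aaa authentication-server radius "tpl-Mountcom_guest_access"
host "10.17.2.30"
key "<REPLACE-WITH-STRONG-RANDOM-SECRET>"
!
#Dynamic authorization (RFC 3576 / CoA) from the same server. Anyone holding this key can disconnect or re-role
#guest sessions on this controller, so it needs the same strength as the RADIUS secret and must match the
#server's CoA secret for this controller.
aaa rfc-3576-server "10.17.2.30"
key "<REPLACE-WITH-STRONG-RANDOM-SECRET>"
!
#Server group used by the captive-portal and MAC-auth profiles further down.
aaa server-group "tpl-Mountcom_guest_access"
auth-server "tpl-Mountcom_guest_access"
!
#AAA profile: accounting goes to the same server group; CoA is accepted from 10.17.2.30.
#(The profile is re-opened later in this config to set the initial and MAC-auth roles.)
aaa profile "tpl-Mountcom_guest_access"
radius-accounting "tpl-Mountcom_guest_access"
rfc-3576-server "10.17.2.30"
!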
#Create an ACL that allows the unauthenticated guest to reach the external captive portal page.
#Single-host destination: the external portal server at 10.17.2.30. "no invert" means match this host only.
netdestination "tpl-Mountcom_guest_access-allow-external-captive-portal"
no invert
host 10.17.2.30
exit
#Permit HTTP and HTTPS from the client ("user") to that host only, so the redirect target loads before login.
#NOTE(review): this opens 80/443 to the whole host, including any management interface listening on the same
#IP and port — confirm the portal server does not expose admin functions on this address, or narrow the rule.
ip access-list session "tpl-Mountcom_guest_access-allow-external-captive-portal"
user alias "tpl-Mountcom_guest_access-allow-external-captive-portal" svc-http permit
user alias "tpl-Mountcom_guest_access-allow-external-captive-portal" svc-https permit
exit
#BEGIN - Create ACL's for the unauthenticated guest before they log in on the captive portal. These provide basic network access and cause the captive portal redirect.
#HTTPS sent to the controller's own addresses ("alias controller" is the built-in controller netdestination) is
#redirected to the controller's captive-portal listener on 8081; this is what serves the logout page post-login.
ip access-list session "tpl-Mountcom_guest_access-cplogout"
user alias controller svc-https dst-nat 8081
exit
#Allow basic network access such as DNS and DCHP but deny the user from acting as a DHCP server.
#Rules are matched top-down, first match wins: the two denies must stay above the permits.
#NOTE(review): the permits are "any any", so an unauthenticated guest can already reach DNS, ICMP and NAT-T
#(svc-natt, IPsec NAT traversal) on every destination, internal ranges included — a recon/DNS-tunnelling
#vector. Consider restricting svc-dns to the resolvers handed out by the DHCP pool below and confirm
#svc-natt is actually needed for guests.
ip access-list session "tpl-Mountcom_guest_access-logon-control"
user any udp 68 deny
ipv6 user any icmpv6 rtr-adv deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
exit
#Redirect: HTTP goes to the controller's portal on 8080, HTTPS to 8081, common proxy ports to 8088.
#Only traffic not already matched by the ACLs listed above it in the role reaches these rules.
ip access-list session "tpl-Mountcom_guest_access-captiveportal"
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
exit
#END - Create ACL's for the client before they log in on the captive portal. These provide basic network access and cause the captive portal redirect.
#Create a logon user role with the ACL restrictions.
#ACL order matters: the portal host is permitted first (so it is not dst-nat'ed by the redirect ACL),
#then basic services, then everything else web-like is redirected. Anything unmatched hits the implicit deny.
user-role "tpl-Mountcom_guest_access-logon"
access-list session "tpl-Mountcom_guest_access-allow-external-captive-portal"
access-list session "tpl-Mountcom_guest_access-logon-control"
access-list session "tpl-Mountcom_guest_access-captiveportal"
exit
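#BEGIN - Create ACL's to restrict authenticated guest user from accessing internal networks. Only allow HTTP/HTTPS access to public sites.
#All RFC 1918 space. This also covers the guest VLAN itself (10.230.0.0/22), so the deny below blocks
#guest-to-guest IPv4 traffic as well as access to the corporate network.
netdestination "tpl-Mountcom_guest_access-internal-net"
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.240.0.0
network 192.168.0.0 255.255.0.0
exit
#Deny everything from the guest to internal space. DHCP to the controller is permitted first because this
#ACL is now evaluated ahead of the shared logon-control ACL in the authenticated role (see below) and the
#controller's DHCP server (10.230.0.31) sits inside 10.0.0.0/8; without it unicast lease renewals would be dropped.
ip access-list session "tpl-Mountcom_guest_access-block"
user alias controller svc-dhcp permit
user alias "tpl-Mountcom_guest_access-internal-net" any deny
exit
#Web access to anything not denied above (i.e. public addresses only).
ip access-list session "tpl-Mountcom_guest_access-authenticated"
any any svc-http permit
any any svc-https permit
exit
#Explicit, logged deny so everything else shows up in the firewall logs rather than disappearing into the implicit deny.
ip access-list session "tpl-Mountcom_guest_access-drop-all"
user any any deny log
exit
#END - Create ACL's to restrict authenticated guest user from accessing internal networks. Only allow HTTP/HTTPS access to public sites.
#Create a post authenticated user role that has limited network access.
#ACLs are evaluated in the order listed, first match wins, so the internal-net block must come BEFORE
#logon-control. In the original order logon-control's "any any svc-icmp / svc-dns / svc-natt permit" matched
#first, letting an authenticated guest ping, query DNS on, and send NAT-T to every RFC 1918 host.
#cplogout stays first so the HTTPS logout redirect to the controller keeps working.
user-role "tpl-Mountcom_guest_access"
access-list session "tpl-Mountcom_guest_access-cplogout"
access-list session "tpl-Mountcom_guest_access-block"
access-list session "tpl-Mountcom_guest_access-logon-control"
access-list session "tpl-Mountcom_guest_access-authenticated"
access-list session "tpl-Mountcom_guest_access-drop-all"
exit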
#Captive-portal profile: external login page on 10.17.2.30, authentication against the RADIUS server group,
#successful users land in the restricted post-auth role.
#NOTE(review): the login-page URL uses a bare IP over HTTPS. Unless the portal's certificate covers that IP,
#every guest gets a certificate warning, which trains them to click through — the usual fix is an FQDN that
#matches the certificate (it must resolve to 10.17.2.30, which the allow-external-captive-portal ACL permits).
aaa authentication captive-portal "tpl-Mountcom_guest_access"
login-page "https://10.17.2.30/guest/weblogin.php/3?_browser=1"
welcome-page "/auth/welcome.html"
#No anonymous "guest" button on the controller's own portal; all logins go through the external page.
no guest-logon
no logout-popup-window
redirect-pause 3
server-group "tpl-Mountcom_guest_access"
default-role "tpl-Mountcom_guest_access"
exit
#MAC-authentication profile with default settings (no options set here).
aaa authentication mac "tpl-Mountcom_guest_access"
exit
#Attach the captive portal profile to the logon user role
user-role "tpl-Mountcom_guest_access-logon"
captive-portal "tpl-Mountcom_guest_access"
exit
aaa profile "tpl-Mountcom_guest_access"
#Set the initial user role to the logon user role that enabled captive portal.
initial-role "tpl-Mountcom_guest_access-logon"
#Apply the MAC authentication profile to support MAC caching. Successfully authenticated MAC addresses will bypass the captive portal login and get immediate access.
#SECURITY: a MAC address is trivially spoofed, so once a device is cached anyone who copies its MAC gets the
#post-auth role without seeing the portal. The cache lifetime on the RADIUS server bounds that window — keep it
#short for a guest network. mac-default-role is the role granted on MAC-auth success.
authentication-mac "tpl-Mountcom_guest_access"
mac-server-group "tpl-Mountcom_guest_access"
mac-default-role "tpl-Mountcom_guest_access"
exit
#Create VLAN and VLAN Properties.
#Guest VLAN 230, controller address 10.230.0.31/22 (also the DHCP default gateway below).
vlan 230
interface vlan 230
ip address 10.230.0.31 255.255.252.0
#DHCP Helper is used for Policy Manager "Profile" feature
#The controller serves DHCP itself (pool below); the helper only copies client DHCP traffic to 10.17.2.30
#for device fingerprinting, so guest DHCP details leave the controller to that host.
ip helper-address "10.17.2.30"
exit
#Create DHCP Pool
#Public resolvers are handed out, so guests do not need (and the post-auth role does not permit) internal DNS.
ip dhcp pool "tpl-Mountcom_guest_access"
default-router 10.230.0.31
dns-server 8.8.8.8 8.8.4.4
network 10.230.0.0 255.255.252.0
domain-name Mountcom.com
exit
#Enable DHCP service
service dhcp
#Virtual AP: ties the AAA profile (roles, MAC auth, CoA), the open SSID and the guest VLAN together.
#NOTE(review): client isolation on this SSID relies on the role ACLs (the post-auth block ACL covers the
#guest subnet, the logon role does not). Confirm that is sufficient for your policy or enable the
#controller's inter-user traffic deny as well.
wlan virtual-ap "tpl-Mountcom_guest_access"
aaa-profile "tpl-Mountcom_guest_access"
ssid-profile "tpl-Mountcom_guest_access"
vlan 230
exit
#Broadcast the virtual AP from this AP group only.
ap-group "FirstFL_Basement"
virtual-ap "tpl-Mountcom_guest_access"
exit
end