OBJECTIVE
This document explains how to configure Aruba Central–managed APs and gateways to function each access point as hotspot for IPERA Starling, including the setup of RADSec (RADIUS over TLS) for secure RADIUS communication.
ARCHITECTURE
PREREQUISITES
This guide applies to the solution for the active environment of Aruba Central for Cloud-managed networking.
To use an Aruba Central device as a Hotspot, the controller and Access Points must be connected to the Internet.
Configure via Aruba Central
Log in to your Aruba Central account.
Go to Devices > Access Points > Config (top right) > WLANs and click on Add SSID at the bottom left
General Settings
Name (SSID): Guest Wi-Fi (or any name)
Click Next
VLAN Settings
Client IP Assignment: External DHCP server assigned
Client VLAN Assignment: Native VLAN
Click Next
Security Settings
Security Level: Visitors
Type: External Captive Portal
Captive Portal Profile: Click on the plus button
Name: STARLING
Authentication Type: RADIUS Authentication
IP or Hostname: engage.iperawifi.com
URL: /onboarding
Port: 443
Use https: Enabled
Captive portal failure: Deny internet
Automatic URL whitelisting: Enabled
Server offload: Disabled
Prevent frame overlay: Disabled
Use VC IP in Redirect URL: Disabled
Redirect URL: https://engage.iperawifi.com/onboarding?res=success
Click OK to save
Radsec Setup
Adding Authentication Server
Go to Devices > Access Points > Config (Top Right) > Security > Authentication Servers > Click + icon to Add New Server
Server Type: Radius
Name : Radsec
Radsec: Enabled
IP Address / FQDN: engage.radius.iperawifi.com
Radsec Port: 2083
Dynamic Authorization: Disabled
Radsec Keepalive Type: TCP Keepalive
NAS Identifier: N/A
NAS IP Address: N/A
CPPM Username: ipera
CPPM Password: Shared key will be shared separately by IPERA
Server Type Framed User: MAC/Captive Portal
Query Status of Radius Servers: Authentication - Enabled
Accounting - Enabled
Adding CA Certificate
Go to Organization > Click on Cerificates > Add Certificate
Name: Radsec_CA
Type: CA Certificate
Format: PEM
Certificate File: The File will be provided by IPERA Engineers
Click Add
Certificate Usage
Go to Devices > Access Points > Config (Top Right) > Security > Certificate Usage
Certificate Authority: Select the certificate that was added in the previous step
Authentication Server: Default
Captive Portal: aruba_default
Radsec Use EST: Disabled
Radsec Client Cert: Default
Radsec CA: Select the certificate that was added in the previous step
Clearpass: default
AP1X CA: default
AP1X Client Cert: default
WebCC CA Cert: default
Again Go to Devices > Access Points > Config (top right) > WLANs > Select WLAN > Security
LOAD BALANCING: Disabled
Encryption: Disabled
Key Management: Enhanced Open
Click Advanced Settings
Reauth Interval: 24 hrs
Then click Accounting
Accounting: Use authentication servers
Accounting Interval: 3 min
Click Next
Access Settings
- Access rules: Role-based
Under Roles, click on the plus button and enter STARLING as the name
Under Access Rules for STARLING, verify any to any rule is created, if it is not created, click on add rule and add it.
- Access rules: Role-based
Under Roles, click on the plus button and enter PreAuth as the name
Under Access Rules for PreAuth, click on Add Rule and add the following rules:
It is mandatory to add the following domains to ACL
- static.iperawifi.com
- engage.iperawifi.com
If you wish to support social network logins, you need to add rules for domains below for each network you plan to support
|
Microsoft 365 (*) |
login.microsoftonline.com | accounts.google.com | |
| aadcdn.msauth.net | www.google.com | ||
| login.live.com | fonts.gstatic.com | ||
| akamaihd.net | play.google.com | ||
| aadcdn.msftauth.net | ssl.gstatic.com | ||
| www.facebook.com | accounts.youtube.com | ||
| www.facebook.net | accounts.google.com | ||
| static.xx.fbcdn.net | TikTok (**) | *.tiktok.com | |
| api.twitter.com | firebaseinstallations.googleapis.com | ||
| abs-0.twimg.com | storage.googleapis.com | ||
| pbs.twimg.com | *.ibytedtos.com | ||
|
|
www.linkedin.com | *.tiktokv.com | |
| static.licdn.com | open-api.tiktok.com | ||
| media.licdn.com | www.tiktok.com | ||
| ponf.linkedin.com | *.ttwstatic.com | ||
| platform.linkedin.com | *.tiktokcdn.com | ||
| Apple | www.apple.com | ||
| appleid.apple.com | |||
| appleid.cdn-apple.com | |||
| is4-ssl.mzstatic.com | |||
(*) Please refer to the below URL if you wish to use Microsoft login method
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/review-admin-consent-requests
(**) Google, Facebook, Twitter, and Apple should be also added for TikTok
Check ASSIGN PRE-AUTHENTICATION ROLE and select PreAuth
Click Finish to complete the setup
Parameters for the Configuration
For AWS:
IPERA Radius IP Address (Primary): 35.156.39.198
IPERA Radius IP Address (Secondary): 35.156.23.166
Shared Secret: (it will be communicated by IPERA)
Radesc Port Number: 2083
Redirect URL after login: https://engage.iperawifi.com/onboarding
External Webauth URL: https://engage.iperawifi.com/onboarding
For Azure:
IPERA Radius IP Address (Primary): 20.174.25.122
IPERA Radius IP Address (Secondary): 20.174.42.3
Shared Secret: (it will be communicated by IPERA)
Radesc Port Number: 2083
Redirect URL after login: https://me.iperawifi.com/onboarding
External Webauth URL: https://me.iperawifi.com/onboarding
Any changes on the above parameters and values will be communicated with IPERA customers in advance.
Comments
0 comments
Please sign in to leave a comment.