OBJECTIVE
This document explains how to configure Aruba Central–managed APs and gateways to function each access point as hotspot for IPERA Starling, including the setup of RADSec (RADIUS over TLS) for secure RADIUS communication.
ARCHITECTURE
PREREQUISITES
This guide applies to the solution for the active environment of Aruba Central for Cloud-managed networking.
To use an Aruba Central device as a Hotspot, the controller and Access Points must be connected to the Internet.
Configure via Aruba Central
Log in to your Aruba Central account.
Go to Devices > Access Points > Config (top right) > WLANs and click on Add SSID at the bottom left
General Settings
Name (SSID): Guest Wi-Fi (or any name)
Click Next
VLAN Settings
Client IP Assignment: External DHCP server assigned
Client VLAN Assignment: Native VLAN
Click Next
Security Settings
Security Level: Visitors
Type: External Captive Portal
Captive Portal Profile: Click on the plus button
Name: STARLING
Authentication Type: RADIUS Authentication
IP or Hostname: engage.iperawifi.com
URL: /onboarding
Port: 443
Use https: Enabled
Captive portal failure: Deny internet
Automatic URL whitelisting: Enabled
Server offload: Disabled
Prevent frame overlay: Disabled
Use VC IP in Redirect URL: Disabled
Redirect URL: https://engage.iperawifi.com/onboarding?res=success
Click OK to save
Radsec Setup
Adding Authentication Server
Go to Devices > Access Points > Config (Top Right) > Security > Authentication Servers > Click + icon to Add New Server
Server Type: Radius
Name : Radsec
Radsec: Enabled
IP Address / FQDN: engage.radius.iperawifi.com
Radsec Port: 2083
Dynamic Authorization: Disabled
Radsec Keepalive Type: TCP Keepalive
NAS Identifier: IAP
NAS IP Address: N/A
Server Type Framed User: MAC/Captive Portal
Query Status of Radius Servers: Authentication - Enabled
Accounting - Enabled
Adding CA Certificate
Go to Organization > Click on Cerificates > Add Certificate
Name: Radsec_CA
Type: CA Certificate
Format: PEM
Certificate File: The File will be provided by IPERA Engineers
Click Add
Certificate Usage
Go to Devices > Access Points > Config (Top Right) > Security > Certificate Usage
Certificate Authority: Select the certificate that was added in the previous step
Authentication Server: Default
Captive Portal: aruba_default
Radsec Use EST: Disabled
Radsec Client Cert: Default
Radsec CA: Select the certificate that was added in the previous step
Clearpass: default
AP1X CA: default
AP1X Client Cert: default
WebCC CA Cert: default
Again Go to Devices > Access Points > Config (top right) > WLANs > Select WLAN > Security
LOAD BALANCING: Disabled
Encryption: Disabled
Key Management: Enhanced Open
Click Advanced Settings
Mac Auth Configuration
Mac Authentication: Enabled
Called Station ID Type: MAC Address
Reauth Interval: 24 hrs
Denylisting: Enabled
Called Station ID Include SSID: Enabled
Mac Auth Uppercase Support: Enabled
Then click Accounting
Accounting: Use authentication servers
Accounting Interval: 10 min
Fast Roaming: 802.11k Enabled
Click Next
Access Settings
- Access rules: Role-based (Default Role)
This will be create automatically with "Allow any to all destinations"
- Access rules: Role-based (Pre Auth Role)
Under Roles, click on the plus button and enter captive-portal as the name
Under Access Rules for captive-portal, click on Add Rule and add the following rules:
It is mandatory to add the following domains to ACL
- static.iperawifi.com
- engage.iperawifi.com
If you wish to support social network logins, you need to add rules for domains below for each network you plan to support
|
|
login.microsoftonline.com | accounts.google.com | |
| aadcdn.msauth.net | www.google.com | ||
| login.live.com | fonts.gstatic.com | ||
| akamaihd.net | play.google.com | ||
| aadcdn.msftauth.net | ssl.gstatic.com | ||
| www.facebook.com | accounts.youtube.com | ||
| www.facebook.net | accounts.google.com | ||
| static.xx.fbcdn.net | TikTok (**) | *.tiktok.com | |
| api.twitter.com | firebaseinstallations.googleapis.com | ||
| abs-0.twimg.com | storage.googleapis.com | ||
| pbs.twimg.com | *.ibytedtos.com | ||
|
|
www.linkedin.com | *.tiktokv.com | |
| static.licdn.com | open-api.tiktok.com | ||
| media.licdn.com | www.tiktok.com | ||
| ponf.linkedin.com | *.ttwstatic.com | ||
| platform.linkedin.com | *.tiktokcdn.com | ||
| Apple | www.apple.com | ||
| appleid.apple.com | |||
| appleid.cdn-apple.com | |||
| is4-ssl.mzstatic.com | |||
(*) Please refer to the below URL if you wish to use Microsoft login method
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/review-admin-consent-requests
(**) Google, Facebook, Twitter, and Apple should be also added for TikTok
Check ASSIGN PRE-AUTHENTICATION ROLE and select PreAuth
Click Finish to complete the setup
Comments
0 comments
Please sign in to leave a comment.