This article describes the configuration to apply in your Aruba Instant controller to enable the Cloudi-Fi splash page feature.
Note that it is not necessary to configure Aruba in the case of a Zscaler deployment.
1. Create an authentication server
This server is used to send the authorization to the Aruba controller after the user has provided their credentials to Cloudi-Fi.
In the Aruba Instant controller GUI, in the top right corner, go to Security > Authentication Server > New
IP Address : 126.96.36.199
Auth Port : 1812
Accounting port : 1813
Shared key : provided by Cloudi-Fi support team
Service type framed user : tick Captive Portal
2. Create an external captive portal
In this section, we will configure the URL to which users are redirected to be authenticated.
Go to Security > External Captive Portal > New
Type: RADIUS Authentication
IP or hostname: login.cloudi-fi.net
URL: your dedicated URL is provided in the Cloudi-Fi administration portal
Use https: Enabled
Captive Portal failure : Deny Internet
All other settings are Disabled
3. Create a Pre-Authentication role
This role is assigned to users who are not yet authenticated in the Cloudi-Fi portal.
It authorizes unauthenticated users to access the external resources needed for authentication.
For example, we allow the user to access Facebook in order to use their Facebook account to log in.
Go to Security > Role > New > Name it CloudiFi_pre-auth
Create rules as below:
Rule type: Access control
Destination: to domain name
Domain name: Depending on the authentication modules available on your captive portal, you need to add different URLs.
The Cloudi-Fi support team will provide you with the needed URLs.
4. WLAN Creation
In the controller GUI Dashboard, in the Network section, click on "+" to add a new WLAN.
Give it a name
Primary usage: Guest
These choices depend on your network infrastructure (if you have a dedicated DHCP server, if you need to assign users to a VLAN...)
Otherwise, you can keep the default choices.
In the Security tab:
Splash page type: External
Captive portal profile : Cloudi-Fi
MAC authentication: Disabled
Auth server1: Cloudi-Fi Radius
Reauth interval: this timer shall be equal to the session lifetime configured in the Cloudi-Fi portal
All other options must be disabled
In the Access tab:
Select default_wired_port_profile (except if you want to restrict some specific resources)
Tick and assign the pre_authentication role we created earlier
5. Captive Portal Certificate
In order to bring up a secured channel between the guest device and the Aruba controller, a public certificate has to be deployed on the controller. Without this certificate, guests will receive "Untrusted Certificate" error messages after they authenticate on the Cloudi-Fi portal.
Once you get a public certificate, you will have to put all certificate material in a single file in X.509 (aka PEM) or PKCS12 format.
The AP's certificate must be first, followed by the certificate chain in order, and then followed by the private key for the certificate. For example, with a server certificate, a single intermediate CA, and a root CA, the PEM or PKCS12 file must contain the following parts, in this order:
1. Server Certificate
2. Intermediate CA
3. Root CA
4. Private key
Once done, upload the certificate under System > Advanced > Certificate.
The Aruba controller will automatically create a DNS record corresponding to your Server Certificate Common Name.