This article describes the configuration to apply in your Aruba Instant controller to enable the Cloudi-Fi splash page feature.

Note that it is not necessary to configure Aruba in the case of a zscaler deployment.

1. Create an authentication server

This server will be used to send the authorization to the Aruba controller after the user provided his credentials to Cloudi-Fi.
In the Aruba Instant controller GUI, in the top right corner, go to Security > Authentication Server > New

IP Address : 87.98.173.68
Auth Port : 1812
Accounting port : 1813
Shared key : provided by Cloudi-Fi support team
Service type framed user : tick Captive Portal

2. Create an external captive portal 

In this section, we will configure the URL where the user are redirected to be authenticated.
Go to Security > External Captive Portal > New

Type: RADIUS Authentication
IP or hostname: login.cloudi-fi.net
URL: your dedicated URL is provided in the Cloudi-Fi administration portal
Port: 443
Use https: Enabled
Captive Portal failure : Deny Internet
All other settings are Disabled

3. Create a Pre-Authentication role

This role will be assigned to users which are not authenticated yet in the Cloudi-Fi portal.
This role will authorize non-authenticate user to access to external ressources needed for the authentication.
For example, we allow the user to access Facebook in order to use his Facebook account to login.
Go to Security > Role > New > Name it CloudiFi_pre-auth
Create rules as below:
Rule type: Access control
Service: Network
Action: Allow
Destination: to domain name
Domaine name: Depending authentication module available on your captive portal, you need to add differents URL.
Cloudi-Fi Support team will provide you needed URL.

4. WLAN Creation

In the controller GUI Dashboard, in the Network section, click on "+" to add a new WLAN.

Give it a name
Primary usage: Guest
Next

These choices are depending of your your network infrastructure (if you have a dedicated DHCP server, if you need to assign users in a VLAN...)
Else you can let default choices.

In the Security tab:
Splash page type: External
Captive portal profil : Cloudi-Fi
WISPr: Disabled
MAC authentication: Disabled
Auth server1: Cloudi-Fi Radius
Reauth interval: this timer shall be equal to the lifetime session confgiured in Cloudi-Fi portal
All other option must be disabled

In the Access tab:
Select default_wired_port_profile (expect if you want to restrict some specific ressources)
Tick and assign the pre_authentication role we created earlier
Click Finish

5. Captive Portal Certificate

In order to bring up a secured channel between guest device and Aruba controller, a public certificate has to be deployed on the controller. Without this certificate, guests will receive "Untrusted Certificate" error messages after they authenticate on Cloudi-Fi portal.

Once you get a public certificate, you will have to put all certificate material in a single file in x509 ( aka PEM ) or PKCS12 format.

The AP’s certificate must be first, followed by the certificate chain in order, and then followed by the private key for the certificate. For example, with a root CA, a single intermediate CA, and a root CA, the PEM or PKCS12 file must contain the following parts, in this order:

1. Server Certificate

2. Intermediate CA

3. Root CA

4. Private key

Once done, upload the certificate under System > Advanced > Certificate.

<screenshot>

Aruba Controller will automatically create a DNS record corresponding to your Server Certificate Common Name.


 


Did this answer your question?