Configuring Aruba WLC
Configuring Aruba WLC for IPS Guest Self-Registration
This section explains the steps to configure Aruba WLC for deploying IPS GUAM and the ‘Guest Self-Registration’ feature, and provides examples of how to configure the Aruba WLC. For more information, see the Aruba documentation.
Configuration required on Aruba WLC for Campus Only mode
WLAN Configuration for Campus Only mode
- Log in to Aruba WLC. Select Configuration > Wizards > WLAN/LAN Wizard. The Welcome to the WLAN/LAN Configuration Wizard screen appears.
- Select Campus Only option and click Begin. The Specify Group to Configure screen appears.
- On Specify Group to Configure screen select an existing AP group or create a new AP group and click Next. The Ready to Configure Wireless LANs for Group screen appears.
- Click Continue button. The Specify Wireless LAN (WLAN) for Group default screen appears.
- On Specify Wireless LAN (WLAN) for Group default screen, select a group from the AP Groups list.
- In the WLANS for list do one of the following:
  - Select an existing WLAN.
  - Click New to create a new WLAN.
- Click Next.
- The Specify Forwarding Mode for Guest_Aruba in Group default screen appears.
- On Specify Forwarding Mode for Guest_Aruba in Group default screen, under Forward Mode, select Tunnel option and click Next. The Specify Radio Type and VLAN for Guest_Aruba in Group default screen appears.
- On Specify Radio Type and VLAN for Guest_Aruba in Group default screen select:
  - Radio Type - Select ‘all’ from the drop-down list.
  - VLAN - Select required options from the drop-down list and click the arrow button to include in the VLAN box.
- Click Next.
- The Specify whether WLAN is for Internal or Guest use for Guest_Aruba in Group default screen appears.
- On the Specify whether WLAN is for Internal or Guest use for Guest_Aruba in Group default screen, specify the purpose of the WLAN. Select the Guest option for WLAN use and click Next.
- The Specify Authentication and Encryption for Guest_Aruba in Group default screen appears.
- On Specify Authentication and Encryption for Guest_Aruba in Group default screen move the slider to Captive portal with authentication via credentials option and click Next. The Specify Captive Portal Options for Guest_Aruba in Group default screen appears.
- On the Specify Captive Portal Options for Guest_Aruba in Group default screen, click Next.
- The Specify Authentication Server for Guest_Aruba in Group default screen appears.
- On Specify Authentication Server for Guest_Aruba in Group default screen, specify IPS server as the authentication server and click Next.
- The Specify Roles & Policies for Guest_Aruba in Group default screen appears.
- On Specify Roles & Policies for Guest_Aruba in Group default screen, configure the roles and click Next. The Configure Role Assignment for Guest_Aruba in Group default screen appears.
- On Configure Role Assignment for Guest_Aruba in Group default screen, click Next.
- The WLAN Configuration is Complete screen appears.
- Click Finish to complete the configuration.
- The WLAN Configuration is Complete screen appears displaying the summary of the configuration.
- Click Finish.
- The Controller Has Been Configured screen appears.
- Click Finish.
- The system refreshes and takes you to the Configuration tab.
- Select Security > Authentication > AAA Profiles and click on RADIUS Accounting Server Group.
- Select an appropriate server group for RADIUS Accounting Server Group.
External Captive Portal Configuration
- In Aruba WLC select Configuration > Security > Authentication > L3 authentication.
- The L3 authentication screen appears.
- Click Captive Portal Authentication Profile. The list expands. Select the corresponding profile of the above configured WLAN.
- Select the check box Add switch IP address in the redirection URL.
- In the Login page box enter the IPS guest access URL that is configured as part of IPS configuration.
- Click Apply to save the configuration.
RFC 3576 server configuration
- In Aruba WLC go to Configuration > Security > Authentication > Servers tab.
- A list of configured servers is displayed.
- Click the RFC 3576 Server and add IPS as RFC 3576 server, for supporting disconnect messages.
- Click on the RFC server that is newly created to provide the key.
- Select Security > Authentication > AAA Profiles. Go to the AAA profile and click on RFC 3576 server. Add the server that is newly created in step 1.
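Why the key entered for the RFC 3576 server has to match the one IPS uses, shown as an added example that is not part of the vendor procedure: RFC 3576 signs each Disconnect-Request with an MD5 over the packet and the shared key, so a receiver holding a different key rejects the message. The attribute values and keys below are constructed, and the page does not describe how the controller implements this check internally.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # RFC 3576 packet code for Disconnect-Request


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a Disconnect-Request the way the RFC 3576 sender (here: IPS) signs it."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """Check a received packet against the locally configured key, as RFC 3576 requires."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values: User-Name (type 1) and Calling-Station-Id (type 31).
ATTRS = _attr(1, b"guest01") + _attr(31, b"00-11-22-33-44-55")
PACKET = build_disconnect_request(7, ATTRS, b"shared-key-on-both-sides")

if __name__ == "__main__":
    print("matching key:  ", verify_disconnect_request(PACKET, b"shared-key-on-both-sides"))
    print("mismatched key:", verify_disconnect_request(PACKET, b"typo-in-controller-key"))
```

A key mismatch and a packet altered in transit fail the same way, which is why a mistyped key shows up as disconnect messages that are silently ignored.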
WLAN Configuration for Remote Networking mode on Aruba WLC
- Log in to Aruba WLC. Select Configuration > Wizards > WLAN/LAN Wizard. The Welcome to the WLAN/LAN Configuration Wizard screen appears.
- Select Remote Networking option and click Begin.
- The Specify Group to Configure screen appears.
- On the Specify Group to Configure screen, select an AP group and click Next.
- On the Specify RAP DHCP settings for Group qa-group screen, configure:
  - DHCP pool start
  - DHCP pool end
  - DHCP pool netmask
  - Default router
  - DNS server
  - VLAN ID
  - DHCP Lease time – Select the required option and set the limit.
- Click Next.
- The Specify RAP DNS Query Routing for Groups qa-group screen appears.
- On the Specify RAP DNS Query Routing for Groups qa-group screen click Next.
- The Ready to Configure Wired LANs, and Wireless LANs for Group screen appears.
- On the Ready to Configure Wired LANs, and Wireless LANs for Group screen, click the Wireless LANs Wizard link.
- Follow Step 4 to Step 17 of Campus Only mode to complete the WLAN configuration.
- Follow External Captive Portal Configuration of Campus Only mode to configure Captive Portal for Remote Networking mode.
- Follow RFC 3576 server configuration of Campus Only mode to configure IPS as RFC 3576 server.
Configuring Aruba WLC in campus only mode using CLI
To configure Aruba WLC for Guest Access in campus only mode via command-line interface, access the CLI in config mode and issue the following commands.
Configuring RADIUS server:
aaa authentication-server radius <RADIUS-profile-name>
host <IPS ip-address>
key <password>
Configuring Server Group:
aaa server-group <server-group-name>
auth-server <RADIUS-profile-name>
Configuring AAA profile:
aaa profile <AAA-profile-name>
Configuring SSID profile:
wlan ssid-profile <ssid-profile-name>
essid <ssid-name>
ssid-enable
no hide-ssid
opmode opensystem
Configuring Captive portal:
aaa authentication captive-portal <CP-profile-name>
login-page <IPS-guest-URL>
switchip-in-redirection-url
server-group <server-group-name>
user-logon
no guest-logon
default-role guest
Creating a User-role:
user-role <Role-Name>
captive-portal <CP-profile-name>
access-list session logon-control
access-list session captiveportal
Attaching initial-role to AAA profile:
aaa profile <AAA-profile-name>
initial-role <role-name>
Configuring Firewall policy rules for IPS:
ip access-list session captiveportal
host <IPS-IP> any any permit position 1
any host <IPS-IP> any permit position 2
Configuring Virtual-AP and associating SSID profile:
wlan virtual-ap <vap-profile-name>
forward-mode tunnel
vlan <vlan-id>
ssid-profile <ssid-profile-name>
aaa-profile <AAA-profile-name>
Configuring AP group and associating Virtual-AP profile:
ap-group default
# For a different AP group, use its name instead of default.
virtual-ap <vap-profile-name>
Configuring RFC-3576 server:
aaa rfc-3576-server <IPS-IP>
key <password>
Attaching RFC-3576 server to AAA profile:
aaa profile <aaa-profile-name>
rfc-3576-server <IPS-IP>
Attaching RADIUS accounting server group to AAA profile:
aaa profile <aaa-profile-name>
radius-accounting <server-group-name>
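The commands above refer to one another by profile name, and a mistyped name leaves the guest SSID without its captive portal, disconnect or accounting hooks. The following added example (not part of the vendor documentation) cross-checks those references in a saved configuration; it assumes sub-commands are indented under their parent command, and every profile name and address in the sample is constructed.

```python
from collections import defaultdict

# Constructed sample with two planted defects; names and address are placeholders.
SAMPLE = """\
aaa rfc-3576-server 192.0.2.10
aaa authentication captive-portal guest-cp
user-role guest-initial
  captive-portal guest-cp
aaa profile guest-aaa
  initial-role guest-initial
wlan ssid-profile guest-ssid
wlan virtual-ap guest-vap
  ssid-profile guest-sid
  aaa-profile guest-aaa
aaa profile guest-aaa
  rfc-3576-server 192.0.2.10
"""

def parse_blocks(text):
    """Map each top-level command to its sub-commands; re-entered profiles merge."""
    blocks, current = defaultdict(list), None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0][0] in "#!":
            continue
        if line[0].isspace():
            blocks[current].append(" ".join(words))
        else:
            current = " ".join(words)
            blocks[current]  # register blocks that have no sub-commands
    return blocks

def check_guest_config(text):
    """Follow virtual AP -> AAA profile -> role and report missing or dangling references."""
    b, problems = parse_blocks(text), []
    def need(hdr, kw, target):  # every `kw <name>` under hdr must resolve to `target <name>`
        found = [l.split(None, 1)[1] for l in b.get(hdr, []) if l.startswith(kw + " ")]
        bad = [a for a in found if f"{target} {a}" not in b]
        problems.extend(f"{hdr}: {kw} {a} is not defined" for a in bad)
        if not found:
            problems.append(f"{hdr}: no {kw} configured")
        return found
    for vap in [h for h in b if h.startswith("wlan virtual-ap ")]:
        need(vap, "ssid-profile", "wlan ssid-profile")
        for aaa in need(vap, "aaa-profile", "aaa profile"):
            hdr = f"aaa profile {aaa}"
            need(hdr, "rfc-3576-server", "aaa rfc-3576-server")
            need(hdr, "radius-accounting", "aaa server-group")
            for role in need(hdr, "initial-role", "user-role"):
                need(f"user-role {role}", "captive-portal", "aaa authentication captive-portal")
    return problems
```

On the sample, `check_guest_config(SAMPLE)` reports the mistyped SSID profile name on the virtual AP and the AAA profile that has no RADIUS accounting server group attached.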
Configuring Aruba WLC in Remote Networking mode using CLI
To configure Aruba WLC for Guest Access in Remote Networking mode via command-line interface, access the CLI in config mode and issue the following commands.
Configuring RADIUS server:
aaa authentication-server radius <RADIUS-profile-name>
host <IPS ip-address>
key <password>
Configuring Server Group:
aaa server-group <server-group-name>
auth-server <RADIUS-profile-name>
Configuring AAA Profile:
aaa profile <AAA-profile-name>
Configuring SSID Profile:
wlan ssid-profile <ssid-profile-name>
essid <ssid-name>
ssid-enable
no hide-ssid
opmode opensystem
Configuring Captive Portal:
aaa authentication captive-portal <CP-profile-name>
login-page <IPS-guest-URL>
switchip-in-redirection-url
server-group <server-group-name>
user-logon
no guest-logon
default-role guest
Creating a User-role:
user-role <Role-Name>
captive-portal <CP-profile-name>
access-list session logon-control
access-list session captiveportal
Attaching initial-role to AAA profile:
aaa profile <AAA-profile-name>
initial-role <role-name>
Configuring Firewall policy rules for IPS:
ip access-list session captiveportal
host <IPS-IP> any any permit position 1
any host <IPS-IP> any permit position 2
Configuring Virtual-AP and associating SSID profile:
wlan virtual-ap <vap-profile-name>
forward-mode tunnel
vlan <vlan-id>
ssid-profile <ssid-profile-name>
aaa-profile <AAA-profile-name>
Configuring DHCP server on Remote AP:
ap system-profile <name>
rap-dhcp-default-router <ipaddr>
rap-dhcp-dns-server <ipaddr>
rap-dhcp-lease <days>
rap-dhcp-pool-start <ipaddr>
rap-dhcp-pool-end <ipaddr>
rap-dhcp-pool-netmask <netmask>
rap-dhcp-server-vlan <vlan>
Configuring AP group and associating Virtual-AP profile:
ap-group default
# For a different AP group, use its name instead of default.
virtual-ap <vap-profile-name>
ap-system-profile <name>
Configuring RFC-3576 server:
aaa rfc-3576-server <IPS-IP>
key <password>
Attaching RFC-3576 server to AAA profile:
aaa profile <aaa-profile-name>
rfc-3576-server <IPS-IP>
Attaching RADIUS accounting server group to AAA profile:
aaa profile <aaa-profile-name>
radius-accounting <server-group-name>