Skip to main contentSkip to search
Skip to main content

Aruba Instant AP

Set up Aruba Instant Access Points with IronWiFi for controller-less WiFi management. This guide covers RADIUS server configuration, external captive portal profiles, walled garden whitelist setup, and WPA-Enterprise deployment for both guest and secure employee networks running ArubaOS Instant.

Prerequisites

In Aruba IAP:

  • Aruba Instant AP running ArubaOS Instant 8.x or later
  • Access to the IAP web interface or CLI
  • Administrator credentials

In IronWiFi Console (complete these first):

  1. Create a Network and note the RADIUS details:
    • Primary and backup server IP addresses
    • Authentication port (
      {AUTH_PORT}
      ) and Accounting port (
      {ACCT_PORT}
      )
    • Shared secret
  2. Create a Captive Portal with vendor set to Aruba and note the Splash Page URL

IAP Configuration

Access Web Interface

  1. Connect to the Instant AP network
  2. Navigate to the management IP (e.g., 
    https://instant.arubanetworks.com
    or the AP's IP)
  3. Log in as administrator

Aruba Instant AP web interface dashboard showing networks, access points, and clients

Step 1: Configure RADIUS Server

tip

Have your IronWiFi Console open in another browser tab. You will need to copy the RADIUS IP addresses, ports, and shared secret directly into the IAP configuration.

  1. Navigate to SecurityAuthentication Server
  2. Click New
  3. Configure primary server:
FieldValue
NameIronWiFi
IP Address
{Primary IP from IronWiFi}
Auth Port
{AUTH_PORT}
Acct Port
{ACCT_PORT}
Shared Key
{Shared secret from IronWiFi}
  1. Add backup server with the same settings using the backup IP

Step 2: Create Captive Portal Profile

  1. Navigate to SecurityCaptive Portal
  2. Click New
  3. Configure:
FieldValue
NameIronWiFi-Portal
TypeExternal
Splash page URL
{Splash URL from IronWiFi}
Auth serverIronWiFi

Step 3: Configure Walled Garden

warning

Missing walled garden entries are the most common cause of captive portal failures. Users will see a blank page or timeout if 

107.178.250.42
is not whitelisted.

In the captive portal profile, add whitelist entries.

Aruba IAP Security settings showing Walled Garden with Blacklist and Whitelist entries

Required Entry

Always add the IronWiFi server:

107.178.250.42

Additional Entries by Authentication Provider

Only add entries for authentication methods you've enabled in IronWiFi:

ProviderRequired Whitelist Entries
Google
*.google.com
, 
*.googleapis.com
, 
*.gstatic.com
, 
accounts.google.com
Facebook
*.facebook.com
, 
*.fbcdn.net
, 
connect.facebook.net
, 
facebook.com
LinkedIn
*.linkedin.com
, 
*.licdn.com
, 
linkedin.com
Twitter/X
*.twitter.com
, 
*.twimg.com
, 
twitter.com
, 
*.x.com
, 
x.com
Apple
*.apple.com
, 
*.icloud.com
, 
appleid.apple.com
Microsoft Entra ID
*.microsoft.com
, 
*.microsoftonline.com
, 
*.msftauth.net
, 
login.microsoftonline.com
Stripe
*.stripe.com
, 
js.stripe.com
PayPal
*.paypal.com
, 
*.paypalobjects.com
Twilio (SMS)
*.twilio.com

Step 4: Create Guest WLAN

  1. Navigate to NetworkNew
  2. Configure Basic settings:
FieldValue
NameGuest-WiFi
Primary UsageGuest

Aruba IAP WLAN Settings tab showing SSID name and Guest primary usage selected

Aruba IAP VLAN tab showing Client IP and VLAN assignment settings

  1. Configure Security settings:
FieldValue
Splash Page TypeExternal
Captive Portal ProfileIronWiFi-Portal
Auth Server 1IronWiFi

Aruba IAP Security tab showing splash page type set to External, captive portal profile, and authentication server settings

Aruba IAP Security tab with captive portal profile edit dialog showing external portal URL

  1. Configure the RADIUS authentication server by clicking Edit next to Auth server:

Aruba IAP RADIUS server configuration dialog with IP address, ports, and shared key

  1. Save the configuration

Step 5: Configure Access Rules

Set the initial role with restricted access until authenticated. The default guest role typically allows DNS and DHCP before authentication.

Aruba IAP Access Rules tab showing roles with Allow any to all destinations rule and CP only pre-authentication role

Aruba IAP Access Rules tab showing CP only role with Allow any on server 107.178.250.42 rule

CLI Configuration

For administrators who prefer CLI configuration:

Alternative: WPA-Enterprise (No Captive Portal)

tip

WPA-Enterprise with EAP-TLS (certificate-based) provides the highest security for employee networks. See the client configuration guides for device setup instructions.

For 802.1X authentication where users enter credentials in their device WiFi settings:

Testing and Verification

After completing the configuration, verify everything works correctly.

Test Captive Portal Flow

  1. Connect a device to the Guest-WiFi SSID
  2. Open a browser and navigate to 
    http://example.com
  3. Verify redirect to IronWiFi splash page
  4. Complete authentication
  5. Verify internet access is granted

Verification Commands

Troubleshooting

If testing reveals issues, use this section to diagnose common problems.

External Portal Not Loading

SymptomCauseSolution
Blank pageMissing whitelist entryAdd 
107.178.250.42
to whitelist
Wrong pageIncorrect splash URLVerify URL matches IronWiFi Console
TimeoutDNS issuesEnsure DNS is allowed in pre-auth ACL

Authentication Failures

SymptomCauseSolution
TimeoutRADIUS unreachableVerify server IP and firewall rules
RejectWrong secretCheck shared secret matches exactly
No responsePort blockedEnsure UDP 
{AUTH_PORT}
/
{ACCT_PORT}
are open

Clients Not Getting IP

SymptomCauseSolution
No IP addressDHCP issueCheck DHCP server configuration
Wrong subnetVLAN mismatchVerify VLAN settings
Stuck in initial roleRole assignmentCheck access rule configuration

For this vendor

Shared configuration

Was this page helpful?