Aruba Mobility Controller

Integrate Aruba Mobility Controller with IronWifi's RADIUS authentication and external captive portal services. This comprehensive guide covers AAA server groups, captive portal profiles, pre-authentication ACLs, user roles, WLAN configuration, and WPA-Enterprise setup for enterprise-grade guest and employee WiFi networks.

Prerequisites

In Aruba Mobility Controller:

Aruba Mobility Controller running ArubaOS 8.x or later
Access to the controller web interface or CLI
Administrator credentials

In IronWifi Console (complete these first):

Create a Network and note the RADIUS details:
- Primary and backup server IP addresses
- Customer authentication and accounting ports (displayed in Network Settings)
- Shared secret
Create a Captive Portal with vendor set to Aruba and note the Splash Page URL

Controller Configuration

Step 1: Configure RADIUS Server

Navigate to Configuration → Security → Authentication → Servers
Click Add
Configure primary server:

Field	Value
Name	IronWifi-Primary
IP Address	`{Primary IP from IronWifi}`
Auth Port	`{Customer Authentication Port}`
Acct Port	`{Customer Accounting Port}`
Shared Key	`{Shared secret from IronWifi}`

Add backup server with the same settings using the backup IP

Step 2: Create Server Group

Navigate to Authentication → Server Group
Click Add
Configure:

Field	Value
Name	IronWifi
Servers	Add both IronWifi-Primary and IronWifi-Backup

Step 3: Create AAA Profile

Navigate to Authentication → L3 Authentication → Captive Portal Authentication
Create new profile:

Field	Value
Name	IronWifi-CaptivePortal
Login page	External
Redirect URL	`{Splash Page URL from IronWifi}`
Server Group	IronWifi

Step 4: Configure Captive Portal Profile

Navigate to Security → Captive Portal
Create new profile:

Field	Value
Name	IronWifi-Portal
Type	External
Auth text	Welcome to Guest WiFi
Server	`107.178.250.42`

Step 5: Create Pre-Authentication ACL

Create a whitelist for access before authentication.

Required Entry

Always allow the IronWifi server:

ip access-list session ironwifi-preauth
  any host 107.178.250.42 any permit
  any any svc-dns permit
  any any svc-dhcp permit

Additional Entries by Authentication Provider

Only add entries for authentication methods you've enabled in IronWifi:

Provider	ACL Entries to Add
Google	`any host accounts.google.com any permit` , `any network 142.250.0.0/16 any permit`
Facebook	`any host facebook.com any permit` , `any network 157.240.0.0/16 any permit`
LinkedIn	`any host linkedin.com any permit`
Twitter/X	`any host twitter.com any permit` , `any host x.com any permit`
Apple	`any host appleid.apple.com any permit`
Microsoft	`any host login.microsoftonline.com any permit`

tip

For wildcard domain support, consider using destination-based ACLs with DNS snooping or use IP ranges for the authentication providers.

Step 6: Create User Role

Navigate to Roles → Add
Create authenticated role:

Field	Value
Name	IronWifi-Authenticated
Access Policies	Configure appropriate internet access

Step 7: Configure WLAN

Navigate to WLANs → Add
Configure:

Field	Value
Name	Guest-WiFi
SSID	Guest-WiFi
AAA Profile	IronWifi-CaptivePortal
Captive Portal Profile	IronWifi-Portal
Initial Role	(role using ironwifi-preauth ACL)
Authenticated Role	IronWifi-Authenticated

CLI Configuration

For administrators who prefer CLI configuration:

# Configure RADIUS servers
aaa authentication-server radius IronWifi-Primary
  host {PRIMARY_IP}
  key {SHARED_SECRET}
  authport {AUTH_PORT}
  acctport {ACCT_PORT}

aaa authentication-server radius IronWifi-Backup
  host {BACKUP_IP}
  key {SHARED_SECRET}
  authport {AUTH_PORT}
  acctport {ACCT_PORT}

# Create server group
aaa server-group IronWifi
  auth-server IronWifi-Primary
  auth-server IronWifi-Backup

# Pre-authentication ACL
ip access-list session ironwifi-preauth
  any host 107.178.250.42 any permit
  any any svc-dns permit
  any any svc-dhcp permit

# Captive portal profile
aaa authentication captive-portal IronWifi-Portal
  login-page external
  redirect-url "{SPLASH_URL}"
  server-group IronWifi

# WLAN configuration
wlan ssid-profile Guest-WiFi
  essid Guest-WiFi
  opmode opensystem

wlan virtual-ap Guest-WiFi
  ssid-profile Guest-WiFi
  aaa-profile IronWifi-CaptivePortal
  captive-portal-profile IronWifi-Portal

Alternative: WPA-Enterprise (No Captive Portal)

For 802.1X authentication where users enter credentials in their device WiFi settings:

# AAA profile for 802.1X
aaa authentication dot1x IronWifi-Dot1x
  server-group IronWifi

# WLAN with WPA2-Enterprise
wlan ssid-profile Secure-WiFi
  essid Secure-WiFi
  opmode wpa2-aes

wlan virtual-ap Secure-WiFi
  ssid-profile Secure-WiFi
  aaa-profile IronWifi-Dot1x

Testing and Verification

After completing the configuration, verify everything works correctly.

Test Captive Portal Flow

Connect a device to the Guest-WiFi SSID
Open a browser and navigate to
```
http://example.com
```
Verify redirect to IronWifi splash page
Complete authentication
Verify internet access is granted

Verification Commands

# Check RADIUS server status
show aaa authentication-server radius statistics

# View server group configuration
show aaa server-group IronWifi

# Check client connections
show user-table

# View captive portal sessions
show captive-portal sessions

Troubleshooting

If testing reveals issues, use this section to diagnose common problems.

Captive Portal Not Redirecting

Symptom	Cause	Solution
No redirect	Captive portal not applied	Verify WLAN has captive portal profile
Wrong page	Incorrect redirect URL	Check external portal URL configuration
Blank page	Whitelist missing	Add `107.178.250.42` to pre-auth ACL

RADIUS Failures

Symptom	Cause	Solution
Timeout	Server unreachable	Verify IP and check firewall
Reject	Wrong secret	Confirm shared secret matches
No accounting	Server not configured	Add accounting server to group

Debug commands:

show aaa authentication-server radius statistics
debug aaa all

Authentication Issues

Symptom	Cause	Solution
Stuck in initial role	Auth not completing	Check captive portal profile
Wrong role assigned	Role mapping issue	Verify authenticated role configuration
Can't reach internet	ACL blocking	Check authenticated role policies

Debug commands:

show user-table
show datapath user
debug aaa events all

Prerequisites​

Controller Configuration​

Step 1: Configure RADIUS Server​

Step 2: Create Server Group​

Step 3: Create AAA Profile​

Step 4: Configure Captive Portal Profile​

Step 5: Create Pre-Authentication ACL​

Required Entry​

Additional Entries by Authentication Provider​

Step 6: Create User Role​

Step 7: Configure WLAN​

CLI Configuration​

Alternative: WPA-Enterprise (No Captive Portal)​

Testing and Verification​

Test Captive Portal Flow​

Verification Commands​

Troubleshooting​

Captive Portal Not Redirecting​

RADIUS Failures​

Authentication Issues​

Related Topics​