This manual uses pre-authentication rules instead of the Walled Garden, which allows login with social networks.

Basic Setup

The setup presumes the device is in its factory default state; however, modifying production hotspots is possible too. This manual shows just the features required for a hotspot with external captive portal functionality. Other settings are optional.

Select Add New Network and follow the wizard.

1. WLAN Settings

Set the name for the new network and switch "Primary usage" to "Guest".


Switch "Client IP assignment" to "Virtual Controller managed" and "Client VLAN assignment" to "Default".

3. Security

Select "External" for "Splash page type" and "New profile" for "Captive portal profile".

3.1. Captive portal Profile

Set the Captive portal name (e.g. Socfi) and then use the following settings:

Type: Radius Authentication
IP or
Use https: Disabled
Captive Portal failure: Deny internet
Redirect URL

Confirm the CP profile dialog and set "WISPr" and "MAC authentication" to "Disabled".

3.2. Radius server

Select "New" for "Auth server 1" and fill in the following options:

Switch to "RADIUS"

Name: according to region related recommendation
IP address: according to region related recommendation
Auth port: 1812
Accounting port: 1813
Shared key: socifi
Retype key: socifi
Timeout: 5 sec.
Retry count: 3
RFC 3576: Disabled
NAS IP address
NAS identifier: Aruba-IAP
Dead time: 5 min
DRP Mask
DRP Gateway

Repeat the procedure for "Auth server 2".

Confirm the Auth server settings, go back to Security Tab and finish the configuration with the following settings:

Load balancing: Disabled
Reauth interval: 0 hrs.
Walled garden
Disable if uplink type is: (unchecked all)

The "Walled garden" setting is suitable only for firmware versions older than It is limited to only 16 whitelist entries. Role-based Access Rules are preferred in later firmware versions and allow a Social Network login.

4. Access

Set "Access Rules" to "Role-based" on the Access Tab.

Select the Role that corresponds to the configured SSID and open its Access Rule for editing. Change the rule settings to "Access control - Network - any - Allow - to all destinations". This Role can contain just this one rule. Delete the other rules.

In the "Role Assignment Rules" field, set the edited rule as default.

In the "Roles" field, create a new pre-authentication rule set. Choose a name like pre-

The first rule is the external Captive Portal redirection:

Add a rule for each FQDN from the Walled Garden list: select "Access control - Network - Allow - to domain name" and enter the FQDN.

Set this rule set as the "pre-authentication role" by checking this option on the Access Tab.
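
A pre-deployment check for the FQDN list that goes into the pre-authentication role, added here as an example and not part of the original manual or of any SOCIFI or Aruba tooling. The function names and the sample domains are assumptions; the 16-entry limit and the rule wording are taken from this page.

```python
import re

WALLED_GARDEN_LIMIT = 16  # whitelist entry limit the page states for "Walled garden"
# One hostname label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def check_entry(fqdn):
    """Return the problems found in one normalized allowlist entry."""
    if "/" in fqdn or ":" in fqdn:
        return ["not a bare FQDN (scheme, port or path present)"]
    problems = []
    labels = fqdn.split(".")
    if labels[0] == "*":
        problems.append("wildcard opens every subdomain before authentication")
        labels = labels[1:]
    if len(labels) < 2:
        problems.append("fewer than two labels (bare host or whole TLD)")
    if not all(LABEL.match(label) for label in labels):
        problems.append("invalid hostname label")
    return problems

def build_preauth_rules(entries):
    """Deduplicate and lint entries; render one allow rule per clean FQDN."""
    seen, rules, findings = set(), [], {}
    for raw in entries:
        fqdn = raw.strip().lower().rstrip(".")
        if not fqdn or fqdn in seen:
            continue
        seen.add(fqdn)
        problems = check_entry(fqdn)
        if problems:
            findings[fqdn] = problems
        else:
            rules.append("Access control - Network - Allow - to domain name: " + fqdn)
    return {"rules": rules, "findings": findings,
            "fits_walled_garden": len(rules) <= WALLED_GARDEN_LIMIT}

if __name__ == "__main__":
    # Constructed sample list; the real FQDNs come from the Walled Garden list.
    sample = ["portal.example.com", "Portal.Example.com.", "*.cdn.example.net",
              "login.social.example", "https://auth.example.org/start", "com"]
    report = build_preauth_rules(sample)
    for rule in report["rules"]:
        print(rule)
    for fqdn, problems in report["findings"].items():
        print("REVIEW", fqdn, "->", "; ".join(problems))
    print("fits the 16-entry walled garden:", report["fits_walled_garden"])
```

Entries reported under REVIEW are left out of the rendered rules, so each one is either corrected or added deliberately.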

Where is the MAC for the SOCIFI Dashboard?

Select the network name on the default screen. The list of all included APs is shown. All of these APs must be added to the SOCIFI Dashboard as unique hotspots.

The name of the AP is editable. DO NOT change the name of the AP if it is used with SOCIFI. Changing the name will cause a malfunction.

Add a new hotspot to SOCIFI Dashboard

Firmware version

This setup was tested on firmware version (Build time 2015-04-05 01:53:10 PDT) and device IAP-205.