ARUBA 7005 - Mobility Controller + ARUBA AP


Tested versions:

Model        Type        Firmware version   Description                               Limits
Aruba 7005   controller  6.4.2.12           Can be used for: Aruba Controller 6000    speed control upon request


Intro: We assume the Wi-Fi part is already up and running, so this guide covers only the SOCIFI part.

1. Walled Garden

First we need an ACL that allows the traffic the authentication process needs before a user is logged in. Go to the Configuration tab, then ADVANCED SERVICES > Stateful Firewall > Destination, and create a new destination group SOCIFI_WG with the following settings.

Settings

IP Version: IPv4
Destination Name: SOCIFI_WG
Destination Description: SOCIFI_WalledGarden
Invert: unchecked


Then add DNS entries of type "name" for the following Walled Garden list:

If you are a customer with the White Label solution, please add your custom domain (for example *.mycustomdomain.com) to the Walled Garden list.

*.socifi.com
*.facebook.com
*.akamaihd.net
*.akamai.net
*.edgecastcdn.net
twitter.com
*.twitter.com
*.twimg.com
*.fastly.net
*.li-cdn.net
*.cloudfront.net
facebook.com
*.fbcdn.net
*.instagram.com
*.cdninstagram.com
instagram.com
*.linkedin.com
*.licdn.com
linkedin.com

facebook.com and twitter.com are listed twice on purpose: once with the asterisk (which covers the subdomains) and once without (the bare domain), because a wildcard entry does not cover the bare domain itself.

If you are using Ruckus equipment, don't forget to add the CDN IP ranges to the Walled Garden list.

Because of Ruckus firmware behaviour, end-user devices might not be able to reach some of the domains from the walled garden list (mainly CDN and cloud hosts). This can cause the captive portal to render incorrectly.

Some of the IP ranges in the list below were added in April 2018. The current list of Amazon CloudFront (CDN) IPs is at http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html (direct link to the IP list in JSON format: https://ip-ranges.amazonaws.com/ip-ranges.json).

As a workaround, add the static IP ranges shown below to the Walled Garden list, so the portal renders correctly and you can start monetizing your network immediately:

13.32.0.0/15
13.35.0.0/16
13.54.63.128/26
13.59.250.0/26
34.195.252.0/24
35.162.63.192/26
52.15.127.128/26
52.46.0.0/18
52.52.191.128/26
52.57.254.0/24
52.66.194.128/26
52.78.247.128/26
52.84.0.0/15
52.199.127.192/26
52.212.248.0/26
52.220.191.0/26
52.222.128.0/17
54.182.0.0/16
54.192.0.0/16
54.230.0.0/16
54.233.255.128/26
54.239.128.0/18
54.239.192.0/19
54.240.128.0/18
70.132.0.0/18
71.152.0.0/17
99.84.0.0/16
143.204.0.0/16
204.246.164.0/22
204.246.168.0/22
204.246.174.0/23
204.246.176.0/20
205.251.192.0/19
205.251.249.0/24
205.251.250.0/23
205.251.252.0/23
205.251.254.0/24
216.137.32.0/19
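The two kinds of walled-garden entry above (DNS names with or without a wildcard, and the static CloudFront CIDR ranges) are matched in different ways, and the difference is why facebook.com and twitter.com have to be listed twice. The Python below is an added example written for this page, not SOCIFI, Aruba or AWS code: host_allowed() applies the wildcard rule, cloudfront_prefixes() reads the CLOUDFRONT prefixes out of a constructed excerpt in the layout of the ip-ranges.json file linked above, and prefixes_not_covered() reports which of them the static list already on the controller does not yet contain. The domain subset, the JSON excerpt and the function names are assumptions made here; whether a particular controller matches wildcards exactly this way is vendor-specific.

```python
"""Walled-garden matching helpers (added example, not SOCIFI or Aruba code).

Shows what the two kinds of walled-garden entry actually match:
  * a DNS-name entry such as "*.facebook.com" covers only names below that
    domain, which is why facebook.com and twitter.com are listed twice;
  * an IP-based entry is a CIDR range, and the CloudFront ranges can be read
    out of the AWS ip-ranges.json file to keep the static list current.
"""
import ipaddress
import json

# Subset of the DNS walled-garden list from the guide (wildcard and bare forms).
DNS_WALLED_GARDEN = [
    "*.socifi.com", "*.facebook.com", "facebook.com", "twitter.com",
    "*.twitter.com", "*.twimg.com", "*.cloudfront.net", "*.fbcdn.net",
]

# Constructed excerpt in the layout of https://ip-ranges.amazonaws.com/ip-ranges.json
# (three prefixes only; the real file carries hundreds, tagged by "service").
SAMPLE_IP_RANGES_JSON = """{
  "syncToken": "0",
  "createDate": "2018-04-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "13.32.0.0/15",   "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "52.46.0.0/18",   "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "AMAZON"}
  ]
}"""


def host_allowed(hostname, entries=DNS_WALLED_GARDEN):
    """True if hostname matches a walled-garden entry.

    "*.example.com" matches names one or more labels below example.com but not
    the apex example.com itself; a bare entry matches exactly.  Keeping the
    leading dot in the suffix test stops "notexample.com" from slipping through.
    """
    host = hostname.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):       # entry[1:] is ".example.com"
                return True
        elif host == entry:
            return True
    return False


def cloudfront_prefixes(ip_ranges_json):
    """Pull the CLOUDFRONT prefixes out of an ip-ranges.json document."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "CLOUDFRONT"]


def ip_allowed(ip, networks):
    """True if the destination address falls inside any walled-garden range."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def prefixes_not_covered(networks, configured_cidrs):
    """CloudFront prefixes that no range already on the controller contains.

    Run this against the static list from the guide after AWS publishes new
    edge ranges to see what still needs adding.
    """
    configured = [ipaddress.ip_network(c) for c in configured_cidrs]
    return [net for net in networks
            if not any(net.version == c.version and net.subnet_of(c)
                       for c in configured)]


if __name__ == "__main__":
    for name in ("connect.socifi.com", "socifi.com", "www.facebook.com",
                 "facebook.com", "notfacebook.com"):
        print(f"{name:22} {'allowed' if host_allowed(name) else 'blocked'}")
    nets = cloudfront_prefixes(SAMPLE_IP_RANGES_JSON)
    print("13.33.0.1 allowed:", ip_allowed("13.33.0.1", nets))
    print("missing:", [str(n) for n in prefixes_not_covered(nets, ["13.32.0.0/15"])])
```

Note that socifi.com itself is blocked by this list while connect.socifi.com is allowed; that is the intended behaviour of the wildcard, and the reason the bare facebook.com and twitter.com entries exist.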

 Want to Allow Google+ login?

The Allow login through social networks option does not include Google login by default. The reason is that some Android-based devices are not redirected to the Captive Portal when they connect to the WiFi network. If you'd like to add it anyway, do the following:

  1. Check that your hotspot allows DNS names in the Walled Garden; some hotspots accept IP addresses only. See: Why DNS-based Walled Garden (and not IP-based)
  2. Allow Google+ login: Settings > Brand > Authentication > Allow login through social networks > switch on Allow Google login
  3. Add the walled garden domains below to the existing list:

Google+ Login DNS names

Please use the same format your Walled Garden already uses, e.g. with or without the asterisk, separated by comma or space, etc.

Whatever the format, the local accounts.google.XX domain must also be added to the Walled Garden list, for example accounts.google.co.uk for the United Kingdom, accounts.google.com.sg for Singapore, accounts.google.de for Germany, etc. A list of Google domains is available at https://ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/List_of_Google_domains.html

 For Cisco Meraki, Ruckus, Xirrus
*.googleapis.com
*.googleusercontent.com
*.gstatic.com
*.accounts.youtube.com
*.apis.google.com
*.accounts.google.com
*.l.google.com

 For Open Mesh
googleapis.com,googleusercontent.com,gstatic.com,accounts.youtube.com,apis.google.com,accounts.google.com,l.google.com

 For Mikrotik
/ip hotspot walled-garden
add dst-host=*.googleapis.com
add dst-host=*.googleusercontent.com
add dst-host=*.gstatic.com
add dst-host=*.accounts.youtube.com
add dst-host=*.apis.google.com
add dst-host=*.accounts.google.com
add dst-host=*.l.google.com
add dst-host=accounts.google.com

 For DD-WRT
googleapis.com googleusercontent.com gstatic.com accounts.youtube.com apis.google.com accounts.google.com l.google.com

Related pages:

The Splash Page is not triggered when Android devices connect to WiFi
Pages related to Walled Garden issues

2. RADIUS (AAA) servers

Let's set up the RADIUS authentication service. Go to the Configuration tab, then SECURITY > Authentication > Servers, select RADIUS Server and create two records, one for the Primary and one for the Secondary RADIUS server (in the pictured example rad-1-euw-1.socifi.com and rad-2-euw-1.socifi.com). Then fill in the following values for the Primary and Secondary RADIUS server:

Host: <hostname of the RADIUS server, e.g. rad-1-euw-1.socifi.com for the Primary and rad-2-euw-1.socifi.com for the Secondary server>
Key (Retype): socifi
CPPM credentials: -
Auth Port: 1812
Acct Port: 1813
Retransmits: 3
Timeout: 5 sec
NAS ID: Aruba_<macaddr_of_controller> *)
NAS IP: -
Enable IPv6: unchecked
NAS IPv6: -
Source Interface: -
Use MD5: unchecked
Use IP address for calling station ID: unchecked
Mode: checked
Lowercase MAC address: checked
MAC address delimiter: dash
Service-type of FRAMED-USER: unchecked
called-station-ID: csid_type = macaddr, include_ssid = disable, csid_delimiter = dash


*) To determine the controller MAC address go to the Configuration tab, then NETWORK > Controller > System Settings, and read the MAC Address from the Controller IP Details tab.
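What the RADIUS settings above amount to on the wire, as an added example written for this page in Python (not SOCIFI or Aruba code): the Access-Request carries a NAS-Identifier of the form Aruba_<mac> (the guide does not state a delimiter for the MAC in the NAS ID, so a dash is assumed here), a Called-Station-Id built from the controller MAC in lowercase with dash delimiters and no SSID (csid_type = macaddr, include_ssid = disable, csid_delimiter = dash), and a PAP password hidden under the shared secret; the reply carries a Response Authenticator that the controller recomputes with the same secret before it trusts an Access-Accept. The MAC addresses, user name and password are constructed values; the shared secret is the one from the table.

```python
"""Minimal RADIUS (RFC 2865) PAP Access-Request encoder and reply check.

Added example, not SOCIFI or Aruba code.  Encodes the attributes the
controller settings imply (NAS-Identifier, Called-Station-Id in lowercase
dash form, PAP User-Password hidden with the shared secret) and verifies the
Response Authenticator on the server's reply.  MAC addresses, user name and
password used by callers are constructed values; the NAS ID delimiter is an
assumption (the guide does not state it).
"""
import hashlib
import hmac
import os
import re
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 2, 30, 31, 32


def format_mac(mac, delimiter="-", lowercase=True):
    """Rewrite any common MAC notation (colon, dash, Cisco dotted, bare) to the
    configured form: Lowercase MAC address = checked, MAC address delimiter = dash."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower() if lowercase else digits.upper()
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def attribute(atype, value):
    """Type-Length-Value; Length counts the two header bytes, so value <= 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def pap_hide(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_unhide(hidden, secret, request_auth):
    """Server side of pap_hide: same keystream, ciphertext blocks as feedback."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret,
                         controller_mac, client_mac, request_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    ra = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_hide(password.encode(), secret, ra))
             + attribute(NAS_IDENTIFIER, ("Aruba_" + format_mac(controller_mac)).encode())
             # csid_type = macaddr, include_ssid = disable, csid_delimiter = dash
             + attribute(CALLED_STATION_ID, format_mac(controller_mac).encode())
             + attribute(CALLING_STATION_ID, format_mac(client_mac).encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + ra + attrs, ra


def parse_attributes(packet):
    """Attributes after the 20-byte header, keyed by type; rejects bad lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_response(code, request, secret, attrs=b""):
    """What the server sends back: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request_auth, secret):
    """Controller side: a reply whose authenticator does not check out under the
    shared secret is discarded, whatever code it carries."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```

The shared secret is the only thing that ties a reply to the server you configured, which is why the table asks for it on both the Primary and Secondary entries and why the same value must be set on the SOCIFI side; an Access-Accept that fails verify_response() must be treated as if it never arrived.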

We recommend using the set of RADIUS servers for your location:
 For North America

RADIUS Server 1

rad-1-use-1.socifi.com or IP address: 52.7.148.174, Radius shared secret: socifi

RADIUS Server 2

rad-2-use-1.socifi.com or IP address: 52.55.217.23, Radius shared secret: socifi

 For Europe and Africa

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

 For Asia-Pacific

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

For the RADIUS communication to work, the IP addresses above must be reachable from the controller on UDP ports 1812 (authentication) and 1813 (accounting).


Let's create the authentication server group. Go to the Configuration tab and click through SECURITY > Authentication > Servers. Click Server Group, create a new group SOCIFI_Radius and add the two RADIUS servers created earlier. Please keep the order (Primary first).

3. Captive portal setting

Go to the Configuration tab and click through SECURITY > Authentication > L3 Authentication. Under Captive Portal Authentication create a new record, which we called SOCIFI_CaptivePortal, and fill in the following values:

Default Role: guest *)
Default Guest Role: guest
Redirect Pause: 10 sec
User Login: checked
Guest Login: unchecked
Logout popup window: unchecked
Use HTTP for authentication: checked
Logon wait minimum wait: 5 sec
Logon wait maximum wait: 10 sec
Logon wait CPU utilization threshold: 60 %
Max Authentication failures: 0
Show FQDN: checked
Authentication Protocol: PAP
Login page: http://connect.socifi.com
Welcome page: /auth/welcome.html
Show Welcome Page: unchecked
Add switch IP address in the redirection URL: checked
Adding user vlan in redirection URL: checked
Add a controller interface in the redirection URL: -
Allow only one active user session: unchecked
White list: add "SOCIFI_WG"
Black list: -
Show the acceptable use policy page: unchecked
User idle timeout: -
Redirect URL: -
Bypass Apple Captive Network Assistant: unchecked
URL Hash Key: -

*) guest is a placeholder for now; in step 5, once the SOCIFI_auth role exists, the Default Role is changed to SOCIFI_auth.



In the Server Group submenu select the group SOCIFI_Radius defined earlier.

4. ACL role

To control user access we need two ACL user roles: one for the pre-authentication state (SOCIFI_unauth) and one for authenticated users (SOCIFI_auth).

Go to the Configuration tab and click through SECURITY > Access Control > User Roles. First add the pre-authentication role (SOCIFI_unauth) as follows:

Misc. Configuration
Re-authentication Interval: 0 minutes
Role VLAN ID: Not Assigned
VPN Dialer: Not Assigned
L2TP Pool: Not Assigned
PPTP Pool: Not Assigned
Captive Portal Profile: SOCIFI_CaptivePortal
Captive Portal Check for Accounting: checked
Max Sessions: 65535
idp profile name: none
Stateful NTLM Profile: Not Assigned
Stateful Kerberos Profile: Not Assigned
WISPr Profile: Not Assigned
Enable Deep Packet Inspection: checked
Enable Web Content Classification: checked
Traffic Control Profile: Not Assigned


On the Firewall Policies tab, add these policies to the role:

ra-guard
logon-control
captiveportal
v6-logon-control
captiveportal6

The policies below are created automatically when we save the role (click Apply):
--------------------------------------------------------------------------
SOCIFI_CaptivePortal_list_operations
global-sacl
apprf-SOCIFI_unauth-sacl



And now the authenticated role, SOCIFI_auth:

Go to the Configuration tab and click through SECURITY > Access Control > User Roles, and create the role SOCIFI_auth using the following values:

Misc. Configuration
Re-authentication Interval: 0 minutes
Role VLAN ID: Not Assigned
VPN Dialer: Not Assigned
L2TP Pool: Not Assigned
PPTP Pool: Not Assigned
Captive Portal Profile: Not Assigned
Captive Portal Check for Accounting: checked
Max Sessions: 65535
idp profile name: none
Stateful NTLM Profile: Not Assigned
Stateful Kerberos Profile: Not Assigned
WISPr Profile: Not Assigned
Enable Deep Packet Inspection: checked
Enable Web Content Classification: checked
Traffic Control Profile: Not Assigned


Click the Firewall Policies tab and add the following policies to the role:

ra-guard
dhcp-acl
dns-acl
http-acl
https-acl
icmp-acl
v6-dhcp-acl
v6-dns-acl
v6-http-acl
v6-https-acl
v6-icmp-acl

The policies below are created automatically when we save the role (click Apply):
--------------------------------------------------------------------------
global-sacl
apprf-SOCIFI_auth-sacl


5. ACL roles setting

Let's get back to the Captive Portal setting. Go to the Configuration tab and then to SECURITY > Authentication > L3 Authentication. Click Edit on SOCIFI_CaptivePortal and set the Default Role to SOCIFI_auth.


Finally we'll set the AAA Profile used by the SSID we'll use for SOCIFI (in our guide we use socifi-aaa-profile). Go to the Configuration tab and then to SECURITY > Authentication > AAA Profile to set it.


Edit the profile using the following values:

Initial role: SOCIFI_unauth
MAC Authentication Default Role: guest
802.1X Authentication Default Role: guest
Download Role from CPPM: unchecked
L2 Authentication Fail Through: unchecked
Multiple Server Accounting: unchecked
User idle timeout: -
RADIUS Interim Accounting: checked
User derivation rules: NONE
Wired to Wireless Roaming: checked
SIP authentication role: NONE
Device Type Classification: checked
Enforce DHCP: unchecked
PAN Firewall Integration: unchecked

Under RADIUS Accounting Server Group pick the group already defined for authentication: SOCIFI_Radius


6. Add a new hotspot to SOCIFI Dashboard

You'll need the controller MAC address when adding the new hotspot in the Dashboard. Go to the Configuration tab, then NETWORK > Controller > System Settings, and read the MAC Address from the Controller IP Details tab.


Step 1: Login to SOCIFI Dashboard

Step 2: Click on the "Hotspots" tab on the left sidebar

Step 3: Click on the “Add a new hotspot” button located on the top right corner on the screen (pictured below)

Note: A pop-up window will appear (below)

Step 4: Select the Wi-Fi hardware manufacturer from the drop down menu

Step 5: Enter the serial number or MAC address (depending on the specific equipment manual) of your equipment. You can add multiple hotspots at once.

Step 6: Set your Network location (this step is essential for correct ad targeting)

Step 7: In the pop-up window type your location or just move the marker on the map and click on the save button to confirm the selection. This address is used for ad GEO targeting.

Step 8: Click Save

Note: Newly added hotspots are marked as Hotspot pending. After the first user connects to the hotspot via SOCIFI, the status changes automatically and appears as Active within an hour. Get your first connections to test that it works properly.