Aruba IAP 220 with login over Social Network

This manual includes the use of the pre-Authentication rules instead of Walled Garden. This allows to login with social networks.

Basic Setup

The setup presumes the factory default status of device, however, the modification of productive hotspots is possible too. This manual shows just the features required for the hotsptot with the external captive portal functionality. Other settings are optional.

Select Add New Network and follow the wizard.

1.WLAN Settings

Set the name for the new network and switch "Primary usage" to "Guest".

2. VLAN

Switch "Client IP assignment" to  "Virtual Controller managed" and "Client VLAN assignment" to "Default".

3. Security

Select "External" for "Splash page type" and "New profile" for "Captive portal profile".

3.1. Captive portal Profile

Set the Captive portal name (eg. Socfi) and then use folowing settings:

TypeRadius Authentication
IP or hostnameconnect.socifi.com
URL/
Port80
Use httpsDisabled
Captive Portal failureDeny intenet
Redirect URL


Confirm the CP profile dialog and set "WISPr" and "MAC authentication" to "Disabled"

3.2. Radius server

Select "New" for "Auth server 1" and fill in the following options:

Switch to "RADIUS"

Nameaccording to region related recommendation
IP addressaccording to region related recommendation
Auth port1812
Accounting port1813
Shared keysocifi
Retype keysocifi
Timeout5 sec.
Retry count3
RFC 3576Disabled
NAS IP address
NAS identiferAruba-IAP
Dead time5 min
DRP IP
DRP Mask
DRP Gateway


Repeat the procedure for "Auth server 2"

We recommend to use this set of RADIUS servers:
 


 List of RADIUS according to your location:
 For North America

RADIUS Server 1

rad-1-use-1.socifi.com or IP address: 52.7.148.174, Radius shared secret: socifi

RADIUS Server 2

rad-2-use-1.socifi.com or IP address: 52.55.217.23, Radius shared secret: socifi

 For Europe and Africa

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

 For Asia-Pacific

RADIUS Server 1

rad-1-euw-1.socifi.com or IP address: 52.209.184.212, Radius shared secret: socifi

RADIUS Server 2

rad-2-euw-1.socifi.com or IP address: 52.50.155.202, Radius shared secret: socifi

In order to have the Radius communication working fine, the IP addresses (above) and the ports 1812 Auth and 1813 Acc must be accessible.

Confirm the Auth server settings, go back to Security Tab and finish the configuration with the following settings:


Load balancingDisabled
Reauth interval0 hrs.
AccountingDisabled
BlacklistingDisabled
Walled garden
Disable if uplink type is(unchecked all)
EncryptionDisabled


The "Walled garden" setting is suitable only for the firmware version older than 6.4.2.3-4.1.1.4_49446. It is limited by only 16 whitelist entries. The Role-based Access Rules are preffered to use in the later firmware versions and allow to use a Social Network login.

 4. Access

Set "Access Rules" to "Role-based" on the Access Tab.


Select Role according to configured SSID. Open the Acces Rule editation. Change the rule settings to  "Access control - Network - any - Allow - to all destinations". This Role can contain just this one rule. Delete the other rules.


In the  "Role Assignment Rules" field set the edited rule as default.

In the  "Roles" field create a new preauthentication rules set. Choose the name like pre-

The first rule is the external Captive Portal redirection:


Add rules for each FQDN from the Walled Garden list.  "Access control - Network - Allow - to domain name" and enter the FQDN.

If you are customer with White Label solution, please add your custom domain (for example mycustomdomain.com) to the Walled Garden list.

socifi.com
facebook.com
akamaihd.net
akamai.net
edgecastcdn.net
twitter.com
twimg.com
fastly.net
li-cdn.net
cloudfront.net
fbcdn.net
instagram.com
cdninstagram.com
linkedin.com
licdn.com






Set this role set as "pre-authentization role" by checking this option on the Acces Tab.

Where is MAC for the SOCIFI Dashboard?

Select the network name on the default screen. The list of the all included APs will show. All these APs is neccesary to add to the SOCIFI Dashboard as unique hotspots.

The name of AP is editable. DO NOT change the name of the  AP if it is used with SOCIFI. Changing the name will cause a dysfunction.



Add a new hotspot to SOCIFI Dashboard

Step 1: Login to SOCIFI Dashboard

Step 2: Click on the "Hotspots" tab on the left sidebar

Step 3: Click on the “Add a new hotspot” button located on the top right corner on the screen (pictured below)

Note: A pop-up window will appear (below)

Step 4: Select the Wi-Fi hardware manufacturer from the drop down menu

Step 5: Enter the serial number or MAC address (depending on the specific equipment manual) of your equipment. You can add multiple hotspots at once.

Step 6: Set your Network location (this step is essential for correct ad targeting)

Step 7: In the pop-up window type your location or just move the marker on the map and click on the save button to confirm the selection. This address is used for ad GEO targeting.

Step 7: Click Save

Note: Newly added hotspot are marked as  (Hotspot pending). After the first user connects to the hotspot via SOCIFI, the status will automatically change and appear as  (Active) within an hour. Get your first connections to test if it works properly. 


Firmware version

This setup was tested on firmware verion 6.4.2.3-4.1.1.4_49446 (Build time 2015-04-05 01:53:10 PDT) and device IAP-205