Aruba Instant AP

Set up Aruba Instant Access Points with IronWifi for controller-less WiFi management. This guide covers RADIUS server configuration, external captive portal profiles, walled garden whitelist setup, and WPA-Enterprise deployment for both guest and secure employee networks running ArubaOS Instant.

Prerequisites

In Aruba IAP:

Aruba Instant AP running ArubaOS Instant 8.x or later
Access to the IAP web interface or CLI
Administrator credentials

In IronWifi Console (complete these first):

Create a Network and note the RADIUS details:
- Primary and backup server IP addresses
- Authentication port (1812) and Accounting port (1813)
- Shared secret
Create a Captive Portal with vendor set to Aruba and note the Splash Page URL

IAP Configuration

Access Web Interface

Connect to the Instant AP network
Navigate to the management IP (e.g., https://instant.arubanetworks.com or the AP's IP)
Log in as administrator

Step 1: Configure RADIUS Server

Navigate to Security → External Servers
Click New
Configure primary server:

Field	Value
Name	IronWifi
IP Address	`{Primary IP from IronWifi}`
Auth Port	`1812`
Acct Port	`1813`
Shared Key	`{Shared secret from IronWifi}`

Add backup server with the same settings using the backup IP

Step 2: Create Captive Portal Profile

Navigate to Security → Captive Portal
Click New
Configure:

Field	Value
Name	IronWifi-Portal
Type	External
Splash page URL	`{Splash URL from IronWifi}`
Auth server	IronWifi

Step 3: Configure Walled Garden

In the captive portal profile, add whitelist entries.

Required Entry

Always add the IronWifi server:

107.178.250.42

Additional Entries by Authentication Provider

Only add entries for authentication methods you've enabled in IronWifi:

Provider	Required Whitelist Entries
Google	`.google.com`, `.googleapis.com`, `*.gstatic.com`, `accounts.google.com`
Facebook	`.facebook.com`, `.fbcdn.net`, `connect.facebook.net`, `facebook.com`
LinkedIn	`.linkedin.com`, `.licdn.com`, `linkedin.com`
Twitter/X	`.twitter.com`, `.twimg.com`, `twitter.com`, `*.x.com`, `x.com`
Apple	`.apple.com`, `.icloud.com`, `appleid.apple.com`
Microsoft/Azure AD	`.microsoft.com`, `.microsoftonline.com`, `*.msftauth.net`, `login.microsoftonline.com`
Stripe	`*.stripe.com`, `js.stripe.com`
PayPal	`.paypal.com`, `.paypalobjects.com`
Twilio (SMS)	`*.twilio.com`

Step 4: Create Guest WLAN

Navigate to Network → New
Configure Basic settings:

Field	Value
Name	Guest-WiFi
Primary Usage	Guest

Configure Security settings:

Field	Value
Splash Page Type	External
Captive Portal Profile	IronWifi-Portal
Auth Server 1	IronWifi

Save the configuration

Step 5: Configure Access Rules

Set the initial role with restricted access until authenticated. The default guest role typically allows DNS and DHCP before authentication.

CLI Configuration

For administrators who prefer CLI configuration:

# Configure RADIUS server
wlan auth-server IronWifi
  ip {PRIMARY_IP}
  port 1812
  acctport 1813
  key {SHARED_SECRET}

# Configure captive portal
wlan captive-portal IronWifi-Portal
  type external
  server 107.178.250.42
  url "{SPLASH_URL}"
  auth-server IronWifi
  white-list 107.178.250.42

# Create guest SSID
wlan ssid-profile Guest-WiFi
  type guest
  captive-portal IronWifi-Portal
  auth-server IronWifi

# Configure access rules
wlan access-rule Guest-WiFi
  rule any any match any any any permit

Alternative: WPA-Enterprise (No Captive Portal)

For 802.1X authentication where users enter credentials in their device WiFi settings:

wlan ssid-profile Secure-WiFi
  type employee
  opmode wpa2-aes
  auth-server IronWifi

Testing and Verification

After completing the configuration, verify everything works correctly.

Test Captive Portal Flow

Connect a device to the Guest-WiFi SSID
Open a browser and navigate to http://example.com
Verify redirect to IronWifi splash page
Complete authentication
Verify internet access is granted

Verification Commands

show network
show captive-portal
show auth-server
show clients

Troubleshooting

If testing reveals issues, use this section to diagnose common problems.

External Portal Not Loading

Symptom	Cause	Solution
Blank page	Missing whitelist entry	Add `107.178.250.42` to whitelist
Wrong page	Incorrect splash URL	Verify URL matches IronWifi Console
Timeout	DNS issues	Ensure DNS is allowed in pre-auth ACL

Authentication Failures

Symptom	Cause	Solution
Timeout	RADIUS unreachable	Verify server IP and firewall rules
Reject	Wrong secret	Check shared secret matches exactly
No response	Port blocked	Ensure UDP 1812/1813 are open

Clients Not Getting IP

Symptom	Cause	Solution
No IP address	DHCP issue	Check DHCP server configuration
Wrong subnet	VLAN mismatch	Verify VLAN settings
Stuck in initial role	Role assignment	Check access rule configuration

Prerequisites​

IAP Configuration​

Access Web Interface​

Step 1: Configure RADIUS Server​

Step 2: Create Captive Portal Profile​

Step 3: Configure Walled Garden​

Required Entry​

Additional Entries by Authentication Provider​

Step 4: Create Guest WLAN​

Step 5: Configure Access Rules​

CLI Configuration​

Alternative: WPA-Enterprise (No Captive Portal)​

Testing and Verification​

Test Captive Portal Flow​

Verification Commands​

Troubleshooting​

External Portal Not Loading​

Authentication Failures​

Clients Not Getting IP​

Related Topics​