This page explains basic configuration for Aruba Virtual Controller and external Captive Portal with RADIUS authentication.
Sign-in to the Aruba Administration console usually available at https://instant.arubanetworks.com:4343.
Click on the Edit button next to the Captive portal profile and enter values from the IronWifi console:
Type: Radius Authentication
IP or hostname: splash.ironwifi.com
Use https: Enabled
Captive Portal failure: Deny internet
Automatic URL Whitelisting: Enabled
Redirect URL: empty
By default, Aruba controller will intercept HTTPS traffic to all external servers breaking SSL connections. To prevent this, we need to create new Role permitting TCP connections to port 443 on external servers - splash.ironwifi.com, google.com, facebook.com etc.
Enable the Assign pre-authentication role and select create role. Click on the Finish button to apply new settings.
To fix the SSL error, you will need to replace default invalid certificate.
You can generate a valid SSL certificate for free on this URL - https://www.sslforfree.com/. You can let the page generate a certificate signing request for you, or visit the following page for detailed instructions on how to generate a request manually - https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025. Don't use a wildcard SSL certificate.
Copy content of downloaded files certificate.crt, ca_bundle.crt and private.key to a single file (aruba.pem).
Upload this file to your Aruba IAP - click on Maintenance -> Certificates.
Certificate type: Captive portal server certificate
Certificate format: PAM
Click on the Upload Certificate button to apply new settings.