Aruba Instant AP

This guide walks through configuring Aruba Instant Configuration. This is the GUI or web-based interface that sits on the IAP itself. 

Note: Before getting started, please verify you have IAP version 6.3 or higher, as this is required.

Note 2: Before getting started, please make sure the Access Point is named the MAC address.  For example, instead of "Dining Room" as the AP name, the AP name should be 00:11:22:AA:BB:CC.


1. Log in via your Aruba IAP, through the web-based browser. In the top left under 'Network', click 'New'.


2. Under 'WLAN Settings':

  • Enter your desired network name (SSID)
  • 'Primary usage' as 'Guest'


3. Under 'VLAN Settings':

  • 'Client IP assignment' as 'Virtual Controller managed'
  • 'Client VLAN assignment' as 'Default
    • *Note, custom VLAN assignment configurations are also acceptable


4.  Under 'Security':

a.'Splash page type' as 'External' 


b. Create a new 'Captive portal profile' 

  • 'Name' as 'Turnstyle Captive Portal'
  • 'Type' as 'Radius authentication'
  • 'IP or hostname' as ''
  • 'URL' as '/'
  • 'Port' as '443'
  • 'Use https' as 'Enabled'
  • 'Captive Portal failure' as 'Deny Internet'
  • 'Automatic URL Whitelisting' as 'Disabled'
  • 'Redirect URL' as ''


c. Create two new 'Auth server' 

Auth Server 1

  • 'Name' as 'Turnstyle-RADIUS'
  • 'Server address' as ''
  • 'RadSac' as 'Disabled'
  • 'Auth port' as '1812'
  • 'Accounting port' as '1813'
  • 'Shared key' as '*contact'
  • 'Retype key' as '*contact'

Auth Server 2

  • 'Name' as 'Turnstyle-RADIUS-2'
  • 'Server address' as ''
  • 'RadSac' as 'Disabled'
  • 'Auth port' as '1812'
  • 'Accounting port' as '1813'
  • 'Shared key' as '*Contact'
  • 'Retype key' as '*Contact'

d. 'Reauth interval' as '0'


e. Click 'Blacklist, Walled garden'

In 'Whitelist', click 'New' and add each URL in the list below:

 Note: The above walled garden does not support Google+ as an authentication method.  For full details please see here.


5. Under 'Access':

  • 'Access Rules' as 'Role-based'
  • Under 'Roles', select 'New' and enter 'Preauth' as the name
    • Under 'Access Rules' for 'Preauth', select 'New' and create the following rule:

      • Rule type: Access control
      • Service: Network - any
      • Action: Allow
      • Destination: to domain name
  • Like you did above, you'll need to add a rule, for all the below domains:



  • Under 'Roles', select the role with the same name as the SSID name you previously created. At the bottom, check 'Assign pre-authentication role' and select 'Preauth' from the drop-down menu. 


Click 'Finish' to complete the process! 




Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request