- This Aruba Wi-Fi integration has been verified with Aruba 200-series Wi-Fi APs only.
- Aruba Central is required to manage and configure the APs and all APs should be registered in Aruba Central (MAC address registered and licenses assigned).
- Aruba APs must join the LAN supported by the server, being assigned either static or DHCP IP addresses by the server.
- In order to use the secure VLAN feature, APs must be connected to the server via a VLAN-aware switch.
- This service requires an additional VM to be added to the server to host RADIUS, along with a number of configuration updates. A small amount of storage, RAM and CPU capacity will be assigned to this VM. This VM can be requested when assigning resources for a new server or by contacting the ProLiant Easy Connect Support Team.
Step 1: Adding the Aruba Wi-Fi Integration to your server
Raise a new support request with the Support Team, and ask them to add the Aruba Wi-FI integration to your server. You can raise a support request at the top right of this page
Step 2: Adding the Server’s RADIUS Details to Aruba Central
Monitoring of APs and WPA-E authentication both require Aruba Central to be integrated with the server’s RADIUS service. You do this from Aruba Central: https://portal.central.arubanetworks.com. You obtain the details of your RADIUS server from the Commissioning Console
Login to Aruba Central’s, go to the Wireless Configuration Security settings and add a new Authentication Server.
The specific settings required to support this solution are:
• The Authentication Server type selected must be “RADIUS”.
• The IP Address must be the value indicated in the Commissioning Console’s Authentication Server IP address.
• The Shared Key must be the value indicated in the Commissioning Console’s Shared Secret password.
The remaining settings and options can be left as default or completed to meet the user’s requirements of the network and/or APs being deployed.
The Commissioning Console values for the above fields can be found by selecting the relevant server, then selecting the server details summary tab where the WiFi Access Point Integration details can be found.
(If these details are not present in the Commissioning Console, this indicates the relevant services have not been deployed on the server. Please contact the Support Team.)
Step 3: Configuring Access Point Monitoring and UI Links
Firstly, the RADIUS server must be configured in Aruba Central, as described above.
In order to monitor Aruba APs, Aruba Central must be configured to allow administrator authentication using the RADIUS server.
In the Aruba Central Configuration, Wireless, System screen, setup an Administrator with the following Client Control settings:
- Authentication using “Authentication Server with fallback to internal”.
- Select the RADIUS server previously setup as the Auth Server 1
- Enter the Aruba administrator credentials.
The Monitoring Console and User Control Console will now automatically monitor APs registered in Aruba Central.
Status reports in the Monitoring Console link to the Aruba Central home page by simply clicking on the globe icon next to each Status Detail text.
Configuring a WPA-E Wi-Fi Network
In Aruba Central’s Wireless Configuration Network settings screen, add a new Network.
Generally, WPA-E is used for an “Employee” usage type (meaning they will connect using their credentials held in the server’s Active Directory).
Client IP Assignment should be “Network Assigned”, allowing the server to assign IP addresses to clients connecting to the WPA-E network, in the same way it would supply IP addresses to any client connecting to the LAN.
When using WPA-E for employees, it is not necessary to select a VLAN in the Aruba Central Network settings. The clients will be connecting to the server as employees, with access to the same set of File Shares and VMs as they would if they had a wired connection to the LAN. Therefore, leave VLAN assignment as “Default”.
Ensure “Enterprise” level security is selected in Aruba Central and Key Management is set to “WPA-2 Enterprise”.
Select the RADIUS server added in the previous step as the Authentication Primary Server.
Select “Unrestricted” Access Rules for clients connecting to this Wi-Fi network. This delegates access and authorization rules to the server, allowing clients the same privileges on Wi-Fi as they would receive on a wired LAN connection.
With the new Wi-Fi network, authenticating against the RADIUS server, clients are now able to connect to the network, secured by WPA-E, using their own user credentials.
Using Group Policies to Enable Single Sign-ON
Employee access to the WPA-E Wi-Fi network can be further simplified by creating an Active Directory Group Policy enabling Single Sign-On (SSO).
Users who have logged in to their Windows-based client would simply have to select the relevant WPA-E Wi-Fi network in order to connect, without requiring their user name and password to be entered a second time.
- In Active Directory’s Security Settings, Wireless Network Policies, add a New Profile of type “Infrastructure”.
- In the Connection settings, the Network Name (SSID) should be set to the Aruba Central assigned SSID name.
- In the Security settings, select “WPA2-Enterprise” as the Authentication method.
- The other properties can be left as default.
In Aruba Central’s Wireless Configuration Network settings, add a new Network.
Select the “Guest” usage type (as they will connect using their credentials held in the Server’s Active Directory).
Client IP Assignment should be “Network Assigned”, allowing the server to assign IP addresses to clients connecting to the Guest network.
Choose “Static” for Client VLAN Assignment and enter the VLAN ID provided in the Commissioning Console to use the pre-configured VLAN managed by the server.
It is not necessary to add Wi-Fi encryption and passwords to the guest network to benefit from the VLAN, although it is good practice to do so. Without additional security, the guest network will be open to anyone to connect to without authentication, but will remain securely segregated from the rest of the LAN and server resources, due to the use of the VLAN.
Any additional security or authentication added to the guest network, such as a single shared password for guest authentication, is managed by Aruba Central. Guest clients are not authenticated against the server’s Active Directory.
Select “Unrestricted” Access Rules for clients connecting to this Wi-Fi network. This delegates network access and authorization rules to the server, ensuring guest clients have the same firewall and web filtering rules applied as employees.