Aruba Networks Captive Portal Configuration for Resellers
Key Takeaways:
- Aruba Networks (HPE) is the enterprise WiFi standard in hospitality, healthcare, and higher education.
- MyWiFi integrates through Aruba Central's cloud controller and optional ClearPass Policy Manager for advanced guest access control.
- Configuration involves SSID creation, external captive portal redirect, walled garden rules, and RADIUS authentication.
- Aruba's AI-powered RF optimization and WPA3 Enterprise support make it the highest-security option among MyWiFi-supported hardware.
- All MyWiFi features — social login, WhatsApp OTP, white-label portals, marketing automation — operate at full parity on Aruba infrastructure.
Aruba Networks is HPE's enterprise wireless division. Where Ubiquiti UniFi dominates SMB deployments on price and Cisco Meraki leads in cloud-managed enterprise, Aruba occupies the space where security requirements, scale, and compliance drive the hardware decision. Hospitals, universities, hotel chains, and government buildings run Aruba because ClearPass and the Aruba Central controller provide the access control granularity these environments demand.
For WiFi marketing resellers, Aruba deployments represent high-value clients. A hotel chain with 50 properties on Aruba infrastructure is a single contract with significant recurring revenue. The technical integration is more involved than UniFi or Meraki, but the venue types and contract sizes justify the setup investment.
This guide covers the complete Aruba captive portal configuration for MyWiFi integration: Aruba Central setup, ClearPass guest management, SSID configuration, walled garden rules, RADIUS, and multi-site deployment.
Aruba's architecture: what resellers need to understand
Aruba's product line includes two management planes that matter for captive portal integration:
Aruba Central is the cloud management platform. It handles AP provisioning, monitoring, firmware updates, and basic guest portal configuration. Think of it as Aruba's equivalent to the Meraki Dashboard — a centralized cloud console for managing distributed wireless infrastructure. Aruba Central is where you configure SSIDs, VLANs, and the external captive portal redirect.
ClearPass Policy Manager is Aruba's network access control (NAC) platform. ClearPass handles guest registration, RADIUS authentication, device profiling, and policy enforcement. It is a separate product from Aruba Central and runs on a dedicated server (physical or virtual). ClearPass is optional for basic MyWiFi integration but required for advanced scenarios like device-based policies, tiered access, and enterprise SSO.
For most reseller deployments, Aruba Central alone is sufficient. You configure the external captive portal redirect in Aruba Central, point it at MyWiFi, and use MyWiFi's built-in RADIUS server for authentication. ClearPass is relevant when the client's IT team requires NAC-level control or when the venue has compliance requirements (HIPAA, PCI-DSS) that mandate device-level access policies.
Prerequisites
- Aruba Central account with admin access to the target group/site
- Aruba APs adopted and online in Aruba Central (AP-303, AP-505, AP-635, or any supported model)
- MyWiFi account with a location created for the venue
- ClearPass (optional) — only needed for advanced NAC scenarios
- DNS access if using a custom captive portal domain
Step 1: Create the guest SSID in Aruba Central
Log into Aruba Central at central.arubanetworks.com. Navigate to Wireless Management → WLANs.
Click Add WLAN and configure:
- WLAN name (SSID): Your client's guest network name
- Type: Guest
- Security: Open (no encryption). Guests will authenticate through the external captive portal.
- VLAN: Assign to a dedicated guest VLAN. Aruba supports VLAN pooling for large deployments — this distributes guests across multiple VLANs to avoid broadcast domain saturation in high-density venues.
- Band: 2.4 GHz + 5 GHz dual-band is standard. For newer AP models with WiFi 6E, you can add 6 GHz for high-throughput guest access.
Apply the WLAN to a group. Aruba Central uses groups to manage AP configuration. Assign this WLAN to the group containing the venue's APs. If the client has multiple venues, create a group per venue or use labels to target specific AP sets.
Step 2: Configure external captive portal redirect
Under the WLAN settings, navigate to the Security or Access tab (varies by Aruba Central version).
Captive portal configuration:
- Splash page type: Select External (not Aruba's built-in portal)
- Captive portal URL: Enter your MyWiFi portal URL:
  https://portal.mywifi.io/location/{location-id}
  Or with a custom domain:
  https://wifi.youragency.com/location/{location-id}
- Redirect URL after authentication: Leave this to MyWiFi — the portal handles post-login redirect based on your portal settings (venue website, app store, WhatsApp, etc.)
Authentication method: Select RADIUS and configure the RADIUS server to point at MyWiFi's RADIUS endpoint. Enter the server IP, port (typically 1812 for auth, 1813 for accounting), and shared secret from your MyWiFi dashboard under Location → Hardware Settings → RADIUS Configuration.
Step 3: Walled garden configuration
The walled garden (also called "allowlist" or "whitelist" in Aruba terminology) defines which domains guests can reach before they complete the captive portal authentication.
In the WLAN security settings, locate the Walled Garden or Allowlist section and add:
*.mywifi.io
*.mywifinetworks.com
*.facebook.com
*.google.com
*.googleapis.com
*.gstatic.com
*.apple.com
*.whatsapp.com
*.cloudfront.net
Include your custom portal domain if applicable.
Aruba-specific note: Aruba's walled garden supports both DNS-based entries (domain names) and IP-based entries. Use DNS-based entries for social providers, as their IP ranges change frequently. If you notice intermittent login failures with social providers, add the provider's CDN domains as well.
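A pre-deployment check for Steps 2 and 3, added here as an example (not MyWiFi or Aruba code): it confirms that each site's portal URL is HTTPS, which matters because the guest SSID is open, and that its host is reachable before authentication. The function names, site names and location IDs are constructed, and the wildcard semantics (`*.example.com` covers subdomains only) are an assumption to confirm against your Aruba Central version.

```python
from urllib.parse import urlsplit

# Allowlist entries from Step 3 of this guide.
WALLED_GARDEN = ["*.mywifi.io", "*.mywifinetworks.com", "*.facebook.com",
                 "*.google.com", "*.googleapis.com", "*.gstatic.com",
                 "*.apple.com", "*.whatsapp.com", "*.cloudfront.net"]

# Constructed per-site portal URLs (site names and location IDs are made up).
SITES = {
    "hotel-a": "https://portal.mywifi.io/location/1001",
    "hotel-b": "https://wifi.youragency.com/location/1002",
    "hotel-c": "http://portal.mywifi.io/location/1003",
}

def covered(host, entries):
    """True if host matches an entry. Assumed semantics: '*.example.com'
    covers subdomains only, not the bare 'example.com'."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            suffix = entry[1:]                      # ".example.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False

def audit_portal_urls(site_urls, entries):
    """Map site name -> list of problems found with its captive portal URL."""
    problems = {}
    for site, url in site_urls.items():
        parts, issues = urlsplit(url), []
        if parts.scheme != "https":
            issues.append("portal URL is not HTTPS on an open SSID")
        if not parts.hostname or not covered(parts.hostname, entries):
            issues.append(f"host {parts.hostname!r} missing from walled garden")
        if issues:
            problems[site] = issues
    return problems

if __name__ == "__main__":
    for site, issues in audit_portal_urls(SITES, WALLED_GARDEN).items():
        print(site, issues)
```

With the sample data, the custom-domain site is flagged until `wifi.youragency.com` is added to the allowlist, and the `http://` site is flagged regardless.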
Step 4: ClearPass integration (advanced)
If the client's environment requires ClearPass Policy Manager, the integration flow adds a policy enforcement layer between the guest and internet access.
ClearPass Guest module setup:
- Create a Guest Portal in ClearPass Guest. This is not the portal guests will see — it is the backend configuration that defines guest session parameters.
- Configure a RADIUS service in ClearPass that accepts authentication requests from the Aruba AP/controller and validates them against MyWiFi's authorization callback.
- Create an enforcement policy that maps authentication results to access profiles. Authenticated guests receive the "Internet Access" profile. Unauthenticated guests receive the "Captive Portal Redirect" profile.
- Device profiling (optional): ClearPass can fingerprint guest devices and apply different policies based on device type. For example, IoT devices can be automatically placed on a restricted network while smartphones are directed to the captive portal.
For most WiFi marketing deployments, ClearPass is overkill. The direct Aruba Central → MyWiFi RADIUS integration handles 90% of use cases. Use ClearPass when the client has existing ClearPass infrastructure and their IT team requires all guest access to flow through their NAC platform.
Step 5: Guest network isolation and security
Aruba provides enterprise-grade isolation features that exceed what most SMB platforms offer.
Firewall policies:
- In Aruba Central, create a firewall policy for the guest WLAN that blocks access to corporate network ranges. Aruba's built-in firewall operates at the AP level, enforcing isolation without requiring a separate firewall appliance.
- Block guest-to-guest communication using the Deny Inter-User Traffic setting on the guest WLAN.
Dynamic segmentation: Aruba supports dynamic VLAN assignment based on RADIUS attributes. MyWiFi can return VLAN assignment attributes in the RADIUS Access-Accept response, allowing different guest tiers (free vs. premium) to be placed on different VLANs automatically.
WPA3 Enterprise (optional): For venues that require encrypted guest WiFi, Aruba supports WPA3-Enterprise with OWE (Opportunistic Wireless Encryption). This encrypts the WiFi traffic while still allowing the captive portal flow. This is an advanced configuration and is not required for standard WiFi marketing deployments, but it addresses compliance requirements in healthcare and government venues.
Bandwidth contracts: Aruba Central supports per-user and per-role bandwidth contracts. Set a guest role with bandwidth limits (e.g., 10 Mbps down / 5 Mbps up) to ensure guest traffic does not impact business operations.
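The dynamic segmentation described above depends on VLAN attributes in the RADIUS Access-Accept, and on the shared secret from Step 2 to authenticate that reply. As an added example (not MyWiFi or Aruba code), the Python below builds a constructed Access-Accept and performs the receiver-side checks: the RFC 2865 Response Authenticator and the RFC 3580 tunnel attributes that carry the VLAN. That MyWiFi returns these particular attributes is an assumption; the function names, secret and VLAN ID are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, VLAN, IEEE_802 = 2, 13, 6              # RFC 2865 code, RFC 3580 values
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81  # RFC 2868 attribute types

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, request_auth, secret, vlan_id):
    """Constructed Access-Accept with the three VLAN tunnel attributes (assumed layout)."""
    vid = str(vlan_id).encode()
    attrs = (struct.pack("!BBI", TUNNEL_TYPE, 6, VLAN)       # tag 0x00 + 3-byte value
             + struct.pack("!BBI", TUNNEL_MEDIUM, 6, IEEE_802)
             + struct.pack("!BB", TUNNEL_PGID, 2 + len(vid)) + vid)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def vlan_from_accept(packet, request_auth, secret):
    """Return the VLAN ID, or None if absent; ValueError if malformed or unauthenticated."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or altered reply")
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("truncated attribute")
        found[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    if (int.from_bytes(found.get(TUNNEL_TYPE, b"")[1:], "big") != VLAN
            or int.from_bytes(found.get(TUNNEL_MEDIUM, b"")[1:], "big") != IEEE_802):
        return None
    pgid = found.get(TUNNEL_PGID, b"")
    if pgid and pgid[0] <= 0x1F:  # optional tag byte precedes the VLAN ID string
        pgid = pgid[1:]
    return int(pgid) if pgid.isdigit() else None

if __name__ == "__main__":
    ra, secret = bytes(range(16)), b"constructed-secret"  # constructed sample values
    print(vlan_from_accept(build_accept(7, ra, secret, 120), ra, secret))
```

A reply whose VLAN has been altered in transit, or that was produced with a different shared secret, fails the authenticator check and is rejected before any VLAN is applied.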
Step 6: Multi-site deployment with Aruba Central
Aruba Central is built for multi-site management, which aligns with the reseller model of deploying across dozens of client venues.
Groups and labels: Aruba Central organizes APs into groups. Each group can have its own WLAN configuration. For a hotel chain with 20 properties, you might create a group per property or use a template group that all properties inherit from.
Configuration templates: Create a base guest WLAN configuration as a template. Override the captive portal URL per site (each MyWiFi location has a unique portal URL). This gives you consistent security policies with per-site portal customization.
Multi-tenant management: If you manage Aruba deployments for multiple independent clients (not just multiple sites for one client), Aruba Central supports MSP mode. This provides tenant isolation at the management level — you see all clients in your dashboard, but each client's IT team only sees their own infrastructure.
In MyWiFi, each venue is a separate location with its own portal design and analytics. The white-label platform lets you assign each client their own branded dashboard.
Step 7: Analytics integration
Aruba provides several analytics data sources that complement MyWiFi's captive portal data:
- Client insights in Aruba Central: Connection quality, airtime usage, roaming events, and client health scores per AP and per SSID.
- Aruba User Experience Insight (UXI): Synthetic monitoring that tests the guest WiFi experience from a sensor device. Detects captive portal redirect failures, DNS issues, and DHCP problems before guests report them.
- ClearPass analytics (if deployed): Session logs, authentication success/failure rates, device fingerprinting data.
MyWiFi aggregates the captive portal analytics — guest data, login methods, demographics and segmentation, campaign performance, and ROI metrics. The combination of Aruba's network-level analytics and MyWiFi's marketing-level analytics gives resellers a complete operational picture for client reporting.
Aruba hardware recommendations by deployment type
Aruba offers a broad AP lineup. Match the model to the venue:
- AP-305 / AP-505: Standard indoor enterprise AP. Offices, retail, restaurants, hotel rooms. The workhorse for most WiFi marketing deployments.
- AP-535 / AP-635: High-density indoor AP with WiFi 6/6E. Conference centers, convention halls, large hotel lobbies. Handles 200+ concurrent clients per AP.
- AP-387: Outdoor ruggedized AP. Hotel pools, outdoor dining, parking structures, stadium deployments.
- AP-303H: Hospitality wall-plate AP. Mounts in hotel room wall plates. Each room gets a dedicated AP for consistent coverage and per-room analytics.
Aruba hardware costs more than UniFi. An AP-505 runs $500 to $800 depending on channel and volume, plus Aruba Central subscription fees per AP. Build this into your client proposal — the higher hardware cost is justified in venues where security compliance, density, or brand requirements demand enterprise-grade infrastructure.
Comparing Aruba to other enterprise options
| Feature | Aruba | Meraki | Ruckus |
|---|---|---|---|
| Cloud management | Aruba Central | Meraki Dashboard | SmartZone |
| NAC platform | ClearPass | ISE (separate) | None native |
| AI optimization | Yes (AI Insights) | Basic | Channelfly |
| WPA3 Enterprise | Full support | Full support | Full support |
| Per-AP licensing | Central subscription | Required | Optional |
| MyWiFi feature parity | Full | Full | Full |
For a full comparison of all supported hardware, visit the hardware compatibility page.
FAQ
How long does Aruba captive portal setup take?
Basic Aruba Central → MyWiFi integration takes 20 to 30 minutes per site. If ClearPass is involved, add 1 to 2 hours for the initial policy configuration (subsequent sites reuse the policy).
Do I need ClearPass for MyWiFi integration?
No. ClearPass is optional. The direct Aruba Central RADIUS integration with MyWiFi handles standard guest WiFi marketing deployments. Use ClearPass only when the client has existing NAC requirements or compliance mandates.
Does MyWiFi support Aruba Instant On?
Aruba Instant On is Aruba's SMB product line (separate from the enterprise line). It has a different management interface and more limited captive portal customization. MyWiFi supports Instant On for basic external portal redirect. For full feature parity, the enterprise Aruba line with Aruba Central is recommended.
Can I mix Aruba and non-Aruba hardware in the same MyWiFi account?
Yes. MyWiFi is hardware-agnostic. Each location is configured independently. You can have Aruba venues alongside Meraki, UniFi, and any other supported hardware in the same reseller account.
What Aruba firmware version is required?
Aruba AOS 8.x and AOS 10.x are both supported. AOS 10 (the controller-less architecture managed by Aruba Central) is the recommended platform for new deployments. AOS 8 with a Mobility Controller is the legacy architecture and works but requires controller-side configuration instead of Aruba Central.
How does Aruba handle MAC randomization?
Aruba Central can detect randomized MACs and flag them. However, for WiFi marketing purposes, MyWiFi ties guest identity to the authenticated session (the captive portal login) rather than the MAC address. This ensures accurate analytics and marketing automation regardless of MAC randomization behavior.
Next steps
- Set up your first Aruba venue — Configure the SSID, external portal redirect, and RADIUS in Aruba Central, then test end-to-end
- Optimize your portal — Apply captive portal design patterns proven to increase opt-in rates
- Explore all supported hardware — See the hardware compatibility page for 20+ vendors including Ruckus, Fortinet, and Juniper Mist
- Build your reseller pricing — Visit MyWiFi pricing and review the MSP pricing guide for margin strategies
- Book a demo — Schedule a live demo to see the Aruba integration in action
Aruba Networks gives resellers access to the highest-security tier of enterprise WiFi. Combined with MyWiFi's marketing platform, you deliver compliant, data-rich guest WiFi to hotels, hospitals, universities, and enterprise campuses — verticals where the contract values justify the enterprise hardware investment. The integration is proven, feature parity is full, and every marketing feature from WhatsApp login to automated segmentation works on Aruba infrastructure without compromise.