Configuring a Guest Splash Page Profile

The Guest app allows MSP administrators to configure Splash Page profiles for tenant accounts. If
the tenant account is mapped to a group and the Guest service is enabled on the tenant account,
the tenant account users inherit the splash page profiles configured in the MSP. If the group
associated to a tenant account is locked for editing on the MSP mode, the tenant account users
cannot edit the Splash Page profiles inherited from the MSP. The guest MSP administrator users can
delete only those Splash Pages that are not linked to any tenant account.
This topic describes the following procedures:
 Adding a Guest Splash Page Profile
 Customizing a Splash Page Design
 Previewing and Modifying a Splash Page Profile
 Localizing a Guest Portal
 Associating a Splash Page Profile to an SSID
Meta will terminate Facebook Wi-Fi service soon. With this, existing visitor deployments within Aruba
Central Guest and Aruba ClearPass Guest that use Facebook Wi-Fi will stop working. This only impacts the
Facebook Wi-Fi functionality offered through Meta. Customers using Facebook authentication as a remote
identity source are not affected. Customers are advised to read and complete the recommended
configuration changes explained in the Aruba Central and ClearPass Policy Manager - Guest Access after
Facebook Wi-Fi Service Ends support advisory at Aruba Support Portal at the earliest to ensure guest
network authentication remains functional after the termination of Facebook Wi-Fi.

Adding a Guest Splash Page Profile

To create a splash page profile, complete the following steps:

1. In the Aruba Central app, set the filter to a group.

The dashboard context for the group is displayed.

2. Under Manage, click Guests.

The Guest Access > Splash Pages page is displayed.

3. To create a new splash page, click the + icon.

The New Splash Page pane is displayed.

4. On the Configuration tab, configure the parameters described in the following table:

Table 1: Splash Page Configuration

Data Pane Content Description

Name Enter a unique name to identify the splash profile.

NOTE: If you attempt to enter an existing splash profile's name, Aruba
Central displays a message stating that Splash page with this name
already exists.
Table 1: Splash Page Configuration

Data Pane Content Description

Type Configure any of the following authentication methods to provide a

secure network access to the guest users and visitors.
Anonymous
Authenticated
Facebook Wi-Fi

Anonymous Configure the Anonymous login method if you want to allow guest users

to log in to the Splash page without providing any credentials.
For anonymous user authentication, you can also enable a pre-shared
key to allow access. To enable a pre-shared key based authentication, set
the Guest Key to ON and specify a password.

Configure authentication and authorization attributes, and login

credentials that enable users to access the Internet as guests. You can
configure an authentication method based on sponsored access and
Authenticated
social networking login profiles.
The authenticated options available for configuring the guest splash page
are described in the following rows.

The Username/Password based authentication method allows pre-

configured visitors to obtain access to wireless connection and the
Internet. The visitors or guest users can register themselves by using the
splash page when trying to access the network. The password is
delivered to the users through print, SMS or email depending on the
options selected during registration.
To allow the guest users to register by themselves:

 Enable Self-Registration.

 Set the Verification Required to ON if the guest user account

must be verified.
Username/Password
 Enable the Bypass Apple Captive Network Assistant (CNA) to
bypass the CNA on the iOS devices. Enabling CNA bypass allows
users to bypass the Apple Captive Network Assistant pop-up on
their iOS devices. However, users still need to verify their
credentials with a browser. When the CNA bypass is disabled, the
iOS clients have to enter the credentials in the CNA pop-up on
their devices. The Bypass Apple Captive Network Assistant
(CNA) toggle button is displayed only when Verification
Required is enabled. Users can either enable or disable CNA
bypass based on their requirement.

 Specify a verification criteria to allow the self-registered users to

Table 1: Splash Page Configuration

Data Pane Content Description

verify through email or phone.

 If email-based verification is enabled and the Send
Verification Link is selected, a verification link is sent to the
email address of the user. The guest users can click the link to
obtain access to the Internet.
 If phone-based verification is enabled, the guest users will
receive an SMS. The administrators can also customize the
content of the SMS by clicking on Customize SMS.

 Specify the duration within the range of 1-60 minutes, during

which the users can access free Wi-Fi to verify the link. The users
can log in to the network for the specified duration and click the
verification link to obtain access to the Internet.

By default, the expiration date for the accounts of self-registered guest

users is set to infinite during registration. The administrator or the guest
operator can set the expiration date after registration.

Enable Social Login to allow guest users to use their existing login

credentials from social networking profiles such as Facebook, Twitter,
Google, or LinkedIn and sign on to a third-party website. When a social
login based profile is configured, a new login account to access the guest
network or third-party websites is not required.
NOTE: When configuring the OAuth for the social login, specify the cloud
guest URL provided in the Aruba Central as the Redirect URI. For
information about how to obtain the guest URL, see Obtaining the
Redirect URI for OAuth.
The following social logins are available:
 Facebook—Allows guest users to use their Facebook credentials to
log on to the splash page. To enable Facebook integration, you must
Social Login create a Facebook app and obtain the app ID and secret key. For
more information on app creation, see Create an App in the
Facebook documentation portal.
Enter details obtained during creation of Facebook app for the
following parameters:
o Client ID—Enter the app ID obtained from
Facebook.
o Client Secret—Enter the secret key obtained
from Facebook.
 Twitter—Allows guest users to use their Twitter credentials to log
on to the splash page. To enable Twitter integration, you must
create a Twitter app and obtain the app ID and secret key. For more
information, see Developer Apps in the Twitter documentation
Table 1: Splash Page Configuration

Data Pane Content Description

portal.
Enter details obtained during creation of the Twitter app for the
following parameters:
o Client ID—Enter the app ID obtained from
Twitter.
o Client Secret—Enter the secret key obtained
from Twitter.
 Google—Allows guest users to use their Google credentials to log
on to the splash page. To enable Google integration, you must
create a Google app and obtain the app ID and secret key. For more
information, see Creating your Project in the Google documentation
portal.
Enter details obtained during creation of the Google app for the
following parameters:
o Client ID—Enter the app ID obtained from
Google.
o Client Secret—Enter the secret key obtained
from Google.
o Gmail for Work Domain—Enter the domain
name to restrict authentication attempts to only the members of
a Google hosted domain. Ensure that you have a valid domain
account licensed by Google Domains or Google Apps.
o Sign-in Button Test—Specify a text for the
sign-in button.
 LinkedIn—Allows guest user to use their LinkedIn credentials to log
on to the splash page. To enable LinkedIn integration, you must
create a LinkedIn app and obtain the app ID and secret key. For
more information, see Creating an App and Sign In with LinkedIn in
the LinkedIn documentation portal.
Enter details obtained during creation of the LinkedIn app for the
following parameters:
o Client ID—Enter the app ID obtained from
LinkedIn.
o Client Secret—Enter the secret key obtained
from LinkedIn.

If you want to enable network access through the free Wi-Fi service
offered by Facebook. Select the Facebook Wi-Fi option. The Facebook
Wi-Fi feature allows you to pair your network with a Facebook business
Facebook Wi-Fi page, thereby allowing the guest users to log in from Wi-Fi hotspots using
their Facebook credentials.
If the Facebook Wi-Fi business page is set up, when the users try to
access the Internet, the browser redirects the user to the Facebook page.
Table 1: Splash Page Configuration

Data Pane Content Description

The user can log in with their Facebook account credentials and can
either check in to access free Internet or skip checking in and then
continue.

After selecting the Facebook Wi-Fi option, complete the following steps to
continue with the Facebook Wi-Fi configuration.

 Click the Configure Now link.

 Sign in to your Facebook account.

Facebook Wifi  If you do not have a business page, click Create Page. For more
Configuration information on setting Facebook Wi-Fi service, see Facebook Wi-
Fi in the Facebook documentation portal.

NOTE: Instant AP devices support Facebook Wi-Fi services on their own,

without Aruba Central. However, for enabling social login based
authentication, the guest splash pages must be configured in Aruba
Central. For more information on Facebook Wi-Fi configuration on
an Instant AP, see the Aruba  Instant User Guide.

Allow Internet In To allow users access the Internet when the external captive
Failure portal server is not available, click the Allow Internet In Failure toggle
switch. By default, this option is disabled.

Override Common To override the default common name, click the Override Common
Name Name toggle switch and specify a common name. The common name is
the web page URL of the guest portal. By default, the common name is
set to securelogin.arubanetworks.com. The guest users can override
this default name by adding their own common name.
If your devices are managed by AirWave and you want to use your own
certificate for the captive portal service, ensure that the captive portal
certificate is pushed to the Instant AP from the AirWave management
system. When the appropriate certificate is loaded on the AP, perform
the following actions:

 Run the show captive-portal-domains command at the Instant

AP command prompt.

 Note the common name or the internal captive portal domain

name.

 Add this domain name in the Override Common Name field on

Table 1: Splash Page Configuration

Data Pane Content Description

the Splash Page configuration page.

 Save the changes.

To set password for anonymous users, enable the Guest Key and enter a
Guest Key
password.

Enable the Sponsored Guest option to provide authorization control to a

Sponsored Guest guest sponsor for allowing and denying a guest from accessing the
network.

Enter accepted company domain names. The domain name must match
the suffix of the sponsor's email address. The domain names must be
Allowed Sponsor
company names and not any public domain names such as Gmail,
Domains
Yahoo, and so on. To add more domain names, click the add icon and
enter the domain name. This is a mandatory field.

Enter the allowed email addresses. If you leave this field empty, all emails
Allowed Sponsor that correspond to the allowed domains list are permitted to sponsor
Emails guests. To add more sponsor emails, click the add icon and enter the
sponsor's email address. This is an optional field.

Authentication If Anonymous or Authenticated option is selected as the guest user

Success Behavior authentication method, specify a method for redirecting the users after a
successful authentication. Select one of the following options:
 Redirect to Original URL— When selected, upon successful
authentication, the user is redirected to the URL that was originally
requested.
 Redirect URL— Specify a redirect URL if you want to override the
original request of users and redirect them to another URL.

Authentication If the Authenticated option is selected as the guest user authentication

Failure Message method, enter the authentication failure message text string returned by
the server when the user authentication fails.

Session Timeout Enter the maximum time in Day(s): Hour(s): Minute(s) format for which a
client session remains active. The default value is 0:8:00. When the
session expires, the users must re-authenticate.
If MAC caching is enabled, the users are allowed or denied access based
on the MAC address of the connective device.

Share This Profile Select this check box if you want to allow the users to share the Splash
Table 1: Splash Page Configuration

Data Pane Content Description

Page profile. The Splash Page profiles under All Devices can be shared
across all the groups.
NOTE: When you clone an existing group, the unshared splash page
profile in the existing group is not cloned to the new group. In the
existing group, if an unshared splash page is associated with a guest
network, then the splash page value is empty in the guest network of the
new group.

Daily Usage Limit Use this option to set a data usage limit for authenticated guest users,
anonymous profiles, and Facebook Wi-Fi logins. By default, no daily
usage limit is applied.
To set a daily usage limit, use one of the following options:
 By Time— Specify the time limit in hours and minutes for data
usage during a day. When a user exceeds the configured time limit,
the device is disconnected from the network until the next day
begins; that is, until 00.00 hours in the specified time zone.
 By Data— Specify a limit for data usage in MB. You can set this limit
to either Per User, Per Session, or Per Device. When the data
usage exceeds the configured limit, the user device is disconnected
from the network until the next day begins; that is, until 00.00 hours
in the specified time zone.
o Per User— This option applies the data usage
limit based on authenticated user credentials.
o Per Session—This option applies the data
usage limit based on user sessions.
o Per Device—This option applies the data usage
limit based on the MAC address of the client device connected
to the network.
Important Points to Note
 The values configured for this feature do not serve as hard limits.
There might be a slight delay in enforcing daily usage limits due to
the time required for processing information.
 For anonymous and Facebook Wi-Fi logins, the daily usage limit is
applied per MAC address of the client device connected to the
network.

Allowlist URL To allow a URL, click + and add the URL to the allowlist. For example, if
the terms and conditions configured for the guest portal include URLs,
you can add these URLs to the allowlist, so that the users can access the
required web pages.