First, you want to add our ES box as the AAA server on your controller, assuming you are using our onboard RADIUS. To get the RADIUS info from ES, log into the admin UI and go to Configuration—>Advanced—>RADIUS Server. This page will show you the IP, ports and shared secret, which you will need to add a AAA on your controller.
Second, you need to create a Whitelist, HotSpot, Pre-Auth ACL, or whatever mechanism Aerohive uses to create a captive portal. For instance, with Cisco controllers you use a ACL, and these are the instructions:
Step 1: Define an ACL which allows access to the XpressConnect webpage.
Log into the Cisco WLAN Controller.
Along the top, click on the Security tab.
Along the left, click on the Access Control Lists link.
To add the ACL, do the following:
In the Access Control List Name field, name the ACL Unauthenticated.
Next to the Unauthenticated ACL, click Edit.
Click Add New Rule.
Add the following rules:
Sequence 1, Destination [XpressConnect IP Address], Protocol TCP, Destination Port HTTP*, Action Permit
Sequence 2, Source [XpressConnect IP Address], Protocol TCP, Source Port HTTP*, Action Permit
Sequence 3, Protocol UDP, Source Port DHCP Server, Action Permit
Sequence 4, Protocol UDP, Source Port DHCP Client, Action Permit
Sequence 5, Protocol UDP, Source Port DNS, Action Permit
Step 2: Enable the portal page on an SSID and enforce the preauthentication ACL.
Along the top, click on the WLANs tab.
Next to the open SSID, click Edit.
In the Security Policies section, set the following:
Check the Web Policy box.
Select the Authentication option.
In the Preauthentication ACL dropdown box, select the new Unauthenticated ACL.
The ACL is definitely the hardest way to configure a captive portal.
Some controllers allow you to just put in the Redirect URL, then add to a Walled Garden or Whitelist, the XpressConnect IP Address/DNS and the IP/DNS for DHCP Server, DHCP Client, and your DNS server.
Third, once you have a AAA server and a Whitelist(or something similar), then you create 2 WLANs or SSIDs.
The first WLAN should be a WPA2-Enterprise Encryption, and EAP-TLS as the authentication, with AES as the Data Encryption, you can then choose our AAA server as the authentication server.
The second WLAN should be Open/None, with the captive portal enabled and use the Whitelist, HotSpot, Pre-Auth ACL, or whatever mechanism Aerohive uses for the captive portal. That will allow the user to connect the WLAN, and then be redirected to the portal for authentication.