To set up RADIUS for Aruba, add a RADIUS authentication server in Aruba Instant or Aruba Central with the server IP, port 1812, and shared secret. Then configure a WPA-Enterprise WLAN profile that references this server. Aruba access points will use 802.1X to authenticate each user against the RADIUS server before granting network access.
Aruba Networks (now HPE Aruba Networking) is a leading enterprise wireless platform known for its robust security features, granular policy enforcement, and scalable cloud management. Aruba access points are widely deployed in enterprise, education, healthcare, and government environments where security is paramount.
This guide covers the complete process of integrating Aruba access points with IronWiFi's Cloud RADIUS server for WPA-Enterprise authentication. We cover both Aruba Instant (standalone/virtual controller) and Aruba Central (cloud-managed) deployment models.
Why Use RADIUS with Aruba Networks?
Aruba's enterprise-grade access points are built for environments that demand strong authentication. While Aruba supports PSK-based networks, the platform's real strength shines with RADIUS-based 802.1X authentication:
- Per-user identity and accountability: Every connection is tied to a specific user or device, enabling detailed audit trails and compliance reporting
- Dynamic role assignment: Aruba's role-based access framework maps RADIUS attributes to firewall policies, bandwidth limits, and VLAN assignments
- Certificate-based security: EAP-TLS authenticates with client certificates instead of passwords, so there is no reusable credential to phish, replay or crack offline
- RadSec support: Aruba Instant supports RADIUS over TLS (RadSec), encrypting the entire RADIUS exchange for environments where UDP-based RADIUS is not permitted
- Seamless directory integration: Cloud RADIUS connects to Azure AD, Google Workspace, Okta, and LDAP directories for centralized user management
Aruba Deployment Models
Aruba offers several management architectures. This guide covers the two most common:
- Aruba Instant (IAP): Standalone APs with a virtual controller. One AP is elected as the virtual controller and manages the cluster. Configuration is done via the local web interface or CLI
- Aruba Central: Cloud-managed APs where configuration is pushed from the HPE Aruba Central dashboard. Ideal for multi-site deployments managed from a single pane of glass
Prerequisites
Before starting, ensure you have:
- Aruba access points - Aruba Instant (AP-505, AP-515, AP-535, AP-635, or any Instant-capable model) or Aruba Central-managed APs
- Firmware version: ArubaOS Instant 8.x or later (for Instant mode) or ArubaOS 10.x (for Central-managed APs)
- IronWiFi account - sign up for a free trial
- Network connectivity: APs must reach the RADIUS server on UDP ports 1812 (authentication) and 1813 (accounting), or TCP port 2083 for RadSec
- VLANs configured: If using dynamic VLAN assignment, create the required VLANs on your network infrastructure
Step 1: Configure IronWiFi RADIUS Server
Set up the RADIUS server infrastructure in IronWiFi before configuring the Aruba APs.
- Log in to the IronWiFi console at console.ironwifi.com and navigate to Networks
- Create a new Network with a descriptive name (e.g., "Aruba-Corporate" or "Campus-Aruba"). The system generates RADIUS server IPs, ports, and a shared secret
- Register the NAS IP address: this is the source address IronWiFi sees on the incoming RADIUS packets, not necessarily an AP's own address. For Aruba Instant, register the virtual controller's IP if Dynamic RADIUS Proxy is enabled, otherwise every AP's IP; if the cluster sits behind NAT, register the public address instead. For Aruba Central-managed APs, which send requests individually, register the public (NAT) address each site presents to the internet
- Record the RADIUS server details: Primary IP, secondary IP, authentication port (1812), accounting port (1813), and shared secret
- Set up users: Create user accounts directly, or connect an identity provider (Azure AD, Google Workspace, Okta, LDAP) for directory-based authentication
Dynamic RADIUS Proxy
Aruba Instant's Dynamic RADIUS Proxy feature routes all RADIUS requests through the virtual controller's IP address instead of individual AP IPs. This is strongly recommended - it means you only need to register one NAS IP in your RADIUS server instead of every AP. Enable it under System > General > Dynamic RADIUS Proxy.
Step 2: Aruba Instant AP Configuration
Configure WPA-Enterprise on Aruba Instant APs using the local web interface.
Create the Employee SSID
- Log in to the Aruba Instant web interface by browsing to the virtual controller's IP address
- Navigate to Configuration > Networks and click the "+" button to create a new network
- Set the network name (SSID) and configure basic settings:
- Type: Employee
- SSID: Your desired network name
- Configure VLAN settings:
- Client IP assignment: Virtual Controller managed (for L2/L3 roaming) or Network assigned
- Client VLAN assignment: Static or Dynamic (RADIUS-based)
- Set the Security level to Enterprise
- Configure Key Management:
- WPA-2 Enterprise: Maximum compatibility with all client devices
- WPA-2 + WPA-3 Enterprise: Transition mode for mixed environments
- WPA-3 Enterprise: 192-bit mode for high-security deployments. Note that 192-bit mode mandates EAP-TLS with Suite B-compatible cipher suites and certificates (for example ECDSA P-384), so verify that both your client population and the RADIUS server support it before selecting it
Add the RADIUS Server
- In the Security tab, under Authentication Server, click "New"
- Enter the primary RADIUS server details:
- Name: IronWiFi-Primary
- IP Address: IronWiFi primary RADIUS server IP
- Authentication Port: 1812
- Accounting Port: 1813
- Shared Key: Your IronWiFi shared secret
- Add a secondary server for failover by clicking "New" again and entering the IronWiFi secondary server details
- Set the server timeout - the default of 5 seconds is appropriate for Cloud RADIUS. Increase to 10 seconds if your network has high latency
- Click Save to apply the configuration. Aruba Instant will push the settings to all APs in the cluster
Enable Dynamic RADIUS Proxy
Before testing, ensure Dynamic RADIUS Proxy is enabled. Navigate to System > General and check the Dynamic Proxy: RADIUS box. Without this, each AP sends RADIUS requests from its own IP, and you would need to register every AP's IP in the IronWiFi NAS list.
Step 3: Aruba Central Cloud Configuration
If your Aruba APs are managed through Aruba Central, configure the SSID and RADIUS server from the cloud dashboard.
- Log in to Aruba Central and navigate to Networking > WLANs
- Click "Add SSID" to create a new wireless network
- Configure the SSID:
- Name: Your desired SSID name
- Security Level: Enterprise
- Key Management: WPA2 Enterprise or WPA2/WPA3 Enterprise
- Under Authentication, add the RADIUS server:
- Server IP: IronWiFi primary RADIUS IP
- Port: 1812
- Shared Secret: Your shared secret
- Add accounting server (same IP, port 1813, same shared secret)
- Assign the SSID to the desired AP group or site
- Click Save & Apply - Aruba Central will push the configuration to all APs in the group
| Feature | Aruba Instant | Aruba Central |
|---|---|---|
| Management | Local web UI / CLI | Cloud dashboard |
| RADIUS Configuration | Per-cluster | Per-group (multi-site) |
| Dynamic RADIUS Proxy | Virtual controller IP | Per-AP or gateway IP |
| RadSec Support | Yes | Yes (AOS 10.x) |
| Role-Based Policies | Full role framework | Full role framework |
| Multi-Site Management | Per-cluster only | Centralized |
Step 4: Certificate-Based Authentication (EAP-TLS)
For the highest level of security, replace password-based authentication with client certificates. EAP-TLS provides mutual authentication - both the client and the server prove their identity using certificates - so no password is typed, transmitted or stored that could be phished or replayed. Generate the client private key on the device as non-exportable (TPM, Secure Enclave or Android Keystore) so that the certificate cannot simply be copied to another machine.
Server-Side Setup (IronWiFi)
- Navigate to Networks in the IronWiFi console and select your Aruba network
- Enable certificate-based authentication under Authentication Settings
- Upload or generate a CA certificate using IronWiFi's Cloud PKI. This CA will sign client certificates
- Configure certificate validation rules: Require specific certificate fields (CN, SAN), enforce expiration checks, and optionally check certificate revocation lists (CRL)
Client Certificate Deployment
Client devices need a trusted certificate installed before they can authenticate. There are several deployment methods:
- MDM deployment: Push certificates via Intune, Jamf, or Workspace ONE through a SCEP profile
- IronWiFi Enrollment Portal: Users self-enroll through a web portal that generates and installs the certificate automatically. See the Enrollment Portal documentation
- Manual installation: Export the client certificate (PKCS#12 format) and install it on the device. Appropriate for small deployments or testing
Why EAP-TLS with Aruba?
- No passwords to steal: nothing reusable is typed or transmitted, and with non-exportable private keys the certificate cannot be phished, brute-forced or copied off the device
- Automated rotation: SCEP and Cloud PKI handle certificate lifecycle automatically
- Aruba role mapping: Certificate attributes (OU, CN) can drive Aruba role assignment for granular access control
- Compliance friendly: Meets requirements for PCI-DSS, HIPAA, and SOC 2 network access controls
Step 5: Server Certificate Validation
Proper server certificate validation prevents man-in-the-middle attacks where a rogue access point impersonates your network. Client devices should verify the RADIUS server's identity before sending credentials.
How It Works
During the EAP handshake, the RADIUS server presents its server certificate to the client. The client checks that the certificate is signed by a trusted CA and that the server name matches the expected value. If validation fails, the client rejects the connection.
Configuration by Platform
- Windows: Configure the trusted root CA and expected server name in the Wi-Fi profile's PEAP/EAP-TLS settings. Deploy via Group Policy for managed devices
- macOS/iOS: Deploy a Wi-Fi configuration profile via MDM that includes the trusted CA certificate and server name constraint
- Android: Set the CA certificate to the RADIUS server's root CA and the Domain to the server name in that certificate. Android 11 and later require both for new WPA-Enterprise networks and no longer offer "Do not validate"
- ChromeOS: Configure the 802.1X network policy in Google Admin Console with the server CA certificate
Do Not Skip Server Certificate Validation
Setting CA certificate to "Do not validate" on client devices is convenient for testing but creates a serious security vulnerability. An attacker with a rogue AP broadcasting your SSID can impersonate your RADIUS server; with PEAP/MSCHAPv2 the client then hands over the MSCHAPv2 challenge/response, which can be cracked offline to recover the user's password, and with other inner methods the credential itself. Always deploy proper server certificate validation (trusted CA plus expected server name) in production.
Step 6: Role-Based Access Policies
Aruba's role framework is one of the platform's strongest features. RADIUS attributes returned during authentication can map users to specific roles, each with its own firewall policies, bandwidth limits, and VLAN assignments.
Configuring RADIUS-Based Roles
In IronWiFi, configure reply attributes that Aruba interprets for role assignment:
- Aruba-User-Role: A Vendor-Specific attribute (Aruba vendor ID 14823, vendor type 1) whose value maps directly to a user role defined on the Aruba AP. Set this as a RADIUS reply attribute for each user group
- Tunnel-Private-Group-ID: Assigns the user to a specific VLAN, returned together with Tunnel-Type=13 (VLAN) and Tunnel-Medium-Type=6 (IEEE-802); all three must be present for the VLAN to be applied
- Filter-Id: An alternative method to assign roles or ACLs based on user identity
Example Role Configuration
| User Group | Aruba Role | VLAN | Policy |
|---|---|---|---|
| IT Administrators | admin-role | 10 | Full access, all subnets |
| Corporate Staff | employee-role | 20 | Internal resources + internet |
| Contractors | contractor-role | 30 | Limited internal + internet |
| BYOD Devices | byod-role | 40 | Internet only, bandwidth limited |
| IoT Devices | iot-role | 50 | Specific endpoints only, isolated |
Creating Roles on Aruba Instant
- Navigate to Configuration > Roles on the Aruba Instant web interface
- Click the "+" to create a new role (e.g., "employee-role")
- Define Access Rules for the role - these are firewall policies that control what the user can access
- Set bandwidth limits if needed (upstream/downstream in Kbps)
- Configure the VLAN assignment for the role
- In IronWiFi, set the Aruba-User-Role reply attribute to match the role name exactly
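As an added example (not code from IronWiFi or Aruba), the following encodes the reply attributes described under "Configuring RADIUS-Based Roles" for the groups in the example role table, and then decodes them the way a NAS does, including the RFC 2868 tag octet and the rule that a VLAN is honoured only when all three tunnel attributes arrive with the same tag. The group-to-role table, the tag value and the decoding strictness are assumptions for illustration.

```python
"""Encode the RADIUS reply attributes this guide uses for Aruba role and VLAN
assignment, and decode them the way a NAS does. Standard library only."""
import struct

VENDOR_SPECIFIC, FILTER_ID = 26, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
ARUBA_VENDOR_ID = 14823          # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1              # vendor type of the Aruba-User-Role VSA

# Constructed policy table mirroring the example role table above (illustration only).
GROUPS = {
    "it-admins": ("admin-role", 10),
    "corporate": ("employee-role", 20),
    "contractors": ("contractor-role", 30),
    "byod": ("byod-role", 40),
    "iot": ("iot-role", 50),
}

def attr(attr_type, value):
    """Attribute TLV: type, total length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def vsa(vendor_id, vendor_type, value):
    """RFC 2865 s5.26 Vendor-Specific: 4-byte vendor id, then vendor type/length/value."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))

def tagged_str(attr_type, tag, text):
    """RFC 2868 tagged string: one tag octet followed by the text."""
    return attr(attr_type, bytes([tag]) + text.encode())

def reply_attributes(group, tag=1):
    """Attributes an Access-Accept for this group should carry (tag links the three tunnel attrs)."""
    role, vlan = GROUPS[group]
    return (vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, role.encode())
            + tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))

def parse_attributes(data):
    """Walk the attribute section of a packet, rejecting malformed lengths."""
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        yield attr_type, data[pos + 2:pos + length]
        pos += length

def strip_tag(value):
    """RFC 2868: the first octet is a tag only if it is 0x00..0x1F; tag 0 and 'no tag' are equivalent."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def apply_reply(data):
    """Derive (role, vlan) as the AP would; None where the reply gives nothing usable."""
    role, vlan, tunnels = None, None, {}
    for attr_type, value in parse_attributes(data):
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            # Only Aruba's vendor id and a consistent inner length count as a role
            if vendor_id == ARUBA_VENDOR_ID and value[4] == ARUBA_USER_ROLE and value[5] == len(value) - 4:
                role = value[6:].decode()
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = strip_tag(value)
            tunnels.setdefault(tag, {})[attr_type] = body
    # A VLAN is applied only when all three tunnel attributes are present with the same tag
    for group in tunnels.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in group):
            pgid = group[TUNNEL_PRIVATE_GROUP_ID].decode()
            vlan = int(pgid) if pgid.isdigit() else pgid   # VLAN id, or a VLAN name if not numeric
            break
    return role, vlan
```

Running apply_reply(reply_attributes("corporate")) yields ("employee-role", 20). Dropping any one of the three tunnel attributes, or giving them different tags, yields a None VLAN, which is the "VLAN/Role Not Applied" symptom in the troubleshooting section below; a Vendor-Specific attribute from a different vendor id is ignored, so a role name sent as plain Filter-Id would not be picked up by this decoder either.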
Testing and Troubleshooting
Testing the Connection
- Connect a test device to the enterprise SSID
- Enter credentials (PEAP) or ensure the client certificate is installed (EAP-TLS)
- Pre-deploy the RADIUS server's CA and expected server name via MDM or Group Policy. If a test device prompts you to accept the server certificate on first connection, compare its fingerprint with the certificate shown in the IronWiFi console before accepting; do not rely on that prompt in production
- Verify the connection: Check the assigned IP address matches the expected VLAN subnet
- Confirm the role: On the Aruba Instant web interface, go to Monitoring > Clients and verify the user's assigned role
Common Issues and Solutions
Authentication Timeout
- Firewall blocking RADIUS: Verify UDP ports 1812 and 1813 are open from the AP network to the RADIUS server. If using RadSec, ensure TCP 2083 is open
- Wrong NAS IP: If Dynamic RADIUS Proxy is disabled, each AP sends requests from its own IP. Either enable Dynamic RADIUS Proxy or register all AP IPs in IronWiFi
- Server timeout too low: For Cloud RADIUS over high-latency links, increase the Aruba server timeout from 5 to 10 seconds
Authentication Rejected
- Shared secret mismatch: The shared secret must be identical on both the Aruba AP and IronWiFi. Check for trailing spaces or copy-paste issues. Note that with a wrong secret the server cannot verify the request's Message-Authenticator and usually discards it silently, so a secret mismatch often shows up as a timeout rather than a reject
- User not found: Verify the username exists in IronWiFi and is assigned to the correct network. Check case sensitivity
- Certificate issues (EAP-TLS): Ensure the client certificate is signed by the CA configured in IronWiFi. Check certificate expiration dates
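To tell the timeout and reject cases above apart from a host on the AP subnet, before or independently of the AP configuration in Step 1, here is a probe added as an example; it is not IronWiFi's or Aruba's code. It builds an Access-Request the way a NAS does (RFC 2865 PAP password hiding plus an RFC 2869 Message-Authenticator), verifies the Response Authenticator of whatever comes back, and classifies the outcome. It assumes a test account permitted to authenticate with PAP; the server address, secret, account and NAS IP passed to probe() are placeholders you supply.

```python
"""RADIUS probe: builds an Access-Request the way a NAS does, sends it, and
classifies the outcome. Standard library only (RFC 2865 / RFC 2869)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32
MESSAGE_AUTHENTICATOR = 80

def attr(attr_type, value):
    """Attribute TLV: type, total length, value (value limited to 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: NUL-pad to 16 bytes, XOR block i with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server does it; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, nas_ip, nas_id=b"aruba-vc"):
    """Access-Request with PAP credentials, NAS identity and a Message-Authenticator.
    nas_ip is informational; the server matches the packet's source address against its NAS list."""
    authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, nas_id)
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    # RFC 2869 s5.14: HMAC-MD5 over the whole packet with the MA value zeroed
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, authenticator

def message_authenticator_ok(packet, secret):
    """Server-side check; when it fails most servers drop the request silently."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += length
    return False

def response_authenticator(reply, request_authenticator, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()

def make_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server-side reply construction, used here to exercise verify_reply offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = response_authenticator(header + b"\x00" * 16 + attrs, request_authenticator, secret)
    return header + auth + attrs

def verify_reply(reply, ident, request_authenticator, secret):
    """Trust a reply only if the ID matches and its authenticator verifies under our secret."""
    if len(reply) < 20:
        return False
    _, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = response_authenticator(reply, request_authenticator, secret)
    return hmac.compare_digest(reply[4:20], expected)

def probe(server, secret, username, password, nas_ip, port=1812, timeout=5.0):
    """Return 'timeout', 'bad-authenticator', 'accept', 'reject' or 'other'."""
    ident = os.urandom(1)[0]
    packet, authenticator = build_access_request(ident, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            # Blocked UDP/1812, wrong server IP, an unregistered NAS source address, or a
            # wrong secret (the server cannot verify the Message-Authenticator and discards it).
            return "timeout"
    if not verify_reply(reply, ident, authenticator, secret):
        return "bad-authenticator"   # reply arrived but was not built with our secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
```

Run probe("<IronWiFi server IP>", b"<shared secret>", "<test user>", "<password>", "<registered NAS IP>") from a host whose source address is registered as a NAS. "timeout" points at connectivity, NAS registration or the shared secret; "reject" means the server verified the request and refused the credentials; "accept" confirms the path end to end. An 802.1X client carries EAP inside the same UDP exchange, so the connectivity and shared-secret findings apply to the APs unchanged.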
VLAN/Role Not Applied
- Role does not exist: The Aruba-User-Role value returned by RADIUS must match a role name defined on the Aruba AP exactly (case-sensitive)
- VLAN not configured: Ensure the VLAN ID returned by RADIUS exists on the Aruba AP and on the upstream switch trunk ports
- Missing RADIUS attributes: Verify all three tunnel attributes are configured for VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID)
Checking Logs
- Aruba Instant: Navigate to Monitoring > Clients for connection status. Use the CLI command `show auth-tracebuf` for detailed authentication traces
- Aruba Central: Check Alerts & Events for authentication failures. Use the Client Details view for per-client troubleshooting
- IronWiFi: Review the Authentication Log in the console for complete RADIUS transaction details, including accept/reject reasons and returned attributes
Frequently Asked Questions
Yes. Aruba Instant APs fully support external RADIUS servers for 802.1X authentication. When creating an employee network SSID, select Enterprise security and enter the Cloud RADIUS server IP, port (1812), and shared secret. Aruba Instant also supports RadSec (RADIUS over TLS) for encrypted RADIUS communication.
Dynamic RADIUS Proxy routes all authentication requests through the Aruba Instant virtual controller rather than sending them from each individual AP's IP address. This simplifies RADIUS server configuration because you only need to register one NAS IP (the virtual controller IP) instead of every AP's IP. Enable it under System settings in the Aruba Instant web interface.
To set up EAP-TLS certificate authentication with Aruba, configure the SSID with Enterprise security and select EAP-TLS as the authentication method. On the RADIUS server side, configure IronWiFi with your CA certificate and enable certificate-based authentication. Client devices need a trusted client certificate installed, which can be deployed via MDM, SCEP, or the IronWiFi Enrollment Portal.
Yes. Aruba Central supports external RADIUS servers for all managed APs. In the Aruba Central dashboard, create a new SSID with Enterprise security, then configure the RADIUS server details (IP, port, shared secret). The configuration is pushed to all APs in the selected group. Ensure UDP ports 1812 and 1813 are accessible from your AP network.
RADIUS timeout errors on Aruba typically indicate a network connectivity issue between the AP and the RADIUS server. Common causes: firewall blocking UDP 1812/1813, incorrect RADIUS server IP, the AP's source IP not registered in the RADIUS server's NAS list, or Dynamic RADIUS Proxy disabled causing requests to come from individual AP IPs instead of the virtual controller IP.
