To set up RADIUS for Aruba, add a RADIUS authentication server in Aruba Instant or Aruba Central with the server IP, assigned port, and shared secret from your IronWiFi Console. Then configure a WPA-Enterprise WLAN profile that references this server. Aruba access points will use 802.1X to authenticate each user against the RADIUS server before granting network access.
Aruba Networks (now HPE Aruba Networking) is a leading enterprise wireless platform known for its robust security features, granular policy enforcement, and scalable cloud management. Aruba access points are widely deployed in enterprise, education, healthcare, and government environments where security is paramount.
This guide covers the complete process of integrating Aruba access points with IronWiFi's Cloud RADIUS server for WPA-Enterprise authentication. We cover both Aruba Instant (standalone/virtual controller) and Aruba Central (cloud-managed) deployment models.
Why Use RADIUS with Aruba Networks?
Aruba's enterprise-grade access points are built for environments that demand strong authentication. While Aruba supports PSK-based networks, the platform's real strength shines with RADIUS-based 802.1X authentication:
- Per-user identity and accountability: Every connection is tied to a specific user or device, enabling detailed audit trails and compliance reporting
- Dynamic role assignment: Aruba's role-based access framework maps RADIUS attributes to firewall policies, bandwidth limits, and VLAN assignments
- Certificate-based security: EAP-TLS eliminates credential theft risks by authenticating with client certificates instead of passwords
- RadSec support: Aruba Instant supports RADIUS over TLS (RadSec), encrypting the entire RADIUS exchange for environments where UDP-based RADIUS is not permitted
- Seamless directory integration: Cloud RADIUS connects to Microsoft Entra ID, Google Workspace, Okta, and LDAP directories for centralized user management
Aruba Deployment Models
Aruba offers several management architectures. This guide covers the two most common:
- Aruba Instant (IAP): Standalone APs with a virtual controller. One AP is elected as the virtual controller and manages the cluster. Configuration is done via the local web interface or CLI
- Aruba Central: Cloud-managed APs where configuration is pushed from the HPE Aruba Central dashboard. Ideal for multi-site deployments managed from a single pane of glass
Prerequisites
Before starting, ensure you have:
- Aruba access points - Aruba Instant (AP-505, AP-515, AP-535, AP-635, or any Instant-capable model) or Aruba Central-managed APs
- Firmware version: ArubaOS Instant 8.x or later (for Instant mode) or ArubaOS 10.x (for Central-managed APs)
- IronWiFi account - Talk to Sales
Step 4: Certificate-Based Authentication (EAP-TLS)
For the highest level of security, replace password-based authentication with client certificates. EAP-TLS provides mutual authentication - both the client and the server prove their identity using certificates, eliminating credential theft and phishing risks.
Server-Side Setup (IronWiFi)
- Navigate to Networks in the IronWiFi console and select your Aruba network
- Enable certificate-based authentication under Authentication Settings
- Upload or generate a CA certificate using IronWiFi's Cloud PKI. This CA will sign client certificates
- Configure certificate validation rules: Require specific certificate fields (CN, SAN), enforce expiration checks, and optionally check certificate revocation lists (CRL)
Client Certificate Deployment
Client devices need a trusted certificate installed before they can authenticate. There are several deployment methods:
- MDM deployment: Push certificates via Intune, Jamf, or Workspace ONE through a SCEP profile
- IronWiFi Enrollment Portal: Users self-enroll through a web portal that generates and installs the certificate automatically. See the Enrollment Portal documentation
- Manual installation: Export the client certificate (PKCS#12 format) and install it on the device. Appropriate for small deployments or testing
Why EAP-TLS with Aruba?
- No passwords to steal: Certificates cannot be phished or brute-forced
- Automated rotation: SCEP and Cloud PKI handle certificate lifecycle automatically
- Aruba role mapping: Certificate attributes (OU, CN) can drive Aruba role assignment for granular access control
- Compliance friendly: Meets requirements for PCI-DSS, HIPAA, and SOC 2 network access controls
Step 5: Server Certificate Validation
Proper server certificate validation prevents man-in-the-middle attacks where a rogue access point impersonates your network. Client devices should verify the RADIUS server's identity before sending credentials.
How It Works
During the EAP handshake, the RADIUS server presents its server certificate to the client. The client checks that the certificate is signed by a trusted CA and that the server name matches the expected value. If validation fails, the client rejects the connection.
Configuration by Platform
- Windows: Configure the trusted root CA and expected server name in the Wi-Fi profile's PEAP/EAP-TLS settings. Deploy via Group Policy for managed devices
- macOS/iOS: Deploy a Wi-Fi configuration profile via MDM that includes the trusted CA certificate and server name constraint
- Android: Set the CA certificate to the RADIUS server's root CA in the Wi-Fi connection settings. Android 11+ requires this for WPA-Enterprise connections
- ChromeOS: Configure the 802.1X network policy in Google Admin Console with the server CA certificate
Do Not Skip Server Certificate Validation
Setting the CA certificate to "Do not validate" on client devices is convenient for testing but creates a serious security vulnerability. An attacker with a rogue AP can impersonate your network, capture credentials, and gain unauthorized access. Always deploy proper server certificate validation in production.
Step 6: Role-Based Access Policies
Aruba's role framework is one of the platform's strongest features. RADIUS attributes returned during authentication can map users to specific roles, each with its own firewall policies, bandwidth limits, and VLAN assignments.
Configuring RADIUS-Based Roles
In IronWiFi, configure reply attributes that Aruba interprets for role assignment:
- Aruba-User-Role: Maps directly to a user role defined on the Aruba AP. Set this as a RADIUS reply attribute for each user group
- Tunnel-Private-Group-ID: Assigns the user to a specific VLAN (with Tunnel-Type=13 and Tunnel-Medium-Type=6)
- Filter-Id: An alternative method to assign roles or ACLs based on user identity
Example Role Configuration
| User Group | Aruba Role | VLAN | Policy |
|---|---|---|---|
| IT Administrators | admin-role | 10 | Full access, all subnets |
| Corporate Staff | employee-role | 20 | Internal resources + internet |
| Contractors | contractor-role | 30 | Limited internal + internet |
| BYOD Devices | byod-role | 40 | Internet only, bandwidth limited |
| IoT Devices | iot-role | 50 | Specific endpoints only, isolated |
Creating Roles on Aruba Instant
- Navigate to Configuration > Roles on the Aruba Instant web interface
- Click the "+" to create a new role (e.g., "employee-role")
- Define Access Rules for the role - these are firewall policies that control what the user can access
- Set bandwidth limits if needed (upstream/downstream in Kbps)
- Configure the VLAN assignment for the role
- In IronWiFi, set the Aruba-User-Role reply attribute to match the role name exactly
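The reply attributes listed above, and the "VLAN/Role Not Applied" checks in the troubleshooting section, worked through as an added example. This is not IronWiFi's or Aruba's own code: it encodes an Access-Accept attribute list for a role/VLAN pair exactly as the attribute formats require (RFC 2865 attributes and RFC 2868 tagged tunnel attributes), then parses it back and reports which of the guide's failure modes it would trigger against a constructed picture of the AP's configured roles and VLANs. Aruba's vendor ID (14823) and the Aruba-User-Role sub-attribute number (1) come from Aruba's RADIUS dictionary rather than from this guide; the policy table and the AP role/VLAN sets are constructed sample data.

```python
"""Encode and sanity-check the RADIUS reply attributes Aruba uses for role and
VLAN assignment (Aruba-User-Role plus the RFC 2868 tunnel attributes)."""
import struct

# Standard attribute numbers (RFC 2865, RFC 2868)
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value meaning "IEEE-802"

# Aruba vendor-specific attribute (from Aruba's RADIUS dictionary, not this guide)
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1          # sub-attribute number of Aruba-User-Role

# Constructed policy mirroring the guide's table: group -> (Aruba role, VLAN)
POLICY = {
    "IT Administrators": ("admin-role", 10),
    "Corporate Staff": ("employee-role", 20),
    "Contractors": ("contractor-role", 30),
    "BYOD Devices": ("byod-role", 40),
    "IoT Devices": ("iot-role", 50),
}
# Constructed view of what the AP has under Configuration > Roles and its VLANs
AP_ROLES = {"admin-role", "employee-role", "contractor-role", "byod-role", "iot-role"}
AP_VLANS = {10, 20, 30, 40, 50}


def attr(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte) | Length (1 byte, incl. header) | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([code, len(value) + 2]) + value


def tagged_int(code: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer tunnel attribute: 1 tag byte followed by a 24-bit value."""
    return attr(code, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(code: int, value: str, tag: int = 0) -> bytes:
    """Tagged string tunnel attribute: 1 tag byte followed by the string."""
    return attr(code, bytes([tag]) + value.encode("ascii"))


def aruba_user_role(role: str) -> bytes:
    """Vendor-Specific attribute wrapping Aruba-User-Role: vendor ID, then sub-TLV."""
    sub = bytes([ARUBA_USER_ROLE, len(role) + 2]) + role.encode("ascii")
    return attr(VENDOR_SPECIFIC, struct.pack(">I", ARUBA_VENDOR_ID) + sub)


def reply_attributes(role: str, vlan: int) -> bytes:
    """Attribute list an Access-Accept should carry for this role/VLAN pair."""
    return (aruba_user_role(role)
            + tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def parse_attributes(data: bytes) -> list:
    """Split a raw attribute list back into (type, value) pairs."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute list")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def untag(value: bytes) -> bytes:
    """Strip the leading tag byte of a tunnel attribute (valid tags are 0x00..0x1F)."""
    return value[1:] if value and value[0] <= 0x1F else value


def check_reply(data: bytes, ap_roles=AP_ROLES, ap_vlans=AP_VLANS) -> list:
    """Return short codes for the 'VLAN/Role Not Applied' problems this reply hits."""
    problems = []
    attrs = parse_attributes(data)
    role = None
    for code, value in attrs:
        if (code == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack(">I", value[:4])[0] == ARUBA_VENDOR_ID
                and value[4] == ARUBA_USER_ROLE):
            role = value[6:value[5] + 4].decode("ascii", "replace")
    if role is None:
        problems.append("role-missing")
    elif role not in ap_roles:  # exact, case-sensitive match required on the AP
        problems.append("role-unknown")

    tunnel = {code: untag(value) for code, value in attrs
              if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)}
    if tunnel:
        if len(tunnel) < 3:  # all three attributes are needed for VLAN assignment
            problems.append("tunnel-incomplete")
        else:
            if int.from_bytes(tunnel[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
                problems.append("tunnel-type-not-vlan")
            if int.from_bytes(tunnel[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
                problems.append("tunnel-medium-not-802")
            vlan = tunnel[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if not vlan.isdigit() or int(vlan) not in ap_vlans:
                problems.append("vlan-unknown")
    return problems


if __name__ == "__main__":
    for group, (role, vlan) in POLICY.items():
        raw = reply_attributes(role, vlan)
        print(f"{group:18} {raw.hex()}  problems={check_reply(raw)}")
```

Running the block prints the encoded attribute list for each group in the table with an empty problem list; feeding `check_reply` a reply that names "Employee-Role" instead of "employee-role", or one that carries Tunnel-Private-Group-ID without the other two tunnel attributes, reproduces the "role does not exist" and "missing RADIUS attributes" cases from the troubleshooting section before the reply ever reaches an AP.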
Testing and Troubleshooting
Testing the Connection
- Connect a test device to the enterprise SSID
- Enter credentials (PEAP) or ensure the client certificate is installed (EAP-TLS)
- Accept the server certificate on first connection (or pre-deploy via MDM)
- Verify the connection: Check the assigned IP address matches the expected VLAN subnet
- Confirm the role: On the Aruba Instant web interface, go to Monitoring > Clients and verify the user's assigned role
Common Issues and Solutions
Authentication Timeout
- Firewall blocking RADIUS: Verify the assigned RADIUS UDP ports are open from the AP network to the RADIUS server. If using RadSec, ensure TCP 2083 is open
- Wrong NAS IP: If Dynamic RADIUS Proxy is disabled, each AP sends requests from its own IP. Either enable Dynamic RADIUS Proxy or register all AP IPs in IronWiFi
- Server timeout too low: For Cloud RADIUS over high-latency links, increase the Aruba server timeout from 5 to 10 seconds
Authentication Rejected
- Shared secret mismatch: The shared secret must be identical on both the Aruba AP and IronWiFi. Check for trailing spaces or copy-paste issues
- User not found: Verify the username exists in IronWiFi and is assigned to the correct network. Check case sensitivity
- Certificate issues (EAP-TLS): Ensure the client certificate is signed by the CA configured in IronWiFi. Check certificate expiration dates
VLAN/Role Not Applied
- Role does not exist: The Aruba-User-Role value returned by RADIUS must match a role name defined on the Aruba AP exactly (case-sensitive)
- VLAN not configured: Ensure the VLAN ID returned by RADIUS exists on the Aruba AP and on the upstream switch trunk ports
- Missing RADIUS attributes: Verify all three tunnel attributes are configured for VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID)
Checking Logs
- Aruba Instant: Navigate to Monitoring > Clients for connection status. Use the CLI command show auth-tracebuf for detailed authentication traces
- Aruba Central: Check Alerts & Events for authentication failures. Use the Client Details view for per-client troubleshooting
- IronWiFi: Review the Authentication Log in the console for complete RADIUS transaction details, including accept/reject reasons and returned attributes
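A small reachability and shared-secret probe for the "Authentication Timeout" and "Shared secret mismatch" cases above, added here as an example; it is not an IronWiFi or Aruba tool. It builds a plain PAP Access-Request the way a NAS would (RFC 2865 header and User-Password hiding, plus the RFC 2869 Message-Authenticator), sends it over UDP from the AP network, and verifies the Response Authenticator and Message-Authenticator of whatever comes back, so a reply that does not verify under your secret is reported as a secret problem rather than mistaken for a healthy reject. It uses PAP because a full EAP exchange is far longer; the server address, port, secret, credentials and NAS IP are all placeholders you supply, and a server-side `build_response` is included only so the checks can be exercised offline.

```python
"""radtest-style PAP Access-Request probe for RADIUS reachability and shared-secret checks."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
HEADER = struct.Struct(">BBH")  # Code, Identifier, Length


def attr(code: int, value: bytes) -> bytes:
    """One attribute: Type | Length (incl. header) | Value."""
    return bytes([code, len(value) + 2]) + value


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def message_authenticator_ok(head, auth, attrs, secret, required=False) -> bool:
    """RFC 2869 s5.14: HMAC-MD5(secret) over head + Request Authenticator + attributes
    with the Message-Authenticator value itself zeroed. Absent is OK unless required."""
    pos = 0
    while pos + 2 <= len(attrs):
        code, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            return False
        if code == MESSAGE_AUTHENTICATOR:
            if length != 18:
                return False
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = hmac.new(secret, head + auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, attrs[pos + 2:pos + 18])
        pos += length
    return pos == len(attrs) and not required


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator); Message-Authenticator is the last attribute."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    head = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs))
    mac = hmac.new(secret, head + ra + attrs, hashlib.md5).digest()
    return head + ra + attrs[:-16] + mac, ra


def build_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side (for offline checks): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    ident, ra = request[1], request[4:20]
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    head = HEADER.pack(code, ident, 20 + len(attrs))
    mac = hmac.new(secret, head + ra + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    return head + hashlib.md5(head + ra + attrs + secret).digest() + attrs


def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """What a server checks on an Access-Request; Message-Authenticator is required."""
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return False
    return message_authenticator_ok(packet[:4], packet[4:20], packet[20:], secret, True)


def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Both checks fail when AP and server hold different shared secrets."""
    if len(response) < 20 or HEADER.unpack(response[:4])[2] != len(response):
        return False
    head, attrs = response[:4], response[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return (hmac.compare_digest(expected, response[4:20])
            and message_authenticator_ok(head, request_auth, attrs, secret))


def probe(server, port, secret, username, password, nas_ip, timeout=5.0) -> str:
    """Send one Access-Request and classify the outcome as seen from the AP side."""
    packet, ra = build_access_request(os.urandom(1)[0], username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            # blocked UDP port, wrong server IP, unregistered NAS IP, or a server that
            # silently drops requests whose Message-Authenticator fails (bad secret)
            return "timeout"
    if response[1] != packet[1] or not response_is_authentic(response, ra, secret):
        return "bad-secret"  # reply did not verify under the secret we hold
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")


if __name__ == "__main__":  # usage: SERVER PORT SECRET USER PASSWORD NAS_IP
    import sys
    s, p, sec, u, pw, nas = sys.argv[1:7]
    print(probe(s, int(p), sec.encode(), u, pw, nas))
```

Run it from a host on the same network segment as the APs, with the NAS IP set to the address the server expects (the virtual controller IP when Dynamic RADIUS Proxy is on). A "timeout" with the port confirmed open usually means the NAS IP is not registered or the secret is wrong and the server is discarding the request; a "bad-secret" means a reply arrived but its authenticators do not verify, which is the trailing-space or copy-paste case the section describes.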
Frequently Asked Questions
Yes. Aruba Instant APs fully support external RADIUS servers for 802.1X authentication. When creating an employee network SSID, select Enterprise security and enter the Cloud RADIUS server IP, the assigned port from your IronWiFi Console, and shared secret. Aruba Instant also supports RadSec (RADIUS over TLS) for encrypted RADIUS communication.
Dynamic RADIUS Proxy routes all authentication requests through the Aruba Instant virtual controller rather than sending them from each individual AP's IP address. This simplifies RADIUS server configuration because you only need to register one NAS IP (the virtual controller IP) instead of every AP's IP. Enable it under System settings in the Aruba Instant web interface.
To set up EAP-TLS certificate authentication with Aruba, configure the SSID with Enterprise security and select EAP-TLS as the authentication method. On the RADIUS server side, configure IronWiFi with your CA certificate and enable certificate-based authentication. Client devices need a trusted client certificate installed, which can be deployed via MDM, SCEP, or the IronWiFi Enrollment Portal.
Yes. Aruba Central supports external RADIUS servers for all managed APs. In the Aruba Central dashboard, create a new SSID with Enterprise security, then configure the RADIUS server details (IP, port, shared secret). The configuration is pushed to all APs in the selected group. Ensure the assigned RADIUS UDP ports are accessible from your AP network.
RADIUS timeout errors on Aruba typically indicate a network connectivity issue between the AP and the RADIUS server. Common causes: firewall blocking the assigned RADIUS UDP ports, incorrect RADIUS server IP, the AP's source IP not registered in the RADIUS server's NAS list, or Dynamic RADIUS Proxy disabled causing requests to come from individual AP IPs instead of the virtual controller IP.
