AAA, NAC, Guest Access & BYOD

How to enable Dot1x authentication on Aruba controller for CPPM

by on ‎08-05-2014 02:48 PM - edited on ‎09-22-2014 08:40 AM by

This Article explains about-

   i) adding the Aruba controller as NAD device.
   ii) Integrating Aruba Controller with CPPM to perform Dot1x authentication.
   iii) Configuring service on CPPM to handle this request.

 

Environment : This Article is written  for CPPM 6.2.0 and greater.

 

Below are the detailed steps.

1: Adding Aruba Controller as NAD device on CPPM.

Navigate to Configuration > Network > Devices

 

Click Add Device

 

Add the device as shown below.

rtaImage.png

Make sure that we configure the same Radius Shared secret on the controller as well.
 

2: Integrate Aruba Controller  with CPPM to perform Dot1x.


 -> Add a server group on the Controller

Navigate to  Security > Authentication > Servers

Add a new Radius Server.

rtaImage (1).png

 

Enter the IP of the CPPM or a generic name to identify the CPPM server and hit " Add"

After adding, the CPPM server will show in the list.

Click on the entry and modify the below.

 

rtaImage (2).png

 

Make sure that the Host field has the IP/host name of the CPPM and the Key is same as radius secret key in step 1.

-> Map this server to a server group.

Create a new Server group and add the entry of CPPM to it.

 

rtaImage (3).png

 

once we hit "Add Server", the CPPM will be mapped to this group.

-> Create a new AAA profile.

Navigate to
 Security > Authentication > Profiles

and add a new AAA profile and click on the name.

 

rtaImage (4).png

 

 

We can have the Initial and authenticated roles bases on our requirements.

Map this AAA profile to

     i) The radius server group which we have added earlier
     ii) Authentication profile for Dot1x, we can create  new one by using the drop down menu.

 

rtaImage (5).png

 

Hit on New and create a new auth profile.

 

rtaImage (6).png

We can customize these options based on our requirements.
 
-> Create a Dot1X SSID profile.

Navigate to  Configuration > AP Group > Edit "You_AP_Group"

and add a new Virtual AP profile.

 

rtaImage (7).png

Make sure that the Vlan is mapped properly.

Map this VAP to the AAA profile which we added and to the SSID profile.

We can create a new SSID profile as below.

 

rtaImage (8).png

 

Give a name to the SSID profile and SSID name and map this to the VAP profile.

Save the  Configuration.

3: Create Dot1x service on the CPPM.

Browse to  
Configuration » Services

and click on "Add New Service".

Use the default Aruba 802.1X Wireless service default template.

 

rtaImage (9).png

 

 

Make sure that the SSID name is correctly mapped in the last Rule. The name is case sensitive.

Click next and add the below details.

 

rtaImage (10).png

 

We can have multiple authentication sources based on our requirements. Click Next.

Configuring Roles is not necessary in this default setup and we can leave it blank.

 

rtaImage (11).png

 

We can have the "Allow All Access Policy" on the Enforcement tab. However we can customize it bases on our requirements.

 

rtaImage (12).png

 

Hit Save and exit. Connect a client and verify.

We would see the Accept messages in the access tracker.

 

rtaImage (13).png

 

 

 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.