Controller-less WLANs

802.1x supplicant support for IAP

by ‎05-20-2016 10:57 AM - edited ‎05-20-2016 10:57 AM
Requirement:

Aruba Instant Access Points should complete 802.1x authentication before it sends and receives any other traffic.



Solution:

Starting 4.2.3.0, IAP supports AP uplink dot1x.  When IAP boots up it’ll perform 802.1x authentication prior to initiating DHCP.



Configuration:

To enable 802.1X supplicant support, configure 802.1X authentication parameters on every IAP using the Instant UI.
 

UI Configuration


To use PEAP protocol based 802.1X authentication method, complete the following steps:

a. In the Access Points tab, click the IAP on which you want to set the variables for 802.1X authentication, and then click the edit link.
b. In the Edit Access Point window, click the Uplink tab.
c. Under PEAP user, enter user name, password, and retype the password for confirmation. The IAP user name and password are stored in IAP flash. The default inner authentication protocol         for PEAP is MSCHAPV2.

 

To upload server certificates to validate the authentication server credentials, complete the following steps:

a. Click Upload New Certificate.
b. Specify the URL from where you want to upload the certificates and select the type of certificate.
c. Click Upload certificate.

 

To configure 802.1X authentication on uplink ports of an IAP, complete the following steps:

a. Click System > Show advanced options > Uplink.
b. Click AP1X.
c. Select PEAP or TLS as an authentication type.
d. If you want to validate the server credentials using server certificate, select the Validate Server check
box. Ensure that the server certificates for validating server credentials are uploaded to IAP database.
e. Click OK.


After the above configuration, the AP needs to be rebooted for 802.1x to be in effect.

 



Verification

 


show ap1x config    --> To verify configuration

Instant# show ap1x config 
#generated by rcS.fatap
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
eapol_version=1
fast_reauth=1


show ap1x status   --> To check the current status

Instant# show ap1x status 
ap1x:tls with validating server 
ap1x auth result:succeed


show ap1x debug-logs   --> Logs during the AP bootup

Instant# show ap1x debug-logs
1970-01-01 00:00:32:apdot1x authentication type is peap
1970-01-01 00:00:32:trigger wpa_supplicant with configure file…

show ap1xcert    --> Displays current CA and Client certificate

Insant## show ap1xcert 
Current ap1x CA Certificate:
Version       :3
Serial Number :AB:C1:1E:06:77:69:20:4F
Issuer        :/C=CN/ST=Beijing/O=Aruba Networks/O=an HP company/OU=Aruba Instant/CN=Feng Ding
Subject       :/C=CN/ST=Beijing/O=Aruba Networks/O=an HP company/OU=Aruba Instant/CN=Feng Ding
Issued On     :Jan 26 08:48:16 2016 GMT
Expires On    :Jan 23 08:48:16 2026 GMT
Signed Using  :SHA1-RSA
RSA Key size  :2048 bits
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.