Environment : This article applies to all Aruba Instant platforms and versions.
No, the certificate has to be uploaded on the virtual controller only.
Aruba Instant has a built-in FreeRadius server that can support:
• EAP-TTLS (MSCHAPv2)
• EAP-PEAP (MSCHAPv2)
However; note that EAP-PEAP and EAP-TTLS require a server certificate. Instant APs do not get shipped with a server certificate. Each time user uploads a new certificate file to Aruba Instant AP through the webUI, the master AP distributes that same certificate to all the member APs in the cluster. This allows a single certificate to be available for use on all the Instant APs in the cluster and ensures that 802.1x authentication still happens if the master AP (Virtual Controller) goes down.