Security

It's 2018 and Aruba still only lets you enter one single IP address for a RADIUS or LDAP server. Why is my question.

 

This is bad because it is very limiting. Businesses and corporations need to ensure there is redundancy. Using round-robin DNS is a very old form of redundancy and used quite a lot when it comes to authentication. Can't use it in Aruba though. You can only enter one single IP address for an authentication server. 

Which product are you referring to? ArubaOS allows IP or FQDN.

Also keep in mind that some functions of RADIUS like Dynamic Authorization require configuration by IP.

We're on IAPs. It only allows us to configure an IP address. Won't even let you type in a hostname.

 

 

Please submit a feature request. Most environments use IP address regardless.

Most environments != all environments though. With a lot of people moving things like RADIUS/LDAP to the cloud, it's less and less using just a single IP address.

RADIUS Dynamic Authorization still requires an IP address. That is the main reason.

That doesn't explain LDAP though.

I would recommend you discuss with your Aruba account team.


A side question. Do you really want APs talking directly to your LDAP infrastructure? A RADIUS server is always recommended.

Why would Aruba offer it and then not recommend it haha. That's backwards.

We offer many things for flexibility. Doesn't mean it's a best practice.

I've not really seen a reason why RADIUS is "best practice" over using LDAP. What is wrong with using LDAP for WPA2-Enterprise? 

Allowing edge network infrastructure to access user credentials is never a good thing. To be clear, LDAP is still used with a RADIUS server.

So it's recommended to use an unencrypted protocol still in 2018?

The EAP method you choose dictates that. The best practice recommendation is EAP-TLS with a RADIUS server. This is industry standard.