This feature lets Aruba APs authenticate against a RADIUS server before they come up on the controller. For many organizations this is a security requirement.
Both CAPs (Campus Access Points) and RAPs (Remote Access Points) can be provisioned for 802.1x authentication.
Product and Software: This article applies to ArubaOS 6.2.
- Aruba only supports PEAP, so a username and password are required.
- These parameters are sent to the AP in a secure manner and stored in flash as part of the environment variables.
- When a dot1x AP boots from flash, it starts SAPD, which initiates the wpa-supplicant process.
- Typically the AP’s point of attachment (the switchport where the AP is connected, acting as the authenticator) initiates authentication. The full 802.1x exchange then takes place: the AP provides its username and password, which are checked against the RADIUS server.
- Once authentication is successful, the RADIUS server sends a control message to the authenticator (switch port), which makes the port authorized (from uncontrolled to controlled port) for the AP’s MAC address, and communication can commence.
- The AP gets an IP address from a DHCP server or by static assignment. It then communicates with the master controller and comes up on it.
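Because the switch port is authorized for the AP's MAC address on the strength of a username and password, it is worth auditing that the AP account only ever authenticates from known AP MACs. The following is an added example, not part of the original article or of ArubaOS: the key=value log format, the MAC inventory and the function names are assumptions, and `graman` is the username from this article's CLI example.

```python
import re

# Constructed sample RADIUS authentication log lines. The key=value layout is
# an assumption; adapt FIELD to your RADIUS server's real log format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 result=Access-Accept user=graman calling-station-id=02-00-00-AA-BB-01 nas=sw1 port=Gi1/0/10
2024-05-01T08:00:07 result=Access-Accept user=graman calling-station-id=02-00-00-AA-BB-02 nas=sw1 port=Gi1/0/11
2024-05-01T09:13:44 result=Access-Accept user=graman calling-station-id=02-00-00-11-22-33 nas=sw2 port=Gi1/0/4
2024-05-01T09:15:02 result=Access-Reject user=graman calling-station-id=02-00-00-11-22-34 nas=sw2 port=Gi1/0/5
2024-05-01T09:20:00 result=Access-Accept user=alice calling-station-id=02-00-00-00-00-01 nas=sw2 port=Gi1/0/6
"""

# Constructed inventory of the wired MAC addresses of deployed APs.
AP_INVENTORY = {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}

FIELD = re.compile(r"(\S+)=(\S+)")

def norm_mac(mac):
    """Normalise a MAC address to lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_ap_logins(log_text, ap_username, inventory):
    """Return (timestamp, mac, nas, port, result) for every use of the AP
    account from a MAC that is not a known AP, whether accepted or rejected."""
    known = {norm_mac(m) for m in inventory}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = dict(FIELD.findall(rest))
        if rec.get("user") != ap_username:
            continue
        try:
            mac = norm_mac(rec.get("calling-station-id", ""))
        except ValueError:
            mac = "unknown"  # a missing or malformed MAC is itself worth review
        if mac not in known:
            findings.append((ts, mac, rec.get("nas"), rec.get("port"), rec.get("result")))
    return findings

if __name__ == "__main__":
    for finding in audit_ap_logins(SAMPLE_LOG, "graman", AP_INVENTORY):
        print(*finding)
```
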
Provisioning From CLI
# configure terminal
# apdot1x-username graman
# apdot1x-passwd password
# reprovision ap-name <apname>
Provisioning From WebUI
When the AP comes up on the controller, you will see it with flag “1” in the flags column.