Wireless Access

Regular Contributor I

Instant 802.1x Supplication

I am testing iAP 802.1x supplicant to authenticate the AP on an ethernet interface that has been secured with 802.1x. It is straightforward for PEAP: I enable PEAP in the System settings, then configure the User/Pass in the AP settings, and it works fine.


EAP-TLS is a little more difficult. I was hoping that I could use the built-in TPM engine to generate and use a built-in User Private Key during the authentication. On the 215/225 model I am testing with, the only option is to use a User Cert. I believe this means I will need to use an external CA to generate a certificate for each individual AP and upload each cert to each AP.


Anyone have any tips? The CLI does show support for TPM (ap1x tls tpm) but there is no option in the GUI, which leads me to believe it is either not supported on this model or it is not a functional option yet.


Running 6.5.4 release

Regular Contributor I

Re: Instant 802.1x Supplication

Think through this a little more... Generating a unique cert won't do any good. I need to generate or upload a Key. Not sure how to go about that.

Re: Instant 802.1x Supplication

TLS authentication with the TPM certificate, where you install the Aruba AP root CA into your ClearPass or other RADIUS server, is available in the controller version of ArubaOS 8.2. It might come to the Instant AP in the future given the message that is shown when you try to configure it via the CLI:

does not support tpm yet!

TLS with uploaded client certificates was implemented in earlier versions but seems to be unavailable on 6.5.4.


Your Aruba partner or Aruba SE can help you with requesting this feature or finding out if it is on the roadmap.

If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Regular Contributor I

Re: Instant 802.1x Supplication

Thanks Herman!


We are an Aruba Partner and just wanted to be sure I wasn't missing something.



Regular Contributor I

Re: Instant 802.1x Supplication

We have been doing a lot of Wired 802.1x deployments lately and this would be helpful in such deployments. 

New Contributor

Re: Instant 802.1x Supplication

I tested this today with an IAP-315 running Aruba Instant version today and it still does not allow ap1x to use the TPM certificate.  I am doing some extensive testing with wired 802.1x and ClearPass and was really hoping that this feature would work out of the box.  I would like to see if it would be added and possibly even ported back to 6.5.x since 8.3 removed hardware support for hardware such as the IAP-205. 

Guru Elite

Re: Instant 802.1x Supplication

This is available on controller platforms. Submit a feature request if you'd like to see it on Instant.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Instant 802.1x Supplication

I posted https://innovate.arubanetworks.com/ideas/WLAN-I-946 so please vote on it if you think this feature is worthwhile.
