How to Enable Dot1x authentication for wireless users on IAP

By arunhasan1 posted Aug 05, 2014 06:06 PM


This article explains:

   i) Adding the Aruba IAP as a NAD device.
   ii) Integrating the Aruba Controller with CPPM to perform Dot1x authentication.
   iii) Configuring a service on CPPM to handle this request.


Environment: This article is written for CPPM 6.2.0 and greater.


Below are the detailed steps.

1: Adding the Aruba Controller as a NAD device on CPPM.

Navigate to Configuration > Network > Devices


Click Add Device


Add the device as shown below.



Select Aruba as the Vendor Name and enable CoA.

Make sure the same RADIUS shared secret is configured on the VC as well.

2: Integrate the Aruba IAP with CPPM to perform Dot1x.

Click on "System" and fill in the details below.

Give an IP to the Virtual Controller and enable Dynamic RADIUS Proxy. This will forward all RADIUS packets (from any IAP in the cluster) to CPPM with the VC's IP.

Click on "Authentication" and add a new RADIUS server.

Navigate to the Security - Role page and add two new roles.

Employee: allowed access to all destinations.
Contractor: limited access.
These roles can be customized based on the user's requirements.

Sample Contractor Role.

Create a new SSID.

Click on "New" and give a name to the SSID.


On the next page, select the Client IP assignment.

It can be either VC assigned or Network assigned, based on our requirements.

On the next page:

Select the security as "Enterprise".
Key Management as "WPA-2-Enterprise".
Authentication server as "CPPM".
Authentication Survivability: enable this. When enabled, it caches the MAC of the client and authenticates it for 24 hours if the CPPM server is offline.

On the next page,

We can leave the Access control as "unrestricted" as we will push the role from CPPM.


This completes the configuration on the IAP.

3: Configuration of CPPM

Navigate to "Configuration » Identity » Local Users" and create two users.

For the Employee user, assign the Employee role, and for the Contractor user, assign the Contractor role.

These users would be used for authentication.

Now we will add enforcement profiles for Employee and Contractor.

Navigate to "Configuration » Enforcement » Profiles » Add Enforcement Profile".

The Aruba-User-Role must be exactly the same as the role which we added on the IAP.

Similarly, add a Contractor enforcement policy.

Now we will add an Enforcement Policy to apply the logic.

Navigate to "Configuration » Enforcement » Policies" and add a new policy.


Make sure that the Default Role is set to "Deny Access Profile" and the Enforcement type is "Radius".

This rule is set as: "If Tips Role = Contractor, CPPM will return the Contractor role to the IAP."

Similarly, set the rule for Employee.

Save this policy and exit.

Now we will add a service to handle this request.

Navigate to "Configuration » Start Here" and use the default "Aruba 802dot1x wireless template".

Edit the last rule and enter the exact name of the SSID.

Leave the authentication methods as default and add the Local User repository as the authentication source.

Note: We can also use AD to authenticate the users, but CPPM must be joined to the Domain.

Leave the Roles tab blank because we are not using AD for authentication.

On the Enforcement tab, map the correct enforcement profile.

Click on Save and this completes the CPPM configuration as well.
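Two settings in this procedure must match exactly between the VC and CPPM: the RADIUS shared secret and the role name returned in Aruba-User-Role. The following Python check is an added example, not part of the original article: it validates an Access-Accept (for instance, one taken from a packet capture) against both. The function names, sample secret and sample packets are constructed for illustration; the Aruba vendor ID 14823 and sub-attribute type 1 are taken from the public Aruba RADIUS dictionary, not from this article.

```python
import hashlib
import struct

ARUBA_VENDOR_ID = 14823   # Aruba enterprise number (public RADIUS dictionary)
ARUBA_USER_ROLE = 1       # Aruba-User-Role sub-attribute type
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26


def build_accept(ident, request_auth, secret, role):
    """Build a constructed Access-Accept carrying Aruba-User-Role (sample data)."""
    vsa = struct.pack("!IBB", ARUBA_VENDOR_ID, ARUBA_USER_ROLE, 2 + len(role)) + role
    attrs = struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def check_accept(packet, request_auth, secret, iap_roles):
    """Return (ok, detail) for one Access-Accept sent by CPPM to the VC."""
    length = len(packet)
    if length < 20 or packet[0] != ACCESS_ACCEPT or packet[2:4] != struct.pack("!H", length):
        return False, "not a well-formed Access-Accept"
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return False, "authenticator mismatch: shared secret differs"
    pos, role = 20, None
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False, "malformed attribute"
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE:
                role = value[6:4 + vlen].decode("utf-8", "replace")
        pos += alen
    if role is None:
        return False, "no Aruba-User-Role in reply"
    if role in iap_roles:
        return True, role
    if role.lower() in {r.lower() for r in iap_roles}:
        return False, f"role {role!r} differs from an IAP role only in case"
    return False, f"role {role!r} is not defined on the IAP"


if __name__ == "__main__":
    ra, secret = bytes(range(16)), b"constructed-secret"  # constructed values
    print(check_accept(build_accept(1, ra, secret, b"contractor"), ra, secret, {"Employee", "Contractor"}))
```

The Request Authenticator passed in is the 16-byte value from the matching Access-Request, which pairs with the reply by its Identifier field.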


1 comment


Dec 04, 2019 12:45 PM


Was an extremely helpful article - since I am a beginner with CPPM