Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Pre-shared key Vs dot1x

  • 1.  Pre-shared key Vs dot1x

    Posted Apr 14, 2020 06:28 PM

    What is the main difference between deploying the pre-shared key method and the dot1x method on an Aruba controller?

  • 2.  RE: Pre-shared key Vs dot1x

    Posted Apr 14, 2020 06:49 PM

    WPA2-Enterprise is far more secure than PSK but requires a RADIUS authentication server.

    RADIUS requests are always handled by the controller (or a virtual Instant controller); this is true for any forwarding mode.

    In bridge mode (when the controller is down), RADIUS requests cannot reach the controller and will not work. Therefore clients cannot authenticate with dot1x when the controller is down.


    Some Reference:



    You have three options to create redundancy:

    1. Do nothing, stay with one controller, accept the low risk a controller fails. Never expose myself


    If you need redundancy in a critical environment that depends on Wi-Fi:

    2. Place a second controller


    If you have Instant (IAP-xxx) access points:

    3. Change to an Instant virtual cluster; don't use a physical controller.

    It all depends on starting with a design and requirements; it is a pleasure to assist you with your questions.

    What can you tell us:

    - What controller do you have? What ArubaOS version?

    - How many and what model of APs?

    - How many clients?

    - What type of clients / application needs?

    - SSIDs and authentication methods.

    - Remote locations (need for VPN?)





  • 3.  RE: Pre-shared key Vs dot1x

    Posted Apr 14, 2020 07:14 PM

    1- 7204 controller with the latest version, only one controller in standalone mode

    2- 303 APs, 30 APs

    3- approximately 100 clients

    4- N/A, I need to create an SSID for guest clients with captive portal

    5- authentication method WPA2 Personal (is this what is meant by pre-shared key?)

    6- Campus APs

    Important note: there's no RADIUS server. The main problem is keeping access points up when the controller is down. What mode should I use with campus, and what authentication method?

  • 4.  RE: Pre-shared key Vs dot1x

    Posted Apr 15, 2020 04:17 AM

    Hi Ahmed,


    The good news is that your AP-303s are "Unified" access points (a similar/new name for Instant APs) that can run in a virtual Instant cluster.

    Your controller, a 7205, is oversized for your environment and can handle 256 APs, whereas you need to support 30 APs in your environment; a 7030 would have fit better and supports 64 APs. May I ask why you chose a 7205 controller?

    As mentioned before, captive portal doesn't work in bridge mode. And the captive portal runs on the WLAN controller in a controller-based solution; clients can't authenticate when the controller is down. Even if you had a dedicated RADIUS server, captive portal and 802.1X are handled by the controller.

    Forget about the bridge forwarding mode; it will not fit your solution.

    If you want redundancy on a controller-based solution, add a second controller; a 7030 will fit your solution in a master-local set. BUT!!!! When you run ArubaOS 8 and would like to have active-active clustering, both controllers must be the same, and then you need a 7205 controller. Cluster mode is what we recommend because your users, APs and controllers are highly redundant with hitless failover. Also, your configuration is much clearer.

    If a second controller is too expensive for you, you can go for the Instant virtual controller option. It has almost the same feature set as a controller-based solution, like ClientMatch, Adaptive Radio Management, roaming, captive portal, IDS/IPS firewalling, and so on.


    YES, with PSK (pre-shared key) we mean WPA2-Personal or WPA3-Personal.

    Based on 30 APs and 100 users, the virtual controller solution will fit your case perfectly.

    On an Instant cluster you can run a simple captive portal.

    Some Instant virtual controller notes:

    • All 30 access points must be managed in the same layer 2 domain (VLAN network) for management.
    • All 30 access points must be configured on the switch interfaces with the management, corporate and guest VLANs.
    • WPA encryption is decrypted at the access point itself, instead of the controller.
    • 802.11 Wi-Fi frames are translated to 802.3 Ethernet frames at the access point itself, instead of the controller.
    • Because an Instant cluster runs in the same VLAN, plan for one Instant cluster per site (if you have more than one location).

    One good reason to choose a controller-based solution is where you need a controller for VPN termination for IAP-VPN or RAPs or in some cases VIA clients.

    One more thing: an Instant virtual cluster can be managed from the AP, the Aruba AirWave management solution (licensed) or the Aruba Central cloud solution (subscribed). In AirWave or Central you can manage separate Aruba Instant clusters together.


    Hope this helps you make your decisions and better understand the solution choices.

    If you need more help, just ask! But also consider contacting your local Aruba partner.