Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

force wifi with client certificate

  • 1.  force wifi with client certificate

    Posted Apr 30, 2014 08:02 PM

    Hi I am a beginner to Aruba WLC and Radius and need some help.

    I am trying Aruba exam and got 2nd hand 3200 controller, playing around with 3200/freeradius to understand how things work.

    So far, I configured freeradius and WLC for PEAP with own created server cert. Now I would like to configure "EAP-TLS" only Wifi which requires client certificate on Wifi device side. I checked EAP-TLS check box in L2 authenticate tab in security->authentication, but wifi devices are still able to connect without client cert. I would like to make this config as only the users with client cert can connect to wifi AP. Can anyone give me first 1 or 2 points I should check? Is this setting needs to be done on WLC side or radius server side (or both)?




  • 2.  RE: force wifi with client certificate
    Best Answer

    Posted May 01, 2014 01:12 AM


    Good morning.

     Start reading here:



    Troubleshooting: (After you have configured everything on the controller and on your radius - NAS IP, SECRET, CERT on client machine <> on radius server)


    1. Check that you have connectivity - use diagnostic - check aaa

    2. Check logs in your Radius server

    3. Be sure that port 1812/1813 are open between your radius and your controller




    How to config on controller?




    The following steps demonstrate how to enable the 802.1x local termination with eap-peap/eap-mschapv2. Please modify it with your desired EAP type.

    1. Navigate to Configuration → Security → Authentication → servers → server group. Create a new server group if you are using external server for 802.1x authentication, and click Add. Click the server group you have just created and enter the server details.

    2. Navigate to Configuration → Security → Authentication → L2 Authentication → 802.1x Authentication Profile → Create a profile → Add → Apply.

    3. Select the profile that you have just created under 802.1x Authentication profile. Click → Advanced → Termination EAP-Type → check the eap-peap and eap-mschapv2 → Apply.
    Note: ONLY if you are using the internal server for 802.1x authentication, click the basic and check the termination option and click Apply.

    4. Click the AAA profile tab. Under AAA Profiles Summary → Create a profile → Apply.

    5. Click the profile you have just created under AAA profile → 802.1x Authentication Profile → choose the profile that you have created under L2 Authentication in step 2.

    6. Click the AAA profile → 802.1x Authentication Server Group → select the server group from the drop-down menu → Apply.

    7. Navigate to Configuration → Wireless → AP Configuration → Choose the AP group → edit → Wireless LAN → Virtual AP → Default → AAA profile → under Profile details, from the drop-down menu, select the AAA profile that you created in step 4 → Apply.

    8. Click the SSID profile > Basic tab → Select the WPA encryption in network authentication → Apply.


    Here are 3 screenshots of config tips for the wi-fi client itself:






  • 3.  RE: force wifi with client certificate

    Posted May 01, 2014 01:25 AM

    Hi thx for reply. I will follow the steps and see.
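
To confirm from a capture of the controller-to-RADIUS traffic (port 1812) whether clients on the SSID still negotiate something other than EAP-TLS, the EAP type can be read out of the RADIUS EAP-Message attribute. This is an added example, not part of the thread; the function names are hypothetical and the sample packets are constructed.

```python
import struct

EAP_MESSAGE = 79  # RADIUS attribute type that carries EAP (RFC 3579)
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
ALLOWED = {"Identity", "Nak", "EAP-TLS"}  # assumption: what a TLS-only SSID may show

def eap_from_radius(packet: bytes) -> bytes:
    """Concatenate every EAP-Message attribute of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    eap, pos = b"", 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if atype == EAP_MESSAGE:
            eap += packet[pos + 2:pos + alen]  # long EAP is split across attributes
        pos += alen
    return eap

def eap_method(eap: bytes):
    """Method name of an EAP Request/Response; None for Success/Failure or no EAP."""
    if len(eap) < 5 or eap[0] not in (1, 2):  # 1 = Request, 2 = Response
        return None
    return EAP_TYPES.get(eap[4], f"type {eap[4]}")

def non_tls_methods(packets):
    """Methods seen in the capture that a certificate-only SSID should never use."""
    seen = []
    for pkt in packets:
        method = eap_method(eap_from_radius(pkt))
        if method and method not in ALLOWED and method not in seen:
            seen.append(method)
    return seen

# Constructed sample packets (zeroed authenticator, no Message-Authenticator).
def _eap(code, etype, data=b""):
    return struct.pack("!BBHB", code, 1, 5 + len(data), etype) + data
def _radius(code, eap):
    attrs = bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

SAMPLES = [_radius(1, _eap(2, 1, b"user")),     # Access-Request: Response/Identity
           _radius(11, _eap(1, 25, b"\x20")),   # Access-Challenge: PEAP start
           _radius(11, _eap(1, 13, b"\x20"))]   # Access-Challenge: EAP-TLS start
```

A non-empty result from `non_tls_methods` means a password-based method is still being offered or accepted somewhere in the authentication path.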