How to enable Dot1x authentication on Aruba controller for CPPM

Aruba Employee
Aruba Employee

This Article explains about-

   i) adding the Aruba controller as NAD device.
   ii) Integrating Aruba Controller with CPPM to perform Dot1x authentication.
   iii) Configuring service on CPPM to handle this request.


Environment : This Article is written  for CPPM 6.2.0 and greater.


Below are the detailed steps.

1: Adding Aruba Controller as NAD device on CPPM.

Navigate to Configuration > Network > Devices


Click Add Device


Add the device as shown below.


Make sure that we configure the same Radius Shared secret on the controller as well.

2: Integrate Aruba Controller  with CPPM to perform Dot1x.

 -> Add a server group on the Controller

Navigate to  Security > Authentication > Servers

Add a new Radius Server.

rtaImage (1).png


Enter the IP of the CPPM or a generic name to identify the CPPM server and hit " Add"

After adding, the CPPM server will show in the list.

Click on the entry and modify the below.


rtaImage (2).png


Make sure that the Host field has the IP/host name of the CPPM and the Key is same as radius secret key in step 1.

-> Map this server to a server group.

Create a new Server group and add the entry of CPPM to it.


rtaImage (3).png


once we hit "Add Server", the CPPM will be mapped to this group.

-> Create a new AAA profile.

Navigate to
 Security > Authentication > Profiles

and add a new AAA profile and click on the name.


rtaImage (4).png



We can have the Initial and authenticated roles bases on our requirements.

Map this AAA profile to

     i) The radius server group which we have added earlier
     ii) Authentication profile for Dot1x, we can create  new one by using the drop down menu.


rtaImage (5).png


Hit on New and create a new auth profile.


rtaImage (6).png

We can customize these options based on our requirements.
-> Create a Dot1X SSID profile.

Navigate to  Configuration > AP Group > Edit "You_AP_Group"

and add a new Virtual AP profile.


rtaImage (7).png

Make sure that the Vlan is mapped properly.

Map this VAP to the AAA profile which we added and to the SSID profile.

We can create a new SSID profile as below.


rtaImage (8).png


Give a name to the SSID profile and SSID name and map this to the VAP profile.

Save the  Configuration.

3: Create Dot1x service on the CPPM.

Browse to  
Configuration » Services

and click on "Add New Service".

Use the default Aruba 802.1X Wireless service default template.


rtaImage (9).png



Make sure that the SSID name is correctly mapped in the last Rule. The name is case sensitive.

Click next and add the below details.


rtaImage (10).png


We can have multiple authentication sources based on our requirements. Click Next.

Configuring Roles is not necessary in this default setup and we can leave it blank.


rtaImage (11).png


We can have the "Allow All Access Policy" on the Enforcement tab. However we can customize it bases on our requirements.


rtaImage (12).png


Hit Save and exit. Connect a client and verify.

We would see the Accept messages in the access tracker.


rtaImage (13).png





Version history
Revision #:
2 of 2
Last update:
‎09-22-2014 08:40 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: