How to configure 802.1X client authentication on ArubaOS-Switch devices


How to configure 802.1X client authentication on ArubaOS-Switch devices?

ASE Link:  Go to the solution



This solution will simplify configuration of 802.1X port access control on an ArubaOS-Switch device being managed by an external authentication server (e.g. ClearPass Policy Manager, RADIUS, etc).

Minimum Software Versions Required

Varies by switch model: K.12.xx (3500, 5400, 6600); KA.15.03 (3800); KB.15.15 (5400R); KB.16.01 (3810); RA.15.05 (2620); WB.15.11 (2920); WC.16.02 (2930F); YA.15.10/YB.15.12 (2530)

Configuration Notes

The first item configured is an authentication server host to be used to authenticate clients connected to the switch; parameters include IP address and (optionally) a pre-shared key.  Next, select ports to be used for client authentication, and assign VLAN IDs to be used for unauthenticated and authenticated clients (in the latter case, to be assigned if the authentication server does not assign a specific VLAN). Optionally, enable GVRP VLAN discovery on authenticator ports for VLANs assigned by the authentication server that are not already configured on the switch. Lastly, configure a backup authentication method for when the server is unreachable (if desired), and/or enable a per-port client limit.

Platform(s) Tested

Tested on a 3810M running KB.16.02.0008.


For switches: none. Standard license requirements apply for authentication servers (ClearPass, RADIUS, etc).


  1. HPE ArubaOS-Switch Access Security Guide K/KA/KB.16.01
  2. HPE ArubaOS-Switch Advanced Traffic Management Guide K/KA/KB.16.01
Version history
Revision #:
6 of 6
Last update:
‎03-20-2017 09:31 AM
Updated by:
Labels (1)