How does dot1x termination work?

Aruba Employee
Aruba Employee

Product and Software: This article applies to ArubaOS version 2.5 and 3.X.  ArubaOS 3.X is required to terminate EAP-TLS.


Use Case/Application  With Dot1x Termination enabled, you will be able to:


  • Authenticate user with 802.1X using either LDAP server or internal DB.
  • Improve authentication performance by offloading crypto computation load from performance-constrained RADIUS servers.
  • Enable RADIUS fail-through for 802.1X authentication.

How It Works 


Dot1x Termination (also known as AAA FastConnect) enables the encryption portion of an 802.1X transaction to be processed inside the Aruba Mobility Controller.


Dot1x Termination is disabled by default. If disabled, the controller simply passes all the 802.1X exchanges between the authentication server and the client through to the external RADIUS server.


When Dot1x Termination is enabled, the controller terminates 802.1X traffic from clients and processes crypto algorithms defined in each EAP protocol standards, for example, verification of certificates and derivation of encryption keys.


Aruba can terminate EAP-PEAP/GTC, EAP-PEAP/MSCHAPv2, and EAP-TLS.  CA certificate needs to be uploaded to the controller to terminate EAP-TLS.  CA certificate is used to verify the client's certificate.


In addition, if the controller terminates EAP-PEAP, the server certificate needs to be uploaded to the controller. Aruba controllers are shipped with a preinstalled digital certificate. However, this certificate is intended primarily for feature demonstration and a temporary deployment and not for long-term use in a production network.


You can use RADIUS, LDAP, or internal DB as an authentication server for Dot1x Termination.


You must use EAP-PEAP/GTC to authenticate against LDAP server.

Version history
Revision #:
1 of 1
Last update:
‎07-02-2014 12:12 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: