How to configure an AP for dot1x authentication of uplink?

Aruba Employee

Customers deploying a secure edge are very cautious about leaving ports open. When the ports to which APs are connected are also configured for 802.1X, the AP must be able to work as a dot1x client.


This article explains the requirement, network setup, configuration and troubleshooting for configuring an AP for dot1x authentication on its uplink port.


Environment : RAP 3 requiring authentication on uplink Cisco port.


Network Topology : 


Network Setup
RAP3 =======(Trunk)=======Cisco 3750 (Trunk + Dot1x authenticator on port) ====== Network ------- Controller ---------- Network---------- CPPM



RAP Provisioning profile:
ap provisioning-profile "test123"
   apdot1x-username "test"
   apdot1x-passwd "test123"

Cisco Port & Radius config:
aaa new-model
aaa authentication dot1x default group radius
interface GigabitEthernet1/0/17
   switchport access vlan 160
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 160
   switchport mode trunk
   authentication port-control auto
   dot1x pae authenticator
radius server CPPM
   address ipv4 auth-port 1645 acct-port 1646
   key test123

(Configure CPPM with the Cisco switch as a RADIUS client and with the user for authentication in the local DB.)


Run a test authentication to ensure that the Cisco switch is able to authenticate with the RADIUS server.

Cisco-3750-X-1#test aaa group radius test test123 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

The AP successfully authenticates on the dot1x port, with the Cisco switch working as the authenticator.

(GEC-RAP) #show ap active
Active AP Table
Name     Group     IP Address  11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP  AP Type   Flags  Uptime   Outer IP
----     -----     ----------  -----------  -------------------  -----------  -------------------  -------   -----  ------   --------
MM-RAP3  cigna-63     0            AP:HT:6/3/18         0                                 RAP-3WNP  R1E2a  12m:47s
Flags: 1 = 802.1x authenticated AP; 2 = Using IKE version 2;
       A = Enet1 in active/standby mode;  B = Battery Boost On; C = Cellular;
       D = Disconn. Extra Calls On; E = Wired AP enabled; F = AP failed 802.1x authentication;
       H = Hotspot Enabled; K = 802.11K Enabled; L = Client Balancing Enabled; M = Mesh;
       N = 802.11b protection disabled; P = PPPOE; R = Remote AP;
       S = AP connected as standby; X = Maintenance Mode;
       a = Reduce ARP packets in the air; d = Drop Mcast/Bcast On; u = Custom-Cert RAP;
       r = 802.11r Enabled
Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.
Num APs:1

To verify on the Cisco switch that the dot1x authentication is complete:
Cisco-3750-X-1#show dot1x interface gigabitEthernet 1/0/17 details
Dot1x Info for GigabitEthernet1/0/17
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
Dot1x Authenticator Client List
EAP Method                = PEAP
Supplicant                = 000b.8682.7b67
Session ID                = 0AA3A305000000200444998D
    Auth SM State         = AUTHENTICATED
    Auth BEND SM State    = IDLE

Troubleshooting:
Ensure that you have configured the right credentials in the provisioning profile.
Ensure that you have mapped the right provisioning profile in the AP group.
Ensure that the switch can act as a RADIUS client and complete an authentication successfully.
Check the logs on the RADIUS server.
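
The two verification outputs above (flag 1 in "show ap active" and Auth SM State on the switch) can be cross-checked with a short script. This is an added example, not part of the original article or Aruba/Cisco tooling; the function names are hypothetical, and the sample text is the switch output shown on this page.

```python
import re

# Flag meanings copied from the "show ap active" legend on this page (subset).
AP_FLAGS = {"1": "802.1x authenticated AP", "F": "AP failed 802.1x authentication"}

# Switch output as shown earlier on this page (timer lines omitted).
DOT1X_DETAILS = """\
Dot1x Info for GigabitEthernet1/0/17
PAE                       = AUTHENTICATOR
Dot1x Authenticator Client List
EAP Method                = PEAP
Supplicant                = 000b.8682.7b67
Session ID                = 0AA3A305000000200444998D
    Auth SM State         = AUTHENTICATED
    Auth BEND SM State    = IDLE
"""

LINE = re.compile(r"^[ \t]*([^=\n]+?)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)

def parse_dot1x_clients(text):
    """Return one dict per supplicant listed after 'Dot1x Authenticator Client List'."""
    _, _, client_part = text.partition("Dot1x Authenticator Client List")
    clients = []
    for key, value in LINE.findall(client_part):
        if key == "EAP Method":        # each client entry starts with this line
            clients.append({})
        if clients:
            clients[-1][key] = value
    return clients

def check_uplink(ap_flags, dot1x_text):
    """Return a list of problems; empty means controller and switch agree."""
    problems = []
    if "F" in ap_flags:
        problems.append("controller: " + AP_FLAGS["F"])
    elif "1" not in ap_flags:
        problems.append("controller: flag 1 (" + AP_FLAGS["1"] + ") not set")
    clients = parse_dot1x_clients(dot1x_text)
    if not clients:
        problems.append("switch: no supplicant on the port")
    for c in clients:
        if c.get("Auth SM State") != "AUTHENTICATED":
            problems.append(f"switch: {c.get('Supplicant')} is {c.get('Auth SM State')}")
    return problems

if __name__ == "__main__":
    # "R1E2a" is the Flags column from the "show ap active" output above.
    print(check_uplink("R1E2a", DOT1X_DETAILS) or "uplink 802.1X verified")
```

An empty result means the AP shows flag 1 on the controller and the switch lists its supplicant as AUTHENTICATED; any returned line points to the side to start troubleshooting from.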

Version history
Revision #: 1 of 1
Last update: 04-08-2015 03:42 AM