What is the functionality and the advantage of voice-aware 802.1x in Aruba Networks?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.

The voice-aware Dot1x feature in ArubaOS minimizes the authentication transactions that can affect call quality.

After 802.1X authentication succeeds, a key exchange takes place between the client and the AP.

After a configurable amount of time, the key rotates (changes).

802.1X transactions in the middle of a call can result in choppy voice quality due to the time taken by the AP and client for the four-way key handshake and the group key handshake.


Without key-caching, key negotiations are important and unavoidable as a client moves from one AP to another. However, ArubaOS can postpone rekeying for the duration of a call when a handset remains on the same AP, thus avoiding choppiness.


Also, rekeying in an 802.1X network can stress the processor of a handset to the degree that it can interrupt voice calls. Therefore, ArubaOS now has a feature that delays rekeying until the handset is idle (not on a call).

To enable this feature in the Dot1x authentication profile, issue the following command:

(arun-3200) (802.1X Authentication Profile "dot1x") #voice-aware


Unicast and multicast rekeying and re-authentication can also be enabled in the AAA authentication Dot1x profile.


The unicast and multicast rekey and reauthentication intervals can also be set in the same profile.


802.1X Authentication Profile "dot1x"

Parameter                                                   Value
---------                                                   -----
Max authentication failures                                 0
Enforce Machine Authentication                              Disabled
Machine Authentication: Default Machine Role                guest
Machine Authentication Cache Timeout                        24 hrs
Blacklist on Machine Authentication Failure                 Disabled
Machine Authentication: Default User Role                   guest
Interval between Identity Requests                          30 sec
Quiet Period after Failed Authentication                    30 sec
Reauthentication Interval                                   86400 sec  <-- Configure reauthentication interval
Use Server provided Reauthentication Interval               Disabled   <-- Using re-authentication interval on RADIUS
Multicast Key Rotation Time Interval                        1800 sec   <-- Configure multicast rekey interval
Unicast Key Rotation Time Interval                          900 sec    <-- Configure unicast rekey interval
Authentication Server Retry Interval                        30 sec
Authentication Server Retry Count                           2
Framed MTU                                                  1100 bytes
Number of times ID-Requests are retried                     3
Maximum Number of Reauthentication Attempts                 3
Maximum number of times Held State can be bypassed          0
Dynamic WEP Key Message Retry Count                         1
Dynamic WEP Key Size                                        128 bits
Interval between WPA/WPA2 Key Messages                      2000 msec
Delay between EAP-Success and WPA2 Unicast Key Exchange     0 msec
Delay between WPA/WPA2 Unicast Key and Group Key Exchange   0 msec
WPA/WPA2 Key Message Retry Count                            3
Multicast Key Rotation                                      Disabled   <-- Enable/Disable Multicast re-keying
Unicast Key Rotation                                        Disabled   <-- Enable/Disable Unicast re-keying
Reauthentication                                            Disabled   <-- Enable/Disable re-authentication
Opportunistic Key Caching                                   Enabled
Validate PMKID                                              Disabled
Use Session Key                                             Disabled
Use Static Key                                              Disabled
xSec MTU                                                    1300 bytes
Termination                                                 Disabled
Termination EAP-Type                                        N/A
Termination Inner EAP-Type                                  N/A
Token Caching                                               Disabled
Token Caching Period                                        24 hrs
CA-Certificate                                              N/A
Server-Certificate                                          N/A
TLS Guest Access                                            Disabled
TLS Guest Role                                              guest
Ignore EAPOL-START after authentication                     Disabled
Handle EAPOL-Logoff                                         Disabled
Ignore EAP ID during negotiation.                           Disabled
WPA-Fast-Handover                                           Disabled
Disable rekey and reauthentication for clients on call      Disabled   <-- Enable/Disable Voice aware Dot1x

When voice-aware Dot1x is enabled and a client is on a call, rekeying or re-authentication should not happen until the call is disconnected.
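
The following Python check is an added example, not part of the original article or of any Aruba tooling. It reads the rekey-related rows of the profile output shown above and reports which enabled rekey or reauthentication timers are not deferred by voice-aware Dot1x. The names parse_profile, audit and SAMPLE are hypothetical, and the sample rows are constructed from the output above with unicast key rotation switched on.

```python
import re
# Constructed sample: rekey-related rows from the profile output above,
# with unicast key rotation switched on to show the mid-call rekey case.
SAMPLE = """\
Reauthentication Interval                                 86400 sec
Multicast Key Rotation Time Interval                      1800 sec
Unicast Key Rotation Time Interval                        900 sec
Multicast Key Rotation                                    Disabled
Unicast Key Rotation                                      Enabled
Reauthentication                                          Disabled
Disable rekey and reauthentication for clients on call    Disabled
"""

FLAGS = {  # short name -> row label of an Enabled/Disabled setting
    "unicast rekey": "Unicast Key Rotation",
    "multicast rekey": "Multicast Key Rotation",
    "reauthentication": "Reauthentication",
    "voice-aware": "Disable rekey and reauthentication for clients on call",
}
TIMERS = {  # short name -> row label of the matching interval in seconds
    "unicast rekey": "Unicast Key Rotation Time Interval",
    "multicast rekey": "Multicast Key Rotation Time Interval",
    "reauthentication": "Reauthentication Interval",
}

def parse_profile(text):
    """Return (flags, timers); trailing annotations on a row are ignored."""
    flags, timers = {}, {}
    for line in text.splitlines():
        line = line.strip()
        for key, label in FLAGS.items():
            m = re.match(re.escape(label) + r"\s+(Enabled|Disabled)\b", line)
            if m:
                flags[key] = m.group(1) == "Enabled"
        for key, label in TIMERS.items():
            m = re.match(re.escape(label) + r"\s+(\d+)\s+sec\b", line)
            if m:
                timers[key] = int(m.group(1))
    return flags, timers

def audit(text):
    """List rekey/reauth settings that are not deferred during calls."""
    flags, timers = parse_profile(text)
    active = [k for k in TIMERS if flags.get(k)]
    if active and not flags.get("voice-aware"):
        return [f"{k} every {timers.get(k)} sec can occur during a call" for k in active]
    if flags.get("voice-aware") and not active:
        return ["voice-aware is enabled but no rekey or reauthentication is enabled"]
    return []
```

Calling audit(SAMPLE) returns one finding for the 900-second unicast rekey; the same profile with voice-aware enabled returns an empty list.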

Last update: 07-05-2014 06:56 AM