Controller-less WLANs

 View Only
last person joined: one year ago 

Articles relating to existing and legacy HPE Aruba Networking products and solutions including IAP, Central / HPE Aruba Networking Central, MSR, and Outdoor Mesh
Back to Library

How do we configure 802.1x for the wired uplink port in Instant 6.4.4.4-4.2.3.0 and above? 

May 18, 2016 04:22 PM

Q:

How do we configure 802.1x for the wired uplink port of an Instant AP?



A:

From IAP 6.4.4.4-4.2.3.0 802.1x authentication for IAP can be enabled. As a result only authenticated IAP's can join the cluster and hence avoid anyone brining up there own device.

Below is a sample network setup:

 

IAP ------ Aruba MAS --------- Windows 2008 server

 

Below is the sample config:

84:d4:7e:c3:d9:02# show version
Aruba Operating System Software.
ArubaOS (MODEL: 205), Version 6.4.4.4-4.2.3.1
Website: http://www.arubanetworks.com
Copyright (c) 2002-2016, Aruba Networks, an HP company.
Compiled on 2016-04-15 at 05:13:35 PDT (build 54637) by p4build
FIPS Mode :disabled

AP uptime is 14 minutes 7 seconds
Reboot Time and Cause: AP rebooted Mon May 16 20:23:21 UTC 2016; CLI cmd at uptime 0D 0H 3M 0S: reload

 

84:d4:7e:c3:d9:02# configure terminal
We now support CLI commit model, please type "commit apply" for configuration to take effect.

 

84:d4:7e:c3:d9:02 (config) # ap1x peap ==> This will make the IAP to use peap auth.
84:d4:7e:c3:d9:02 (config) # exit
84:d4:7e:c3:d9:02# commit apply
committing configuration...
configuration committed.

 


84:d4:7e:c3:d9:02# ap1x-peap-user iap iap@123 ==> This will configure the username and password.

 

Once configured, IAP has to be reloaded.

 

84:d4:7e:c3:d9:02# show ap1x config
#generated by rcS.fatap
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
eapol_version=1
fast_reauth=1
network={
   scan_ssid=0
   key_mgmt=IEEE8021X
  eap=PEAP
  eapol_flags=0
  identity="iap"
  password="iap@123"
  phase1="crypto_binding=0"
  phase2="peaplabel=1"
  phase2="auth=MSCHAPV2"
  priority=1

 

84:d4:7e:c3:d9:02# show ap1x status

ap1x:peap
ap1x auth result:succeed

 

On the Aruba MAS side, created a Wired AAA profile with the required configuration for the authentication. Below is a snip of the auth-tracebuf from MAS:

(ArubaS1500-12P) #show auth-tracebuf count 50

Auth Trace Buffer
-----------------

May 16 12:44:12  station-up             *  84:d4:7e:c3:d9:02  01:80:c2:00:00:03          -   -     wired station
May 16 12:44:12  eap-id-req            <-  84:d4:7e:c3:d9:02  01:80:c2:00:00:03          1   5
May 16 12:44:12  eap-id-resp           ->  84:d4:7e:c3:d9:02  01:80:c2:00:00:03          1   8     iap
May 16 12:44:12  rad-req               ->  84:d4:7e:c3:d9:02  01:80:c2:00:00:03          89  178
May 16 12:44:12  rad-resp              <-  84:d4:7e:c3:d9:02  01:80:c2:00:00:03/Win2008  89  90
May 16 12:44:12  eap-req               <-  84:d4:7e:c3:d9:02  01:80:c2:00:00:03          2   6
May 16 12:44:12  eap-resp              ->  84:d4:7e:c3:d9:02  01:80:c2:00:00:03          2   66

May 16 12:44:12  eap-req               <-  84:d4:7e:c3:d9:02  01:80:c2:00:00:03          10  107
May 16 12:44:12  eap-resp              ->  84:d4:7e:c3:d9:02  01:80:c2:00:00:03          10  43
May 16 12:44:12  rad-req               ->  84:d4:7e:c3:d9:02  01:80:c2:00:00:03/Win2008  98  251
May 16 12:44:12  rad-accept            <-  84:d4:7e:c3:d9:02  01:80:c2:00:00:03/Win2008  98  307
May 16 12:44:12  eap-success           <-  84:d4:7e:c3:d9:02  01:80:c2:00:00:03          10  4

 

Above can be configured on the IAP UI as well as shown below:

Statistics
0 Favorited
4 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.