Setting up IAP uplink dot1x

MVP Expert
MVP Expert

•In, IAP support AP uplink dot1x, when IAP boots up it’ll perform 802.1x authentication before it sends and receives any other traffic such as DHCP.

•If  IAP cannot successfully authenticate within 1 minute, it will initiates DHCP and all traffic directly.


IAP now support authenticate using PEAP or TLS. The credentials or certs that the used to authenticate must be provisioned by the operator and are stored in IAP flash in advance.







UI – Configuration

•System -> Uplink -> AP1X


"AP1X type", 3 options:  “PEAP”,”TLS”,”None”, and “None” by default;

Validate server:  disable by default.


UI-Per AP configuration 

•Per AP edit -> Uplink -> PEAP User



PEAP credentials by default is NULL


•Per AP edit -> Uplink -> Upload New Certificate  



URL could be tftp,ftp,http.


CLI Configuration:


ac:a3:1e:cd:47:b2 (config) # ap1x



ac:a3:1e:cd:47:b2 (config) # ap1x peap



ac:a3:1e:cd:47:b2 (config) # ap1x tls user



ac:a3:1e:cd:47:b2 (config) # ap1x peap validate-server

ac:a3:1e:cd:47:b2 (config) # end

ac:a3:1e:cd:47:b2# commit apply

committing configuration...

configuration committed.

ac:a3:1e:cd:47:b2# show running-config | in ap1x

ap1x peap user validate-server


note: This configuration needs reload to take effect. 


CLI – Per AP PEAP configuration


•If choose PEAP as AP1x type, configure PEAP credentials in ap-env


ac:a3:1e:cd:47:b2# ap1x-peap-user

<ap1xuser>     MSCHAPv2 identity

ac:a3:1e:cd:47:b2# ap1x-peap-user aruba

<password>     MSCHAPv2 password

ac:a3:1e:cd:47:b2# ap1x-peap-user aruba aruba




ac:a3:1e:cd:47:b2# show ap-env

Antenna Type:Internal




This configuration needs reload to take effect 


CLI – Per AP Certificate Upload





ap1x <url> format pem [psk <psk>]

ap1xca <url> format pem




copy tftp <ip-address> <filename> {ap1x {ca|cert} <password> format pem} format pem

Note: Both “download-cert” && “copy” can be used to upload Client cert or CA cert.






AP1x auth log during bootup


apdot1x authentication type is peap​ trigger wpa_supplicant with configure file /aruba/ap1x/wpa.conf checking the authentication result and will time out at most 1 min

[   43.748516] Kernel watchdog refresh ended on core 1.

[   43.800531] Kernel watchdog refresh ended on core 0.

ap1x authentication succeeded

Getting an IP address...

Jan  1 00:00:36 udhcpc[3158]: udhcpc (v0.9.9-pre) started

Jan  1 00:00:36 udhcpc[3158]: send_discover: pkt num 0, secs 0


show ap1x config --->    It shows ap1x configuration in wpa_supplicant currently


ac:a3:1e:cd:47:b2# show ap1x config

#generated by rcS.fatap





show ap1x status ---->  It shows ap1x auth result currently

18:64:72:c6:ea:ec# show ap1x status 
ap1x:tls with validating server 
ap1x auth result:succeed

show ap1x debug-logs  ----> It shows ap1x debug-logs during bootup

ac:a3:1e:cd:47:b2# show ap1x debug-logs
1970-01-01 00:00:32:apdot1x authentication type is peap
1970-01-01 00:00:32:trigger wpa_supplicant with configure file


show ap1xcert ---->It shows current CA && client certificate on IAP.

ac:a3:1e:cd:47:b2## show ap1xcert 

Current ap1x CA Certificate:
Version       :3
Serial Number :AB:C1:1E:06:77:69:20:4F
Issuer        :/C=CN/ST=Beijing/O=Aruba Networks/O=an HP company/OU=Aruba Instant/CN=Feng Ding
Subject       :/C=CN/ST=Beijing/O=Aruba Networks/O=an HP company/OU=Aruba Instant/CN=Feng Ding
Issued On     :Jan 26 08:48:16 2016 GMT
Expires On    :Jan 23 08:48:16 2026 GMT
Signed Using  :SHA1-RSA
RSA Key size  :2048 bits


Version history
Revision #:
2 of 2
Last update:
‎03-31-2019 10:26 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: