Controllerless Networks

Trusted Contributor I

IAP with local EAP-TLS SSID

Was looking at whether this is possible: doing EAP-TLS, so client cert authentication, with only Aruba Instant, so no RADIUS server or such.


Some googling turned up mixed results.


This support document seems to indicate it is possible:


Although how remains vague.


Then some Airheads threads. Here it is mentioned it isn't easy:


Here it is mentioned twice that it is possible (limitations are mentioned, but not which) but without details:


So I started to configure it myself. First loaded a server certificate (cert / key) and a CA. Then configured the SSID Security section like this.


Key management: WPA-2 Enterprise
Termination: Enabled
Authentication server 1: ?


And now I was stuck, because why do I need an Authentication server, and why can't I select the Internal one if it is really needed? So I took a chance and just selected my CPPM server.


And it worked ... without receiving anything on the CPPM server. If I disable termination I do see the username (CN from cert) being sent to CPPM, but with Termination Enabled it seems to function fine.


Some questions:


1) Is this how you do client certificate based authentication with an IAP only?


2) Is the fact you need to select an Authentication server but it isn't used a known issue? The fact you can't select the EAP type might be related here, but I'm looking for some documentation saying this is how it should work. I'm using version will try a newer soonish


3) Is it correct you can't use the internal database for WPA Enterprise SSIDs in combination with Termination?


4) Anyone see issues with my approach? I tested with Windows, that worked, but perhaps not with others?

Guru Elite

Re: IAP with local EAP-TLS SSID


You are doing it the right way.


The external server option when doing EAP Termination is if you are using EAP-GTC which could require you to connect to an external LDAP server.  It is still selectable if you are doing different EAP types, but it does not do anything.


Please see the Instant training here: and specifically Module 5 which discusses EAP Termination Options.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Trusted Contributor I

Re: IAP with local EAP-TLS SSID

Appreciated as always, cjoseph.


It is not the fact you can select an auth server that confused me, it is the fact you NEED to select one, even when you don't do anything with it. But I understand the need in this case as you can't predict how it will be used.

Guru Elite

Re: IAP with local EAP-TLS SSID

There is similar behavior in ClearPass as well. When doing EAP-TLS
authentication, you still have to select an authentication server.

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Trusted Contributor I

Re: IAP with local EAP-TLS SSID

If you do authentication, yes, but you can turn that off, right? In the EAP-TLS settings. Do you still need an auth server then?

Guru Elite

Re: IAP with local EAP-TLS SSID

Yes. Any 802.1X service in ClearPass requires an authentication source. In
some cases, it won't be used.

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Trusted Contributor I

Re: IAP with local EAP-TLS SSID

Oh, and after watching the self learn it was noted that the internal database should be usable for EAP-TLS / EAP-TTLS / EAP-PEAP and LEAP. But I seemed unable to select it, did I do it wrong or ...?

Trusted Contributor I

Re: IAP with local EAP-TLS SSID

Ah, thanks cappalli, probably hit me before, but couldn't remember.

Re: IAP with local EAP-TLS SSID

Also keep in mind that there is a recently fixed issue in IAP code with 1x termination. Please see below from release notes:


Symptom: Client devices running the Android 6.0+ or Windows 10 software were unable to connect to the 802.1x SSID of the IAP. The fix ensures that the client devices are able to connect to the 802.1x SSID.


Scenario: This issue occurred when 802.1x termination was enabled on the IAP and was observed in all IAPs running Instant release.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos

Re: IAP with local EAP-TLS SSID



I have the same issue on ArubaOS. Do you know of a release which fixes this for ArubaOS using the internaldb with termination active?

Koen (ACMX #351 | ACDX #547 | ACCP)
