Leap is configured on the client and server side. In the Aruba controller, you only need to configure the encryption and the radius server. Last but not least, you need to enable the "user-session-key" parameter in the 802.1x profile that was created:
aaa authentication dot1x "dot1x-profile"
use-session-key