Wired Intelligent Edge


LACP and AAA Best Practice

  • 1.  LACP and AAA Best Practice

    Posted Jul 26, 2020 10:38 PM

    With the incoming of these high-speed, dual-port 802.11ax APs, I'm curious: what does Aruba/the community recommend for AAA with LACP/LAG in the AOS-CX OS?

     

    I know that they cannot live together, but how would I take advantage of the dual ports on an AP535, and have that AP/port authenticate using EAP-TLS?

     

    Is the answer really: it's one or the other? This kind of flies in the face of the dynamic/colorless ports, right?

     

    Thanks,



  • 2.  RE: LACP and AAA Best Practice
    Best Answer

    EMPLOYEE
    Posted Jul 27, 2020 04:20 AM

    LACP and Port authentication are indeed mutually exclusive, so you can't use them together.

     

    Note that LACP configuration is static in general as you need to configure which ports belong to what port-channel/trunk, so it is hard to combine that with the dynamics of colorless ports as well.

     

    I haven't tested, but heard that if you don't bundle the AP ports but leave them as two independent ports, you could do 802.1X on the AP uplink for both ports; it just doesn't load-balance and will be more active/passive. You may give that approach a try.



  • 3.  RE: LACP and AAA Best Practice

    Posted Jul 27, 2020 11:23 AM

    Thanks for the tip, Herman. 

     

    From my testing, it appears that you can enable 802.1X on both ports without the LAG configured. I just hooked up both cables and it switched out of power-restricted mode. After a reboot to confirm this was working, I noticed the second port does not authenticate.

     

    This makes me curious: What is going on in the AP to allow this without a loop being created?