Contributor I

Aruba 3200 Wireless with Radius Authentication

Hey guys, 

So I set up an SSID and attached it to a RADIUS server. Everything works except one thing I am not sure about.

I wanted to test what happens when you change the password in AD: would it kick the user off their phones and other wireless devices or not?

The first time I tested it, it worked, but when I tested it again the clients never got kicked off. Is there a way to specify when Aruba checks the RADIUS server for credentials?

Re: Aruba 3200 Wireless with Radius Authentication

For captive portal login, read here:

Re-authentication Interval (optional)

Time, in minutes, after which the client is required to reauthenticate. Enter a value between 0-4096. 0 disables reauthentication.

Default: 0 (disabled)



For 802.1X, read here:

use re-auth option: (you can apply it on any

Select this option to force the client to do a 802.1x re-authentication after the expiration of the default timer for re-authentication. The default value of the timer (Reauthentication Interval) is 24 hours. If the user fails to re-authenticate with valid credentials, the state of the user is cleared.

If derivation rules are used to classify 802.1x-authenticated users, then the Re-authentication timer per role overrides this setting.

Default: disabled

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Frequent Contributor II

Re: Aruba 3200 Wireless with Radius Authentication

Are you using WPA2-enterprise 802.1X with EAP-PEAP MSCHAPv2?


If the password is changed in AD the user should also change it on his/her device. Depending on type of device this could mean the user has to "forget the network" and then re-configure it. This is one of the big down-sides of PEAP.


For BYOD deployments you should consider using ClearPass OnBoard which will provision a certificate on the device and from then on EAP-TLS is used.


If you have domain joined Windows devices you can just push down a GPO with the correct network settings and the users don't have to worry about changing their password on the 802.1X profile as well.

ACMX#255 | ACDX#742 | ACCX#746 | AMFX#25 | ACMP | ACCP | AWMP
Frequent Contributor II

Re: Aruba 3200 Wireless with Radius Authentication

We are using RADIUS with PEAP for our BYOD. It's a big hassle because every time users change their password in AD, which used to be every 90 days, they would not delete the profile on their phones, which then causes the RADIUS to lock out their account for 24 hours. This produces a lot of help desk calls. We are going to move to ClearPass, possibly this year. Also, when users bring in Windows 7 devices, the default settings are set up for AD users, but because they are not AD users on our network (BYOD), again the Windows profile has to be configured not to verify the certificate and not to use their local credentials from their home laptop. I suggest ClearPass; we had to go with RADIUS because we didn't have the budget for ClearPass before, but I'm hoping this year.

Guru Elite

Re: Aruba 3200 Wireless with Radius Authentication

^ Not validating the server certificate is a very, very bad idea.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
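
The lockout pattern described in this thread (a device that keeps retrying an old PEAP password after an AD password change) can be spotted in RADIUS authentication logs before the account locks. The following is an added example, not part of the original posts; the log format, field order and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, AD user, client MAC (Calling-Station-Id), RADIUS result.
# This four-field layout is an assumption; adapt parse() to your server's log format.
SAMPLE_LOG = """\
2024-03-01T09:00:05 jdoe aa:bb:cc:00:00:01 Access-Accept
2024-03-01T09:02:10 jdoe aa:bb:cc:00:00:02 Access-Reject
2024-03-01T09:02:40 jdoe aa:bb:cc:00:00:02 Access-Reject
2024-03-01T09:03:10 jdoe aa:bb:cc:00:00:02 Access-Reject
2024-03-01T09:04:00 asmith aa:bb:cc:00:00:03 Access-Reject
2024-03-01T09:20:00 asmith aa:bb:cc:00:00:03 Access-Accept
2024-03-01T09:30:00 bwong aa:bb:cc:00:00:04 Access-Reject
2024-03-01T09:30:30 bwong aa:bb:cc:00:00:04 Access-Reject
2024-03-01T09:31:00 bwong aa:bb:cc:00:00:04 Access-Reject
"""

def parse(log):
    """Yield (time, user, mac, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, mac, result = parts
        yield datetime.fromisoformat(ts), user.lower(), mac.lower(), result

def stale_devices(log, min_rejects=3, window_minutes=30):
    """Return sorted (user, mac, reject_count) for devices that keep failing
    while another device of the same user authenticates successfully."""
    window = timedelta(minutes=window_minutes)
    accepted = defaultdict(set)   # user -> MACs that have authenticated successfully
    rejects = defaultdict(list)   # (user, mac) -> reject times since that device last succeeded
    for ts, user, mac, result in sorted(parse(log)):
        if result == "Access-Accept":
            accepted[user].add(mac)
            rejects.pop((user, mac), None)  # profile was fixed, or a one-off typo
        elif result == "Access-Reject":
            rejects[(user, mac)].append(ts)
    flagged = []
    for (user, mac), times in rejects.items():
        recent = [t for t in times if times[-1] - t <= window]
        # A success from a different device shows the account itself is fine,
        # so repeated rejects from this MAC point to a stale saved password.
        if len(recent) >= min_rejects and accepted[user] - {mac}:
            flagged.append((user, mac, len(recent)))
    return sorted(flagged)

if __name__ == "__main__":
    for user, mac, count in stale_devices(SAMPLE_LOG):
        print(f"{user}: device {mac} rejected {count} times, likely stale 802.1X profile")
```

Users whose rejects are not accompanied by a success from another device (bwong in the sample) are deliberately not flagged here, since that pattern needs a different investigation than a stale profile.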