Aruba CX setup guide

AOS-CX 10.x

Applies to: CX 6100/6200/6300/6400 switches running AOS-CX 10.x. The radius-server tracking and dynamic-authorization commands are first-class in CX and produce clean Arbiter integration.

Wired — RADIUS server, 802.1X and MAB

Global RADIUS, AAA, and per-port 802.1X + MAC-auth (Aruba's term for MAB).

radius-server host 10.10.10.10 key plaintext ARBITER_PSK
radius-server host 10.10.10.11 key plaintext ARBITER_PSK
radius-server tracking
 user-name arbiter-probe
 interval 30
 retries 1
radius-server timeout 2
radius-server retransmit 1
radius-server deadtime 5
!
aaa group server radius ARBITER
 server 10.10.10.10
 server 10.10.10.11
!
aaa authentication port-access dot1x authenticator
 enable
aaa authentication port-access mac-auth
 enable
!
radius dyn-authorization enable
radius dyn-authorization client 10.10.10.10 secret-key plaintext ARBITER_PSK
radius dyn-authorization client 10.10.10.11 secret-key plaintext ARBITER_PSK
!
interface 1/1/1-1/1/48
 no shutdown
 no routing
 vlan access 10
 aaa authentication port-access auth-precedence dot1x mac-auth
 aaa authentication port-access dot1x authenticator
  enable
 aaa authentication port-access mac-auth
  enable

Wireless — 802.1X SSID

Aruba CX is wired-only. For Aruba wireless on this estate, see the Aruba Instant guide.

(see Aruba Instant / Instant On guide)

Guest SSID — open with captive portal redirect

Guest port profile with MAC-auth and a captive-portal-style role downloaded by RADIUS.

port-access role GUEST-REDIRECT
 vlan access 999
 captive-portal-profile ARBITER-GUEST
!
captive-portal-profile ARBITER-GUEST
 url https://acme-7f3-guest.arbiter.ie/

! Arbiter returns on the MAB Access-Accept:
!   Aruba-User-Role = GUEST-REDIRECT
! After T&C acceptance, Arbiter issues CoA -> re-MAB -> production role/VLAN.

DHCP relay to Edge

Per-VLAN ip-helper.

vlan 10
interface vlan 10
 ip address 10.0.10.1/24
 ip helper-address 10.0.0.5
 ip helper-address 10.10.10.10
 ip helper-address 10.10.10.11

AAA dead-server detection

Optional but recommended. AOS-CX exposes per-server tracking as a first-class feature: probe every 30 seconds across four attempts before declaring the server dead, then hold the dead flag for 3 minutes before retrying. Use it.

! 1. Probe every 30s, 4 attempts before declaring dead
radius-server tracking
 user-name arbiter-probe
 interval 30
 retries 4

! 2. Hold the dead flag for 3 minutes before retrying
radius-server deadtime 3
radius-server timeout 2
radius-server retransmit 1

CoA listener

The CoA (RADIUS dynamic authorization) listener uses UDP/3799 by default.

radius dyn-authorization enable
radius dyn-authorization client 10.10.10.10 secret-key plaintext ARBITER_PSK
radius dyn-authorization client 10.10.10.11 secret-key plaintext ARBITER_PSK
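
Added example (not part of the Arbiter guide or of AOS-CX): a Python check that cross-references the RADIUS hosts, AAA group members and CoA clients in a saved running-config, because a RADIUS server with no matching dyn-authorization client entry cannot drive the CoA step in the guest flow above. It assumes the command syntax exactly as shown on this page; the function name and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the second server has no CoA client entry and
# tracking is absent, so two findings are expected.
SAMPLE_CONFIG = """\
radius-server host 10.10.10.10 key plaintext ARBITER_PSK
radius-server host 10.10.10.11 key plaintext ARBITER_PSK
aaa group server radius ARBITER
 server 10.10.10.10
 server 10.10.10.11
radius dyn-authorization enable
radius dyn-authorization client 10.10.10.10 secret-key plaintext ARBITER_PSK
"""

def audit_radius_coa(config: str) -> list[str]:
    """Cross-check RADIUS hosts, AAA group members and CoA clients."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    hosts = set(re.findall(r"^radius-server host (\S+)", config, re.M))
    coa = set(re.findall(r"^radius dyn-authorization client (\S+)", config, re.M))
    group, in_group = set(), False
    for ln in lines:
        if ln.startswith("aaa group server radius "):
            in_group = True
        elif in_group and (m := re.match(r"\s+server (\S+)", ln)):
            group.add(m.group(1))
        elif not ln.startswith(" "):
            in_group = False  # left the indented group context
    findings = []
    if "radius dyn-authorization enable" not in lines:
        findings.append("CoA listener not enabled")
    if "radius-server tracking" not in lines:
        findings.append("radius-server tracking not configured")
    for ip in sorted(hosts - coa):
        findings.append(f"{ip}: RADIUS host without CoA client entry")
    for ip in sorted(coa - hosts):
        findings.append(f"{ip}: CoA client that is not a RADIUS host")
    for ip in sorted(group - hosts):
        findings.append(f"{ip}: AAA group member without radius-server host")
    return findings

if __name__ == "__main__":
    for finding in audit_radius_coa(SAMPLE_CONFIG):
        print(finding)
```

An empty result means every RADIUS host is also a permitted CoA source and the only CoA sources are the configured RADIUS hosts.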